overview of statistical disclosure limitation lawrence h
play

OVERVIEW OF STATISTICAL DISCLOSURE LIMITATION Lawrence H. Cox, - PDF document

Dec 05, 2023 •276 likes •547 views

OVERVIEW OF STATISTICAL DISCLOSURE LIMITATION Lawrence H. Cox, Associate Director National Center for Health Statistics LCOX@CDC.GOV DIMACS Working Group on Privacy/Confidentiality of Health Data DIMACS Rutgers University, Piscataway NJ

  1. OVERVIEW OF STATISTICAL DISCLOSURE LIMITATION Lawrence H. Cox, Associate Director National Center for Health Statistics LCOX@CDC.GOV DIMACS Working Group on Privacy/Confidentiality of Health Data DIMACS Rutgers University, Piscataway NJ December 10-12, 2003

  2. WHAT IS STATISTICAL DISCLOSURE? WHY IS IT A PROBLEM? * Qualitatively * Quantitatively WHAT CAN BE DONE TO LIMIT STATISTICAL DISCLOSURE?

  3. QUALITATIVE/POLICY ISSUES What is confidentiality preservation? * holding close information of a personal or proprietary nature pertaining to a respondent, and not revealing it (directly or indirectly) to an unauthorized third party What is statistical confidentiality protection? * preserving confidentiality in statistical data products What is statistical disclosure? * statistical disclosure occurs when the release of a data product enables a third party to learn more about a respondent than originally known (T. Dalenius) Note: " Respondent " refers to direct providers of data (person, organization, business) and to “units of analysis" they represent (families, corporations, groups)

  4. Is confidentiality important? Why should the data provider preserve confidentiality? * required by law, regulation or policy * ethical obligation: the social contract * practical considerations - data accuracy - data completeness - developing trust How is confidentiality threatened by release of statistical data? * overt or derived identification and disclosure of individual respondent data * identification thru matching attributes to another data file, leading to disclosure of individual attributes * associate large percentage of an identifiable group with a characteristic ( group disclosure )

  5. Must confidentiality preservation be absolute? What is its relative importance? * the balance issue: right to privacy vs. need to know * absolute confidentiality preservation is impossible: releasing any data divulges something about each respondent * technology limits what can be done - technology to limit disclosure - technology to cause disclosure * in principle: - minimum disclosure protection and data quality and completeness standards are not incompatible - a joint optimum can be reached * in practice: - the balancing process is iterative - incompatibilities are resolved in favor of preserving confidentiality

  6. What factors affect statistical disclosure? * factors affecting likelihood of disclosure - number of variables - level(s) of data aggregation or presentation - accuracy/quality of data - sampling rate(s) - knowledge about survey participation - distribution of characteristics - time - insider knowledge * factors affecting the risk of disclosure - likelihood of disclosure - number of confidential variables - sensitivity of confidential data - time - target of disclosure # targeted respondent # arbitrary respondent: fishing expedition # group disclosure - existence/quality of matching files - motivation/abilities of intruder - cost to achieve disclosure - ease to access/manipulate data

  7. QUANTITATIVE/STATISTICAL ISSUES Statistical Disclosure in Tabular Data: An Illustration RACE CATEGORY A 1 6 4 7 6 7 31 G E 6 7 6 5 7 1 32 C A 3 6 5 7 6 7 34 T E 38 6 7 6 6 7 6 G O R 28 2 6 7 2 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State Releaser determines: disclosure occurs whenever a cell count is (or can be reliably inferred to be) between 1 - 4 This results in 6 primary disclosure cells (in bold ) Traditional disclosure limitation methods : Rounding (base B = 5), perturbation, cell suppression

  8. ROUNDING Conventional Rounding (round to nearest multiple of B = 5) 0 5 5 5 5 5 30 (25) 5 5 5 5 5 0 30 (25) 5 5 5 5 5 5 35 (30) 40 (30) 5 5 5 5 5 5 30 (20) 0 5 5 0 5 5 20 30 30 25 30 25 165 (15) (25) (25) (20) (25) (20) (130) ( ) = sum of rounded entries Rounded table is NOT additive!!! 165 - 130 = 35 individuals are not accounted for!!!

  9. Controlled Rounding - round to an adjacent multiple of B = 5 - preserve additivity within the table - multiples of B = 5 remain fixed 0 5 5 5 5 10 30 5 10 5 5 10 0 35 5 5 5 10 5 5 35 35 5 10 5 5 5 5 25 0 5 10 0 5 5 15 35 30 25 30 25 160 Many different Controlled Roundings are possible This CR is optimal as it is close as possible to the original table CR methodology for 2-D tables based on network optimization Random (Unbiased) Controlled Rounding also possible (Controlled) (Random) Perturbation is analogous

  10. COMPLEMENTARY CELL SUPPRESSION Suppressing only the disclosure cells D D 6 7 6 7 31 6 7 6 5 7 D 32 D 6 5 7 6 7 34 38 6 7 6 6 7 6 28 D D 6 7 6 5 18 32 28 27 32 26 163 Suppression pattern is inadequate due to ability of attacker to reconstruct/estimate one or more suppressions using the row and column equations Need complementary cell suppression , viz., suppress additional nondisclosure cells to thwart reconstruction or narrow estimation of primary disclosure cells

  11. Heuristic complementary cell suppression D 11 6 D 13 7 6 7 31 6 7 6 D 24 7 D 26 32 D 31 D 33 6 7 6 7 34 38 6 7 6 6 7 6 28 D 51 6 7 D 54 6 D 56 18 32 28 27 32 26 163 This does better and appears to adequately limit disclosure D 51 � 2 However, : Row 2 + Row 5 - Col 4 - Col 6 = 32 + 28 - 27 - 26 = 7: 7 � ( D 24 � D 26 � 26) � ( D 51 � D 54 � 19) � ( D 24 � D 54 � 20) � ( D 26 � D 56 � 20) � D 51 � 5 Detecting such structural insufficiency usually requires mathematical programming, viz., subject to the row and column constraints, compute min { D 51 } and max { D 51 }

  12. A better suppression pattern D 6 D 7 6 7 31 6 7 D 5 7 D 32 D D 6 5 6 7 34 38 6 7 6 6 7 6 28 D 6 7 D 6 D 18 32 28 27 32 26 163

  13. Mathematically, this pattern is equivalent to D 11 D 13 0 0 5 0 D 23 0 D 26 7 10 D 31 D 34 0 0 9 D 51 0 D 54 D 56 6 10 9 6 31 This pattern has some desirable features: - not structurally insufficient - minimum possible number of cells suppressed - minimum possible total value suppressed This pattern does not appear inadequate: - at least two suppressions in each row/column - reduced row/col equations add to at least 5 However, appearances can be deceiving

  14. Suppression Audit Linear analysis reveals exact bounds for suppressed entries: [0,2] 6 [3,5] 7 6 7 31 [0,2] 6 7 [5,7] 5 7 32 [1,5] 6 5 [5,9] 6 7 34 38 6 7 6 6 7 6 28 [0,5] 6 7 [0,4] 6 [4,6] 18 32 28 27 32 26 163 A suppression pattern is adequate (passes audit), if the interval for each disclosure cell contains the open interval (0,5) This suppression pattern fails the audit for 3 cells Detecting such numerical insufficiency requires mathematical programming or other algorithms and software, implemented knowledgeably Could publish audit bounds in lieu of “ D ”

  15. An adequate suppression pattern [0,5] 6 [0,5] 7 6 7 31 6 7 6 [0,6] 7 [0,6] 32 [0,6] 6 [2,8] 7 6 7 34 38 6 7 6 6 7 6 28 [0,6] 6 [4,10] [1,7] 6 [0,6] 18 32 28 27 32 26 163

  16. Mathematically, this pattern is equivalent to D 11 D 13 0 0 5 0 0 D 24 D 26 6 8 D 31 D 34 0 0 16 D 51 D 53 D 54 D 56 6 16 7 6 35

  17. CONTROLLED TABULAR ADJUSTMENT Complementary cell suppression: - an NP hard problem : difficult theoretically and practically - produces “tables with holes” - thwarts statistical analysis An alternative method (to be discussed Friday) called controlled tabular adjustment - produces a full and fully analyzable table(s) - is close to the original table(s) * locally (cell by cell) * globally (minimizes a measure of overall distortion) - preserves important statistical properties of the table(s)

  18. Controlled Tabular Adjustment: Example Original table: RACE CATEGORY A 1 6 4 7 6 7 31 G E 6 7 6 5 7 1 32 C A 3 6 5 7 6 7 34 T E 38 6 7 6 6 7 6 G O R 28 2 6 7 2 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State

  19. Adjusted table: RACE CATEGORY A 0 6 5 6 6 8 31 G E 7 7 6 5 7 0 32 C A 5 6 5 5 6 7 34 T E 38 6 7 6 6 7 6 G O R 28 0 6 6 5 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State This solution minimizes sum of absolute adjustments subject to preserving marginal totals Various other optimization criteria are available, leading to other solutions

  20. For example: If in addition adjustments to the 24 nondisclosure cells are limited to a maximum of 1 unit, then an optimal adjusted table is: RACE CATEGORY A 0 6 5 6 6 8 31 G E 7 7 6 5 7 0 32 C A 5 6 5 6 5 7 34 T E 38 6 7 6 5 8 6 G O R 28 0 6 6 5 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TOWARDS A QUALITY ASSESSMENT OF DISCLOSURE-LIMITED STATISTICAL DATA Lawrence H. Cox, Ph.D.

TOWARDS A QUALITY ASSESSMENT OF DISCLOSURE-LIMITED STATISTICAL DATA Lawrence H. Cox, Ph.D.

TOWARDS A QUALITY ASSESSMENT OF DISCLOSURE-LIMITED STATISTICAL DATA Lawrence H. Cox, Ph.D. National Center for Health Statistics LCOX@CDC.GOV QUALITY-CONFIDENTIALITY TRADEOFF To reduce risk of statistical disclosure to an acceptable level ,

685 views • 32 slides
Preserving Confidentiality Overview AND Providing Adequate Data for Statistical Modeling

Preserving Confidentiality Overview AND Providing Adequate Data for Statistical Modeling

Preserving Confidentiality Overview AND Providing Adequate Data for Statistical Modeling Background and some fundamental abstractions for disclosure limitation. Stephen E. Fienberg Statistical users want more than to retrieve a few

427 views • 9 slides
Disclosure of tables Disclosure of statistical tables with primary and secondary suppressing of

Disclosure of tables Disclosure of statistical tables with primary and secondary suppressing of

Disclosure of tables Disclosure of statistical tables with primary and secondary suppressing of cell values within a SAS process chain Nordiskt SAS-mte, SSB, Oslo 2011 Anders Kraftling Methods Variety of methods to choose from in

668 views • 32 slides
Disclosure Mark Ashley DAC Beachcroft LLP Disclosure: Overview A vast topic! What is

Disclosure Mark Ashley DAC Beachcroft LLP Disclosure: Overview A vast topic! What is

Disclosure Mark Ashley DAC Beachcroft LLP Disclosure: Overview A vast topic! What is disclosure? Why documents are really important How it works in practice: The request for records Letter of Claim Litigation Other

778 views • 26 slides
How Modern Disclosure Avoidance Methods Could Change the Way Statistical Agencies Operate John M.

How Modern Disclosure Avoidance Methods Could Change the Way Statistical Agencies Operate John M.

How Modern Disclosure Avoidance Methods Could Change the Way Statistical Agencies Operate John M. Abowd Chief Scientist and Associate Director for Research and Methodology U.S. Census Bureau Federal Economic Statistics Advisory Committee December

216 views • 20 slides
Understanding the Effects of Real-World Behavior in Statistical Disclosure Attacks Simon Oya ,

Understanding the Effects of Real-World Behavior in Statistical Disclosure Attacks Simon Oya ,

Understanding the Effects of Real-World Behavior in Statistical Disclosure Attacks Simon Oya , Carmela Troncoso and Fernando Prez-Gonzlez In Introduction. Mix ixes. MIX The adversary is able to learn Alices sending profile!!! 2 In

219 views • 17 slides
Late Night Noise Limitation Program Overview Sea-Tac Stakeholder Advisory Roundtable, April 24 1

Late Night Noise Limitation Program Overview Sea-Tac Stakeholder Advisory Roundtable, April 24 1

Late Night Noise Limitation Program Overview Sea-Tac Stakeholder Advisory Roundtable, April 24 1 Late Night Noise Limitation Program Overview Focus on operations between the hours of 12am to 5am SEL noise thresholds established at 4

372 views • 23 slides
Lawrence Activity and Wellness Center Overview Where weve been Sales tax passed in 1994 to

Lawrence Activity and Wellness Center Overview Where weve been Sales tax passed in 1994 to

Lawrence Parks & Recreation Department Lawrence Activity and Wellness Center Overview Where weve been Sales tax passed in 1994 to fund, in part, parks and recreation facilities and programming Major improvements Lawrence

512 views • 21 slides
Genetic and cardiovascular risk factors in relation to physical limitation Emerald G. Heiland,

Genetic and cardiovascular risk factors in relation to physical limitation Emerald G. Heiland,

Genetic and cardiovascular risk factors in relation to physical limitation Emerald G. Heiland, PhD candidate Aging Research Center, Karolinska Institutet, Stockholm, Sweden Emerald.heiland@ki.se CONFLICT OF INTEREST DISCLOSURE I have no

345 views • 23 slides
Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure

Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure

Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure Continuing Disclosure Presenters: Lawrence Flynn Walter Goldsmith Topics for Discussion Continuing Disclosure - Background and post-MCDC

364 views • 20 slides
Overview and research directions Public Disclosure Authorized Dhushyanth Raju Office of the

Overview and research directions Public Disclosure Authorized Dhushyanth Raju Office of the

Public Disclosure Authorized Public Disclosure Authorized Overview and research directions Public Disclosure Authorized Dhushyanth Raju Office of the Chief Economist, South Asia Region World Bank June 25, 2018 Public Disclosure Authorized

369 views • 22 slides
Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation of deterministic approaches Continuous, deterministic models cant cope with: 1. Sensitivity to a very small number of molecules 2. Protein

1.14k views • 66 slides
Integrated LTSS: 10 Exemplar Programs G. Lawrence Atkins, PhD

Integrated LTSS: 10 Exemplar Programs G. Lawrence Atkins, PhD

Integrated LTSS: 10 Exemplar Programs G. Lawrence Atkins, PhD Integra6ng LTSS: Ten Case Studies of Exemplar Projects November 18, 2016 DISCLOSURE(S) Research

441 views • 10 slides
Overview 1. Introduction to statistical mechanics: Partition functions and statistical ensembles

Overview 1. Introduction to statistical mechanics: Partition functions and statistical ensembles

Phase transitions for particles in R 3 Sabine Jansen LMU Munich Konstanz, 29 May 2018 Overview 1. Introduction to statistical mechanics: Partition functions and statistical ensembles 2. Phase transitions: conjectures 3. Mathematical results:

384 views • 14 slides
Road map Three class sessions on ethics: Ethics 1 General 2 Scientific STAT8801 3 Statistical

Road map Three class sessions on ethics: Ethics 1 General 2 Scientific STAT8801 3 Statistical

Road map Three class sessions on ethics: Ethics 1 General 2 Scientific STAT8801 3 Statistical Statistical Consulting Full Disclosure School of Statistics These classes draw heavily and extensively from material assembled by University of

466 views • 7 slides
St. Lawrence Action Plan 2011-2026 Presentation to the Great Lakes and St. Lawrence Cities

St. Lawrence Action Plan 2011-2026 Presentation to the Great Lakes and St. Lawrence Cities

St. Lawrence Action Plan 2011-2026 Presentation to the Great Lakes and St. Lawrence Cities Initiative Qubec City June 28, 2012 1 Canada/Quebec cooperation on the St. Lawrence River Industrial State of the PHASE I Industry and

558 views • 26 slides
Measures of Fit for Logistic Regression Paul D. Allison, Ph.D. Statistical Horizons LLC Paper

Measures of Fit for Logistic Regression Paul D. Allison, Ph.D. Statistical Horizons LLC Paper

Measures of Fit for Logistic Regression Paul D. Allison, Ph.D. Statistical Horizons LLC Paper 1485-2014 Introduction How do I know if my model is a good model? Translation: How can I convince my boss/reviewer/regulator that this

327 views • 32 slides
Transition to Adulthood Learning Collaborative (TALC) FY20 Quarter 4 Meeting August 10, 2020

Transition to Adulthood Learning Collaborative (TALC) FY20 Quarter 4 Meeting August 10, 2020

Transition to Adulthood Learning Collaborative (TALC) FY20 Quarter 4 Meeting August 10, 2020 Agenda Welcome & Housekeeping Presentation Texas Transition: 2020 and Beyond CSHCN Systems Development Group Updates Current

900 views • 62 slides
(Un)Successful Adaptation NERRS Science Collaborative 1 Welcome Enjoy your lunch and dive right

(Un)Successful Adaptation NERRS Science Collaborative 1 Welcome Enjoy your lunch and dive right

(Un)Successful Adaptation NERRS Science Collaborative 1 Welcome Enjoy your lunch and dive right in! What does successful adaptation mean to you? In your work? NERRS Science Collaborative 2 Fourth National Adaptation Forum Madison,

642 views • 17 slides
Coxs proportional hazards model and Coxs partial likelihood Rasmus Waagepetersen October

Coxs proportional hazards model and Coxs partial likelihood Rasmus Waagepetersen October

Coxs proportional hazards model and Coxs partial likelihood Rasmus Waagepetersen October 8, 2020 1 / 27 Non-parametric vs. parametric Suppose we want to estimate unknown function, e.g. survival function. Approaches: Non-parametric

595 views • 27 slides
Manchester UK Professor Jorge Ribeiro Patrick Ribeiro 1 SAS/ETS Econometrics Time Series

Manchester UK Professor Jorge Ribeiro Patrick Ribeiro 1 SAS/ETS Econometrics Time Series

Survival Data Mining using Enterprise Miner and Proportional Hazard Cox Model 25 th June 2015 Manchester UK Professor Jorge Ribeiro Patrick Ribeiro 1 SAS/ETS Econometrics Time Series Enterprise Miner 13.2 PROC ARIMA Survival Analysis

663 views • 47 slides
The Cross-section of Managerial Ability and Risk Preferences Ralph S.J. Koijen Chicago GSB

The Cross-section of Managerial Ability and Risk Preferences Ralph S.J. Koijen Chicago GSB

Motivation Data Model Econometric approach Empirical results The Cross-section of Managerial Ability and Risk Preferences Ralph S.J. Koijen Chicago GSB October 2008 Ralph S.J. Koijen - Chicago GSB Motivation Data Model Econometric

829 views • 72 slides
EACA 2014 XIV Encuentro de lgebra Computacional y Aplicaciones Barcelona June 1820 2014

EACA 2014 XIV Encuentro de lgebra Computacional y Aplicaciones Barcelona June 1820 2014

EACA 2014 XIV Encuentro de lgebra Computacional y Aplicaciones Barcelona June 1820 2014 http://www.ub.edu/eaca2014/ Carlos DAndrea Moving surfaces ideals of rational parametrizations Moving surfaces ideals of rational parametrizations

446 views • 40 slides
The Role of Atmospheric Circulation in the Seasonal Melt of Snow and Sea Ice in the Pacific

The Role of Atmospheric Circulation in the Seasonal Melt of Snow and Sea Ice in the Pacific

The Role of Atmospheric Circulation in the Seasonal Melt of Snow and Sea Ice in the Pacific Arctic Christopher J. Cox 1,2 , Robert S. Stone 3 , Diane Stanitski 4 , David C. Douglas 5 1 Cooperative Institute for Research in Environmental Sciences

335 views • 19 slides

More recommend