Presentation is loading. Please wait.

Presentation is loading. Please wait.

Confidentiality risks of releasing measures of data quality Jerry Reiter Department of Statistical Science Duke University

Published byGuadalupe Weatherly Modified over 9 years ago

Similar presentations

Presentation on theme: "Confidentiality risks of releasing measures of data quality Jerry Reiter Department of Statistical Science Duke University"— Presentation transcript:

1 Confidentiality risks of releasing measures of data quality Jerry Reiter Department of Statistical Science Duke University jerry@stat.duke.edu

2 General setting Original microdata, O Candidate release, M (1:1 link with O). Provide some measure of quality of M for specific analyses, labeled FM. Released dynamically for analyses submitted to a “verification server.”

3 Possible measures (think regression coefficients) Overlap in confidence intervals Compute 95% CI for Q with O; compute 95% CI for Q with M; measure overlap in intervals. Distance between Q(M) and Q(O). Absolute (relative) error. Percentage change in variance.

4 Possible measures (think regression coefficients) Posterior predictive p-value Computed for (pre-specified?) statistics. Goodness of fit measure PRESS or other predictive stats for D. Value of likelihood or AIC/BIC in D. Others….

5 General confidentiality risks Backsolving risk If FM is exact, analyst might determine elements of O from FM and Q(M). Prediction risk If utility measure indicates small difference, analyst might closely estimate elements of O from FM and Q(M).

6 Confidentiality attacks for different SDL Data swapping: Try all possible swaps until utility measure reports exact for some Q that depends on all (swapped) variables. Adding noise: If constant variance noise and large dataset, recover noise variance by division. Increase individual records’ values in some Q until utility measure reveals a close fit. Re-coding / Suppression: Get utility measures for tabular-like Q to figure out individual values.

7 Confidentiality attacks for different SDL General attack strategies Turn microdata into tabular data. -- Create indicator variables out of continuous variables for tail area events, where limits change slightly.

8 Example of attacks: Setting Suppose agency uses 3% data swap of five categorical quasi-identifiers, X. When record selected for swapping, all of its X is swapped with the X for another record. Other values, Y, are not swapped.

9 Example continued User asks for quality of - coefficients in linear regression of Y on X. - sample mean of Y. - mean of Y for small subpopulation defined by X. - contingency table analysis with X. Fidelity measure is confidence interval overlap (not coarsened). Perfect overlap defined as 1. No overlap defined as 0.

10 Intruder attacks Find out which records were swapped: Try different records in M for some query involving a subset of the data. If FM = 1, assume records were not swapped. Find out values of swapped X: Find at least one not swapped record for each level of univariate X. Add target record with swapped X. Let Q be frequencies of each cell for the selected records. Correct value is the one not equal to swapped value for which FM < 1.

11 Another example To previous scenario, employ top-coding to protect upper 1% tail of a continuous Y1. And, add noise to all values of some Y2. Users desire regressions, means, confidence intervals for quantiles.

12 Intruder attacks Order the records by values of Y1: Form a data set with one top-coded record and many not top-coded records. Let Q be sample mean and obtain FM. Repeat for all top-coded records. Order records by FM. Estimate values of Y1 in upper 1%: Repeat above strategy. Try values of true Y1 that result in recreation of FM.

13 Intruder attacks Estimate values of Y1 in upper 1%: Form group of not top-coded records for which Y1 is transformed so that it equals zero (or any one number). Add one top- coded record. Get FM for mean of Y1 for these values. Try values of true Y1 that result in recreation of FM. Same strategy applies for learning values of Y2 with added noise.

14 Reducing risks of these attacks Limit what is released Report something other than exact FM. Coarsen or add noise to measures before release. Do not release FM for some Q. Limit what is answerable Do not allow any copying or transposing data. Do not allow arbitrary transformations of data.

15 Limiting queries Minimum sample sizes for queries. Automatic feedback for set of common transformations, and make all others go through disclosure review. (Counter attacks based on unusual transformations that are unlikely to be legit analysis).

16 Coarsening FM measures Report FM rounded, for example to nearest.05 for CI overlap. Hard to know what values are safe and useful for generic Q. Add noise to FM measure. Same difficulty! One approach is to create “acceptable” bounds for each true value, and choose rounding/noise to ensure those bounds are feasible under an attack strategy.

17 Randomness in FM measures FM based on Q(M) and Q(O-), where O- built by randomly delete k records from data used in Q(O). resample deleted records with replacement (random seed defined by Q). FM not true except by random chance. Adds large noise to Q with small sample sizes and small noise to Q with large sample sizes.

18 Where to go from here Evaluate how much noise infusion/aggregation/resampling to the FM to defeat the attacks against topcoding or noise. Begin to develop system.

Download ppt "Confidentiality risks of releasing measures of data quality Jerry Reiter Department of Statistical Science Duke University"

Similar presentations

Alternative Approaches to Data Dissemination and Data Sharing Jerome Reiter Duke University

Alternative Approaches to Data Dissemination and Data Sharing Jerome Reiter Duke University
Estimating Identification Risks for Microdata Jerome P. Reiter Institute of Statistics and Decision Sciences Duke University, Durham NC, USA.

Estimating Identification Risks for Microdata Jerome P. Reiter Institute of Statistics and Decision Sciences Duke University, Durham NC, USA.
“Students” t-test.

“Students” t-test.
STA305 Spring 2014 This started with excerpts from STA2101f13

STA305 Spring 2014 This started with excerpts from STA2101f13
Welcome to PHYS 225a Lab Introduction, class rules, error analysis Julia Velkovska.

Welcome to PHYS 225a Lab Introduction, class rules, error analysis Julia Velkovska.
Extension The General Linear Model with Categorical Predictors.

Extension The General Linear Model with Categorical Predictors.
Estimating a Population Proportion

Estimating a Population Proportion
SDC for continuous variables under edit restrictions Natalie Shlomo & Ton de Waal UN/ECE Work Session on Statistical Data Editing, Bonn, September 2006.

SDC for continuous variables under edit restrictions Natalie Shlomo & Ton de Waal UN/ECE Work Session on Statistical Data Editing, Bonn, September 2006.
Sections 7-1 and 7-2 Review and Preview and Estimating a Population Proportion.

Sections 7-1 and 7-2 Review and Preview and Estimating a Population Proportion.
6-1 Introduction To Empirical Models 6-1 Introduction To Empirical Models.

6-1 Introduction To Empirical Models 6-1 Introduction To Empirical Models.
Ch11 Curve Fitting Dr. Deshi Ye

Ch11 Curve Fitting Dr. Deshi Ye
April 21, 2010 STAT 950 Chris Wichman. Motivation Every ten years, the U.S. government conducts a population census, and every five years the U. S. National.

April 21, 2010 STAT 950 Chris Wichman. Motivation Every ten years, the U.S. government conducts a population census, and every five years the U. S. National.
MF-852 Financial Econometrics

MF-852 Financial Econometrics
Evaluation (practice). 2 Predicting performance  Assume the estimated error rate is 25%. How close is this to the true error rate?  Depends on the amount.

Evaluation (practice). 2 Predicting performance  Assume the estimated error rate is 25%. How close is this to the true error rate?  Depends on the amount.
Evaluation.

Evaluation.
Lecture 24: Thurs. Dec. 4 Extra sum of squares F-tests (10.3) R-squared statistic (10.4.1) Residual plots (11.2) Influential observations (11.3, 11.4.3.

Lecture 24: Thurs. Dec. 4 Extra sum of squares F-tests (10.3) R-squared statistic (10.4.1) Residual plots (11.2) Influential observations (11.3,
Sample Size Determination In the Context of Hypothesis Testing

Sample Size Determination In the Context of Hypothesis Testing
Review for Exam 2 Some important themes from Chapters 6-9 Chap. 6. Significance Tests Chap. 7: Comparing Two Groups Chap. 8: Contingency Tables (Categorical.

Review for Exam 2 Some important themes from Chapters 6-9 Chap. 6. Significance Tests Chap. 7: Comparing Two Groups Chap. 8: Contingency Tables (Categorical.
Inferential Statistics

Inferential Statistics
Correlation Question 1 This question asks you to use the Pearson correlation coefficient to measure the association between [educ4] and [empstat]. However,

Correlation Question 1 This question asks you to use the Pearson correlation coefficient to measure the association between [educ4] and [empstat]. However,

Similar presentations

Ads by Google