overview of statistical disclosure limitation lawrence h
play

OVERVIEW OF STATISTICAL DISCLOSURE LIMITATION Lawrence H. Cox, - PDF document

Dec 05, 2023 •276 likes •547 views

OVERVIEW OF STATISTICAL DISCLOSURE LIMITATION Lawrence H. Cox, Associate Director National Center for Health Statistics LCOX@CDC.GOV DIMACS Working Group on Privacy/Confidentiality of Health Data DIMACS Rutgers University, Piscataway NJ

  1. OVERVIEW OF STATISTICAL DISCLOSURE LIMITATION Lawrence H. Cox, Associate Director National Center for Health Statistics LCOX@CDC.GOV DIMACS Working Group on Privacy/Confidentiality of Health Data DIMACS Rutgers University, Piscataway NJ December 10-12, 2003

  2. WHAT IS STATISTICAL DISCLOSURE? WHY IS IT A PROBLEM? * Qualitatively * Quantitatively WHAT CAN BE DONE TO LIMIT STATISTICAL DISCLOSURE?

  3. QUALITATIVE/POLICY ISSUES What is confidentiality preservation? * holding close information of a personal or proprietary nature pertaining to a respondent, and not revealing it (directly or indirectly) to an unauthorized third party What is statistical confidentiality protection? * preserving confidentiality in statistical data products What is statistical disclosure? * statistical disclosure occurs when the release of a data product enables a third party to learn more about a respondent than originally known (T. Dalenius) Note: " Respondent " refers to direct providers of data (person, organization, business) and to “units of analysis" they represent (families, corporations, groups)

  4. Is confidentiality important? Why should the data provider preserve confidentiality? * required by law, regulation or policy * ethical obligation: the social contract * practical considerations - data accuracy - data completeness - developing trust How is confidentiality threatened by release of statistical data? * overt or derived identification and disclosure of individual respondent data * identification thru matching attributes to another data file, leading to disclosure of individual attributes * associate large percentage of an identifiable group with a characteristic ( group disclosure )

  5. Must confidentiality preservation be absolute? What is its relative importance? * the balance issue: right to privacy vs. need to know * absolute confidentiality preservation is impossible: releasing any data divulges something about each respondent * technology limits what can be done - technology to limit disclosure - technology to cause disclosure * in principle: - minimum disclosure protection and data quality and completeness standards are not incompatible - a joint optimum can be reached * in practice: - the balancing process is iterative - incompatibilities are resolved in favor of preserving confidentiality

  6. What factors affect statistical disclosure? * factors affecting likelihood of disclosure - number of variables - level(s) of data aggregation or presentation - accuracy/quality of data - sampling rate(s) - knowledge about survey participation - distribution of characteristics - time - insider knowledge * factors affecting the risk of disclosure - likelihood of disclosure - number of confidential variables - sensitivity of confidential data - time - target of disclosure # targeted respondent # arbitrary respondent: fishing expedition # group disclosure - existence/quality of matching files - motivation/abilities of intruder - cost to achieve disclosure - ease to access/manipulate data

  7. QUANTITATIVE/STATISTICAL ISSUES Statistical Disclosure in Tabular Data: An Illustration RACE CATEGORY A 1 6 4 7 6 7 31 G E 6 7 6 5 7 1 32 C A 3 6 5 7 6 7 34 T E 38 6 7 6 6 7 6 G O R 28 2 6 7 2 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State Releaser determines: disclosure occurs whenever a cell count is (or can be reliably inferred to be) between 1 - 4 This results in 6 primary disclosure cells (in bold ) Traditional disclosure limitation methods : Rounding (base B = 5), perturbation, cell suppression

  8. ROUNDING Conventional Rounding (round to nearest multiple of B = 5) 0 5 5 5 5 5 30 (25) 5 5 5 5 5 0 30 (25) 5 5 5 5 5 5 35 (30) 40 (30) 5 5 5 5 5 5 30 (20) 0 5 5 0 5 5 20 30 30 25 30 25 165 (15) (25) (25) (20) (25) (20) (130) ( ) = sum of rounded entries Rounded table is NOT additive!!! 165 - 130 = 35 individuals are not accounted for!!!

  9. Controlled Rounding - round to an adjacent multiple of B = 5 - preserve additivity within the table - multiples of B = 5 remain fixed 0 5 5 5 5 10 30 5 10 5 5 10 0 35 5 5 5 10 5 5 35 35 5 10 5 5 5 5 25 0 5 10 0 5 5 15 35 30 25 30 25 160 Many different Controlled Roundings are possible This CR is optimal as it is close as possible to the original table CR methodology for 2-D tables based on network optimization Random (Unbiased) Controlled Rounding also possible (Controlled) (Random) Perturbation is analogous

  10. COMPLEMENTARY CELL SUPPRESSION Suppressing only the disclosure cells D D 6 7 6 7 31 6 7 6 5 7 D 32 D 6 5 7 6 7 34 38 6 7 6 6 7 6 28 D D 6 7 6 5 18 32 28 27 32 26 163 Suppression pattern is inadequate due to ability of attacker to reconstruct/estimate one or more suppressions using the row and column equations Need complementary cell suppression , viz., suppress additional nondisclosure cells to thwart reconstruction or narrow estimation of primary disclosure cells

  11. Heuristic complementary cell suppression D 11 6 D 13 7 6 7 31 6 7 6 D 24 7 D 26 32 D 31 D 33 6 7 6 7 34 38 6 7 6 6 7 6 28 D 51 6 7 D 54 6 D 56 18 32 28 27 32 26 163 This does better and appears to adequately limit disclosure D 51 � 2 However, : Row 2 + Row 5 - Col 4 - Col 6 = 32 + 28 - 27 - 26 = 7: 7 � ( D 24 � D 26 � 26) � ( D 51 � D 54 � 19) � ( D 24 � D 54 � 20) � ( D 26 � D 56 � 20) � D 51 � 5 Detecting such structural insufficiency usually requires mathematical programming, viz., subject to the row and column constraints, compute min { D 51 } and max { D 51 }

  12. A better suppression pattern D 6 D 7 6 7 31 6 7 D 5 7 D 32 D D 6 5 6 7 34 38 6 7 6 6 7 6 28 D 6 7 D 6 D 18 32 28 27 32 26 163

  13. Mathematically, this pattern is equivalent to D 11 D 13 0 0 5 0 D 23 0 D 26 7 10 D 31 D 34 0 0 9 D 51 0 D 54 D 56 6 10 9 6 31 This pattern has some desirable features: - not structurally insufficient - minimum possible number of cells suppressed - minimum possible total value suppressed This pattern does not appear inadequate: - at least two suppressions in each row/column - reduced row/col equations add to at least 5 However, appearances can be deceiving

  14. Suppression Audit Linear analysis reveals exact bounds for suppressed entries: [0,2] 6 [3,5] 7 6 7 31 [0,2] 6 7 [5,7] 5 7 32 [1,5] 6 5 [5,9] 6 7 34 38 6 7 6 6 7 6 28 [0,5] 6 7 [0,4] 6 [4,6] 18 32 28 27 32 26 163 A suppression pattern is adequate (passes audit), if the interval for each disclosure cell contains the open interval (0,5) This suppression pattern fails the audit for 3 cells Detecting such numerical insufficiency requires mathematical programming or other algorithms and software, implemented knowledgeably Could publish audit bounds in lieu of “ D ”

  15. An adequate suppression pattern [0,5] 6 [0,5] 7 6 7 31 6 7 6 [0,6] 7 [0,6] 32 [0,6] 6 [2,8] 7 6 7 34 38 6 7 6 6 7 6 28 [0,6] 6 [4,10] [1,7] 6 [0,6] 18 32 28 27 32 26 163

  16. Mathematically, this pattern is equivalent to D 11 D 13 0 0 5 0 0 D 24 D 26 6 8 D 31 D 34 0 0 16 D 51 D 53 D 54 D 56 6 16 7 6 35

  17. CONTROLLED TABULAR ADJUSTMENT Complementary cell suppression: - an NP hard problem : difficult theoretically and practically - produces “tables with holes” - thwarts statistical analysis An alternative method (to be discussed Friday) called controlled tabular adjustment - produces a full and fully analyzable table(s) - is close to the original table(s) * locally (cell by cell) * globally (minimizes a measure of overall distortion) - preserves important statistical properties of the table(s)

  18. Controlled Tabular Adjustment: Example Original table: RACE CATEGORY A 1 6 4 7 6 7 31 G E 6 7 6 5 7 1 32 C A 3 6 5 7 6 7 34 T E 38 6 7 6 6 7 6 G O R 28 2 6 7 2 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State

  19. Adjusted table: RACE CATEGORY A 0 6 5 6 6 8 31 G E 7 7 6 5 7 0 32 C A 5 6 5 5 6 7 34 T E 38 6 7 6 6 7 6 G O R 28 0 6 6 5 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State This solution minimizes sum of absolute adjustments subject to preserving marginal totals Various other optimization criteria are available, leading to other solutions

  20. For example: If in addition adjustments to the 24 nondisclosure cells are limited to a maximum of 1 unit, then an optimal adjusted table is: RACE CATEGORY A 0 6 5 6 6 8 31 G E 7 7 6 5 7 0 32 C A 5 6 5 6 5 7 34 T E 38 6 7 6 5 8 6 G O R 28 0 6 6 5 6 5 Y 18 32 28 27 32 26 163 Incidence of Death Related to a Specific Disease in a State

Recommend

TOWARDS A QUALITY ASSESSMENT OF DISCLOSURE-LIMITED STATISTICAL DATA Lawrence H. Cox, Ph.D.

TOWARDS A QUALITY ASSESSMENT OF DISCLOSURE-LIMITED STATISTICAL DATA Lawrence H. Cox, Ph.D.

TOWARDS A QUALITY ASSESSMENT OF DISCLOSURE-LIMITED STATISTICAL DATA Lawrence H. Cox, Ph.D. National Center for Health Statistics LCOX@CDC.GOV QUALITY-CONFIDENTIALITY TRADEOFF To reduce risk of statistical disclosure to an acceptable level ,

685 views • 32 slides
Preserving Confidentiality Overview AND Providing Adequate Data for Statistical Modeling

Preserving Confidentiality Overview AND Providing Adequate Data for Statistical Modeling

Preserving Confidentiality Overview AND Providing Adequate Data for Statistical Modeling Background and some fundamental abstractions for disclosure limitation. Stephen E. Fienberg Statistical users want more than to retrieve a few

427 views • 9 slides
Disclosure of tables Disclosure of statistical tables with primary and secondary suppressing of

Disclosure of tables Disclosure of statistical tables with primary and secondary suppressing of

Disclosure of tables Disclosure of statistical tables with primary and secondary suppressing of cell values within a SAS process chain Nordiskt SAS-mte, SSB, Oslo 2011 Anders Kraftling Methods Variety of methods to choose from in

668 views • 32 slides
Disclosure Mark Ashley DAC Beachcroft LLP Disclosure: Overview A vast topic! What is

Disclosure Mark Ashley DAC Beachcroft LLP Disclosure: Overview A vast topic! What is

Disclosure Mark Ashley DAC Beachcroft LLP Disclosure: Overview A vast topic! What is disclosure? Why documents are really important How it works in practice: The request for records Letter of Claim Litigation Other

778 views • 26 slides
How Modern Disclosure Avoidance Methods Could Change the Way Statistical Agencies Operate John M.

How Modern Disclosure Avoidance Methods Could Change the Way Statistical Agencies Operate John M.

How Modern Disclosure Avoidance Methods Could Change the Way Statistical Agencies Operate John M. Abowd Chief Scientist and Associate Director for Research and Methodology U.S. Census Bureau Federal Economic Statistics Advisory Committee December

216 views • 20 slides
Understanding the Effects of Real-World Behavior in Statistical Disclosure Attacks Simon Oya ,

Understanding the Effects of Real-World Behavior in Statistical Disclosure Attacks Simon Oya ,

Understanding the Effects of Real-World Behavior in Statistical Disclosure Attacks Simon Oya , Carmela Troncoso and Fernando Prez-Gonzlez In Introduction. Mix ixes. MIX The adversary is able to learn Alices sending profile!!! 2 In

219 views • 17 slides
Late Night Noise Limitation Program Overview Sea-Tac Stakeholder Advisory Roundtable, April 24 1

Late Night Noise Limitation Program Overview Sea-Tac Stakeholder Advisory Roundtable, April 24 1

Late Night Noise Limitation Program Overview Sea-Tac Stakeholder Advisory Roundtable, April 24 1 Late Night Noise Limitation Program Overview Focus on operations between the hours of 12am to 5am SEL noise thresholds established at 4

372 views • 23 slides
Lawrence Activity and Wellness Center Overview Where weve been Sales tax passed in 1994 to

Lawrence Activity and Wellness Center Overview Where weve been Sales tax passed in 1994 to

Lawrence Parks & Recreation Department Lawrence Activity and Wellness Center Overview Where weve been Sales tax passed in 1994 to fund, in part, parks and recreation facilities and programming Major improvements Lawrence

512 views • 21 slides
Genetic and cardiovascular risk factors in relation to physical limitation Emerald G. Heiland,

Genetic and cardiovascular risk factors in relation to physical limitation Emerald G. Heiland,

Genetic and cardiovascular risk factors in relation to physical limitation Emerald G. Heiland, PhD candidate Aging Research Center, Karolinska Institutet, Stockholm, Sweden Emerald.heiland@ki.se CONFLICT OF INTEREST DISCLOSURE I have no

345 views • 23 slides
Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure

Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure

Bond Issuance, Muni A Bond Issuance, Muni Advisor R visor Rule and le and Continuing Disclosure Continuing Disclosure Presenters: Lawrence Flynn Walter Goldsmith Topics for Discussion Continuing Disclosure - Background and post-MCDC

364 views • 20 slides
Overview and research directions Public Disclosure Authorized Dhushyanth Raju Office of the

Overview and research directions Public Disclosure Authorized Dhushyanth Raju Office of the

Public Disclosure Authorized Public Disclosure Authorized Overview and research directions Public Disclosure Authorized Dhushyanth Raju Office of the Chief Economist, South Asia Region World Bank June 25, 2018 Public Disclosure Authorized

369 views • 22 slides
Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation of deterministic approaches Continuous, deterministic models cant cope with: 1. Sensitivity to a very small number of molecules 2. Protein

1.14k views • 66 slides
Integrated LTSS: 10 Exemplar Programs G. Lawrence Atkins, PhD

Integrated LTSS: 10 Exemplar Programs G. Lawrence Atkins, PhD

Integrated LTSS: 10 Exemplar Programs G. Lawrence Atkins, PhD Integra6ng LTSS: Ten Case Studies of Exemplar Projects November 18, 2016 DISCLOSURE(S) Research

441 views • 10 slides
Overview 1. Introduction to statistical mechanics: Partition functions and statistical ensembles

Overview 1. Introduction to statistical mechanics: Partition functions and statistical ensembles

Phase transitions for particles in R 3 Sabine Jansen LMU Munich Konstanz, 29 May 2018 Overview 1. Introduction to statistical mechanics: Partition functions and statistical ensembles 2. Phase transitions: conjectures 3. Mathematical results:

384 views • 14 slides
Road map Three class sessions on ethics: Ethics 1 General 2 Scientific STAT8801 3 Statistical

Road map Three class sessions on ethics: Ethics 1 General 2 Scientific STAT8801 3 Statistical

Road map Three class sessions on ethics: Ethics 1 General 2 Scientific STAT8801 3 Statistical Statistical Consulting Full Disclosure School of Statistics These classes draw heavily and extensively from material assembled by University of

466 views • 7 slides
St. Lawrence Action Plan 2011-2026 Presentation to the Great Lakes and St. Lawrence Cities

St. Lawrence Action Plan 2011-2026 Presentation to the Great Lakes and St. Lawrence Cities

St. Lawrence Action Plan 2011-2026 Presentation to the Great Lakes and St. Lawrence Cities Initiative Qubec City June 28, 2012 1 Canada/Quebec cooperation on the St. Lawrence River Industrial State of the PHASE I Industry and

558 views • 26 slides
Axion-driven inflation and quantum gravity Albion Lawrence, Brandeis University Kaloper,

Axion-driven inflation and quantum gravity Albion Lawrence, Brandeis University Kaloper,

Axion-driven inflation and quantum gravity Albion Lawrence, Brandeis University Kaloper, Lawrence, and Sorbo 1101.0026 Kaloper and Lawrence 1404.2912 Kaloper, Kleban, Lawrence, and Sloth 1511.05119 Kaloper and Lawrence, in progress 1 I.

528 views • 20 slides
Evaluating Variability in the Implementation of Surgical Time-Outs Lawrence, S; Hechenbleikner,

Evaluating Variability in the Implementation of Surgical Time-Outs Lawrence, S; Hechenbleikner,

Evaluating Variability in the Implementation of Surgical Time-Outs Lawrence, S; Hechenbleikner, E; Cane, S; Boyle, L; Al-Refaie, W MedStar-Georgetown Surgical Outcomes Research Center 2016 Academic Surgical Congress 1 2016 Disclosure Slide

180 views • 6 slides
2020 Census Participant Statistical Areas Program (PSAP) Standard Statistical Geography Webinar

2020 Census Participant Statistical Areas Program (PSAP) Standard Statistical Geography Webinar

2020 Census Participant Statistical Areas Program (PSAP) Standard Statistical Geography Webinar Agenda PSAP Overview. Schedule. Materials. Standard Statistical Geography Overview. Geographic Update Partnership Software

962 views • 81 slides
Home Mortgage Disclosure Act: Auditing Tips 1 2 Regulation Overview Regulation Overview

Home Mortgage Disclosure Act: Auditing Tips 1 2 Regulation Overview Regulation Overview

3/13/20 Regulation Overview Home Mortgage Disclosure Act: Auditing Tips 1 2 Regulation Overview Regulation Overview Requires certain financial institutions to collect, report, and disclose The data are submitted electronically to the

250 views • 6 slides
SOME STATISTICAL TESTS Overview Theory of statistical tests Test for a difference in mean

SOME STATISTICAL TESTS Overview Theory of statistical tests Test for a difference in mean

R course Tuesday, March 12 2013 SOME STATISTICAL TESTS Overview Theory of statistical tests Test for a difference in mean Test for dependence Nominal variables Continuous variables Ordinal variables Power of a test

641 views • 26 slides
Forum Shopping in Marine Casualty Cases by David McInnes, Partner Content: Limitation of

Forum Shopping in Marine Casualty Cases by David McInnes, Partner Content: Limitation of

Forum Shopping in Marine Casualty Cases by David McInnes, Partner Content: Limitation of liability conventions Introduction 1957 Brussels Limitation Convention 1976 London Convention on the Limitation of Liability for Maritime

1.08k views • 18 slides
Statistical Paradigm Many problems can be posed as pattern recognition Image

Statistical Paradigm Many problems can be posed as pattern recognition Image

EE 6882 Overview of Statistical Models for Video Indexing Prof. Shih-Fu Chang Columbia University TA: Eric Zavesky Fall 2007, Lecture 4 Course web site: http:/ / www.ee.columbia.edu/ ~ sfchang/ course/ svia 1 Statistical Paradigm Many

288 views • 28 slides
Towards real-time simulations of Cardiac Arrhythmias Lawrence Mitchell EPCC

Towards real-time simulations of Cardiac Arrhythmias Lawrence Mitchell EPCC

Towards real-time simulations of Cardiac Arrhythmias Lawrence Mitchell EPCC lawrence.mitchell@ed.ac.uk Overview CARP is a finite element code that models cardiac electrophysiology In-silico modelling of treatments for cardiovascular

503 views • 16 slides

More recommend