Statistical Disclosure Control

From Simson Garfinkel
Revision as of 06:11, 27 September 2017 by Simson (talk | contribs) (→‎US Census Bureau)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

There are two main approaches to SDC: principles-based and rules-based.[1] In principles-based systems, disclosure control attempts to upload a specific set of fundamental principles---for example, "no person should be identifiable in released microdata." Rules-based systems, in contrast, are evidenced by a specific set of rules that a person performing disclosure control follows, after which the data are presumed to be safe to release. Using this taxonomy, proposed by Ritchie and Elliot in 2013, disclosure control based on differential privacy can be seen as a principles-based approach, whereas controls based on de-identification, such as the US Health Insurance Portability and Accountability Act's Privacy Rule's Safe Harbor method for de-identifying Protected health information can be seen as a rule-based system.


Presentations

How-to Guides

  • Statistical Policy Working Paper 22, Federal Committee on Statistical Methodology, Originally Prepared by Subcommittee on Disclosure Limitation Methodology 1994 Revised by Confidentiality and Data Access Committee 2005

Papers

US Census Bureau

Below are papers that the US Census Bureau has written on statistical Disclosure Control

Review Articles

  • Fienberg, Stephen, "Confidentiality and Disclosure Limitation," Encyclopedia of Social Measurement, Volume 1, 2005. A good overview article about statistical disclosure limitation, not too much math. No mention of differential privacy, of course.

Critiques

Many contemporary statistical disclosure control techniques, such as generalization and cell suppression, have been shown to be vulnerable to attack by a hypothetical data intruder. For example, Cox showed in 2009 that Complementary cell suppression typically leads to "over-protected" solutions because of the need to suppress both primary and complementary cells, and even then can lead to the compromise of sensitive data when exact intervals are reported.[2]


References

  1. Template:Cite journal
  2. Lawrence H. Cox, Vulnerability of Complementary Cell Suppression to Intruder Attack, Journal of Privacy and Confidentiality (2009) 1, Number 2, pp. 235–251 http://repository.cmu.edu/cgi/viewcontent.cgi?article=1017