The Probability of Identification: Applying Ideas from Forensic Statistics to Disclosure Risk Assessment

Skinner, Chris J.

doi:10.1111/j.1467-985x.2006.00457.x

Cited by 7 publications

(10 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this case, we have | ( ) Skinner and Shlomo (2008) discuss methods for the specification of the model in (10). Skinner (2007) discusses the possible dependence of the measure on the search method employed by the intruder.…”

Section: File-level Measures Of Identification Riskmentioning

confidence: 99%

Statistical Disclosure Control for Survey Data

Skinner¹

2009

Handbook of Statistics

View full text Add to dashboard Cite

Statistical disclosure control refers to the methodology used in the design of the statistical outputs from a survey for protecting the confidentiality of respondents' answers. The threat to confidentiality is assumed to come from a hypothetical intruder who has access to these outputs and seeks to use them to disclose information about a survey respondent. One key concern relates to identity disclosure, which would occur if the intruder were able to link a known individual (or other unit) to an element of the output. Another main concern relates to attribute disclosure, which would occur if the intruder could determine the value of some survey variable for an identified individual (or other unit) using the statistical output. Measures of the probability of disclosure are called disclosure risk. If this level of risk is deemed unacceptable then it may be necessary to apply a method of statistical disclosure control to the output. The choice of which method and how much protection to apply depends not just on the impact on disclosure risk but also on the impact on the utility of the output to users. This paper provides a review of statistical disclosure control methodology for two main types of survey output: (i) tables of estimates of population parameters and (ii) microdata, often released as a rectangular file of variables by analysis units. For each of these types of output, the definition and estimation of disclosure risk is discussed as well as methods for statistical disclosure control. 1 Statistical Disclosure Control for Survey Data Chris Skinner University of Southampton AbstractStatistical disclosure control refers to the methodology used in the design of the statistical outputs from a survey for protecting the confidentiality of respondents' answers. The threat to confidentiality is assumed to come from a hypothetical intruder who has access to these outputs and seeks to use them to disclose information about a survey respondent. One key concern relates to identity disclosure, which would occur if the intruder were able to link a known individual (or other unit) to an element of the output. Another main concern relates to attribute disclosure, which would occur if the intruder could determine the value of some survey variable for an identified individual (or other unit) using the statistical output. Measures of the probability of disclosure are called disclosure risk. If this level of risk is deemed unacceptable then it may be necessary to apply a method of statistical disclosure control to the output. The choice of which method and how much protection to apply depends not just on the impact on disclosure risk but also on the impact on the utility of the output to users. This paper provides a review of statistical disclosure control methodology for two main types of survey output: (i) tables of estimates of population parameters and (ii) microdata, often released as a rectangular file of variables by analysis units. For each of these types of output, the definition and estimation of disclosure...

show abstract

Section: File-level Measures Of Identification Riskmentioning

confidence: 99%

Statistical Disclosure Control for Survey Data

Skinner¹

2009

Handbook of Statistics

View full text Add to dashboard Cite

show abstract

“…Too conservative risk assessment needlessly sacrifices data utility in favor of individual anonymity; risk assessment that errs on the other side risks disclosure of sensitive information. This has been described as the over-and under fitting of risk estimates and is the main thrust of research in risk disclosure and development of the two-way interaction model (Skinner, 2007).…”

Section: Sage Openmentioning

confidence: 99%

Avoiding Disclosure of Individually Identifiable Health Information

et al. 2011

View full text Add to dashboard Cite

Achieving data and information dissemination without harming anyone is a central task of any entity in charge of collecting data. In this article, the authors examine the literature on data and statistical confidentiality. Rather than comparing the theoretical properties of specific methods, they emphasize the main themes that emerge from the ongoing discussion among scientists regarding how best to achieve the appropriate balance between data protection, data utility, and data dissemination. They cover the literature on de-identification and reidentification methods with emphasis on health care data. The authors also discuss the benefits and limitations for the most common access methods. Although there is abundant theoretical and empirical research, their review reveals lack of consensus on fundamental questions for empirical practice: How to assess disclosure risk, how to choose among disclosure methods, how to assess reidentification risk, and how to measure utility loss.Keywords public use files, disclosure avoidance, reidentification, de-identification, data utility 2 SAGE Open inferential disclosure (i.e., information that can be inferred about a record in a data set with better accuracy). There is significant literature on each of these topics, which are beyond the scope of this article.Our article is divided into six sections, of which this "Introduction" is the first. The second section presents "The Policy and Academic Context" surrounding the discussion. The third section discusses the state of the art in "De-Identification Methods," while the fourth emphasizes the state of the art in "Reidentification Methods." The fifth section presents the conclusions from the literature on the different ways in which users may "Access" public data, stressing the trade-offs between (a) confidentiality and utility and (b) confidentiality and ease of access. The last section presents the "Conclusion." The Policy and Academic Context Historic PerspectiveConcerns about privacy and confidentiality in governmental efforts to collect and disseminate information are not new. As a review by Anderson and Seltzer (2009) suggests, "the roots of the modern concept of federal statistical confidentiality can be traced directly back to the late nineteenth century" (p. 8). Notwithstanding this history, the literature on statistical disclosure methods is fairly recent by modern standards (Dalenius, 1977, is considered the seminal paper). In 1975, the U.S. Federal Committee on Statistical Methodology (FCSM) was organized by the Office of Management and Budget (OMB) to investigate issues of data quality affecting federal statistics. As part of this effort, the Subcommittee on Disclosure Limitation Methodology, created within the FCSM, published its 1994 Statistical Policy Working Paper 22 (SPWP22). This paper, which was revised in 2005 by the Confidentiality and Data Access Committee (CDAC, 2005), sets good practice guidelines and recommendations for all agencies regarding confidentiality protection. Defining Confidentiality ...

show abstract

“…[14]. It is common to argue, however, that agencies should design release strategies so that an intruder could not know the value of j F from external information [10]. Note that, in particular, this requires assuming that 2 s P ≠ .…”

Section: Example 1(continued) Exact Matching With No Misclassificationmentioning

confidence: 99%

“…( ) [10]. It has also been shown that an intruder may be able to estimate these probabilities reliably under certain assumptions.…”

mentioning

confidence: 99%

“…Identification risk is defined as the probability that a match is correct, conditional on data assumed available to the intruder, c.f. [9,10], and it is required that this probability can be estimated reliably from these data. We suppose that the agency might use empirical proportions of correct matches as a means of validating these estimates but not as a direct means of estimation.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation