Disclosure Risk vs. Data Utility: The R-U Confidentiality Map
journal contribution
posted on 2003-02-01, 00:00
authored by George Duncan, Sallie A. Keller-McNulty, S. Lynne Stokes
Recognizing that deidentification of data is generally inadequate to protect their
confidentiality against attack by a data snooper, information organizations (IOs) can apply a
variety of disclosure limitation (DL) techniques, such as topcoding, noise addition and data
swapping. Desirably, the resulting restricted data have both high data utility U to data users and
low disclosure risk R from data snoopers. IOs lack a coherent framework for examining
tradeoffs between R and U for a specific DL procedure. They also lack systematic ways of
comparing the performance of distinct DL procedures. To provide this framework and facilitate
comparisons, the R-U confidentiality map is introduced to trace the joint impact on R and U of
changes in the parameters of a DL procedure. Implementation of an R-U confidentiality map is
illustrated in real multivariate data cases for two DL techniques: topcoding and multivariate
noise addition. Topcoding is examined for a Cobb-Douglas regression model, as fit to restricted
data from the New York City Housing and Vacancy Survey. Multivariate additive noise is
examined under various scenarios of attack, predicated on different knowledge states for a data
snooper, and for different goals of a data analyst. We illustrate how simulation methods can be
used to implement an empirical R-U confidentiality map, which is suitable for analytically intractable specifications of R, U and the disclosure limitation method. Application is made to
the Schools and Staffing Survey, which is conducted by the National Center for Education
Statistics.
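
The simulation approach described in the abstract can be sketched as follows. This is an added example, not code from the paper: the constructed data, the noise grid `ks`, the risk measure (nearest-neighbour re-identification rate for a snooper who knows the true values) and the utility measure (accuracy of a regression slope) are all assumptions chosen for illustration.

```python
import random
import statistics as st

def slope(xs, ys):
    """OLS slope of y on x."""
    mx, my = st.fmean(xs), st.fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx

def mask(xs, ys, k, rng):
    """DL procedure: add independent N(0, (k*sd)^2) noise to each variable."""
    sx, sy = st.pstdev(xs), st.pstdev(ys)
    return ([x + rng.gauss(0, k * sx) for x in xs],
            [y + rng.gauss(0, k * sy) for y in ys])

def risk(xs, ys, rx, ry):
    """Assumed R: share of records a snooper who knows the true (x, y)
    links correctly by nearest standardized distance in the release."""
    sx, sy = st.pstdev(xs), st.pstdev(ys)
    hits = 0
    for i, (x, y) in enumerate(zip(xs, ys)):
        best = min(range(len(rx)), key=lambda j: ((rx[j] - x) / sx) ** 2 + ((ry[j] - y) / sy) ** 2)
        hits += best == i
    return hits / len(xs)

def utility(xs, ys, rx, ry):
    """Assumed U: 1 - relative error of the analyst's regression slope, floored at 0."""
    b = slope(xs, ys)
    return max(0.0, 1 - abs(slope(rx, ry) - b) / abs(b))

def ru_map(ks=(0.0, 0.1, 0.25, 0.5, 1.0, 2.0), n=200, reps=5, seed=1):
    """Trace (k, R, U) as the noise parameter k grows; averages over reps."""
    rng = random.Random(seed)
    xs = [rng.gauss(10, 2) for _ in range(n)]           # constructed data
    ys = [3 + 1.5 * x + rng.gauss(0, 1) for x in xs]
    points = []
    for k in ks:
        rs, us = [], []
        for _ in range(reps):
            rx, ry = mask(xs, ys, k, rng)
            rs.append(risk(xs, ys, rx, ry))
            us.append(utility(xs, ys, rx, ry))
        points.append((k, st.fmean(rs), st.fmean(us)))
    return points

if __name__ == "__main__":
    for k, r, u in ru_map():
        print(f"k={k:<4} R={r:.3f} U={u:.3f}")
```

Plotting R against U for each k gives the empirical map: the unmasked release sits at R = 1, U = 1, and both fall as the noise scale increases.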