|
Abstract:
|
2003 was the year the cryptography community first considered safe systems for publication from confidential data. The initial message was a strong result: most of the confidentiality protection systems used by statistical agencies around the world, known as statistical disclosure limitation, cannot defend against a database reconstruction attack, which recreates increasingly accurate record-level images of the confidential data as an agency publishes more and more accurate statistics from the same database. Why are we still talking about this theorem fifteen years hence? What is required to modernize our disclosure limitation systems? The answer is recognizing that the database reconstruction theorem identified a real constraint on agency publication systems-there is only a finite amount of information in any confidential database. We can't repeal that constraint. It must be reconciled with the public-good mission of statistical agencies to publish data that are suitable for their intended uses. Incorporating an information budget constraint into the decision-making processes of statistical agencies means explicitly balancing data accuracy and privacy loss.
|
