U.S. Census Bureau, Office of the Deputy Director, Washington, DC 20233.
Department of Economics, Cornell University, Ithaca, NY 14853.
Proc Natl Acad Sci U S A. 2023 Oct 24;120(43):e2220558120. doi: 10.1073/pnas.2220558120. Epub 2023 Oct 13.
The use of formal privacy to protect the confidentiality of responses in the 2020 Decennial Census of Population and Housing has triggered renewed interest and debate over how to measure the disclosure risks and societal benefits of the published data products. We argue that any proposal for quantifying disclosure risk should be based on prespecified, objective criteria. We illustrate this approach to evaluate the absolute disclosure risk framework, the counterfactual framework underlying differential privacy, and prior-to-posterior comparisons. We conclude that satisfying all the desiderata is impossible, but counterfactual comparisons satisfy the most while absolute disclosure risk satisfies the fewest. Furthermore, we explain that many of the criticisms levied against differential privacy would be levied against any technology that is not equivalent to direct, unrestricted access to confidential data. More research is needed, but in the near term, the counterfactual approach appears best-suited for privacy versus utility analysis.
正式隐私的使用旨在保护 2020 年人口和住房十年普查中回复的机密性,这引发了人们对如何衡量已发布数据产品的披露风险和社会效益的重新关注和辩论。我们认为,任何量化披露风险的建议都应该基于预先规定的、客观的标准。我们通过实例说明了这种方法来评估绝对披露风险框架、差分隐私背后的反事实框架,以及先验后验比较。我们的结论是,满足所有理想条件是不可能的,但反事实比较满足的条件最多,而绝对披露风险满足的条件最少。此外,我们解释说,差分隐私所受到的许多批评也会针对任何与直接、不受限制地访问机密数据不相等的技术提出。还需要更多的研究,但在短期内,反事实方法似乎最适合隐私与效用分析。
