What is a Privacy-Loss Budget and How Is It used to Design Privacy Protection for a Confidential Database? (shared viewing of webinar; lunch served)
For statistical agencies, the Big Bang event in disclosure avoidance occurred in 2003 when Irit Dinur and Kobbi Nissim, two well-known cryptographers, turned their attention to properties of safe systems for data publication from confidential sources. The paradigm-shifting message was a very strong result showing that most of the confidentiality protection systems used by statistical agencies around the world, collectively known as statistical disclosure limitation, were not designed to defend against a database reconstruction attack. Such an attack recreates increasingly accurate record-level images of the confidential data as an agency publishes more and more accurate statistics from the same database. Why are we still talking about this theorem fifteen years later? What is required to modernize our disclosure limitation systems? The answer is recognizing that the database reconstruction theorem identified a real constraint on agency publication systems-there is only a finite amount of information in any confidential database. We can't repeal that constraint. But it doesn't help with the public-good mission of statistical agencies to publish data that are suitable for their intended uses. The hard work is incorporating the required privacy-loss budget constraint into the decision-making processes of statistical agencies. This means balancing the interests of data accuracy and privacy loss.
Lunch will be served.