Pufferfish differential privacy
The ABS is conducting research to maximise data utility while providing state-of-the-art privacy protection to data providers. Under the Census and Statistics (Information Release and Access) Determination 2018, the ABS provides passive confidentiality, which protects data providers who can demonstrate that the release of an ABS statistical output would be likely to allow their identification. These data providers are called passive claimants.
The current confidentiality method for protecting passive claimants is suppression: an aggregate statistic (e.g. a total) is not published if a passive claimant's value that contributes to the statistic is sensitive. Each suppression leads to further suppressions, to prevent the original suppressed value from being calculated from related statistics. This limits the ABS's ability to meet an increasing user demand for more detailed business statistics. While suppression has performed well in the past, the ABS is continually striving to improve data confidentiality methods.
A privacy method that the ABS is currently investigating is log-Laplace multiplicative perturbation. This technique allows more detailed statistics to be safely published compared to suppression as it perturbs the passive claimant’s value before it is used to produce aggregate statistics. Additional processes are not required to protect final statistical outputs. As a result, log-Laplace multiplicative perturbation is easier to implement than suppression, even when datasets and statistical outputs become complex. Furthermore, this approach protects against geospatial differencing risks where the passive claimant’s value may be recovered from differencing aggregate outputs from overlapping regions.
Another advantage of log-Laplace multiplicative perturbation is that it fits within a form of the Pufferfish differential privacy (DP) framework. Our form of Pufferfish DP offers a privacy protection guarantee by connecting the p% rule with the Pufferfish DP framework. The p% rule is widely used at the ABS and other national statistical offices to determine if a passive claimant's value requires privacy protection. The p% rule is defined as follows: if a passive claimant's value can be estimated to within p% of its reported value, then it requires protection. In our form of Pufferfish DP, "secrets" are statements of the form "passive claimant A's reported value is within p% of the value x". Log-Laplace multiplicative perturbation protects these "secrets" by ensuring that users of our statistical outputs cannot confidently estimate a passive claimant's sensitive value to within p% of its reported value.
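As an added illustration (not ABS code, and not the ABS's exact Pufferfish formulation), the following Python applies log-Laplace multiplicative perturbation to constructed unit values, aggregates them, applies the p% test, and computes the bound on the log-density ratio that Laplace noise in log space gives between two candidate true values. The unit names, values, claimant set and noise scale are all assumed.

```python
import math
import random

# Constructed sample (not ABS data): unit-level values for one region and
# the units that are passive claimants.
RECORDS = {"farm_a": 1200.0, "farm_b": 85.0, "farm_c": 430.0, "farm_d": 990.0}
CLAIMANTS = {"farm_a", "farm_d"}


def laplace_sample(scale, rng):
    """Laplace(0, scale) as the difference of two iid exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def log_laplace_perturb(value, scale, rng):
    """Multiplicative perturbation: value * exp(e), e ~ Laplace(0, scale).
    Equivalent to adding Laplace noise to ln(value); value must be positive."""
    if value <= 0:
        raise ValueError("log-Laplace perturbation needs a positive value")
    return value * math.exp(laplace_sample(scale, rng))


def perturb_claimants(records, claimants, scale, seed):
    """Return a copy of records in which only passive claimants are perturbed.
    Aggregates are then built from this copy, so no later suppression step is needed."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    out = dict(records)
    for unit in sorted(claimants):
        out[unit] = log_laplace_perturb(records[unit], scale, rng)
    return out


def region_total(records):
    """Aggregate statistic built from (perturbed) unit values."""
    return sum(records.values())


def within_p_percent(estimate, reported, p):
    """The p% rule's test: is the estimate within p% of the reported value?"""
    return abs(estimate - reported) <= (p / 100.0) * reported


def max_log_density_ratio(x, x_prime, scale):
    """Upper bound on |ln f(y|x) - ln f(y|x')| over every output y.
    Because the noise is Laplace in log space, the bound is |ln x - ln x'| / scale,
    so two true values p% apart are separated by at most ln(1 + p/100) / scale."""
    return abs(math.log(x) - math.log(x_prime)) / scale
```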
Preliminary results using Agriculture Statistics as a test case showed that log-Laplace multiplicative perturbation provides more data utility than suppression. Research is underway to explore its effectiveness with other datasets.
For more information, please contact Cedric Wong at firstname.lastname@example.org.