Secure attribute sharing of linked microdata
Authors:
Highlights:
• Secure sharing of linked microdata attributes can add considerable value to organizations.
• The SASH procedure enables two parties to share microdata without either party having to provide true values of attribute data.
• The data masked by SASH preserve the statistical characteristics of the original data and minimize the disclosure risk.
• An ad hoc approach such as data swapping cannot achieve privacy without sacrificing usefulness, or vice versa.
• The SASH procedure has the following specific characteristics:
  (a) Predictable analytical validity and security based on a sound theoretical basis (conditional distribution approach).
  (b) Flexibility in determining which (if any) attributes to share based on security considerations.
  (c) Robustness to distributional assumptions as much of the information exchanged is rank-based and consequently non-parametric.
  (d) Better user acceptance because reverse-mapping maintains marginal characteristics, alleviating concerns about “artificial data”.
  (e) Clear and immediate practical utility, enabling individual customer-level decisions rather than just group-level decisions.
Abstract
Two organizations that have records on the same collection of individuals can benefit from sharing attributes on these individuals. The combined data, with records linked on certain common identifying information, is termed linked microdata. Linked microdata attributes can add considerable value to organizations by enabling them to perform analysis that can provide important information on individual (or record-level) data items. We illustrate practical examples of the need and benefits of sharing linked microdata and identify important privacy issues relating to this context. Based on a conditional distribution approach, we develop a procedure (SASH) for sharing masked attributes in linked microdata that addresses these privacy issues. Our experimental results show that SASH achieves a priori expectations of analytical usefulness, without either party having to provide true values of attribute data. Our results also show that an ad hoc approach such as data swapping cannot achieve privacy without sacrificing usefulness, or vice versa. Our study should provide immediate practical benefits to organizations interested in secure attribute sharing of linked microdata.
Keywords: Secure attribute sharing, Microdata, Confidentiality, Privacy-preserving data sharing
Review history: Received 19 November 2014, Revised 5 October 2015, Accepted 14 October 2015, Available online 24 October 2015, Version of Record 5 January 2016.
Official paper URL: https://doi.org/10.1016/j.dss.2015.10.005