G.T. Duncan and S. Mukherjee, Optimal disclosure limitation strategy in statistical databases: Deterring tracker attacks through additive noise, J AM STAT A, 95(451), 2000, pp. 720-729
Disclosure limitation methods transform statistical databases to protect confidentiality, a practical concern of statistical agencies. A statistical database responds to queries with aggregate statistics. The database administrator should maximize legitimate data access while keeping the risk of disclosure below an acceptable level. Legitimate users seek statistical information, generally in aggregate form; malicious users, the data snoopers, attempt to infer confidential information about an individual data subject. Tracker attacks are of special concern for databases accessed online. This article derives optimal disclosure limitation strategies under tracker attacks for the important case of data masking through additive noise. Operational measures of the utility of data access and of disclosure risk are developed. The utility of data access is expressed so that trade-offs can be made between the quantity and the quality of data to be released. Application is made to Ohio data from the 1990 census. The article derives conditions under which an attack by a data snooper is better thwarted by a combination of query restriction and data masking than by either disclosure limitation method separately. Data masking by independent noise addition and data perturbation are considered as extreme cases in the continuum of data masking using positively correlated additive noise. Optimal strategies are for the data snooper. Circumstances are determined under which adding autocorrelated noise is preferable to using existing methods of either independent noise addition or data perturbation. Both moving average and autoregressive noise addition are considered.