Disclosure‐protected Inference Using Generalised Linear Models

Vast amounts of data that could be used in the development and evaluation of policy for the benefit of society are collected by statistical agencies. It is therefore no surprise that there is very strong demand from analysts, within business, government, universities and other organisations, to access such data. When allowing access to micro‐data, a statistical agency is obliged, often legally, to ensure that it is unlikely to result in the disclosure of information about a particular person or organisation. Managing the risk of disclosure is referred to as statistical disclosure control (SDC). This paper describes an approach to SDC for output from analysis using generalised linear models, including estimates of regression parameters and their variances, diagnostic statistics and plots. The Australian Bureau of Statistics has implemented the approach in a remote analysis system, which returns analysis output from remotely submitted queries. A framework for measuring disclosure risk associated with a remote server is proposed. The disclosure risk and utility of approach are measured in two real‐life case studies and in simulation.     

Statistical Disclosure Risk: Separating Potential and Harm

Statistical agencies are keen to devise ways to provide research access to data while protecting confidentiality. Although methods of statistical disclosure risk assessment are now well established in the statistical science literature, the integration of these methods by agencies into a general scientific basis for their practice still proves difficult. This paper seeks to review and clarify the role of statistical science in the conceptual foundations of disclosure risk assessment in an agency’s decision making. Disclosure risk is broken down into disclosure potential, a measure of the ability to achieve true disclosure, and disclosure harm. It is argued that statistical science is most suited to assessing the former. A framework for this assessment is presented. The paper argues that the intruder’s decision making and behaviour may be separated from this framework, provided appropriate account is taken of the nature of potential intruder attacks in the definition of disclosure potential.     

A Summary of Attack Methods and Confidentiality Protection Measures for Fully Automated Remote Analysis Systems

This paper presents a summary of the current state of research on reducing the risk of disclosure related to what may be called “non‐traditional” outputs for statistical agencies. Whereas traditional outputs include frequency tables, magnitude tables and public use microdata files, non‐traditional outputs include outputs associated with user‐defined exploratory data analysis and statistical modelling offered through a remote analysis system. In remote analysis, a system accepts a query from an analyst, runs it on data held in a secure environment, and then returns the results to the analyst. There is a considerable current interest in fully automated remote analysis systems, because these have the potential to enable agencies to respond to growing researcher demand for more and more detailed data. In practice, a range of protective measures is most effective in remote analysis, and the choice of this range depends heavily on the context including the regulatory environment, the dataset itself, and the purpose of the access. This paper provides a summary of known attack methods on remote analysis system outputs, focussing on exploratory data analysis and linear regression. The paper also summarizes the associated suggested protective measures designed to prevent disclosures and thwart attacks in fully automated remote analysis systems. Some commentary on the attacks and measures is provided.     

GPRS与UMTS系统网络接入安全机制的比较与研究

详细介绍了GPRS与UMTS系统的网络接入安全机制，分析了GPRS系统中存在的安全漏洞及UMTS较GPRS在网络接入安全性方面的改善，最后分析了UMTS系统中存在的安全缺陷。     

Using Multiple Imputation to Integrate and Disseminate Confidential Microdata

In data integration contexts, two statistical agencies seek to merge their separate databases into one file. The agencies also may seek to disseminate data to the public based on the integrated file. These goals may be complicated by the agencies' need to protect the confidentiality of database subjects, which could be at risk during the integration or dissemination stage. This article proposes several approaches based on multiple imputation for disclosure limitation, usually called synthetic data, that could be used to facilitate data integration and dissemination while protecting data confidentiality. It reviews existing methods for obtaining inferences from synthetic data and points out where new methods are needed to implement the data integration proposals.