Models and Algorithms for Optimizing Cell Suppression in Tabular Data with Linear Constraints
Fisohetti, Matteo, Salazar Gonzalez, Juan Jose, Journal of the American Statistical Association
Cell suppression is a widely used technique for protecting sensitive information in statistical data presented in tabular form. Previous works on the subject mainly concentrate on two- and three-dimensional tables whose entries are subject to marginal totals. In this article we address the problem of protecting sensitive data in a statistical table whose entries are linked by a generic system of linear constraints. This very general setting covers, among others, k-dimensional tables with marginals, as well as hierarchical and linked tables. In particular, we address the optimization problem known in the literature as the (complementary or secondary) cell suppression problem, in which the information loss due to suppression must be minimized. We introduce a new integer linear programming model and outline an enumerative algorithm for its exact solution. The algorithm can also be used as a heuristic procedure to find near-optimal solutions. Extensive computational results on a test bed of 1,160 real world and r andomly generated instances are presented, showing the effectiveness of the approach. In particular, we were able to solve to proven optimality four-dimensional tables with marginals as well as linked tables. To our knowledge, tables of this kind have never been solved optimally by previous authors.
KEY WORDS: Confidentiality; Data protection; Integer linear programming; Polyhedral combinatorics; Statistical disclosure control.
A statistical agency collects data to be processed and published. Raw material is information obtained from individual respondents. Usually, these data are obtained under a pledge of confidentiality; statistical agencies have the responsibility of not releasing any data or data summaries from which individual respondent information can be revealed (sensitive data). On the other hand, statistical agencies aim at publishing as much information as possible. This results into a trade-off between privacy rights and information loss, an issue of primary importance in practice. (See, e.g., Willenborg and de Waal 1996 for an in-depth analysis of statistical disclosure control methodologies.)
Starting in 1996, the European Union supported through EUROSTAT (the European statistical office) a 3-year ESPRIT research project aimed at developing and testing new methodologies for statistical disclosure control. The project, coordinated by Leon Willenborg from the Central Bureau of Statistics (CBS), Voorburg, The Netherlands, involves several research groups from both academia and national statistical offices. We participate in the project for the definition of mathematical models and solution algorithms for protecting sensitive information in tabular data. A preliminary version of our codes, capable of dealing with two-, three-, and four-dimensional tables with marginals, has been embedded within [tau]-ARGUS, a prototype software package for statistical disclosure control under development at CBS.
Cell suppression is a widely used technique for disclosure avoidance. Here is an introductory example, taken from Willenborg and de Waal (1996). Figure 1(a) presents a table giving the investment of enterprises (per millions of guilders), classified by activity and region. Let us assume that the information in the cell (2, 3)--the one corresponding to activity II and region C--is considered confidential by the statistical office, according to a certain criterion (as discussed in, e.g., Willenborg and de Waal 1996). This cell is then viewed as a sensitive cell to be suppressed (primary suppression). But that is not enough; by using the marginal totals, an attacker interested in the disclosure of the sensitive cell can easily recompute its missing value. Then other table entries must be suppressed as well (secondary or complementary suppression). For example, with the missing entries in Figure 1(b), an attacker cannot disclose the nominal value of the sensitive cell exactly, although he or she still can comput e a range for the values of this cell that are consistent with the published entries. …