Evaluating the Potential of Differential Privacy Mechanisms for Census Data

Despite its undeniable attractiveness as the only data protection mechanism with formal privacy guarantees, the concept of differential privacy has been repeatedly criticized because of the deteriorating effects of currently available differential privacy mechanisms. Due to the strong assumptions regarding the knowledge of a potential data intruder, the amount of noise that needs to be added to sufficiently protect the data is often so large that any inference based on the perturbed data will basically be considered useless. This is especially true if the micro-data should be released to the public. However, we argue in this paper that the situation might be different for Census data. The large number of available records coupled with a limited set of only a few (often categorical) variables will ensure that most of the cells defined by cross-classifying the different attributes still contain an ample number of records. Thus, the noise that needs to be added to fulfill the differential privacy requirements might have only minor effects on data quality. To enable the release of detailed geographical information we propose a differentially private procedure based on a micro-aggregation algorithm with a fixed minimal cluster size. We evaluate whether meaningful results can be obtained with this approach using administrative data gathered by the German Federal Employment Agency. Detailed geocoding information has been added to this database recently and plans call for making this valuable source of information available to the scientific community. We expect that the proposed micro-aggregation algorithm will enable us to release detailed geocoding information while offering strong differential privacy guarantees.