10 Panel Discussion on Key Privacy Issues
Pages 127-144



From page 127...
... Sloan Foundation) moderated the discussion, stating in opening remarks that the workshop presentations on the broad applications of census data were genuinely impressive, conducted with great care and dedication to data quality and naturally concerned about the utility of the census data.
From page 128...
... So he posed the challenge of this workshop as asking: What can we truthfully tell people about participating in the census, and how can we help our fellow residents and our fellow census users understand exactly how data releases can actually protect both utility and privacy by trading some of one against the other? As illustration, Goroff walked through a brief explanation of the guarantee made by differential privacy, interpreting in terms of privacy.
From page 129...
... Trying to figure out what is happening in this moment as far as revising the approach to disclosure avoidance, then, is important to do publicly. She said that her request to census data user stakeholders is to think through all the different layers of this puzzle.
From page 130...
... Immigration and Customs Enforcement "Will Find You and Deport You!" The graphic underscores the severity of the problem, that there are groups at work who actively want to deter census participation, telling potential respondents that their data are going to be used by government officials to directly and meaningfully harm them.
From page 131...
... Census data might only link with these commercial data sources "at statistical levels right now," but boyd said that this is the whole point: the data ostensibly only for statistical purposes can still be used in harmful ways. These commercial data entities and data brokers want to drill down into personal information -- individual elements -- and they want to do so to be able to sell that matched data back to various entities.
From page 132...
... Tene noted that, in the workshop session preceding this panel, William O'Hare had closed his remarks by saying that he himself did not feel any great sensitivity about his age, race, and sex being known. That might be true, and decennial census information might not seem incredibly sensitive in itself, but in the presence of very rich commercial datasets and possibilities for data linkage, knowledge of basic census information on age, race, and sex is key to revealing one's health conditions, prescriptions, purchases, Internet click-stream, locations visited, and more.
From page 133...
... poses "a very grave issue for undocumented immigrants." He closed by noting that concerns over privacy might produce another impact on the utility of the data beyond the tradeoff between privacy and accuracy in disclosure avoidance. Knowledge of reidentification risk may incentivize respondents to do their own disclosure avoidance, providing incorrect answers or failing to answer all questions.
From page 134...
... because they are legitimate rules: they serve purposes subject to fundamental values. In the census example, the purposes range from apportionment and redistricting to fund allocation, but they also include the general concept of "understanding the nation" and providing useful data to crucial social sectors.
From page 135...
... is equivalent to the current situation in which it has been demonstrated that, using aggregate and public products from the 2010 Census, it is possible to recreate individual data records and attach legal identifiers. Nissenbaum asked rhetorically about the solution space here and suggested that doing nothing to change the disclosure limitation routines used in the census is not the same as "maintaining the status quo." That status quo is untenable because of the factors already mentioned at the workshop: the new science of big data and the ready access of computing power and auxiliary data.
From page 136...
... and Nissenbaum's basic point that "the Census Bureau is not allowed to do nothing," that the status quo is untenable, that the new data processing world is such that doing disclosure avoidance as it has been done in past censuses is a violation of the legal prohibition on providing identifiable information. Ohm commended the Census Bureau for saying as much as they have about the way things were done in the 1970 through 2010 Censuses, including table suppression and data swapping.
From page 137...
... Ohm argued that the Census Bureau should be commended for respecting fundamental human rights, respecting the law, and creating "such a welcome change" in "implementing this very difficult thing that they've been asked to do." He also said that he is overjoyed about what the Census Bureau's work means for the research in the field of statistically provable privacy, serving as "the shot in the arm that this field needed." He closed by noting his expectation that "landmark advances in privacy protection" would be made based on what the Census Bureau has put in motion now and that the Census Bureau is "probably going to find ways to extract more utility out of these techniques as well."

10.5 LESSONS FROM PRIVACY WORK IN HEALTH DATA

Making a brief introduction, Goroff joked that, on one hand, health data can help find cures and improve lives, while on the other it has become clear from this discussion that "my personal health data can be used against me." How is census participation different?
From page 138...
... Census data, he argued, are an invaluable public good, serving as the foundation for many political, social, and scientific purposes.
From page 139...
... We can talk about "disclosure avoidance," he said, but "perhaps ‘disclosure reduction' is better language." Barth-Jones cast the difference between traditional statistical disclosure limitation work and differential privacy as the difference between focusing on a limited set of quasi-identifiers -- data details that are assessed for their replicability, accessibility, and distinguishability in evaluating reidentification risk -- and making the assumption that "everything is personally identifiable information." That is, differential privacy makes the assumption that all data elements are potentially knowable by intruders and are consequentially equally useful for reidentification and equally sensitive (or capable of inflicting privacy harm)
From page 140...
... Finally, he noted, differential privacy approaches are still potentially susceptible to some avenues of attack. Repeated instantiations of the process (such as multiple runs of the planned 2020 Census Disclosure Avoidance System)
From page 141...
... Perhaps that's an alarming concept, she said, but that method of building in more accountability for what people do with the data products should be on the table as something that could give. Tene and Ohm both took turns in response, though both addressed topics other than census blocks.
From page 142...
... The cultural clash notwithstanding, which he thought was similar to that playing out in the workshop room, the commission ultimately agreed to a framework that sounds like what he understood Nissenbaum to be driving towards: "the notion that you can inject friction in meaningful ways that serves multiple purposes simultaneously," in ways that force everyone to consider the privacy of the person on the other side as not just a burden but a person whose individual rights deserve respect.
From page 143...
... That said, those researchers and stakeholders are slowly becoming aware that switching to differential privacy-based methods will result in some "discontinuities," that is, differences that mean real things to people and their communities. Krieger said that there need to be real resources for training and education about this transition because it can't be a matter of waiting for the new, next, more privacy-familiar generation to "come up and say great, whoopee, we never knew what the old data were like, anyway." She noted her own personal alarm that many census data users are not yet aware of the change that is coming and asked the panel for their thoughts about what attention and what resources are going to be available to actually make this transition happen.
From page 144...
... "I think this community will adapt." Nissenbaum acknowledged Evans-Lomayesva and Krieger's "really excellent concerns," and again suggested restructuring access to the full census tabulations by restricting it to those "who are responsible and can swear to only utilizing it for the particular purposes")

