This article was downloaded by: [130.113.86.233] On: 23 February 2015, At: 06:45
Publisher: Institute for Operations Research and the Management Sciences (INFORMS)
INFORMS is located in Maryland, USA
Management Science
Publication details, including instructions for authors and subscription information:
http://pubsonline.informs.org
Data Shuffling—A New Masking Approach for Numerical
Data
Krishnamurty Muralidhar, Rathindra Sarathy,
To cite this article:
Krishnamurty Muralidhar, Rathindra Sarathy, (2006) Data Shuffling—A New Masking Approach for Numerical Data. Management
Science 52(5):658-670. http://dx.doi.org/10.1287/mnsc.1050.0503
Full terms and conditions of use: http://pubsonline.informs.org/page/terms-and-conditions
This article may be used only for the purposes of research, teaching, and/or private study. Commercial use
or systematic downloading (by robots or other automatic processes) is prohibited without explicit Publisher
approval, unless otherwise noted. For more information, contact permissions@informs.org.
The Publisher does not warrant or guarantee the article’s accuracy, completeness, merchantability, fitness
for a particular purpose, or non-infringement. Descriptions of, or references to, products or publications, or
inclusion of an advertisement in this article, neither constitutes nor implies a guarantee, endorsement, or
support of claims made of that product, publication, or service.
Copyright © 2006, INFORMS
Please scroll down for article—it is on subsequent pages
INFORMS is the largest professional society in the world for professionals in the fields of operations research, management
science, and analytics.
For more information on INFORMS, its publications, membership, or meetings visit http://www.informs.org
MANAGEMENT SCIENCE
informs
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
Vol. 52, No. 5, May 2006, pp. 658–670
issn 0025-1909 eissn 1526-5501 06 5205 0658
®
doi 10.1287/mnsc.1050.0503
© 2006 INFORMS
Data Shuffling—A New Masking Approach for
Numerical Data
Krishnamurty Muralidhar
Gatton College of Business and Economics, University of Kentucky, Lexington, Kentucky 40506, krishm@uky.edu
Rathindra Sarathy
Spears School of Business, Oklahoma State University, Stillwater, Oklahoma 74078, sarathy@okstate.edu
T
his study discusses a new procedure for masking confidential numerical data—a procedure called data
shuffling—in which the values of the confidential variables are “shuffled” among observations. The shuffled
data provides a high level of data utility and minimizes the risk of disclosure. From a practical perspective, data
shuffling overcomes reservations about using perturbed or modified confidential data because it retains all the
desirable properties of perturbation methods and performs better than other masking techniques in both data
utility and disclosure risk. In addition, data shuffling can be implemented using only rank-order data, and thus
provides a nonparametric method for masking. We illustrate the applicability of data shuffling for small and
large data sets.
Key words: camouflage; confidentiality; data masking; data swapping; obfuscation; privacy; perturbation
History: Accepted by Ramayya Krishnan, information systems; received August 26, 2004. This paper was with
the authors 3 months for 1 revision.
1.
Introduction
values that have been “modified” (Wall Street Journal
2001). This is likely to be particularly true of a typical
user in commercial organizations who may not have
the statistical sophistication of users of governmental data. Thus, techniques are needed that will foster
greater acceptance of masked data among the common user.
One data masking approach with the potential to
satisfy this requirement is data swapping. As the
name implies, data swapping exchanges values of
confidential variables between records (Dalenius and
Reiss 1982) without modifying the original values
of the confidential variables. Data swapping has the
intuitive appeal and ease of explanation that is not
available with other masking techniques, but compared with perturbation methods, existing data swapping methods for numerical variables have low data
utility or high disclosure risk (or both). Fienberg
(2002) observes that other techniques have surpassed
data swapping because it has performed poorly.
However, given its potential for greater user acceptance, we believe that data swapping techniques must
be brought to perform on par with other data masking techniques. Hence our objective in this paper is to
develop a technique that provides data utility and disclosure risk that is similar to perturbed data, without modifying the original values of confidential variables. In this
study, we develop such a new procedure and discuss
its underlying theory. Referred to as data shuffling,
this procedure will allow organizations to disseminate
Organizations derive many benefits from gathering,
analyzing, and disseminating data regarding customers, suppliers, and other entities. Simultaneously,
these activities raise issues of privacy and confidentiality of sensitive information. Unrestricted analysis, dissemination, and sharing of sensitive data could lead
to disclosure of confidential information, so organizations need analytically valid data that do not disclose
confidential information. Until recently, this problem
was important only for a few governmental agencies
(such as the Census Bureau) that released specialized
data sets for sophisticated users. Recently, however,
the scope of the problem has expanded to cover practically all organizations.
Research in statistical disclosure limitation techniques has led to the development of several tools and
techniques that enable disseminated data to be analyzed while protecting individual privacy and confidentiality (Willenborg and de Waal 2001). We shall
refer to these broadly as data masking techniques.
Most of these techniques were developed in the context of data dissemination by a governmental agency.
One such technique that enables data to be analyzed while preserving a high level of confidentiality is data perturbation. Perturbation techniques rely
on “perturbing” or changing the original values in
a manner that preserves analytical usability without
compromising confidentiality. Unfortunately, many
users look unfavorably (or possibly suspiciously) on
658
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
659
Management Science 52(5), pp. 658–670, © 2006 INFORMS
and share data for analysis, with minimal disclosure risk.
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
2.
Data Utility, Disclosure Risk, and
the Conditional Distribution
Approach
Important in the development of new masking techniques is an evaluation of the associated level of
data utility and disclosure risk. In this section, we
formally define measures of data utility and disclosure risk. Similar to Duncan and Pearson (1991), we
assume that users must be provided access to microdata (values of variables at the record level) without
access restrictions. Data masking techniques attempt
to provide users with access to microdata that provides analytical validity, but prevents disclosure of sensitive information.1
Analytical validity or data utility represents the
extent to which analyzing the masked data provides
similar results to those obtained by analyzing the
original data. A masking technique provides the highest possible level of data utility if, for any type of analysis, the results using the original and masked data
are identical. In practice, achieving this ideal is difficult. Instead, masking techniques are evaluated based
on how closely they maintain the joint distribution
of the confidential variables and nonconfidential variables. From a statistical perspective, it is important
that inferences reached using the masked data must
be the same as those using the original data.
In terms of disclosure risk, while all masking techniques prevent exact disclosure of values, they are
susceptible to inferential disclosure. Inferential disclosure risk (or simply disclosure risk) is measured by the
ability of an intruder or snooper to infer the identity of an entity to whom a particular record belongs
and/or the value of a confidential variable for a particular record. Inferential disclosure will occur even
without access to masked microdata (using nonconfidential microdata and aggregate information) and
cannot be prevented unless access to the entire data
set is prevented. Hence, Dalenius (1977) and Duncan
and Lambert (1986) define disclosure as the improvement in an intruder’s predictive ability when access is
provided to the masked microdata. This improvement
in predictive ability represents the disclosure risk that
can be attributed exclusively to the masking procedure. By this definition, disclosure risk occurs when
(1) the probability of correctly matching a particular deidentified record to an individual is higher with
1
The term “disclosure” is used to refer to disclosure of sensitive
information to authorized users who use their legitimate access to
compromise confidentiality. It does not refer to unauthorized users
(or hackers).
access to microdata, compared to the same probability
without access to the masked microdata, and/or
(2) the error bounds for the estimated value of a
confidential variable are smaller with access to microdata compared to the error bounds without access to
the masked microdata.
2.1.
The Conditional Distribution Approach for
Generating Masked Data
Muralidhar and Sarathy (2003a, b) have shown that in
order to satisfy the above requirements, the masked
variables must be generated in a specific manner.
Consider a data set with i = 1 N observations,
consisting of a set of j = 1 M confidential variables X and a set of k = 1 L nonconfidential variables S.2 It is assumed that the variables X and S have
a known pdf f X S . Let Y represent the masked variables. Using f X S , if the individual values in Y are
generated from the conditional density of X given S;
that is,
(1)
yi ∼ fXS X S = si then Y will be an independent realization from the
conditional distribution of fXS X S . In other words,
X and Y are conditionally independent given S. From
Equation (1), we can show
fY S Y S = fX S X S (2)
thereby maintaining ideal data utility, and that
fXS Y X S Y = fXS X S (3)
thereby minimizing disclosure risk (Muralidhar and
Sarathy 2003a). This ensures low disclosure risk for
such procedures. In other words, S provides the same
information about X as {S and Y} together. Hence, any
procedure that generates masked values based on the
conditional distribution in Equation (1) provides the
lowest possible level of disclosure risk, since access to
microdata with the masked variables Y provides the
intruder with no additional information (Dalenius 1977,
Duncan and Lambert 1986). We will refer to masking
2
For the remainder of this manuscript, we will use the following notation. Let xi j and x i j represent the ith (unordered)
and ith-ordered observation for the jth confidential variable (i.e.,
rank(x i j = i). Similarly, let si k and s i k represent the ith
(-unordered) and ith-ordered observation of the kth nonconfidential
variable. Let YP represent the perturbed set of j = 1 M confidential variables and Y represent the shuffled variables. As with X,
yiP j and yi j represent the ith observations of the jth perturbed
and shuffled variables, respectively, and y Pi j and y i j the ordered
observations. Let xi , si , and yiP , yi , represent 1×M , 1×L , 1×M ,
and 1×M single-observation vectors from X, S, YP , and Y, respectively. Let Xj , Sk , YjP , and Yj represent the N × 1 vector of a single
variable in X, S, YP , and Y, respectively, and X j , S k , Y Pj , and Y j
to represent the rank-ordered N × 1 vector of a single variable.
Let f and F represent the probability density and cumulative
distribution functions, respectively.
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
660
Management Science 52(5), pp. 658–670, © 2006 INFORMS
procedures that satisfy Equation (1) as being based on
the conditional distribution approach. Using the conditional distribution fXS X S for generating masked
values has been suggested by Fienberg et al. (1998a),
Fuller (1993), Little (1993), and Rubin (1993).
Our objective is to present a data swapping methodology based on the conditional distribution approach
(albeit with certain assumptions). Prior to describing
our new approach, we briefly describe existing methods for swapping numerical data.
2.2.
3.
Issues in Implementing the Conditional
Distribution Approach
There are several issues in implementing the conditional distribution approach in practice. The first issue
is that the joint distribution f X S is almost never
known. Second, even if f X S is known, deriving
the conditional density fXS X S may not be possible except in a few cases such as the multivariate normal. It is common to assume a joint density
for the original data and generate the perturbed values (Fienberg et al. 1998a, Muralidhar et al. 1999,
Sarathy et al. 2002, Raghunathan et al. 2003, Burridge
2003). Hence the implementation of almost all masking approaches is heuristic, relying on estimates of
the joint and/or conditional distribution of the variables. However, in these cases, we cannot truly claim
that the resulting perturbed values strictly satisfy
all the data utility requirements specified earlier. We
can ensure only that the masked data maintain certain properties based on the underlying assumptions
made in generating the masked values.
Note, however, that whether Y is generated from
the true, estimated, or assumed conditional distribution, as long as it is of the form
yi = g S = s i (4)
where g · is a function that represents the empirical
conditional density fXS X S estimated from the data
and the noise term is independent of X and S, we
can show that the resulting Y satisfies ideal disclosure risk requirements similar to Equation (3). In other
words, Equation (4) ensures that X and Y are conditionally independent given S, since the values of Y are
generated as function of S and an independent noise
term . The data shuffling procedure that we describe
in the following sections satisfies this requirement.
Another important consideration is the added variability because of random sampling from the conditional distribution and its impact on statistical
inference. Even if the true underlying distribution is
known, the random generation of the perturbed values results in variability that must be accounted for.
This variability approaches 0 as n → , and is relatively small for large n. Regardless the size of the data
set, the impact of the added variability on statistical
inferences reached using the masked data (compared
to that using the original data) must be addressed.
Only a few techniques address this issue directly
(Rubin 1993, Fienberg et al. 1998a, Burridge 2003).
Existing Methods for Swapping
Numerical Data
Dalenius and Reiss (1982) originally proposed data
swapping for masking confidential variables. Fienberg
and McIntyre (2005) comprehensively discuss data
swapping and its relationship to other methods. In this
section, we focus on methods for swapping numerical variables. Reiss et al. (1982) made the first attempt,
swapping the data using an optimization approach to
maintain the first- and second-order moments. This
approach is not based on the conditional distribution
approach. It is also known to be computationally difficult and its disclosure risk remains to be evaluated.
Moore (1996) describes the best-known data swapping procedure based on the data swapping algorithm Brian Greenberg proposes in an unpublished
manuscript. The rank-based proximity swap (hereafter referred to simply as data swapping) for numerical variables can be described as follows:
Sort the data by confidential variable j. Set the value
of y k j = x i j and y i j = x k j . Repeat the process for
every i and j to result in Yj and repeat the process of
every j to result in Y.
Moore (1996, p. 6) uses a masking parameter called the
“swapping distance” parameter, defined as follows:
Determine a value P a , with 0 ≤ P a ≤ 100. The intent
of the procedure is to swap the value of ai with that
of aj , so that the percentage difference of the indices,
i and j, is less than P a of N . That is i − j < P a ∗
N /100.
The larger the value of P a , the larger the value
of i − k, and the greater the distance between the
swapped values, and vice versa. Data swapping’s
biggest advantage is that the marginal distributions
of the individual confidential variables are identical to
those of the original variables. Assuming a uniform
distribution, Moore (1996) also shows an inverse relationship between swapping distance and data utility,
and a direct relationship between swapping distance
and disclosure risk, resulting in a trade-off.
Recently, Carlson and Salabasis (2002) (hereafter
referred to as C&S) describe a new method for
data swapping. For this procedure, first consider a
database D consisting of a set of variables S and X.
Assume that the database is randomly divided into
two (or even more) data sets D1 and D2 containing
S1 X1 and S2 X2 , respectively. C&S (2002) suggest
ranking both databases with respect to variable Xj .
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Since the two databases are independent samples,
the ordered values of Xj1 should be approximately
equal to Xj2 and the values of the masked variable Yj1
are created by replacing the ordered values of Xj1
by Xj2 . Similarly, another set of masked variables Yj2
may be created by replacing the ordered values of
Xj2 by Xj1 . The process is then repeated for all j to
∗
∗
result in Y1 and Y2 . Two new databases, D1 and D2 ,
are then created by combining S1 Y1 and S2 Y2 (Fienberg 2002). The two databases can then be potentially recombined to form D∗ . The authors also provide proof for this procedure as well as simulation
results demonstrating their asymptotic properties.
The C&S (2002) method, while innovative, focuses
almost exclusively on data utility and does not
directly address disclosure risk. The authors acknowledge that “the swap may not provide an acceptable
level of perturbation and effectively mask the data.”
Beyond this broad statement, no specific disclosure
risk measures were evaluated. As we show in §5, this
procedure provides practically no protection from either
identity or value disclosure.
Liew et al. (1985) proposed a method closely resembling the C&S (2002) method. They suggest that the
univariate marginal distribution of each confidential
variable be empirically identified. Using the respective distributions, n observations are generated for
each confidential variable. The rank ordered original
values are then replaced by the rank-ordered generated values for each variable. The Liew et al. (1985)
procedure also focuses on data utility without appropriate consideration of disclosure risk. Consequently,
it has been shown to have very high disclosure risk
(Adam and Wortmann 1989, Muralidhar et al. 1999).
The C&S (2002) method has two major advantages
compared with the Liew et al. (1985) procedure. First,
the Liew et al. (1985) procedure does not use the
original values in the database, but instead replaces
the values by randomly generated values. Second, the
Liew et al. (1985) procedure requires the identification of the underlying univariate distribution of each
confidential variable. The C&S (2002) method overcomes both these problems by dividing the database
and using the rank-ordered values within the subsets.
Dandekar et al. (2002) proposed a method called
Latin Hypercube sampling for data swapping. This
method attempts to recreate an independent data set
with the same marginal characteristics and the same
rank-order correlation as the original data set. Unfortunately, this procedure can be used only when all
the variables in the database are confidential and
must be swapped. When nonconfidential variables are
present, this procedure would require either swapping the nonconfidential variables also, or swapping
the confidential variables independently of the nonconfidential variables. Hence, this limits the method’s
applicability.
661
Thus the literature on data swapping reveals that
current procedures for swapping numerical variables
do not simultaneously address data utility and disclosure risk, because they are not based on the
conditional distribution approach. The conditional
distribution approach provides significant advantages
that outweigh the disadvantages. Fienberg et al.
(1998b) argue that this approach is preferable to using
ad hoc procedures, even with certain assumptions.
Our objective in this paper is to develop a data swapping procedure based on the conditional distribution
approach—a procedure that provides utility comparable with existing swapping methods without the
adverse disclosure risks.
4.
The Data Shuffling Procedure
The data shuffling procedure is based on the conditional distribution approach and can be described as
follows:
Step 1. Generate an observation yiP from the conditional distribution fXS X S = si such that given S =
si , YP is independent of X.
Step 2. Repeat the process for every observation in
the data set to obtain YP .
Step 3. Replace y Pi j with x i j , i = 1 N , j =
1 M to obtain Y. That is, perform reverse mapping Y j = Y Pj ← X j .
Step 4. Release the reordered (or shuffled) data set.
Steps 1 and 2 of the shuffling procedure are similar to
perturbation and “generate” a new set of values for
the confidential variables using the conditional density fXS X S . However, yiP j values generated in this
manner will, in general, be different from the observations in X. This “shortcoming” can be addressed
by taking advantage of the fact that FY YjP = FX Xj ,
j = 1 M. Hence, in Step 3, for each confidential
variable, we replace the ordered values of YjP with
the ordered original values of Xj , ensuring that the
shuffled data consists of the original values. Since
both YjP and Xj are independent realizations from the
same distribution, both have the same characteristics
in terms of both data utility and disclosure risk (C&S
2002, p. 38). In other words, the reverse mapping does
not alter the disclosure risk characteristics of the perturbed data. Thus, theoretically, the data shuffling procedure satisfies the ideal data utility and disclosure
risk requirements. However, as discussed earlier, the
joint distribution of X and S is unknowable in practice. Hence, heuristic approaches are needed to implement data shuffling.
4.1. Implementation of Data Swapping
We propose a heuristic implementation of data
shuffling based on the perturbation method proposed
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
662
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
by Sarathy et al. (2002) using the multivariate copula
to model the joint density of a data set, where the
variables have arbitrary marginal distributions and
specified dependence characteristics (Nelsen 1999).
Let R represent the rank-order correlation matrix of
X S. Define variables X∗ and S∗ as follows:
xi∗ j = −1 FXj xi j j = 1 M i = 1 N
si∗ k = −1 FSk si k k = 1 L i = 1 N and
(5)
where FXj and FSk represent the cumulative distribution functions of variables Xj and Sk , respectively, and
−1 represents the inverse of the standard normal distribution. The joint density of X∗ and S∗ is described
by a multivariate standard normal distribution with
correlation matrix , and the relationship between R
and can be described by (Clemen and Reilly 1999)
rij
ij = 2 sin
(6)
6
where rij are the elements R. Since X∗ and S∗ have a
joint multivariate normal distribution, it is now possible to generate the perturbed values Y∗ as
yi∗ = X∗ S∗ S∗ S∗
−1 ∗
si
+ ei (7)
where ei ∼ MVN 0 X∗ X∗ − XS S∗ S∗ −1 S∗ X∗ . The
values of Y∗ can then be retransformed back to the
original marginal distribution of YP by
yiP j = FX−1
yi∗ j j
j = 1 M i = 1 N (8)
The copula-based perturbation approach requires that
for a given data set X S with a rank-order correlation matrix R, the marginal distributions of X and S
are known, a random observation can be generated
from the specified marginal distribution. This step is
needed to generate a new value for the perturbed variable using Equation (8). However, in the data shuffling approach, we do not need to generate a new
value; we only need the rank of the perturbed value.
Hence, this procedure can be simplified further by
using the following transformation in place of one
used in Equation (5):
i − 05
−1
∗
si k = N
k = 1 L i = 1 N (9)
where i represents the rank order of si k . The values
of yi∗ are generated from
∗
yi∗ = X∗ S∗ −1
S∗ S∗ si + ei (10)
where e ∼ MVN 0 X∗ S∗ −1
S∗ S∗ S∗ X∗ . Since rank of
y ∗i j = rank of y Pi j , replacing y ∗i j with x i j , j =
1 M, i = 1 N results in Y. Note that Equation (10) maintains conditional independence, ensuring that given S, X, and Y are independent. Thus the
reverse-mapped values retain the same data utility
and disclosure risk as the original perturbed values
(C&S 2002). If all the variables in the data set are confidential, an independent, multivariate normal data
set with correlation matrix is generated, and reverse
mapping is performed on this data set. The simulation experiments to assess the disclosure risk characteristics of the data shuffling procedure (§§5.1 and 5.2)
provide empirical verification of this result.
The data shuffling approach does not require the
marginal distributions of X and S to be identified, nor
does it require any of the actual values in the data set
to be used in the process of masking. The only data
that is required is the rank-order correlation matrix of
the original variables and the ranks of the values of
the nonconfidential variables s i j . In many cases, the
owners of the data set may not have the necessary
expertise to perform the shuffling. The nonparametric
data shuffling approach provides a methodology by
which the shuffling can be performed securely using a
third party that would never have access to any actual
confidential data values.
4.2.
Impact of Sample Size and Sampling Error on
Data Shuffling
As with other techniques, data shuffling results add
variability to parameter estimates potentially affecting statistical inferences. This variability arises from
the noise term used to generate perturbed values
from the conditional distribution fXS X S and the
reverse mapping process. The variability is likely very
small for large data sets, but may be significant for
small data sets. The extent of this variability is difficult to predict theoretically. We provide an empirical evaluation in the next section. Just as perturbation
procedures have been modified to account for such
variability (Rubin 1993, Fienberg et al. 1998a, Burridge
2003), modifications may be developed for the data
shuffling procedure as well.
In summary, we view the data shuffling procedure presented in this study to be part of the evolution of data swapping. Data perturbation approaches
have also evolved from simple noise addition to
current approaches. As Fienberg (2002) suggests, an
important step in this evolution is developing a data
swapping technique with underlying principles that
are the same as perturbation techniques. Data shuffling combines the most recent (rank-based) copula
perturbation approach with the most recent swapping
approach (C&S 2002 method).3
3
Although we originally proposed data shuffling independently
of C&S (2002), we believe that the rank-ordered swapping of the
marginal represents the common link between the two methods.
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
5.
An Empirical Comparison of Data
Swapping Methods
In this section, we describe simulation experiments
to evaluate the relative performances of data swapping, the C&S (2002) method, and data shuffling. Data
swapping requires specifying a masking (or the proximity) parameter. Three different values of the proximity parameter were used P a = 010 050 100 ,
hereafter referred to as DS10%, DS50%, and DS100%.
Two sets of experiments were conducted to evaluate
data utility and disclosure risk.
5.1.
Impact of Data Set Size on Utility of
Masked Data
The objective of the first experiment was to investigate the impact of the size of the data set on
the product moment correlation of the masked
data compared to the original data (similar to the
experiment in C&S 2002, §5.4, p. 48). In the experiment, a data set of a size n =30 100 300 1000
was generated from a bivariate normal distribution with a specified population correlation coefficient =00 02 04 06 08 095 . It was assumed
that both variables in the data set were to be masked.
Five different masked data sets (C&S 2002 method,
data shuffling, and three different swaps) were generated. In implementing the C&S (2002) method, in
addition to the generated data set, it was assumed
that second independent data sets of the same size
were available (and generated for this purpose). The
rank-ordered values of both variables in the first set
were swapped for the rank-ordered values of the
respective variables in the second set. We chose this
implementation because C&S (2002) show that this
procedure results in lower bias than the swapping
from two different data sets. As in the C&S study,
we measured both the bias (which results in attenuation in correlation) and standard error (SE) of bias
using the sample correlation coefficient as the benchmark (see C&S 2002, p. 49). We replicated each combination of data set size and correlation coefficient
10,000 times, and computed the average bias and SE
of the sample correlation coefficient from the 10,000
replications.
Table 1 shows the results of the simulation experiment, which are almost identical to the results provided by C&S (2002, Tables 2–5, pp. 50–51). In terms
of data utility, both the C&S (2002) method and data
shuffling show attenuation in sample correlation coefficient for small n that quickly approaches zero as
n increases. For all three swapping methods, the
attenuation is higher and does not approach zero as
n increases. The attenuation is highest (and almost
equal to the specified correlation) for DS100%, followed by DS50%, and DS10%. This is to be expected
since DS100% represents the case where the values are
663
swapped randomly and almost completely destroys
any relationships that might have existed.
The results are similar when we evaluate SE. For
small n, the SE is rather high even for the C&S (2002)
method and data shuffling. Fienberg (2002) observes
the same with the C&S (2002) method. This indicates
that even though both the C&S method and data shuffling maintain correlations between variables asymptotically, for small data sets the correlation attenuation
in the masked data could be significant. Hence, for
small data sets, these methods must be used with
caution. The SEs of DS10%, DS50%, and DS100% are
higher than those observed for the C&S (2002) method
and data shuffling. Thus, purely from the perspective
of data utility as measured by the attenuation in correlation and the SE, it is hard to distinguish between
data shuffling and the C&S (2002) method. In terms
of relative performance, data shuffling and the C&S
(2002) method perform the best, followed by DS10%,
DS50%, and DS100%.
The similarity in performance of the C&S (2002)
method and data shuffling for the multivariate normal case is not surprising because the shuffled values
are generated from the true conditional distribution.
Generally, the C&S (2002) method does not make
assumptions regarding the joint distribution of X
and S, so it may provide better data utility than the
data shuffling procedure. However, in data shuffling,
the values of the confidential variables are perturbed prior
to the rank-ordered replacement. This is not the case for
the C&S (2002) method. As the following discussion
shows, this difference has a major impact on the disclosure risk of the two methods.
5.2. Assessing Risk of Value Disclosure
In this experiment, as a surrogate measure of value
disclosure, we computed the proportion of variability
that is explained in the confidential variable by using
the corresponding masked variable (R2X1 Y1 and R2X2 Y2
for all five masking methods (Fuller 1993). To satisfy
Equation (3), it is necessary that R2XS Y = R2XS . In this
case, since S is null, to minimize disclosure risk, it is
necessary that R2X1 Y1 = R2X2 Y2 = 0. Table 2 provides the
average R2X1 Y1 and R2X2 Y2 resulting from each combination of correlation coefficient and data set size for
all five masking methods.
From Table 2 it is evident that the C&S (2002)
method provides practically no security against risk
of value disclosure. Even for a data set of 30, the
proportion of variability in the confidential variable
explained using the masked variable is more than
93% in all cases. When the data set is 1,000, the
proportion of variability in the confidential variable
using the masked variable is more than 99.95% in
all cases. The poor disclosure risk performance of
the C&S (2002) method is not surprising. C&S (2002,
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
664
Table 1
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Bias and Standard Error Resulting from Simulation Experiment
Data set size
30
0.00
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
0.20
0.40
0.60
0.80
0.95
100
0.00
0.20
0.40
0.60
0.80
0.95
300
0.00
0.20
0.40
0.60
0.80
0.95
1,000
0.00
0.20
0.40
0.60
0.80
0.95
C&S (2002) method
Data shuffling
Data swapping (10%)
Data swapping (50%)
Data swapping (100%)
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
−0000641
0066915
−0013962
0066355
−0027262
0063791
−0036869
0057457
−0043728
0046396
−0034909
0030778
−0001352
0068458
−0013758
0067250
−0026777
0063063
−0037706
0057452
−0043730
0046919
−0035300
0031542
0000551
0108844
−0032443
0107363
−0065604
0101812
−0095700
0093522
−0118208
0079000
−0129913
0062850
−0001045
0233072
−0157984
0225624
−0307165
0217107
−0460840
0202012
−0610875
0186656
−0723215
0177532
−0000950
0263763
−0200020
0259527
−0396881
0245209
−0594337
0224294
−0793003
0201219
−0946191
0189804
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
−0000107
0022496
−0005065
0022104
−0010030
0021204
−0014155
0019108
−0016616
0015279
−0013024
0008828
−0000260
0022872
−0005090
0022358
−0009880
0021248
−0014178
0019010
−0016775
0015314
−0013062
0009120
−0000989
0050805
−0025164
0050074
−0049637
0047616
−0071887
0042576
−0090536
0036116
−0099643
0028103
−0001064
0124219
−0149044
0121077
−0296934
0116631
−0441791
0106818
−0582097
0096673
−0684039
0089905
−0000050
0142618
−0198753
0140435
−0397648
0133167
−0597483
0120205
−0797881
0106751
−0950754
0102096
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
−0000018
0007890
−0002102
0007752
−0004086
0007396
−0005704
0006826
−0006736
0005494
−0005026
0002974
0000340
0007869
−0001658
0007840
−0003557
0007498
−0005220
0006721
−0006326
0005365
−0004868
0002844
0000105
0027860
−0022744
0027705
−0045264
0026525
−0065764
0023619
−0082758
0019968
−0091490
0014765
0001819
0069805
−0146747
0067926
−0291108
0066483
−0434570
0059363
−0575702
0054769
−0674581
0051489
0001969
0082571
−0199422
0080740
−0398856
0075039
−0599187
0070232
−0800379
0061630
−0948211
0058183
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
−0000077
0002642
−0000823
0002587
−0001332
0000006
−0001884
0002223
−0002268
0001793
−0001740
0000916
0000031
0002622
−0000745
0002598
−0001518
0000006
−0001976
0002264
−0002264
0001676
−0001675
0000884
0000070
0015727
−0022539
0014937
−0043130
0000196
−0064120
0012245
−0079229
0010176
−0087542
0007910
−0001482
0038503
−0147750
0038802
−0292616
0001266
−0435326
0032524
−0572165
0030401
−0670493
0027450
0000286
0042941
−0200895
0042614
−0402256
0001493
−0600270
0035648
−0799787
0032682
−0949409
0031424
p. 38) observe, “Furthermore, since E Xr"1 = E Xr"2 ,
one would expect Xr"1 to be approximately equal
to Xr"2 for large n ” Conversely, this statement
also means that the masked value would be approximately equal to the original value. As the results in
Table 2 show, for large n, the level of masking would
be negligible, resulting in high risk of value disclosure. By contrast, Table 2 shows that data shuffling
provides good security against risk of value disclosure. In almost all cases, the proportion of variability explained in the confidential variable using the
masked variable is close to 0. The performance of
DS100% compares with that of data shuffling with
R2 close to 0 in all cases. Thus, data shuffling and
DS100% almost completely eliminate risk of value disclosure. DS50% and DS10% provide some information
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
665
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Table 2
Value Disclosure Results from Simulation Experiment
Proportion of variability explained
C&S (2002) method
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
Data set size
Data shuffling
Data swapping (10%)
Data swapping (50%)
Data swapping (100%)
X1 Y1
X2 Y 2
X1 Y 1
X2 Y2
X1 Y1
X2 Y 2
X1 Y 1
X2 Y 2
X1 Y1
X2 Y2
30
0.00
0.20
0.40
0.60
0.80
0.95
0.934529
0.934529
0.934529
0.935262
0.935456
0.934534
0.934854
0.934612
0.934200
0.935353
0.935104
0.934669
0.000000
0.000000
0.000000
0.000003
0.000001
0.000003
0.000001
0.000005
0.000000
0.000024
0.000001
0.000000
0.828411
0.828411
0.828411
0.827240
0.829357
0.828431
0.829045
0.829571
0.829046
0.828568
0.829117
0.828306
0.215126
0.215138
0.215148
0.215452
0.215700
0.214481
0.218040
0.217683
0.217049
0.216955
0.217574
0.217094
0.001025
0.001025
0.001025
0.001467
0.001096
0.000955
0.001145
0.001127
0.001121
0.001129
0.000835
0.001187
100
0.00
0.20
0.40
0.60
0.80
0.95
0.975144
0.975167
0.975144
0.975167
0.975139
0.975131
0.974946
0.974961
0.974972
0.974993
0.974975
0.975073
0.000000
0.000002
0.000001
0.000000
0.000000
0.000000
0.000017
0.000001
0.000000
0.000005
0.000001
0.000000
0.871473
0.871176
0.871473
0.871176
0.871086
0.871382
0.871500
0.871048
0.871071
0.871274
0.871613
0.871811
0.256386
0.256094
0.256386
0.256094
0.255945
0.256096
0.257803
0.257500
0.257524
0.257529
0.257399
0.257585
0.000108
0.000107
0.000108
0.000107
0.000113
0.000112
0.000097
0.000121
0.000102
0.000126
0.000101
0.000100
300
0.00
0.20
0.40
0.60
0.80
0.95
0.990210
0.990230
0.990233
0.990213
0.990236
0.990222
0.990387
0.990459
0.990371
0.990316
0.990177
0.990117
0.000001
0.000004
0.000004
0.000006
0.000000
0.000000
0.000000
0.000003
0.000001
0.000005
0.000002
0.000001
0.882647
0.882726
0.882849
0.882670
0.882766
0.882731
0.883192
0.883334
0.883464
0.883645
0.883278
0.882752
0.266160
0.266230
0.266252
0.266144
0.266151
0.266178
0.267111
0.267310
0.267737
0.267684
0.267329
0.267108
0.000012
0.000012
0.000014
0.000013
0.000012
0.000013
0.000006
0.000006
0.000006
0.000006
0.000006
0.000005
1,000
0.00
0.20
0.40
0.60
0.80
0.95
0.996733
0.996668
0.996650
0.996651
0.996690
0.996739
0.996673
0.996644
0.996619
0.996584
0.996558
0.996637
0.000000
0.000001
0.000000
0.000000
0.000000
0.000001
0.000000
0.000009
0.000005
0.000000
0.000001
0.000000
0.887913
0.887913
0.887913
0.887935
0.887943
0.887913
0.886925
0.886911
0.887015
0.887288
0.887658
0.887864
0.272723
0.272723
0.272723
0.272724
0.272744
0.272723
0.271392
0.271262
0.271304
0.271375
0.271563
0.271674
0.000000
0.000000
0.000000
0.000000
0.000000
0.000000
0.000033
0.000032
0.000031
0.000032
0.000030
0.000030
to the intruder (the proportion of variability is greater
than 0), but perform better than the C&S (2002)
method.
5.3. Assessing Risk of Identity Disclosure
We conducted an additional simulation experiment
to assess the risk of identity disclosure. In this simulation, a multivariate normal data set with k variables
and n observations was generated with a mean vector of 0 and identity covariance matrix. As before, the
data was masked using the five masking methods. For
each observation, we assumed that the intruder has
the vector of the original (unmasked) values. Using
this information, the intruder attempts to match the
true value vector to the masked data that is released
(see Fuller 1993, p. 388, Equation 11). The procedure
is then repeated for each observation. The percentage
of successful matches for each masking technique was
recorded. The entire procedure was replicated 1,000
times. The simulation experiment was conducted for
n = 30, 100, 300, and 1,000 and for k = 2 to 6. This
assessment of disclosure risk is similar to those used
by Fuller (1993) and Winkler (1998).
The results of the simulation experiment, provided
in Table 3, clearly show that the C&S (2002) method
performs poorly in preventing identity disclosure. Even
with just two variables, an intruder could reidentity
more than 60% of all observations in the data set. With
five or more variables, the probability of reidentification exceeds 99% for all data sets. In these cases, the
C&S (2002) method provides practically no security.
By contrast, data shuffling provides excellent security against risk of identity disclosure. In almost all
cases, the percentage of observations reidentified is
close to 1/n , the probability of reidentification by
chance alone. We performed a hypothesis test (with
the null hypothesis that the proportion of reidentified observations = 1/n versus the alternative hypothesis that the proportion of reidentified observations
is > 1/n) for the results of data shuffling. In all cases,
we were unable to reject the null hypothesis, indicating that the proportion of reidentified observations is
not significantly different from 1/n.
The reidentification results for the three data swapping techniques follow the expected pattern. DS100%
provides the best results, almost comparable to those
of data shuffling, followed by DS50%, and finally
DS10%. However, all three data swapping procedures
provide higher security than the C&S (2002) method.
An intruder could use more sophisticated techniques
for reidentification such as those described in Winkler
(1995a, b) and Fienberg et al. (1997). However, given
that data shuffling and DS100% outperform the other
methods by a significant margin, our overall conclusion is unlikely to change.
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
666
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Table 3
Identity Disclosure Results
Data set
size
Number of
variables
C&S (2002)
method (%)
Data
shuffle (%)
Data
swapping (10%)
Data
swapping (50%)
Data
swapping (100%)
30
2
3
4
5
6
7242
9366
9857
9973
9997
3.55
3.98
4.20
4.25
3.89
60.04
82.43
91.05
94.83
96.66
2661
4575
5606
6102
6182
4.29
3.98
4.03
4.10
4.10
100
2
3
4
5
6
6646
9385
9901
9986
9996
1.03
1.03
1.06
1.11
1.01
55.32
87.15
96.56
99.11
99.61
1037
2695
5032
7098
8431
1.14
1.14
1.21
1.24
1.21
300
2
3
4
5
6
6262
9513
9944
9993
9999
0.32
0.34
0.35
0.35
0.32
48.68
89.51
98.33
99.74
99.94
390
1155
2726
5055
7240
0.38
0.38
0.47
0.40
0.42
1,000
2
3
4
5
6
6118
9693
9966
9997
10000
0.11
0.09
0.10
0.10
0.12
37.01
88.97
98.63
99.88
99.99
133
443
1172
2550
4607
0.11
0.12
0.12
0.12
0.13
The results in Tables 2 and 3 also confirm another
important aspect of data shuffling. A key aspect
of perturbation based on the conditional distribution approach is the conditional independence of
X and Y given S. The results, shown in Tables 2
and 3, confirm empirically that the conditional independence assumption holds well even for small data
sets. Hence, data shuffling provides very high security against risk of both value and identity disclosure.
We also constructed the R-U confidentiality map
(Duncan et al. 2001) (see Figure 1) to illustrate the relative performance of the different methods for n = 100
and specified population correlation coefficient = 04.
As a surrogate measure of data utility, we used the
percentage absolute bias Bias/04 . We used value
disclosure as the measure of disclosure risk. The R-U
confidentiality map clearly shows that data shuffling
is superior to the other approaches. For the data
swapping methods, a trade-off appears between data
utility and disclosure risk. The C&S (2002) method
provides high data utility, but also high disclosure
risk. Data shuffling is the only method that simultaneously provides the highest possible data utility and
lowest disclosure risk. Although we present only one
graph, it can be easily verified that other n and combinations would provide similar results. In conclusion, data shuffling is preferable to the other techniques used in this study.
Figure 1
We conducted extensive simulation experiments to
investigate the sensitivity of data shuffling to the
number of nonconfidential variables in the data set
and the underlying distribution of the confidential
variables. Note that data shuffling was implemented
using only the values of the nonconfidential variables and
rank-order correlation among the variables. No prior information regarding the confidential variables was assumed,
and no attempt was made to estimate the marginal distribution or other characteristics of any of the variables.
In the simulation experiments, the number of nonconfidential variables was varied between 2, 4, and 6.
All nonconfidential variables were assumed to be
binary key variables and to be independent of one
another. The number of confidential variables was
100%
R-U Confidentiality Map for n = 100 and = 040
C&S (2002) method
Data swap 10%
Value disclosure risk
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
Percentage of observations reidentified
75%
50%
Data swap 50%
25%
Data shuffling
0%
0%
10%
Data swap 100%
20%
Absolute bias
30%
40%
6.
Sensitivity of Data Shuffling to
Data Set Characteristics
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
667
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
Management Science 52(5), pp. 658–670, © 2006 INFORMS
specified as two. Several distributions were used to
generate the confidential variables (normal, gamma,
lognormal, and Weibull). Three levels of correlation (0.0, 0.10, 0.20, and 0.30) were specified for the
relationships between the confidential variables and
between the nonconfidential and confidential variables. The rank-order correlations between nonconfidential variables were specified as 0.0. Four different
sample sizes were used (30, 100, 300, and 1,000). The
data were generated using the procedure suggested
by Clemen and Reilly (1999). Note that it is not possible to generate data sets for all correlation values
for the 4 and 6 categorical variables. For each generated data set, the rank-order correlation between each
nonconfidential and confidential variable was computed for the original and masked data. The difference in the rank-order correlation was computed and
recorded. The entire experiment was repeated 10,000
times. Because the objective of the procedure was to
investigate the sensitivity of data shuffling, only this
procedure was implemented.
Table 4 provides select results of the experiment for
all three correlation levels, two different sample sizes
(30 and 100), and one specification for the marginal
distribution of the confidential variables (Gamma and
Table 4
Lognormal). The results in Table 4 show no specific attenuation in the rank-order correlation. The difference between the correlation of the original and
masked data is negative in some cases and positive
in others. The results also indicate that both bias
and standard error approach zero as the sample size
increases. Table 4 shows that for a given sample size
and correlation and regardless of the number of nonconfidential variables, the bias and SE are the same.
The results of the other experiments also verified this
conclusion. A comparison of the results across experiments using different specifications for the marginal
distribution of the confidential variables also revealed
no differences. This is not surprising because we do
not need information regarding the marginal distribution of the variables to perform data shuffling; we
need only the ranks of the nonconfidential variables.
As with the nonconfidential variables, the bias and SE
were inversely related to sample size and independent of the marginal distribution of the confidential
variables. Hence, we can conclude that in terms of
maintaining relationships among variables, data shuffling is not sensitive to the number of nonconfidential
variables or the underlying distribution of the confidential variables.
Sensitivity of Data Shuffling in Maintaining Rank-Order Correlation
= 00
k
Rank-order
correlation
between
n = 30
= 02
n = 100
n = 30
= 030
n = 100
n = 30
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
Bias
SE
00041
00045
00039
00039
−00044
0.0420
0.0421
0.0424
0.0418
0.0629
00064
00065
00066
00060
−00003
0.0205
0.0204
0.0206
0.0202
0.0303
2
S1
S1
S2
S2
X1
& X1
& X2
& X1
& X2
& X2
−00003
−00001
00001
00005
−00002
0.0452
0.0452
0.0454
0.0453
0.0635
−00001
00001
−00001
00003
−00001
0.0222
0.0222
0.0226
0.0225
0.0312
00017
00019
00024
00028
−00041
0.0440
0.0439
0.0449
0.0442
0.0635
00038
00035
00031
00034
−00007
0.0215
0.0217
0.0215
0.0212
0.0316
4
S 1 & X1
S 1 & X2
S 2 & X1
S 2 & X2
S 3 & X1
S 3 & X2
S 4 & X1
S 4 & X2
X 1 & X2
00001
−00002
00000
00003
−00001
00000
00003
00007
−00005
0.0458
0.0454
0.0464
0.0458
0.0455
0.0454
0.0460
0.0456
0.0633
−00003
−00002
00002
00003
00000
−00004
00001
−00001
00000
0.0228
0.0224
0.0229
0.0227
0.0223
0.0226
0.0226
0.0226
0.0312
00035
00026
00017
00015
00031
00032
00022
00018
−00022
0.0440
0.0438
0.0438
0.0439
0.0433
0.0435
0.0432
0.0442
0.0629
00036
00037
00038
00038
00034
00036
00039
00038
−00001
0.0216
0.0218
0.0218
0.0217
0.0215
0.0217
0.0217
0.0219
0.0307
6
S1
S1
S2
S2
S3
S3
S4
S4
S5
S5
S6
S6
X1
00007
−00004
00002
00002
−00001
−00006
00003
00001
−00006
00003
−00004
00003
00007
0.0455
0.0456
0.0459
0.0458
0.0454
0.0456
0.0453
0.0454
0.0452
0.0453
0.0452
0.0454
0.0627
−00001
00000
−00001
−00001
00000
−00003
00000
−00001
00000
−00001
00001
00003
00000
0.0226
0.0223
0.0224
0.0222
0.0224
0.0222
0.0220
0.0227
0.0227
0.0224
0.0226
0.0224
0.0314
& X1
& X2
& X1
& X2
& X1
& X2
& X1
& X2
& X1
& X2
& X1
& X2
& X2
n = 100
668
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
7.
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Application in a Database Context
In this section, we illustrate the data shuffling procedure for a large data set such as, perhaps, for
data stored in data warehouses. The example consists of six variables (three nonconfidential and
three confidential variables). The three nonconfidential variables represent Gender (Male = 0, Female = 1),
Marital Status (Married = 0, Other = 1), and an ordinal discrete variable Age with integer values between
1 and 6 (in increasing order of Age). The confidential
variables consist of three continuous variables representing Home Value (Lognormal), Mortgage Balance (Gamma), and Total Net Asset Value (Normal).
A data set with 50,000 observations was created
using the procedure suggested by Clemen and Reilly
(1999) for generating a multivariate data set with nonnormal marginal distributions.4 Data shuffling was
performed using only the values of the nonconfidential variables and rank-order correlation (and without
any knowledge of the underlying characteristics of the population from which the data was generated). No attempt
was made to estimate the characteristics of any of the
variables.
Table 5 provides the rank-order correlation between
the variables pre- and postmasking. In these cases,
the results clearly show that the shuffling procedure
maintains rank-order correlation that is very close to
the original values. We also know from the results in
the previous section that the bias is likely to be close
to zero and the standard error is likely to be very
small. Considering that all rank-order correlations are
maintained, analyses performed on this data should
yield results that are very similar to those using the
original data. Users often issue ad hoc queries to organizational databases. To envision every type of query
that might be issued would be impossible. However,
the marginal characteristics of the variables remain
unmodified, and the results of all experiments consistently show that data shuffling maintains relationships among variables that are the same as before
masking. Hence we believe that responses to ad hoc
queries using the masked data would yield results
that are similar to the results that would be obtained
using the original data.
8.
Limitations and Future Research
The data shuffling approach is limited mainly by two
factors that were discussed in detail in §2; namely,
the assumption regarding the joint distribution of the
variables and the performance of the procedure for
small data sets. The results in this study show that
when we consider data utility and disclosure risk
4
The entire data set can be found at http://gatton.uky.edu/
faculty/muralidhar/MSShuffle.xls.
Table 5
Rank-Order Correlations for Original and Masked Data in
Example Database
Correlation between
Original
Shuffled
Home value and
Gender
Marital status
Age
Mortgage balance
Total net value of assets
−000373
−000187
057146
058229
068129
−000889
−000025
058779
058008
067958
Mortgage balance and
Gender
Marital status
Age
Total net value of assets
−000409
−000093
028334
078156
−000881
000210
028591
078105
Total net value of assets and
Gender
Marital status
Age
−000510
007426
037367
−000554
008377
037829
simultaneously, the data shuffling procedure outperforms existing swapping procedures. In practice, the
variables may have complex nonmonotonic relationships that data shuffling would not preserve. In addition, given the nature of the data shuffling (or for
that matter all masking approaches), it will be difficult
to implement the procedure on a constantly changing data base. Hence we envision implementing the
procedure on historical data sets such as those stored
in data warehouses rather than on “transactional”
databases that involve frequent changes. In such situations, alternative approaches such as the confidentiality via camouflage procedure (Gopal et al. 2002)
may be considered.
Another important issue worthy of further investigation is the added variability that results from the
data shuffling procedure and its impact on statistical inference using the masked data. Three studies have directly addressed this issue (Rubin 1993,
Fienberg et al. 1998a, Burridge 2003). The data shuffling approach proposed in this study can possibly be
modified according to the procedures used in those
studies.
An interesting related line of research is to formulate the entire data shuffling procedure as a mathematical programming problem. This problem is rather
complex, involving a large number of 0 1 variables
and nonlinear constraints. More important, this problem is also NP-complete (Riess et al. 1982). However, for small data sets, the optimization approach
may provide sufficient statistics and yield better solutions than the data shuffling procedure. For larger
problems, the shuffled data may provide a good initial solution to the optimization problem. The problem also has some unique structural aspects that
may benefit from a closer evaluation by optimization
experts.
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
9.
Conclusions
In this study, we have developed a new shuffling
procedure for masking confidential, numerical data—
a procedure that is based on the conditional distribution approach. The advantages of this approach can
be summarized as follows:
(1) The released data consist of the original values
of the confidential variables (i.e., the marginal distribution is maintained exactly).
(2) All pairwise monotonic relationships among the
variables in the released data are the same as those in
the original data.
(3) Providing access to the masked microdata does
not increase the risk of disclosure.
Existing methods of data swapping do not provide
these benefits. In addition, by using the conditional
distribution in generating the masked values, data
shuffling allows data swapping techniques to perform on par with perturbation techniques. The issue
of the added variability and its impact on inferences
obtained from the masked data remains unanswered
and is worthy of further investigation.
Selecting the appropriate method of masking
depends on the users’ needs. If the user desires that
the original values of the confidential variables are not
modified (i.e., univariate characteristics of the masked
and original data are identical), existing methods fail
to provide the same level of data utility and disclosure
risk characteristics that are available with perturbation methods. By combining the strengths of the most
recent method of data perturbation (copula-based perturbation) and data swapping (C&S 2002 method), the
data shuffling procedure described in this study fills
this gap—providing data utility and disclosure risk
comparable to perturbation methods.
Finally, as calls for preserving privacy and confidentiality increase, the needs for masking techniques
accelerate rapidly. Data swapping techniques appeal
intuitively because they do not modify original values. Data swapping is also easier to explain to the
common user than other techniques. Potentially, these
characteristics can make data swapping the masking
technique of choice. Among data swapping methods, only data shuffling provides the same data utility and disclosure risks as other advanced masking
techniques, particularly for large data sets where the
asymptotic requirements are likely to be satisfied.
Using data shuffling in these situations would not
only provide optimal results, but would also foster
greater user acceptance of masked data for analysis.
Acknowledgments
The authors thank the reviewers and editors for their
valuable comments and suggestions. They also thank
Dr. William Winkler of the U.S. Census Bureau for providing them with the record linkage software.
669
References
Adam, N. R., J. C. Wortmann. 1989. Security-control methods for
statistical databases: A comparative study. ACM Comput. Surveys 21 515–556.
Burridge, J. 2003. Information preserving statistical obfuscation.
Statist. Comput. 13 321–327.
Carlson, M., M. Salabasis. 2002. A data swapping technique for
generating synthetic samples: A method for disclosure control.
Res. Official Statist. 6 35–64.
Clemen, R. T., T. Reilly. 1999. Correlations and copulas for decision
and risk analysis. Management Sci. 45 208–224.
Dalenius, T. 1977. Towards a methodology for statistical disclosure
control. Statistisktidskrift 5 429–444.
Dalenius, T., S. P. Reiss. 1982. Data-swapping: A technique for disclosure control. J. Statist. Planning Inference 6 73–85.
Dandekar, R. A., M. Cohen, N. Kirkendall. 2002. Sensitive microdata protection using Latin hypercube sampling technique.
J. Domingo-Ferrer, ed. Inference Control in Statistical Databases.
Springer-Verlag, New York.
Duncan, G. T., D. Lambert. 1986. Disclosure-limited data dissemination. J. Amer. Statist. Assoc. 81 10–18.
Duncan, G. T., R. W. Pearson. 1991. Enhancing access to microdata while protecting confidentiality: Prospects for the future.
Statist. Sci. 6 219–239.
Duncan, G. T., S. A. Keller-McNulty, S. L. Stokes. 2001. Disclosure risk vs. data utility: The R-U confidentiality map. Technical report LA-UR-01-6428, Los Alamos National Laboratory,
Los Alamos, NM.
Fienberg, S. E. 2002. Comment on paper by Carlson and Salabasis:
“A data swapping technique for generating synthetic samples:
A method for disclosure control.” Res. Official Statist. 6 65–67.
Fienberg, S. E., J. McIntyre. 2005. Data swapping: Variations on a
theme by Dalenius and Reiss. J. Official Statist. 21 309–323.
Fienberg, S. E., U. E. Makov, A. P. Sanil. 1997. A Bayesian approach
to data disclosure: Optimal intruder behavior for continuous
data. J. Official Statist. 13 75–89.
Fienberg, S. E., U. E. Makov, A. P. Steele. 1998a. Disclosure limitation using perturbation and related methods for categorical
data. J. Official Statist. 14 485–502.
Fienberg, S. E., U. E. Makov, A. P. Steele. 1998b. Rejoinder. J. Official
Statist. 14 509–511.
Fuller, W. A. 1993. Masking procedures for microdata disclosure
limitation. J. Official Statist. 9 383–406.
Gopal, R., R. Garfinkel, P. Goes. 2002. Confidentiality via camouflage: The CVC approach to disclosure limitation when answering queries to databases. Oper. Res. 50 501–516.
Kooiman, P. 1998. Comment. J. Official Statist. 14 503–508.
Liew, C. K., U. J. Choi, C. J. Liew. 1985. A data distortion by probability distribution. ACM Trans. Database Systems 10 395–411.
Little, R. J. A. 1993. Statistical analysis of masked data. J. Official
Statist. 9 407–426.
Moore, R. A. 1996. Controlled data swapping for masking public
use microdata sets. Research report series no. RR96/04, U.S.
Census Bureau, Statistical Research Division, Washington, D.C.
Muralidhar, K., R. Sarathy. 2003a. A theoretical basis for perturbation methods. Statist. Comput. 13 329–335.
Muralidhar, K., R. Sarathy. 2003b. A rejoinder to the comments by
Polettini and Stander. Statist. Comput. 13 339–342.
Muralidhar, K., R. Parsa, R. Sarathy. 1999. A general additive data
perturbation method for database security. Management Sci. 45
1399–1415.
Muralidhar, K., R. Sarathy, R. Parsa. 2001. An improved security requirement for data perturbation with implications for
e-commerce. Decision Sci. 32 683–698.
Nelsen, R. B. 1999. An Introduction to Copulas. Springer, New York.
Downloaded from informs.org by [130.113.86.233] on 23 February 2015, at 06:45 . For personal use only, all rights reserved.
670
Muralidhar and Sarathy: Data Shuffling—A New Masking Approach for Numerical Data
Raghunathan, T. E., J. P. Reiter, D. B. Rubin. 2003. Multiple imputation for statistical disclosure limitation. J. Official Statist. 19 1–6.
Reiss, S. P., M. J. Post, T. Dalenius. 1982. Non-reversible privacy
transformations. Proc. ACM Sympos. Principles Database Systems,
Los Angeles, CA, 139–146.
Rubin, D. B. 1993. Discussion of statistical disclosure limitation.
J. Official Statist. 9 461–468.
Sarathy, R., K. Muralidhar, R. Parsa. 2002. Perturbing non-normal
confidential variables: The copula approach. Management Sci.
48 1613–1627.
Wall Street Journal. 2001. Bureau blurs data to keep names confidential. (February 14) B1–B2.
Management Science 52(5), pp. 658–670, © 2006 INFORMS
Willenborg, L., T. de Waal. 2001. Elements of Statistical Disclosure
Control. Springer, New York.
Winkler, W. E. 1995a. Advanced methods for record linkage. Proc.
Survey Res. Methods Section, American Statistical Association,
Alexandria, VA.
Winkler, W. E. 1995b. Matching and record linkage. B. G. Cox,
ed. Business Survey Methods. John Wiley and Sons, New York,
355–384.
Winkler, W. E. 1998. Producing public-user microdata that are analytically valid and confidential. Statistical research report series
no. RR98/02, U.S. Census Bureau, Statistical Research Division,
Washington, D.C.
