When random sampling preserves privacy

Abstract

Many organizations such as the U.S. Census publicly release samples of data that they collect about private citizens. These datasets are first anonymized using various techniques and then a small sample is released so as to enable "do-it-yourself" calculations. This paper investigates the privacy of the second step of this process: sampling. We observe that rare values - values that occur with low frequency in the table - can be problematic from a privacy perspective. To our knowledge, this is the first work that quantitatively examines the relationship between the number of rare values in a table and the privacy in a released random sample. If we require ∈-privacy (where the larger ∈ is, the worse the privacy guarantee) with probability at least 1 - δ, we say that a value is rare if it occurs in at most Õ(1/∈) rows of the table (ignoring log factors). If there are no rare values, then we establish a direct connection between sample size that is safe to release and privacy. Specifically, if we select each row of the table with probability at most ∈ then the sample is O(∈)-private with high probability. In the case that there are t rare values, then the sample is Õ(∈δ/t)- private with probability at least 1 - δ. © International Association for Cryptologic Research 2006.