Differentially private survey research

Abstract

Survey researchers have long protected respondent privacy via de-identification (removing names and other directly identifying information) before sharing data. Unfortunately, recent research demonstrates that these procedures fail to protect respondents from intentional re-identification attacks, a problem that threatens to undermine vast survey enterprises in academia, government, and industry. This is especially a problem in political science because political beliefs are not merely the subject of our scholarship; they represent some of the most important information respondents want to keep private. We confirm the problem in practice by re-identifying individuals from a survey about a controversial referendum declaring life beginning at conception. We build on the concept of “differential privacy” to offer new data-sharing procedures with mathematical guarantees for protecting respondent privacy and statistical validity guarantees for social scientists analyzing differentially private data. The cost of these procedures is larger standard errors, which can be overcome with larger sample sizes.