Working Paper: NBER ID: w31995
Authors: John M. Abowd; Tamara Adams; Robert Ashmead; David Darais; Sourya Dey; Simson L. Garfinkel; Nathan Goldschlag; Daniel Kifer; Philip Leclerc; Ethan Lew; Scott Moore; Rolando A. RodrÃguez; Ramy N. Tadros; Lars Vilhuber
Abstract: Using only 34 published tables, we reconstruct five variables (census block, sex, age, race, and ethnicity) in the confidential 2010 Census person records. Using the 38-bin age variable tabulated at the census block level, at most 20.1% of reconstructed records can differ from their confidential source on even a single value for these five variables. Using only published data, an attacker can verify that all records in 70% of all census blocks (97 million people) are perfectly reconstructed. The tabular publications in Summary File 1 thus have prohibited disclosure risk similar to the unreleased confidential microdata. Reidentification studies confirm that an attacker can, within blocks with perfect reconstruction accuracy, correctly infer the actual census response on race and ethnicity for 3.4 million vulnerable population uniques (persons with nonmodal characteristics) with 95% accuracy, the same precision as the confidential data achieve and far greater than statistical baselines. The flaw in the 2010 Census framework was the assumption that aggregation prevented accurate microdata reconstruction, justifying weaker disclosure limitation methods than were applied to 2010 Census public microdata. The framework used for 2020 Census publications defends against attacks that are based on reconstruction, as we also demonstrate here. Finally, we show that alternatives to the 2020 Census Disclosure Avoidance System with similar accuracy (enhanced swapping) also fail to protect confidentiality, and those that partially defend against reconstruction attacks (incomplete suppression implementations) destroy the primary statutory use case: data for redistricting all legislatures in the country in compliance with the 1965 Voting Rights Act.
Keywords: census; confidentiality; data reconstruction; statistical disclosure limitation; privacy
JEL Codes: C19; J10
Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.
| Cause | Effect |
|---|---|
| Reconstruction of microdata from the 2010 census is feasible (C80) | High-precision reidentification of individuals (C91) |
| Flawed assumption that aggregation prevents accurate microdata reconstruction (C81) | Weaker disclosure limitation methods (Y50) |
| SDL used for the 2010 census did not meet the census bureau's stated standards (C80) | Privacy violations (K24) |
| Reconstruction attacks can successfully identify vulnerable individuals with high precision (Y50) | Privacy violations (K24) |
| SDL procedures failed to limit the accuracy of reconstructed microdata (C81) | Privacy violations (K24) |