Data Swapping is a statistical disclosure control (SDC) procedure that randomly perturbs tabular data subject to common features. It is the predominant SDC method used in the 1990 through 2010 U.S. Decennial Censuses. The 2020 Decennial Census deprecated swapping was deprecated in favor of a suite of methods that “us[e] differential privacy for privacy-loss accounting” (Abowd et al., 2022) which, if one reads between the lines, is not the same as saying that the methods are differentially private. What are we missing?

This talk presents a two-part inquiry that harmonizes the conflict between the desirable properties that formal privacy may confer on SDC and the pragmatic constraints that SDC must respect within an application context. Part one traces the etymological evolution of differential privacy to its core as a Lipschtiz condition on data release mechanisms. The constituent elements of a differential privacy specification are “who” (protection domain), “where” (scope of protection), “what” (protection unit), “how” (standard of protection), and “how much” (privacy-loss accounting). Choices along these dimensions characterize privacy differentials over which differential privacy exerts control. Part two delineates the privacy parameters of a randomized swapping algorithm, constructed to be compatible with known features of the 1990 through 2010 Decennial Census swapping procedure, and analyzes its privacy guarantee alongside that offered by the 2020 Decennial Census TopDown algorithm.

This study makes precise the vocabulary necessary to confer benefits of formal privacy, including provability and transparency, to a wide range of SDC practices that originated outside of the differential privacy literature with minimal hinderance on the operations of statistical data curators and the usability of their data products. It underscores the deficiency in simplistically equating privacy guarantees with their nominal privacy loss, and offers a constructive framework to compare and modify privacy protection procedures.