Differential Privacy and the 2020 US Census
Simson Garfinkel
Abstract
In 2017 the US Census Bureau announced that it would update the statistical methods it used to meet its statutory obligation to protect the confidentiality of information furnished to the agency. The new system would be based on an approach called "differential privacy" that was invented in 2006 in the context of cryptography. Unlike the Census Bureau's previous system-a technique based on swapping responses from easy-to-identify residential units-the confidentiality protection afforded by differential privacy involves adding carefully structured random values (called "noise") to every intermediate computation, and then implementing "postprocessing" algorithms to make the noise-infused data resemble the legacy data produced by the previous Census Bureau methods. 1 Although for decades the Census Bureau intentionally added error to the decennial census tables and publicly released microdata to protect the privacy of respondents, it had never revealed how much error was added nor the exact mechanism. For 2020, the Census Bureau decided to engage stakeholders directly and tell data users how much error would be introduced. As the Census Bureau raced against the clock to implement the new system, thousands of stakeholders became alarmed that differential privacy might introduce so much randomness into the published data that they would be unusable for many purposes, including drawing new districts for the US House of Representatives as well as academic research in demography and economics. In the interest of transparency, the Census Bureau produced multiple Demonstration Data Products (DDP) using the 2010 Census data.