Confidentiality for business data is an understudied area of disclosure avoidance, where legacy methods struggle to provide acceptable results. Standard formal privacy techniques for person-level data, like differential privacy, are designed to protect against membership inference and hence do not provide suitable confidentiality/utility trade-offs due to the highly skewed nature of business data and because extreme outlier records are often important contributors to query answers. Prior proposals, therefore, took a personalized differential privacy approach that allowed privacy parameters to degrade for the outlying records -- larger establishments get weaker membership inference guarantees. However, providing guarantees to some entities that are strictly weaker than guarantees for others is problematic from a policy standpoint. In this paper, we propose a novel confidentiality framework for business data with a focus on interpretability for policy makers. Instead of protecting against membership inference, which is often not a concern in business data, we protect against attribute inferences that are too precise. In our framework, data curators specify a neighbor function that is used to define uncertainty interval bands around an establishment's attribute values and the privacy parameters govern the strength of indistinguishability between values within the same uncertainty interval.We propose two query-answering mechanisms under this framework and evaluate them on: (1) a confidential Quarterly Census of Employment and Wages (QCEW) dataset produced by the U.S. Bureau of Labor Statistics (this was done through a cooperative agreement), and (2) a substitute dataset that we created from public sources (and will publicly release).

翻译：企业数据的保密性是一个研究不足的披露规避领域，传统方法难以提供可接受的结果。针对个人数据的标准正式隐私技术（如差分隐私）旨在防止成员推断，但由于企业数据的高度偏态分布特性以及极端离群记录常是查询答案的重要贡献者，这些技术无法提供合适的保密性与实用性权衡。因此，此前的提议采用个性化差分隐私方法，允许离群记录的隐私参数退化——规模较大的企业获得较弱的成员推断保护。然而，从政策角度看，对部分实体提供严格弱于其他实体的保护存在争议。本文提出一种新颖的企业数据保密框架，重点关注面向政策制定者的可解释性。我们不针对通常并非企业数据关切点的成员推断进行保护，而是防范过于精确的属性推断。在该框架下，数据管理者指定一个邻域函数，用于定义企业属性值周围的不确定区间带，隐私参数则控制同一不确定区间内值之间不可区分性的强度。我们提出了该框架下的两种查询应答机制，并在以下数据集上进行了评估：（1）美国劳工统计局通过合作协议提供的机密季度就业与工资普查（QCEW）数据集；（2）我们根据公开来源创建并将公开发布的替代数据集。