Releasing survey microdata with exact cluster locations and additional privacy safeguards

The paper addresses the privacy-utility trade-off in releasing georeferenced survey microdata. Traditional de-identification (e.g., deleting identifiers and geomasking survey cluster locations) protects privacy but diminishes utility for analyses that depend on precise geography and local augmentation with auxiliary data. Two trends exacerbate the problem: rising demand for granular, rapid information and proliferation of external data that increases re-identification risks. The authors propose a user-centric dissemination strategy: release (1) original microdata without small-area geographic identifiers (below strata) and (2) synthetic microdata in which non-spatial attributes are synthesized but exact cluster (zip code) locations are retained. They pose two key questions: (i) Can the synthetic dataset be exploited to infer the private small-area identifier in the original data, undermining privacy? (ii) Does synthesizing non-spatial attributes introduce less uncertainty for spatial analyses than perturbing (geomasking) locations? The study evaluates these questions using the 2011 Costa Rican census and satellite-derived covariates, comparing the proposed approach to standard geomasking.

The paper situates its contribution within privacy protection and synthetic data literature. For aggregated releases, differential privacy provides rigorous guarantees (Dwork, 2008). For microdata, common practices include deletion and perturbation, notably geomasking as implemented in DHS (Burgert et al., 2013), which displaces urban clusters up to 2 km and rural clusters up to 5–10 km. However, even small attribute sets can enable re-identification in pseudonymous datasets (Rocher et al., 2019), and location perturbation degrades compatibility with auxiliary geospatial data. Synthetic data methods attempt to capture joint distributions to generate realistic records: parametric imputation and hierarchical synthesis (Drechsler et al., 2008; Heldal & Iancu, 2019; Alfons et al., 2011; Templ et al., 2017), tree-based CART synthesis (Reiter, 2005; Wang & Reiter, 2012), and modern generative models including Bayesian networks, GANs, and copulas (Li et al., 2014; Rocher et al., 2019; Sun et al., 2019; Torkzadehmahani et al., 2019; Xu et al., 2019; Zhang et al., 2017). National statistical offices increasingly explore synthetic data: US Census Bureau uses ACS and SIPP synthetic data for small-area estimates; ONS piloted a synthetic Labor Force Survey; UNECE published a starter guide on synthetic data. The authors choose copulas due to theoretical clarity, interpretability, and computational efficiency compared to GANs, and the practical benefit that margins can be readily updated with new representative data.

Data and setting: A 10% random sample of the 2011 Costa Rican census (427,830 individuals, 106 attributes) serves as a pseudo-population. Administrative geography includes 2 zones, 6 regions, 81 cantons, and 473 districts (zip codes). Twelve strata are defined by region × urban/rural. The smallest geographic identifier available is the district (zip code). The target variable for augmentation is the Unsatisfied Basic Needs (NBI) index, a composite binary indicator constructed from ~19 binary indicators across four dimensions. Sampling design: From the pseudo-population, 100 repeated surveys are drawn using a stratified two-stage cluster design. Districts (zip codes) serve as PSUs (767 PSUs available). In each stratum, PSUs are selected with probability proportional to size, and at least 10 households per PSU are sampled by simple random sampling without replacement (PSUs with <10 households are excluded, ~4%). Sampling weights are defined as inverses of inclusion probabilities. Anonymization strategies compared:

• Benchmark (Geomasking): Emulates DHS displacement (Algorithm 1). For each sampled EA centroid within districts, displace by a random angle and distance: urban up to 2 km; rural up to 5 km, with 1% up to 10 km, using rejection sampling to stay within a larger administrative area. Households whose masked EA falls outside their original zip code are reassigned; about 30% of sampled EAs end up in new zip codes.
• Proposed strategy (Two datasets): (1) Synthetic survey D_syn with true zip codes retained and all other attributes synthesized via a Gaussian copula; (2) No Zip Code survey D_no where the original data are released but small-area identifiers (zip) are removed (kept up to strata only). Synthetic data generation (Algorithm 2): Categorical variables are transformed (frequency encoding/one-hot as needed). A Gaussian copula is fit on transformed attributes to separate marginal distributions from dependence structure: estimate means and covariance (Σ) assuming normal marginals (noting potential mis-specification). Constraints (e.g., non-negative ages; household composition sums) are enforced via rejection sampling. Sampling is done per cluster to match original cluster sample sizes, using conditional multivariate normals as needed. The synthetic dataset comprises Y_2..Y_m with true X_zip attached. Privacy attack (inference): To test whether synthetic data can reveal private attributes in the original, train random forest classifiers per stratum on anonymized datasets (geomasked or synthetic) to predict zip code labels. Apply the trained model to the original data without zips (D_no) to form a "Re-identified" dataset D_re and evaluate accuracy against true zip codes. Random guessing is a baseline. Evaluation metrics (100 simulation runs):
• Information loss: Normalized Kullback-Leibler (KL) divergence Z_KL between survey datasets and census distributions for each attribute × zip code.
• Privacy risks: (a) Re-identification accuracy of private zip codes via the inference attack; (b) Population uniqueness (share of survey respondents unique in the population for subsets of attributes) computed for D_true, D_geo, D_no, D_syn, and D_re across increasing numbers of attributes.
• Utility for survey augmentation: Using WorldPop satellite-derived features aggregated to zip codes (distances to land cover, roads, waterways; night-time lights; topography; settlement presence), combine with survey aggregates to estimate NBI at the zip level. Evaluate predictions versus census using adjusted R^2, bias, and mean squared error (MSE). A Fay-Herriot small-area model framework is used in supplementary analyses. Robustness checks (Supplementary): Fit copulas at different geographic levels (whole survey vs strata vs zip code), vary synthetic sample size to study shrinkage factor γ and adjusted R^2, test alternative categorical encodings and non-normal marginal families (selected by KS tests), and assess stability over fewer simulation rounds.

• Privacy protection: The proposed two-dataset strategy reduces respondents' re-identification risk by 60–80% across any number of disclosed attributes (as per abstract). Population uniqueness grows rapidly for true and geomasked data but remains almost flat for synthetic data, indicating substantially lower re-identification risk. Geomasking yields ~70% population uniqueness due to only the zip code being perturbed, whereas synthetic data provides strong privacy gains.
• Inference attack on private geocodes: Random forest models trained on geomasked data can often recover original zip codes; models trained on synthetic data perform close to random guessing, providing better protection against attribute re-identification.
• Information loss: Normalized KL divergence totals across attributes × zip codes show: True survey Z_KL ≈ 0.76, Synthetic ≈ 0.74, Geomasked ≈ 0.73. Synthetic data approximates census distributions nearly as well as the true survey and better than geomasked data.
• Impact of geomasking: Approximately 30% of displaced enumeration areas are reassigned to new zip codes, altering small-area aggregates and increasing uniqueness risk.
• Utility for survey augmentation (NBI): Synthetic data outperforms geomasked data and even the true survey when predicting zip code-level NBI against the census across 100 runs, with higher adjusted R^2, lower bias, and lower MSE. NBI distributions from synthetic data exhibit smaller tails, aligning more closely with the census than geomasked or true survey estimates.
• Composite indicator synthesis: While overall incidences of NBI and component indicators are well matched in distribution (high Z_KL, often ~0.98–1.00), Pearson correlations between synthetic and computed NBI at the individual level are low (e.g., ρ ≈ 0.07 for composite), indicating challenges in capturing fine-grained dependencies across components.
• Robustness: Results are stable by ~50 simulation runs; fitting at the strata level balances capturing regional variation and sample size; alternative encodings and marginal specifications have minor effects on Z_KL; increasing synthetic sample size increases adjusted R^2 and the Fay-Herriot shrinkage factor without clear overfitting bumps in this setup.

The findings show that releasing two datasets—a synthetic microdata file with true cluster locations and an original microdata file without small-area identifiers—provides a superior privacy-utility balance compared to geomasking. Exact cluster locations preserve spatial congruence for augmentation with auxiliary geospatial data, leading to better small-area estimates (e.g., NBI) than both geomasked and even the true microdata due to reduced influence of outliers and better alignment of distributions. Privacy is strengthened on two fronts: lower population uniqueness over increasing attribute sets and resistance to inference attacks on private geocodes. The approach offers plausible deniability and aligns with regulatory constraints by reducing re-identification risk, potentially expanding safe access to geolocated microdata. For data producers and mapping initiatives (e.g., WorldPop, GRID3), the method enhances product quality by enabling accurate spatial linkage without location perturbation. Separating margins from dependence structures also facilitates updates as new, nationally representative margins become available, supporting ongoing data releases.

This study introduces and empirically validates an alternative microdata dissemination strategy that retains exact cluster locations while safeguarding privacy via synthetic non-spatial attributes, complemented by an original dataset without small-area identifiers. In experiments with Costa Rican census data and satellite-derived covariates, the strategy substantially reduces re-identification risk (60–80%) while preserving or improving analytical utility, particularly for spatially augmented estimation of NBI. The approach can help statistical agencies and survey programs broaden data usability under stringent privacy regulations and support geospatial modeling efforts. Future work should: (i) improve generative modeling by using latent copulas, nonparametric marginals, and explicit hierarchical modeling to better capture multi-level dependencies; (ii) integrate formal privacy guarantees via differentially private synthesizers (e.g., PrivBayes, PrivSyn, PATE-GAN); (iii) extend evaluation to other countries and survey contexts; and (iv) formalize release processes with data protection impact assessments recognizing microdata as pseudonymous rather than fully anonymous.

• Modeling dependence: The Gaussian copula with normal marginals may mis-specify complex, non-normal, and hierarchical relationships; lower-level hierarchies (individuals within households) are imperfectly captured.
• Data quality dependence: Synthesis reproduces biases arising from small class sizes and high non-response in the source data.
• Composite indicators: Directly synthesized composite indicators may not be decomposable into components; reconstructing composites from synthesized components can misalign due to sensitivity to dependencies.
• Potential leakage: Synthetic data may leak information via generated value ranges; stronger guarantees require differentially private synthesis.
• Pseudonymity: Regardless of strategy, released microdata remain pseudonymous, necessitating data protection impact assessments and governance.
• Generalizability: Results are from one country and setting; applicability should be tested across other contexts and datasets.