Vulnerability of Complementary Cell Suppression to Intruder Attack

Complementary cell suppression was the first and remains a popular method for disclosure limitation of magnitude data such as economic censuses data. We show that, when not solved in a rigorous mathematical way, suppression can fail to protect data, sometimes fatally. When solved properly as a mathematical programming problem, suppression is guaranteed to meet certain conditions related to protecting individual data, but we demonstrate that other vulnerabilities exist. Suppression sacrifices both confidential and nonconfidential data, forcing potentially significant degradation in data quality and usability. These effects are often compounded because mathematical relationships induced by suppression tend to produce "over-protected" solutions. To mitigate these effects, it has been suggested that the data releaser provide exact interval estimates of suppressed cell values. We demonstrate for two standard data sensitivity measures that, even when safe, exact intervals further threaten data security, in some situations completely.