
RAPID: Risk of Attribute Prediction-Induced Disclosure in Synthetic Microdata

Matthias Templ, Oscar Thees, Roman Müller

TL;DR

RAPID addresses the gap in measuring attribute-inference risk in fully synthetic microdata by quantifying per-record disclosure vulnerability under a realistic attacker who trains predictors on synthetic data. It formalizes both categorical and continuous sensitive attributes through baseline-normalized confidence and tolerance-based errors, respectively, and returns a bounded, interpretable risk metric with threshold-based reporting. The method supports rigorous threshold calibration, uncertainty quantification, and diagnostic analyses (e.g., quasi-identifier attribution), while remaining agnostic to the specific synthesizer and learning algorithm. RAPID complements differential privacy by providing a practical, attacker-focused risk diagnostic that informs release decisions and risk-utility trade-offs in public-use synthetic data.

Abstract

Statistical data anonymization increasingly relies on fully synthetic microdata, for which classical identity disclosure measures are less informative than an adversary's ability to infer sensitive attributes from released data. We introduce RAPID (Risk of Attribute Prediction-Induced Disclosure), a disclosure risk measure that directly quantifies inferential vulnerability under a realistic attack model. An adversary trains a predictive model solely on the released synthetic data and applies it to real individuals' quasi-identifiers. For continuous sensitive attributes, RAPID reports the proportion of records whose predicted values fall within a specified relative error tolerance. For categorical attributes, we propose a baseline-normalized confidence score that measures how much more confident the attacker is about the true class than would be expected from class prevalence alone, and we summarize risk as the fraction of records exceeding a policy-defined threshold. This construction yields an interpretable, bounded risk metric that is robust to class imbalance, independent of any specific synthesizer, and applicable with arbitrary learning algorithms. We illustrate threshold calibration, uncertainty quantification, and comparative evaluation of synthetic data generators using simulations and real data. Our results show that RAPID provides a practical, attacker-realistic upper bound on attribute-inference disclosure risk that complements existing utility diagnostics and disclosure control frameworks.
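A data custodian's pre-release check along the lines the abstract describes, as an added example that is not the authors' code. Assumptions: the normalized gain is taken as (p - b) / (1 - b) with b the true class's prevalence in the original data (the page does not give the formula), the attacker is a simple cell-frequency model, and all records and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

def train_attacker(synthetic):
    """Fit P(y | quasi-identifiers) from cell frequencies in synthetic data only."""
    cells, prior = defaultdict(Counter), Counter()
    for qi, y in synthetic:
        cells[qi][y] += 1
        prior[y] += 1
    n = sum(prior.values())
    def confidence(qi, y):
        c = cells.get(qi)
        if not c:                      # unseen QI cell: fall back to synthetic prevalence
            return prior[y] / n
        return c[y] / sum(c.values())
    return confidence

def rapid_categorical(synthetic, real, tau=0.3):
    """Fraction of real records whose normalized gain on the true class exceeds tau."""
    confidence = train_attacker(synthetic)
    prevalence = Counter(y for _, y in real)
    at_risk = 0
    for qi, y in real:
        b = prevalence[y] / len(real)            # baseline: class prevalence
        p = confidence(qi, y)                    # attacker confidence in the true class
        gain = (p - b) / (1 - b) if b < 1 else 0.0   # assumed normalization
        at_risk += gain > tau
    return at_risk / len(real)

def rapid_continuous(y_true, y_pred, eps=0.1):
    """Fraction of records predicted within relative error eps of the true value."""
    # A true value of 0 has no relative error; it counts only on an exact match.
    hits = sum(abs(p - t) <= eps * abs(t) for t, p in zip(y_true, y_pred))
    return hits / len(y_true)

# Constructed sample: quasi-identifiers (age band, sector), sensitive income class.
TECH, RETAIL, OLD = ("30-39", "tech"), ("30-39", "retail"), ("60+", "retail")
SYNTHETIC = ([(TECH, "high")] * 9 + [(TECH, "low")] +
             [(RETAIL, "low")] * 8 + [(RETAIL, "high")] * 2 +
             [(OLD, "low")] * 5 + [(OLD, "high")] * 5)
REAL = [(TECH, "high"), (TECH, "high"), (RETAIL, "low"), (RETAIL, "low"),
        (OLD, "low"), (OLD, "high"), (TECH, "low"), (("60+", "tech"), "low")]

if __name__ == "__main__":
    for tau in (0.3, 0.5, 0.9):        # threshold sensitivity on the sample
        print(tau, rapid_categorical(SYNTHETIC, REAL, tau))
```

Sweeping `tau` as in the last lines gives the kind of threshold sensitivity curve described for Figure 3, here on the constructed sample only.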

Paper Structure (52 sections, 28 equations, 5 figures, 2 tables, 1 algorithm)

This paper contains 52 sections, 28 equations, 5 figures, 2 tables, 1 algorithm.

Figures (5)

  • Figure 1: Synthetic data generation and evaluation workflow. Original data is used to train a synthetic data generator, which produces synthetic records. These records are evaluated for privacy risk and statistical utility. If acceptable, the synthetic data is released to data users for analysis; otherwise, the generator is recalibrated or the data is edited.
  • Figure 2: Inferential disclosure threat model. A data custodian releases synthetic data [$\mathbf{X}^s$, $\mathbf{y}^s$] generated from original data containing quasi-identifiers ($\mathbf{X}$) and a sensitive attribute ($\mathbf{y}$). An adversary with access to the released synthetic data and external knowledge of individuals' quasi-identifiers ($\tilde{\mathbf{X}}$, which may or may not include individuals from the original sample) trains a predictive model to infer sensitive attributes.
  • Figure 3: Threshold sensitivity curve for the UCI Adult dataset. RAPID (proportion of records at risk) as a function of the normalized gain threshold $\tau$, averaged across 5 synthetic replicates generated via CART synthesis using synthpop [raab2024synthpop]. The vertical dashed line marks the default threshold ($\tau=0.3$). The curve demonstrates how disclosure risk decreases as stricter thresholds are imposed, with approximately 70% of records flagged at $\tau=0.3$ and less than 5% at $\tau=0.9$. Shaded region indicates range across replicates.
  • Figure 4: Impact of dependency strength and normalized gain threshold on RAPID: (a) RAPID and attacker accuracy increase monotonically with dependency strength $\kappa$. RAPID rises from 0.25 at $\kappa=0$ to 0.97 at $\kappa=100$, with steepest increases at low $\kappa$ values ($\tau=0.3$). This S-shaped growth demonstrates that attribute-inference risk escalates rapidly when transitioning from weak to moderate quasi-identifier–sensitive attribute relationships, then saturates as dependencies approach deterministic levels. (b) RAPID vs. normalized gain threshold $\tau$ for varying $\kappa$. At low dependency ($\kappa=0$, gray), the curve is convex, reflecting diffuse attacker confidence where most records are filtered out at moderate thresholds. At high dependency ($\kappa \geq 5$, blue/red), curves become concave, remaining elevated until stringent thresholds ($\tau > 0.7$) are applied. This transition reflects a qualitative shift in attacker confidence distributions as dependencies strengthen. Both panels: Mean $\pm$ 1 SD over 10 simulations; $n=1000$ records, CART synthesizer, Random Forest attacker.
  • Figure 5: Quasi-identifier attribution analysis. Predicted log-odds of attribute inference risk from logistic regression across 50 simulations ($\kappa=10$, $\tau=0.3$, $n=1000$). Top: Marginal effects. Middle: Two-way interactions at specified conditioning values. Bottom: Three-way interaction at three age levels (30, 50, 70). Y-axes individually trimmed to enhance visibility; some extreme outliers not shown.