Differential Privacy
Xintao WuOct 31, 2012
Sanitization approaches
• Input perturbation– Add noise to data– Generalize data
• Summary statistics– Means, variances– Marginal totals– Model parameters
• Output perturbation– Add noise to summary statistics
Blending/hiding into a crowd
• K-anonymity based approaches
• Adversary may have various background knowledge to breach privacy
• Privacy models often assume “the adversary’s background knowledge is given”
Classic intuition for privacy
• Privacy means that anything can be learned about a respondent from the statistical database can be learned without access to the database.
• Security of encryption– Anything about the plaintext that can be learned
from a ciphertext can be learned without the ciphertext.
• Prior and posterior views about an individual should not change much
Motivation
• Publicly release statistical information about a dataset without compromising the privacy of any individual
Requirement
• Anything that can be learned about a respondent from a statistical database should be learnable without access to the database
• Reduce the knowledge gain of joining the database
• Require that the probability distribution on the public results is essentially the same independent of whether any individual opts in to, or opts out of the dataset
Definition
Sensitivity function
• Captures how great a difference must be hidden by the additive noise
LAP distribution noise
Guassian noise
Adding LAP noise
Proof sketch
Delta_f=1, epsilon varies
Delta_f=1 epsilon=0.01
Delta_f=1 epsilon=0.1
Delta_f=1 epsilon=1
Delta_f=1 epsilon=2
Delta_f=1 epsilon=10
Delta_f=2, epsilon varies
Delta_f=3, epsilon varies
Delta_f=10000, epsilon varies
Composition
• Sequential composition
• Parallel composition --for disjoint sets, the ultimate privacy
guarantee depends only on the worst of the guarantees of each analysis, not the sum.
Example
• Let us assume a table with 1000 customers and each record has attributes: name, gender, city, cancer, salary. – For attribute city, we assume the domain size is 10;
– for attribute cancer, we only record Yes or No for each customer;
– for attribute salary, the domain range is 0-10k.
– The privacy threshold \epsilon is a constant 0.1 set by data owner.
• For one single query “How many customers got cancer?”
• The adversary is allowed to ask three times of the query
shown the above.
Example (continued)
• “How many customers got cancer in each city?”
• For one single query “What is the sum of salaries across all customers?”
Type of computing (query)
• some are very sensitive, others are not
• single query vs. query sequence
• query on disjoint sets or not
• outcome expected: number vs. arbitrary
• interactive vs. not interactive
Sensitivity
• Global sensitivity
• Local sensitivity
• Smooth sensitivity
Different areas of DP
• PINQ
• DM with DP
• Optimizing linear counting queries under differential privacy.
-Matrix mechanism for answering a workload of predicate counting queries
PPDM interface--PINQ
• A programmable privacy preserving layer
• Add calibrated noise to each query
• Need to assign privacy cost budget
Data Mining with DP
• Previous study—privacy preserving interface ensures everything about DP
• Problems—inferior results if the interface is utilized simply during data mining
• Solution—consider both together• DP ID3
—noisy count
—evaluate all attributes in one exponential mechanism query using entire budget instead of splitting budget among multiple
DP in Social Networks
• Page 97-120 of pakdd11 tutorial
Recommended
