How Much Is Enough? Choosing ε for Differential Privacy

Differential privacy is a relatively recent notion, and while it is conceptually appealing it has proved difficult to apply in practice. Its parameters have an intuitive theoretical interpretation, but their implications for the actual risk of disclosure have not yet been studied, and choosing appropriate values for them is non-trivial. Although the privacy parameter ε is used to quantify the privacy risk posed by releasing statistics computed on sensitive data, ε is not an absolute measure of privacy but a relative one: even for the same value of ε, the guarantee that differential privacy enforces differs with the domain of the attribute in question and the query being supported. We consider the probability of identifying any particular individual as being in the database, and demonstrate the challenge of setting the proper value of ε given the goal of protecting the individuals in the database with some fixed probability.
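The following worked example is added here to make the abstract's point concrete; it is not code or a formula from the paper. It assumes a simple adversary model that is common in this line of work but is stated here as an assumption: the adversary knows n candidate individuals, knows the database holds all but one of them, and sees a single sum query answered by the Laplace mechanism with noise scale Δf/ε. Under pure ε-differential privacy every likelihood ratio between neighbouring worlds is at most e^ε, so with a uniform prior the adversary's posterior on the true world is at most e^ε/(e^ε + n − 1); inverting that gives the largest ε that keeps the identification probability below a target ρ. The function names, the candidate-world construction and the constructed attribute values are all the example's own. The caveat the example demonstrates is the abstract's thesis: the bound is only attained when candidate worlds differ by the full sensitivity, so for the same ε a person whose value sits in the middle of the attribute's domain is identified with a lower probability than one at its extreme.

```python
import math
import random
from typing import List, Optional, Sequence


def worst_case_identification(eps: float, n: int) -> float:
    """Upper bound on an adversary's posterior belief in the true world.

    Model (an assumption of this example, not the paper's exact setup):
    n candidate worlds that are pairwise neighbouring databases, uniform
    prior 1/n.  Pure eps-DP bounds every likelihood ratio
    P(r|D_i)/P(r|D_j) by e^eps, so the posterior on the true world is at
    most e^eps / (e^eps + n - 1).
    """
    if n < 2:
        raise ValueError("need at least two candidate worlds")
    return math.exp(eps) / (math.exp(eps) + (n - 1))


def epsilon_for_target(rho: float, n: int) -> float:
    """Largest eps whose worst-case identification probability is <= rho.

    Inverts worst_case_identification:
      e^eps/(e^eps+n-1) <= rho  <=>  eps <= ln(rho*(n-1)/(1-rho)).
    rho <= 1/n is unachievable: the prior alone already gives 1/n.
    """
    if n < 2 or not 0.0 < rho < 1.0:
        raise ValueError("need n >= 2 and 0 < rho < 1")
    if rho <= 1.0 / n:
        raise ValueError("rho must exceed the prior 1/n")
    return math.log(rho * (n - 1) / (1.0 - rho))


def posterior(eps: float, sensitivity: float, f_values: Sequence[float],
              output: float,
              prior: Optional[Sequence[float]] = None) -> List[float]:
    """Bayesian adversary's posterior over candidate worlds after one release.

    f_values[i] is the true query answer on world D_i; the curator released
    output = f(D_true) + Lap(sensitivity/eps).  Computed in the log domain
    so distant worlds underflow to 0 instead of breaking the normalisation.
    """
    b = sensitivity / eps
    n = len(f_values)
    pri = [1.0 / n] * n if prior is None else list(prior)
    logw = [math.log(p) - abs(output - mu) / b for p, mu in zip(pri, f_values)]
    m = max(logw)
    w = [math.exp(lw - m) for lw in logw]
    z = sum(w)
    return [x / z for x in w]


def sum_query_worlds(values: Sequence[float]) -> List[float]:
    """Candidate worlds for 'the database holds all but one of these people':
    world i omits person i, so a sum query answers total - values[i]."""
    total = sum(values)
    return [total - v for v in values]


def simulate_identification(eps: float, sensitivity: float,
                            f_values: Sequence[float], trials: int = 4000,
                            seed: int = 1) -> float:
    """Monte Carlo estimate of how often the adversary's MAP guess is right."""
    rng = random.Random(seed)
    b = sensitivity / eps
    n = len(f_values)
    hits = 0
    for _ in range(trials):
        true = rng.randrange(n)
        # Lap(0, b) is the difference of two independent Exp(1) draws scaled by b.
        noise = b * (rng.expovariate(1.0) - rng.expovariate(1.0))
        post = posterior(eps, sensitivity, f_values, f_values[true] + noise)
        if max(range(n), key=post.__getitem__) == true:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    eps, n = math.log(9), 10
    print(f"eps={eps:.3f}, n={n}: worst-case rho <= "
          f"{worst_case_identification(eps, n):.3f}")
    print(f"largest eps for rho=0.5, n=10: {epsilon_for_target(0.5, 10):.3f}")
    # Constructed attribute values in [0, 1] (sensitivity 1.0).  Same eps, same
    # query: person 0 differs from everyone else by the full sensitivity in the
    # first case and by only 0.5 in the second, so the same eps protects less.
    for vals in ([1.0, 0, 0, 0, 0], [0.5, 0, 0, 0, 0]):
        worlds = sum_query_worlds(vals)
        post = posterior(1.0, 1.0, worlds, output=worlds[0])  # noiseless release
        print(vals, "-> posterior on world 0 =", round(post[0], 3),
              "| bound =", round(worst_case_identification(1.0, 5), 3))
```

The two printed cases use the same ε, the same query and the same sensitivity, yet the posterior the adversary reaches differs; only the first case (a value at the edge of the domain) attains the e^ε/(e^ε + n − 1) bound. Choosing ε from the bound alone is therefore conservative for mid-domain values and exact only at the extremes, which is why the abstract calls ε a relative rather than absolute measure.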
