Differential Privacy for Government Agencies - Are We There Yet?

Government agencies always need to carefully consider the potential risks of disclosure whenever they publish statistics based on their data or give external researchers access to the collected data. For this reason, research on disclosure avoidance techniques has a long tradition at statistical agencies. In this context, the promise of formal privacy guarantees offered by concepts such as differential privacy seems to be the panacea that enables agencies to exactly quantify and control the privacy loss incurred by any data release. Still, despite the excitement in academia and industry, most agencies (with the prominent exception of the U.S. Census Bureau) have been reluctant to even consider the concept for their data release strategy. This paper aims to shed some light on potential reasons for this. We argue that the requirements when implementing differential privacy approaches at government
