Abstract

A mechanism for releasing information about a statistical database with sensitive data must resolve a trade-off between utility and privacy. Publishing fully accurate information maximizes utility while minimizing privacy, while publishing random noise accomplishes the opposite. Privacy can be rigorously quantified using the framework of differential privacy, which requires that a mechanism's output distribution is nearly the same whether or not a given database row is included. The goal of this paper is to formulate and provide strong and general utility guarantees, subject to differential privacy. We pursue mechanisms that guarantee near-optimal utility to every potential user, independent of its side information (modeled as a prior distribution over query results) and preferences (modeled via a symmetric and monotone loss function). Our main result is the following: for each fixed count query and differential privacy level, there is a geometric mechanism $M^*$---a discrete variant of the simple and well-studied mechanism that adds random noise from a Laplace distribution---that is simultaneously expected loss-minimizing for every possible user, subject to the differential privacy constraint. This is an extremely strong utility guarantee: every potential user $u$, no matter what its side information and preferences, derives as much utility from $M^*$ as from interacting with a differentially private mechanism $M_u$ that is optimally tailored to $u$. More precisely, for every user $u$ there is an optimal mechanism $M_u$ for it that factors into a user-independent part (the geometric mechanism $M^*$) and a user-specific postprocessing step that depends only on the output of the geometric mechanism and not on the underlying database.
The first part of our proof of this result characterizes the optimal differentially private mechanism for a user as a certain basic feasible solution to a linear program with a user-specific objective function and user-independent constraints that encode differential privacy. The second part shows that all of the relevant vertices of the feasible region (ranging over all possible users) are derivable from the geometric mechanism via suitable remappings of its range.
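As an added illustration (not code from the paper), the following Python sketch implements the $\alpha$-geometric mechanism for a single count query in its standard two-sided form, checks the differential-privacy ratio on neighbouring databases, and computes a user's expected loss with and without a range-remapping postprocessing step. The privacy parameter $\alpha = 0.5$, the uniform prior over counts $0..n$ and the absolute-error loss are constructed assumptions.

```python
import math
import random

# Added example (not from the paper): alpha-geometric mechanism for a count query,
# a privacy-ratio check on neighbouring databases, and user-specific postprocessing.

def geometric_pmf(alpha, delta):
    """Two-sided geometric noise: Pr[Delta = delta] = (1-alpha)/(1+alpha) * alpha**|delta|, 0 < alpha < 1."""
    return (1 - alpha) / (1 + alpha) * alpha ** abs(delta)

def output_pmf(alpha, true_count, z):
    """Pr[mechanism outputs z] when the true count is true_count (output = true_count + Delta)."""
    return geometric_pmf(alpha, z - true_count)

def worst_privacy_ratio(alpha, count, window=50):
    """Largest ratio of output probabilities between a database with `count` and a
    neighbour with count+1; alpha-differential privacy requires this to be at most 1/alpha."""
    worst = 0.0
    for z in range(count - window, count + window + 1):
        p, q = output_pmf(alpha, count, z), output_pmf(alpha, count + 1, z)
        worst = max(worst, p / q, q / p)
    return worst

def sample_geometric_mechanism(true_count, alpha, rng=random):
    """Draw one noisy answer: Delta = G1 - G2 with G1, G2 i.i.d. geometric (failures before
    the first success, success probability 1-alpha); their difference has the two-sided law above."""
    def geometric():
        return int(math.log(1.0 - rng.random()) / math.log(alpha))  # argument stays in (0, 1]
    return true_count + geometric() - geometric()

def clamp_to_range(n):
    """User-specific postprocessing: remap the mechanism's range onto the feasible counts 0..n.
    It reads only the released value, never the database, so it cannot weaken privacy."""
    return lambda z: min(max(z, 0), n)

def expected_loss(alpha, n, prior, loss, remap=lambda z: z, window=200):
    """Expected loss of 'geometric mechanism followed by remap' for a user whose prior over
    the true count 0..n is `prior` and whose loss depends only on |true - reported|.
    The sum over outputs is truncated at +-window; the omitted tail has mass about alpha**window."""
    total = 0.0
    for i, p_i in enumerate(prior):
        for z in range(i - window, i + window + 1):
            total += p_i * output_pmf(alpha, i, z) * loss(abs(i - remap(z)))
    return total

if __name__ == "__main__":
    alpha, n = 0.5, 10                   # constructed parameters
    prior = [1.0 / (n + 1)] * (n + 1)    # constructed uniform prior over counts 0..n
    print("worst ratio", worst_privacy_ratio(alpha, 7), "bound", 1 / alpha)
    print("raw loss", expected_loss(alpha, n, prior, lambda d: d))
    print("clamped loss", expected_loss(alpha, n, prior, lambda d: d, clamp_to_range(n)))
```

For the absolute-error loss the untruncated mechanism's expected loss is $2\alpha/(1-\alpha^2)$ regardless of the prior, and clamping can only lower it because it never moves a reported value further from any feasible true count.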

Keywords

  1. differential privacy
  2. utility maximization
  3. geometric

MSC codes

  1. 68Q99



Published In

SIAM Journal on Computing
Pages: 1673 - 1693
ISSN (online): 1095-7111

History

Submitted: 17 August 2009
Accepted: 1 June 2011
Published online: 18 December 2012
