“…The main approaches to this problem involve perturbing the data so as to maintain their statistical characteristics but prevent their compromise [13,11,16], to perturb the responses for the same purpose, [2,8], to restrict the size or overlap of the statistical queries [10,9], or, finally (and closer to our concerns here), to audit the statistical queries in order to determine when enough information has been given out so that compromise becomes possible [3,4,5,12].…”