No free lunch in data privacy

Kifer, Daniel; Machanavajjhala, Ashwin

doi:10.1145/1989323.1989345

Cited by 489 publications

(406 citation statements)

References 32 publications

(56 reference statements)

Supporting

Mentioning

390

Contrasting

Unclassified

Order By: Relevance

“…The definition of semantic privacy given in this paper provides guarantees on how a Bayesian adversary's posterior distribution compares to its prior, under assumptions on the form of the adversary's prior. Such assumptions are known to be necessary (Dwork, 2006;Dwork and Naor, 2010;Kifer and Machanavajjhala, 2011). In contrast, one may also formulate definitions by comparing the adversary's posterior distributions in different settings (say, assuming that someone's data was or was not used in the computation) ; Bassily et al (2013).…”

Section: Interpreting Differential Privacymentioning

confidence: 99%

Calibrating Noise to Sensitivity in Private Data Analysis

Dwork

McSherry

Nissim

et al. 2017

JPC

570

962

View full text Add to dashboard Cite

We continue a line of research initiated in Dinur and Nissim (2003); Dwork and Nissim (2004); Blum et al. (2005) on privacy-preserving statistical databases.Consider a trusted server that holds a database of sensitive information. Given a query function f mapping databases to reals, the so-called true answer is the result of applying f to the database. To protect privacy, the true answer is perturbed by the addition of random noise generated according to a carefully chosen distribution, and this response, the true answer plus noise, is returned to the user.Previous work focused on the case of noisy sums, in which f = i g(x i ), where x i denotes the ith row of the database and g maps database rows to [0, 1]. We extend the study to general functions f , proving that privacy can be preserved by calibrating the standard deviation of the noise according to the sensitivity of the function f . Roughly speaking, this is the amount that any single argument to f can change its output. The new analysis shows that for several particular applications substantially less noise is needed than was previously understood to be the case.The first step is a very clean definition of privacy-now known as differential privacyand measure of its loss. We also provide a set of tools for designing and combining differentially private algorithms, permitting the construction of complex differentially private analytical tools from simple differentially private primitives.Finally, we obtain separation results showing the increased value of interactive statistical release mechanisms over non-interactive ones.

show abstract

Section: Interpreting Differential Privacymentioning

confidence: 99%

Calibrating Noise to Sensitivity in Private Data Analysis

Dwork

McSherry

Nissim

et al. 2017

JPC

570

962

View full text Add to dashboard Cite

show abstract

“…It is well known that data privacy against arbitrary priors cannot be guaranteed if some reasonable level of utility is to be achieved. This fact, known as the no-free-lunch-theorem, was first introduced by Kifer and Machanavajjhala [11], and reformulated by Li et al [14] as part of their framework. We now give the formal definition of γ-positive membership-privacy under a family of prior distributions D, which we denote as (γ, D)-PMP.…”

Section: Positive Membership-privacymentioning

confidence: 99%

Differential Privacy with Bounded Priors

Tramèr

Huang

Hubaux

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Differential privacy (DP) has become widely accepted as a rigorous definition of data privacy, with stronger privacy guarantees than traditional statistical methods. However, recent studies have shown that for reasonable privacy budgets, differential privacy significantly affects the expected utility. Many alternative privacy notions which aim at relaxing DP have since been proposed, with the hope of providing a better tradeoff between privacy and utility.At CCS'13, Li et al. introduced the membership privacy framework, wherein they aim at protecting against set membership disclosure by adversaries whose prior knowledge is captured by a family of probability distributions. In the context of this framework, we investigate a relaxation of DP, by considering prior distributions that capture more reasonable amounts of background knowledge. We show that for different privacy budgets, DP can be used to achieve membership privacy for various adversarial settings, thus leading to an interesting tradeoff between privacy guarantees and utility.We re-evaluate methods for releasing differentially private χ 2 -statistics in genome-wide association studies and show that we can achieve a higher utility than in previous works, while still guaranteeing membership privacy in a relevant adversarial setting.

show abstract

“…Kifer and Machanavajjhala [61] critically analysed the privacy protections under differential privacy via nonprivacy games. They addressed several popular misconceptions about differential privacy, including: that it makes no assumptions about how data are generated; that it protects an individual's information even if an attacker knows about all other individuals in the data; and that it is robust to arbitrary background knowledge.…”

Section: No Free Lunch In Data Privacymentioning

confidence: 99%

Differential Privacy in Practice

Nguyen

Kim

2013

Journal of Computing Science and Engineering

View full text Add to dashboard Cite

We briefly review the problem of statistical disclosure control under differential privacy model, which entails a formal and ad omnia privacy guarantee separating the utility of the database and the risk due to individual participation. It has born fruitful results over the past ten years, both in theoretical connections to other fields and in practical applications to real-life datasets. Promises of differential privacy help to relieve concerns of privacy loss, which hinder the release of community-valuable data. This paper covers main ideas behind differential privacy, its interactive versus non-interactive settings, perturbation mechanisms, and typical applications found in recent research. Category: Smart and intelligent computing

show abstract

No free lunch in data privacy

Cited by 489 publications

References 32 publications

Calibrating Noise to Sensitivity in Private Data Analysis

Calibrating Noise to Sensitivity in Private Data Analysis

Differential Privacy with Bounded Priors

Differential Privacy in Practice

Contact Info

Product

Resources

About