Differential privacy is becoming a gold-standard notion of privacy: it offers a guaranteed bound on the loss of privacy due to the release of query results, even under worst-case assumptions. The theory of differential privacy is an active research area, and there are now differentially private algorithms for a wide range of problems.
However, the question of when differential privacy works in practice has received relatively little attention. In particular, there is still no rigorous method for choosing the key parameter ε, which controls the crucial trade-off between the strength of the privacy guarantee and the accuracy of the published results.
In this paper, we examine the role of this parameter in concrete applications, identifying the key considerations that must be addressed when choosing specific values. This choice requires balancing the interests of two parties with conflicting objectives: the data analyst, who wishes to learn something about the data, and the prospective participant, who must decide whether to allow their data to be included in the analysis. We propose a simple model that expresses this balance as formulas over a handful of parameters, and we use our model to choose ε for a series of simple statistical studies. We also explore a surprising insight: in some circumstances, a differentially private study can be more accurate than a non-private study for the same cost, under our model. Finally, we discuss the simplifying assumptions in our model and outline a research agenda for possible refinements.
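To make the trade-off controlled by ε concrete, the sketch below shows the standard Laplace mechanism applied to a counting query (sensitivity 1). It is an illustrative example of the general technique, not the model or algorithms proposed in the paper: smaller ε means more noise and a stronger privacy guarantee; larger ε means less noise and more accurate results. The function name and data are hypothetical.

```python
import numpy as np

def private_count(data, predicate, epsilon):
    """Release an epsilon-differentially private count.

    A counting query changes by at most 1 when one individual's record
    is added or removed (sensitivity 1), so adding Laplace noise with
    scale 1/epsilon satisfies epsilon-differential privacy.
    """
    true_count = sum(1 for row in data if predicate(row))
    noise = np.random.laplace(loc=0.0, scale=1.0 / epsilon)
    return true_count + noise

# Hypothetical data: ages of five participants.
ages = [23, 35, 41, 58, 62]
over_40 = lambda age: age > 40

# Small epsilon (strong privacy): the released count is very noisy.
noisy = private_count(ages, over_40, epsilon=0.1)

# Large epsilon (weak privacy): the released count is close to the
# true value of 3, since the noise scale 1/epsilon is tiny.
accurate = private_count(ages, over_40, epsilon=100.0)
```

The choice of ε thus directly sets the noise scale, which is exactly the quantity the paper's model weighs against the participant's privacy cost.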
|Title of host publication||Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014|
|Publisher||IEEE Computer Society|
|Number of pages||13|
|Publication status||Published - 2014|
|Event||27th IEEE Computer Security Foundations Symposium - Vienna, Austria|
Duration: 19 Jul 2014 → 22 Jul 2014
- Differential privacy