Differential privacy: an economic method for choosing epsilon

Justin Hsu; Marco Gaboardi; Andreas Haeberlen; Sanjeev Khanna; Arjun Narayan; Benjamin C. Pierce; Aaron Roth

doi:10.1109/CSF.2014.35

Differential privacy: an economic method for choosing epsilon

Justin Hsu, Marco Gaboardi, Andreas Haeberlen, Sanjeev Khanna, Arjun Narayan, Benjamin C. Pierce, Aaron Roth

Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

187 Citations (Scopus)

Abstract

Differential privacy is becoming a gold standard notion of privacy, it offers a guaranteed bound on loss of privacy due to release of query results, even under worst-case assumptions. The theory of differential privacy is an active research area, and there are now differentially private algorithms for a wide range of problems.

However, the question of when differential privacy works in practice has received relatively little attention. In particular, there is still no rigorous method for choosing the key parameter ε;, which controls the crucial trade off between the strength of the privacy guarantee and the accuracy of the published results.

In this paper, we examine the role of these parameters in concrete applications, identifying the key considerations that must be addressed when choosing specific values. This choice requires balancing the interests of two parties with conflicting objectives: the data analyst, who wishes to learn something about the data, and the prospective participant, who must decide whether to allow their data to be included in the analysis. We propose a simple model that expresses this balance as formulas over a handful of parameters, and we use our model to choose ε; on a series of simple statistical studies. We also explore a surprising insight: in some circumstances, a differentially private study can be more accurate than a non-private study for the same cost, under our model. Finally, we discuss the simplifying assumptions in our model and outline a research agenda for possible refinements.

Original language	English
Title of host publication	Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014
Publisher	IEEE Computer Society
Pages	398-410
Number of pages	13
ISBN (Print)	9781479942909
DOIs	https://doi.org/10.1109/CSF.2014.35
Publication status	Published - 2014
Event	27th IEEE Computer Security Foundations Symposium - Vienna, Austria Duration: 19 Jul 2014 → 22 Jul 2014 http://csf2014.di.univr.it/

Conference

Conference	27th IEEE Computer Security Foundations Symposium
Abbreviated title	CSF 2014
Country/Territory	Austria
City	Vienna
Period	19/07/14 → 22/07/14
Internet address	http://csf2014.di.univr.it/

Keywords

Differential privacy

ASJC Scopus subject areas

Software

Access to Document

10.1109/CSF.2014.35

Cite this

@inproceedings{bc6cc4f5c23049809e5c1e048bba814f,

title = "Differential privacy: an economic method for choosing epsilon",

abstract = "Differential privacy is becoming a gold standard notion of privacy, it offers a guaranteed bound on loss of privacy due to release of query results, even under worst-case assumptions. The theory of differential privacy is an active research area, and there are now differentially private algorithms for a wide range of problems. However, the question of when differential privacy works in practice has received relatively little attention. In particular, there is still no rigorous method for choosing the key parameter ε;, which controls the crucial trade off between the strength of the privacy guarantee and the accuracy of the published results. In this paper, we examine the role of these parameters in concrete applications, identifying the key considerations that must be addressed when choosing specific values. This choice requires balancing the interests of two parties with conflicting objectives: the data analyst, who wishes to learn something about the data, and the prospective participant, who must decide whether to allow their data to be included in the analysis. We propose a simple model that expresses this balance as formulas over a handful of parameters, and we use our model to choose ε; on a series of simple statistical studies. We also explore a surprising insight: in some circumstances, a differentially private study can be more accurate than a non-private study for the same cost, under our model. Finally, we discuss the simplifying assumptions in our model and outline a research agenda for possible refinements.",

keywords = "Differential privacy",

author = "Justin Hsu and Marco Gaboardi and Andreas Haeberlen and Sanjeev Khanna and Arjun Narayan and Pierce, {Benjamin C.} and Aaron Roth",

year = "2014",

doi = "10.1109/CSF.2014.35",

language = "English",

isbn = "9781479942909",

pages = "398--410",

booktitle = "Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014",

publisher = "IEEE Computer Society",

note = "27th IEEE Computer Security Foundations Symposium, CSF 2014 ; Conference date: 19-07-2014 Through 22-07-2014",

url = "http://csf2014.di.univr.it/",

}

Hsu, J, Gaboardi, M, Haeberlen, A, Khanna, S, Narayan, A, Pierce, BC & Roth, A 2014, Differential privacy: an economic method for choosing epsilon. in Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014 . IEEE Computer Society, pp. 398-410, 27th IEEE Computer Security Foundations Symposium, Vienna, Austria, 19/07/14. https://doi.org/10.1109/CSF.2014.35

TY - GEN

T1 - Differential privacy

T2 - 27th IEEE Computer Security Foundations Symposium

AU - Hsu, Justin

AU - Gaboardi, Marco

AU - Haeberlen, Andreas

AU - Khanna, Sanjeev

AU - Narayan, Arjun

AU - Pierce, Benjamin C.

AU - Roth, Aaron

PY - 2014

Y1 - 2014

N2 - Differential privacy is becoming a gold standard notion of privacy, it offers a guaranteed bound on loss of privacy due to release of query results, even under worst-case assumptions. The theory of differential privacy is an active research area, and there are now differentially private algorithms for a wide range of problems. However, the question of when differential privacy works in practice has received relatively little attention. In particular, there is still no rigorous method for choosing the key parameter ε;, which controls the crucial trade off between the strength of the privacy guarantee and the accuracy of the published results. In this paper, we examine the role of these parameters in concrete applications, identifying the key considerations that must be addressed when choosing specific values. This choice requires balancing the interests of two parties with conflicting objectives: the data analyst, who wishes to learn something about the data, and the prospective participant, who must decide whether to allow their data to be included in the analysis. We propose a simple model that expresses this balance as formulas over a handful of parameters, and we use our model to choose ε; on a series of simple statistical studies. We also explore a surprising insight: in some circumstances, a differentially private study can be more accurate than a non-private study for the same cost, under our model. Finally, we discuss the simplifying assumptions in our model and outline a research agenda for possible refinements.

AB - Differential privacy is becoming a gold standard notion of privacy, it offers a guaranteed bound on loss of privacy due to release of query results, even under worst-case assumptions. The theory of differential privacy is an active research area, and there are now differentially private algorithms for a wide range of problems. However, the question of when differential privacy works in practice has received relatively little attention. In particular, there is still no rigorous method for choosing the key parameter ε;, which controls the crucial trade off between the strength of the privacy guarantee and the accuracy of the published results. In this paper, we examine the role of these parameters in concrete applications, identifying the key considerations that must be addressed when choosing specific values. This choice requires balancing the interests of two parties with conflicting objectives: the data analyst, who wishes to learn something about the data, and the prospective participant, who must decide whether to allow their data to be included in the analysis. We propose a simple model that expresses this balance as formulas over a handful of parameters, and we use our model to choose ε; on a series of simple statistical studies. We also explore a surprising insight: in some circumstances, a differentially private study can be more accurate than a non-private study for the same cost, under our model. Finally, we discuss the simplifying assumptions in our model and outline a research agenda for possible refinements.

KW - Differential privacy

UR - http://www.scopus.com/inward/record.url?scp=84939603941&partnerID=8YFLogxK

U2 - 10.1109/CSF.2014.35

DO - 10.1109/CSF.2014.35

M3 - Conference contribution

AN - SCOPUS:84939603941

SN - 9781479942909

SP - 398

EP - 410

BT - Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014

PB - IEEE Computer Society

Y2 - 19 July 2014 through 22 July 2014

ER -

Differential privacy: an economic method for choosing epsilon

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this