Shuchi Chawla, Cynthia Dwork, Frank McSherry, Adam Smith, Larry Stockmeyer, Hoeteck Wee From Idiosyncratic to Stereotypical: Toward Privacy in Public Databases
Shuchi Chawla 2 Database Privacy Census data – a prototypical example Individuals provide information Census bureau publishes sanitized records Privacy is legally mandated; what utility can we achieve? Our Goal: What do we mean by preservation of privacy? Characterize the trade-off between privacy and utility – disguise individual identifying information – preserve macroscopic properties Develop a “good” sanitizing procedure with theoretical guarantees
Shuchi Chawla 3 An outline of this talk A mathematical formalism What do we mean by privacy? Prior work An abstract model of datasets Isolation; Good sanitizations A candidate sanitization A brief overview of results General argument for privacy of n-point datasets Open issues and concluding remarks
Shuchi Chawla 4 Privacy… a philosophical view-point [Ruth Gavison] … includes protection from being brought to the attention of others … Matches intuition; inherently desirable Attention invites further loss of privacy Privacy is assured to the extent that one blends in with the crowd Appealing definition; can be converted into a precise mathematical statement!
Shuchi Chawla 5 Database Privacy Statistical approaches Alter the frequency ( PRAN/DS/PERT ) of particular features, while preserving means. Additionally, erase values that reveal too much Query-based approaches involve a permanent trusted third party Query monitoring: dissallow queries that breach privacy Perturbation: Add noise to the query output [Dinur Nissim’03, Dwork Nissim’04] Statistical perturbation + adversarial analysis [Evfimievsky et al ’03] combine statistical techniques with analysis similar to query-based approaches
Shuchi Chawla 6 Everybody’s First Suggestion Learn the distribution, then output: A description of the distribution, or, Samples from the learned distribution Want to reflect facts on the ground Statistically insignificant facts can be important for allocating resources
Shuchi Chawla 7 A geometric view Abstraction : Points in a high dimensional metric space – say R d ; drawn i.i.d. from some distribution Points are unlabeled; you are your collection of attributes Distance is everything Real Database (RDB) – private n unlabeled points in d-dimensional space. Sanitized Database (SDB) – public n’ new points possibly in a different space.
Shuchi Chawla 8 The adversary or Isolator Using SDB and auxiliary information (AUX), outputs a point q q “isolates” a real point x, if it is much closer to x than to x’s neighbors, T-radius of x – distance to its T-nearest neighbor x is “safe” if x > (T-radius of x)/(c-1) B(q, c x ) contains x’s entire T-neighborhood (c-1) c – privacy parameter; eg. 4 q x cc large T and small c is good i.e., if B(q,c ) contains less than T RDB points
Shuchi Chawla 9 A good sanitization Sanitizing algorithm compromises privacy if the adversary is able to considerably increase his probability of isolating a point by looking at its output A rigorous (and too ideal) definition D I I ’ w.o.p RDB 2 R D n aux z x 2 RDB : | Pr[ I (SDB,z) isolates x] – Pr[ I ’ (z) isolates x] | · /n Definition of can be forgiving, say, 2 - (d) or (1 in a 1000) Quantification over x : If aux reveals info about some x, the privacy of some other y should still be preserved Provides a framework for describing the power of a sanitization method, and hence for comparisons
Shuchi Chawla 10 The Sanitizer The privacy of x is linked to its T-radius Randomly perturb it in proportion to its T-radius x’ = San(x) R S(x,T-rad(x)) Intuition: We are blending x in with its crowd If the number of dimensions (d) is large, there are “many” pre-images for x’. The adversary cannot conclusively pick any one. We are adding random noise with mean zero to x, so several macroscopic properties should be preserved.
Shuchi Chawla 11 Results on privacy.. An overview DistributionNum. of points Revealed to adversaryAuxiliary information Uniform on surface of sphere 2Both sanitized pointsDistribution, 1-radius Uniform over a bounding box or surface of sphere nOne sanitized point, all other real points Distribution, all real points Gaussian2 o(d) n sanitized pointsDistribution Gaussian2 (d) Work under progress
Shuchi Chawla 12 Results on utility… An overview Distributional/ Worst-case ObjectiveAssumptionsResult Worst-caseFind K clusters minimizing largest diameter - Optimal diameter as well as approximations increase by at most a factor of 3 DistributionalFind k maximum likelihood clusters Mixture of k Gaussians Correct clustering with high probability as long as means are pairwise sufficiently far
Shuchi Chawla 13 A special case - one sanitized point RDB = {x 1,…,x n } The adversary is given n-1 real points x 2,…,x n and one sanitized point x’ 1 ; T = 1; c=4; “flat” prior Recall: x’ 1 2 R S(x 1,|x 1 -y|) where y is the nearest neighbor of x 1 Main idea: Consider the posterior distribution on x 1 Show that the adversary cannot isolate a large probability mass under this distribution
Shuchi Chawla 14 Let Z = { p R d | p is a legal pre-image for x’ 1 } Q = { p | if x 1 =p then x 1 is isolated by q } We show that Pr[ Q ∩ Z | x’ 1 ] ≤ 2 - (d) Pr[ Z | x’ 1 ] Pr[x 1 in Q ∩ Z | x’ 1 ] = prob mass contribution from Q ∩ Z / contribution from Z = 2 1-d /(1/4) A special case - one sanitized point Q q x’ 1 x2x2 x3x3 x4x4 x5x5 Z Q∩ZQ∩Z x6x6 |p-q| · 1/3 |p-x’ 1 |
Shuchi Chawla 15 Contribution from Z Pr[x 1 =p | x’ 1 ] Pr[x’ 1 | x 1 =p] 1/r d (r = |x’ 1 -p|) Increase in r x’ 1 gets randomized over a larger area – proportional to r d. Hence the inverse dependence. Pr[x’ 1 | x 1 2 S] s S 1/r d solid angle subtended at x’ 1 Z subtends a solid angle equal to at least half a sphere at x’ 1 x’ 1 x2x2 x3x3 x4x4 x5x5 Z x6x6 S r p
Shuchi Chawla 16 Contribution from Q Å Z The ellipsoid is roughly as far from x’ 1 as its longest radius Contribution from ellipsoid is 2 -d x total solid angle Therefore, Pr[ x 1 2 Q Å Z ] / Pr[ x 1 2 Z ] 2 -d Q q x’ 1 x2x2 x3x3 x4x4 x5x5 Z Q∩ZQ∩Z x6x6 rr
Shuchi Chawla 17 The general case… n sanitized points Initial intuition is wrong: Privacy of x 1 given x 1 ’ and all the other points in the clear does not imply privacy of x 1 given x 1 ’ and sanitizations of others! Sanitization is non-oblivious – Other sanitized points reveal information about x, if x is their nearest neighbor Where we are now Consider some example of safe sanitization (not necessarily using perturbations) Density regions? Histograms? Relate perturbations to the safe sanitization Uniform distribution; histogram over fixed-size cells exponentially low probability of isolation
Shuchi Chawla 18 Future directions Extend the privacy argument to other “nice” distributions For what distributions is there no meaningful privacy— utility trade-off? Characterize acceptable auxiliary information Think of auxiliary information as an a priori distribution The low-dimensional case – Is it inherently impossible? Discrete-valued attributes Our proofs require a “spread” in all attributes Extend the utility argument to other interesting macroscopic properties – e.g. correlations
Shuchi Chawla 19 Conclusions A first step towards understanding the privacy- utility trade-off A general and rigorous definition of privacy A work in progress!
Shuchi Chawla 20 Questions?