Presentation is loading. Please wait.

Presentation is loading. Please wait.

No Free Lunch in Data Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 15: 590.03 Fall 12.

Published byPhebe Cobb Modified over 9 years ago

Similar presentations

Presentation on theme: "No Free Lunch in Data Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 15: 590.03 Fall 12."— Presentation transcript:

1 No Free Lunch in Data Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 15: 590.03 Fall 12

2 Outline Background: Domain-independent privacy definitions No Free Lunch in Data Privacy [Kifer-M SIGMOD ‘11] Correlations: A case for domain specific privacy definitions [Kifer-M SIGMOD ‘11] Pufferfish Privacy Framework [Kifer-M PODS’12] Defining Privacy for Correlated Data [Kifer-M PODS’12 & Ding-M ‘13] – Next class Lecture 15: 590.03 Fall 122

3 Data Privacy Problem 3 Individual 1 r1r1 Individual 2 r2r2 Individual 3 r3r3 Individual N rNrN Server DBDB Utility: Privacy: No breach about any individual Utility: Privacy: No breach about any individual Lecture 15: 590.03 Fall 12

4 Data Privacy in the real world iDASH Privacy Workshop 9/29/20124 ApplicationData CollectorThird Party (adversary) Private Information Function (utility) MedicalHospitalEpidemiologistDiseaseCorrelation between disease and geography Genome analysis HospitalStatistician/ Researcher GenomeCorrelation between genome and disease AdvertisingGoogle/FB/Y!AdvertiserClicks/Brows ing Number of clicks on an ad by age/region/gender … Social Recommen- dations FacebookAnother userFriend links / profile Recommend other users or ads to users based on social network

5 Semantic Privacy... nothing about an individual should be learnable from the database that cannot be learned without access to the database. T. Dalenius, 1977 5Lecture 15: 590.03 Fall 12

6 Can we achieve semantic privacy? … or is there one (“precious…”) privacy definition to rule them all? Lecture 15: 590.03 Fall 126

7 Defining Privacy In order to allow utility, a non-negligible amount of information about an individual must be disclosed to the adversary. Measuring information disclosed to an adversary involves carefully modeling the background knowledge already available to the adversary. … but we do not know what information is available to the adversary. 7 Lecture 15: 590.03 Fall 12

8 T-closeness Li et. al ICDE ‘07 K-Anonymity Sweeney et al. IJUFKS ‘02 Many definitions Linkage attack Background knowledge attack Minimality /Reconstruction attack de Finetti attack Composition attack Lecture 15: 590.03 Fall 12 8 L-diversity Machanavajjhala et. al TKDD ‘07 E-Privacy Machanavajjhala et. al VLDB ‘09 & several attacks Differential Privacy Dwork et. al ICALP ‘06

9 Differential Privacy [Dwork ICALP 06] For every output … OD2D2 D1D1 Adversary should not be able to distinguish between any D 1 and D 2 based on any O Pr[A(D 1 ) = O] Pr[A(D 2 ) = O]. Adversary should not be able to distinguish between any D 1 and D 2 based on any O Pr[A(D 1 ) = O] Pr[A(D 2 ) = O]. For every pair of inputs that differ in one row 0) log 9Lecture 15: 590.03 Fall 12

10 Composability [Dwork et al, TCC 06] Lecture 15: 590.03 Fall 1210 Theorem (Composability): If algorithms A 1, A 2, …, A k use independent randomness and each A i satisfies ε i -differential privacy, resp. Then, outputting all the answers together satisfies differential privacy with ε = ε 1 + ε 2 + … + ε k

11 Differential Privacy Domain independent privacy definition that is independent of the attacker. Tolerates many attacks that other definitions are susceptible to. – Avoids composition attacks – Claimed to be tolerant against adversaries with arbitrary background knowledge. Allows simple, efficient and useful privacy mechanisms – Used in a live US Census Product [M et al ICDE ‘08] Lecture 15: 590.03 Fall 1211

12 Outline Background: Domain independent privacy definitions. No Free Lunch in Data Privacy [Kifer-M SIGMOD ‘11] Correlations: A case for domain specific privacy definitions [Kifer-M SIGMOD ‘11] Pufferfish Privacy Framework [Kifer-M PODS’12] Defining Privacy for Correlated Data [Kifer-M PODS’12 & Ding-M ‘13] – Current research Lecture 15: 590.03 Fall 1212

13 No Free Lunch Theorem It is not possible to guarantee any utility in addition to privacy, without making assumptions about the data generating distribution the background knowledge available to an adversary 13 [Kifer-Machanavajjhala SIGMOD ‘11] Lecture 15: 590.03 Fall 12 [Dwork-Naor JPC ‘10]

14 Discriminant: Sliver of Utility Does an algorithm A provide any utility? w(k, A) > c if there are k inputs {D 1, …, D k } such that A(D i ) give different outputs with probability > c. Example: If A can distinguish between tables of size 1000000000, then w(2,A) = 1. 14

15 Discriminant: Sliver of Utility Theorem: The discriminant of Laplace mechanism is 1. Proof: Let Di = a database with n records and n∙i/k cancer patients Let Si = the range [n∙i/k – n/3k, n∙i/k + n/3k]. All Si are disjoint Let M be the laplace mechanism on the query “how many cancer patients are there”. Pr(M(Di) ε Si) = Pr(Noise 1 – e -n/3kε = 1 – δ Hence, discriminant w(k,M) > 1- δ As n tends to infinity, discriminant tends to 1. 15

16 Discriminant: Sliver of Utility Does an algorithm A provide any utility? w(k, A) > c if there are k inputs {D 1, …, D k } such that A(D i ) give different outputs with probability > c. If w(k, A) is close to 1 - we may get some utility after using A. If w(k, A) is close to 0 - we cannot distinguish any k inputs – no utility. 16

17 Non-privacy D is randomly drawn from P data. q is a sensitive query with k answers, s.t., knows P data but cannot guess value of q A is not private if: can guess q correctly based on P data and A 17

18 No Free Lunch Theorem Let A be a privacy mechanism with w(k,A) > 1- ε Let q be a sensitive query with k possible outcomes. There exists a data generating distribution P data, s.t. – q(D) is uniformly distributed, but – wins with probability greater than 1-ε 18

19 Outline Background: Domain independent privacy definitions No Free Lunch in Data Privacy [Kifer-M SIGMOD ‘11] Correlations: A case for domain specific privacy definitions [Kifer-M SIGMOD ‘11] Pufferfish Privacy Framework [Kifer-M PODS’12] Defining Privacy for Correlated Data [Kifer-M PODS’12 & Ding-M ‘13] – Current research Lecture 15: 590.03 Fall 1219

20 Correlations & Differential Privacy When an adversary knows that individuals in a table are correlated, then (s)he can learn sensitive information about individuals even from the output of a differentially private mechanism. Example 1: Contingency tables with pre-released exact counts Example 2: Social Networks Lecture 15: 590.03 Fall 1220

21 Contingency tables 21 22 28 D Count(, ) Each tuple takes k=4 different values Lecture 15: 590.03 Fall 12

22 Contingency tables 22 ?? ?? D Count(, ) Want to release counts privately Lecture 15: 590.03 Fall 12

23 Laplace Mechanism 23 2 + Lap(1/ε) 8 + Lap(1/ε) D Mean : 8 Variance : 2/ε 2 Guarantees differential privacy. Lecture 15: 590.03 Fall 12

24 Marginal counts 24 2 + Lap(1/ε) 4 8 + Lap(1/ε)10 4 D Does Laplace mechanism still guarantee privacy? Auxiliary marginals published for following reasons: 1.Legal: 2002 Supreme Court case Utah v. Evans 2.Contractual: Advertisers must know exact demographics at coarse granularities 4 10 4 Lecture 15: 590.03 Fall 12

25 Marginal counts 25 2 + Lap(1/ε) 4 8 + Lap(1/ε)10 4 D 2 + Lap(1/ε) Count (, ) = 8 + Lap(1/ε) Count (, ) = 8 - Lap(1/ε) Count (, ) = 8 + Lap(1/ε) Lecture 15: 590.03 Fall 12

26 Mean : 8 Variance : 2/ke 2 Marginal counts 26 2 + Lap(1/ε) 4 8 + Lap(1/ε)10 4 D 2 + Lap(1/ε) can reconstruct the table with high precision for large k Lecture 15: 590.03 Fall 12

27 Reason for Privacy Breach 27 Pairs of tables that differ in one tuple cannot distinguish them Tables that do not satisfy background knowledge Space of all possible tables Lecture 15: 590.03 Fall 12

28 Reason for Privacy Breach 28 can distinguish between every pair of these tables based on the output Space of all possible tables Lecture 15: 590.03 Fall 12

29 Correlations & Differential Privacy When an adversary knows that individuals in a table are correlated, then (s)he can learn sensitive information about individuals even from the output of a differentially private mechanism. Example 1: Contingency tables with pre-released exact counts Example 2: Social Networks Lecture 15: 590.03 Fall 1229

30 A count query in a social network Want to release the number of edges between blue and green communities. Should not disclose the presence/absence of Bob-Alice edge. 30 Bob Alice

31 Adversary knows how social networks evolve 31 Depending on the social network evolution model, (d 2 -d 1 ) is linear or even super-linear in the size of the network.

32 Differential privacy fails to avoid breach 32 Output (d 1 + δ) Output (d 2 + δ) δ ~ Laplace(1/ε) Adversary can distinguish between the two worlds if d 2 – d 1 is large.

33 Outline Background: Domain independent privacy definitions No Free Lunch in Data Privacy [Kifer-M SIGMOD ‘11] Correlations: A case for domain-specific privacy definitions [Kifer-M SIGMOD ‘11] Pufferfish Privacy Framework [Kifer-M PODS’12] Defining Privacy for Correlated Data [Kifer-M PODS’12 & Ding-M ‘13] – Current research Lecture 15: 590.03 Fall 1233

34 Why we need domain specific privacy? For handling correlations – Prereleased marginals & Social networks [Kifer-M SIGMOD ‘11] Utility driven applications – For some applications existing privacy definitions do not provide sufficient utility [M et al PVLDB ‘11] Personalized privacy & aggregate secrets [Kifer-M PODS ‘12] Qn: How to design principled privacy definitions customized to such scenarios? Lecture 15: 590.03 Fall 1234

35 Pufferfish Framework Lecture 15: 590.03 Fall 1235

36 Pufferfish Semantics What is being kept secret? Who are the adversaries? How is information disclosure bounded? Lecture 15: 590.03 Fall 1236

37 Sensitive Information Secrets: S be a set of potentially sensitive statements – “individual j’s record is in the data, and j has Cancer” – “individual j’s record is not in the data” Discriminative Pairs: Spairs is a subset of SxS. Mutually exclusive pairs of secrets. – (“Bob is in the table”, “Bob is not in the table”) – (“Bob has cancer”, “Bob has diabetes”) Lecture 15: 590.03 Fall 1237

38 Adversaries An adversary can be completely characterized by his/her prior information about the data – We do not assume computational limits Data Evolution Scenarios: set of all probability distributions that could have generated the data. – No assumptions: All probability distributions over data instances are possible. – I.I.D.: Set of all f such that: P(data = {r 1, r 2, …, r k }) = f(r 1 ) x f(r 2 ) x…x f(r k ) Lecture 15: 590.03 Fall 1238

39 Information Disclosure Mechanism M satisfies ε-Pufferfish(S, Spairs, D), if for every – w ε Range(M), – (s i, s j ) ε Spairs – Θ ε D, such that P(s i | θ) ≠ 0, P(s j | θ) ≠ 0 P(M(data) = w | s i, θ) ≤ e ε P(M(data) = w | s j, θ) Lecture 15: 590.03 Fall 1239

40 Pufferfish Semantic Guarantee Lecture 15: 590.03 Fall 1240 Prior odds of s i vs s j Posterior odds of s i vs s j

41 Assumptionless Privacy Suppose we want to make protect against any adversary – No assumptions about adversary’s background knowledge Spairs: – “record j is in the table with value x” vs “record j is not in the table” Data Evolution: All probability distributions over data instances are possible. A mechanism satisfies ε-Assumptionless Privacy if and only if for every pair of database D1, D2, and every output w P(M(D1) = w) ≤ e ε P(M(D2) = w) Lecture 15: 590.03 Fall 1241

42 Assumptionless Privacy A mechanism satisfies ε-Assumptionless Privacy if and only if for every pair of database D1, D2, and every output w P(M(D1) = w) ≤ e ε P(M(D2) = w) Suppose we want to compute the number of individuals having cancer. – D1: all individuals have cancer – D2: no individual has cancer – For assumptionless privacy, the output w should not be too different if the input was D1 or D2 – Therefore, need O(N) noise (where N = size of the input database). – Hence, not much utility. Lecture 15: 590.03 Fall 1242

43 Applying Pufferfish to Differential Privacy Spairs: – “record j is in the table” vs “record j is not in the table” – “record j is in the table with value x” vs “record j is not in the table” Data evolution: – Probability record j is in the table: π j – Probability distribution over values of record j: f j – For all θ = [f 1, f 2, f 3, …, f k, π 1, π 2, …, π k ] – P[Data = D | θ] = Π rj not in D (1-π j ) x Π rj in D π j x f j (r j ) Lecture 15: 590.03 Fall 1243

44 Applying Pufferfish to Differential Privacy Spairs: – “record j is in the table” vs “record j is not in the table” – “record j is in the table with value x” vs “record j is not in the table” Data evolution: – For all θ = [f 1, f 2, f 3, …, f k, π 1, π 2, …, π k ] – P[Data = D | θ] = Π rj not in D (1-π j ) x Π rj in D π j x f j (r j ) A mechanism M satisfies differential privacy if and only if it satisfies Pufferfish instantiated using Spairs and {θ} (as defined above) Lecture 15: 590.03 Fall 1244

45 Differential Privacy Sensitive information: All pairs of secrets “individual j is in the table with value x” vs “individual j is not in the table” Adversary: Adversaries who believe the data is generated using any probability distribution that is independent across individuals Disclosure: ratio of the prior and posterior odds of the adversary is bounded by e ε Lecture 15: 590.03 Fall 1245

46 Characterizing “good” privacy definition We can derive conditions under which a privacy definition resists attacks. For instance, any privacy definition that can be phrased as follows composes with itself. where I is the set of all tables. Lecture 15: 590.03 Fall 1246

47 Summary of Pufferfish A semantic approach to defining privacy – Enumerates the information that is secret and the set of adversaries. – Bounds the odds ratio of pairs of mutually exclusive secrets Helps understand assumptions under which privacy is guaranteed Provides a common framework to develop theory of privacy definitions – General sufficient conditions for composition of privacy (see paper) Lecture 15: 590.03 Fall 1247

48 Next Class Application of Pufferfish to Correlated Data Relaxations of differential privacy – E-Privacy – Crowd-blending privacy Lecture 15: 590.03 Fall 1248

49 References [M et al PVLDB’11] A. Machanavajjhala, A. Korolova, A. Das Sarma, “Personalized Social Recommendations – Accurate or Private?”, PVLDB 4(7) 2011 [Kifer-M SIGMOD’11] D. Kifer, A. Machanavajjhala, “No Free Lunch in Data Privacy”, SIGMOD 2011 [Kifer-M PODS’12] D. Kifer, A. Machanavajjhala, “A Rigorous and Customizable Framework for Privacy”, PODS 2012 [Ding-M ‘13] B. Ding, A. Machanavajjhala, “Induced Neighbors Privacy(Work in progress)”, 2012 Lecture 15: 590.03 Fall 1249

Download ppt "No Free Lunch in Data Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 15: 590.03 Fall 12."

Similar presentations

Wavelet and Matrix Mechanism CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 11 : 590.03 Fall 12.

Wavelet and Matrix Mechanism CompSci Instructor: Ashwin Machanavajjhala 1Lecture 11 : Fall 12.
Publishing Set-Valued Data via Differential Privacy Rui Chen, Concordia University Noman Mohammed, Concordia University Benjamin C. M. Fung, Concordia.

Publishing Set-Valued Data via Differential Privacy Rui Chen, Concordia University Noman Mohammed, Concordia University Benjamin C. M. Fung, Concordia.
Efficient Processing of Top- k Queries in Uncertain Databases Ke Yi, AT&T Labs Feifei Li, Boston University Divesh Srivastava, AT&T Labs George Kollios,

Efficient Processing of Top- k Queries in Uncertain Databases Ke Yi, AT&T Labs Feifei Li, Boston University Divesh Srivastava, AT&T Labs George Kollios,
Differentially Private Recommendation Systems Jeremiah Blocki Fall 2009 18739A: Foundations of Security and Privacy.

Differentially Private Recommendation Systems Jeremiah Blocki Fall A: Foundations of Security and Privacy.
Simulatability “The enemy knows the system”, Claude Shannon CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 6 : 590.03 Fall 12.

Simulatability “The enemy knows the system”, Claude Shannon CompSci Instructor: Ashwin Machanavajjhala 1Lecture 6 : Fall 12.
Private Analysis of Graph Structure With Vishesh Karwa, Sofya Raskhodnikova and Adam Smith Pennsylvania State University Grigory Yaroslavtsev

Private Analysis of Graph Structure With Vishesh Karwa, Sofya Raskhodnikova and Adam Smith Pennsylvania State University Grigory Yaroslavtsev
Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.

Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.
1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, 2013 © Ravi.

1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, © Ravi.
Privacy Enhancing Technologies

Privacy Enhancing Technologies
Seminar in Foundations of Privacy 1.Adding Consistency to Differential Privacy 2.Attacks on Anonymized Social Networks Inbal Talgam March 2008.

Seminar in Foundations of Privacy 1.Adding Consistency to Differential Privacy 2.Attacks on Anonymized Social Networks Inbal Talgam March 2008.
Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
Privacy without Noise Yitao Duan NetEase Youdao R&D Beijing China CIKM 2009.

Privacy without Noise Yitao Duan NetEase Youdao R&D Beijing China CIKM 2009.
Foundations of Privacy Lecture 11 Lecturer: Moni Naor.

Foundations of Privacy Lecture 11 Lecturer: Moni Naor.
Differential Privacy (2). Outline  Using differential privacy Database queries Data mining  Non interactive case  New developments.

Differential Privacy (2). Outline  Using differential privacy Database queries Data mining  Non interactive case  New developments.
Lecture II.  Using the example from Birenens Chapter 1: Assume we are interested in the game Texas lotto (similar to Florida lotto).  In this game,

Lecture II.  Using the example from Birenens Chapter 1: Assume we are interested in the game Texas lotto (similar to Florida lotto).  In this game,
Database Access Control & Privacy: Is There A Common Ground? Surajit Chaudhuri, Raghav Kaushik and Ravi Ramamurthy Microsoft Research.

Database Access Control & Privacy: Is There A Common Ground? Surajit Chaudhuri, Raghav Kaushik and Ravi Ramamurthy Microsoft Research.
Differentially Private Transit Data Publication: A Case Study on the Montreal Transportation System Rui Chen, Concordia University Benjamin C. M. Fung,

Differentially Private Transit Data Publication: A Case Study on the Montreal Transportation System Rui Chen, Concordia University Benjamin C. M. Fung,
Multiplicative Weights Algorithms CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 13 : 590.03 Fall 12.

Multiplicative Weights Algorithms CompSci Instructor: Ashwin Machanavajjhala 1Lecture 13 : Fall 12.
Privacy and trust in social network

Privacy and trust in social network

Similar presentations

Ads by Google