Blowfish Privacy: Tuning Privacy-Utility Trade-offs using Policies

TL;DR

Blowfish Privacy introduces a flexible framework that allows data publishers to customize privacy policies, balancing privacy and utility more effectively than traditional differential privacy methods.

Contribution

The paper formalizes Blowfish, a new privacy framework that incorporates policies with secrets and constraints, enabling tailored privacy-utility trade-offs and improved data analysis accuracy.

Findings

Blowfish mechanisms can reduce noise in k-means clustering, histograms, and range queries.

Policies under Blowfish can significantly improve utility over standard differential privacy.

The framework is validated both analytically and empirically on real datasets.

Abstract

Privacy definitions provide ways for trading-off the privacy of individuals in a statistical database for the utility of downstream analysis of the data. In this paper, we present Blowfish, a class of privacy definitions inspired by the Pufferfish framework, that provides a rich interface for this trade-off. In particular, we allow data publishers to extend differential privacy using a policy, which specifies (a) secrets, or information that must be kept secret, and (b) constraints that may be known about the data. While the secret specification allows increased utility by lessening protection for certain individual properties, the constraint specification provides added protection against an adversary who knows correlations in the data (arising from constraints). We formalize policies and present novel algorithms that can handle general specifications of sensitive information and certain count constraints. We show that there are reasonable policies under which our privacy mechanisms for k-means clustering, histograms and range queries introduce significantly lesser noise than their differentially private counterparts. We quantify the privacy-utility trade-offs for various policies analytically and empirically on real datasets.