Privacy Odometers and Filters: Pay-as-you-Go Composition
Ryan Rogers, Aaron Roth, Jonathan Ullman, Salil Vadhan

TL;DR
This paper introduces the concepts of privacy odometers and filters for adaptive composition in differential privacy, enabling dynamic privacy tracking and management during data analysis, with theoretical bounds and inherent limitations.
Contribution
It defines and analyzes privacy odometers and filters for adaptive privacy composition, establishing bounds and demonstrating a fundamental separation between these two approaches.
Findings
Privacy filters can match existing composition bounds.
Privacy odometers nearly match non-adaptive bounds but with a small loss.
A formal separation exists between odometers and filters in adaptive settings.
Abstract
In this paper we initiate the study of adaptive composition in differential privacy when the length of the composition, and the privacy parameters themselves can be chosen adaptively, as a function of the outcome of previously run analyses. This case is much more delicate than the setting covered by existing composition theorems, in which the algorithms themselves can be chosen adaptively, but the privacy parameters must be fixed up front. Indeed, it isn't even clear how to define differential privacy in the adaptive parameter setting. We proceed by defining two objects which cover the two main use cases of composition theorems. A privacy filter is a stopping time rule that allows an analyst to halt a computation before his pre-specified privacy budget is exceeded. A privacy odometer allows the analyst to track realized privacy loss as he goes, without needing to pre-specify a privacy…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Privacy, Security, and Data Protection
