Collecting Telemetry Data Privately

TL;DR

This paper introduces new locally differentially private mechanisms for repeated collection of counter data, maintaining strong privacy guarantees over time while achieving accuracy comparable to single-round methods, validated through real-world datasets.

Contribution

The paper presents novel LDP algorithms specifically designed for repeated data collection, ensuring formal privacy guarantees over long periods, and demonstrates their effectiveness and deployment at scale.

Findings

Mechanisms achieve accuracy comparable to single-round LDP methods.

Empirical results confirm theoretical privacy and accuracy guarantees.

Deployed by Microsoft for telemetry collection on millions of devices.

Abstract

The collection and analysis of telemetry data from users' devices is routinely performed by many software companies. Telemetry collection leads to improved user experience but poses significant risks to users' privacy. Locally differentially private (LDP) algorithms have recently emerged as the main tool that allows data collectors to estimate various population statistics, while preserving privacy. The guarantees provided by such algorithms are typically very strong for a single round of telemetry collection, but degrade rapidly when telemetry is collected regularly. In particular, existing LDP algorithms are not suitable for repeated collection of counter data such as daily app usage statistics. In this paper, we develop new LDP mechanisms geared towards repeated collection of counter data, with formal privacy guarantees even after being executed for an arbitrarily long period of time. For two basic analytical tasks, mean estimation and histogram estimation, our LDP mechanisms for repeated data collection provide estimates with comparable or even the same accuracy as existing single-round LDP collection mechanisms. We conduct empirical evaluation on real-world counter datasets to verify our theoretical results. Our mechanisms have been deployed by Microsoft to collect telemetry across millions of devices.