Utility-Preserving Privacy Mechanisms for Counting Queries
Natasha Fernandes, Kacem Lefki, Catuscia Palamidessi

TL;DR
This paper introduces a geometric noise-based local differential privacy mechanism that improves utility in estimating counting queries, reducing the utility gap compared to existing LPD methods.
Contribution
It proposes a novel LDP mechanism using geometric noise, demonstrating improved statistical utility over previous approaches.
Findings
Geometric noise provides better utility than other LPD mechanisms.
The proposed method effectively estimates counting queries from noisy data.
Improved privacy-utility trade-off in local differential privacy settings.
Abstract
Differential privacy (DP) and local differential privacy (LPD) are frameworks to protect sensitive information in data collections. They are both based on obfuscation. In DP the noise is added to the result of queries on the dataset, whereas in LPD the noise is added directly on the individual records, before being collected. The main advantage of LPD with respect to DP is that it does not need to assume a trusted third party. The main disadvantage is that the trade-off between privacy and utility is usually worse than in DP, and typically to retrieve reasonably good statistics from the locally sanitized data it is necessary to have a huge collection of them. In this paper, we focus on the problem of estimating counting queries from collections of noisy answers, and we propose a variant of LDP based on the addition of geometric noise. Our main result is that the geometric noise has a…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsPrivacy-Preserving Technologies in Data · Cryptography and Data Security · Data Quality and Management
11institutetext: INRIA University of Paris Saclay INRIA
Utility-Preserving Privacy Mechanisms for Counting Queries
Natasha Fernandes Kacem Lefki Catuscia Palamidessi
Abstract
Differential privacy (DP) and local differential privacy (LPD) are frameworks to protect sensitive information in data collections. They are both based on obfuscation. In DP the noise is added to the result of queries on the dataset, whereas in LPD the noise is added directly on the individual records, before being collected. The main advantage of LPD with respect to DP is that it does not need to assume a trusted third party. The main disadvantage is that the trade-off between privacy and utility is usually worse than in DP, and typically to retrieve reasonably good statistics from the locally sanitized data it is necessary to have a huge collection of them. In this paper, we focus on the problem of estimating counting queries from collections of noisy answers, and we propose a variant of LDP based on the addition of geometric noise. Our main result is that the geometric noise has a better statistical utility than other LPD mechanisms from the literature.
1 Introduction
With the ever-increasing use of internet-connected devices, personal data are collected in larger and larger amounts, and then stored and manipulated for the most diverse purposes. Undeniably, the big-data technology provides enormous benefits to industry, individuals and society. On the other hand, however, the collection and manipulation of personal data raises alarming privacy issues. Not surprisingly, therefore, the investigation of mechanisms to protect privacy has become a very active field of research.
Differential privacy (DP) [3] and local differential privacy (LDP) [2] represent the cutting-edge of research on privacy. DP aims at protecting the individuals’ data while allowing to answer queries on the aggregate information, and it achieves this goal by adding controlled noise to the query outcome. LDP is a distributed variant in which the data are sanitized at the user’s end before being collected. One of the main reason of their success is that DP and LPD are compositional, i.e., robust to attacks based on combining the information from different sources. Furthermore LPD has the additional advantage that there is no need to assume that the entities collecting and storing data are trusted, because they can only see, stock and analyze the already sanitized data.
LDP is having a considerable impact, especially now that large companies such as Apple and Google have adopted it for collecting their customers’s data for statistical purposes.
In this paper we consider the problem of statistical utility, namely how precisely can we retrieve the original distribution from the collection of noisy data. Reconstruct the original distribution is important in order to make precise statistical analyses.
The notion of -privacy has been advocated in a recent work [1] as a variant of LDP able to provide a good trade-off between privacy and statistical utility. In this paper, we consider a particular -private mechanism: the geometric noise distribution. We explore its properties and we show that indeed, in terms of trade-off privacy-utility, it compares favorably to the typical LPD mechanism, the -Randomized-Responses (RR) [2].
2 Preliminaries
In this section we recall some basic notions. We will consider only finite sets and discrete mechanisms. Given a set , a probability distribution on is a function such that and . We denote by the set of all possible distributions on . We use to denote .
2.1 Differential privacy
Let denote collections of data (datasets), the set of all datasets of interest, and let represent the adjacency relation between datasets. Namely, means that and differ only for the value of a single record. Given a query , a mechanism for is a probabilistic function which, for every , gives a reported answer with a certain probability distribution that depends on the true answer to the query. Let denote the probability that applied to reports the answer . We say that satisfies -DP, where is a non-negative real number denoting the level of privacy, if for every pairs of adjacent datasets , and for every , we have:
[TABLE]
2.2 Local differential privacy and Randomized Responses
In LDP the idea is that the mechanism obfuscates directly the value of the data rather than the answer to a query. In this setting, let denote the set of all possible values for the data. A mechanism is a probabilistic function which, for every , returns a reported value with a certain probability distribution that depends on the true value . Let be the probability that applied to reports . provides -LPD if for all we have:
[TABLE]
A typical mechanism to implement LDP is the Randomized Responses (RR), where represents the size of . In its simplest variant it is defined as follows:
[TABLE]
2.3 -privacy
In -privacy, like in LDP, mechanism obfuscates directly the value of the data. The main difference is that the domain is assumed to be a metric space, namely be endowed with a notion of distance , where is the set of non-negative real numbers.
A mechanism provides --privacy if for every we have:
[TABLE]
2.4 Generalized counting queries
In DP, a counting query is a function such that gives the number of records in that satisfy a certain property. ( denotes the set of integers between [math] and .) In this paper, we will adopt a more general notion of counting query, suitable for LPD. Namely, we assume that associates a number to each element of . The idea is that each represents a certain person, and could return, for example, the age (in years), or the number of children, or the monthly salary (in Euros), etc.
A mechanism for , in this context, associates to each value a value chosen randomly according to a probability distribution. We denote by the probability that . Note that represent the conditional probability of given , hence the values form a stochastic matrix (where is the element at the intersection of the -th row and -th column). From now on for notational simplicity we will use rather than .
2.5 Geometric mechanism
In the following, for simplicity we use to indicate , where is the level of privacy. Note that . The geometric mechanism (for a counting query) is represented by an infinite matrix with rows indexed by and columns indexed by (the set of integers), and whose elements are given by:
[TABLE]
In order to avoid dealing with an infinite output domain, we consider the truncated version of a mechanism. The idea is that the probability mass of the negative element is remapped in [math], and the probability mass of the elements greater than is remapped in . The truncated geometric mechanism will be denoted by and it is defined as:
[TABLE]
The truncated geometric is --private:
Proposition 1
[4]** If is the domain and is the difference between integers, then is a -private mechanism on .
The following is another important property of the truncated geometric:
Proposition 2
[4]** The matrix is invertible.
3 Reconstructing the original distribution from a collection of noisy data
Assume that we have a collection of noisy data representing the result of the independent application of the geometric mechanism to the data of a certain population. Each datum (as well as each noisy datum) is a number in . Let be the prior distribution on the original data. The set of original data is generated by a sequence of random variables independent and identically distributed (i.i.d.), according to . To each of the we apply the geometric mechanism , thus obtaining a sequence of random variables . Let be the empirical distribution determined by . I.e., is obtained by counting the frequencies of the value in . Namely, .
The task we consider here is how best to reconstruct the original distribution from . To this purpose, we consider the following iterative procedure, which is inspired by the Bayes theorem. In the definition of this procedure, represents an arbitrary probability distribution with full support.
Definition 1
Let be the sequence defined inductively as follows:
[TABLE]
The interest of the above definition relies in the following result:
Theorem 3.1
[4]** Let be the sequence of distributions constructed according to Definition 1. Then:
The sequence converges, i.e., exists. 2. 2.
* is the Maximum Likelihood Estimator (MLE) of given .*
We will denote by the limit of the sequence , i.e., . Theorem 3.1(2) means that for all possible distributions , the probability that the distribution induced from the noisy data (sanitized with ) is when the prior is is higher than or equal to the same probability when the prior is .
Furthermore, can be characterized using . For a distribution and a matrix , let be the product of and . Namely, .
Proposition 3
[4]** If is a probability distribution, then .
4 Comparison between the Geometric and Randomized Response mechanisms
In this section we compare the truncated geometric and the RR mechanisms from the point of view of the trade-off between privacy and statistical utility.
In order to make a fair comparison, we first need to calibrate the privacy parameters of these mechanisms so that they represent the same level of privacy. Indeed, although both are expressed in terms of a parameter , they do not have the same meaning: the first satisfies --privacy, while the second satisfies -LPD.
To demonstrate, consider the RR mechanism with parameter operating over integer-valued input and output domains with range . The privacy guarantee provided by this mechanism is given by the upper bound , representing the maximum likelihood ratio between any possible reported value and the true value. This upper bound is realised for every pair of different values in the input and output domains. By comparison, the truncated geometric mechanism with the same would provide such an upper bound only for values immediately adjacent to the true one. For values further away, the bound is smaller (making more distance values less likely). If we want to provide the same upper bound on the entire domain, then we would have to set to a value times smaller, namely , which would result in a very flat curve, making the true value almost indistinguishable from a large part of the other values.
However, we argue that it is not necessary to inject so much noise, as this destroys the utility-by-design of the geometric mechanism. As a compromise we will require the upper bound on a restricted subset of elements, for instance those in a radius from the true value. This can be achieved by setting to . Figure 1 illustrates the situation.
As for statistical utility, intuitively it should account for how well we can approximate statistics on the original data by using only the collected noisy data. This can be formalized in terms of the distance between the original distribution and the most likely one given the noisy data, which can be estimated by applying the IBU (Definition 1). As for the notion of distance, we propose to use the Kantorovich metric (based on the standard distance between natural numbers as the ground distance). As argued in [1], in fact, this metric is related to a large class of statistical functions. We recall the definition of the Kantorovich distance:
Definition 2
Let be a metric space and let . The Kantorovich distance based on between and is defined as follows:
[TABLE]
where is the set of the Lipshitz functions on , namely if and only if .
4.1 Experimental Results
We now present the results of experiments designed to assess the statistical utility of each of these mechanisms using the IBU method outlined in Section 3.
As above, we assume integer-valued inputs and outputs in the range . We constructed two different mechanisms to output noisy values: a truncated geometric mechanism parametrised by and a RR mechanism parametrised by .
We ran our experiments on 2 sets of data. The first set consisted of samples of size 1000, 10000, 50000 and 100000 drawn from a binomial distribution. The second set consisted of the same sample sizes drawn from a “4-point” distribution (i.e. a random distribution over 4 ‘points’ in the output range). For each of the 8 samples we conducted 20 experiments using the following method:
Obfuscate the sample using each of the (geometric and RR) mechanisms to produce 2 obfuscated sets. 2. 2.
Convert each set into an empirical distribution over outputs using the frequency counts of elements in each set. 3. 3.
Run IBU for 5000 iterations over each empirical distribution to compute the maximum likelihood estimate (MLE) for the true distribution. 4. 4.
Compare the Kantorovich distance between the MLE and the true distribution as an estimate of the error caused by the obfuscation.
In Figure 2 we present some sample runs of IBU for each mechanism and distribution. Interestingly, the reconstructed distribution for kRR is much better for the ‘4-point’ sample than for the binomial sample. Conversely, the reconstructed distribution for the geometric mechanism is much closer to the binomial sample.
However, the computed Kantorovich distances at the 5000 iteration point for each run tell a different story. These results are shown in Figure 3. We computed the Kantorovich distance between the estimated distribution and the true distribution, providing an approximation of the distance between the true distribution and the distribution resulting from obfuscation. We can see that the average Kantorovich distances for the geometric mechanism are significantly lower (up to 5 times) than the corresponding distances for the kRR mechanism. We conjecture that this is because the errors caused by kRR are randomly distributed over the entire output space, which directly affects the Kantorovich distance since it depends on the ground distance between points. This means that for statistical applications in which the ground distance is important, the geometric mechanism is still preferred to the kRR mechanism.
Another interesting observation we make is in the convergence rates for the IBU method when applied to the different distributions. This is graphed in Figure 4. For each iteration of IBU we computed the ‘log likelihood’ function
[TABLE]
where is the current estimated distribution, is the empirical distribution and is the mechanism represented as a channel matrix. 111The notation indicates the dot product of with the th column of . The log likelihood function indicates how close the current estimate is to the true MLE. The results for one particular run are shown in Figure 4. We can see that the geometric mechanism converges to a close approximation of the MLE within 10 iterations, whereas the convergence for kRR is linear and almost flat. This may also explain the better performance of the kRR output on the ‘4-point’ sample, since there were far fewer ‘skyscrapers’ in the original distribution to estimate. The shape of the geometric mechanism seemed to favour the more ‘natural’ shape of the binomial distribution sample.
5 Conclusion
In this paper, we have investigated the properties of the truncated geometric mechanism in relation to the reconstruction from noisy data of the original distribution on the real data. We have provided an iterative algorithm to approximate the original distribution, and we have given a characterization of the fixed point in terms of the inverse of the matrix. Finally, we have compared the trade-off between privacy and utility of the the truncated geometric mechanism and of the kRRs, obtaining favorable results.
Acknowledgements
The work of Catuscia Palamidessi has been partially supported by the ANR project REPAS.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Mário S. Alvim, Konstantinos Chatzikokolakis, Catuscia Palamidessi, and Anna Pazii. Local differential privacy on metric spaces: Optimizing the trade-off with utility. In 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9-12, 2018 , pages 262–267. IEEE Computer Society, 2018.
- 2[2] John C. Duchi, Michael I. Jordan, and Martin J. Wainwright. Local privacy and statistical minimax rates. In Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science (FOCS) , pages 429–438. IEEE Computer Society, 2013.
- 3[3] Cynthia Dwork, Frank Mcsherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In Shai Halevi and Tal Rabin, editors, In Proceedings of the Third Theory of Cryptography Conference (TCC) , volume 3876 of Lecture Notes in Computer Science , pages 265–284. Springer, 2006.
- 4[4] Lefki Kacem and Catuscia Palamidessi. Geometric noise for locally private counting queries. In Proceedings of the 13th Workshop on Programming Languages and Analysis for Security , PLAS ’18, pages 13–16, New York, NY, USA, 2018. ACM.
