Data Sanitisation Protocols for the Privacy Funnel with Differential Privacy Guarantees

TL;DR

This paper introduces efficient local differential privacy protocols that improve data sanitisation for open data sharing, balancing privacy guarantees with utility, and addresses computational challenges in the Privacy Funnel approach.

Contribution

It proposes optimal local privacy protocols under differential privacy metrics, introduces Side-channel Resistant Local Information Privacy, and presents Conditional Reporting for practical scenarios.

Findings

Efficient protocols under Local Differential Privacy and Local Information Privacy.

Side-channel Resistant Local Information Privacy for multi-attribute data.

Conditional Reporting protocol performs well on real and synthetic data.

Abstract

In the Open Data approach, governments and other public organisations want to share their datasets with the public, for accountability and to support participation. Data must be opened in such a way that individual privacy is safeguarded. The Privacy Funnel is a mathematical approach that produces a sanitised database that does not leak private data beyond a chosen threshold. The downsides to this approach are that it does not give worst-case privacy guarantees, and that finding optimal sanitisation protocols can be computationally prohibitive. We tackle these problems by using differential privacy metrics, and by considering local protocols which operate on one entry at a time. We show that under both the Local Differential Privacy and Local Information Privacy leakage metrics, one can efficiently obtain optimal protocols. Furthermore, Local Information Privacy is both more closely aligned to the privacy requirements of the Privacy Funnel scenario, and more efficiently computable. We also consider the scenario where each user has multiple attributes, for which we define Side-channel Resistant Local Information Privacy, and we give efficient methods to find protocols satisfying this criterion while still offering good utility. Finally, we introduce Conditional Reporting, an explicit LIP protocol that can be used when the optimal protocol is infeasible to compute, and we test this protocol on real-world and synthetic data. Experiments on real-world and synthetic data confirm the validity of these methods.