Order-Invariant Cardinality Estimators Are Differentially Private
Charlie Dickens, Justin Thaler, Daniel Ting

TL;DR
This paper demonstrates that many streaming cardinality estimation algorithms inherently satisfy differential privacy under certain conditions, broadening understanding of privacy guarantees in data streaming contexts.
Contribution
It proves that a wide class of cardinality estimators are differentially private with simple modifications, generalizing and tightening previous privacy bounds.
Findings
Algorithms satisfy $oldsymbol{}$-differential privacy with down-sampling.
Without modification, algorithms satisfy $(,)$-differential privacy, with $$ exponentially small.
Results apply to most popular cardinality estimation algorithms.
Abstract
We consider privacy in the context of streaming algorithms for cardinality estimation. We show that a large class of algorithms all satisfy -differential privacy, so long as (a) the algorithm is combined with a simple down-sampling procedure, and (b) the cardinality of the input stream is . Here, is a certain parameter of the sketch that is always at most the sketch size in bits, but is typically much smaller. We also show that, even with no modification, algorithms in our class satisfy -differential privacy, where falls exponentially with the stream cardinality. Our analysis applies to essentially all popular cardinality estimation algorithms, and substantially generalizes and tightens privacy bounds from earlier works.
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting · Cryptography and Data Security
