An Architecture for Privacy-Preserving Telemetry Scheme

TL;DR

This paper introduces a privacy-preserving telemetry aggregation system that combines local differential privacy, frequency estimation, and Oblivious HTTP to enhance data privacy during collection and analysis.

Contribution

It presents a novel architecture integrating local differential privacy with OHTTP for improved privacy guarantees in telemetry data collection.

Findings

Achieved stricter privacy safeguards compared to previous methods.

Implemented a frequency estimation system with enhanced privacy protections.

Demonstrated practical deployment with available open-source code.

Abstract

We present a privacy-preserving telemetry aggregation scheme. Our underlying frequency estimation routine works within the framework of differential privacy. The design philosophy follows a client-server architecture. Furthermore, the system uses a local differential privacy scheme where data gets randomized on the client before submitting the request to the resource server. This scheme allows for data analysis on de-identified data by carefully adding noise to prevent re-identification attacks, thereby facilitating public data release without compromising the identifiability of the individual record. This work further enhances privacy guarantees by leveraging Oblivious HTTP (OHTTP) to achieve increased privacy protection for data in transit that addresses pre-existing privacy vulnerabilities in raw HTTP. We provide an implementation that focuses on frequency estimation with a histogram of a known dictionary. Our resulting formulation based on OHTTP has provided stricter privacy safeguards when compared to trusting an organization to manually delete identifying information from the client's request in the ingestor as deployed in reference work~\cite{apple2017}. Code available at https://github.com/kenluck2001/miscellaneous/tree/master/src/Privacy-Preserving-Telemetry.