Unifying Re-Identification, Attribute Inference, and Data Reconstruction Risks in Differential Privacy

TL;DR

This paper introduces a unified, interpretable framework for assessing various privacy risks in differential privacy, enabling more accurate calibration of privacy parameters and improved utility in data analysis.

Contribution

It presents a unified, consistent, and tunable bounds on privacy attack success across multiple risks using the $f$-DP framework, improving over prior methods.

Findings

Tighter bounds than prior DP methods.

20% noise reduction at same risk level.

Increased accuracy from 52% to 70% in text classification.

Abstract

Differentially private (DP) mechanisms are difficult to interpret and calibrate because existing methods for mapping standard privacy parameters to concrete privacy risks -- re-identification, attribute inference, and data reconstruction -- are both overly pessimistic and inconsistent. In this work, we use the hypothesis-testing interpretation of DP ($f$-DP), and determine that bounds on attack success can take the same unified form across re-identification, attribute inference, and data reconstruction risks. Our unified bounds are (1) consistent across a multitude of attack settings, and (2) tunable, enabling practitioners to evaluate risk with respect to arbitrary, including worst-case, levels of baseline risk. Empirically, our results are tighter than prior methods using $\varepsilon$-DP, R\'enyi DP, and concentrated DP. As a result, calibrating noise using our bounds can reduce the required noise by 20% at the same risk level, which yields, e.g., an accuracy increase from 52% to 70% in a text classification task. Overall, this unifying perspective provides a principled framework for interpreting and calibrating the degree of protection in DP against specific levels of re-identification, attribute inference, or data reconstruction risk.