How Much Is Enough? Choosing ε for Differential Privacy
Differential privacy is a recent notion, and while it is nice conceptually it has been difficult to apply in practice. The parameters of differential privacy have an intuitive theoretical interpretation, but the implications and impacts on the risk of disclosure in practice have not yet been studied, and choosing appropriate values for them is non-trivial. Although the privacy parameter ε in differential privacy is used to quantify the privacy risk posed by releasing statistics computed on sensitive data, ε is not an absolute measure of privacy but rather a relative measure. In effect, even for the same value of ε, the privacy guarantees enforced by differential privacy are different based on the domain of attribute in question and the query supported. We consider the probability of identifying any particular individual as being in the database, and demonstrate the challenge of setting the proper value of ε given the goal of protecting individuals in the database with some fixed probability.
KeywordsDifferential Privacy Privacy Parameter ε
Unable to display preview. Download preview PDF.
- 1.Barak, B., Chaudhuri, K., Dwork, C., Kale, S., McSherry, F., Talwar, K.: Privacy, accuracy, and consistency too: a holistic solution to contingency table release. In: Proceedings of the Twenty-Sixth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, pp. 273–282. ACM, New York (2007)CrossRefGoogle Scholar
- 3.Blum, A., Ligett, K., Roth, A.: A learning theory approach to non-interactive database privacy. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp. 609–618. ACM, New York (2008)Google Scholar
- 4.Dalenius, T.: Towards a methodology for statistical disclosure control. Statistik Tidskrift 15(429-444), 2–1 (1977)Google Scholar
- 11.Kasiviswanathan, S., Smith, A.: A note on differential privacy: Defining resistance to arbitrary side information. Arxiv preprint arXiv:0803.3946 (2008)Google Scholar
- 13.Nergiz, M.E., Clifton, C.: δ-presence without complete world knowledge. IEEE Transactions on Knowledge and Data Engineering 22(6), 868–883 (2010), http://doi.ieeecomputersociety.org/10.1109/TKDE.2009.125 CrossRefGoogle Scholar
- 14.Nergiz, M., Atzori, M., Clifton, C.: Hiding the presence of individuals from shared databases. In: Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data, Beijing, China, June 11-14, pp. 665–676 (2007), http://doi.acm.org/10.1145/1247480.1247554
- 15.Nissim, K., Raskhodnikova, S., Smith, A.: Smooth sensitivity and sampling in private data analysis. In: Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, pp. 75–84. ACM, New York (2007)Google Scholar
- 16.Roy, I., Setty, S., Kilzer, A., Shmatikov, V., Witchel, E.: Airavat: Security and privacy for MapReduce. In: Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation, p. 20. USENIX Association (2010)Google Scholar