A Learning Theory Approach to Non-Interactive Database Privacy
Avrim Blum, Katrina Ligett, Aaron Roth
Introduction
As large-scale collection of personal information becomes easier, the problem of database privacy is increasingly important. In many cases, we might hope to learn useful information from sensitive data (for example, we might learn a correlation between smoking and lung cancer from a collection of medical records). However, for legal, financial, or moral reasons, administrators of sensitive datasets might not want to release their data. If those with the expertise to learn from large datasets are not the same as those who administer the datasets, what is to be done? In order to study this problem theoretically, it is important to quantify what exactly we mean by “privacy.”
A series of recent papers [DN04, BDMN05, DMNS06] formalizes the notion of differential privacy. A database privatization mechanism (which may be either interactive or non-interactive) satisfies differential privacy if the addition or removal of a single database element does not change the probability of any outcome of the privatization mechanism by more than some small amount. The definition is intended to capture the notion that “distributional information is not private”—we may reveal that smoking correlates to lung cancer, but not that any individual has lung cancer. Individuals may submit their personal information to the database secure in the knowledge that (almost) nothing can be discovered from the database with their information that could not have been discovered without their information.
In this paper, motivated by learning theory, we propose the study of privacy-preserving mechanisms that are useful for all queries in a particular class (such as all conjunction queries or all halfspace queries). In particular, we focus on counting queries of the form, “what fraction of the database entries satisfy predicate ?” and say that a sanitized output is useful for a class if the answers to all queries in have changed by at most some .
Building on the techniques of Kasiviswanathan et al. [KLN+08], we show that for discretized domains, for any concept class that admits an -net , it is possible to privately release synthetic data that is useful for the class, with error that grows proportionally to the logarithm of the size of . As a consequence, we show that it is possible to release data useful for a set of counting queries with error that grows proportionally to the VC-dimension of the class of queries. The algorithm is not in general computationally efficient. We are able to give a different algorithm that efficiently releases synthetic data for the class of interval queries (and more generally, axis-aligned rectangles in fixed dimension) that achieves guarantees in a similar range of parameters.
Unfortunately, we show that for non-discretized domains, under the above definition of usefulness, it is impossible to publish a differentially private database that is useful for even quite simple classes such as interval queries. We next show how, under a natural relaxation of the usefulness criterion, one can release information that can be used to usefully answer (arbitrarily many) halfspace queries while satisfying privacy. In particular, instead of requiring that useful mechanisms answer each query approximately correctly, we allow our algorithm to produce an answer that is approximately correct for some nearby query. This relaxation is motivated by the notion of large-margin separators in learning theory [AB99, Vap98, SS02]; in particular, queries with no data points close to the separating hyperplane must be answered accurately, and the allowable error more generally is a function of the fraction of points close to the hyperplane.
We also introduce a new concept, distributional privacy, which makes explicit the notion that when run on a database drawn from a distribution, privacy-preserving mechanisms should reveal only information about the underlying distribution, and nothing else. Given a distribution over database points, a database privatization mechanism satisfies distributional privacy if with high probability, drawing an entirely new database from does not change the probability of any outcome of the privatization mechanism by more than some small amount. We show that distributional privacy is a strictly stronger guarantee than differential privacy by showing that any mechanism that satisfies distributional privacy also satisfies differential privacy, but that there are some functions that can be answered accurately while satisfying differential privacy, and yet reveal information about the particular database (although not about any particular database element) that is not “distributional.”
Recent work on theoretical guarantees for data privacy was initiated by [DN03]. The notion of differential privacy, finally formalized by [DMNS06], separates issues of privacy from issues of outside information by defining privacy as indistinguishability of neighboring databases. This captures the notion that (nearly) anything that can be learned if your data is included in the database can also be learned without your data. This notion of privacy ensures that users have very little incentive to withhold their information from the database. The connection between data privacy and incentive-compatibility was formalized by McSherry and Talwar [MT07].
Much of the initial work focused on lower bounds. Dinur and Nissim [DN03] showed that any mechanism that answers substantially more than a linear number of subset-sum queries with error yields what they called blatant non-privacy – i.e. it allows an adversary to reconstruct all but a fraction of the original database. Dwork et al. [DMT07] extend this result to the case in which the private mechanism can answer a constant fraction of queries with arbitrary error, and show that still if the error on the remaining queries is , the result is blatant non-privacy. Dwork and Yekhanin [DY08] give further improvements. These results easily extend to the case of counting queries which we consider here.
Dwork et al. [DMNS06], in the paper that defined differential privacy, show that releasing the answers to low sensitivity queries with noise drawn independently from the Laplace distribution with scale preserves -differential privacy. Unfortunately, the noise scales linearly in the number of queries answered, and so this mechanism can only answer a sub-linear number of queries with non-trivial accuracy. Blum et al. [BDMN05] consider a model of learning and show that concept classes that are learnable in the statistical query (SQ) model are also learnable from a polynomially sized dataset accessed through an interactive differential-privacy-preserving mechanism. We note that such mechanisms still access the database by asking counting-queries perturbed with independent noise from the Laplace distribution, and so can still only make a sublinear number of queries. In this paper, we give a mechanism for privately answering counting queries with noise that grows only logarithmically with the number of queries asked (or more generally with the VC-dimension of the query class). This improvement allows an analyst to answer an exponentially large number of queries with non-trivial error, rather than only linearly many.
Most similar to this paper is the work of Kasiviswanathan et al. [KLN+08]. Kasiviswanathan et al. study what can be learned privately when what is desired is that the hypothesis output by the learning algorithm satisfies differential privacy. They show that in a PAC learning model in which the learner has access to the private database, ignoring computational constraints, anything that is PAC learnable is also privately PAC learnable. We build upon the technique in their paper to show that in fact, it is possible to privately release a dataset that is simultaneously useful for any function in a concept class of polynomial VC-dimension. Kasiviswanathan et al. also study several restrictions on learning algorithms, show separation between these learning models, and give efficient algorithms for learning particular concept classes.
1.2 Subsequent Work
Since the original publication of this paper in STOC 2008 [BLR08] there has been a substantial amount of follow up work. A sequence of papers by Dwork et al. [DNR+09, DRV10] give a non-interactive mechanism for releasing counting queries with accuracy that depends in a similar way to the mechanism presented in this paper on the total number of queries asked, but has a better dependence on the database size. This comes at the expense of relaxing the notion of -differential privacy to an approximate version called -differential privacy. The mechanism of [DRV10] also extends to arbitrary low-sensitivity queries rather than only counting queries. This extension makes crucial use of the relaxation to -privacy, as results such as those given in this paper cannot be extended to arbitrary low-sensitivity queries while satisfying -differential privacy as shown recently by De [De11].
Roth and Roughgarden [RR10] showed that bounds similar to those achieved in this paper can also be achieved in the interactive setting, in which queries are allowed to arrive online and must be answered before the next query is known. In many applications, this gives a large improvement in the accuracy of answers, because it allows the analyst to pay for those queries which were actually asked in the course of a computation (which may be only polynomially many), as opposed to all queries which might potentially be asked, as is necessary for a non-interactive mechanism. Hardt and Rothblum [HR10] gave an improved mechanism for the interactive setting based on the multiplicative weights framework which achieves bounds comparable to the improved bounds of [DRV10], also in the interactive setting. An offline version of this mechanism (constructed by pairing the online mechanism with an agnostic learner for the class of queries of interest) was given by Gupta et al. [GHRU11], and an experimental evaluation on real data was done by Hardt, Ligett, and McSherry [HLM11]. Gupta, Roth, and Ullman unified the online mechanisms of [RR10, HR10] into a generic framework (and improved their error bounds) by giving a generic reduction from online learning algorithms in the mistake bound model to private query release algorithms in the interactive setting [GRU11]. [GRU11] also gives a new mechanism based on this reduction that achieves improved error guarantees for the setting in which the database size is comparable to the size of the data universe.
Following this work, there has been significant attention paid to the problem of releasing the class of conjunctions (a special case of counting queries) with low error using algorithms with more efficient run-time than the one given in this paper. Gupta et al [GHRU11] give an algorithm which runs in time polynomial in the size of the database, and releases the class of conjunctions to average error while preserving differential privacy. Hardt, Rothblum, and Servedio [HRS11] give an algorithm which runs in time proportional (for databases over a data universe and releases conjunctions of most variables with worst-case error guarantees. Their algorithm improves over the Laplace mechanism (which also requires run-time ) because it only requires that the database size be proportional to (The Laplace mechanism would require a database of size ). As a building block for this result, they also give a mechanism with run-time proportional to which gives average-case error guarantees. Kasiviswanathan et al. [KRSU10] extend the lower bounds [DN03] from arbitrary subset-sum queries to hold also for an algorithm that only releases conjunctions.
Xiao et al. [XWG10] gave an algorithm for releasing range queries, which extends the class of constant-dimensional interval queries which we consider in this paper.
There has also been progress in proving lower bounds. Dwork et al. [DNR+09] show that in general, the problem of releasing synthetic data giving non-trivial error for arbitrary classes of counting queries requires run-time that is linear in the size of the data universe and the size of the query class (modulo cryptographic assumptions). This in particular precludes improving the run-time of the general mechanism presented in this paper to be only polynomial in the size of the database. Ullman and Vadhan [UV11] extend this result to show that releasing synthetic data is hard even for the simple class of conjunctions of at most 2 variables. This striking result emphasizes that output representation is extremely important, because it is possible to release the answers to all of the (at most ) conjunctions of size 2 privately and efficiently using output representations other than synthetic data. Hardt and Talwar showed how to prove lower bounds for differentially query release using packing arguments, and gave an optimal lower bound for a certain range of parameters [HT10]. De recently refined this style of argument and extended it to wider settings [De11]. Gupta et al. [GHRU11] showed that the class of queries that can be released by mechanisms that access the database using only statistical queries (which includes almost all mechanisms known to date, with the exception of the parity learning algorithm of [KLN+08]) is equal to the class of queries that can be agnostically learned using statistical queries. This rules out a mechanism even for releasing conjunctions to subconstant error which accesses the data using only a polynomial number of statistical queries.
2 Motivation from Learning Theory
3 Organization
Definitions
We consider databases which are -tuples from some abstract domain : i.e. . We will write for the size of the database. We think of as the set of all possible data-records. For example, if data elements are represented as bit-strings of length , then would be the boolean hypercube in dimensions. These tuples are not endowed with an ordering: they are simply multi-sets (they can contain multiple copies of the same element ).
A database access mechanism is a randomized mapping , where is some arbitrary range. We say that outputs synthetic data if its output is itself a database: i.e. if .
Our privacy solution concept will be the by now standard notion of differential privacy. Crucial to this definition will be the notion of neighboring databases. We say that two databases are neighboring if they differ in only a single data element: i.e. they are neighbors if their symmetric difference .
A database access mechanism is -differentially private if for all neighboring pairs of databases and for all outcome events , the following holds:
In Section 7, we propose an alternate definition of privacy, distributional privacy, and show that it is strictly stronger than differential privacy. For simplicity, however, in the main body of the paper, we use the standard definition, differential privacy. All of these proofs can be adapted to the distributional privacy notion.
The global sensitivity of a query is its maximum difference when evaluated on two neighboring databases:
In this paper, we consider the private release of information useful for classes of counting queries.
A counting query , defined in terms of a predicate is defined to be
It evaluates to the fraction of elements in the database that satisfy the predicate .
For any predicate , the corresponding counting query has global sensitivity
Let be neighboring databases. Then:
Where the inequality follows by the definition of neighboring databases. Similarly, . The observation then follows. ∎
We remark that everything in this paper easily extends to the case of more general linear queries, which can are defined analogously to counting queries, but involve real valued predicates . For simplicity we restrict ourselves to counting queries in this paper, but see [Rot10] for the natural extension to linear queries.
A key measure of complexity that we will use for counting queries is VC-dimension. VC-dimension is strictly speaking a measure of complexity of classes of predicates, but we will associate the VC-dimension of classes of predicates with their corresponding class of counting queries.
A class of predicates shatters a collection of points if for every , there exists an such that . That is, shatters if for every one of the subsets of , there is some predicate in that labels exactly those elements as positive, and does not label any of the elements in as positive.
We can now define our complexity measure for counting queries.
A collection of predicates has VC-dimension if there exists some set of cardinality such that shatters , and does not shatter any set of cardinality . We can denote this quantity by . We abuse notation and also write where is a class of counting queries, to denote the VC-dimension of the corresponding collection of predicates.
Dwork et al. [DMNS06] give a mechanism which can answer any single low-sensitivity query while preserving differential privacy:
The Laplace mechanism responds to a query by returning where is a random variable drawn from the Laplace distribution: .
The Laplace distribution with scale , which we denote by , has probability density function
The Laplace mechanism preserves -differential privacy.
This mechanism answers queries interactively, but for a fixed privacy level, its accuracy guarantees degrade linearly in the number of queries that it answers. The following composition theorem is useful: it tells us that a mechanism which runs -differentially private subroutines is -differentially private.
If mechanisms are each -differentially private, then the mechanism defined by the (string) composition of the mechanisms: is -differentially private.
We propose to construct database access mechanisms which produce one-shot (non-interactive) outputs that can be released to the public, and so can necessarily be used to answer an arbitrarily large number of queries. We seek to do this while simultaneously preserving privacy. However, as implied by the lower bounds of Dinur and Nissim [DN03], we cannot hope to be able to usefully answer arbitrary queries. We instead seek to release synthetic databases which are “useful” (defined below) for restricted classes of queries .
A database access mechanism is -useful with respect to queries in class if for every database , with probability at least , the output of the mechanism satisfies:
In this paper, we will derive -useful mechanisms from small -nets:
An -net of databases with respect to a class of queries is a set such that for all , there exists an element of the -net such that:
We write to denote an -net of minimum cardinality among the set of all -nets for .
General release mechanism
In this section we present our general release mechanism. It is an instantiation of the exponential mechanism of McSherry and Talwar [MT07].
The exponential mechanism selects and outputs an element with probability proportional to .
McSherry and Talwar showed that the exponential mechanism preserves differential privacy. It is important to note that the exponential mechanism can define a complex distribution over a large arbitrary domain, and so it may not be possible to implement the exponential mechanism efficiently when the range of is super-polynomially large in the natural parameters of the problem. This will be the case with our instantiation of it.
The exponential mechanism preserves -differential privacy.
We first observe that the Net mechanism preserves -differential privacy.
The Net mechanism is -differentially private.
The Net mechanism is simply an instantiation of the exponential mechanism. Therefore, privacy follows from Theorem 3.2. ∎
We may now analyze the usefulness of the net mechanism.
For any class of queries (not necessarily counting queries) the Net Mechanism is -useful for any such that:
First observe that the sensitivity of the quality score .
By the definition of an -net, we know that there exists some such that . By the definition of the exponential mechanism, this is output with probability proportional to at least . Similarly, there are at most databases such that (simply because ). Hence, by a union bound, the probability that the exponential mechanism outputs some with is at most . Therefore, if we denote by the event that the net mechanism outputs some with , and denote by the event that the net mechanism outputs some with , we have:
Note that if this ratio is at least , then we will have proven that the net mechanism is useful with respect to . Solving for , we find that this is condition is satisfied so long as
We have therefore reduced the problem of giving upper bounds on the usefulness of differentially private database access mechanisms to the problem of upper bounding the sensitivity of the queries in question, and the size of the smallest -net for the set of queries in question. Recall that for counting queries on databases of size , we always have . Therefore we have the immediate corollary:
For any class of counting queries the Net Mechanism is -useful for any such that:
To complete the proof of utility for the net mechanism for counting queries, it remains to prove upper bounds on the size of minimal -nets for counting queries. We begin with a bound for finite classes of queries.
For any finite class of counting queries :
In order to prove this theorem, we will show that for any collection of counting queries and for any database , there is a “small” database of size that approximately encodes the answers to every query in , up to error . Crucially, this bound will be independent of .
For any and for any finite collection of counting queries , there exists a database of size
Let We will construct a database by taking uniformly random samples from the elements of . Specifically, for let be a random variable taking value with probability , and let be the database containing elements . Now fix any and consider the quantity . We have: . We note that each term of the sum is a bounded random variable taking values , and that the expectation of is:
Therefore, we can apply a standard Chernoff bound which gives:
Taking a union bound over all of the counting queries , we get:
Plugging in makes the right hand side smaller than (so long as ), proving that there exists a database of size satisfying the stated bound, which completes the proof of the lemma. ∎
Now we can complete the proof of Theorem 3.6.
By Lemma 3.7, we have that for any there exists a database with such that . Therefore, if we take to be the set of every database of size , we have an -net for . Since
and by definition , we have proven the theorem. ∎
For infinite concept classes , we can replace lemma 3.7 with the following lemma:
For any and for any collection of counting queries , there exists a database of size
This lemma straightforwardly gives an analogue of Theorem 3.6:
Note that we always have for finite classes of counting queries, and so Theorem 3.9 is strictly stronger than Theorem 3.6.
Finally, we can instantiate Corollary 3.5 to give our main utility theorem for the Net Mechanism.
For any class of counting queries the Net Mechanism is -useful for any such that:
Solving for , the Net Mechanism is -useful for:
Theorem 3.10 shows that a database of size is sufficient in order to output a set of points that is -useful for a concept class , while simultaneously preserving -differential privacy. If we were to view our database as having been drawn from some distribution , this is only an extra factor larger than what would be required to achieve -usefulness with respect to , even without any privacy guarantee!
The results in this section only apply for discretized database domains, and may not be computationally efficient. We explore these two issues further in the remaining sections of the paper.
We just gave an -differentially private mechanism that is -useful with respect to any set of counting queries , when given a database of size . In this section, we show that the dependence on the VC-dimension of the class is tight. Namely:
For any class of counting queries , for any bounded away from by a constant, for any , if is an -differentially private mechanism that is useful for given databases of size , then .
Fix a class of counting queries corresponding to a class of predicates of VC-dimension . Let denote a set of universe elements of size that are shattered by , as guaranteed by the definition of VC-dimension. We will consider all subsets of size . Denote this set by For each such , let be the predicate such that:
as guaranteed by the definition of shattering, and let be the corresponding counting query.
For every pair :
where the last equality follows from the fact that . ∎
This lemma will allow a sufficiently useful mechanism for the class of queries to be used to reconstruct a database selected from with high accuracy.
For any bounded away from by a constant, let be an -useful mechanism for . Given as input where is any database , there is a procedure which with constant probability reconstructs a database with .
Write . With probability at least , we have . For the rest of the argument, assume this event occurs. For each , define:
Let . We have:
by the accuracy of the mechanism. By combining the accuracy of the mechanism with Lemma 3.12, We also have:
Combining these two inequalities yields a database such that: as claimed. ∎
We can now complete the proof. Let be a set selected uniformly at random, let be an element of selected uniformly at random, and let be an element of selected uniformly at random. Note that the marginal distributions on and are identical: both are uniformly random elements from . Let be the set obtained by swapping elements and . Note that is also distributed uniformly at random from . Let be the set reconstructed from as in lemma 3.13, and let be the set reconstructed from . Assume that and that , which occurs except with probability at most . We now have:
Now recall that and so by the fact that is -differentially private, we also know:
Because we also have , we can solve to find . ∎
Interval queries
In this section we give an efficient algorithm for privately releasing a database useful for the class of interval queries over a discretized domain, given a database of size only polynomial in our privacy and usefulness parameters. We note that our algorithm is easily extended to the class of axis-aligned rectangles in dimensional space for a constant; we present the case of for clarity.
Consider a database of points in a discrete interval (in Corollary 5.2 we show some discretization is necessary). Given , both in , let be the indicator function corresponding to the interval . That is:
An interval query is defined to be
Note that , and we may answer interval queries while preserving -differential privacy by adding noise proportional to .
We now give the algorithm. We will assume for simplicity that all points are distinct, but this condition can be easily discarded.
The algorithm 2 is very simple. It repeatedly performs a binary search to partition the unit interval into regions that have approximately an fraction of the point mass in them. It then releases a database that has exactly an -fraction of the point mass in each of the intervals that it has discovered. There are at most such intervals, and each binary search terminates after at most rounds (because the interval consists of at most points). Therefore, the algorithm requires only accesses to the database, and each one is performed in a privacy preserving manner using noise from the Laplace mechanism. The privacy of the mechanism then follows immediately:
ReleaseIntervals is -differentially private.
The algorithm runs a binary search at most times. Each time, the search halts after queries to the database using the Laplace mechanism. Each query is -differentially private (the sensitivity of an interval query is since it is a counting query). Privacy then follows from the definition of and the fact that the composition of differentially private mechanisms is differentially private. ∎
ReleaseIntervals is -useful for databases of size:
By a union bound and the definition of the Laplace distribution, if the database size satisfies the hypothesis of the theorem, then except with probability at most , none of the draws from the Laplace distribution have magnitude greater than . That is, at every step, we have except with probability . Conditioned on this event occurring, for each interval Bounds,Bounds for , . In the synthetic database released, each such interval contains exactly an fraction of the database elements. We can now analyze the error incurred on any query when evaluated on the synthetic database instead of on the real database. Any interval Bounds,Bounds will contribute error at most to the total, and any interval Bounds,Bounds that also intersects with contributes error at most to the total. Note that there are at most 2 intervals of this second type. Therefore, on any query we have:
We note that although the class of intervals (and more generally, low dimensional axis-aligned rectangles) is a simple class of functions, it nevertheless contains exponentially many queries, and so it is not feasible to simply ask all possible interval queries using an interactive mechanism.
Lower bounds
Could we possibly modify the results of Sections 4 and 3 to hold for non-discretized databases? Suppose we could usefully answer an arbitrary number of queries in some simple concept class representing interval queries on the real line (for example, “How many points are contained within the following interval?”) while still preserving privacy. Then, for any database containing single-dimensional real valued points, we would be able to answer median queries with values that fall between the percentile of database points by performing a binary search on using (where is some small constant depending on the usefulness parameter ). However, answering such queries is impossible while guaranteeing differential privacy. Unfortunately, this would seem to rule out usefully answering queries in simple concept classes such as halfspaces and axis-aligned rectangles, that are generalizations of intervals.
We say that a mechanism answers a median query usefully if it outputs a real value such that falls within the percentile of points in database for some .
No mechanism can answer median queries with outputs that fall between the percentile with positive probability on any real valued database , while still preserving -differential privacy, for and any .
Consider real valued databases containing elements in the interval $D_{0}=(0,\ldots,0)nA\Pr[A(D_{0},M)=0]>0D_{0}v\in\Pr[A(D_{0},M)=v]=0D_{n}=(v,\ldots,v)nv\Pr[A(D_{n},M)=v]>01D_{i}=(\underbrace{0,\ldots,0}_{n-i},\underbrace{v,\ldots,v}_{i})i\Pr[A(D_{i},M)=v]=0\Pr[A(D_{i+1},M)=v]>0D_{i}D_{i+1}$ differ only in a single element, this violates differential privacy. ∎
No mechanism can be -useful for the class of interval queries, nor for any class that generalizes interval queries to higher dimensions (for example, halfspaces, axis-aligned rectangles, or spheres), while preserving -differential privacy, for any and any .
Consider any real valued database containing elements in the interval $A(\alpha,\delta)A^{\prime}A^{\prime}\widehat{D}=A(D)\widehat{D}[0,a]n/2\pm\alpha nDA\epsilon\widehat{D}\pm\alpha\alpha<1/2$, the result follows. ∎
We may get around the impossibility result of Corollary 5.2 by relaxing our definitions. One approach is to discretize the database domain, as we do in Sections 3 and 4. Another approach, which we take in Section 6, is to relax our definition of usefulness.
Answering Halfspace Queries
With respect to a database, a halfspace can have a certain margin :
Before we present the algorithm, we will introduce a useful fact about random projections, called the Johnson-Lindenstrauss lemma. It states, roughly, that the norm of a vector is accurately preserved with high probability when the vector is projected into a lower dimensional space with a random linear projection.
For our purposes, the relevant fact will be that norm preserving projections also preserve pairwise inner products with high probability. The following corollary is well known.
Consider the two vectors and . We apply Theorem 6.3 to and . By a union bound, except with probability we have: and . Therefore:
An identical calculation shows that , which completes the proof. ∎
Instead of outputting synthetic data, our algorithm will output a datastructure based on a collection of random projections.
A dimensional projected halfspace data structure of size , consists of three parts:
A projected halfspace data structure can be used to evaluate a halfspace query as follows. We write to denote this evaluation:
For each compute
Output
First we bound the size of the needed net for halfspaces.
ReleaseHalfspaces preserves -differential privacy.
Privacy follows from the fact that the composition of -differentially private mechanisms is -differentially private The algorithm makes calls to the Laplace mechanism, and each call preserves -differential privacy (since each query has sensitivity ). ∎
By linearity of expectation, the expected number of points in moved by more than with respect to in any projection is at most :
Let . Because , we have for any :
In other words, . Moreover, for each , is an independent random variable taking values in the bounded range $y^{\prime}$:
Taking a union bound over all vectors and plugging in our chosen value of , and recalling our bound on we find that:
Also note that the algorithm makes draws from the distribution during its run, assigning these draws to values . Except with probability at most , we have for all :
Therefore, conditioning on for all and applying another Chernoff bound, we find that for any sequence of indices :
Again taking a union bound and plugging in our value of , we find that:
Finally, conditioning on these three events (which together occur except with probability ), we have for any :
Distributional Privacy
In this section we give an alternative privacy definition, motivated by learning theory, and show that it is a strengthening of differential privacy.
For any subset of the universe of size , we say that two databases are -neighbors if they were both drawn at random without replacement from .
We say that a mechanism satisfies -distributional privacy if for any , and for any pair of databases of size which are -neighbors, with probability over the draw of the databases we have for all events :
For example, suppose that a collection of hospitals in a region each treats a random sample of patients with disease . A hospital can release information with a guarantee of distributional privacy, which is informative about patients in the region, without revealing which hospital the data came from. Actually, our main motivation is that this definition is particularly natural from the perspective of learning theory: given a sample of points drawn from some distribution , one would like to reveal no more information about the sample than is inherent in itself.
We will typically think of as being exponentially small, whereas must be for to be useful.
It is not a priori clear whether either differential privacy or distributional privacy is a stronger notion than the other, or if the two are equivalent, or distinct. On the one hand, differential privacy only provides a guarantee when and differ in a single element,We get -differential privacy for and that differ in elements. whereas distributional privacy can provide a guarantee for two databases and that differ in all of their elements. On the other hand, distributional privacy makes the strong assumption that the elements in and are drawn from some distribution , and allows for privacy violations with some exponentially small probability (necessarily: with some small probability, two databases drawn from the same distribution might nevertheless possess very different statistical properties). However, as we show, distributional privacy is a strictly stronger guarantee than differential privacy.
If satisfies -distributional privacy for any , then satisfies -differential privacy.
Consider any database drawn from domain , and any neighboring database that differs from in only a single element . Let be a set of size . Consider two -neighbors and ’, then with probability we have , and so if , we have with certainty that for all events :
Since this holds for all pairs of neighboring databases, satisfies -differential privacy. ∎
Define the mirrored mod function as follows:
For a database , define the query
Note that the global sensitivity of any query satisfies . Therefore, the mechanism that answers queries by where is drawn from satisfies -differential privacy.
There exist mechanisms that satisfy -differential privacy, but do not satisfy -distributional privacy for any (that is, for any meaningful values of ).
Consider databases with elements drawn from and the query . As observed above, a mechanism such that for satisfies -differential privacy for any . Note however that with constant probability, two databases drawn from have . Therefore, for any output , we have that with constant probability over draws of two neighbors and :
Therefore the mechanism does not satisfy -distributional privacy. ∎
Although there are simpler functions for which preserving distributional privacy requires more added noise than preserving differential privacy, the mirrored-mod function above is an example of a function for which it is possible to preserve differential privacy usefully, but yet impossible to reveal any useful information while preserving distributional privacy.
We note that in order for distributional privacy to imply differential privacy, it is important that in the definition of distributional privacy, database elements are drawn from some distribution without replacement. Otherwise, for any non-trivial distribution, there is some database that is drawn with probability at most , and we may modify any distributional-privacy preserving mechanism such that for every query , , and for any , behaves as before. Since this new behavior occurs with probability over draws from for , still preserves distributional privacy, but no longer preserves differential privacy (which requires that the privacy guarantee hold for every pair of neighboring databases).
Conclusions and Open Problems
In this paper we have shown a very general information theoretic result: that small nets are sufficient to certify the existence of accurate, differentially private mechanisms for a class of queries. For counting queries, this allows algorithms which can accurately answer queries from a class given a database that is only logarithmic in the size of , or linear its VC-dimension. We then also gave an efficient algorithm for releasing the class of interval queries on a discrete interval, and for releasing large-margin halfspace queries in the unit sphere.
The main question left open by our work is the design of algorithms which achieve utility guarantees comparable to our net mechanism, but have running time only polynomial in , the size of the input database. This question is extremely interesting even for very specific classes of queries. Is there such a mechanism for the class of conjunctions? For the class of parity queries?
Acknowledgments
We thank David Abraham, Cynthia Dwork, Shiva Kasiviswanathan, Adam Meyerson, Ryan O’Donnell, Sofya Raskhodnikova, Amit Sahai, and Adam Smith for many useful discussions.