dp relational databases a case study on census data
play

DP & Relational Databases: A case study on Census Data Ashwin - PowerPoint PPT Presentation

Aug 09, 2023 •223 likes •853 views

DP & Relational Databases: A case study on Census Data Ashwin Machanavajjhala ashwin@cs.duke.edu Aggregated Personal Data is made publicly available in many forms. Predictive models De-identified records Statistics (e.g.,

  1. DP & Relational Databases: A case study on Census Data Ashwin Machanavajjhala ashwin@cs.duke.edu

  2. Aggregated Personal Data … … is made publicly available in many forms. Predictive models De-identified records Statistics (e.g., advertising) (e.g., medical) (e.g., demographic)

  3. … but privacy breaches abound

  4. Differential Privacy [Dwork, McSherry, Nissim, Smith TCC 2006, Gödel Prize 2017] The output of an algorithm should be insensitive to adding or removing a record from the database. Think: Whether or not an individual is in the database

  5. Differential Privacy • Property of the privacy preserving computation. – Algorithms can’t be reverse-engineered. • Composition rules help reason about privacy leakage across multiple releases. – Maximize utility under a privacy budget. • Individual’s privacy risk is bounded despite prior knowledge about them from other sources *

  6. A decade later … • A few important practical deployments … OnTheMap [ICDE 2008] [CCS 2014] [Apple WWDC 2016] • … but little adoption beyond that. – Deployments have needed teams of experts – Supporting technology is not transferrable – Virtually no systems/software support

  7. This talk Theory & Systems Practice Algorithms No Free Lunch [SIGMOD11] LODES [SIGMOD17] DPBench [SIGMOD16] Pufferfish [TODS14] 2020 Census [ongoing] DPComp [SIGMOD16] Blowfish [SIGMOD14,VLDB15] IoT [CCS17, ongoing] Pythia [SIGMOD17] Ektelo [ongoing] Private-SQL [ongoing]

  8. This Talk • Theory to Practice – Utility cost of provable privacy on Census Bureau data • Practice to Systems – Ektelo: An operator based framework for describing differentially private computations

  9. Part 1: Theory to Practice • Can traditional algorithms for data release and analysis be replaced with provably private algorithms while ensuring little loss in utility ? Yes we can … on US Census Bureau Data

  10. The utility cost of provable privacy on US Census Bureau data • Current algorithm for data release with no provable guarantees and parameters used have to be kept secret

  11. The utility cost of provable privacy on US Census Bureau data ?? US Law: Pufferfish DP-like Noisy ≈ Title 13 Privacy Privacy Employer ← ← Section 9 Requirements Definition Statistics Comparable or lower error than current non-private methods

  12. The utility cost of provable privacy on US Census Bureau data SIGMOD 2017 ?? US Law: Pufferfish DP-like Noisy ≈ Title 13 Privacy Privacy Employer ← ← Section 9 Requirements Definition Statistics John Abowd Matthew Graham Mark Kutzbach Lars Vilhuber Sam Haney

  13. US Census Bureau’s OnTheMap Residences of Workers Employed in Employment in Lower Manhattan Lower Manhattan Available at http://onthemap.ces.census.gov/.

  14. OnTheMap

  15. Underlying Data: LODES Employer Jobs Worker Employer ID Start Date Worker ID Location End Date Age Ownership Worker ID Sex Industry Employer ID Race/Ethnicity Education Home Location

  16. Goal: Release Tabular Summaries Counting Queries • Count of jobs in NYC • Count of jobs held by workers age 30 who work in Boston. Marginal Queries • Count of jobs held by workers age 30 by work location (aggregated to county)

  17. Release of data about employers and employees is regulated by … • Title 13 Section 9 Neither the secretary nor any officer or employee … … make any publication whereby the data furnished by any particular establishment or individual under this title can be identified …

  18. Current Interpretation • The existence of a job held by a particular individual must not be disclosed. No exact re-identification of employee records … by an informed attacker. • The existence of an employer business as well as its type (or sector) and location is not confidential. Can release exact numbers of employers • The data on the operations of a particular business must be protected. Informed attackers must have an uncertainty of up to a multiplicative factor (1+ � ) about the workforce of an employer

  19. Can we use differential privacy (DP)? For every pair of For every output … Neighboring Tables D 1 D 2 O Should not be able to distinguish whether O was generated by D 1 or D 2 Pr[A(D 1 ) = O] log < ε ( ε >0) Pr[A(D 2 ) = O] .

  20. Neighboring tables for LODES? • Tables that differ in … – one employee? – one employer? – something else? • And how does DP (and its variants) compare to the current interpretation of the law? – Who is the attacker? Is he/she informed? – What is secret and what is not?

  21. The Pufferfish Framework [TOD [TODS 14] S 14] • What is being kept secret? A set of Discriminative Pairs (mutually exclusive pairs of secrets) • Who are the adversaries? A set of Data evolution scenarios (adversary priors) • What is privacy guarantee? Adversary can’t tell apart a pair of secrets any better by observing the output of the computation.

  22. Pufferfish Privacy Guarantee Posterior odds Prior odds of of s vs s’ s vs s’

  23. Advantages of Pufferfish • Gives a deeper understanding of the protections afforded by existing privacy definitions – Differential privacy is an instantiation • Privacy defined more generally in terms of customizable secrets rather than records • We can tailor the set of discriminative pairs, and the adversarial scenarios to specific applications – Fine grained knobs for tuning the privacy-utility tradeoff

  24. Customized Privacy for LODES • Discriminative Secrets : – ( w works at E , or w works at E’ ) – ( w works at E , w does not work) – (| E| = x, | E | = y), for all x <y <(1+ � )x – … • Data evolution scenarios : – All priors where employee records are independent of each other.

  25. Example of a formal privacy requirement (E MPLOYER S IZE R EQUIREMENT ). Let e D EFINITION 4.2 be any establishment in E . A randomized algorithm A protects establishment size against an informed attacker at privacy level ( ✏ , ↵ ) if, for every informed attacker ✓ 2 Θ , for every pair of num- bers x, y , and for every output of the algorithm ! 2 range ( A ) , � ◆� ✓ Pr θ ,A [ | e | = x | A ( D ) = ! ] � Pr θ [ | e | = x ] � � � log �  ✏ (4) � � Pr θ ,A [ | e | = y | A ( D ) = ! ] Pr θ [ | e | = y ] whenever x  y  d (1+ ↵ ) x e and Pr θ [ w = x ] , Pr θ [ w = y ] > 0 . We say that an algorithm weakly protects establishments against an

  26. Customized Privacy for LODES • Provides a differential privacy type privacy guarantee for all employees – Algorithm output is insensitive to addition or removal of one employee • Appropriate privacy for establishments – Can learn whether an establishment is large or small, but not exact workforce counts. • Satisfies sequential composition

  27. What is the utility cost? • Sample constructed from 3 states in US – 10.9 million jobs and 527,000 establishments • Q1: Marginal counts over all establishment characteristics – 33,000 counts are being released. • Utility Cost: error (new alg.)/error (current alg.)

  28. Utility Cost Three different algorithms No Worker Attributes Log − Laplace Smooth Laplace Smooth Gamma 100 L1 Error Ratio 10 α 0.01 0.05 Utility 0.1 0.15 Cost 0.2 1 0.1 0.25 0.5 1 2 4 0.25 0.5 1 2 4 0.25 0.5 1 2 4 Privacy ( � ) Privacy Loss Parameter, ε

  29. Utility Cost • For � ≥ 1, and � ≤ 5% utility cost is at most a No Worker Attributes Log − Laplace Smooth Laplace Smooth Gamma factor of 3. 100 • Can design a DP L1 Error Ratio 10 α algorithm that protects 0.01 0.05 both employer and 0.1 0.15 employee secrets. 0.2 1 It has uniformly high 0.1 cost for all epsilon 0.25 0.5 1 2 4 0.25 0.5 1 2 4 0.25 0.5 1 2 4 values. Privacy Loss Parameter, ε Privacy ( � )

  30. Summary: Theory to Practice • Can traditional algorithms for data release and analysis be replaced with provably private algorithms while ensuring little loss in utility ? • Yes we can … on US Census Bureau Data – Can release tabular summaries with comparable or better utility than current techniques!

  31. Takeaways

  32. Challenge 1: Policy to Math ??

  33. Challenge 2: Privacy for Relational Data Employer Jobs Worker Employer ID Start Date Worker ID Location End Date Age Ownership Worker ID Sex Industry Employer ID Education • Privacy for each entity • Constraints – Keys – Foreign Keys • Redefine neighbors – Inclusion dependencies – Functional Dependencies Xi He

  34. Challenge 3: Algorithm Design … without exception ad hoc, cumbersome, and difficult to use – they could really only be used by people having highly specialized technical skills … E. F. Codd on the state of databases in early 1970s

  35. Part 2: Practice to Systems • Can provably private data analysis algorithms with state-of-the-art utility be achieved by DP- non-experts ?

  36. Systems Vision Given a task specified in a high level language, and a privacy budget* synthesize an algorithm to complete the task with (near-)optimal accuracy, and with differential privacy guarantees.

  37. Systems Vision Given a relational schema, a set of SQL queries, and a privacy budget* synthesize an algorithm to answer these queries with (near-)optimal accuracy, and with differential privacy guarantees.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 154 LECTURE 13:RELATIONAL DATABASES AND SQL Relational databases relational database : A

CSE 154 LECTURE 13:RELATIONAL DATABASES AND SQL Relational databases relational database : A

CSE 154 LECTURE 13:RELATIONAL DATABASES AND SQL Relational databases relational database : A method of structuring data as tables associated to each other by shared attributes. a table row corresponds to a unit of data called a record ; a

521 views • 27 slides
CSE 154 LECTURE 22:RELATIONAL DATABASES AND SQL Relational databases relational database : A

CSE 154 LECTURE 22:RELATIONAL DATABASES AND SQL Relational databases relational database : A

CSE 154 LECTURE 22:RELATIONAL DATABASES AND SQL Relational databases relational database : A method of structuring data as tables associated to each other by shared attributes. a table row corresponds to a unit of data called a record ; a

602 views • 26 slides
CSC 337 LECTURE 20: RELATIONAL DATABASES AND SQL Relational databases relational database : A

CSC 337 LECTURE 20: RELATIONAL DATABASES AND SQL Relational databases relational database : A

CSC 337 LECTURE 20: RELATIONAL DATABASES AND SQL Relational databases relational database : A method of structuring data as tables associated to each other by shared attributes. a table row corresponds to a unit of data called a record ;

1.1k views • 30 slides
Introd u ction to relational databases IN TR OD U C TION TO IMP OR TIN G DATA IN P YTH ON H u

Introd u ction to relational databases IN TR OD U C TION TO IMP OR TIN G DATA IN P YTH ON H u

Introd u ction to relational databases IN TR OD U C TION TO IMP OR TIN G DATA IN P YTH ON H u go Bo w ne - Anderson Data Scientist at DataCamp What is a relational database ? Based on relational model of data First described b y Edgar Ted

634 views • 50 slides
CS371m - Mobile Computing Persistence - SQLite In case you have not taken 347: Data Management

CS371m - Mobile Computing Persistence - SQLite In case you have not taken 347: Data Management

CS371m - Mobile Computing Persistence - SQLite In case you have not taken 347: Data Management or worked with databases as part of a job, internship, or project: 2 Databases RDBMS relational data base management system Relational

759 views • 61 slides
CS378 - Mobile Computing Persistence - SQLite Databases RDBMS relational data base

CS378 - Mobile Computing Persistence - SQLite Databases RDBMS relational data base

CS378 - Mobile Computing Persistence - SQLite Databases RDBMS relational data base management system Relational databases introduced by E. F. Codd Turing Award Winner Relational Database data stored in tables

556 views • 34 slides
Neo4j and Spring Data Going from relational databases to databases with relations Michael

Neo4j and Spring Data Going from relational databases to databases with relations Michael

Neo4j and Spring Data Going from relational databases to databases with relations Michael Simons, @rotnroll666 2 Agenda About Neo4j My business domain Getting data into Neo4j Some options to access Neo4j on the JVM

1.13k views • 73 slides
Relational Databases Week 7 INFM 603 Agenda Questions Relational database design

Relational Databases Week 7 INFM 603 Agenda Questions Relational database design

Relational Databases Week 7 INFM 603 Agenda Questions Relational database design Microsoft Access MySQL Scalability Databases Database Collection of data, organized to support access Models some aspects of reality

1.04k views • 54 slides
MongoDB By Bharath Subramanyam Relational Databases started to become popular in the 80s and

MongoDB By Bharath Subramanyam Relational Databases started to become popular in the 80s and

MongoDB By Bharath Subramanyam Relational Databases started to become popular in the 80s and have been widely used since then Properties of Relational Databases- Relational Fixed Schema Databases High Level Query Language (SQL)

468 views • 25 slides
Introduction to relational databases Importing Data in Python What is a relational database?

Introduction to relational databases Importing Data in Python What is a relational database?

IMPORTING DATA IN PYTHON Introduction to relational databases Importing Data in Python What is a relational database? Based on relational model of data First described by Edgar Ted Codd Importing Data in Python Example:

596 views • 32 slides
Introduction to relational databases Importing Data in Python I What is a relational database?

Introduction to relational databases Importing Data in Python I What is a relational database?

IMPORTING DATA IN PYTHON I Introduction to relational databases Importing Data in Python I What is a relational database? Based on relational model of data First described by Edgar Ted Codd Importing Data in Python I Example:

729 views • 33 slides
Extending Relational Databases Toon Calders t.calders@tue.nl Last Lectures Relational query

Extending Relational Databases Toon Calders t.calders@tue.nl Last Lectures Relational query

Extending Relational Databases Toon Calders t.calders@tue.nl Last Lectures Relational query languages are limited Transitive closure cannot be expressed Gaifman-locality Also w.r.t. data storage relational model is limited

818 views • 37 slides
CE419 Session 26: NoSQL Databases Web Programming The Relational Model Relational database

CE419 Session 26: NoSQL Databases Web Programming The Relational Model Relational database

CE419 Session 26: NoSQL Databases Web Programming The Relational Model Relational database management systems require defined and clearly set schemas. Use SQL to query for data. Despite their strict nature of forming and handling

400 views • 19 slides
Relational Databases Week 13 LBSC 671 Creating Information Infrastructures Databases

Relational Databases Week 13 LBSC 671 Creating Information Infrastructures Databases

Relational Databases Week 13 LBSC 671 Creating Information Infrastructures Databases Database Collection of data, organized to support access Models some aspects of reality DataBase Management System (DBMS) Software to

732 views • 50 slides
Relational Databases for Answer a lot of XML Queries Easy/Auto Effective Efficient Querying

Relational Databases for Answer a lot of XML Queries Easy/Auto Effective Efficient Querying

11/3/2009 Manage XML Data using Relational DBMS Trend: XML represents most data on WWW Need: Relational Databases for Answer a lot of XML Queries Easy/Auto Effective Efficient Querying XML Documents: How: Use Relational

485 views • 11 slides
Chapter 3: Relational Model Structure of Relational Databases Relational Algebra Tuple

Chapter 3: Relational Model Structure of Relational Databases Relational Algebra Tuple

' $ Chapter 3: Relational Model Structure of Relational Databases Relational Algebra Tuple Relational Calculus Domain Relational Calculus Extended Relational-Algebra-Operations Modification of the Database Views &amp;

572 views • 32 slides
Implementing a Relational Database Joe Wood anjw@ceh.ac.uk Environmental Genomics Thematic

Implementing a Relational Database Joe Wood anjw@ceh.ac.uk Environmental Genomics Thematic

Implementing a Relational Database Joe Wood anjw@ceh.ac.uk Environmental Genomics Thematic Programme Data Centre http://envgen.nox.ac.uk Implementing a relational database establish requirements Data Requirements data analysis

576 views • 40 slides
Database Design Process Requirements analysis IT420: Database Management and Conceptual

Database Design Process Requirements analysis IT420: Database Management and Conceptual

Database Design Process Requirements analysis IT420: Database Management and Conceptual design: Entity-Relationship Organization Model Logical design: transform ER model into relational schema The Relational Model Schema

299 views • 4 slides
Registered Exporter System (REX) Conducted by the Department of Commerce Presentation Outline

Registered Exporter System (REX) Conducted by the Department of Commerce Presentation Outline

Awareness Programme on Registered Exporter System (REX) Conducted by the Department of Commerce Presentation Outline What is REX Main Functionalities of REX( Registration, Modification, Revocation and Publication) Statement on

737 views • 42 slides
S t o r a g e a n d D i s k s S t o r a g e a n d D i s k s G e n

S t o r a g e a n d D i s k s S t o r a g e a n d D i s k s G e n

S t o r a g e a n d D i s k s S t o r a g e a n d D i s k s G e n e r a l O v e r v i e w G e n e r a l O v e r v i e w R e l a t i o n a l m o d e l - S Q L F o

369 views • 10 slides
MongoDB and Mysql: Which one is a better fit for me? Room 204 - 2:20PM-3:10PM About us

MongoDB and Mysql: Which one is a better fit for me? Room 204 - 2:20PM-3:10PM About us

MongoDB and Mysql: Which one is a better fit for me? Room 204 - 2:20PM-3:10PM About us Adamo Tonete MongoDB Support Engineer Agustn Gallego MySQL Support Engineer Agenda What are MongoDB and MySQL; NoSQL

1.04k views • 55 slides
DM534: Introduction to Relational Databases (Part 2) 2019 Slides by Christian Wiwie (edits by

DM534: Introduction to Relational Databases (Part 2) 2019 Slides by Christian Wiwie (edits by

DM534: Introduction to Relational Databases (Part 2) 2019 Slides by Christian Wiwie (edits by Rolf Fagerberg) Relatjonal Query Languages Based on relatjonal algebra For relatjonal databases, i.e. relatjonal data model Relatjonal

804 views • 37 slides
A Parts/Suppliers Database Example Description of a parts/suppliers database: Each type of

A Parts/Suppliers Database Example Description of a parts/suppliers database: Each type of

Database Design 1 A Parts/Suppliers Database Example Description of a parts/suppliers database: Each type of part has a name and an identifying number, and may be supplied by zero or more suppliers. Each supplier may offer the part at a

490 views • 31 slides
CS 61: Database Systems Introduction to the relational model Adapted from Silberschatz, Korth,

CS 61: Database Systems Introduction to the relational model Adapted from Silberschatz, Korth,

CS 61: Database Systems Introduction to the relational model Adapted from Silberschatz, Korth, and Sundarshan unless otherwise noted Agenda 1. Big picture of relational database design 2. Relational algebra 3. Intro to SQL SELECT statement

963 views • 34 slides

More recommend