towards an axiomatization of privacy and utility
play

Towards an Axiomatization of Privacy and Utility Daniel Kifer - PowerPoint PPT Presentation

Oct 12, 2023 •19 likes •409 views

Towards an Axiomatization of Privacy and Utility Daniel Kifer Bing-Rong Lin Department of Computer Science & Engineering Penn State University D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 1 / 37 Motivation D.

  1. Towards an Axiomatization of Privacy and Utility Daniel Kifer Bing-Rong Lin Department of Computer Science & Engineering Penn State University D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 1 / 37

  2. Motivation D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 2 / 37

  3. Guiding Principles? SSN Gender Age Zip Code Disease 111111111 M 25 90210 AIDS 222222222 F 43 90211 AIDS 333333333 M 29 90212 Cancer 456456456 M 41 90213 AIDS 567867867 F 41 07620 Cancer 654321566 F 40 33109 Cancer 799999999 F 40 07620 Flu 800000000 F 24 33109 None 934587938 M 48 07620 None 109494949 F 40 07620 Flu 112525252 M 48 33109 Flu 121111111 M 49 33109 None D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 3 / 37

  4. Guiding Principles? We know this is not enough SSN Gender Age Zip Code Disease / 111111111 / / / / / / / / / / / / / / M 25 90210 AIDS / 222222222 / / / / / / / / / / / / / / F 43 90211 AIDS / 333333333 / / / / / / / / / / / / / / M 29 90212 Cancer / 456456456 / / / / / / / / / / / / / / M 41 90213 AIDS / 567867867 / / / / / / / / / / / / / / F 41 07620 Cancer / 654321566 / / / / / / / / / / / / / / F 40 33109 Cancer / 799999999 / / / / / / / / / / / / / / F 40 07620 Flu / 800000000 / / / / / / / / / / / / / / F 24 33109 None / 934587938 / / / / / / / / / / / / / / M 48 07620 None / 109494949 / / / / / / / / / / / / / / F 40 07620 Flu / 112525252 / / / / / / / / / / / / / / M 48 33109 Flu / 121111111 / / / / / / / / / / / / / / M 49 33109 None D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 4 / 37

  5. So what happens? Aug 6, 2006 - AOL releases data 20 Million Search Queries from 3 months 650,000 users How is data protected: Change AOL id to a number. What happened? NYT identified user # 4417749 People search for names of friends/relatives/self People search for locations “What to do in State College” Age-related searches Many people got fired. D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 5 / 37

  6. Introduction Outline Introduction 1 Axiomatizing Privacy 2 A framework Privacy Axioms Application to Differential Privacy Axiomatizing Utility 3 Counterexample Axioms and Examples Insights D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 6 / 37

  7. Introduction Statistical Privacy Art of turning sensitive data into nonsensitive data suitable for public release. Sensitive data: Cannot release sensitive data directly. Detailed information about individuals (search logs, health records, census/tax data, etc.) Proprietary secrets (search logs, network traces, machine debug info) Want to release useful but non-private information from this data. Typical user web search behavior Demographics Information that can be used to build models Information that can be used to design & evaluate algorithms Mechanism : a (randomized) algorithm that converts sensitive into nonsensitive data. Goal: Design a mechanism that protects privacy and provides utility. D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 7 / 37

  8. Introduction Privacy & Utility What does privacy mean? Many, many privacy definitions in the literature. How do I compare them? How do I identify strengths and weaknesses? How do I customize them (for an application)? How do I design one? Does it really do what I want it to do? What statements are/aren’t privacy definitions? What does utility mean? Many, many measures of utility in the literature: KL-divergence. Expected (Bayesian) utility. Minimax estimation error. Task-specific measures. Which one should I choose? Does it do what I want it to do? How do I design one? Does it make sense in statistical privacy? D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 8 / 37

  9. Introduction A Common Approach 1 Start with a privacy mechanism. Generalization (e.g. coarsen “state college” → “Pennsylvania”) Suppression (remove parts of data items) Add random noise 2 Create privacy definition that feels most natural with this privacy mechanism. 3 Create utility measure that feels most natural for this mechanism. # of generalizations # of suppressions variance of noise anything we can borrow from statistics often can’t compare utility across mechanisms 4 (Usually) Find flaws, revise steps 2 and 3. D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 9 / 37

  10. Introduction The Axiomatic Approach What if we did this in reverse? For a given application: 1 Identify properties we think a privacy definition should satisfy. 2 Identify properties we think a utility metric should satisfy. 3 Find a privacy mechanism that satisfies those properties. Benefits of axiomatization: Apples to apples comparison of properties of privacy definitions. Small set of axioms easier to study than large set of privacy definitions. Abstract approaches yield general results and insights (e.g. group theory, vector spaces, etc.) Can study relationships between axioms. Easier to identify weaknesses. Design mechanisms by picking axioms depending on application. Can study consequences of omitting axioms. Is it really necessary for privacy and utility? Let’s look at some illustrative results. D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 10 / 37

  11. Axiomatizing Privacy Outline Introduction 1 Axiomatizing Privacy 2 A framework Privacy Axioms Application to Differential Privacy Axiomatizing Utility 3 Counterexample Axioms and Examples Insights D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 11 / 37

  12. Axiomatizing Privacy Axioms for Privacy Hard to create a good privacy definition. Simple things usually don’t work. Different applications have different privacy requirements. Instead of starting from a privacy definition: Identify axioms you want it to support. Determine the privacy definition implied by axioms Let axioms be the building blocks. It is easier to reason about axioms that about entire privacy definitions. Efficiency: insights into 1 axiom lead to insights into many privacy definitions. Example: how to relax differential privacy. D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 12 / 37

  13. Axiomatizing Privacy A framework Some definitions Abstract input space I (all possible data). Semantics (e.g. neighboring databases in differential privacy) should be given by axioms. Abstract output space O . Semantics (e.g. query answers, synthetic data, utility) should be given by axioms. Definition (Randomized Algorithm) A randomized algorithm A is a regular conditional probability distribution P ( O | I ) with O ⊂ O and I ⊂ I Privacy definition: intentionally undefined (all parameters must be instantiated). Definition (Privacy Mechanism for D ) A privacy mechanism M is a randomized algorithm that satisfies privacy definition D . D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 13 / 37

  14. Axiomatizing Privacy Privacy Axioms Two Simple Privacy Axiom Intuition: postprocessing the output of a privacy mechanism should still maintain privacy. Axiom (Transformation Invariance) Given a privacy mechanism M and a randomized algorithm A (independent of the data and M ), the composition A ◦ M is a privacy mechanism. Intuition: it does not matter which privacy mechanism I choose. Axiom (choice) If M 1 and M 2 are privacy mechanisms for D, then the process of choosing M 1 with probability c and M 2 with probability 1 − c (with randomness independent of the data, M 1 , and M 2 ) results in a privacy mechanism for D. D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 14 / 37

  15. Axiomatizing Privacy Privacy Axioms Two Simple Privacy Axiom Axiom (Transformation Invariance) Given a privacy mechanism M and a randomized algorithm A (independent of the data and M ), the composition A ◦ M is a privacy mechanism. Axiom (choice) If M 1 and M 2 are privacy mechanisms for D, then the process of choosing M 1 with probability c and M 2 with probability 1 − c (with randomness independent of the data, M 1 , and M 2 ) results in a privacy mechanism for D. Consistency conditions for privacy definitions Thus privacy definitions should discuss how they are affected by postprocessing. Privacy definitions cannot focus only on deterministic mechanisms. Many privacy definitions do not satisfy these axioms! D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 15 / 37

  16. Axiomatizing Privacy Application to Differential Privacy Applications Differential Privacy Definition (Differential Privacy [Dwo06, DMNS06]) M satisfies ǫ -differential privacy if P ( M ( i 1 ) ∈ S ) ≤ e ǫ P ( M ( i 2 ) ∈ S ) for all measurable S ⊂ O and all neighboring input databases i 1 , i 2 ∈ I . There has been interest in relaxing differential privacy. For example: For example: P ( M ( i 1 ) ∈ S ) ≤ e ǫ P ( M ( i 2 ) ∈ S ) + δ D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 16 / 37

  17. Axiomatizing Privacy Application to Differential Privacy Example a = P ( M ( i 1 ) ∈ S ) b = P ( M ( i 2 ) ∈ S ) a ≤ 2 b D. Kifer, B. Lin (Penn State) Axiomatization of Privacy & Utility 17 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Commentary on Privacy, Utility, and Potential Application of Differential Privacy to Census Data

Commentary on Privacy, Utility, and Potential Application of Differential Privacy to Census Data

Commentary on Privacy, Utility, and Potential Application of Differential Privacy to Census Data Kirk Wolter, Federal Economic Statistics Advisory Committee December 14, 2018 Ill discuss A couple of preliminaries Four concerns

228 views • 18 slides
DIFFERENTIAL PRIVACY and some of its relatives BETTER DEFINITIONS or: Why you should I answer

DIFFERENTIAL PRIVACY and some of its relatives BETTER DEFINITIONS or: Why you should I answer

DIFFERENTIAL PRIVACY and some of its relatives BETTER DEFINITIONS or: Why you should I answer your survey? THE PROBLEM Statistical databases provide some utility, ...often at odds with privacy concerns. Utility for who? - Government,

808 views • 42 slides
Learning the Privacy-Utility Trade-off with Bayesian Optimization Borja Balle Joint work with B.

Learning the Privacy-Utility Trade-off with Bayesian Optimization Borja Balle Joint work with B.

Learning the Privacy-Utility Trade-off with Bayesian Optimization Borja Balle Joint work with B. Avent, J. Gonzalez, T. Diethe and A. Paleyes Utility Privacy <latexit

532 views • 35 slides
Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location Information for Epidemiologic Research Daniel C. Barth-Jones, M.P.H., Ph.D. Center for Healthcare Effectiveness Research Wayne State University (

652 views • 61 slides
Middleware for Pervasive Spaces: Balancing Privacy and Utility D. Massaguer , B. Hore, M. H.

Middleware for Pervasive Spaces: Balancing Privacy and Utility D. Massaguer , B. Hore, M. H.

Middleware for Pervasive Spaces: Balancing Privacy and Utility D. Massaguer , B. Hore, M. H. Diallo, S. Mehrotra, and N. Venkatasubramanian Presenter: Daniel Massaguer PhD candidate dani.massaguer@gmail.com Bo Xing: A Middleware Approach to

461 views • 35 slides
OSL : Online Structure Learning using Background Knowledge Axiomatization Evangelos

OSL : Online Structure Learning using Background Knowledge Axiomatization Evangelos

OSL : Online Structure Learning using Background Knowledge Axiomatization Evangelos Michelioudakis 1 , Anastasios Skarlatidis 1 , Georgios Paliouras 1 and Alexander Artikis 2 , 1 1 Institute of Informatics and Telecommunications, NCSR

723 views • 43 slides
Complete Axiomatization for the Bisimilarity Distance on MCs Giorgio Bacci , Giovanni Bacci, Kim

Complete Axiomatization for the Bisimilarity Distance on MCs Giorgio Bacci , Giovanni Bacci, Kim

Complete Axiomatization for the Bisimilarity Distance on MCs Giorgio Bacci , Giovanni Bacci, Kim G. Larsen, and Radu Mardare Dept. of Computer Science, Aalborg University, DK CONCUR 2016 Introduction Kleenes Theorem : fundamental

1.02k views • 75 slides
Contents 1 The virtues of first order categoricity in power 1 2 Axiomatization vrs

Contents 1 The virtues of first order categoricity in power 1 2 Axiomatization vrs

Outline Contents 1 The virtues of first order categoricity in power 1 2 Axiomatization vrs Formalization 3 3 First Order Logic/Formalization as a Mathematical Tool 5 3.1 Classes of Theories . . . . . . . . . . . . . . . . . . . . . . . .

459 views • 9 slides
Alternative Titles: What are the practical implications of the HIPAA privacy rules for

Alternative Titles: What are the practical implications of the HIPAA privacy rules for

Protecting the Privacy of Healthcare Data While Preserving the Utility of Geographic Location Information for Epidemiologic Research Daniel C. Barth-Jones, M.P.H., Ph.D. Center for Healthcare Effectiveness Research Wayne State University (

448 views • 31 slides
Identities of Kauffman monoids: finite axiomatization and algorithms Mikhail Volkov (with Karl

Identities of Kauffman monoids: finite axiomatization and algorithms Mikhail Volkov (with Karl

Identities of Kauffman monoids: finite axiomatization and algorithms Mikhail Volkov (with Karl Auinger, Yuzhu Chen, Xun Hu, Yanfeng Luo, and Nikita Kitov) Ural Federal University, Ekaterinburg, Russia April 27th, 2019 Mikhail Volkov

1.71k views • 135 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Differential Equation Axiomatization The Impressive Power of Differential Ghosts Andr e

Differential Equation Axiomatization The Impressive Power of Differential Ghosts Andr e

Differential Equation Axiomatization The Impressive Power of Differential Ghosts Andr e Platzer Yong Kiam Tan 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e Platzer, Yong Kiam Tan (CMU) Differential Equation Axiomatization

1.16k views • 48 slides
Dynamic Bayesian Influenza Forecasting James Gattiker gatt@lanl.gov David Osthus Los Alamos

Dynamic Bayesian Influenza Forecasting James Gattiker gatt@lanl.gov David Osthus Los Alamos

Dynamic Bayesian Influenza Forecasting James Gattiker gatt@lanl.gov David Osthus Los Alamos National Laboratory Statistical Sciences Group ISDA 2019 January 23 rd Slide 1 Managed by Triad National Security, LLC for the U.S. Department of

441 views • 27 slides
Clinical Challenges in Dose Selection for CombinationTherapy 12 May 2017 Mark Pegram, M.D.

Clinical Challenges in Dose Selection for CombinationTherapy 12 May 2017 Mark Pegram, M.D.

Clinical Challenges in Dose Selection for CombinationTherapy 12 May 2017 Mark Pegram, M.D. Susy Yuan-Huey Hung Professor of Oncology Associate Director for Clinical Research Director, Stanford Breast Oncology Program Associate Dean for

677 views • 29 slides
Mathematical Neuroscience: from neurons to networks Part I Cortex Steve Coombes School of

Mathematical Neuroscience: from neurons to networks Part I Cortex Steve Coombes School of

Mathematical Neuroscience: from neurons to networks Part I Cortex Steve Coombes School of Mathematical Sciences Neurons: pyramidal cells Hodgkin and Huxley (1950s) express (and subsequently fit) the dynamics of gating variables

835 views • 48 slides
Potential Distinguishing Characteristics of Human Aural Pattern Recognition James Rogers and

Potential Distinguishing Characteristics of Human Aural Pattern Recognition James Rogers and

1 RecHul07 Potential Distinguishing Characteristics of Human Aural Pattern Recognition James Rogers and Marc D. Hauser Dept. of Computer Science Earlham College Slide 1 this work completed, in part, while at the Radcliffe

317 views • 16 slides
CS70: Jean Walrand: Lecture 23. Conditional Probability: Review Conditional Probability: Pictures

CS70: Jean Walrand: Lecture 23. Conditional Probability: Review Conditional Probability: Pictures

A B A B b B A CS70: Jean Walrand: Lecture 23. Conditional Probability: Review Conditional Probability: Pictures Illustrations: Pick a point uniformly in the unit square Recall: 1 Pr [ A | B ] = Pr [ A B ] 1 1 Pr [ B ] .

327 views • 3 slides
sizes of non-null hypotheses Jennifer Brennan, Ramya Korlakai Vinayak, Kevin Jamieson

sizes of non-null hypotheses Jennifer Brennan, Ramya Korlakai Vinayak, Kevin Jamieson

Estimating the number and effect sizes of non-null hypotheses Jennifer Brennan, Ramya Korlakai Vinayak, Kevin Jamieson jrb@cs.washington.edu ICML 2020 Example: Fruit Fly Genetics Hao et al. (2008) measured the effect of 13,000 fruit fly genes

862 views • 49 slides
Binomial Distribution Binomial Experiment 1 The same experiment is repeated a fixed number of

Binomial Distribution Binomial Experiment 1 The same experiment is repeated a fixed number of

Binomial Distribution Binomial Experiment 1 The same experiment is repeated a fixed number of times. 2 There are only two possible outcomes, success and failure.; P ( success ) = p , P ( failure ) = 1 p . 3 The repeated trials are independent,

478 views • 22 slides
Life in the Fast Lane: the confluence lens George Varghese, Microsoft Research I drive fast

Life in the Fast Lane: the confluence lens George Varghese, Microsoft Research I drive fast

Life in the Fast Lane: the confluence lens George Varghese, Microsoft Research I drive fast only when . . Only drug I use is . . . But I do like to make things run fast Algorithmics to speed abstractions Example 1: Virtual

667 views • 50 slides

More recommend