Local Differential Privacy

Peter Kairouz

Department of Electrical & Computer EngineeringUniversity of Illinois at Urbana-Champaign

Joint work with Sewoong Oh (UIUC) and Pramod Viswanath (UIUC)

1 / 33

Wireless Communication

The fundamental limits of digital communication are well understood

2 / 33

Rise of the Planet of the Apps!

3 / 33

Rise of the Planet of the Apps!

3 / 33

Rise of the Planet of the Apps!

3 / 33

Rise of the Planet of the Apps!

we study the fundamental trade-off between privacy and utility

3 / 33

Does Privacy Matter? [Greenwald 2014]

“If you’re doing something that you don’t want other people to know,maybe you shouldn’t be doing it in first place”

“Privacy is no longer a social norm!”4 / 33

Recent Privacy Leaks

from anonymous faces to social security numbers

5 / 33

Recent Privacy Leaks

deanonymizing Netflix data

5 / 33

Recent Privacy Leaks

deanonymizing Netflix data, identifying personal genomes, etc.

5 / 33

Privacy is a fundamental human right!

6 / 33

The Ultimate Protection

“The future of privacy is lying”

randomizing = systematic lying

7 / 33

Privacy via Plausible Deniability [Warner 1965]

“Have you ever used illegal drugs?”

say yes answer truthfully

8 / 33

Privacy via Plausible Deniability [Warner 1965]

0

1

0

1

12

1

12

Q: privatization mechanism

instead of X = x, share Y = y w.p. Q (y|x)Q : |X | × |Y| stochastic mapping

8 / 33

The Local Privacy Model [Duchi, et. al., 2012]

1X

2X

1Y

2Y

Clients

PrivatizationQ

PrivatizationQ

Data Analyst

clients receive a service if they share their data

clients do not trust data analysts

9 / 33

Inference of Information

X ∈ X = {0, 1} Y ∈ YPrivatizationQ

X : input alphabet

Y: output alphabet

Given Y = y and Q, detect whether X = 0 or X = 1

10 / 33

Inference of Information

given Y and Q, detect whether X = 0 or X = 1

two types of error: false alarm and missed detection

S0: X = 0

S1: X = 1

Y: output alphabet

PFA = P (Y ∈ S1|X = 0) and PMD = P (Y ∈ S0|X = 1)

10 / 33

Inference of Information

Case 1: Q1

0

1

0

1

110

110

910

910

FAP

MDP

R1

10 / 33

Inference of Information

Case 2: Q2

0

1

0

1

310

310

710

710

FAP

MDP

R2

10 / 33

Inference of Information

FAP

MDP

FAP

MDP

R1 R2

if R2 ⊂ R1, Q2 guarantees more privacy

10 / 33

Local Differential Privacy (Binary Data)

FAP

MDP

1

1

010 1 0.5

0.5

1

1 e

1

1 e

R(ε,δ)

11 / 33

Local Differential Privacy (Binary Data)

FAP

MDP

1

1

010 1 0.5

0.5

1

1 e

1

1 e

R(ε,δ)

RQ

Q is (ε, δ)-differentially private if RQ ⊆ R(ε,δ)

11 / 33

Local Differential Privacy

Q is ε-locally differentially private iff for all x, x′ ∈ X and y ∈ Y

e−ε ≤ Q(y|x)Q(y|x′)

≤ eε

ε controls the level of privacy

ε ↓ =⇒ more private

ε ↑ =⇒ less private

12 / 33

Local Differential PrivacyQ is ε-locally differentially private iff for all x, x′ ∈ X

PFA + eεPMD ≥ 1

eεPFA + PMD ≥ 1

FAP

MDP

Rε RQ1

1+eε

11+eε

Q is ε-DP iff RQ ⊆ Rε for all x, x′ ∈ X12 / 33

Privacy vs. Utility

the more private you want to be, the less utility you get

there is a fundamental trade-off between privacy and utility

maximizeQ

U(Q)

subject to Q ∈ Dε

U(Q): application dependent utility function

Dε: set of all ε-locally differentially private mechanisms

13 / 33

Summary of Results

Binary data: |X | = 2

The Binary Randomized Response

w.p. 11+eε lie w.p. eε

1+eε answer truthfully

optimal for all ε

optimal for all U(Q) obeying the data processing inequality

14 / 33

Summary of Resultsk-ary data: |X | = k > 2

Locally Differentially Private Mechanisms

Staircase Mechanisms

Binary Mechanism (BM)

Randomized Response (RM)

staircase mechanisms are optimal for all ε and a rich class of utilities

BM and RR are optimal in the high and low privacy regimes

14 / 33

CASE 1: BINARY DATA

15 / 33

Utility Functions

U

X ∈ XU (Q)

Y ∈ YU (QW )

Z ∈ ZQ W

utility functions obeying the data processing inequality:

U (QW ) ≤ U (Q) ≤ U

further randomization can only reduce utility

note: Q ∈ Dε =⇒ QW ∈ Dε

16 / 33

Main Result [Kairouz, et. al., 2014]

The binary randomized response is optimal

0

1

0

1

11+eε

11+eε

eε

1+eε

eε

1+eε

FAP

MDP

RQBRR= Rε1

1+eε

11+eε

=⇒ ∀U obeying the data processing inequality: U(Q) ≤ U(QRR)

17 / 33

CASE 2: k-ARY DATA

18 / 33

Information Theoretic Utility Functions

|X | = k > 2

focus on a rich set of convex utility functions

maximizeQ

U (Q)

subject to Q ∈ Dε

includes all f-divergences, mutual information, etc.

19 / 33

Statistical Data Model

1 ~X P

2 ~X P

1 ~Y

M

2~

Y

M

Clients

PrivatizationQ

PrivatizationQ

Data Analyst

analyst interested in statistics of data rather than individual samples

privatized data: Yi ∼Mν(Y = y) =∑

x∈X Q(Y = y|x)Pν(X = x)

20 / 33

Hypothesis Testing

1 ~X P

2 ~X P

1 ~X

P

2~

X

P

ClientsData Analyst

Given {Xi}ni=1, detect whether ν = 0 or ν = 1

performance is a function of distance between P0 from P1

Chernoff-Stein’s lemma: PFA ≈ e−nDkl(P0||P1)

21 / 33

Private Hypothesis Testing

1 ~X P

2 ~X P

1 ~Y

M

2~

Y

M

Clients

PrivatizationQ

PrivatizationQ

Data Analystˆ {0,1}

Given {Yi}ni=1, detect whether ν = 0 or ν = 1

performance is a function of distance between M0 from M1

Chernoff-Stein’s lemma: PFA ≈ e−nDkl(M0||M1)

22 / 33

f-Divergences

A rich family of measures of differences between distributions:

maximizeQ

Df ( QP0︸︷︷︸M0

‖ QP1︸︷︷︸M1

)

subject to Q ∈ Dε

KL divergence Dkl(M0||M1)

total variation ‖M0 −M1‖TV

minimax rates and error exponents

23 / 33

Staircase Mechanisms

Recall that:Q is ε-locally differentially private iff for all x, x′ ∈ X and y ∈ Y

e−ε ≤ Q(y|x)Q(y|x′)

≤ eε

ε controls the level of privacy

ε ↓ =⇒ more private

ε ↑ =⇒ less private

24 / 33

Staircase Mechanisms

Q is a staircase mechanism if for all x, x′ ∈ X and y ∈ Y:

Q(y|x)Q(y|x′)

∈{e−ε, 1, eε

}

Locally Differentially Private Mechanisms

Staircase Mechanisms

Binary Mechanism (BM)

Randomized Response (RM)

24 / 33

Main Result [Kairouz, et. al., 2014]

maximizeQ

Df ( QP0︸︷︷︸M0

‖ QP1︸︷︷︸M1

) = maximizeQ

Df ( QP0︸︷︷︸M0

‖ QP1︸︷︷︸M1

)

subject to Q ∈ Dε subject to Q ∈ Sε

Sε: set of all staircase mechanisms with |Y| ≤ |X |

staircase mechanisms are optimal

no gain in larger output alphabets

there are finitely many staircase mechanisms

same result holds for a rich set of convex utility functions

25 / 33

Binary Mechanisms

y = 0

1

x = 1 2 3 4 5

eε

1+eε

11+eε

maps k-ary inputs to binary outputs

26 / 33

Binary Mechanisms

A deterministic binary mapping followed by a randomized response

0

1

0

1

11+eε

11+eε

eε

1+eε

eε

1+eε

X ∈ S =⇒ Y = 0

X ∈ Sc =⇒ Y = 1

X ∈ X Y

a highly quantized version of the original data

26 / 33

Optimality of Binary Mechanisms (High Privacy)

QB(0|x) =

{ eε

1+eε if P0(x) ≥ P1(x)1

1+eε if P0(x) < P1(x)

QB(1|x) =

{ eε

1+eε if P0(x) < P1(x)1

1+eε if P0(x) ≥ P1(x)

∀ P0,P1, ∃ ε(P0, P1) > 0 such that ∀ε ≤ ε(P0, P1), QB is optimal

27 / 33

Randomized Response

y = 1

2

3

4

x = 1 2 3 4

eε

3+eε

13+eε

maps k-ary inputs to k-ary outputs

28 / 33

Randomized Response

w.p. |X |−1|X |−1+eε lie w.p. eε

|X |−1+eε answer truthfully

lie = choose another character in X uniformly at random

can be viewed as a k-ary extension to the binary randomized response

28 / 33

Optimality of Randomized Response (Low Privacy)

QRR(y|x) =

{eε

|X |−1+eε if y = x1

|X |−1+eε if y 6= x

∀ P0,P1, ∃ ε(P0, P1) > 0 such that ∀ε ≥ ε(P0, P1), QRR is optimal

note that QRR does not depend on P0 and P1

29 / 33

Numerical Example for KL Divergence

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 1 2 3 4 5 6 7 8 9 10

binary mechanismrandomized response

Dkl(QP0‖QP1)Dkl(QoptP0‖Dkl(QoptP1)

ε

|X | = 6

100 random pairs of (P0, P1)

30 / 33

Numerical Example for KL Divergence

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 1 2 3 4 5 6 7 8 9 10

optimal mechanismbinary mechanism

randomized responsegeometric mechanism

Dkl(QP0‖QP1)Dkl(P0‖P1)

ε

|X | = 6

averaged over 100 random pairs of (P0, P1)

30 / 33

Big Picture

local differential privacy is crucial for data collection applications

we studied a broad class of information theoretic utilities

we provided explicit constructions of optimal mechanisms

more results on local privacy:

“Extremal mechanisms for local differential privacy”, NIPS 2014“The composition theorem for differential privacy”, ICML 2015“Optimality of non-interactive randomized response”, arXiv:1407.1546

31 / 33

Big Picture

local differential privacy is crucial for data collection applications

we studied a broad class of information theoretic utilities

we provided explicit constructions of optimal mechanisms

more results on local privacy:

“Extremal mechanisms for local differential privacy”, NIPS 2014“The composition theorem for differential privacy”, ICML 2015“Optimality of non-interactive randomized response”, arXiv:1407.1546

31 / 33

Big Picture

local differential privacy is crucial for data collection applications

we studied a broad class of information theoretic utilities

we provided explicit constructions of optimal mechanisms

more results on local privacy:

“Extremal mechanisms for local differential privacy”, NIPS 2014“The composition theorem for differential privacy”, ICML 2015“Optimality of non-interactive randomized response”, arXiv:1407.1546

31 / 33

Big Picture

local differential privacy is crucial for data collection applications

we studied a broad class of information theoretic utilities

we provided explicit constructions of optimal mechanisms

more results on local privacy:

“Extremal mechanisms for local differential privacy”, NIPS 2014“The composition theorem for differential privacy”, ICML 2015“Optimality of non-interactive randomized response”, arXiv:1407.1546

31 / 33

Going Forward

private green button

private genomic data sharing

private RAPPOR

32 / 33

Thank YouQuestions?

33 / 33