    Bounded-Leakage Differential Privacy

    We introduce and study a relaxation of differential privacy [Dwork et al., 2006] that accounts for mechanisms that leak some additional, bounded information about the database. We apply this notion to reason about two distinct settings where the notion of differential privacy is of limited use. First, we consider cases, such as in the 2020 US Census [Abowd, 2018], in which some information about the database is released exactly or with small noise. Second, we consider the accumulation of privacy harms for an individual across studies that may not even include the data of this individual. The tools that we develop for bounded-leakage differential privacy allow us to reason about privacy loss in these settings, and to show that individuals preserve some meaningful protections.

    The digital glass house - Social networking and privacy

    Since the explosion of the Internet age, nearly 2 billion people are connected to the World Wide Web, creating seemingly limitless opportunities for communication and collaboration, including social networking. Communication is virtually instantaneous and vast amounts of information are available at the touch of a key. In such an open digital environment, we take it for granted that almost any information can be sourced online by anyone with Internet access. The rapid growth of social networking sites (SNS) such as Facebook, which recently reached 500 million users, has coincided with an increasing concern over personal privacy. This study examines Facebook users' perceptions of privacy, their frequency of use, and their disclosure of personal information to other users. This study was guided by two research questions: What are Facebook users' perceptions of privacy, and what personal information do they disclose to other users? Does Facebook users' frequency of use affect their disclosure of personal information? 149 respondents from the researcher's own Facebook profile filled in a Web-based questionnaire in August 2010. The data was analyzed using descriptive and inferential statistics. The research hypothesized that higher levels of privacy perception would result in less disclosure of personal information, and that the more active a user is on Facebook, the greater the user's likelihood of maintaining a private profile. The results of chi-square tests and correlation analysis found significant positive relationships between privacy perception and the disclosure of personal information, and no significant relationships between frequency of use and disclosure of personal information. Recommendations for future researchers are also included.

    Mathematical techniques for the protection of patient's privacy in medical databases

    In modern society, keeping the balance between privacy and public access to information is becoming a widespread problem more and more often. Valid data is crucial for many kinds of research, but the public good should not be achieved at the expense of individuals. While creating a central database of patients, the CSIOZ wishes to provide statistical information for selected institutions. However, there are some plans to extend the access by providing the statistics to researchers or even to citizens. This might pose a significant risk of disclosure of some private, sensitive information about individuals. This report proposes some methods to prevent data leaks. One category of suggestions is based on the idea of modifying statistics so that they would maintain their usefulness for statisticians and at the same time guarantee the protection of patients' privacy. Another group of proposed mechanisms, though sometimes difficult to implement, enables one to obtain precise statistics while restricting those queries which might reveal sensitive information.

    Measuring Confidentiality Risks in Census Data

    Two trends have been on a collision course over the recent past. The first is the increasing demand by researchers for greater detail and flexibility in outputs from the decennial Census of Population. The second is the need felt by the Census Offices to demonstrate more clearly that Census data have been explicitly protected from the risk of disclosure of information about individuals. To reconcile these competing trends the authors propose a statistical measure of the risks of disclosure implicit in the release of aggregate census data. The ideas of risk measurement are first developed for microdata, where there is prior experience, and then modified to measure risk in tables of counts. To make sure that the theoretical ideas are fully expounded, the authors develop a small worked example. The risk measure proposed here is currently being tested with synthetic and real Census microdata. It is hoped that this approach will both refocus the census confidentiality debate and contribute to the safe use of user-defined flexible census output geographies.

    Evaluating 'Prefer not to say' Around Sensitive Disclosures

    As people's offline and online lives become increasingly entwined, the sensitivity of personal information disclosed online is increasing. Disclosures often occur through structured disclosure fields (e.g., drop-down lists). Prior research suggests these fields may limit privacy, with non-disclosing users being presumed to be hiding undesirable information. We investigated this around HIV status disclosure in online dating apps used by men who have sex with men. Our online study asked participants (N=183) to rate profiles where HIV status was either disclosed or undisclosed. We tested three designs for displaying undisclosed fields. Visibility of undisclosed fields had a significant effect on the way profiles were rated, and other profile information (e.g., ethnicity) could affect the inferences that develop around undisclosed information. Our research highlights complexities around designing for non-disclosure and questions the voluntary nature of these fields. Further work is outlined to ensure disclosure control is appropriately implemented around online sensitive information disclosures.

    Revisiting the Economics of Privacy: Population Statistics and Confidentiality Protection as Public Goods

    This paper has been replaced with http://digitalcommons.ilr.cornell.edu/ldi/37. We consider the problem of the public release of statistical information about a population, explicitly accounting for the public-good properties of both data accuracy and privacy loss. We first consider the implications of adding the public-good component to recently published models of private data publication under differential privacy guarantees using a Vickrey-Clarke-Groves mechanism and a Lindahl mechanism. We show that data quality will be inefficiently under-supplied. Next, we develop a standard social planner's problem using the technology set implied by (ε, δ)-differential privacy with (α, β)-accuracy for the Private Multiplicative Weights query release mechanism to study the properties of optimal provision of data accuracy and privacy loss when both are public goods. Using the production possibilities frontier implied by this technology, explicitly parameterized interdependent preferences, and the social welfare function, we display properties of the solution to the social planner's problem. Our results directly quantify the optimal choice of data accuracy and privacy loss as functions of the technology and preference parameters. Some of these properties can be quantified using population statistics on marginal preferences and correlations between income, data accuracy preferences, and privacy loss preferences that are available from survey data. Our results show that government data custodians should publish more accurate statistics with weaker privacy guarantees than would occur with purely private data publishing. Our statistical results using the General Social Survey and the Cornell National Social Survey indicate that the welfare losses from under-providing data accuracy while over-providing privacy protection can be substantial.