Distributed Hypothesis Testing with Privacy Constraints

We revisit the distributed hypothesis testing (or hypothesis testing with communication constraints) problem from the viewpoint of privacy. Instead of observing the raw data directly, the transmitter observes a sanitized or randomized version of it. We impose an upper bound on the mutual information between the raw and randomized data. Under this scenario, the receiver, which is also provided with side information, is required to make a decision on whether the null or alternative hypothesis is in effect. We first provide a general lower bound on the type-II exponent for an arbitrary pair of hypotheses. Next, we show that if the distribution under the alternative hypothesis is the product of the marginals of the distribution under the null (i.e., testing against independence), then the exponent is known exactly. Moreover, we show that the strong converse property holds. Using ideas from Euclidean information theory, we also provide an approximate expression for the exponent when the communication rate is low and the privacy level is high. Finally, we illustrate our results with a binary and a Gaussian example

Universal Privacy Gurantees for Smart Meters

Smart meters (SMs) provide advanced monitoring of consumer energy usage, thereby enabling optimized management and control of electricity distribution systems. Unfortunately, the data collected by SMs can reveal information about consumer activity, such as the times at which they run individual appliances. Two approaches have been proposed to tackle the privacy threat posed by such information leakage. One strategy involves manipulating user data before sending it to the utility provider (UP); this approach improves privacy at the cost of reducing the operational insight provided by the SM data to the UP. The alternative strategy employs rechargeable batteries or local energy sources at each consumer site to try decouple energy usage from energy requests. This thesis investigates the latter approach. Understanding the privacy implications of any strategy requires an appropriate privacy metric. A variety of metrics are used to study privacy in energy distribution systems. These include statistical distance metrics, differential privacy, distortion metrics, maximal leakage, maximal $\alpha$-leakage and information measures like mutual information. We here use mutual information to measure privacy both because its well understood fundamental properties and because it provides a useful bridge to adjacent fields such as hypothesis testing, estimation, and statistical or machine learning. Privacy leakage under mutual information measures has been studied under a variety of assumptions on the energy consumption of the user with a strong focus on i.i.d. and some exploration of markov processes. Since user energy consumption may be non-stationary, here we seek privacy guarantees that apply for general random process models of energy consumption. Moreover, we impose finite capacity bounds on batteries and include the price of the energy requested from the grid, thus minimizing the information leakage subject to a bound on the resulting energy bill. To that aim we model the energy management unit (EMU) as a deterministic finite-state channel, and adapt the Ahlswede-Kaspi coding strategy proposed for permuting channels to the SM privacy setting. Within this setting, we derive battery policies providing privacy guarantees that hold for any bounded process modelling the energy consumption of the user, including non-ergodic and non-stationary processes. These guarantees are also presented for bounded processes with a known expected average consumption. The optimality of the battery policy is characterized by presenting the probability law of a random process that is tight with respect to the upper bound. Moreover, we derive single letter bounds characterizing the privacy-cost trade off in the presence of variable market price. Finally it is shown that the provided results hold for mutual information, maximal leakage, maximal-alpha leakage and the Arimoto and Sibson channel capacity