The Utility Cost of Robust Privacy Guarantees
Consider a data publishing setting for a data set with public and private
features. The objective of the publisher is to maximize the amount of
information about the public features in a revealed data set, while keeping the
information leaked about the private features bounded. The goal of this paper
is to analyze the performance of privacy mechanisms that are constructed to
match the distribution learned from the data set. Two distinct scenarios are
considered: (i) mechanisms are designed to provide a privacy guarantee for the
learned distribution; and (ii) mechanisms are designed to provide a privacy
guarantee for every distribution in a given neighborhood of the learned
distribution. For the first scenario, given any privacy mechanism, upper bounds
on the difference between the privacy-utility guarantees for the learned and
true distributions are presented. In the second scenario, upper bounds on the
reduction in utility incurred by providing a uniform privacy guarantee are
developed.
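The privacy-utility tension described above can be made concrete with a minimal sketch. The snippet below is not the paper's mechanism; it uses classic binary randomized response as a stand-in, showing how a stronger privacy guarantee (smaller epsilon) degrades the accuracy of a recovered statistic. The function names and the 30% population rate are illustrative assumptions.

```python
import math
import random

def randomized_response(bit, epsilon, rng=random):
    """Report the true bit with probability e^eps / (e^eps + 1), else flip it.
    This satisfies epsilon-local differential privacy for one binary feature."""
    p_truth = math.exp(epsilon) / (math.exp(epsilon) + 1.0)
    return bit if rng.random() < p_truth else 1 - bit

def debiased_mean(epsilon, n=100_000, true_rate=0.3, seed=0):
    """Utility check: recover the population rate from noisy reports.
    E[noisy] = (2p - 1) * rate + (1 - p), so the mechanism can be inverted."""
    rng = random.Random(seed)
    p = math.exp(epsilon) / (math.exp(epsilon) + 1.0)
    truth = [1 if rng.random() < true_rate else 0 for _ in range(n)]
    noisy = [randomized_response(b, epsilon, rng) for b in truth]
    raw = sum(noisy) / n
    return (raw - (1 - p)) / (2 * p - 1)
```

The debiased estimator is unbiased at every epsilon, but its variance grows as epsilon shrinks, which is the utility cost the abstract refers to.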
Privacy Games: Optimal User-Centric Data Obfuscation
In this paper, we design user-centric obfuscation mechanisms that impose the
minimum utility loss required to guarantee users' privacy. We optimize utility
subject to a joint guarantee of differential privacy (indistinguishability) and
distortion privacy (inference error). This double shield of protection limits
the information leakage through the obfuscation mechanism as well as the posterior
inference. We show that the privacy achieved through joint
differential-distortion mechanisms against optimal attacks is as large as the
maximum privacy that can be achieved by either of these mechanisms separately.
Their utility cost is also not larger than what either of the differential or
distortion mechanisms imposes. We model the optimization problem as a
leader-follower game between the designer of the obfuscation mechanism and the
potential adversary, and design adaptive mechanisms that anticipate and protect
against optimal inference algorithms. Thus, the obfuscation mechanism is
optimal against any inference algorithm.
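The "double shield" combines two measurable quantities, and both can be evaluated for any obfuscation channel. The sketch below is not the paper's optimization; it simply computes the two privacy notions for a given channel: the differential-privacy level (worst-case output indistinguishability) and the distortion privacy (expected error of a Bayes-optimal adversary). The matrix representation and the example channel are assumptions for illustration.

```python
import math

def dp_level(channel):
    """Differential privacy of a mechanism given as a row-stochastic matrix
    channel[x][o] = P(output o | input x): worst-case log-ratio per output."""
    n_out = len(channel[0])
    eps = 0.0
    for o in range(n_out):
        col = [row[o] for row in channel]
        eps = max(eps, math.log(max(col) / min(col)))
    return eps

def distortion_privacy(channel, prior):
    """Distortion privacy: expected error of a Bayes-optimal adversary who
    observes the output and guesses the input with the largest posterior."""
    n_out = len(channel[0])
    err = 0.0
    for o in range(n_out):
        joint = [prior[x] * channel[x][o] for x in range(len(prior))]
        err += sum(joint) - max(joint)   # probability mass the guess misses
    return err

# Example: a symmetric binary channel that flips the input w.p. 0.3.
channel = [[0.7, 0.3], [0.3, 0.7]]
```

A joint mechanism in the paper's sense would constrain both quantities at once while minimizing expected distortion of the released data.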
Prochlo: Strong Privacy for Analytics in the Crowd
The large-scale monitoring of computer users' software activities has become
commonplace, e.g., for application telemetry, error reporting, or demographic
profiling. This paper describes a principled systems architecture---Encode,
Shuffle, Analyze (ESA)---for performing such monitoring with high utility while
also protecting user privacy. The ESA design, and its Prochlo implementation,
are informed by our practical experiences with an existing, large deployment of
privacy-preserving software monitoring.
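The Encode-Shuffle-Analyze pipeline can be sketched in a few lines. This is a heavily simplified illustration, not the Prochlo implementation: the real encoder also fragments and encrypts reports and applies crowd-based thresholding, and the shuffler batches at scale. All function names here are assumptions.

```python
import random

def encode(record, user_id):
    """Encoder: strip the user identifier before anything leaves the client."""
    return {"payload": record}          # user_id deliberately dropped

def shuffle(reports, rng=random):
    """Shuffler: batch reports and randomly permute them, breaking the link
    between a report's origin/arrival order and its content."""
    out = list(reports)
    rng.shuffle(out)
    return out

def analyze(reports):
    """Analyzer: sees only an anonymous multiset of payloads to aggregate."""
    counts = {}
    for r in reports:
        counts[r["payload"]] = counts.get(r["payload"], 0) + 1
    return counts
```

The key property is that the analyzer receives the same multiset of payloads regardless of which user sent which report.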
Asymptotically Truthful Equilibrium Selection in Large Congestion Games
Studying games in the complete information model makes them analytically
tractable. However, large player interactions are more realistically
modeled as games of incomplete information, where players may know little to
nothing about the types of other players. Unfortunately, games in incomplete
information settings lose many of the nice properties of complete information
games: the quality of equilibria can become worse, the equilibria lose their
ex-post properties, and coordinating on an equilibrium becomes even more
difficult. Because of these problems, we would like to study games of
incomplete information, but still implement equilibria of the complete
information game induced by the (unknown) realized player types.
This problem was recently studied by Kearns et al. and solved in large games
by means of introducing a weak mediator: their mediator took as input reported
types of players, and output suggested actions which formed a correlated
equilibrium of the underlying game. Players had the option to play
independently of the mediator, or ignore its suggestions, but crucially, if
they decided to opt-in to the mediator, they did not have the power to lie
about their type. In this paper, we rectify this deficiency in the setting of
large congestion games. We give, in a sense, the weakest possible mediator: it
cannot enforce participation, verify types, or enforce its suggestions.
Moreover, our mediator implements a Nash equilibrium of the complete
information game. We show that it is an (asymptotic) ex-post equilibrium of the
incomplete information game for all players to use the mediator honestly, and
that when they do so, they end up playing an approximate Nash equilibrium of
the induced complete information game. In particular, truthful use of the
mediator is a Bayes-Nash equilibrium in any Bayesian game for any prior.
Comment: The conference version of this paper appeared in EC 2014. This
manuscript has been merged and subsumed by the preprint "Robust Mediators in
Large Games": http://arxiv.org/abs/1512.0269
An Economic Analysis of Privacy Protection and Statistical Accuracy as Social Choices
Statistical agencies face a dual mandate to publish accurate statistics while protecting respondent privacy. Increasing privacy protection requires decreased accuracy. Recognizing this as a resource allocation problem, we propose an economic solution: operate where the marginal cost of increasing privacy equals the marginal benefit. Our model of production, from computer science, assumes data are published using an efficient differentially private algorithm. Optimal choice weighs the demand for accurate statistics against the demand for privacy. Examples from U.S. statistical programs show how our framework can guide decision-making. Further progress requires a better understanding of willingness-to-pay for privacy and statistical accuracy.
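The marginal-cost-equals-marginal-benefit rule can be worked through numerically. The functional forms below are hypothetical illustrations, not taken from the paper: a concave benefit of accuracy (which grows with the privacy-loss parameter epsilon) against a convex social cost of privacy loss.

```python
import math

def social_optimum(benefit, cost, eps_grid):
    """Choose the privacy-loss parameter maximizing net social welfare
    benefit(eps) - cost(eps); at an interior optimum the marginal benefit
    of accuracy equals the marginal cost of reduced privacy."""
    return max(eps_grid, key=lambda e: benefit(e) - cost(e))

# Hypothetical illustrative forms (assumptions, not the paper's estimates):
benefit = lambda eps: math.log(1 + eps)   # concave: diminishing returns to accuracy
cost = lambda eps: 0.5 * eps ** 2         # convex: accelerating privacy harm

eps_star = social_optimum(benefit, cost, [i / 1000 for i in range(1, 5001)])
# First-order condition 1/(1 + e) = e gives e* = (sqrt(5) - 1) / 2
```

With these forms the grid search lands on the analytic optimum of the first-order condition, about 0.618.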
When the Hammer Meets the Nail: Multi-Server PIR for Database-Driven CRN with Location Privacy Assurance
We show that it is possible to achieve information theoretic location privacy
for secondary users (SUs) in database-driven cognitive radio networks (CRNs)
with an end-to-end delay less than a second, which is significantly better than
that of the existing alternatives offering only a computational privacy. This
is achieved based on a keen observation that, by the requirement of Federal
Communications Commission (FCC), all certified spectrum databases synchronize
their records. Hence, the same copy of spectrum database is available through
multiple (distinct) providers. We harness the synergy between multi-server
private information retrieval (PIR) and database-driven CRN architecture to
offer an optimal level of privacy with high efficiency by exploiting this
observation. We demonstrate, analytically and experimentally with deployments
on actual cloud systems, that our adaptations of multi-server PIR outperform
the (currently) fastest single-server PIR by orders of magnitude while
providing information-theoretic security, collusion resiliency, and
fault-tolerance features. Our analysis indicates that multi-server PIR is an ideal
cryptographic tool to provide location privacy in database-driven CRNs, in
which the requirement of replicated databases is a natural part of the system
architecture, and therefore SUs can enjoy all advantages of multi-server PIR
without any additional architectural and deployment costs.
Comment: 10 pages, double column
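The replicated-database structure that multi-server PIR exploits is easy to see in the classic two-server XOR scheme, sketched below. This is the textbook protocol, not the paper's specific adaptation: the client sends each server a random-looking subset of indices, so neither non-colluding server learns anything about which record is wanted, yet the XOR of the two answers is exactly the requested bit.

```python
import secrets

def pir_query(db_size, index):
    """Client: a uniformly random subset for server A, and the same subset
    with the target index toggled for server B. Each query alone is uniform,
    so it reveals nothing about `index` absent collusion."""
    q_a = [secrets.randbelow(2) for _ in range(db_size)]
    q_b = list(q_a)
    q_b[index] ^= 1
    return q_a, q_b

def pir_answer(db, query):
    """Server: XOR of the database bits selected by the query vector."""
    acc = 0
    for bit, sel in zip(db, query):
        if sel:
            acc ^= bit
    return acc

def pir_reconstruct(ans_a, ans_b):
    """Client: the two answers differ only in the target position, so their
    XOR is exactly db[index]."""
    return ans_a ^ ans_b
```

Since FCC-certified spectrum databases are already synchronized replicas, the two (or more) servers required by such schemes come for free in this setting, which is the abstract's central observation.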