The private collection of multiple statistics from a population is a
fundamental statistical problem. One possible approach to realize this is to
rely on the local model of differential privacy (LDP). Numerous LDP protocols
have been developed for the task of frequency estimation of single and multiple
attributes. These studies mainly focused on improving the utility of the
algorithms to ensure the server performs the estimations accurately. In this
paper, we investigate privacy threats (re-identification and attribute
inference attacks) against LDP protocols for multidimensional data following
two state-of-the-art solutions for frequency estimation of multiple attributes.
To broaden the scope of our study, we have also experimentally assessed five
widely used LDP protocols, namely, generalized randomized response, optimal
local hashing, subset selection, RAPPOR and optimal unary encoding. Finally, we
also propose a countermeasure that improves both utility and robustness
against the identified threats. Our contributions can help practitioners aiming
to collect users' statistics privately to decide which LDP mechanism best fits
their needs.

Comment: Accepted at VLDB 202