Recent years have witnessed the adoption of differential privacy (DP) in practical database systems such as PINQ, FLEX, and PrivateSQL. Such systems allow data analysts to query sensitive data while providing a rigorous and provable privacy guarantee. However, the existing design of these systems does not distinguish between data analysts of different privilege or trust levels. Treating all analysts as a single entity can apportion the privacy budget unfairly among them, while treating them as non-colluding parties and answering their queries independently wastes privacy budget. In this paper, we propose DProvDB, a fine-grained privacy provenance framework for the multi-analyst scenario that tracks the privacy loss incurred by each individual data analyst. Under this framework, given a fixed privacy budget, we build algorithms that maximize the number of queries that can be answered accurately and apportion the privacy budget according to the privilege levels of the data analysts.
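The two failure modes named above (unfair apportioning when analysts share one pool, wasted budget when they are answered independently) can be made concrete with a small per-analyst privacy-loss ledger. The following is an added illustrative example, not DProvDB's code or the paper's algorithm. It assumes basic sequential composition (epsilons add, so the global loss is the fully colluding worst case), that re-serving an already released noisy answer is post-processing and costs no further global budget, and a hypothetical apportioning policy in which each analyst's cap is its privilege-weighted share of the global budget; the analysts, weights and the count value are constructed.

```python
"""Illustrative per-analyst privacy-loss ledger (added example, not DProvDB's code).

Assumptions, all labelled as such:
  * privacy loss composes by basic sequential composition (epsilons add), so
    the global loss is the worst case in which every analyst colludes;
  * re-serving an already released noisy answer is post-processing and adds
    no global privacy loss, although the receiving analyst is still charged
    the loss of the value it sees;
  * each analyst's cap is its privilege-weighted share of the global budget,
    a hypothetical apportioning policy chosen only for illustration.
"""
import random
from dataclasses import dataclass

TOL = 1e-9  # tolerance for floating-point budget comparisons


@dataclass(frozen=True)
class Analyst:
    name: str
    privilege: float  # relative weight; a higher weight gets a larger share


@dataclass(frozen=True)
class Release:
    epsilon: float  # privacy loss of this fresh release
    value: float    # the noisy answer that was released


class PrivacyLedger:
    def __init__(self, global_epsilon, analysts, apportion=True, share_releases=True, seed=0):
        self.global_epsilon = global_epsilon
        total = sum(a.privilege for a in analysts)
        # Single-entity mode: every analyst may draw on the whole budget.
        # Apportioned mode: each analyst's cap is its weighted share (assumed policy).
        self.cap = {a.name: (global_epsilon * a.privilege / total if apportion else global_epsilon)
                    for a in analysts}
        self.spent = {a.name: 0.0 for a in analysts}
        self.share_releases = share_releases
        self.releases = {}       # query_key -> Release, for fresh releases only
        self.global_spent = 0.0  # worst-case (colluding) loss over all fresh releases
        self._rng = random.Random(seed)

    def _laplace(self, scale):
        # Difference of two exponentials with mean `scale` is Laplace(0, scale).
        return self._rng.expovariate(1.0 / scale) - self._rng.expovariate(1.0 / scale)

    def _fits_cap(self, analyst, epsilon):
        return self.spent[analyst] + epsilon <= self.cap[analyst] + TOL

    def answer(self, analyst, query_key, true_value, sensitivity, epsilon):
        """Answer a numeric query with the Laplace mechanism at the requested epsilon.

        Returns the noisy value, or None when the request would exceed either the
        analyst's cap or the global budget.
        """
        prior = self.releases.get(query_key)
        if (self.share_releases and prior is not None and prior.epsilon <= epsilon
                and self._fits_cap(analyst, prior.epsilon)):
            # Post-processing of an earlier release: no new global loss, but the
            # analyst is charged the loss of the value it actually receives.
            self.spent[analyst] += prior.epsilon
            return prior.value
        if not self._fits_cap(analyst, epsilon):
            return None
        if self.global_spent + epsilon > self.global_epsilon + TOL:
            return None
        value = true_value + self._laplace(sensitivity / epsilon)
        self.releases[query_key] = Release(epsilon, value)
        self.global_spent += epsilon
        self.spent[analyst] += epsilon
        return value


ANALYSTS = [Analyst("alice", 3.0), Analyst("bob", 1.0)]  # constructed: two privilege levels
TRUE_COUNT = 1234  # constructed: result of a COUNT(*) query, sensitivity 1


def waste_demo(global_epsilon=4.0):
    """Both analysts ask the same count at epsilon=1: answering independently spends
    the global budget twice, re-serving the first release spends it once."""
    independent = PrivacyLedger(global_epsilon, ANALYSTS, share_releases=False)
    shared = PrivacyLedger(global_epsilon, ANALYSTS, share_releases=True)
    for ledger in (independent, shared):
        ledger.answer("alice", "count_all", TRUE_COUNT, 1, 1.0)
        ledger.answer("bob", "count_all", TRUE_COUNT, 1, 1.0)
    return {"independent": independent.global_spent, "shared": shared.global_spent}


def fairness_demo(global_epsilon=4.0):
    """alice fires four epsilon=1 queries before bob asks one. As a single entity she
    drains the pool and bob gets nothing; apportioned, her fourth query is refused
    and bob's share is still available."""
    results = {}
    for label, apportion in (("single_entity", False), ("apportioned", True)):
        ledger = PrivacyLedger(global_epsilon, ANALYSTS, apportion=apportion)
        alice_ok = sum(ledger.answer("alice", f"q{i}", TRUE_COUNT, 1, 1.0) is not None
                       for i in range(4))
        bob_ok = int(ledger.answer("bob", "bob_q", TRUE_COUNT, 1, 1.0) is not None)
        results[label] = (alice_ok, bob_ok)
    return results


if __name__ == "__main__":
    print("global loss, same query asked twice:", waste_demo())
    print("(queries answered for alice, bob):", fairness_demo())
```

The ledger charges the receiving analyst the loss of the value it actually sees rather than the epsilon it asked for, so a reused release never lets a low-privilege analyst exceed its cap; the global counter only moves on fresh releases, which is where the budget saving of tracking provenance per analyst shows up.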