Differential privacy (DP) enables private data analysis. In a typical DP deployment, controllers manage individuals' sensitive data and are responsible for answering analysts' queries while protecting individuals' privacy. They do so by choosing the privacy parameter $ε$, which controls the degree of privacy for all individuals in all possible datasets. However, it is challenging for controllers to choose $ε$ because of the difficulty of interpreting the privacy implications of such a choice on the within-dataset individuals. To address this challenge, we first derive a relative disclosure risk indicator (RDR) that indicates the impact of choosing $ε$ on the within-dataset individuals' disclosure risk. We then design an algorithm to find $ε$ based on controllers' privacy preferences expressed as a function of the within-dataset individuals' RDRs, and an alternative algorithm that finds and releases $ε$ while satisfying DP. Lastly, we propose a solution that bounds the total privacy leakage when using the algorithm to answer multiple queries without requiring controllers to set the total privacy budget. We evaluate our contributions through an IRB-approved user study that shows the RDR is useful for helping controllers choose $ε$, and experimental evaluations showing our algorithms are efficient and scalable.
翻译:差分隐私(DP)支持隐私保护的数据分析。在典型的DP部署中,数据控制者负责管理个体的敏感数据,其职责是在保护个体隐私的前提下回答分析者的查询。他们通过选择隐私参数$ε$来实现这一目标,该参数控制着所有可能数据集中所有个体的隐私保护程度。然而,由于难以解读所选$ε$对数据集内个体隐私影响的具体含义,控制者在选择$ε$时面临挑战。为解决这一难题,我们首先推导出一种相对披露风险指标(RDR),该指标能够反映$ε$的选择对数据集内个体披露风险的影响。随后,我们设计了一种算法,该算法能够根据控制者以数据集内个体RDR函数形式表达的隐私偏好来确定$ε$;同时提出了另一种在满足DP约束条件下确定并发布$ε$的替代算法。最后,我们提出一种解决方案,可在使用该算法回答多个查询时限定总隐私泄露量,且无需控制者预先设定总隐私预算。我们通过机构审查委员会批准的用户研究评估了所提方法的有效性,结果表明RDR能有效协助控制者选择$ε$;实验评估进一步验证了所提算法的高效性与可扩展性。