There is a disconnect between how researchers and practitioners handle privacy-utility tradeoffs. Researchers primarily operate from a privacy-first perspective, setting strict privacy requirements and minimizing risk subject to these constraints. Practitioners often desire an accuracy-first perspective, possibly satisfied with the greatest privacy they can get subject to obtaining sufficiently small error. Ligett et al. have introduced a "noise reduction" algorithm to address the latter perspective. The authors show that by adding correlated Laplace noise and progressively reducing it on demand, it is possible to produce a sequence of increasingly accurate estimates of a private parameter while only paying a privacy cost for the least noisy iterate released. In this work, we generalize noise reduction to the setting of Gaussian noise, introducing the Brownian mechanism. The Brownian mechanism works by first adding Gaussian noise of high variance corresponding to the final point of a simulated Brownian motion. Then, at the practitioner's discretion, noise is gradually decreased by tracing back along the Brownian path to an earlier time. Our mechanism is more naturally applicable to the common setting of bounded $\ell_2$-sensitivity, empirically outperforms existing work on common statistical tasks, and provides customizable control of privacy loss over the entire interaction with the practitioner. We complement our Brownian mechanism with ReducedAboveThreshold, a generalization of the classical AboveThreshold algorithm that provides adaptive privacy guarantees. Overall, our results demonstrate that one can meet utility constraints while still maintaining strong levels of privacy.
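The "trace back along the Brownian path" step above can be made concrete with a short simulation. The following is an added illustration, not code from the paper: it releases $x + B(T)$ first and then, on demand, moves to an earlier time $t < T$ by sampling $B(t)$ from the Brownian bridge conditioned on the current point, so that every released iterate is marginally a plain Gaussian mechanism with variance $t$. All function and class names are my own, and the paper's privacy accounting for the interaction is not reproduced here.

```python
import math
import random


def bridge_params(b_T, t, T):
    """Mean and variance of B(t) given B(T) = b_T, for 0 < t < T.
    Standard Brownian bridge: B(t) | B(T) ~ N((t/T) b_T, t (T - t) / T)."""
    return (t / T) * b_T, t * (T - t) / T


class BrownianMechanism:
    """Noise-reduction sketch (hypothetical names): start at a high-variance
    point of a Brownian path and walk back to earlier, less noisy times."""

    def __init__(self, true_value, start_time, seed=None):
        if start_time <= 0:
            raise ValueError("start_time must be positive")
        self.x = true_value
        self.t = start_time
        self.rng = random.Random(seed)
        # Final point of the simulated path: B(T) ~ N(0, T).
        self.b = math.sqrt(start_time) * self.rng.gauss(0.0, 1.0)
        self.released = [(self.t, self.x + self.b)]

    def reduce_to(self, t):
        """Reveal the path at an earlier time t; noise variance drops to t."""
        if not 0 < t < self.t:
            raise ValueError("can only move to an earlier positive time")
        mean, var = bridge_params(self.b, t, self.t)
        self.b = mean + math.sqrt(var) * self.rng.gauss(0.0, 1.0)
        self.t = t
        self.released.append((t, self.x + self.b))
        return self.released[-1][1]


def run_noise_reduction(true_value, times, seed=None):
    """Release estimates at a strictly decreasing list of times (first is T).
    Returns the list of (time, estimate) pairs in release order."""
    mech = BrownianMechanism(true_value, times[0], seed)
    for t in times[1:]:
        mech.reduce_to(t)
    return mech.released
```

Because each iterate at time $t$ is exactly $x + N(0, t)$, the practitioner can stop as soon as the error is acceptable, and the least noisy iterate released is the one that determines the Gaussian-mechanism privacy cost.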