A Partitioned Recoding Scheme for Privacy Preserving Data Publishing

Abstract

There is growing interest in Differential Privacy as a disclosure limitation mechanism for statistical data. The increased attention has brought to light a number of subtleties in the definition and mechanisms. We explore an interesting dichotomy in parallel composition, where a subtle difference in the definition of a “neighboring database” leads to significantly different results. We show that by “pre-partitioning” the data randomly into disjoint subsets, then applying well-known anony-mization schemes to those pieces, we can eliminate this dichotomy. This provides potential operational benefits, with some interesting implications that give further insight into existing privacy schemes. We explore the theoretical limits of the privacy impacts of pre-partitioning, in the process illuminating some subtle distinctions in privacy definitions. We also discuss the resulting utility, including empirical evaluation of the impact on released privatized statistics.

Appendix: Proof of Theorem 2

We first fix some notation. Let \(\mathcal {A}\) be a \(\varepsilon \)-differentially private mechanism. Let D be a dataset with \(|D| = n\) and choose an integer \(n' < n\). Fix some tuple \(t \in D\). We denote by \(Y_t\) the set of all subdatasets \(D_s \subset D\) with \(|D_s| = n'\) and \(t \in D_s\) and by \(N_t\) the set of all subdatasets \(D_s \subset D\) with \(|D_s| = n'\) and \(t \notin D_s\). We observe

$$|Y_t| = {{n-1}\atopwithdelims (){n'-1}} \qquad |N_t| = {{n-1}\atopwithdelims (){n'}}.$$

For \(D' = D\setminus \{t\}\cup \{t'\}\) a neighbor of D, we define \(Y'_t\) and \(N'_t\) analogously. We observe that \(N_t = N'_t\).

We will need the following lemma.

Lemma 3

Let \(t \in D\) and \(S \subset {\text {range}}(\mathcal {A})\). Then

$$ \sum _{D_s \in Y_t}\frac{P(\mathcal {A}(D_s)\in S)}{|Y_t|} \le e^\varepsilon \sum _{D_s \in N_t}\frac{P(\mathcal {A}(D_s) \in S)}{|N_t|}. $$

Proof

For each \(D_s \in Y_t\), we can replace the tuple t by any of the \(n-n'\) tuples in \(D\setminus D_s\) to create a dataset in \(N_t\) that is a neighbor of \(D_s\). Similarly, given any \(D_s \in N_t\), we can replace any of the \(n'\) tuples in \(D_s\) with t to create a dataset in \(Y_t\) that is a neighbor of \(D_s\).

Now consider

$$(n-n')\sum _{D_s \in Y_t} P(\mathcal {A}(D_s) \in S)$$

as counting each \(D_s \in Y_t\) with multiplicity \(n-n'\). Thus we replace the \(n-n'\) copies of \(D_s \in Y_t\) in this sum with its \(n-n'\) neighbors in \(N_t\). By differential privacy, each such change causes the probability to grow by no more than \(e^\varepsilon \). Moreover, each dataset in \(N_t\) will occur \(n'\) times in the new sum. Thus

$$ (n-n') \sum _{D_t \in Y_t}P(\mathcal {A}(D_t) \in S) \le e^\varepsilon n' \sum _{D_t \in N_t}P(\mathcal {A}(D_t) \in S). $$

The result now follows from the observation that \(\frac{n'}{n-n'} = \frac{|Y_t|}{|N_t|}\).

This lemma captures the reason we have assumed the size of the subdataset to be fixed. In the unbounded case, if we delete a tuple t to pass from dataset D to \(D'\), then for each \(D_s \subseteq D\) with \(t \in D_s\), there is a unique \(D'_s \subseteq D'\) with \(d(D_s,D'_s) = 1\). Lemma 3 is our generalization of this fact to the unbounded case.

We are now ready to prove Theorem 2, which we restate here for convenience.

Theorem 2

Let \(\mathcal {A}\) satisfy \(\varepsilon \)-DP. Let D be a dataset with \(|D| = n\) and choose an integer \(n' < n\). We denote \(\beta = n'/n\). Choose a subdataset \(D' \subset D\) with \(|D'| = n'\) uniformly at random. Then the mechanism which returns \(\mathcal {A}(D')\) satisfies \(\varepsilon '\)-DP, where

$$\varepsilon ' = \ln \left( \frac{e^\varepsilon \beta + 1 - \beta }{1 - \beta }\right) .$$

Proof

Let \(S \subset {\text {range}}(\mathcal {A})\) and let \(D' = D\setminus \{t\}\cup \{t'\}\) be a neighbor of D. We will use the law of total probability twice, conditioning first on whether \(t \in D_s\) (i.e. on whether \(D_s \in Y_t\) or \(D_s \in N_t\)), then on the specific subdataset chosen as \(D_s\). This gives

$$\begin{aligned} P(\mathcal {A}(D_s) \in S)= & {} \beta \sum _{D_t \in Y_t}\frac{P(\mathcal {A}(D_t) \in S)}{|Y_t|} + (1-\beta )\sum _{D_t \in N_t}\frac{P(\mathcal {A}(D_t) \in S)}{|N_t|}\\\le & {} \beta e^\varepsilon \sum _{D_t \in N_t}\frac{P(\mathcal {A}(D_t)\in S)}{|N_t|} + (1-\beta ) \sum _{D_t \in N_t}\frac{P(\mathcal {A}(D_t)\in S)}{|N_t|}\\= & {} (\beta e^\varepsilon + 1-\beta ) \sum _{D_t \in N_t}\frac{P(\mathcal {A}(D_t) \in S)}{|N_t|}\\= & {} (\beta e^\varepsilon + 1-\beta ) \sum _{D'_s \in N'_{t}}\frac{P(\mathcal {A}(D'_s) \in S)}{|N'_{t}|}. \end{aligned}$$

by the lemma and the fact that \(N_t = N'_t\). By analogous reasoning, we have

$$\begin{aligned} P(\mathcal {A}(D'_s) \in S)= & {} \beta \sum _{D'_t \in Y'_t} \frac{P(\mathcal {A}(D'_t) \in S)}{|Y'_t|} + (1-\beta )\sum _{D'_t \in N'_t}\frac{P(\mathcal {A}(D'_t) \in S)}{|N'_t|}\\ {}\ge & {} (1-\beta ) \sum _{D'_t \in N'_t}\frac{P(\mathcal {A}(D'_t) \in S)}{|N'_t|}. \end{aligned}$$

Combining these two inequalities yields

$$ P(\mathcal {A}(D_s)\in S) \le \frac{\beta e^\varepsilon + 1-\beta }{1-\beta }P(\mathcal {A}(D'_s)\in S). $$