
Integrating Differential Privacy and Contextual Integrity

Sebastian Benthall, Rachel Cummings

TL;DR

This work proposes a unified framework that merges Contextual Integrity (CI) with Differential Privacy (DP) by introducing transmission properties, capturing algorithmic privacy within CI’s normative flow model. The integration yields context-aware guidance for tuning the DP privacy budget $\epsilon$ and extends CI to analyze multi-subject, aggregated data flows common in PET-enabled analytics. Through a Census-focused case study, the authors demonstrate how distinguishing DP from swapping requires explicit transmission properties and DP parameterization, enabling normative judgments about data-release appropriateness. The framework thus offers a practical bridge between policy-oriented privacy norms and algorithmic privacy guarantees, with potential applicability to other PETs beyond DP.

Abstract

In this work, we propose the first framework for integrating Differential Privacy (DP) and Contextual Integrity (CI). DP is a property of an algorithm that injects statistical noise to obscure information about individuals represented within a database. CI defines privacy as information flow that is appropriate to social context. Analyzed together, these paradigms outline two dimensions on which to analyze privacy of information flows: descriptive and normative properties. We show that our new integrated framework provides benefits to both CI and DP that cannot be attained when each definition is considered in isolation: it enables contextually-guided tuning of the epsilon parameter in DP, and it enables CI to be applied to a broader set of information flows occurring in real-world systems, such as those involving PETs and machine learning. We conclude with a case study based on the use of DP in the U.S. Census Bureau.
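The abstract describes DP as an algorithmic property: noise is injected so that the output reveals little about any single individual, with the strength of that guarantee set by the epsilon parameter. The following is an added illustration (not code from the paper or its authors) of the classical Laplace mechanism applied to a counting query over a constructed, census-style record set. It shows the two things a practitioner needs in order to reason about tuning epsilon: how the noise scale grows as epsilon shrinks, and that the worst-case privacy loss between neighbouring databases is bounded by epsilon. The record values and the "count over 40" query are assumptions made for the example.

```python
import math
import random

# Constructed sample: ages in a tiny hypothetical census block.
# The query of interest is "how many people are over 40?", a counting
# query with sensitivity 1 (adding or removing one person changes it by at most 1).
SAMPLE_RECORDS = [34, 41, 29, 52, 67, 23, 45, 38]


def count_over_40(records):
    """The un-noised (exact) answer to the counting query."""
    return sum(1 for age in records if age > 40)


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon for the Laplace mechanism.
    Smaller epsilon (stronger privacy) means a larger scale and noisier answers."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(scale, rng):
    """Draw one Laplace(0, scale) sample by inverting the CDF on a uniform draw."""
    u = rng.random() - 0.5
    while u == -0.5:  # avoid log(0) on the (measure-zero) boundary draw
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def release_count(records, epsilon, rng, sensitivity=1.0):
    """Epsilon-DP release of the counting query: exact count plus Laplace noise."""
    return count_over_40(records) + laplace_sample(laplace_scale(sensitivity, epsilon), rng)


def max_privacy_loss(epsilon, sensitivity=1.0, outputs=range(-50, 51)):
    """Worst-case log density ratio of the mechanism's output between two
    neighbouring databases whose true counts differ by `sensitivity`.
    For the Laplace mechanism this never exceeds epsilon, which is exactly
    the epsilon-DP guarantee; the loop checks it over a grid of outputs."""
    scale = laplace_scale(sensitivity, epsilon)
    worst = 0.0
    for y in outputs:
        # log p(y | count=0) - log p(y | count=sensitivity), computed analytically
        log_ratio = (abs(y - sensitivity) - abs(y)) / scale
        worst = max(worst, abs(log_ratio))
    return worst


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed for a reproducible demo run
    print("exact count:", count_over_40(SAMPLE_RECORDS))
    for eps in (0.1, 0.5, 1.0, 5.0):
        print(f"epsilon={eps:<4} scale={laplace_scale(1.0, eps):<6} "
              f"noisy={release_count(SAMPLE_RECORDS, eps, rng):.2f} "
              f"max privacy loss={max_privacy_loss(eps):.3f}")
```

Running the script prints one noisy release per epsilon together with the noise scale and the verified privacy-loss bound; the contextual question the paper raises is which of those epsilon values constitutes an appropriate flow for a given recipient and purpose, which the mechanism alone cannot answer.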
