Table of Contents
Fetching ...

DPolicy: Managing Privacy Risks Across Multiple Releases with Differential Privacy

Nicolas Küchler, Alexander Viand, Hidde Lycklama, Anwar Hithnawi

TL;DR

DPolicy tackles the challenge of managing cumulative privacy loss across multiple data releases by moving beyond per-release DP guarantees to an organization-wide privacy semantics framework. It introduces a high-level policy language to encode desired privacy semantics and derives concrete DP guarantees via base and extension rules. A scalable enforcement pipeline with rule pruning and a policy decision point enables tracking budgets across multiple scopes and multiple privacy units, including time-based units. Evaluations against Cohere show DPolicy can yield higher utility while respecting contextual privacy budgets, illustrating practical adoption for complex real-world releases.

Abstract

Differential Privacy (DP) has emerged as a robust framework for privacy-preserving data releases and has been successfully applied in high-profile cases, such as the 2020 US Census. However, in organizational settings, the use of DP remains largely confined to isolated data releases. This approach restricts the potential of DP to serve as a framework for comprehensive privacy risk management at an organizational level. Although one might expect that the cumulative privacy risk of isolated releases could be assessed using DP's compositional property, in practice, individual DP guarantees are frequently tailored to specific releases, making it difficult to reason about their interaction or combined impact. At the same time, less tailored DP guarantees, which compose more easily, also offer only limited insight because they lead to excessively large privacy budgets that convey limited meaning. To address these limitations, we present DPolicy, a system designed to manage cumulative privacy risks across multiple data releases using DP. Unlike traditional approaches that treat each release in isolation or rely on a single (global) DP guarantee, our system employs a flexible framework that considers multiple DP guarantees simultaneously, reflecting the diverse contexts and scopes typical of real-world DP deployments. DPolicy introduces a high-level policy language to formalize privacy guarantees, making traditionally implicit assumptions on scopes and contexts explicit. By deriving the DP guarantees required to enforce complex privacy semantics from these high-level policies, DPolicy enables fine-grained privacy risk management on an organizational scale. We implement and evaluate DPolicy, demonstrating how it mitigates privacy risks that can emerge without comprehensive, organization-wide privacy risk management.

DPolicy: Managing Privacy Risks Across Multiple Releases with Differential Privacy

TL;DR

DPolicy tackles the challenge of managing cumulative privacy loss across multiple data releases by moving beyond per-release DP guarantees to an organization-wide privacy semantics framework. It introduces a high-level policy language to encode desired privacy semantics and derives concrete DP guarantees via base and extension rules. A scalable enforcement pipeline with rule pruning and a policy decision point enables tracking budgets across multiple scopes and multiple privacy units, including time-based units. Evaluations against Cohere show DPolicy can yield higher utility while respecting contextual privacy budgets, illustrating practical adoption for complex real-world releases.

Abstract

Differential Privacy (DP) has emerged as a robust framework for privacy-preserving data releases and has been successfully applied in high-profile cases, such as the 2020 US Census. However, in organizational settings, the use of DP remains largely confined to isolated data releases. This approach restricts the potential of DP to serve as a framework for comprehensive privacy risk management at an organizational level. Although one might expect that the cumulative privacy risk of isolated releases could be assessed using DP's compositional property, in practice, individual DP guarantees are frequently tailored to specific releases, making it difficult to reason about their interaction or combined impact. At the same time, less tailored DP guarantees, which compose more easily, also offer only limited insight because they lead to excessively large privacy budgets that convey limited meaning. To address these limitations, we present DPolicy, a system designed to manage cumulative privacy risks across multiple data releases using DP. Unlike traditional approaches that treat each release in isolation or rely on a single (global) DP guarantee, our system employs a flexible framework that considers multiple DP guarantees simultaneously, reflecting the diverse contexts and scopes typical of real-world DP deployments. DPolicy introduces a high-level policy language to formalize privacy guarantees, making traditionally implicit assumptions on scopes and contexts explicit. By deriving the DP guarantees required to enforce complex privacy semantics from these high-level policies, DPolicy enables fine-grained privacy risk management on an organizational scale. We implement and evaluate DPolicy, demonstrating how it mitigates privacy risks that can emerge without comprehensive, organization-wide privacy risk management.
Paper Structure (25 sections, 1 theorem, 15 equations, 4 figures, 1 table, 2 algorithms)

This paper contains 25 sections, 1 theorem, 15 equations, 4 figures, 1 table, 2 algorithms.

Key Result

Theorem 5.1

In a poset $(R, \preceq)$, a rule $r_i = (\phi_i, u_i, B_i) \in R$ is non-constraining if $\exists r_j \in R \setminus \{r_i\}$ such that $r_i \preceq r_j$ and $B_i \geq B_j$.

Figures (4)

  • Figure 1: An example set in DPolicy, demonstrating a custom defining a global user budget, per-attribute and per-category and an extension for differentiating between standard and "black-box" ML contexts.
  • Figure 2: Hasse diagram of a poset $(R, \preceq)$: non-constraining are shown in grey, with the path to the more general under a stricter budget highlighted in bold.
  • Figure 3: Privacy cost (top) and utility (bottom) for DPolicy and Cohere in our three scenarios. For the , we report the global user-level privacy cost. For the , we show the privacy cost of the high-risk category with the largest privacy cost. Finally, for the , we show the user-month privacy cost (for time-based data) for the month with the highest privacy cost. We also show the maximum privacy costs acceptable under the 's policy as a dashed line. For Cohere, we indicate privacy costs that violate the 's with hatched bars. Similarly, we show Cohere's utility in a lighter tone if it was achieved by violating the 's .
  • Figure 4: Privacy cost for the largest-cost high-risk attribute (top) and utility (bottom) for DPolicy and Cohere.

Theorems & Definitions (4)

  • Definition 5.1
  • Theorem 5.1
  • proof
  • proof