SLDP: Semi-Local Differential Privacy for Density-Adaptive Analytics

Alexey Kroshnin, Alexandra Suvorikova

TL;DR

The paper tackles utility loss in Local Differential Privacy for density-aware, high-resolution analytics. It introduces Semi-Local Differential Privacy (SLDP), an interactive framework where privacy regions adapt to local data density and adjacency is defined by movement within a region, decoupling privacy cost from refinement depth. A two-party protocol privately discovers a data-dependent partition with $k$-anonymity and proves $(\varepsilon,\delta)$-SLDP for transcripts, enabling arbitrarily deep refinements without extra budget. Empirical results across mean estimation, classification, and spatial queries show SLDP outperforms standard LDP and approaches central DP in utility, with strong performance on real-world geospatial datasets. This framework offers a practical balance between privacy and utility for density-aware analytics in location-based and spatial domains.

Abstract

Density-adaptive domain discretization is essential for high-utility privacy-preserving analytics but remains challenging under Local Differential Privacy (LDP) due to the privacy-budget costs associated with iterative refinement. We propose a novel framework, Semi-Local Differential Privacy (SLDP), that assigns a privacy region to each user based on local density and defines adjacency by the potential movement of a point within its privacy region. We present an interactive $(\varepsilon, \delta)$-SLDP protocol, orchestrated by an honest-but-curious server over a public channel, to estimate these regions privately. Crucially, our framework decouples the privacy cost from the number of refinement iterations, allowing for high-resolution grids without additional privacy budget cost. We experimentally demonstrate the framework's effectiveness on estimation tasks across synthetic and real-world datasets.
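
The following is an added illustration, not code from the paper or its authors, of why defining adjacency by movement inside a density-dependent privacy region helps utility: each user's Laplace noise is calibrated to the size of their own region instead of the whole domain. It assumes the regions are already known (here they are computed non-privately by a hypothetical "deepest dyadic cell with at least k users" rule, which stands in for the interactive protocol the abstract describes), and all function names, parameters and the sample data are constructed for this sketch.

```python
import math
import random
from collections import Counter

def region_sides(points, k, max_depth):
    """Side of each user's privacy region: the deepest dyadic cell of [0,1]^2
    that still holds at least k users (hypothetical, non-private rule)."""
    sides = [1.0] * len(points)
    for depth in range(1, max_depth + 1):
        m = 2 ** depth
        cells = [(min(int(x * m), m - 1), min(int(y * m), m - 1)) for x, y in points]
        counts = Counter(cells)
        for i, c in enumerate(cells):
            if counts[c] >= k:  # counts only shrink with depth, so this keeps the deepest
                sides[i] = 1.0 / m
    return sides

def laplace(rng, scale):
    # The difference of two i.i.d. Exp(1) draws is Laplace(0, 1).
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def mean_rmse(points, scales, rng, trials):
    """RMSE of the mean of per-user Laplace reports against the true mean."""
    n = len(points)
    tx = sum(x for x, _ in points) / n
    ty = sum(y for _, y in points) / n
    total = 0.0
    for _ in range(trials):
        ex = sum(x + laplace(rng, b) for (x, _), b in zip(points, scales)) / n
        ey = sum(y + laplace(rng, b) for (_, y), b in zip(points, scales)) / n
        total += (ex - tx) ** 2 + (ey - ty) ** 2
    return math.sqrt(total / trials)

def compare(n=2000, eps=1.0, k=20, max_depth=6, trials=30, seed=7):
    rng = random.Random(seed)
    clip = lambda v: min(max(v, 0.0), 1.0)
    # Constructed sample: 80% in a tight cluster, 20% uniform background.
    pts = [(clip(rng.gauss(0.3, 0.03)), clip(rng.gauss(0.6, 0.03))) if i % 5
           else (rng.random(), rng.random()) for i in range(n)]
    sides = region_sides(pts, k, max_depth)
    # L1 diameter of a square of side s is 2s, so Laplace scale 2s/eps per coordinate
    # hides any move inside the region; plain LDP must cover the whole domain (s = 1).
    ldp = mean_rmse(pts, [2.0 / eps] * n, rng, trials)
    sldp = mean_rmse(pts, [2.0 * s / eps for s in sides], rng, trials)
    return sides, ldp, sldp

if __name__ == "__main__":
    sides, ldp, sldp = compare()
    print(f"region sides: {min(sides):.4f}..{max(sides):.4f}  RMSE LDP={ldp:.4f}  SLDP={sldp:.4f}")
```

Because the regions in this sketch are derived from the raw points, it shows only the noise-scaling effect at a fixed $\varepsilon$; it carries no privacy guarantee for the region assignment itself.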

Paper Structure (15 sections, 2 theorems, 32 equations, 9 figures, 2 algorithms)

This paper contains 15 sections, 2 theorems, 32 equations, 9 figures, 2 algorithms.

Key Result

Lemma 4.1

Fix an arbitrary iteration $t \in [T]$ and let the corresponding frontier be $\mathcal{F}_t = \sqcup_{j\in [J_t]} F^{j}_t$. Fix some cell $F^{j}_t$ with its parent cell $F^{p(j)}_{t-1}$. Let $I_{p(j)}$ be the set of active users in the parent cell. Let $n(F^j_t)$ be the true number of users within c where $n(F^{p(j)}_{t-1}) := |I_{p(j)}|$.

Figures (9)

  • Figure 1: SLDP function-value release ($N=3\cdot 10^4$ points). From left to right: the private data-adaptive quadtree partition $\hat{\mathcal{F}}_{\mathcal{P}}(\mathbf{X})$ produced by SLDP (left); ground-truth signal $f(x)=\exp(-\|x\|^2/(2\sigma^2))$ evaluated at the samples; noisy function-value reports under our SLDP with total privacy budget $\varepsilon=1.0$ (and $\delta=0.05$ for SLDP); standard LDP with $\varepsilon=1.0$.
  • Figure 2: Mean estimation performance under privacy. (a) Convergence comparison for Centralized DP, standard LDP, and SLDP. (b) Error distributions across $N$ and $\varepsilon$.
  • Figure 3: Classification utility (F1-Score) on the California Housing dataset. Comparison of predictive performance across Random Forest, k-NN, and Logistic Regression classifiers trained on data perturbed by SLDP (Ours), Standard LDP, and Geo-Indistinguishability mechanisms. Results are averaged over 60 independent runs with varying privacy budgets $\varepsilon \in [0.1, 10]$. Shaded areas indicate the standard deviation.
  • Figure 4: Accuracy of spatial range queries on real-world datasets. Mean Relative Error (MRE) vs. privacy budget ($\varepsilon$) for the Brightkite, Geolife, Gowalla, and Porto Taxi datasets ($N\in\{5\cdot 10^3, 20\cdot 10^3\}$).
  • Figure 5: The plot illustrates the binary classification task: predicting whether a house value is above (red, Class 1) or below (blue, Class 0) the global median based on geospatial coordinates ($X_i \in [0, 1]^2$).
  • ...and 4 more figures

Theorems & Definitions (10)

  • Example 2.1: DP mean estimator
  • Example 2.2: LDP mean estimator
  • Definition 3.1: Local Neighbors
  • Definition 3.2: Semi-Local Differential Privacy (SLDP)
  • Example 3.1: SLDP mean estimator
  • Lemma 4.1
  • proof
  • Theorem 4.1: Algorithm is SLDP
  • proof
  • Remark 4.1