"Differential privacy is the gold standard definition of privacy protection."
Differential privacy is nice, but it's still tracking and "less tracking" is absolutely not the gold standard definition of privacy protection. That title goes to "no tracking"
Privacy is not just relevant to advertising. There are a huge number of research opportunities in the social sciences that could benefit and can help make the world better.
Show me what data you've collected and would like to share, including metadata, and if you ask nicely then most of the time I'd be more than happy to share it.
Things like emoji usage, page navigations, feature uses, etc. Ideally anonymous; no IP, user agent, etc, just a small byte or two packed properly can go a long way.
The problem is that it's actually quite hard to reliably anonymize data especially once you start to begin combining data sets from multiple places. That's the problem differential privacy is trying to solve in a mathematically rigorous way.
See for example how researchers partially de-anonymized Netflix Prize data by cross-referencing it with IMDB reviews.
It's not possible to reliably anonymize data and still be able to infer something from it, the idea is just too logically broken. Because the whole reason for anonymity is to make sure no information about any individual or a set of individuals of the size decided by those seeking such protection can be inferred from the data by the parties that want to infer something from it. While "differential privacy" assumes that not being able to infer information about relatively small sized sets of individuals decided by the parties who want to infer something from the data is "privacy". It isn't of course, it's a pretty dystopian use of the word privacy. Hence why corporations love this stuff, privacy without privacy is godsent to them.
Each of these could be stored separately without metadata then aggregated no problem. Things marked * could be left out, and some things could be randomized up or down buckets and such.
Here's the fallacy: people think if they collect ALL the data, they will have the best results with whatever problem they're trying to solve.
Right now you're probably wondering, yeah, but there's this one problem that wouldn't have been solved if x or y....
But really it's just hoarding behavior. They're trying to collect it all. Statistical significance is reached very quickly and after that point they're doing harm to society.
This is roughly analogous to "abstinence is the best form of birth control". It's not wrong, but it also isn't particularly realistic or helpful. The reality is that people often do want to exchange data, some times because it is legally or morally mandated, and tools that allow this to be done as safely as possible are important.
I'm all for these tools being published and used where appropriate. I'm only criticizing their description as the "gold standard for privacy protection" which seems disingenuous.
Sex is a human need. Tracking people isn’t. Collecting data on people is rarely done because of a legal or moral reason. And for those cases (like medical studies) pseudonymisation and anonymisation already works well.
the focus of the project seems not to be on differential privacy as used by private companies but by scientists. in many cases you can't (US Census, medical records) or wouldn't want to (public health research) stop collecting the data. and allowing privacy-preserving statistical queries from outside researchers has the potential to be very useful.
> allowing privacy-preserving statistical queries from outside researchers has the potential to be very useful
This depends on how many researchers and queries per researcher that you want to allow. The privacy budget eventually runs out, so there are definitely drawbacks that prevent effective use of this data across enough outside researchers.
> The amount of information revealed from each query is calculated and deducted from an overall privacy budget to halt additional queries
this is why DP doesn't get used in any real system -- limited # of searches is a deal breaker for any service that wants to monetize
there are some applications where this could be okay, like in-company surveys where you want to enable employees to run stats queries without revealing individuals, but companies are (relatively) high trust environments and DP is overkill
DP is used in many large-scale production systems. For example, Google used it in their COVID-19 mobility reports [1].
Also, there are implementations of DP that do not rely on limiting queries. Lastly, most companies aren't "high trust" environments. There are tons of stories about employees routinely abuse their company's data. Companies with any sensitive data should be looking at DP and other anonymization techniques even if their data is only ever shown to their employees.
22 comments
[ 2.7 ms ] story [ 52.0 ms ] thread"Differential privacy is the gold standard definition of privacy protection."
Differential privacy is nice, but it's still tracking and "less tracking" is absolutely not the gold standard definition of privacy protection. That title goes to "no tracking"
Things like emoji usage, page navigations, feature uses, etc. Ideally anonymous; no IP, user agent, etc, just a small byte or two packed properly can go a long way.
The problem is that it's actually quite hard to reliably anonymize data especially once you start to begin combining data sets from multiple places. That's the problem differential privacy is trying to solve in a mathematically rigorous way.
See for example how researchers partially de-anonymized Netflix Prize data by cross-referencing it with IMDB reviews.
DDG:
iOS: Each of these could be stored separately without metadata then aggregated no problem. Things marked * could be left out, and some things could be randomized up or down buckets and such.Right now you're probably wondering, yeah, but there's this one problem that wouldn't have been solved if x or y....
But really it's just hoarding behavior. They're trying to collect it all. Statistical significance is reached very quickly and after that point they're doing harm to society.
"Everything you say can and will be used against you"
All they study is ways you are bad, and all they research is ways to keep you down.
If anyone reaches the wrong conclusion "maybe they are innocent.." Then it only takes two seconds, then they are fired.
Privacy from social scientists is one of the most important forms of privacy.
This is roughly analogous to "abstinence is the best form of birth control". It's not wrong, but it also isn't particularly realistic or helpful. The reality is that people often do want to exchange data, some times because it is legally or morally mandated, and tools that allow this to be done as safely as possible are important.
If you have free cycles, you can read more here:
https://github.com/frankmcsherry/blog/blob/master/posts/2017...
This depends on how many researchers and queries per researcher that you want to allow. The privacy budget eventually runs out, so there are definitely drawbacks that prevent effective use of this data across enough outside researchers.
this is why DP doesn't get used in any real system -- limited # of searches is a deal breaker for any service that wants to monetize
there are some applications where this could be okay, like in-company surveys where you want to enable employees to run stats queries without revealing individuals, but companies are (relatively) high trust environments and DP is overkill
It was used for the 2020 US Census.
There are some techniques like exposing randomized subsets for a limited number of queries.
how is access to the privacy prioritized?
Also, there are implementations of DP that do not rely on limiting queries. Lastly, most companies aren't "high trust" environments. There are tons of stories about employees routinely abuse their company's data. Companies with any sensitive data should be looking at DP and other anonymization techniques even if their data is only ever shown to their employees.
[1] https://www.google.com/covid19/mobility/