Differential data privacy
Abstract
Systems and methods are provided for controlling privacy loss associated with database participation. In general, privacy loss can be evaluated based on information available to a hypothetical adversary with access to a database under two scenarios: a first scenario in which the database does not contain data about a particular privacy principal, and a second scenario in which the database does contain data about the privacy principal. Such evaluation can be made for example by a mechanism for determining sensitivity of at least one database query output to addition to the database of data associated with a privacy principal. An appropriate noise distribution can be calculated based on the sensitivity measurement and optionally a privacy parameter. A noise value is selected from the distribution and added to query outputs.
Claims (20)
1. A method for controlling privacy loss of a privacy principal, comprising:

determining first information that would be available to an adversary with access to a database query output, said database not containing data associated with the privacy principal;
determining second information that would be available to said adversary with access to a second database query output, said second database containing data associated with the privacy principal; and
determining a distribution of noise values to combine with a database query output such that said second information differs from said first information by an amount associated with a privacy parameter.

(Dependent claims 2, 3, 4, 5, 6 and 7 not shown.)
8. A system for interactively controlling privacy loss, comprising:

an interface for accepting at least one privacy parameter from at least one privacy principal, wherein the privacy parameter is associated with an amount of privacy loss that is acceptable to said privacy principal;
a database;
a mechanism for determining sensitivity of at least one database query output to addition to the database of data associated with said privacy principal; and
a mechanism for combining noise with database query outputs, wherein the noise is selected from a distribution that is calculated using said privacy parameter and said sensitivity of the database.

(Dependent claims 9, 10, 11, 12, 13 and 14 not shown.)
15. A computer readable medium bearing instructions for preserving privacy of a privacy principal that contributes data to a database, comprising:

instructions for combining noise with database query outputs, wherein the noise is selected from a noise distribution, wherein said noise distribution is calculated using an output sensitivity and a privacy parameter, said output sensitivity being a measure of change in a database query output due to addition to the database of data associated with said privacy principal, and said privacy parameter being associated with an amount of privacy loss.

(Dependent claims 16, 17, 18, 19 and 20 not shown.)
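The following Python is an added example, not code from the patent or from any implementation by its assignee, illustrating the mechanism the abstract and claims 1, 8 and 15 describe: measure how much a query output changes when one privacy principal's record is added to the database, derive a noise distribution from that sensitivity and the privacy parameter (epsilon), add a sampled noise value to the query output, and check numerically that the two output distributions (database with and without the principal) differ by at most a factor of exp(epsilon). The choice of the Laplace distribution with scale sensitivity/epsilon is the standard calibration and is an assumption here; the abstract only says "an appropriate noise distribution". The sample rows, candidate records, clipping bounds and all function names are constructed for the example.

```python
import math
import random
from typing import Callable, List, Sequence, Tuple

# Constructed sample database (not from the patent): rows are (principal_id, age, has_condition).
Row = Tuple[str, int, bool]
SAMPLE_DB: List[Row] = [
    ("p1", 34, True),
    ("p2", 51, False),
    ("p3", 29, True),
    ("p4", 62, False),
]
# Constructed records for privacy principals whose data might be added to the database.
CANDIDATE_ROWS: List[Row] = [("p5", 40, True), ("p6", 20, False)]

Query = Callable[[Sequence[Row]], float]


def count_query(rows: Sequence[Row]) -> float:
    """Number of rows flagged has_condition."""
    return float(sum(1 for r in rows if r[2]))


def clipped_sum_query(rows: Sequence[Row], lo: int = 0, hi: int = 100) -> float:
    """Sum of ages after clipping each value into [lo, hi]; clipping is what keeps the sensitivity bounded."""
    return float(sum(min(max(r[1], lo), hi) for r in rows))


def observed_sensitivity(query: Query, rows: Sequence[Row], candidates: Sequence[Row]) -> float:
    """Largest change in the query output caused by adding one candidate record:
    the 'database without the principal' vs 'database with the principal' comparison."""
    base = query(rows)
    return max(abs(query(list(rows) + [c]) - base) for c in candidates)


def worst_case_sensitivity(query_name: str, lo: int = 0, hi: int = 100) -> float:
    """Bound that holds for any principal, not only the candidates at hand.
    Noise must be calibrated to this value; the observed value can underestimate it."""
    if query_name == "count":
        return 1.0  # one added record changes a count by at most 1
    if query_name == "clipped_sum":
        return float(max(abs(lo), abs(hi)))  # one clipped value changes the sum by at most the bound
    raise ValueError(f"unknown query {query_name!r}")


def noise_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace scale b = sensitivity / epsilon (assumed calibration); smaller epsilon means more noise."""
    if epsilon <= 0 or sensitivity < 0:
        raise ValueError("epsilon must be positive and sensitivity non-negative")
    return sensitivity / epsilon


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse CDF; loop guards the zero-probability log(0) endpoint."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_release(query: Query, rows: Sequence[Row], sensitivity: float,
                  epsilon: float, rng: random.Random) -> float:
    """Query output combined with a noise value selected from the calibrated distribution."""
    return query(rows) + laplace_sample(noise_scale(sensitivity, epsilon), rng)


def laplace_pdf(x: float, center: float, scale: float) -> float:
    return math.exp(-abs(x - center) / scale) / (2.0 * scale)


def max_density_ratio(delta: float, scale: float, steps: int = 20001) -> float:
    """Scan the ratio of the two output densities whose true outputs differ by delta
    (with vs without the principal). Differential privacy requires it never exceed exp(epsilon)."""
    span = abs(delta) + 10.0 * scale
    best = 0.0
    for i in range(steps):
        x = -span + 2.0 * span * i / (steps - 1)
        best = max(best, laplace_pdf(x, delta, scale) / laplace_pdf(x, 0.0, scale))
    return best


if __name__ == "__main__":
    eps = 0.5  # privacy parameter supplied by the principal
    rng = random.Random(7)
    s_count = worst_case_sensitivity("count")
    print("observed count sensitivity:", observed_sensitivity(count_query, SAMPLE_DB, CANDIDATE_ROWS))
    print("observed clipped-sum sensitivity:", observed_sensitivity(clipped_sum_query, SAMPLE_DB, CANDIDATE_ROWS))
    print("worst-case clipped-sum sensitivity:", worst_case_sensitivity("clipped_sum"))
    print("noisy count:", noisy_release(count_query, SAMPLE_DB, s_count, eps, rng))
    ratio = max_density_ratio(s_count, noise_scale(s_count, eps))
    print(f"max density ratio {ratio:.4f} <= exp(eps) {math.exp(eps):.4f}")
```

The point of keeping both `observed_sensitivity` and `worst_case_sensitivity` is that the sensitivity used for calibration must cover every record a principal could contribute: the sum of ages observed here moves by 40 when the candidate aged 40 is added, but an unclipped sum has no bound at all, and only the clipping makes the worst case (100) finite. The density-ratio scan shows what the privacy parameter buys: with sensitivity 1 and epsilon 0.5 the adversary's two likelihoods never differ by more than exp(0.5), whichever output value is observed.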