
Smooth Sensitivity for Geo-Privacy

Abstract

Suppose each user $i$ holds a private value $x_i$ in some metric space $(U, \mathrm{dist})$, and an untrusted data analyst wishes to compute $\sum_i f(x_i)$ for some function $f : U \rightarrow \mathbb{R}$ by asking each user to send in a privatized $f(x_i)$. This is a fundamental problem in privacy-preserving population analytics, and the local model of differential privacy (LDP) is the predominant model under which the problem has been studied. However, LDP requires any two different $x_i, x'_i$ to be $\varepsilon$-distinguishable, which can be overly strong for geometric/numerical data. On the other hand, Geo-Privacy (GP) stipulates that the level of distinguishability be proportional to $\mathrm{dist}(x_i, x_i')$, providing an attractive alternative notion of personal data privacy in a metric space. However, existing GP mechanisms for this problem, which add a uniform noise to either $x_i$ or $f(x_i)$, are not satisfactory. In this paper, we generalize the smooth sensitivity framework from Differential Privacy to Geo-Privacy, which allows us to add noise tailored to the hardness of the given instance. We provide definitions, mechanisms, and a generic procedure for computing the smooth sensitivity under GP equipped with a general metric. Then we present three applications: one-way and two-way threshold functions, and Gaussian kernel density estimation, to demonstrate the applicability and utility of our smooth sensitivity framework.
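The contrast between LDP and GP in the abstract can be made concrete with the simplest of the "uniform noise" GP mechanisms it mentions: each user adds Laplace noise to $x_i$ and reports a one-way threshold $f(x) = \mathbb{1}[x \ge t]$ of the noisy value. The example below is added here and is not code from the paper; it assumes a one-dimensional metric $\mathrm{dist}(x, x') = |x - x'|$, Laplace scale $1/\varepsilon$, and checks the $\varepsilon \cdot \mathrm{dist}(x, x')$ distinguishability bound of GP against the flat $\varepsilon$ bound that LDP would demand.

```python
import math
import random

def laplace_cdf(z: float, b: float) -> float:
    """CDF of the zero-mean Laplace distribution with scale b."""
    if z < 0:
        return 0.5 * math.exp(z / b)
    return 1.0 - 0.5 * math.exp(-z / b)

def prob_report_one(x: float, t: float, eps: float) -> float:
    """P[ f(x + Z) = 1 ] for Z ~ Laplace(1/eps), f the one-way threshold at t."""
    return 1.0 - laplace_cdf(t - x, 1.0 / eps)

def privacy_loss(x: float, xp: float, t: float, eps: float) -> float:
    """Worst-case |ln P[y | x] - ln P[y | x']| over the two possible reports y."""
    p1, q1 = prob_report_one(x, t, eps), prob_report_one(xp, t, eps)
    return max(abs(math.log(p1) - math.log(q1)),
               abs(math.log(1.0 - p1) - math.log(1.0 - q1)))

def satisfies_geo_privacy(x: float, xp: float, t: float, eps: float) -> bool:
    """GP: distinguishability bounded by eps * dist(x, x')  (assumed 1-D metric)."""
    return privacy_loss(x, xp, t, eps) <= eps * abs(x - xp) + 1e-9

def satisfies_ldp(x: float, xp: float, t: float, eps: float) -> bool:
    """LDP: distinguishability bounded by eps regardless of how far apart x, x' are."""
    return privacy_loss(x, xp, t, eps) <= eps + 1e-9

def privatize(x: float, t: float, eps: float, rng: random.Random) -> int:
    """What a user actually sends: the threshold applied to x plus Laplace(1/eps) noise."""
    u = rng.random() - 0.5                      # inverse-CDF Laplace sample
    z = -(1.0 / eps) * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return 1 if x + z >= t else 0

if __name__ == "__main__":
    # Constructed values: two users far apart (dist = 10) and two close together (dist = 0.1).
    for x, xp in [(5.0, -5.0), (0.1, 0.0)]:
        loss = privacy_loss(x, xp, t=0.0, eps=1.0)
        print(f"x={x:5.1f} x'={xp:5.1f} loss={loss:.3f} "
              f"GP={satisfies_geo_privacy(x, xp, 0.0, 1.0)} LDP={satisfies_ldp(x, xp, 0.0, 1.0)}")
    rng = random.Random(0)
    print("sample report:", privatize(5.0, 0.0, 1.0, rng))
```

The far-apart pair shows why the abstract calls LDP overly strong for numerical data: the same mechanism is fine under GP (loss well under $\varepsilon \cdot 10$) but violates the flat LDP bound of $\varepsilon$.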
