Select a privacy-preserving approach for reporting statistics

[jonathanmayer]

Seems like we're leaning toward decentralized differential privacy with prespecified statistics.

Some related work:

• Apple
  • https://machinelearning.apple.com/docs/learning-with-privacy-at-scale/appledifferentialprivacysystem.pdf
• Microsoft
  • http://papers.nips.cc/paper/6948-collecting-telemetry-data-privately.pdf
• Google
  • https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/42852.pdf
  • https://content.sciendo.com/view/journals/popets/2016/3/article-p41.xml
• SIGMOD Tutorial
  • https://dl.acm.org/citation.cfm?id=3197390
  • https://www.youtube.com/watch?v=LQ8f0cV-Qdk
  • https://www.youtube.com/watch?v=sztL9G4RE-w
  • https://www.youtube.com/watch?v=x_UiFuNqcOQ
• Recent Academic Papers
  • https://dl.acm.org/citation.cfm?id=2746632
  • https://dl.acm.org/citation.cfm?id=2746632
  • https://dl.acm.org/citation.cfm?id=2978409
  • https://www.ndss-symposium.org/wp-content/uploads/2017/09/efficient-private-statistics-with-succinct-sketches.pdf
  • http://proceedings.mlr.press/v48/kairouz16.pdf
  • http://papers.nips.cc/paper/6823-practical-locally-private-heavy-hitters.pdf
  • https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-wang-tianhao.pdf
  • https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-avent.pdf
  • https://dl.acm.org/citation.cfm?id=3196981
  • https://ieeexplore.ieee.org/document/8418600

[rhelmer]

Apologies if I missed it, but we have https://crypto.stanford.edu/prio/paper.pdf implemented in Firefox (and exposed to privileged JS) as well as some server side and analysis tools, both implemented using https://github.com/mozilla/libprio

So it would be worth considering :)

[jonathanmayer]

Closing this out. After a number of discussions, the current privacy model is a combination of informed consent, strict access controls, and client-side aggregation where possible. We'll explore the feasibility of local differential privacy in future.