csharrison / aggregate-reporting-api

Aggregate Reporting API

Reporting: will it need to be based on differential privacy? #11

Open BasileLeparmentier opened 4 years ago

BasileLeparmentier commented 4 years ago

The need for a differentially private reporting scheme was mentioned several times during the discussions at the W3C and in some issues (e.g. by you on issue #3).

Can you please clarify if any reporting system will have to be based on differential privacy?

If the answer is yes, could you please share the level of differential privacy you have in mind? In other words, what order of magnitude of epsilon are you considering?

csharrison commented 4 years ago

Hey! Great question. We landed on differential privacy as a good potential way of achieving the high level goals of an aggregation service, though we are open to considering alternatives if we feel they also reach the goals. Note that the service described in that doc could be the backend for the one described in this API.

I definitely don't think that all reporting needs to be differentially private. In particular, if we can be confident the reports don't contain sensitive cross-site data joins then it may be reasonable to report them without any noise, etc. Additionally for some mechanisms full DP may be infeasible.

In terms of epsilon levels, I think we don't know until we hear more about the use-cases and the impact. Query-level epsilons will also vary wildly depending on other API parametrization (e.g. query limits for records, maximum user contributions, etc).
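As an added illustration (example code, not code from this repository or from the API) of how the parameters named above drive a query's noise: it assumes a sum query, a total per-reporter budget split evenly across the query limit (basic sequential composition), and per-user totals clamped to a contribution cap, which bounds the query's L1 sensitivity.

```python
import math
import random

# Constructed sample input: (user_id, value) records for one aggregate sum query.
SAMPLE_RECORDS = [("u1", 3), ("u1", 4), ("u2", 1), ("u3", 9), ("u3", 2), ("u4", 0)]


def laplace_noise(scale, rng):
    """Draw one Laplace(0, scale) sample by inverse-CDF transform."""
    u = rng.random() - 0.5            # uniform on [-0.5, 0.5)
    u = max(u, -0.5 + 1e-12)          # keep the log() argument positive
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def per_query_epsilon(total_epsilon, query_limit):
    """Assumed policy: split the total budget evenly over the allowed queries."""
    return total_epsilon / query_limit


def laplace_scale(epsilon, max_user_contribution):
    """Scale = sensitivity / epsilon; the contribution cap is the sum's L1 sensitivity."""
    return max_user_contribution / epsilon


def noisy_sum(records, total_epsilon, query_limit, max_user_contribution, seed=0):
    """Cap per-user contributions, sum them, add Laplace noise.
    Returns (noisy_sum, true_capped_sum, noise_scale)."""
    per_user = {}
    for uid, value in records:
        per_user[uid] = per_user.get(uid, 0) + value
    capped = sum(min(max(v, 0), max_user_contribution) for v in per_user.values())
    eps = per_query_epsilon(total_epsilon, query_limit)
    scale = laplace_scale(eps, max_user_contribution)
    rng = random.Random(seed)
    return capped + laplace_noise(scale, rng), capped, scale


def mean_abs_noise(scale, n=20000, seed=0):
    """Empirical E|noise|; for Laplace noise this equals the scale."""
    rng = random.Random(seed)
    return sum(abs(laplace_noise(scale, rng)) for _ in range(n)) / n


if __name__ == "__main__":
    noisy, true, scale = noisy_sum(SAMPLE_RECORDS, 1.0, 4, 5)
    print(f"true capped sum={true}, noise scale={scale}, noisy sum={noisy:.2f}")
```

Raising the query limit or the contribution cap raises the noise scale for the same total epsilon, which is why a per-query epsilon cannot be quoted independently of those parameters.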