Differential privacy is the study of how to design mechanisms which act on databases (i.e., answer queries) without leaking information about individual records.

Intuitively, a differentially private mechanism should be one which is not excessively reactive to small changes in the dataset. Let $D$ be the set of all databases, and consider a function $g$ which acts on $D$. (Think of a database as just some big data table where, e.g., each row corresponds to a different user.) For instance, given a database $x \in D$, $g(x)$ might be the size of $x$, or the total amount of user deposits in $x$, or it might ask for the number of users with some property (a "counting query"). We want to add noise to $g$ in such a way that, no matter how the database is queried, an adversary cannot back out sensitive information about any individual.

Formally, we call a (randomized) mechanism $f$ which acts on databases $(\epsilon, \delta)$-differentially private if, for all output sets $A \subset \mathrm{range}(f)$ and all databases $x$ and $z$ such that $x$ and $z$ differ by one row,

$$P(f(x) \in A) \le e^{\epsilon} P(f(z) \in A) + \delta.$$

If $δ=0$, we call $f$ $ϵ$-differentially private.

The intuition behind the definition is easier to grasp if we negate it. If $f$ is *not* differentially private, this means there exists some $A$ such that $P(f(x) \in A) \gg P(f(z) \in A)$. That is, changing just a single row of $x$ to obtain $z$ changes the output distribution considerably, meaning that $f$ is sensitive to the data. If $f$ *is* differentially private then, roughly speaking, small changes in the input result in small changes in the output distribution.
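To make the failure mode concrete, here is a toy sketch (the databases and query are hypothetical examples of mine, not from the text): an un-noised counting query cannot be $\epsilon$-differentially private for any finite $\epsilon$, because swapping one row can move an output from probability 1 to probability 0.

```python
import math

def count_query(db):
    # Deterministic counting query: number of users with the sensitive property.
    return sum(1 for row in db if row["has_property"])

# Two neighboring databases differing in exactly one row.
x = [{"has_property": True}, {"has_property": False}]
z = [{"has_property": False}, {"has_property": False}]

# Take the output set A = {1}. With no noise the mechanism is deterministic:
p_x = 1.0 if count_query(x) == 1 else 0.0  # P(f(x) in A) = 1
p_z = 1.0 if count_query(z) == 1 else 0.0  # P(f(z) in A) = 0

# With delta = 0, epsilon-DP requires p_x <= exp(epsilon) * p_z.
# Since p_x = 1 and p_z = 0, no finite epsilon satisfies this.
for epsilon in [0.1, 1.0, 10.0, 100.0]:
    assert p_x > math.exp(epsilon) * p_z
```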

A popular way to write $\epsilon$-differential privacy is as a bound on the likelihood ratio

$$\sup_{A \subset \mathrm{range}(f)} \; \sup_{x_1, x_2 \,:\, x_1 \in \delta_1(x_2)} \frac{P(f(x_1) \in A)}{P(f(x_2) \in A)} \le e^{\epsilon},$$

where $\delta_1(x)$ is the set of databases which differ by at most one row from $x$.
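For a mechanism with finitely many outputs, this supremum can be computed directly. A minimal sketch, using randomized response (a standard example of my choosing, not from the text above), in which a single user reports their true bit with probability $3/4$:

```python
import math

# Output distributions of the mechanism on two neighboring databases.
# Randomized response on one user's bit: report truthfully w.p. 3/4.
p_given_x = {0: 0.25, 1: 0.75}  # the user's true bit is 1
p_given_z = {0: 0.75, 1: 0.25}  # neighboring database: bit flipped to 0

def epsilon_of(p, q):
    # Worst-case log-likelihood ratio over outputs, in both directions.
    return max(abs(math.log(p[a] / q[a])) for a in p)

eps = epsilon_of(p_given_x, p_given_z)
print(eps)  # ln 3 ≈ 1.0986
```

Checking singleton outputs suffices here: for any set $A$, the ratio $P(A)/Q(A)$ is bounded by the largest pointwise ratio over elements of $A$.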

# Example: The Laplace Mechanism

Consider a deterministic function $g : D \to \mathbb{R}^k$. Define

$$\Delta = \sup_{x, y \,:\, x \in \delta_1(y)} \| g(x) - g(y) \|_1 = \sup_{x, y \,:\, x \in \delta_1(y)} \sum_{i=1}^{k} | g(x)_i - g(y)_i |.$$

$\Delta$ is often called the $\ell_1$-*sensitivity* of $g$. (For a counting query, for instance, $\Delta = 1$.) The Laplace mechanism is defined as

$$f(x) = g(x) + (Y_1, \ldots, Y_k),$$

where $Y_1, \ldots, Y_k \sim \mathrm{Lap}(0, \Delta/\epsilon)$ independently. Recall that the Laplace distribution $\mathrm{Lap}(a, b)$ has pdf $p(t) = (2b)^{-1} \exp(-|t - a|/b)$. To show that this mechanism is $\epsilon$-differentially private, we show that

$$\int_A P(f(x) = z) \, dz \le e^{\epsilon} \int_A P(f(y) = z) \, dz$$

for all $x \in \delta_1(y)$, where we abuse notation and write $P(f(x) = z)$ for the density of $f(x)$ at $z$. To see this, it suffices to show that for all $z \in A$, $P(f(x) = z) \le e^{\epsilon} P(f(y) = z)$, and then to integrate over $A$. Note that

$$P(f(x) = z) = \prod_{i=1}^{k} P(f(x)_i = z_i) = \prod_{i=1}^{k} P(Y_i = z_i - g(x)_i) = \prod_{i=1}^{k} \frac{\epsilon}{2\Delta} \exp\left( -\frac{\epsilon}{\Delta} |z_i - g(x)_i| \right).$$

Therefore, by the reverse triangle inequality,

$$\begin{aligned}
\frac{P(f(x) = z)}{P(f(y) = z)} &= \prod_{i=1}^{k} \exp\left( \frac{\epsilon}{\Delta} \left( |z_i - g(y)_i| - |z_i - g(x)_i| \right) \right) \\
&\le \prod_{i=1}^{k} \exp\left( \frac{\epsilon}{\Delta} |g(y)_i - g(x)_i| \right) \\
&= \exp\left( \frac{\epsilon}{\Delta} \sum_{i=1}^{k} |g(y)_i - g(x)_i| \right) \le \exp(\epsilon).
\end{aligned}$$

The last inequality holds because $\sum_{i=1}^{k} |g(y)_i - g(x)_i| = \|g(x) - g(y)\|_1 \le \Delta$ by the definition of sensitivity.

# Composition

One immediate question is how differentially private mechanisms behave under composition. For instance, can we employ multiple differentially private algorithms in tandem and retain differential privacy? Sort of.

Suppose $f_1$ and $f_2$ are $(\epsilon_1, \delta_1)$- and $(\epsilon_2, \delta_2)$-differentially private, respectively. Consider concatenating their outputs: given a database $x$, construct a new mechanism $g$ with $g(x) = (f_1(x), f_2(x))$, where we run $f_1$ and $f_2$ independently of one another. Will $g$ be differentially private?

It turns out that $g$ will be $(ϵ_{1}+ϵ_{2},δ_{1}+δ_{2})$ differentially private. You’ll often see this result referred to as “the epsilons and deltas add up.” Unfortunately, when people cite this result, they typically cite Theorem 1 of this paper, which has an incorrect proof. There is a corrected proof in the book by Dwork and Roth, but I think it’s more complicated than necessary. Here’s a simpler proof.

Note that the range of $g$ is the product space $\mathrm{range}(f_1) \times \mathrm{range}(f_2)$. Since we run $f_1$ and $f_2$ independently, we have, for any $A \times B \subset \mathrm{range}(g)$ and any neighboring databases $x$ and $z$,

$$\begin{aligned}
P(g(x) \in A \times B) &= P((f_1(x), f_2(x)) \in A \times B) \\
&= P(f_1(x) \in A) \, P(f_2(x) \in B) \\
&\le \min\{ e^{\epsilon_1} P(f_1(z) \in A) + \delta_1, 1 \} \, P(f_2(x) \in B) \\
&\le \left( \min\{ e^{\epsilon_1} P(f_1(z) \in A), 1 \} + \delta_1 \right) P(f_2(x) \in B) \\
&\le \min\{ e^{\epsilon_1} P(f_1(z) \in A), 1 \} \, P(f_2(x) \in B) + \delta_1 \\
&\le \min\{ e^{\epsilon_1} P(f_1(z) \in A), 1 \} \left( e^{\epsilon_2} P(f_2(z) \in B) + \delta_2 \right) + \delta_1 \\
&\le \min\{ e^{\epsilon_1} P(f_1(z) \in A), 1 \} \, e^{\epsilon_2} P(f_2(z) \in B) + \delta_2 + \delta_1 \\
&\le e^{\epsilon_1 + \epsilon_2} P(f_1(z) \in A) \, P(f_2(z) \in B) + \delta_1 + \delta_2 \\
&= e^{\epsilon_1 + \epsilon_2} P(g(z) \in A \times B) + \delta_1 + \delta_2.
\end{aligned}$$

Here we've just used basic facts about the min function and the fact that probabilities are at most 1. Of course, we can extend this result by induction and conclude that, given finitely many mechanisms $\{f_i\}$ where $f_i$ is $(\epsilon_i, \delta_i)$-differentially private, the mechanism $g : D \to \prod_i \mathrm{range}(f_i)$ given by $g : x \mapsto (f_1(x), \ldots, f_n(x))$ is $(\sum_i \epsilon_i, \sum_i \delta_i)$-differentially private.
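The composition rule is easy to exercise in code. Here is a minimal sketch (the helper names and the bookkeeping convention of returning an `(answer, (epsilon, delta))` pair are my own, not a standard API), running two Laplace mechanisms on the same toy database and concatenating the results:

```python
import math
import random

def sample_laplace(scale):
    # Inverse-CDF sampling from Lap(0, scale) using one uniform variate.
    u = random.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def laplace_mechanism(g, x, sensitivity, epsilon):
    # Noised query answer together with its privacy cost (epsilon, 0).
    answer = g(x) + sample_laplace(sensitivity / epsilon)
    return answer, (epsilon, 0.0)

def compose(*results):
    # Concatenate independently run mechanisms: the epsilons and deltas add up.
    answers = tuple(ans for ans, _ in results)
    eps = sum(e for _, (e, _) in results)
    delta = sum(d for _, (_, d) in results)
    return answers, (eps, delta)

db = [1, 0, 1, 1, 0]  # toy database: one bit per user

# Two counting queries, each with l1-sensitivity 1.
r1 = laplace_mechanism(sum, db, sensitivity=1.0, epsilon=0.5)
r2 = laplace_mechanism(lambda d: sum(1 for v in d if v == 0), db,
                       sensitivity=1.0, epsilon=0.25)

answers, (eps, delta) = compose(r1, r2)
# The pair of answers is (0.75, 0)-differentially private.
```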

We can also consider deterministic post-processing, and demonstrate that it does not affect the privacy guarantees. Indeed, suppose $f : D \to U$ is $(\epsilon, \delta)$-differentially private and let $g : U \to V$ be deterministic and invertible. Then for any $W \subset V$ and neighboring databases $x$ and $y$,

$$P(g \circ f(x) \in W) = P(f(x) \in g^{-1}(W)) \le e^{\epsilon} P(f(y) \in g^{-1}(W)) + \delta = e^{\epsilon} P(g \circ f(y) \in W) + \delta,$$

so $g \circ f$ is $(\epsilon, \delta)$-differentially private.
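A small sketch of the same fact (the mechanism output and the rescaling map are hypothetical examples of mine): applying an invertible deterministic map to a private output leaves $(\epsilon, \delta)$ untouched, so the accounting simply passes through.

```python
def postprocess(result, fn):
    # Apply a deterministic map to a mechanism's output;
    # the privacy parameters (epsilon, delta) pass through unchanged.
    answer, (eps, delta) = result
    return fn(answer), (eps, delta)

# Suppose some (0.5, 0)-differentially private mechanism returned 3.7.
noised = (3.7, (0.5, 0.0))

# Rescale the answer with an invertible affine map; still (0.5, 0)-private.
rescaled, (eps, delta) = postprocess(noised, lambda t: 2.0 * t + 1.0)
```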

# DP in practice

Differential privacy is now used in many applications. Apple started using it in macOS Sierra and has since expanded its use to Safari. Google used differential privacy when gathering insights from searches related to Covid-19, and for its Covid-19 mobility reports. Other adopters include LinkedIn, Microsoft, and Uber.