Differential Privacy: Limiting One Person's Influence on Statistics
📑 On this page
- A concrete example: population report
- Neighbouring datasets
- Epsilon
- Delta
- Sensitivity
- Noise mechanisms
- The unit of privacy
- Composition
- Privacy budget
- Accuracy tradeoffs
- Post-processing
- Central and local models
- Differentially private learning
- What it does not solve
- Verification and transparency
- Knowledge check
- The one idea to remember
Publishing an aggregate does not automatically protect everyone represented in it. A sequence of precise counts can reveal whether one person's record was included.
Differential privacy offers a measurable limit.
A differentially private mechanism makes its output distribution change only slightly when any one individual's data is added or removed.
It usually achieves this by adding randomness calibrated to the query and a chosen privacy budget.
A concrete example: population report
A city wants to publish how many residents in each district use a service.
Instead of releasing exact counts, the system adds carefully calibrated random noise. Large district trends remain useful, while an observer has limited ability to determine whether one particular resident participated.
The city accounts for every released statistic in a cumulative privacy budget.
Neighbouring datasets
The definition compares two neighbouring datasets that differ in one person's participation.
If outputs from those datasets are statistically similar, seeing the output reveals limited additional information about that person's inclusion.
The guarantee does not require guessing which external facts an attacker already knows, which is one reason the framework is powerful.
Epsilon
The parameter epsilon, written ε, controls the privacy bound in a common form of differential privacy.
Smaller epsilon generally means stronger privacy and more noise. Larger epsilon permits outputs to depend more strongly on one record, often improving accuracy but weakening protection.
There is no universally correct epsilon. Selection is a policy and risk decision that must consider composition and consequences.
Delta
Approximate differential privacy also uses δ, allowing a very small probability of behavior outside the strongest bound.
Delta should be chosen carefully relative to population and threat. It is not a general permission for frequent privacy failure.
Report both parameters and the exact privacy definition used.
Sensitivity
Sensitivity measures how much a query could change when one person's data changes.
A count has low sensitivity if each person contributes at most one. A sum can have unbounded sensitivity if one person can contribute any value.
Bound contributions before adding noise:
- limit records per person,
- clip numeric values,
- and define the unit of privacy.
Noise mechanisms
Common mechanisms add noise from distributions such as Laplace or Gaussian, calibrated to sensitivity and privacy parameters.
The mechanism must be implemented as a complete reviewed algorithm. Arbitrary noise does not create differential privacy, and weak randomness can undermine the guarantee.
The unit of privacy
Decide whether one protected unit is:
- one row,
- one person,
- one household,
- one device,
- or one organization.
If a person contributes hundreds of rows but the mechanism assumes one-row changes, the stated guarantee may not match the intended protection.
Composition
Privacy loss accumulates across releases.
Ten private queries are not equivalent to one. Composition theorems bound cumulative loss, and a privacy accountant tracks it.
Repeated dashboards, experiments, model training, and analyst queries must draw from an explicit budget rather than each being considered independently.
Privacy budget
A privacy budget controls how much total influence may be exposed for a dataset or population.
Governance should define:
- who allocates budget,
- which uses consume it,
- time period,
- reset or refresh conditions,
- and what happens when it is exhausted.
Budget is a scarce resource, not merely a technical parameter.
Accuracy tradeoffs
Noise affects small groups and rare events more strongly than large aggregates.
Improve utility by:
- asking fewer questions,
- choosing useful aggregations,
- using larger groups,
- allocating budget by importance,
- exploiting known consistency constraints safely,
- and collecting enough representative data.
Do not silently remove minority groups because their statistics are harder to publish accurately.
Post-processing
Once an output is differentially private, arbitrary processing that uses only that output does not spend additional privacy budget.
Formatting, visualization, and deterministic consistency adjustments can therefore be designed after the private mechanism, provided they do not return to the raw data.
This is called immunity to post-processing.
Central and local models
In central differential privacy, a trusted curator holds raw data and releases private outputs.
In local differential privacy, each participant randomizes data before the collector receives it. Local methods reduce trust in the collector but often require more data for similar accuracy.
The trust model must match the implementation.
Differentially private learning
Training algorithms can limit the influence of each example, often by clipping per-example gradients and adding noise.
The resulting model can carry a formal privacy guarantee under stated assumptions. Quality, training cost, accounting, and implementation complexity require careful evaluation.
What it does not solve
Differential privacy does not:
- secure the raw database,
- enforce purpose limitation,
- prevent biased conclusions,
- hide group-level facts,
- guarantee accurate statistics,
- or make unlimited querying safe.
It complements access control, minimization, governance, and security.
Verification and transparency
Record:
- mechanism,
- code version,
- privacy unit,
- clipping or contribution bounds,
- epsilon and delta,
- accounting method,
- budget consumption,
- and utility evaluation.
Independent review is valuable because small implementation mistakes can invalidate a formal claim.
Knowledge check
- What are neighbouring datasets?
- How does epsilon affect privacy and accuracy?
- Why must contributions be bounded?
- What is composition?
- Which problems remain outside differential privacy?
The one idea to remember
Differential privacy gives a mathematical bound on one protected unit's influence by calibrating randomness to sensitivity and tracking cumulative disclosure. Its usefulness depends on honest parameters, contribution limits, privacy accounting, utility testing, and wider data governance.