Official statistics organizations are charged with collecting information from individuals or establishments, and publishing aggregate data to serve the public interest. For example, the [[1790 United States Census]] collected information about individuals living in the United States and published tabulations based on sex, age, race, and condition of servitude. Statistical organizations have long collected information under a promise of [[confidentiality]] that the information provided will be used for statistical purposes, but that the publications will not produce information that can be traced back to a specific individual or establishment. To accomplish this goal, statistical organizations have long suppressed information in their publications. For example, in a table presenting the sales of each business in a town grouped by business category, a cell that has information from only one company might be suppressed, in order to maintain the confidentiality of that company's specific sales.

The adoption of electronic information processing systems by statistical agencies in the 1950s and 1960s dramatically increased the number of tables that a statistical organization could produce and, in so doing, significantly increased the potential for an improper disclosure of confidential information. For example, if a business that had its sales numbers suppressed also had those numbers appear in the total sales of a region, then it might be possible to determine the suppressed value by subtracting the other sales from that total. But there might also be combinations of additions and subtractions that might cause the private information to be revealed. The number of combinations that needed to be checked increases exponentially with the number of publications, and it is potentially unbounded if data users are able to make queries of the statistical database using an interactive query system.
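
A minimal sketch of such a differencing attack (all figures invented for illustration):

<syntaxhighlight lang="python">
# Published table: sales by business, with one cell suppressed for confidentiality.
# All figures here are invented for illustration.
published = {"Bakery A": 120_000, "Bakery B": 95_000}   # "Bakery C" suppressed
regional_total = 260_000                                # total includes Bakery C

# The suppressed cell falls out by simple subtraction from the published total.
recovered = regional_total - sum(published.values())
print(recovered)  # 45000 -- Bakery C's confidential sales figure
</syntaxhighlight>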
Since then, subsequent research has demonstrated many ways to produce very accurate statistics from a database while still ensuring high levels of privacy.<ref name=":5" /><ref name=":6" />

==ε-differential privacy==
The 2006 Dwork, McSherry, Nissim and Smith article introduced the concept of ε-differential privacy, a mathematical definition for the privacy loss associated with any data release drawn from a statistical database. (Here, the term ''statistical database'' means a set of data that are collected under the pledge of confidentiality for the purpose of producing statistics that, by their production, do not compromise the privacy of those individuals who provided the data.)

The intuition for the 2006 definition of ε-differential privacy is that a person's privacy cannot be compromised by a statistical release if their data are not in the database. Therefore, with differential privacy, the goal is to give each individual roughly the same privacy that would result from having their data removed. That is, the statistical functions run on the database should not overly depend on the data of any one individual.

Of course, how much any individual contributes to the result of a database query depends in part on how many people's data are involved in the query. If the database contains data from a single person, that person's data contributes 100%. If the database contains data from a hundred people, each person's data contributes just 1%. The key insight of differential privacy is that as the query is made on the data of fewer and fewer people, more noise needs to be added to the query result to produce the same amount of privacy. Hence the name of the 2006 paper, "Calibrating noise to sensitivity in private data analysis."

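To make the calibration concrete (an illustration of ours, not an example from the paper): for a query that averages values lying in <math>[0,1]</math> over <math>n</math> people, one person's data can move the result by at most <math>1/n</math>, so the sensitivity-calibrated Laplace mechanism described below uses noise of scale

:<math>\lambda = \frac{\Delta f}{\epsilon} = \frac{1}{n\epsilon},</math>

which is small relative to the answer when <math>n = 100</math>, but as large as the entire answer range when <math>n = 1</math> and <math>\epsilon = 1</math>.
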
The 2006 paper presents both a mathematical definition of differential privacy and a mechanism based on the addition of Laplace noise (i.e. noise coming from the [[Laplace distribution]]) that satisfies the definition.

===Definition of ε-differential privacy===
Let ε be a positive [[real number]] and <math>\mathcal{A}</math> be a [[randomized algorithm]] that takes a dataset as input (representing the actions of the trusted party holding the data).
Let <math>\textrm{im}\ \mathcal{A}</math> denote the [[image (mathematics)|image]] of <math>\mathcal{A}</math>. The algorithm <math>\mathcal{A}</math> is said to provide <math>\epsilon</math>-differential privacy if, for all datasets <math>D_1</math> and <math>D_2</math> that differ on a single element (i.e., the data of one person), and all subsets <math>S</math> of <math>\textrm{im}\ \mathcal{A}</math>:

:<math>\Pr[\mathcal{A}(D_1) \in S] \leq \exp\left(\epsilon\right) \cdot \Pr[\mathcal{A}(D_2) \in S],</math>

where the probability is taken over the [[randomness]] used by the algorithm.<ref name="DPBook" />

Differential privacy offers strong and robust guarantees that facilitate modular design and analysis of differentially private mechanisms due to its [[#Composability|composability]], [[#Robustness to post-processing|robustness to post-processing]], and graceful degradation in the presence of [[#Group privacy|correlated data]].

===Composability===
(Self-)composability refers to the fact that the joint distribution of the outputs of (possibly adaptively chosen) differentially private mechanisms satisfies differential privacy.

Parallel composition: if the previous mechanisms are computed on disjoint subsets of the private database, then the function <math>g</math> is <math>(\max_i \epsilon_i)</math>-differentially private.

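Concretely, composing <math>\epsilon_i</math>-differentially private mechanisms on the same database yields <math>(\sum_i \epsilon_i)</math>-differential privacy, while running them on disjoint subsets costs only <math>(\max_i \epsilon_i)</math>. A toy budget accountant that tracks nothing but ε (our simplification, not a library API):

<syntaxhighlight lang="python">
# Toy epsilon accountant for the two composition rules above.
def sequential_epsilon(epsilons):
    # Mechanisms applied to the same database: budgets add up.
    return sum(epsilons)

def parallel_epsilon(epsilons):
    # Mechanisms applied to disjoint subsets: the worst mechanism dominates.
    return max(epsilons)

print(sequential_epsilon([0.1, 0.5, 0.4]))  # 1.0
print(parallel_epsilon([0.1, 0.5, 0.4]))    # 0.5
</syntaxhighlight>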
===Robustness to post-processing===
For any deterministic or randomized function <math>F</math> defined over the image of the mechanism <math>\mathcal{A}</math>, if <math>\mathcal{A}</math> satisfies ε-differential privacy, so does <math>F(\mathcal{A})</math>.
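
For example (a sketch of ours), rounding and clamping a noisy differentially private count is such an <math>F</math>, and therefore consumes no additional privacy budget:

<syntaxhighlight lang="python">
# F may be any function that does not look at the raw data again.
def postprocess(noisy_count):
    # Round to an integer and clamp to a plausible range: still epsilon-DP.
    return max(0, round(noisy_count))

print(postprocess(-1.7))  # 0
</syntaxhighlight>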

===Sensitivity===
Let <math>d</math> be a positive integer, <math>\mathcal{D}</math> be a collection of datasets, and <math>f \colon \mathcal{D} \rightarrow \mathbb{R}^d</math> be a function. The sensitivity of a function, denoted <math>\Delta f</math>, is defined by

:<math>\Delta f=\max \lVert f(D_1)-f(D_2) \rVert_1,</math>

where the maximum is over all pairs of datasets <math>D_1</math> and <math>D_2</math> in <math>\mathcal{D}</math> differing in at most one element and <math>\lVert \cdot \rVert_1</math> denotes the <math>\ell_1</math> norm.
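
For instance (a standard example, code ours), a query that counts records with a given attribute has sensitivity <math>\Delta f = 1</math>, because two datasets differing in one element can change the count by at most one:

<syntaxhighlight lang="python">
# Empirically probe the sensitivity of a counting query f on 0/1 records.
def f(dataset):
    return sum(dataset)  # how many records have the attribute

d1 = [1, 1, 0, 0, 1, 0]
d2 = list(d1)
d2[4] = 0                # neighbouring dataset: one person's record changed

print(abs(f(d1) - f(d2)))  # 1 -- never exceeds Delta f = 1 for any neighbours
</syntaxhighlight>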

For a mechanism <math>\mathcal{T}_{\mathcal{A}}</math> that adds noise drawn from a density <math>\text{noise}(\cdot)</math> to the true answer <math>f(x)</math>, the ratio of the output densities under two neighbouring datasets <math>D_1</math> and <math>D_2</math> is

:<math>\frac{\mathrm{pdf}(\mathcal{T}_{\mathcal{A},D_1}(x)=t)}{\mathrm{pdf}(\mathcal{T}_{\mathcal{A},D_2}(x)=t)} = \frac{\text{noise}(t-f(D_1))}{\text{noise}(t-f(D_2))},\,\!</math>

which is at most <math>e^{\frac{|f(D_{1})-f(D_{2})|}{\lambda}}\leq e^{\frac{\Delta(f)}{\lambda}}\,\!</math>. We can consider <math>\frac{\Delta(f)}{\lambda}\,\!</math> to be the privacy factor <math>\epsilon\,\!</math>. Thus <math>\mathcal{T}\,\!</math> follows a differentially private mechanism (as can be seen from [[#ε-differential privacy|the definition above]]). If we try to use this concept in our diabetes example then it follows from the above derived fact that in order to have <math>\mathcal{A}\,\!</math> as the <math>\epsilon\,\!</math>-differential private algorithm we need to have <math>\lambda=1/\epsilon\,\!</math>. Though we have used Laplace noise here, other forms of noise, such as the Gaussian Noise, can be employed, but they may require a slight relaxation of the definition of differential privacy.<ref name="Dwork, ICALP 2006" />
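
A numeric spot-check of this bound (all values invented for illustration):

<syntaxhighlight lang="python">
import math

def laplace_pdf(t, mean, scale):
    return math.exp(-abs(t - mean) / scale) / (2 * scale)

f_d1, f_d2, lam = 3.0, 4.0, 2.0   # |f(D1) - f(D2)| = 1 = Delta(f), lambda = 2

# Scan the output space on a grid; the density ratio stays below the bound.
worst_ratio = max(laplace_pdf(t / 10, f_d1, lam) / laplace_pdf(t / 10, f_d2, lam)
                  for t in range(-100, 101))
print(worst_ratio, math.exp(1 / lam))  # never exceeds e^(Delta(f)/lambda)
</syntaxhighlight>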

For example, consider the medical database below, in which each record notes whether or not the person has diabetes (1 if yes, 0 if no):

{| class="wikitable"
! Name !! Has Diabetes (X)
|-
|Ross||1
|-
|Monica||1
|-
|Joey||0
|-
|Phoebe||0
|-
|Chandler||1
|-
|Rachel||0
|}
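
A sketch of the Laplace mechanism for a counting query over this table (parameter choices ours): the query "how many people have diabetes" has sensitivity <math>\Delta(f)=1</math>, so noise of scale <math>\lambda=1/\epsilon</math> suffices, and an adversary comparing outputs on <math>D_1</math> and a neighbouring <math>D_2</math> learns little about Chandler's row.

<syntaxhighlight lang="python">
import math
import random

def laplace_mechanism(true_value, sensitivity, epsilon):
    scale = sensitivity / epsilon
    # A Laplace(0, scale) sample as the difference of two exponentials.
    noise = scale * (random.expovariate(1.0) - random.expovariate(1.0))
    return true_value + noise

# D1 is the table above; D2 differs only in Chandler's row.
d1 = {"Ross": 1, "Monica": 1, "Joey": 0, "Phoebe": 0, "Chandler": 1, "Rachel": 0}
d2 = dict(d1, Chandler=0)

for db in (d1, d2):
    print(laplace_mechanism(sum(db.values()), sensitivity=1, epsilon=math.log(3)))
</syntaxhighlight>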

A simple example, developed in the social sciences, is to ask a person to answer the question "Do you own the attribute ''A''?" according to the following procedure:

#Toss a coin.
#If heads, then toss the coin again (ignoring the outcome), and answer the question honestly.
#If tails, then toss the coin again and answer "Yes" if heads, "No" if tails.

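A direct transcription of this procedure, together with the standard de-biasing step (the estimator and the example rate of 30% are additions of ours):

<syntaxhighlight lang="python">
import random

def randomized_response(truth):
    if random.random() < 0.5:          # first toss: heads
        return truth                   # (second toss ignored) answer honestly
    return random.random() < 0.5       # tails: second toss gives the answer

# Pr["Yes"] = 0.25 + 0.5 * p, so the true rate p is recoverable from the tally.
answers = [randomized_response(random.random() < 0.3) for _ in range(100_000)]
print(2 * sum(answers) / len(answers) - 0.5)  # close to the true p = 0.3
</syntaxhighlight>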

Although this example, inspired by randomized response, might be applicable to microdata (i.e., releasing datasets with each individual response), by definition differential privacy excludes microdata releases and is applicable only to queries (i.e., aggregating individual responses into one result), as releasing microdata would violate the requirements, more specifically the plausible deniability that a subject participated or not. (Dwork, Cynthia. "A firm foundation for private data analysis." Communications of the ACM 54.1 (2011): 86–95, supra note 19, page 91; Bambauer, Jane, Krishnamurty Muralidhar, and Rathindra Sarathy. "Fool's gold: an illustrated critique of differential privacy." Vand. J. Ent. & Tech. L. 16 (2013): 701.)

===Stable transformations===
A transformation <math>T</math> is <math>c</math>-stable if the [[Hamming distance]] between <math>T(A)</math> and <math>T(B)</math> is at most <math>c</math>-times the Hamming distance between <math>A</math> and <math>B</math> for any two databases <math>A,B</math>. Theorem 2 in <ref name="PINQ" /> asserts that if there is a mechanism <math>M</math> that is <math>\epsilon</math>-differentially private, then the composite mechanism <math>M\circ T</math> is <math>(\epsilon \times c)</math>-differentially private.

Several uses of differential privacy in practice are known to date:
*2008: [[United States Census Bureau|U.S. Census Bureau]], for showing commuting patterns.<ref name="MachanavajjhalaKAGV08" />
*2014: [[Google]]'s RAPPOR, for telemetry such as learning statistics about unwanted software hijacking users' settings.<ref name="RAPPOR" /><ref>{{Citation|title=google/rappor|date=2021-07-15|url=https://github.com/google/rappor|publisher=GitHub}}</ref>
*2015: Google, for sharing historical traffic statistics.<ref name="Eland" />
*2016: [[Apple Inc.|Apple]] announced its intention to use differential privacy in [[iOS 10]] to improve its [[Intelligent personal assistant]] technology.<ref>{{cite web|title=Apple - Press Info - Apple Previews iOS 10, the Biggest iOS Release Ever|url=https://www.apple.com/pr/library/2016/06/13Apple-Previews-iOS-10-The-Biggest-iOS-Release-Ever.html|website=Apple|access-date=16 June 2016}}</ref>
*2017: Microsoft, for telemetry in Windows.<ref name="DpWinTelemetry" />
*2019: Privitar Lens is an API using differential privacy.<ref>{{cite web|title=Privitar Lens|url=https://www.privitar.com/privitar-lens|access-date=20 February 2018}}</ref>
*2020: LinkedIn, for advertiser queries.<ref name="DpLinkedIn" />

==See also==
*Quasi-identifier
*Exponential mechanism (differential privacy) – a technique for designing differentially private algorithms
*k-anonymity
*[[Protected health information]]

==References==
{{Reflist|refs=
<ref name="DKMMN06">
*Dwork, Cynthia. 2006. Differential Privacy, 33rd International Colloquium on Automata, Languages and Programming, part II (ICALP 2006), Springer Verlag, 4052, 1-12, {{ISBN|3-540-35907-9}}.
*Dwork, Cynthia and Aaron Roth. 2014. The Algorithmic Foundations of Differential Privacy. Foundations and Trends in Theoretical Computer Science. Vol. 9, Nos. 3–4. 211–407, {{doi|10.1561/0400000042}}.
*Machanavajjhala, Ashwin, Daniel Kifer, John M. Abowd, Johannes Gehrke, and Lars Vilhuber. 2008. Privacy: Theory Meets Practice on the Map, International Conference on Data Engineering (ICDE) 2008: 277-286, {{doi|10.1109/ICDE.2008.4497436}}.
*Dwork, Cynthia and Moni Naor. 2010. On the Difficulties of Disclosure Prevention in Statistical Databases or The Case for Differential Privacy, Journal of Privacy and Confidentiality: Vol. 2: Iss. 1, Article 8. Available at: http://repository.cmu.edu/jpc/vol2/iss1/8.
*Kifer, Daniel and Ashwin Machanavajjhala. 2011. No free lunch in data privacy. In Proceedings of the 2011 ACM SIGMOD International Conference on Management of data (SIGMOD '11). ACM, New York, NY, USA, 193-204. {{doi|10.1145/1989323.1989345}}.
*Erlingsson, Úlfar, Vasyl Pihur and Aleksandra Korolova. 2014. RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 1054-1067. {{doi|10.1145/2660267.2660348}}.
*Abowd, John M. and Ian M. Schmutte. 2017. Revisiting the economics of privacy: Population statistics and confidentiality protection as public goods. Labor Dynamics Institute, Cornell University, at https://digitalcommons.ilr.cornell.edu/ldi/37/
*Ding, Bolin, Janardhan Kulkarni, and Sergey Yekhanin. 2017. Collecting Telemetry Data Privately, NIPS 2017.
*http://www.win-vector.com/blog/2015/10/a-simpler-explanation-of-differential-privacy/
*Ryffel, Theo, Andrew Trask, et al. [[arxiv:1811.04017|"A generic framework for privacy preserving deep learning"]]

*A reading list on differential privacy
*Abowd, John. 2017. "How Will Statistical Agencies Operate When All Data Are Private?". Journal of Privacy and Confidentiality 7 (3). (slides)
*"Differential Privacy: A Primer for a Non-technical Audience", Kobbi Nissim, Thomas Steinke, Alexandra Wood, Micah Altman, Aaron Bembenek, Mark Bun, Marco Gaboardi, David R. O'Brien, and Salil Vadhan, Harvard Privacy Tools Project, February 14, 2018
*Dinur, Irit and Kobbi Nissim. 2003. Revealing information while preserving privacy. In Proceedings of the twenty-second ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems (PODS '03). ACM, New York, NY, USA, 202-210.
*Dwork, Cynthia, Frank McSherry, Kobbi Nissim, and Adam Smith. 2006. Calibrating Noise to Sensitivity in Private Data Analysis. In Halevi, S. & Rabin, T. (Eds.), Theory of Cryptography: Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4–7, 2006. Proceedings, Springer Berlin Heidelberg, 265-284.

*Differential Privacy by Cynthia Dwork, ICALP July 2006.
*The Algorithmic Foundations of Differential Privacy by Cynthia Dwork and Aaron Roth, 2014.
*Differential Privacy: A Survey of Results by Cynthia Dwork, Microsoft Research, April 2008
*Privacy of Dynamic Data: Continual Observation and Pan Privacy by Moni Naor, Institute for Advanced Study, November 2009
*Tutorial on Differential Privacy by Katrina Ligett, California Institute of Technology, December 2013
*A Practical Beginner's Guide To Differential Privacy by Christine Task, Purdue University, April 2012
*Private Map Maker v0.2 on the Common Data Project blog
*Learning Statistics with Privacy, aided by the Flip of a Coin by Úlfar Erlingsson, Google Research Blog, October 2014
*Technology Factsheet: Differential Privacy by Raina Gandhi and Amritha Jayanti, Belfer Center for Science and International Affairs, Fall 2020

[[Category:Theory of cryptography]]