Automatic Tuning of Privacy Budgets in Input-Discriminative Local Differential Privacy

Abstract

Local differential privacy (LDP) and its variants have been recently studied to analyze personal data collected from Internet of Things (IoT) devices while strongly protecting user privacy. In particular, a recent study proposes a general privacy notion called input-discriminative LDP (ID-LDP), which introduces a privacy budget for each input value to deal with different levels of sensitivity. However, it is unclear how to set an appropriate privacy budget for each input value, especially, in current situations where reidentification is considered a major risk, e.g., in GDPR. Moreover, the possible number of input values can be very large in IoT. Consequently, it is also extremely difficult to manually check whether a privacy budget for each input value is appropriate. In this article, we propose algorithms to automatically tune privacy budgets in ID-LDP so that obfuscated data strongly prevent reidentification. We also propose a new instance of ID-LDP called one-budget ID-LDP (OneID-LDP) to prevent reidentification with high utility. Through comprehensive experiments using four real data sets, we show that existing instances of ID-LDP lack either utility or privacy - they overprotect personal data or are vulnerable to reidentification attacks. Then, we show that our OneID-LDP mechanisms with our privacy budget tuning algorithm provide much higher utility than LDP mechanisms while strongly preventing reidentification.