RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response (1407.6981v2)

Abstract: Randomized Aggregatable Privacy-Preserving Ordinal Response, or RAPPOR, is a technology for crowdsourcing statistics from end-user client software, anonymously, with strong privacy guarantees. In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports. This paper describes and motivates RAPPOR, details its differential-privacy and utility guarantees, discusses its practical deployment and properties in the face of different attack models, and, finally, gives results of its application to both synthetic and real-world data.

• The paper introduces RAPPOR, a novel two-step randomized response mechanism that protects individual privacy in crowdsourced data collection.
• It utilizes Permanent and Instantaneous Randomized Responses with Bloom filter encoding and LASSO-based decoding to accurately reconstruct population statistics.
• It demonstrates practical deployment in systems like Google Chrome, offering robust differential privacy guarantees for secure, large-scale data analytics.

RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response

In the paper "RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response," Erlingsson, Korolova, and Pihur present a comprehensive framework for anonymous data collection that ensures strong privacy guarantees for individual users, while enabling the aggregation and analysis of statistical information from large populations of client devices. This technology addresses the pressing need for privacy-preserving mechanisms in crowdsourced data collection, especially relevant for entities such as Cloud service providers.

Overview and Motivation

RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) leverages the concept of randomized response, originally introduced in the 1960s for sensitive surveys, to protect individual privacy while aggregating data from numerous clients. Traditional methods for privacy preservation, such as standard differential privacy techniques, rely on trusted third parties, which RAPPOR purposefully avoids by performing data randomization directly on client devices.

The motivation behind RAPPOR stems from the necessity for Cloud service operators to collect usage statistics and performance metrics from users to improve service quality and security. RAPPOR allows these operators to gather meaningful insights without compromising user privacy. For example, it can be used to identify the prevalence of specific browser settings or the incidence of malware-infected preferences while ensuring that the data cannot be traced back to any individual user.

RAPPOR Mechanism

RAPPOR functions through a two-step randomized response process comprising a Permanent Randomized Response and an Instantaneous Randomized Response:

1. Permanent Randomized Response: This step introduces initial randomization to a client’s true value and memoizes this modified response. It effectively ensures longitudinal privacy by preventing an attacker from deducing the original value even if the process is repeated.
2. Instantaneous Randomized Response: It introduces further randomization on the memoized value for each report. This step is crucial for preventing linkability and tracking through unique identifier leakage over multiple submissions.

The use of Bloom filters within RAPPOR enhances data compactness and adds an additional layer of obfuscation, making it harder for attackers to infer the original data values.

Differential Privacy Guarantees

The paper rigorously proves that RAPPOR satisfies differential privacy guarantees in both one-time and longitudinal data collection scenarios. For one-time data collection, privacy is ensured through the noise introduced in both randomization steps, quantified by an $\epsilon$-differential privacy bound. For longitudinal collections, the memoization of the Permanent Randomized Response provides privacy guarantees over repeated reports from the same client.

Decoding and Utility

Decoding aggregated RAPPOR reports to extract meaningful statistics requires sophisticated statistical techniques. The paper details a high-utility decoding framework that uses LASSO regression to identify candidate strings from Bloom filter-encoded reports, which are then refined through least-squares estimation and hypothesis testing. This approach allows for the scalable and accurate reconstruction of population-level statistics despite the introduced noise.

Applications and Experimental Results

RAPPOR has seen practical deployment in real-world applications, such as in Google's Chrome browser, where it has been used to collect information on user settings and detect security-relevant anomalies. Experimental evaluations demonstrate that RAPPOR can effectively identify frequent and rare strings, providing insights into application usage and prevalence of security issues while preserving individual privacy.

Implications and Limitations

RAPPOR offers a robust, scalable solution for privacy-preserving crowdsourced data collection, suitable for a wide range of applications in data analytics and security monitoring. By decentralizing data privacy and eliminating the need for trusted third parties, RAPPOR aligns well with modern data privacy standards and regulations.

However, the paper also acknowledges limitations. While RAPPOR is designed to protect against various attack models, its efficacy diminishes when handling correlated data or when clients participate multiple times without unique identifiers. Future work may address these concerns by refining the parameter selection and randomization strategies for enhanced privacy protection.

Future Directions

Enhancements to RAPPOR may involve advanced techniques to reduce the correlation impact and further optimize the balance between privacy and utility. Exploring adaptive mechanisms for dynamic query contexts and integrating RAPPOR with other privacy-preserving computation methods could broaden its applicability and effectiveness.

In summary, RAPPOR represents a significant advancement in the domain of privacy-preserving data collection. It balances robust privacy guarantees with high-utility analytical capabilities, making it a valuable tool for researchers and practitioners in data privacy and security.