15–17 Oct 2025
Poblenou Campus Auditorium

Critical analysis of real-world Differential Privacy applications from the last decade

15 Oct 2025, 11:25
14m
In-Person
Poblenou Campus Auditorium, Barcelona, Spain

Roc Boronat, 138, 08018 Barcelona

Speaker

Luis Del Vasto Terrientes (Universitat Rovira i Virgili)

Description

Differential privacy (DP) has become the de facto data protection mechanism due to its strong privacy guarantees. The mathematical foundation of $\epsilon$-DP is based on the principle that the presence or absence of any record in a data set should not influence the protected result by more than an exponential factor determined by the parameter $\epsilon$. Even though DP was originally designed for interactive settings, where the DP masking mechanism acts as an intermediary between users making statistical queries and a remote database providing responses, DP has attracted the interest of researchers and practitioners in many areas, including data analytics, statistics, and machine learning. However, a significant drawback of DP is the severe reduction in utility of the protected outcomes it often entails, an issue that has limited its applicability to real-world scenarios.
To assess the suitability of DP as a practical solution, we conducted an in-depth critical analysis of real-world DP deployments by top-tier companies and institutions in the last 10 years. Our analysis reveals significant issues in most applications, such as weak or unsafe privacy parameters used across the board in an attempt to keep protected data reasonably useful, inaccurate assessment of the attained privacy guarantees, or significant implementation challenges in large-scale scenarios. This limits its applicability to scenarios different from the (quite specific) ones DP was designed for, that is, protecting aggregated responses.
We conclude that, despite the considerable evolution that DP has undergone over the years, in most real-world use cases apart from the interactive setting, DP is far from offering a definitive solution to all privacy challenges due to its limitations and complexity. For continuous private data collection scenarios, DP has the drawback of cumulative privacy degradation over time, while for data releases, DP cannot deliver acceptable utility without compromising privacy based on its foundational principles, especially at the individual level, where large global sensitivities are associated with detailed data.
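As an added illustration of the abstract's two technical points (it is not code from the authors' analysis), the sketch below implements the Laplace mechanism for $\epsilon$-DP and basic sequential composition. The count, salary and budget figures are constructed, and the individual-level release assumes the global sensitivity equals the largest salary the domain allows.

```python
import math
import random


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse-CDF from one uniform draw."""
    u = rng.random() - 0.5  # uniform in [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def laplace_release(true_value: float, sensitivity: float, epsilon: float, rng=None) -> float:
    """Laplace mechanism: adding Laplace(sensitivity/epsilon) noise to a query whose
    global sensitivity (max change from adding or removing one record) is `sensitivity`
    satisfies epsilon-DP."""
    rng = rng or random.Random(0)
    return true_value + laplace_noise(sensitivity / epsilon, rng)


def privacy_loss_ratio(output: float, value_a: float, value_b: float,
                       sensitivity: float, epsilon: float) -> float:
    """Ratio of the output density when the true answer is value_a versus value_b.
    Whenever |a - b| <= sensitivity this never exceeds exp(epsilon): the DP bound the
    abstract refers to as 'no more than an exponential factor determined by epsilon'."""
    scale = sensitivity / epsilon
    return math.exp((abs(output - value_b) - abs(output - value_a)) / scale)


def expected_relative_error(true_value: float, sensitivity: float, epsilon: float) -> float:
    """Mean absolute error of Laplace(b) noise is b = sensitivity/epsilon; dividing by the
    true value shows whether the release is still usable."""
    return (sensitivity / epsilon) / abs(true_value)


def basic_composition(epsilons) -> float:
    """Sequential composition: the budget spent by repeated releases adds up, which is
    the 'cumulative privacy degradation' of continuous collection."""
    return sum(epsilons)


if __name__ == "__main__":
    # Constructed figures: an aggregate count over 10,000 records (sensitivity 1) versus a
    # single individual's salary, whose global sensitivity is the largest allowed salary.
    print(expected_relative_error(10_000, 1, 1.0))        # aggregate: 0.0001, still useful
    print(expected_relative_error(50_000, 200_000, 1.0))  # individual: 4.0, noise dwarfs value
    print(basic_composition([0.1] * 365))                 # a year of daily releases: 36.5
```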

Authors

Luis Del Vasto Terrientes (Universitat Rovira i Virgili)
Dr David Sánchez (Universitat Rovira i Virgili)
Dr Josep Domingo-Ferrer (Universitat Rovira i Virgili)