# Lecture worksheet 25 solutions

## Question 1

### Q1.1 True/False

(a) If we can make privacy guarantees about our data collection and/or analysis, then we have resolved any and all ethical concerns around using the data.

**SOLUTION**: False. Privacy alone is not enough of a guarantee: there are many unethical uses of data that preserve privacy protections (e.g., building discriminatory algorithms).

(b) If an algorithm is $\epsilon$-differentially private, then we can find out whether a certain individual is in the dataset with probability $\epsilon$.

**SOLUTION**: False: this is not the definition of differential privacy.

(c) A linkage attack `JOIN`s a publicly available dataset with an "anonymized" one to re-identify individuals.

**SOLUTION**: True: this is the definition of a linkage attack.

### Q1.2 How identifiable are you?

*Note: if you do not feel comfortable submitting any information to the sites below, you may skip parts or all of this question, but note that your privacy-paranoid instructor trusts the organizations and institutions who run the sites. -Ramesh*

Please do **not** put your personally identifiable information in your submission!

(a) Try the EFF's [Cover Your Tracks](https://coveryourtracks.eff.org/) site, which tells you how uniquely identifiable your browser is as you use the internet. Do the results surprise you?

(b) Try Latanya Sweeney's [How Unique Am I?](https://aboutmyinfo.org/identity) tool. Before you click submit, try to guess how many other people will have the same values as you. Do the results surprise you?

## Question 2: Laplace mechanism

One of the most widely used mechanisms for differential privacy is the Laplace mechanism. The idea is as follows. Suppose that we want to report a statistic $f(\cdot)$, which takes as input a database. For example, $D$ could be a database with the salaries of all residents of Berkeley, and $f(D)$ could be the average salary in $D$. Denote by $D$ and $D'$ generic neighboring databases (meaning they are only one entry different). Define the sensitivity of f as:

$$
\Delta_f = \max_{D, D' \text{neighbors}} |f(D)−f(D')|
$$

The Laplace mechanism reports 
$$
A_{Lap}(D) = f(D) + Z_\epsilon,
$$ 

where $Z_\epsilon$ is distributed according to the zero-mean Laplace distribution with parameter $\frac{\Delta_f}{\epsilon}$ , denoted $\text{Lap}\left(0, \frac{\Delta_f}{\epsilon}\right)$. 

The Laplace distribution $\text{Lap}(\mu, b)$ is given by the following density: 

$$
  p(x)= \frac{1}{2b}\exp\left\{{−\frac{|x−\mu|}{b}}\right\}
$$

The Laplace distribution is essentially a two-sided exponential distribution: see [Wikipedia](https://en.wikipedia.org/wiki/Laplace_distribution) for more.


### Q2.1

Prove that the Laplace mechanism is $\epsilon$-differentially private. More precisely, show
that for all $D'$ that are neighboring to our database $D$, we have

$$
\frac{P(A_{Lap}(D) = a)}{P(A_{Lap}(D') = a)} ≤ e^{\epsilon}
$$

**SOLUTION**:

*Note: because $A_{Lap}$ is continuous, the probabilities above are technically zero. Instead, we'll consider the ratio of probabilities that $A_{Lap}$ is between $a$ and some infinitesimally close value $a + \alpha$, so that we can use the ratio of densities.*

We know that $A_{Lap}$ produces a noisy version of $f$:

$$
A_{Lap}(D) = f(D) + Z_\epsilon \\
A_{Lap}(D') = f(D') + Z_\epsilon \\
$$

Since $f(D)$ is a constant, $A$ produces a shifted Laplace distribution:

$$
A_{Lap}(D) \sim \text{Laplace}\left(f(D), \frac{\Delta_f}{\epsilon}\right) \\
A_{Lap}(D') \sim \text{Laplace}\left(f(D'), \frac{\Delta_f}{\epsilon}\right)
$$

Now, we have all the information we need to begin:

\begin{align}
\frac{P(A_{Lap}(D) = a)}{P(A_{Lap}(D') = a)} 
    &= \frac{%
        \frac{1}{2b}\exp\left\{{−\frac{|a−f(D)|}{\Delta_f\,/\,\epsilon}}\right\}}{%
        \frac{1}{2b}\exp\left\{{−\frac{|a−f(D')|}{\Delta_f\,/\,\epsilon}}\right\}} \\
    &= \exp\left\{\frac{\epsilon}{\Delta_f}\left[\left|a−f(D')\right| - \left|a-f(D)\right|\right]\right\}
\end{align}

Now, we have to relate the quantity $\left|a−f(D')\right| - \left|a-f(D)\right|$, as it appears above, to the quantities we know about. In particular, we know from the definition of $\Delta_f$ that $|f(D)−f(D')| \leq \Delta_f$. So, we'll use a version of the [triangle inequality](https://en.wikipedia.org/wiki/Triangle_inequality#Metric_space), which states that 

$$
|A - B| - |A-C| \leq |B-C|
$$

Try proving it yourself by drawing out $A$, $B$, and $C$ on a number line.

\begin{align}
\frac{P(A_{Lap}(D) = a)}{P(A_{Lap}(D') = a)} 
    &\leq \exp\left\{\frac{\epsilon}{\Delta_f}|f(D) - f(D')|\right\}\\
    &\leq \exp\left\{\frac{\epsilon}{\Delta_f}\Delta_f\right\} \\
    &= e^{\epsilon}
\end{align}


### Q2.2 

Privacy alone isn't useful unless our answer is also accurate: after all, we could always just report random noise. We also would like to guarantee that $A_{Lap}(D)$ is close to $f(D)$ with high probability.

(a) (Optional) If $X \sim \text{Lap}(0, b)$, show that $P(|X| \geq t) \leq e^{-\frac{t}{b}}$.

**SOLUTION**: By symmetry, we can compute $P(X \geq t)$ (for $t > 0$) and double the result.

\begin{align}
P(X \geq t) &= \int_t^\infty \frac{1}{2b} \exp\left\{-\frac{|x|}{b}\right\}\,dx
\end{align}

Over the domain of the integral, $x$ is always positive, so $|x| = x$. Evaluating the integral, we find:

$$
\begin{align}
P(X \geq t) 
    &= \left[-\frac{1}{2} \exp\left\{-\frac{x}{b}\right\}\right]_t^\infty \\
    &= \frac{1}{2}e^{-t/b}
\end{align}
$$

By symmetry, $P(X \leq -t) = P(X \geq t)$, and $P(|X| \geq t) = P(X \leq -t) + P(X \geq t)$. So, $P(|X| \geq t) = e^{-\frac{t}{b}}$.

(b) Using the fact stated in (a), prove that:

$$
P\left(|A_{Lap}(D) - f(D)| \geq t\right) \leq 2\exp\left\{-\frac{t\epsilon}{\Delta_f}\right\}
$$

**SOLUTION**: We know that $A_{Lap}(D) = f(D) + Z_\epsilon$. So, $A_{Lap}(D) - f(D) = Z_\epsilon$. And from above, we know that $Z \sim \text{Lap}\left(0, \frac{\Delta_f}{\epsilon}\right)$:

$$
\begin{align}
P\left(|A_{Lap}(D) - f(D)| \geq t\right)
    &= P\left(|Z_\epsilon| \geq t\right) \\
    &= \exp\left\{-\frac{t\epsilon}{\Delta_f}\right\}
\end{align}
$$

(c) For a fixed level of privacy $\epsilon$, what can you conclude about the tradeoff between sensitivity $\Delta_f$ and accuracy? Does the result make intuitive sense?

**SOLUTION**: The quantity from part (b) (i.e., the RHS of the concentration inequality) gives us a measure of accuracy: the smaller the number, the more accurate $A_{Lap}$ is. We can see that as $\Delta_f$ increases from $0$ to $\infty$, the quantity being exponentiated goes from $-\infty$ to $0$: in other words, our bound goes from 0 to 1. To interpret this, small values of $\Delta_f$ give us good accuracy, while large values of $\Delta_f$ result in poor accuracy.

This makes intuitive sense: if we have a function $f$ that isn't very sensitive to removing a row from the data, then we don't need to add very much noise. But if our function is very sensitive, then we need more noise to ensure differential privacy.

## Question 3: Post-processing and differential privacy

An important property of differential privacy is that it is preserved under post-processing. In other words, if $A(D)$ is an $\epsilon$-differentially private statistic, then for any function $g$, $g(A(D))$ is still differentially private.

Prove this fact.