Privacy Against Many Arbitrary Low-Sensitivity Queries

We consider privacy-preserving data analysis, in which a trusted curator, holding an n-row database filled with personal information, is presented with a large set Q of queries about the database. Each query is a function, mapping the database to a real number. The curator's task is to return relatively accurate responses to all queries, while simultaneously protecting the privacy of the individual database rows.An active area of research on this topic seeks algorithms ensuring differential privacy, a powerful notion of privacy that protects against all possible linkage attacks and composes automtically and obliviously, in a manner whose worst-case behavior is easily understood. Highly accurate differentially private algorithms exist for many types of datamining tasks and analyses, beginning with counting queries of the form "How many rows in the database satsify Property P?" Accuracy must decrease as the number of queries grows. For the special case of counting queries known techniques permit distortion whose dependence on n and vertical bar Q vertical bar is Theta(n(2/3) log vertical bar Q vertical bar) [1] or Theta(root nlog(2) vertical bar Q vertical bar) [8]. This paper describes the first solution for large sets Q of arbitrary queries for which the presence or absence of a single datum has small effect on the outcome.