Differential Privacy Meets Invariant Statistics: Some Conundrums in Quantifying Trade-offs

This work was inspired by the question of whether data swapping, a popular form of statistical disclosure control used to protect many data products including three recent US Decennial Censuses, can satisfy differential privacy (DP). Given the existence of more than 200 formulations of DP (and counting), as a precondition to answering this question one must precisely specify what it actually means to be DP. Motivated by this observation, we first conduct a theoretical investigation into DP’s fundamental essence, resulting in a five-building-block system explicating the who, where, what, how and how much aspects of DP. Instantiating this system in the context of the US Decennial Census, we then demonstrate the broad applicability and relevance of DP by comparing a swapping strategy like that used in 2010 with the TopDown Algorithm—a DP method adopted in the 2020 Census. This chapter provides nontechnical summaries of these two pieces of work (developed elsewhere), as well as extended discussions on a number of issues they unearth that complicate the formulation and the navigation of the so-called privacy-utility tradeoff: How can greater awareness of the five building blocks thwart privacy theatrics? How can invariants (statistics that are released as-is without any privacy protection) align with DP’s philosophy of relative privacy? How do our results bridging traditional statistical disclosure control and DP allow a data custodian to reap the benefits of both these fields? How can removing the implicit reliance on aleatoric uncertainty lead to new generalizations of DP? Our ultimate goal with these discussions is to deepen the theoretical basis, broaden the practical applicability and reduce the misperception of DP—all without shaking its core foundations.