Obtaining $(\epsilon,\delta)$-differential privacy guarantees when using a Poisson mechanism to synthesize contingency tables

Differential privacy (DP) (Dwork et al., 2006) is a property of a perturbation mechanism that formally quantifies how accurately any individual’s true values can be established, given all other individuals’ true values are known. Originally developed as a way to protect the privacy of summary statistics (queries), it soon expanded as a way to protect entire data sets. Differentially private data synthesis (DIPS) has since become a popular area of research; see, for example, Abowd and Vilhuber (2008); Machanavajjhala et al. (2008); Charest (2011); McClure and Reiter (2012); Bowen and Liu (2020); Quick (2021); Drechsler (2023).

In Jackson et al. (2022b, a), we proposed a synthesis approach for \replacedcontingency tablescategorical data sets, which takes place at the tabular level, and that uses saturated count models. This approach effectively uses a count distribution to apply noise to the counts in the original data’s contingency table, and therefore shares traits with DP mechanisms which apply noise in a similar way. \addedNote that as microdata composed entirely of categorical variables can be expressed in contingency table format, this approach is suitable in the case of categorical data more generally.

In this paper, we consider the ability to obtain DP-guarantees when using the Poisson distribution to synthesize counts in \replacedcontingency tablestabular data (contingency tables). We show that although $\epsilon$-DP cannot be satisfied, $(\epsilon,\delta)$-DP guarantees can be obtained through the use of the Poisson’s cumulative distribution function (CDF).

\added

The motivation behind this work is that, with the exception of Quick (2021), the use of count distributions has largely been overlooked as a way to satisfy DP. An obvious benefit of using count distributions is that negative counts cannot be obtained. As the Poisson has only one parameter and hence is likely to be sub-optimal, the intention is that in the future the Poisson could be replaced with more complex count distributions, such as the (discretised) gamma family distribution, where additional parameters provide scope for fine-tuning.

The paper is structured as follows. Section 2 introduces some terminology and definitions. Section 3 looks at existing DP mechanisms for contingency tables, such as the (discretised) Laplace and Gaussian mechanisms. Section 4 gives our novel contribution, the ability to obtain $(\epsilon,\delta)$-DP guarantees when using a Poisson synthesis mechanism. Section 5 gives an empirical example using an administrative database. Section 6 gives some concluding remarks.

Rinott et al. (2018) set out how DP extends into a contingency table setting. Following their notation, let $\mathbf{a}=(a_{k},\ldots,a_{K})\in\mathcal{A}$ and $\mathbf{b}=(b_{k},\ldots,b_{K})\in\mathcal{B}$ denote vectors of \deletedcell counts in the original and synthetic data’s contingency tables, respectively, where $K$ denotes the number of cells and $\mathcal{A}$ and $\mathcal{B}$ denote the range of obtainable original and synthetic counts (respectively). For contingency tables, we suppose that $\mathcal{A}=\mathcal{B}=\mathbb{Z}_{\geq 0}^{K}$, where $\mathbb{Z}_{\geq 0}$ is the set of non-negative integers.

Moreover, we describe $\mathbf{a}$ and $\mathbf{a}^{\prime}$ as neighbours, denoted by $\mathbf{a}\sim\mathbf{a}^{\prime}$, whenever all but one of the counts in $\mathbf{a}$ and $\mathbf{a}^{\prime}$ are identical and the differing count differs by exactly one. Henceforth, without loss of generality, we suppose $\mathbf{a}$ and $\mathbf{a}^{\prime}$ differ in their $k$th element only, i.e. $a_{k}^{\prime}={a}_{k}-1$ and $a_{i}=a_{i}^{\prime}$ for $i=1,\ldots,K$, $i\neq k$. Thus $\mathbf{a}^{\prime}$ represents the data held by the intruder (who knows all but one of the individuals’ true values) and $\mathbf{a}$ represents the completed data where the “unknown individual” has been added to the cell in which they truly belong.

The $\epsilon$-DP definition revolves around the likelihood ratio, or, more accurately, around a series of likelihood ratios.

Definition 1 is the special case of the standard DP definition, given in Dwork et al. (2006), for when the range of $\mathcal{A}$ and $\mathcal{B}$ are discrete. \addedAlthough we appreciate that in some instances the denominator in (1) could be equal to zero, for the mechanisms we consider here this probability is always non-zero.

For any $\mathbf{a}$, $\mathbf{a}^{\prime}$ and $\mathbf{b}$, whenever the ratio ${\mathbb{P}(\mathcal{M}(\mathbf{a})=b)}/{\mathbb{P}(\mathcal{M}(\mathbf{a^{\prime}})=b)}$ is either small or large, relatively too much is gleaned about the unknown individual’s true values. It is worth noting, too, that the above definition considers all possible synthetic data sets in $\mathcal{B}$, illustrating that DP is not a risk metric for a particular synthetic data set but rather a property of a synthesis mechanism.

Somewhat confusingly, there are two similar but different relaxations of $\epsilon$-DP. The first is $(\epsilon,\delta)$-differential privacy (Dwork and Roth, 2014). The second is known as $(\epsilon,\delta)$-probabilistic differential privacy (Machanavajjhala et al., 2008). These are given below in Definitions 2 and 3. In the remainder of this paper, we focus on $(\epsilon,\delta)$-probabilistic DP. Yet whenever $(\epsilon,\delta)$-probabilistic DP is satisfied, $(\epsilon,\delta)$-DP is also satisfied (Goetz et al., 2012).

We now give examples of existing DP mechanisms suitable for synthesizing counts in contingency tables. \addedNote that for the Laplace and Gaussian mechanisms, discretised noise needs to be added (unless one is willing to accept non-integer “counts”). This can simply involve adding continuous noise before rounding the adjusted values to the nearest integer. Similarly, negative values can be rounded to zero.

A random variable $X\sim$ Laplace$(\mu,d)$ has probability density function $f_{L}$:

$\displaystyle f_{L}(x;\mu,d)$

$\displaystyle={\frac{1}{2d}}\exp\left(-{\frac{|x-\mu|}{d}}\right).$

The Laplace mechanism $\mathcal{M}_{L}$ satisfies $\epsilon$-DP by using the Laplace distribution to add random noise to the original counts $\mathbf{a}$. \addedSpecifically, for every original count $a_{i}$, the Laplace mechanism generates a Laplace$(a_{i},1/\epsilon)$ random variate. To show that this mechanism does indeed satisfy DP, we suppose that $a_{i}=a_{i}^{\prime}$ for $i=1,\ldots,k-1,k+1,\ldots,K$ and that $a_{k}^{\prime}=a_{k}-1$ (\addedi.e. the assumptions made in Section 2). Firstly, when $b_{k}>a_{k}$:

	$\displaystyle\frac{\mathbb{P}(\mathcal{M}_{L}(\mathbf{a})=\mathbf{b})}{\mathbb{P}(\mathcal{M}_{L}(\mathbf{a}^{\prime})=\mathbf{b})}$	$\displaystyle=\frac{\exp\left(-{\epsilon|b_{k}-a_{k}|}\right)}{\exp\left(-{\epsilon|b_{k}-a_{k}^{\prime}|}\right)}$
		$\displaystyle=\frac{\exp\left(-{\epsilon|b_{k}-a_{k}|}\right)}{\exp\left(-{\epsilon|b_{k}-(a_{k}-1)|}\right)}$
		$\displaystyle=\exp{(\epsilon)}.$		(4)

Similarly, when $a_{k}>b_{k}$, (4) is equal to exp(-$\epsilon$), and when $a_{k}=b_{k}$ it is equal to exp(0). Hence the DP definition in (1) holds.

A random variable $X\sim$ Normal$(\mu,\sigma^{2})$ has probability density function $f_{G}$:

$\displaystyle f_{G}(x;\mu,\sigma^{2})$

$\displaystyle=\frac{1}{\sigma\sqrt{2\pi}}\exp\left[-\frac{1}{2}\left({\frac{x-\mu}{\sigma}}\right)^{2}\right]$

In a similar way to the Laplace mechanism, the Gaussian mechanism, say $\mathcal{M}_{G}$, applies Normal(0,  $\sigma^{2}$) random noise to the original counts, resulting in a mechanism that satisfies $(\epsilon,\delta)$-differential privacy. Using the same assumptions and notation as previous, it follows that:

	$\displaystyle\frac{\mathbb{P}(\mathcal{M}_{G}(\mathbf{a})=b)}{\mathbb{P}(\mathcal{M}_{G}(\mathbf{a^{\prime}})=b)}$	$\displaystyle=\frac{{\frac{1}{\sigma{\sqrt{2\pi}}}}\exp\left[{-{\frac{1}{2}}\left({\frac{b_{k}-a_{k}}{\sigma}}\right)^{2}}\right]}{{\frac{1}{\sigma{\sqrt{2\pi}}}}\exp\left[{-{\frac{1}{2}}\left({\frac{b_{k}-a_{k}+1}{\sigma}}\right)^{2}}\right]}$
		$\displaystyle=\exp\left[-{\frac{1}{2\sigma^{2}}}(2a_{k}-2b_{k}-1)\right].$
Recall that $(\epsilon,\delta)$-probabilistic DP is satisfied whenever
	$\displaystyle\frac{1}{\exp{(\epsilon)}}$	$\displaystyle\leq\frac{\mathbb{P}(\mathcal{M}(\mathbf{a})=b)}{\mathbb{P}(\mathcal{M}(\mathbf{a^{\prime}})=b)}\leq\exp{(\epsilon)}\quad\text{with probability $1-\delta$,}$
which, in this instance, occurs whenever
	$\displaystyle-\epsilon$	$\displaystyle\leq-{\frac{1}{2\sigma^{2}}}(2a_{k}-2b_{k}-1)\leq\epsilon\quad\text{with probability $1-\delta$}.$

The probability $1-\delta$ can be obtained from $\Phi$, the normal distribution’s CDF (Balle and Wang, 2018), as $b_{k}\sim\text{Normal}(a_{k},\sigma^{2})$.

	$\displaystyle 1-\delta$	$\displaystyle=\mathbb{P}(-\epsilon\leq-{\frac{1}{2\sigma^{2}}}(2a_{k}-2b_{k}-1)\leq\epsilon)$
		$\displaystyle=\mathbb{P}(a_{k}-\sigma^{2}\epsilon-{1}/{2}\leq b_{k}\leq a_{k}+\sigma^{2}\epsilon-{1}/{2})$
		$\displaystyle=\Phi\left(\frac{a_{k}+\sigma^{2}\epsilon-{1}/{2}-a_{k}}{\sigma}\right)-\Phi\left(\frac{a_{k}-\sigma^{2}\epsilon-{1}/{2}-a_{k}}{\sigma}\right)$
		$\displaystyle=\Phi\left({\sigma\epsilon-{1}/{(2\sigma)}}\right)-\Phi\left(-\sigma\epsilon-{1}/{(2\sigma)}\right)$

A multinomial-Dirichlet synthesis mechanism (Abowd and Vilhuber, 2008), say $\mathcal{M}_{MD}$, can also yield DP guarantees. The original counts $\mathbf{a}$ can be converted to cell probabilities $\boldsymbol{\pi}$ simply by dividing by $n$ (the number of individuals in the data). A Dirichlet prior with concentration parameters $\boldsymbol{\alpha}=(\alpha_{k},\alpha_{2},\ldots,\alpha_{K})$ is placed on $\boldsymbol{\pi}$ (see Abowd and Vilhuber (2008) for more on this approach). Using the same “without loss of generality” assumptions as previous, it follows that

	$\displaystyle\frac{\mathbb{P}(\mathcal{M}_{MD}(\mathbf{a})=\mathbf{b})}{\mathbb{P}(\mathcal{M}_{MD}(\mathbf{a}^{\prime})=\mathbf{b})}$	$\displaystyle=\frac{\Gamma(b_{k}+a_{k}+\alpha_{k})}{\Gamma(a_{k}+\alpha_{k})}\cdot\frac{\Gamma(a_{k}^{\prime}+\alpha_{k})}{\Gamma(b_{k}+a_{k}^{\prime}+\alpha_{k})}$
		$\displaystyle=\frac{\Gamma(b_{k}+a_{k}+\alpha_{k})}{\Gamma(a_{k}+\alpha_{k})}\cdot\frac{\Gamma(a_{k}-1+\alpha_{k})}{\Gamma(b_{k}+a_{k}-1+\alpha_{k})}$
		$\displaystyle=\frac{b_{k}+a_{k}-1+\alpha_{k}}{a_{k}-1+\alpha_{k}}.$		(5)
Recall again that DP is satisfied whenever
	$\displaystyle\frac{1}{\exp{(\epsilon)}}$	$\displaystyle\leq\frac{\mathbb{P}(\mathcal{M}(\mathbf{a})=\mathbf{b})}{\mathbb{P}(\mathcal{M}(\mathbf{a}^{\prime})=\mathbf{b})}\leq{\exp{(\epsilon)}}.$
As the expression in (5) is always greater than or equal to one, and hence always greater than 1/exp($\epsilon$), DP is satisfied whenever
	$\displaystyle\frac{b_{k}+a_{k}-1+\alpha_{k}}{a_{k}-1+\alpha_{k}}$	$\displaystyle\leq{\exp{(\epsilon)}}.$
As $a_{k}\geq 1$ and $b_{k}\leq n$, this simplifies to
	$\displaystyle\frac{n+\alpha_{k}}{\alpha_{k}}$	$\displaystyle\leq{\exp{(\epsilon)}}\quad\Rightarrow\quad\alpha_{k}\geq\frac{n}{\exp{(\epsilon)}-1}.$
Considering all counts $a_{1},\ldots,a_{K}$ gives that DP is satisfied whenever
	$\displaystyle\text{max}_{i}\alpha_{i}$	$\displaystyle\geq\frac{n}{\exp{(\epsilon)}-1},\quad\text{a result from \cite[cite]{\@@bibref{Authors Phrase1YearPhrase2}{machanavajjhala2008privacy}{\@@citephrase{(}}{\@@citephrase{)}}}.}$

When using saturated count models to synthesize contingency tables, as set out in Jackson et al. (2022b), a count distribution, e.g. the Poisson, applies noise to original counts. We assume that a constant pseudocount $\alpha>0$ is added to every element of $\mathbf{a}$ (i.e. to all original counts, not just to zero counts as in Jackson et al. (2022b)), which opens up the possibility that original counts of zero can be synthesized to non-zeros. When using the Poisson we apply the following mechanism, which we denote by $\mathcal{M}_{P}$, to obtain a set of synthetic counts:

	$\displaystyle{b}_{i}\mid{a}_{i},\alpha$	$\displaystyle\sim\text{Poisson}(a_{i}+\alpha),\quad i=1,\ldots,K,$
	$\displaystyle\text{i.e.}\quad\mathbb{P}(\mathcal{M}_{P}(a_{i})=b_{i})$	$\displaystyle=\frac{\exp{(-a_{i}-\alpha)}(a_{i}+\alpha)^{b_{i}}}{b_{i}!},\quad i=1,\ldots,K.$
Supposing once again that $\mathbf{a}$ and $\mathbf{a}^{\prime}$ differ in their $k$th element only, we have:
	$\displaystyle\frac{\mathbb{P}(\mathcal{M}_{P}(\mathbf{a})=\mathbf{b})}{\mathbb{P}(\mathcal{M}_{P}(\mathbf{a}^{\prime})=\mathbf{b})}$	$\displaystyle=\exp{(-1)}\bigg{(}\frac{a_{k}+\alpha}{a_{k}-1+\alpha}\bigg{)}^{b_{k}}.$		(6)

This quantity is bounded below by exp(-1), with this minimum occurring when $b_{k}=0$. It is unbounded above, however, as $b_{k}$ can take any integer up to infinity; i.e. the expression in (6) tends to infinity as $b_{k}$ tends to infinity. Thus $\epsilon$-DP cannot be satisfied.

Instead, we now consider the $(\epsilon,\delta)$-probabilistic DP relaxation, first considering the left-hand inequality of the DP definition (Def. 1):

$\displaystyle\frac{1}{\exp{(\epsilon)}}\leq$

$\displaystyle\;\frac{\mathbb{P}(\mathcal{M}_{P}(\mathbf{a})=\mathbf{b})}{\mathbb{P}(\mathcal{M}_{P}(\mathbf{a}^{\prime})=\mathbf{b})}\quad\Rightarrow\quad b_{k}\geq\frac{1-\epsilon}{\text{log}\left(\frac{a_{k}+\alpha}{a_{k}-1+\alpha}\right)}.$

When $\epsilon\geq 1$, this inequality holds with probability 1. When $0<\epsilon<1$, the probability that this inequality holds can be determined through the Poisson’s CDF, since $b_{k}$ is a realization from a Poisson random variable. This probability is given as:

$\displaystyle 1-F_{a_{k}+\alpha}^{P}\left[\frac{1-\epsilon}{\text{log}\left(\frac{a_{k}+\alpha}{a_{k}-1+\alpha}\right)}\right],$

(7)

where $F_{a_{k}+\alpha}^{P}$ is the CDF of the Poisson distribution with mean $a_{k}+\alpha$.

We next consider the right-hand inequality of Def. 1:

$\displaystyle\frac{\mathbb{P}(\mathcal{M}_{P}(\mathbf{a})=\mathbf{b})}{\mathbb{P}(\mathcal{M}_{P}(\mathbf{a}^{\prime})=\mathbf{b})}\leq$

$\displaystyle\;{\exp{(\epsilon)}}\quad\Rightarrow\quad b_{k}\leq\frac{1+\epsilon}{\text{log}\left(\frac{a_{k}+\alpha}{a_{k}-1+\alpha}\right)}.$

For all $\epsilon$, this inequality holds with probability

$\displaystyle F_{a_{k}+\alpha}^{P}\left[\frac{1+\epsilon}{\text{log}\left(\frac{a_{k}+\alpha}{a_{k}-1+\alpha}\right)}\right].$

(8)

Recall that in $(\epsilon,\delta)$-probabilistic DP, $1-\delta$ is the probability that DP is satisfied, i.e. the probability that both inequalities hold. A non-trivial question when $0<\epsilon<1$ is how to combine the probabilities given in (7) and (8) and hence compute $\delta$? This is an area of future research.

When $\epsilon>1$, however, the left-hand inequality of Def. 1 always holds, thus we need only focus on (8). Although non-trivial for any $\epsilon\geq 1$ and $\alpha>0$, (8) is minimised when $a_{k}=1$ (when $a_{k}^{\prime}=0$). Note, a formal proof has been omitted here but extensive empirical simulation results have been undertaken. Thus,

$\displaystyle 1-\delta=F_{1+\alpha}^{P}\left[\frac{1+\epsilon}{\text{log}\left(\frac{1+\alpha}{\alpha}\right)}\right].$

(9)

This also demonstrates the role of $\alpha$ as a tuning parameter for risk. In general, a larger $\alpha$ value corresponds to a lower $\delta$ value. Yet $\delta$ is not a decreasing function of $\alpha$. For a very brief explanation, this is because increasing $\alpha$ increases the value of the expression inside the squared bracket in (9), but it also increases the mean of the Poisson random variable from which a synthetic count is drawn. Figure 1 illustrates the nature of the relationship between $\alpha$ and $\delta$ for different values of $\epsilon$. For example, setting $\alpha=0.1$ satisfies approximately (3,0.3)-probabilistic DP and (1.5,0.6)-probabilistic DP.

In contingency tables where there are no zero counts, a $(\epsilon,\delta)$-DP guarantee can be obtained when $\alpha=0$. In this instance, $\delta$ is determined by the smallest original count, i.e.:

$\displaystyle 1-\delta=F_{a_{i}+\alpha}^{P}\left[\frac{1+\epsilon}{\text{log}\left(\frac{\text{min}_{i}a_{i}+1}{\text{min}_{i}a_{i}}\right)}\right].$

(10)

In a sense, in this example we have violated the traditional $(\epsilon,\delta)$-probabilistic DP definition given in (3) because $\delta$ is dependent on a particular set of original counts $\mathbf{a}$ – not all original counts.

We can easily replace the Poisson with any other count distribution (e.g. the negative binomial, Poisson inverse-Gaussian, Delaporte, Sichel, etc.), which of course would lead to a different expression for the ratio in (6).

To summarise, in this paper we have shown how to obtain $(\epsilon,\delta)$-DP guarantees when using a Poisson synthesis mechanism to protect the privacy of counts in contingency tables. \addedFor a given $\epsilon>1$, the corresponding value of $\delta$ that is achievable with the Poisson is relatively high; much higher than that which is achievable with other DP mechanisms. Going forward, we believe other count distributions, such as the negative binomial, are likely to be more favourable (i.e. will give better utility results), while also providing the same DP-type risk guarantees, because such distributions would introduce further tuning parameters in addition to $\alpha$. Previous work suggests that such tuning parameter apply noise in a more efficient fashion (Jackson et al., 2022a). These tuning parameters could be set to obtain certain $\epsilon$ or $\delta$ values.

We end with an interesting note in relation to DP. Somewhat counterintuitively, the reason why multinomial-based synthesis mechanisms (e.g. the multinomial Dirichlet synthesizer) can satisfy $\epsilon$-DP – but the Poisson cannot – is because with multinomial mechanisms have a maximum synthetic count that any original count can take, namely $n$. With count distributions, any original count can be synthesized to any non-negative integer. To help explain why this causes the DP definition to fail, recall that, with contingency tables, DP definitions effectively assume that the intruder is trying to locate the cell to which just one individual belongs; i.e. in the intruder’s data set one, and only one, cell count is one less than it actually is. Suppose that a particular count in the intruder’s data set is equal to 1, but that the corresponding synthetic count – generated by simulating from the Poisson with $\alpha=0$ – has a count of 5. It is 11.7 times more likely that this synthetic count originated from a cell with a count of 2 than from a count of 1, therefore the intruder can infer that that particular cell is a likely origin of the target. It is interesting therefore that, with DP, disclosure risk is deemed to be at its greatest when the scope for potential movement between original and synthetic counts is at its greatest. This largely goes against the objectives of traditional SDC methods, which typically reduce risk by increasing the divergence from the original counts.