research-article

Open access

RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response

Authors:

Úlfar Erlingsson,

Vasyl Pihur, and

Aleksandra KorolovaAuthors Info & Claims

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

November 2014

Pages 1054 - 1067

https://doi.org/10.1145/2660267.2660348

Published: 03 November 2014 Publication History

Abstract

Randomized Aggregatable Privacy-Preserving Ordinal Response, or RAPPOR, is a technology for crowdsourcing statistics from end-user client software, anonymously, with strong privacy guarantees. In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports. This paper describes and motivates RAPPOR, details its differential-privacy and utility guarantees, discusses its practical deployment and properties in the face of different attack models, and, finally, gives results of its application to both synthetic and real-world data.

References

[1]

Charu C. Aggarwal and Philip S. Yu. On privacy-preservation of text and sparse binary data with sketches. In Proceedings of the 2007 SIAM International Conference on Data Mining (SDM), pages 57--67, 2007.

[2]

Istemi Ekin Akkus, Ruichuan Chen, Michaela Hardt, Paul Francis, and Johannes Gehrke. Non-tracking web analytics. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS), pages 687--698, 2012.

Digital Library

[3]

Yoav Benjamini and Yosef Hochberg. Controlling the false discovery rate: A practical and powerful approach to multiple testing. Journal of the Royal Statistical Society Series B (Methodological), 57(1):289--300, 1995.

[4]

Giuseppe Bianchi, Lorenzo Bracciale, and Pierpaolo Loreti. 'Better Than Nothing' privacy with Bloom filters: To what extent? In Proceedings of the 2012 International Conference on Privacy in Statistical Databases (PSD), pages 348--363, 2012.

Digital Library

[5]

Burton H. Bloom. Space/time trade-offs in hash coding with allowable errors. Commun. ACM, 13(7):422--426, July 1970.

Digital Library

[6]

Andrei Z. Broder and Michael Mitzenmacher. Network applications of Bloom filters: A Survey. Internet Mathematics, 1(4):485--509, 2003.

[7]

T.-H. Hubert Chan, Mingfei Li, Elaine Shi, and Wenchang Xu. Differentially private continual monitoring of heavy hitters from distributed streams. In Proceedings of the 12th International Conference on Privacy Enhancing Technologies (PETS), pages 140--159, 2012.

Digital Library

[8]

Ruichuan Chen, Alexey Reznichenko, Paul Francis, and Johannes Gehrke. Towards statistical queries over distributed private user data. In Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation (NSDI), pages 169--182, 2012.

Digital Library

[9]

Chromium.org. Design Documents: RAPPOR (Randomized Aggregatable Privacy Preserving Ordinal Responses). http://www.chromium.org/developers/design-documents/rappor.

[10]

Cynthia Dwork. A firm foundation for private data analysis. Commun. ACM, 54(1):86--95, January 2011.

Digital Library

[11]

Cynthia Dwork, Krishnaram Kenthapadi, Frank McSherry, Ilya Mironov, and Moni Naor. Our data, ourselves: Privacy via distributed noise generation. In Proceedings of 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), pages 486--503, 2006.

Digital Library

[12]

Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In Proceedings of the 3rd Theory of Cryptography Conference (TCC), pages 265--284, 2006.

Digital Library

[13]

Cynthia Dwork, Moni Naor, Toniann Pitassi, and Guy N. Rothblum. Differential privacy under continual observation. In Proceedings of the 42nd ACM Symposium on Theory of Computing (STOC), pages 715--724, 2010.

Digital Library

[14]

Cynthia Dwork, Moni Naor, Toniann Pitassi, Guy N. Rothblum, and Sergey Yekhanin. Pan-private streaming algorithms. In Proceedings of The 1st Symposium on Innovations in Computer Science (ICS), pages 66--80, 2010.

[15]

Justin Hsu, Marco Gaboardi, Andreas Haeberlen, Sanjeev Khanna, Arjun Narayan, Benjamin C. Pierce, and Aaron Roth. Differential privacy: An economic method for choosing epsilon. In Proceedings of 27th IEEE Computer Security Foundations Symposium (CSF), 2014.

[16]

Justin Hsu, Sanjeev Khanna, and Aaron Roth. Distributed private heavy hitters. In Proceedings of the 39th International Colloquium Conference on Automata, Languages, and Programming (ICALP) - Volume Part I, pages 461--472, 2012.

Digital Library

[17]

Krishnaram Kenthapadi, Aleksandra Korolova, Ilya Mironov, and Nina Mishra. Privacy via the Johnson-Lindenstrauss transform. Journal of Privacy and Confidentiality, 5(1):39--71, 2013.

[18]

Daniel Keren, Guy Sagy, Amir Abboud, David Ben-David, Assaf Schuster, Izchak Sharfman, and Antonios Deligiannakis. Monitoring distributed, heterogeneous data streams: The emergence of safe zones. In Proceedings of the 1st International Conference on Applied Algorithms (ICAA), pages 17--28, 2014.

Digital Library

[19]

Daniel Kifer and Ashwin Machanavajjhala. No free lunch in data privacy. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 193--204, 2011.

Digital Library

[20]

Bin Liu, Yurong Jiang, Fei Sha, and Ramesh Govindan. Cloud-enabled privacy-preserving collaborative learning for mobile sensing. In Proceedings of the 10th ACM Conference on Embedded Network Sensor Systems (SenSys), pages 57--70, 2012.

Digital Library

[21]

Frank McSherry and Kunal Talwar. Mechanism design via differential privacy. In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages 94--103, 2007.

Digital Library

[22]

Darakhshan J. Mir, S. Muthukrishnan, Aleksandar Nikolov, and Rebecca N. Wright. Pan-private algorithms via statistics on sketches. In Proceedings of Symposium on Principles of Database Systems (PODS), pages 37--48, 2011.

Digital Library

[23]

Ilya Mironov. On significance of the least significant bits for differential privacy. In Proceedings of ACM Conference on Computer and Communications Security (CCS), pages 650--661, 2012.

Digital Library

[24]

Nina Mishra and Mark Sandler. Privacy via pseudorandom sketches. In Proceedings of Symposium on Principles of Database Systems (PODS), pages 143--152, 2006.

Digital Library

[25]

Aaron Roth and Tim Roughgarden. Interactive privacy via the median mechanism. In Proceedings of the 42nd ACM Symposium on Theory of Computing (STOC), pages 765--774, 2010.

Digital Library

[26]

Robert Tibshirani. Regression shrinkage and selection via the Lasso. Journal of the Royal Statistical Society, Series B, 58:267--288, 1994.

[27]

Stanley L. Warner. Randomized response: A survey technique for eliminating evasive answer bias. Journal of the American Statistical Association, 60(309):pp. 63--69, 1965.

[28]

Wikipedia. Randomized response. http://en.wikipedia.org/wiki/Randomized_response.

Cited By

Yao ZTan LYi JFu LZhang ZTan XXie JShe KYang PWu WYe DYu Z(2024)Sensitive Data Privacy Protection of Carrier in Intelligent Logistics SystemSymmetry10.3390/sym1601006816:1(68)Online publication date: 4-Jan-2024
https://doi.org/10.3390/sym16010068
Jiang YRezazadeh Baee MSimpson LGauravaram PPieprzyk JZia TZhao ZLe Z(2024)Pervasive User Data Collection from Cyberspace: Privacy Concerns and CountermeasuresCryptography10.3390/cryptography80100058:1(5)Online publication date: 31-Jan-2024
https://doi.org/10.3390/cryptography8010005
Shi RWei LZhang L(2024)More Efficient and Verifiable Privacy-Preserving Aggregation Scheme for Internet of Things-Based Federated LearningApplied Sciences10.3390/app1413536114:13(5361)Online publication date: 21-Jun-2024
https://doi.org/10.3390/app14135361
Show More Cited By

Index Terms

RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response
1. Mathematics of computing
  1. Information theory
    1. Coding theory
2. Security and privacy
  1. Cryptography
    1. Mathematical foundations of cryptography

Recommendations

A Privacy Protection Evaluation Mechanism for Dynamic Data Based on Chunk-Confusion

Nowadays big data security plays a major issue in cloud computing. Chunk-confusion-based privacy protection mechanism (CCPPM) protects the privacy of the tenants in plaintext. But both multi-tenant applications' data and tenants' privacy requirements ...
Read More
A novel anonymization algorithm: Privacy protection and knowledge preservation

In data mining and knowledge discovery, there are two conflicting goals: privacy protection and knowledge preservation. On the one hand, we anonymize data to protect privacy; on the other hand, we allow miners to discover useful knowledge from ...
Read More
Privacy consensus in anonymization systems via game theory
DBSec'12: Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy

Privacy protection appears as a fundamental concern when personal data is collected, stored, and published. Several anonymization methods have been proposed to address privacy issues in private datasets. Every anonymization method has at least one ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

November 2014

1592 pages

ISBN:9781450329576

DOI:10.1145/2660267

General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA

Copyright © 2014 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2014

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'14

Sponsor:

SIGSAC

CCS'14: 2014 ACM SIGSAC Conference on Computer and Communications Security

November 3 - 7, 2014

Arizona, Scottsdale, USA

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1,025
Total Citations
View Citations
9,942
Total Downloads

Downloads (Last 12 months)1,640
Downloads (Last 6 weeks)144

Other Metrics

View Author Metrics

Citations

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents