13.1. Toward practicing privacy 257
in many databases and many different computations, perhaps the real
worry is the combined threat of multiple exposures. This is captured by
privacy under composition. Concentrated differential privacy permits
better accuracy while yielding the same behavior under composition as
(ε, δ) (and (ε, 0)) differential privacy.
Differential privacy also faces a number of cultural challenges. One
of the most significant is non-algorithmic thinking. Differential privacy
is a property of an algorithm. However, many people who work with
data describe their interactions with the data in fundamentally non-
algorithmic terms, such as, “First, I look at the data.” Similarly, data
cleaning is often described in non-algorithmic terms. If data are reasonably plentiful, and the analysts are energetic, then the “Raw Data” application of the Subsample and Aggregate methodology described in Example 7.3 suggests a path toward enabling non-algorithmic interactions by trusted analysts who will follow directions. In general, though, it seems plausible that on high-dimensional and internet-scale data sets non-algorithmic interactions will be the exception.
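The general Subsample and Aggregate pattern can be sketched as follows. This is a minimal illustration of the generic technique, not the specific “Raw Data” variant of Example 7.3; the block count, the analyst function, and the Laplace-noised mean used for aggregation are all illustrative choices:

```python
import random

def subsample_and_aggregate(data, analyst_fn, m, epsilon, output_range):
    """Partition data into m blocks, apply analyst_fn to each block,
    and combine the m intermediate results with a noisy mean."""
    random.shuffle(data)
    blocks = [data[i::m] for i in range(m)]
    results = [analyst_fn(b) for b in blocks]
    lo, hi = output_range
    clipped = [min(max(r, lo), hi) for r in results]
    # Each individual affects at most one block, hence at most one of the
    # m intermediate results; the mean's sensitivity is (hi - lo) / m.
    sensitivity = (hi - lo) / m
    # Laplace(1) noise as a difference of two Exp(1) draws.
    noise = random.expovariate(1) - random.expovariate(1)
    return sum(clipped) / m + (sensitivity / epsilon) * noise

# Example: privately estimate a mean of values in [0, 1].
data = [random.random() for _ in range(10_000)]
est = subsample_and_aggregate(data, lambda b: sum(b) / len(b),
                              m=100, epsilon=0.5, output_range=(0.0, 1.0))
```

The appeal for non-algorithmic analysts is that `analyst_fn` can be an arbitrary, even manual, procedure applied to each block; only the aggregation step need be differentially private.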
What about ε? In Example 3.7 we applied Theorem 3.20 to conclude that to bound the cumulative lifetime privacy loss at ε = 1 with probability 1 − e^{−32}, over participation in 10,000 databases, it is sufficient that each database be (1/801, 0)-differentially private. While k = 10,000 may be an overestimate, the dependence on k is fairly weak (√k), and in the worst case these bounds are tight, ruling out a more relaxed bound than ε₀ = 1/801 for each database over the lifetime of the database. This is simply too strict a requirement in practice.
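The arithmetic can be checked against the advanced composition bound: k-fold composition of (ε₀, 0)-differentially private mechanisms is (ε′, δ′)-differentially private for ε′ = ε₀√(2k ln(1/δ′)) + kε₀(e^{ε₀} − 1). A quick computation, assuming this form of the bound, shows that with ε₀ = 1/801, k = 10,000, and δ′ = e^{−32} the dominant √k term contributes 800/801, with a small additional linear term:

```python
import math

def advanced_composition(eps0, k, delta_prime):
    """Cumulative epsilon under k-fold composition of (eps0, 0)-DP
    mechanisms, per the advanced composition bound."""
    return (eps0 * math.sqrt(2 * k * math.log(1 / delta_prime))
            + k * eps0 * (math.exp(eps0) - 1))

eps_total = advanced_composition(eps0=1 / 801, k=10_000, delta_prime=math.exp(-32))
# sqrt(2 * 10_000 * 32) = 800, so the first term is 800/801 < 1;
# the second, quadratic-order term adds roughly 0.016.
print(round(eps_total, 3))
```

This also makes the √k dependence concrete: quadrupling k only doubles the first term, so shrinking k does not buy much slack.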
Perhaps we can ask a different question: fix ε, say ε = 1 or ε = 1/10, and ask how this budget should be apportioned. Permitting ε privacy loss per query is too weak, and ε loss over the lifetime of the database is too strong. Something in between, say ε per study or ε per researcher, may make sense, although this raises the questions of who is a “researcher” and what constitutes a “study.” Either choice affords substantially more protection against accidental and intentional privacy compromise than do current practices, from enclaves to confidentiality contracts.
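A per-researcher apportionment could be operationalized with a simple budget accountant. The sketch below is hypothetical (the class and method names are not from any particular system) and uses sequential composition, i.e., summing ε’s, as the conservative accounting rule:

```python
class PrivacyBudgetAccountant:
    """Tracks cumulative privacy loss per researcher, refusing any query
    that would push a researcher past a fixed lifetime budget."""

    def __init__(self, budget_per_researcher):
        self.budget = budget_per_researcher
        self.spent = {}  # researcher id -> cumulative epsilon

    def charge(self, researcher, eps):
        used = self.spent.get(researcher, 0.0)
        if used + eps > self.budget:
            raise PermissionError(
                f"{researcher} would exceed budget {self.budget}")
        self.spent[researcher] = used + eps
        return self.budget - self.spent[researcher]  # remaining budget

accountant = PrivacyBudgetAccountant(budget_per_researcher=1.0)
accountant.charge("alice", 0.3)
remaining = accountant.charge("alice", 0.5)  # 0.2 of the budget left
```

Tighter accounting (e.g., advanced composition instead of summation) would stretch each researcher’s budget further, at the cost of a nonzero δ; the same skeleton accommodates either rule.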
A different proposal is less prescriptive. This proposal draws from
second-generation regulatory approaches to reducing environmental