RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response
RAPPOR addresses the privacy concerns of users whose client software reports data for collection, offering a practical mechanism for gathering statistics with strong privacy guarantees; it builds on existing randomized response techniques rather than inventing a new primitive.
The paper tackles the problem of anonymously crowdsourcing statistics from end-user clients with strong privacy guarantees by introducing RAPPOR, which applies randomized response in a novel way to enable high-utility aggregate analysis while preventing reports from being linked to individual clients.
Randomized Aggregatable Privacy-Preserving Ordinal Response, or RAPPOR, is a technology for crowdsourcing statistics from end-user client software, anonymously, with strong privacy guarantees. In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports. This paper describes and motivates RAPPOR, details its differential-privacy and utility guarantees, discusses its practical deployment and properties in the face of different attack models, and, finally, gives results of its application to both synthetic and real-world data.
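The abstract describes the idea at a high level; the following Python simulation is an added example, not code from the paper or from any RAPPOR implementation. It follows the two-stage randomized response over a Bloom filter that the RAPPOR paper describes (a permanent response with flip parameter f, then an instantaneous response with probabilities p and q on every report) and shows both sides of the "forest, not trees" claim: a single client report reveals little, while the aggregate counts of the Bloom bits can be estimated without bias. The parameter values (K, H, F, P, Q), the SHA-256-based hashing, the population counts and the per-string decoding heuristic (taking the minimum over a string's Bloom positions instead of the paper's full regression-based decoding) are all assumptions of this example.

```python
import hashlib
import math
import random
from collections import Counter

# Parameters chosen for this example (assumed, not taken from the paper).
K = 32    # Bloom filter length in bits
H = 2     # number of hash functions per string
F = 0.5   # permanent randomized response: probability a bit is re-randomized
P = 0.5   # instantaneous response: P(report 1 | permanent bit is 0)
Q = 0.75  # instantaneous response: P(report 1 | permanent bit is 1)


def bloom_bits(value, k=K, h=H):
    """Bit positions set for `value` in a k-bit Bloom filter with h hashes (SHA-256 based)."""
    positions = set()
    for i in range(h):
        digest = hashlib.sha256(f"{i}:{value}".encode("utf-8")).digest()
        positions.add(int.from_bytes(digest[:4], "big") % k)
    return positions


def encode(value, k=K, h=H):
    """Bloom filter of `value` as a list of k bits (the client's true signal)."""
    hits = bloom_bits(value, k, h)
    return [1 if i in hits else 0 for i in range(k)]


def permanent_response(bits, f, rng):
    """Permanent randomized response: each bit is kept with probability 1-f,
    otherwise replaced by a fair coin. Computed once per client and value,
    so repeated reports cannot average this noise away."""
    out = []
    for b in bits:
        r = rng.random()
        if r < f / 2:
            out.append(1)
        elif r < f:
            out.append(0)
        else:
            out.append(b)
    return out


def instantaneous_response(perm_bits, p, q, rng):
    """Instantaneous randomized response applied to every report: a 1 is reported
    with probability q where the permanent bit is 1 and with probability p where
    it is 0, so two reports from the same client are not trivially linkable."""
    return [1 if rng.random() < (q if b else p) else 0 for b in perm_bits]


def client_report(value, rng, f=F, p=P, q=Q):
    """One client's report for `value`: permanent response, then instantaneous response."""
    return instantaneous_response(permanent_response(encode(value), f, rng), p, q, rng)


def epsilon_permanent(f, h=H):
    """Differential-privacy bound of the permanent response alone: two strings'
    Bloom filters differ in at most 2h bits, each with likelihood ratio (1-f/2)/(f/2)."""
    return 2 * h * math.log((1 - f / 2) / (f / 2))


def estimate_bit_counts(reports, f=F, p=P, q=Q, k=K):
    """Unbiased estimate, per Bloom bit, of how many clients truly had that bit set.
    E[reported ones] = t*(1-f)*(q-p) + n*(p + f*q/2 - f*p/2); solve for t."""
    n = len(reports)
    baseline = (p + 0.5 * f * q - 0.5 * f * p) * n
    scale = (1 - f) * (q - p)
    return [(sum(r[i] for r in reports) - baseline) / scale for i in range(k)]


def estimate_string_count(value, bit_estimates, k=K, h=H):
    """Simplified per-string estimate (assumption of this example): the smallest
    estimate among the string's Bloom positions. Hash collisions with other
    strings can only push this upwards; the paper's regression step is omitted."""
    return min(bit_estimates[i] for i in bloom_bits(value, k, h))


def simulate(population, seed=0, f=F, p=P, q=Q):
    """Collect one report from every client in `population` (value -> number of
    clients holding it), then decode the aggregate. Returns per-bit estimates
    and per-string estimates."""
    rng = random.Random(seed)
    reports = [client_report(v, rng, f, p, q) for v, n in population.items() for _ in range(n)]
    bits = estimate_bit_counts(reports, f, p, q)
    return bits, {v: estimate_string_count(v, bits) for v in population}


if __name__ == "__main__":
    # Constructed population: client-side strings and how many clients hold each.
    population = Counter({"setting=default": 6000, "setting=custom": 3000, "setting=legacy": 1000})
    print("epsilon of permanent response:", round(epsilon_permanent(F), 3))
    _, per_string = simulate(population)
    for value, est in per_string.items():
        print(f"{value:16s} true={population[value]:5d} estimated={est:8.0f}")
```

Lowering F tightens the aggregate estimate but raises the per-client privacy bound epsilon_permanent(F); raising F does the opposite, because the decoding scale factor (1-f)(q-p) shrinks and the variance of each bit estimate grows. That trade-off between the differential-privacy guarantee and the utility of the collected statistics is the one the paper's analysis quantifies.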