Local Pan-Privacy for Federated Analytics
This addresses privacy challenges in federated telemetry applications, offering a scalable solution for local pan-privacy, though it is incremental as it builds on existing pan-privacy and cryptographic concepts.
The paper tackled the problem of ensuring privacy for event counts in federated analytics under repeated intrusions on local devices, showing that information-theoretic differential privacy is incompatible with telemetry collection but can be solved scalably using cryptographic primitives.
Pan-privacy was proposed by Dwork et al. as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system's internal state. Motivated by federated telemetry applications, we study local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. We then show that this problem can be solved in a scalable way using standard cryptographic primitives.