Local Pan-Privacy for Federated Analytics

Pan-privacy was proposed by Dwork et al. as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system's internal state. Motivated by federated telemetry applications, in this talk we will define local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We will consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We’ll show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. Finally we’ll discuss how this problem can be solved in a scalable way using standard cryptographic primitives. Joint work with Vitaly Feldman, Guy Rothblum and Kunal Talwar.