Differential Privacy: What, Why and When. A Tutorial

Moni Naor, Weizmann Institute of Science

Slides credit: Guy Rothblum, …

Crypto Innovation School (CIS 2018), Shenzhen, Nov 29th 2018

What is Differential Privacy?
• Differential Privacy is a concept
  – Motivation
  – Rigorous mathematical definition
  – Properties
  – A measurable quantity
• Set of algorithmic techniques for achieving it
• First defined in:
  – Dwork, McSherry, Nissim, and Smith, Calibrating Noise to Sensitivity in Private Data Analysis, Third Theory of Cryptography Conference, TCC 2006.
  – Earlier roots: Warner, Randomized Response, 1965

Why Differential Privacy?

• DP: strong, quantifiable, composable mathematical privacy guarantee
• Provably resilient to known and unknown attack modes!
• Theoretically: DP enables many computations with personal data while preserving personal privacy
  – Practicality in first stages of validation
  – Not a panacea

Good References

• The Algorithmic Foundations of Differential Privacy, Cynthia Dwork and Aaron Roth, http://www.cis.upenn.edu/~aaroth/privacybook.html
• The Complexity of Differential Privacy
• Differential Privacy: A Primer for a Non-technical Audience, https://privacytools.seas.harvard.edu/files/privacytools/files/pedagogical-document-dp_new.pdf

Privacy-Preserving Analysis: The Problem

[Figure: Data → Analysis → Outcome; the data can be distributed or encrypted!]

• Given dataset with sensitive personal info (health, social network, location, communication, …)
• How to compute and release functions of the dataset (academic research, informed policy, national security, …)
• While protecting individual privacy

Glorious Failures of Traditional Approaches to Data Privacy
• Re-identification [Sweeney ’00, …]
• Auditors [Kenthapadi, Mishra, Nissim ’05]
• Genome-Wide association studies (GWAS) [Homer et al. ’08]
• Netflix Prize [Narayanan, Shmatikov ‘08]
• Social networks [Backstrom, Dwork, Kleinberg ‘11]
• Attack on statistical aggregates [Dwork, Smith, Steinke, Ullman, Vadhan ‘15]

The Netflix Prize

• Netflix recommends movies to its subscribers
  – Seek an improved recommendation system
  – Offered $1,000,000 for “10% improvement”
  – Published training data
• Prize won in September 2009 by the “BellKor's Pragmatic Chaos” team
• Very influential competition in machine learning

From the Netflix Prize Rules Page…

• “The training data set consists of more than 100 million ratings from over 480 thousand randomly-chosen, anonymous customers on nearly 18 thousand movie titles.”

• “The ratings are on a scale from 1 to 5 (integral) stars. To protect customer privacy, all personal information identifying individual customers has been removed and all customer ids have been replaced by randomly-assigned ids. The date of each rating and the title and year of release for each movie are provided.”

Netflix Data Release [Narayanan-Shmatikov 2008]

• Ratings for subset of movies and users
• Usernames replaced with random IDs
• Some additional perturbation

Credit: Arvind Narayanan via Adam Smith

A Source of Auxiliary Information
• Internet Movie Database (IMDb)
  – Individuals may register for an account and rate movies
  – Need not be anonymous
    • Probably want to create some web presence
  – Visible material includes ratings, dates, comments

Use Public Reviews from IMDb.com

[Figure: matching the anonymized Netflix data against public, incomplete IMDb data, user by user (Alice, Bob, Charlie, Danielle, Erica, Frank), yields identified Netflix data]

Credit: Arvind Narayanan via Adam Smith

De-anonymizing the Netflix Dataset
Results:
• “With 8 movie ratings and dates that may have a 3-day error, 96% of Netflix subscribers whose records have been released can be uniquely identified in the dataset.” (of which 2 may be completely wrong)
• “For 89%, 2 ratings and dates are enough to reduce the set of plausible records to 8 out of almost 500,000, which can then be inspected by a human for further deanonymization.”

Consequences?
– Learn about movies that IMDb users didn’t want to tell the world about... sexual orientation, religious beliefs
– Subject of lawsuits (US Video Privacy Protection Act 1988); settled, March 2010

Credit: Arvind Narayanan via Adam Smith

Perfect Privacy?

Why not “Semantic Security”? [à la Goldwasser Micali]
Anything that can be learned about a participant from sanitized data can be learned without it [Dalenius77]

Unachievable: auxiliary information is a problem [Dwork Naor]
Common theme in privacy horror stories

A “New” Approach to Privacy
Differential Privacy [DMNS06]
Any outcome is equally likely when I’m in the database or out of the database
Risk incurred by participation is low

Learning Can Hurt

[Figure: the data analyst sends queries $q_1, q_2, \dots$ to the data and receives answers $a_1, a_2, \dots$]

Teachings vs. Participation

[Figure: the same query/answer exchange between the data and the data analyst]

Dwork, McSherry, Nissim & Smith: Differential Privacy 2006

Any outcome is equally likely when I’m in the database or out of the database

Algorithm $A$ guarantees $\varepsilon$-differential privacy if for all DBs $D$ and all events $S$:
$$\Pr_A[A(D + \text{me}) \in S] \le e^{\varepsilon} \cdot \Pr_A[A(D - \text{me}) \in S]$$
(the probability is over the randomness introduced by $A$; $e^{\varepsilon} \approx 1 + \varepsilon$ for small $\varepsilon$)

Differential Privacy

[Figure: neighboring databases $b = (b_1, b_2, b_3, \dots, b_{n-1}, b_n)$ and $b' = (b_1, b_2', b_3, \dots, b_{n-1}, b_n)$, differing in one entry, are both fed to mechanism $M$; the output distributions $M(b)$ and $M(b')$ are at “distance” $< \varepsilon$]

Slide credit: Kobbi Nissim

Dwork, McSherry, Nissim & Smith: Differential Privacy 2006
Any outcome is equally likely when I’m in the database or out of the database

Algorithm $A$ guarantees $(\varepsilon, \delta)$-differential privacy if for all DBs $D$ and all events $S$:
$$\Pr_A[A(D + \text{me}) \in S] \le e^{\varepsilon} \cdot \Pr_A[A(D - \text{me}) \in S] + \delta$$
(the probability is over the randomness introduced by $A$)

$(\varepsilon, \delta)$-differential privacy: Dwork, Kenthapadi, McSherry, Mironov and Naor, 2007

Local Model

[Figure: local model; each of the $n$ users holds one bit $b_1, \dots, b_n$ and sends a randomized answer $a_1, a_2, \dots$ to the aggregator, so no trusted curator ever sees the raw bits]

Differential Privacy is a Success
• Algorithms in many settings and for many tasks

Important Properties: Programmable!
• Group privacy: $k\varepsilon$ privacy for a group of size $k$
• Composability
  – Applying the sanitization several times: graceful degradation
  – proportional to number of applications
  – even proportional to the square root of the number of applications
• Robustness to side information (hard to quantify)
  – No need to specify exactly what the adversary knows
• Postprocessing

Differential Privacy: A Tutorial
• Basic composition: answering small numbers of queries

• Advanced composition: answering moderate numbers of queries
• Coordinated mechanisms: answering huge numbers of queries
• Example of mixing MPC and DP for passwords

Composition

Privacy maintained even under multiple analyses

Core issue: the key to differential privacy’s success!
• Unavoidable
  – In reality, there are multiple analyses
• Makes DP “programmable”
  – Private subroutines make for private algorithms

Composition

Privacy maintained even under multiple analyses
How do we define it? [DworkRothblumVadhan10]
• Adaptive, adversarial DBs and algorithms

[Figure: composition game. The adversary fixes $b \in \{0,1\}$; in round $i = 1, \dots, k$ it chooses a pair of adjacent databases $(x_i^0, x_i^1)$ and a DP mechanism $M_i$ and receives $M_i(x_i^b)$. $b = 0$: real world; $b = 1$: my data replaced with junk. The views under $b = 0$ and $b = 1$ are DP]

Basic Composition

• $k$ (adaptively chosen) algorithms, each $\varepsilon_0$-DP: taken together still $k \cdot \varepsilon_0$-DP

Application: answering multiple queries

Basic Composition Proof

Define: $M_{1,2}(x) = (M_1(x), M_2(x))$

$$\frac{\Pr[M_{1,2}(x) = (z_1, z_2)]}{\Pr[M_{1,2}(y) = (z_1, z_2)]} = \frac{\Pr[M_1(x) = z_1] \cdot \Pr[M_2(x) = z_2]}{\Pr[M_1(y) = z_1] \cdot \Pr[M_2(y) = z_2]} \le e^{\varepsilon_1} e^{\varepsilon_2}$$

Property of the definition
– Independent of the implementation
– What about the adaptive case?

Statistical queries

$q(D)$ = “how many in $D$ satisfy predicate $P$?”, where $P$ is a Boolean predicate on universe $U$

Statistical queries allow powerful data analyses
• Perceptron, ID3 decision trees, PCA/SVM, k-means [BlumDworkMcSherryNissim05]
• any SQ-learning algorithm [Kearns98]
  – includes “most” known PAC-learning algorithms

Data Analysis Model

[Figure: the trusted curator holds database $D$ (a multi-set over universe $U$) and is given a query set $Q$; it produces a privacy-preserving synopsis $S$ that is accurate on $Q$ for the untrusted analyst. Offline: non-interactive (the analyst receives $S$ for $Q$). Online: interactive (the analyst sends $q_1, q_2, \dots$ and receives $a_1, a_2, \dots$)]

Answering a single counting query

$U$ is a set of tuples $(name, tag \in \{0,1\})$. Counting query: # of participants with $tag = 1$

A: output # of 1’s + noise. Differentially private, for proper noise!
Choose noise from the Laplace distribution

Laplacian Noise
Laplace distribution $Y = Lap(b)$, density function $\Pr[Y = y] = \frac{1}{2b} e^{-|y|/b}$. Standard deviation: $O(b)$.
Set $b = 1/\varepsilon$, get that $\Pr[Y = y] \propto e^{-\varepsilon \cdot |y|}$

[Figure: Laplace density plotted over $-4, \dots, 5$]

Laplacian Noise: $\varepsilon$-Privacy
Take $b = 1/\varepsilon$, get that $\Pr[Y = y] \propto e^{-\varepsilon \cdot |y|}$. Release: $q(D) + Lap(1/\varepsilon)$
For adjacent $D, D'$: $|q(D) - q(D')| \le 1$, so for any $z$:
$$e^{-\varepsilon} \le \Pr_{\text{by } D}[z] \,/\, \Pr_{\text{by } D'}[z] \le e^{\varepsilon}$$

Laplacian Noise: $\tilde O(1/\varepsilon)$-Error
Take $b = 1/\varepsilon$, get that $\Pr[Y = y] \propto e^{-\varepsilon \cdot |y|}$. Then $\Pr_{y \sim Y}[|y| > k \cdot 1/\varepsilon] = O(e^{-k})$.
Expected error is $1/\varepsilon$; w.h.p. error is $\tilde O(1/\varepsilon)$

Scaling Noise to Sensitivity [DMNS06]

Global sensitivity of query $q: U^n \to [0, n]$: $GS_q = \max_{D, D'} |q(D) - q(D')|$. For a counting query $q$: $GS_q = 1$

Previous argument generalizes:
For query $q$, release $q(D) + Lap(GS_q/\varepsilon)$
• $\varepsilon$-private
• error $\tilde O(GS_q/\varepsilon)$

Answering $k$ Queries: Basic Composition

Answer $k$ queries, each with sensitivity 1
• Use Laplace with $\varepsilon_0 = \varepsilon/k$ privacy per query: better privacy, more noise per query ($\sim Lap(k/\varepsilon)$)
• Composition: $\varepsilon$-privacy for all $k$ answers
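The Laplace mechanism for a counting query, the per-output privacy-loss bound and the even split of the budget under basic composition, as an added example (not code from the slides). The records, predicates and the Laplace sampler are constructed here; `privacy_loss` computes the log-ratio of the two Laplace densities that the $\varepsilon$-privacy slide bounds.

```python
"""Laplace mechanism, privacy-loss check and basic composition (added example)."""
import math
import random

# Constructed toy database of (name, tag) tuples, as in the slides.
RECORDS = [("alice", 1), ("bob", 0), ("carol", 1), ("dan", 1), ("erin", 0)]


def laplace_density(y, b):
    """Density of Lap(b) at y: (1/2b) * exp(-|y|/b)."""
    return math.exp(-abs(y) / b) / (2 * b)


def laplace_sample(b, rng):
    """Draw Y ~ Lap(b) by inverse CDF from a uniform u in [-1/2, 1/2)."""
    u = rng.random() - 0.5
    return -b * math.copysign(1.0, u) * math.log(max(1 - 2 * abs(u), 1e-300))


def count_query(records, predicate):
    """Counting query: number of records satisfying the predicate (sensitivity 1)."""
    return sum(1 for r in records if predicate(r))


def laplace_mechanism(records, predicate, eps, rng):
    """Release q(D) + Lap(GS_q / eps); GS_q = 1 for a counting query."""
    return count_query(records, predicate) + laplace_sample(1.0 / eps, rng)


def privacy_loss(z, answer_d, answer_d_prime, eps):
    """ln(Pr_by_D[z] / Pr_by_D'[z]) for one released value z.
    With b = 1/eps this equals eps * (|z - q(D')| - |z - q(D)|), so its
    magnitude is at most eps * |q(D) - q(D')| <= eps on adjacent databases."""
    b = 1.0 / eps
    return math.log(laplace_density(z - answer_d, b) /
                    laplace_density(z - answer_d_prime, b))


def laplace_tail(t, b):
    """Pr[|Y| > t] for Y ~ Lap(b) is exp(-t/b); at t = k/eps, b = 1/eps it is e^-k."""
    return math.exp(-t / b)


def answer_k_queries(records, predicates, eps, rng):
    """Basic composition: give each of the k queries eps/k, i.e. noise Lap(k/eps);
    the k answers together are eps-DP, with error growing linearly in k."""
    eps0 = eps / len(predicates)
    return [laplace_mechanism(records, p, eps0, rng) for p in predicates]


if __name__ == "__main__":
    rng = random.Random(2018)
    eps = 0.5
    tag_is_one = lambda r: r[1] == 1
    print("true count:", count_query(RECORDS, tag_is_one))
    print("noisy count:", laplace_mechanism(RECORDS, tag_is_one, eps, rng))
    d_prime = RECORDS[1:]          # adjacent database: 'alice' removed, count moves by 1
    for z in (-2.0, 0.5, 3.0, 7.5):
        loss = privacy_loss(z, count_query(RECORDS, tag_is_one),
                            count_query(d_prime, tag_is_one), eps)
        print(f"z={z}: privacy loss {loss:+.3f} (bound {eps})")
```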

Error (roughly) linear in number of queries
• E.g.: can answer $n$ queries with $\tilde O(n)$ error

Differential Privacy: A Tutorial

• Basic composition: answering small numbers of queries
• Advanced composition: answering moderate numbers of queries
• Coordinated mechanisms: answering huge numbers of queries
• Example of mixing MPC and DP for passwords

Advanced Composition [DRV10]

Composing $k$ algorithms, each $\varepsilon_0$-DP:
$$\varepsilon_g = O\left(\sqrt{k \cdot \ln(1/\delta_g)} \cdot \varepsilon_0 + k \cdot \varepsilon_0^2\right)$$
with all but $\delta_g$ probability, simultaneously for all $\delta_g$.

Compare with: $\varepsilon_g = k \cdot \varepsilon_0$ (basic composition); think of $k < 1/\varepsilon_0^2$

Privacy Loss

Fix adjacent $D, D'$, draw $y \leftarrow M(D)$:
$$PrivacyLoss(y) = \ln \frac{\Pr[M(D) = y]}{\Pr[M(D') = y]}$$

Can be positive, negative (or infinite)

Privacy Loss

Fix adjacent $D, D'$, draw $y \leftarrow M(D)$:
$$PrivacyLoss(y) = \ln \frac{\Pr[M(D) = y]}{\Pr[M(D') = y]}$$

• random variable, has a mean
• $(\varepsilon, 0)$-DP: w.p. 1 over $y$, $PrivacyLoss(y) \le \varepsilon$
• $(\varepsilon, \delta)$-DP*: w.p. $1 - \delta$ over $y$, $PrivacyLoss(y) \le \varepsilon$

Advanced Composition [DRV10]

Composing $k$ algorithms, each $\varepsilon_0$-DP:
$$\varepsilon_g = O\left(\sqrt{k \cdot \ln(1/\delta_g)} \cdot \varepsilon_0 + k \cdot \varepsilon_0^2\right)$$
with all but $\delta_g$ probability, for all $\delta_g$ simultaneously.

• Better composition for better DP algorithms
• Answer $n$ queries, error $\tilde O(\sqrt{n \cdot \ln(1/\delta_g)})$
  – independent Laplace noise
• Will see: answer $k$ queries, error $\tilde O(\sqrt{\log k \cdot n \cdot \ln(1/\delta_g)})$
  – coordinated noise: Private Multiplicative Weights [HR10]

Fundamental law of information recovery [DN03]: must have error $\Omega(\sqrt n)$

Advanced Composition Proof

If $M$ is DP, then the privacy loss RV has:
• $E[PrivacyLoss] = O(\varepsilon^2)$ (down to $\varepsilon^2/2$ [DR15])
• $PrivacyLoss \le \varepsilon$

Model the cumulative loss from $M_1, \dots, M_k$ as a martingale:
$$\Pr\left[\sum_{i=1}^{k} Loss_i > k\varepsilon^2 + \sqrt{k}\,\varepsilon \cdot t\right] \le \exp(-t^2/2)$$

Advanced Composition of $(\varepsilon, \delta)$

Composing $k$ algorithms, each $(\varepsilon_0, \delta_0)$-DP:
$$\varepsilon_g = O\left(\sqrt{k \cdot \ln(1/\delta_{err})} \cdot \varepsilon_0 + k \cdot \varepsilon_0^2\right)$$
with all but $\delta_g = \delta_{err} + k \cdot \delta_0$ probability.
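Plugging numbers into the two composition bounds, as an added illustration that is not on the slides. It assumes the explicit constants of the DRV10 theorem, $\varepsilon_g = \sqrt{2k\ln(1/\delta')}\,\varepsilon_0 + k\varepsilon_0(e^{\varepsilon_0} - 1)$ with $\delta_g = k\delta_0 + \delta'$, in place of the $O(\cdot)$ form above.

Take $k = 10^4$ mechanisms, each $\varepsilon_0 = 0.01$ (pure DP, so $\delta_0 = 0$), and $\delta' = 10^{-6}$:
$$\text{basic:}\quad \varepsilon_g = k\varepsilon_0 = 100$$
$$\text{advanced:}\quad \varepsilon_g = \sqrt{2 \cdot 10^4 \cdot \ln 10^6}\cdot 0.01 + 10^4 \cdot 0.01 \cdot (e^{0.01} - 1) \approx 525.7 \cdot 0.01 + 1.005 \approx 6.26,\qquad \delta_g = 10^{-6}$$

Read the other way, to answer $k = n = 10^4$ sensitivity-1 queries with total $\varepsilon_g \approx 1$ (dropping the second-order term, which is valid while $k < 1/\varepsilon_0^2$):
$$\varepsilon_0 \approx \frac{1}{\sqrt{2k\ln(1/\delta')}} \approx \frac{1}{525.7} \approx 1.9 \cdot 10^{-3},\qquad Lap(1/\varepsilon_0) \text{ has scale } \approx \sqrt{2n\ln(1/\delta')} \approx 526,$$
the $\tilde O(\sqrt{n \ln(1/\delta_g)})$ error of the slides, against noise of scale $k/\varepsilon_g = 10^4$ per query under basic composition.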

Generally: $\delta$’s add up

Do Better for Some Query Sets?

Use sensitivity of the answer vector [DMNS06]. Example:
• Histograms: divide $U$ into $d$ disjoint bins $S_1, \dots, S_d$; $d$ queries: $q_i$ counts #users in set $S_i$
• For adjacent $D, D'$, only two answers can change, and each can change by 1
• Global sensitivity of the answer vector is 2
• Add only $Lap(2/\varepsilon)$ noise to each query, still get $\varepsilon$-privacy

Further Work: Not Today
Some queries have high global sensitivity, but (usually) low local sensitivity
– Example: median
Want noise ~ local sensitivity. Problem: local sensitivity is itself sensitive!
Smooth sensitivity [Nissim Raskhodnikova Smith 08]: compute a “smoothed” diffP upper bound on local sensitivity
Propose-Test-Release [Dwork-Lei 09]: diffP test of local sensitivity, fail if too high

Differential Privacy: A Tutorial

• Basic composition: answering small numbers of queries
• Advanced composition: answering moderate numbers of queries
• Coordinated mechanisms: answering huge numbers of queries

$k$-fold composition of $\varepsilon_0$-differential privacy?
Answer 1 [DMNS06]: $\varepsilon_0 k$-differential privacy
Answer 2 [DRV10]: $\varepsilon_0 \sqrt{k}$-differential privacy
Note: for small enough $\varepsilon_0$ can (privately) answer $n$ queries with error $\sqrt n$

Do better for general queries?

Negative Results
Cannot answer $n$ counting queries with error $o(\sqrt n)$ [DiNi03, DwMcTa07, DwYe08]
In all these cases: strong privacy violation, almost the entire DB compromised
What can we do?

Many Queries Question
Can we achieve error $\sqrt n$ for $k \gg n$ queries
• with any reasonable notion of privacy
Yes! Can answer huge numbers of queries with small error and differential privacy [BLR08, DNRRV09, DRV10, RR10, HR10]

The Exponential Mechanism

Sometimes adding noise makes no sense, e.g. when the output is not a number:
– minimum cut in a graph
– decision tree classifier

[McSherry-Talwar 2007]
Motivation: auction design – DP implies approximate truthfulness
Subsequently applied broadly and successfully – can phrase any DP mechanism as an instance of EM

The Exponential Mechanism
Input $x$, output $y$ arbitrary. Define for any possible input $x$ and output $y$ some measure of utility $u(y, x)$, a real number
• The larger $u(y, x)$ the better the result
• Adjacent databases should have similar scores
  – $\Delta = \max_{x, x', y} |u(x, y) - u(x', y)|$ small (the max is over adjacent $x, x'$)
The mechanism: on input $x$, output $y$ w.p. $\propto e^{\varepsilon u(y, x)/\Delta}$

Simple Example: Private Lunch Preferences

DB of $n$ individuals, lunch options $\{1, 2, \dots, k\}$
– each individual likes/dislikes each option (1 or 0)
Goal: output a lunch option that many like
Mechanism: output option $j$ with probability $\propto e^{\varepsilon \cdot \ell(j)}$, where $\ell(j)$ = # who like $j$
Actual probability: $\dfrac{e^{\varepsilon \cdot \ell(j)}}{\sum_i e^{\varepsilon \cdot \ell(i)}}$ (the denominator is the normalizer)

Private Lunch: $2\varepsilon$-Privacy
For each option $j \in [k]$, $\ell(j)$ = # who like $j$. Mechanism: output $j$ with probability $\dfrac{e^{\varepsilon \cdot \ell(j)}}{\sum_i e^{\varepsilon \cdot \ell(i)}}$
For adjacent DBs, $\forall j$: $\ell(j)$ can differ by 1
• $e^{\varepsilon \cdot \ell(j)}$ changes by $\le e^{\varepsilon}$ factor
• $\sum_i e^{\varepsilon \cdot \ell(i)}$ changes by $\le e^{\varepsilon}$ factor
For every $j$, $\Pr[\text{output} = j]$ changes by $\le e^{2\varepsilon}$

Private Lunch: $\tilde O(\log k / \varepsilon)$-Utility
For each option $j \in [k]$, $\ell(j)$ = # who like $j$. Mechanism: output $j$ with probability $\dfrac{e^{\varepsilon \cdot \ell(j)}}{\sum_i e^{\varepsilon \cdot \ell(i)}}$
• If $\ell(j_1) < \ell(j_2) - d$, prob. of $j_1$ is $e^{\varepsilon d}$ times smaller
• If $\ell(j) < \max_i \ell(i) - (\ln k + b)/\varepsilon$, $\Pr[\text{output is } j] \le 1/(k \cdot \exp(b))$
• Union bound over all $j \in [k]$: $\Pr[\text{answer} < \max - (\ln k + b)/\varepsilon] \le \exp(-b)$

Recap

• Notion of $\varepsilon$-differential privacy and $(\varepsilon, \delta)$-differential privacy
• Composition: basic and advanced
  – For $k$-fold composition of $\varepsilon_0$-DP: $\varepsilon_0 k$ and $\varepsilon_0 \sqrt{k}$ respectively
  – Laplace mechanism and answering low-sensitivity queries
• The size of the database as a bound on the number of queries
• The exponential mechanism

The Exponential Mechanism
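The exponential mechanism in the general form of the slides ($\Pr[y] \propto e^{\varepsilon u(y,x)/\Delta}$) with the private-lunch instance as an added example, not the authors' code; the lunch database is constructed here, and the $2\varepsilon$-privacy and the $(\ln k + b)/\varepsilon$ utility bounds are checked numerically on it, not proved.

```python
"""Exponential mechanism [McSherry-Talwar 2007] and the private-lunch instance (added example)."""
import math

# Constructed DB: one row per individual, one 0/1 entry per lunch option.
LUNCH_DB = [
    [1, 0, 1],
    [1, 1, 0],
    [1, 0, 0],
    [0, 1, 0],
    [1, 0, 1],
]


def exponential_mechanism_probs(utilities, eps, delta):
    """Output probabilities Pr[y] ∝ exp(eps * u(y, x) / Delta), one per candidate y.
    Subtracting the top utility first avoids overflow; the ratios are unchanged."""
    top = max(utilities)
    weights = [math.exp(eps * (u - top) / delta) for u in utilities]
    total = sum(weights)
    return [w / total for w in weights]


def likes(db):
    """ell(j) = number of individuals who like option j."""
    return [sum(row[j] for row in db) for j in range(len(db[0]))]


def lunch_probs(db, eps):
    """Private lunch: utility is ell(j); adding or removing one person moves it by <= 1, so Delta = 1."""
    return exponential_mechanism_probs(likes(db), eps, 1.0)


def max_prob_ratio(probs_d, probs_d_prime):
    """Largest factor by which any output probability moves between D and D'.
    The slides bound it by exp(2*eps): numerator and normalizer each move by <= e^eps."""
    return max(max(p / q, q / p) for p, q in zip(probs_d, probs_d_prime))


def prob_far_from_max(db, eps, b):
    """Probability that the chosen option is more than (ln k + b)/eps below the
    most-liked one; the union-bound argument on the slides gives <= exp(-b)."""
    ell = likes(db)
    probs = lunch_probs(db, eps)
    cutoff = max(ell) - (math.log(len(ell)) + b) / eps
    return sum(p for l, p in zip(ell, probs) if l < cutoff)


if __name__ == "__main__":
    eps = 1.0
    print("likes:", likes(LUNCH_DB), "probs:", [round(p, 4) for p in lunch_probs(LUNCH_DB, eps)])
    # Adjacent DB: the last individual is removed, so every ell(j) moves by at most 1.
    ratio = max_prob_ratio(lunch_probs(LUNCH_DB, eps), lunch_probs(LUNCH_DB[:-1], eps))
    print(f"max probability ratio {ratio:.4f} <= e^(2 eps) = {math.exp(2 * eps):.4f}")
    print("Pr[answer far from max], b=0:", prob_far_from_max(LUNCH_DB, eps, 0.0), "<= 1")
```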

Answering Many Queries [BlLiRo08]

Answer any set $Q$ of counting queries with diffP
• Error is $\tilde O(n^{2/3} \log^{1/3} |Q|)$
  – uses the exponential mechanism
• Algorithm outputs a synthetic DB
  – Output is a (small) DB itself

[Figure: Input DB → algorithm → Synthetic DB]

Hope for rich private analysis of small DBs! #queries $\gg$ DB size

The BLR Algorithm

Input DB $D$ of size $n$, query set $Q$. Sample a DB $F$ of size $m$ ($m < n$): $F$ gets picked w.p. $\propto e^{-\varepsilon \cdot dist(F, D)}$

Utility: for DBs $F$ and $D$, $dist(F, D) = \max_{q \in Q} |q(F) - q(D)|$
Intuition: far DBs get smaller probability. Two samples that are approximately the same on $Q$ get the same weight

The BLR Algorithm: $2\varepsilon$-Privacy

Input DB $D$ of size $n$, query set $Q$. Sample a DB $F$ of size $m$ ($m < n$): $F$ gets picked w.p. $\propto e^{-\varepsilon \cdot dist(F, D)}$
For adjacent $D, D'$ and every $F$: $|dist(F, D) - dist(F, D')| \le 1$
• Probability of $F$ by $D$: $e^{-\varepsilon \cdot dist(F, D)} \,/\, \sum_{G \text{ of size } m} e^{-\varepsilon \cdot dist(G, D)}$
• Probability of $F$ by $D'$: numerator and denominator can each change by a factor $e^{\varepsilon}$
$2\varepsilon$-differential privacy

BLR Algorithm: Error

Input DB $D$ of size $n$, query set $Q$. Sample a DB $F$ of size $m$ ($m < n$): $F$ gets picked w.p. $\propto e^{-\varepsilon \cdot dist(F, D)}$

Fix desired error $\alpha$, $m = \tilde O((n/\alpha)^2 \cdot \log |Q|)$
• $\exists F^*$ of size $m$ with $dist(F^*, D) \le \alpha$: $\Pr[F^*] \propto e^{-\varepsilon \alpha}$
• $\forall F_{bad}$ with dist $\ge 2\alpha$: $\Pr[F_{bad}] \propto e^{-2\varepsilon\alpha}$
• $\sum_{F_{bad}} \Pr[F_{bad}] \propto |U|^m \cdot e^{-2\varepsilon\alpha}$
Take $\alpha = \tilde O(n^{2/3} \cdot \log^{1/3} |Q|)$: $\Pr[F_{good}] \gg \sum \Pr[F_{bad}]$, so a random sample is good w.h.p.!

BLR Algorithm: Running Time

Input DB $D$ of size $n$, query set $Q$. Sample a DB $F$ of size $m$ ($m < n$): $F$ gets picked w.p. $\propto e^{-\varepsilon \cdot dist(F, D)}$

Brute-force sampling: need to enumerate every size-$m$ database, where $m = \tilde O((n/\alpha)^2 \cdot \log |Q|)$
Running time $\approx |U|^{\tilde O((n/\alpha)^2 \cdot \log |Q|)}$

BLR Algorithm: Conclusion

Offline algorithm
• Error: $\tilde O(n^{2/3} \cdot \log^{1/3} |Q| / \varepsilon)$
• Running time: $|U|^{\tilde O(n^{2/3} \cdot \log^{1/3} |Q| / \varepsilon)}$

Private Multiplicative Weights Algorithm
Online algorithm
• Error: $\tilde O(\sqrt{n} \cdot \log |Q| / \varepsilon)$
• Running time: $poly(|U|, |Q|, n)$

Key Insight to Increasing the Number of Queries: Use Coordinated Noise

• If noise is added with careful coordination, rather than independently, can answer hugely many queries (#queries $\gg$ DB size)
Wave of results showing:
• Differential privacy for every set $Q$ of counting queries
• Error is $\tilde O(n^{1/2} \log |Q|)$
  – Even in the interactive case
  – Private Multiplicative Weights Algorithm

Represent database as a linear function
Data set $D$ is a distribution over universe $U$, $|U| = N$:
$$D[i] = \frac{\#\text{type-}i\text{ items in } D}{n}$$

[Figure: histogram of $D$ over item types $1, 2, 3, 4, 5, \dots, N$]

Statistical query $q$ is a vector in $\{0,1\}^N$:
$$q(D) = \langle q, D \rangle \in [0, 1]$$
(the $1/n$ normalization is already in $D$)

[Figure: the 0/1 entries of $q$ over item types $1, 2, 3, 4, 5, \dots, N$]

Maintaining State

[Figure: a query $q$ arrives and is answered from the state]

State = distribution $D$

Hardt & Rothblum 2010: The PMW Algorithm

Multiplicative Weights
• Powerful tool in algorithms design
• Learn a probability distribution iteratively
• In each round:
  – either the current distribution is good
  – or get a lot of information on the distribution
• Update distribution

The PMW Algorithm
Maintain a distribution $D$ on universe $U$. This is the state. It is completely public!
Initialize $D$ to be uniform on $U$
Repeat up to $k$ times (algorithm fails if more than $k$ updates):
• Set $\hat T \leftarrow T + Lap(\cdot)$
• Repeat while no update occurs:
  – Receive query $q \in Q$
  – Let $\hat a = x(q) + Lap(\cdot)$ ($x(q)$ is the true value)
  – Test: if $|q(D) - \hat a| \le \hat T$, output $q(D)$
  – Else (update):
    • Output $\hat a$
    • Update $D[i] \leftarrow D[i] \cdot e^{\pm T/4 \cdot q[i]}$ and re-weight (the plus or minus is according to the sign of the error)

Private Multiplicative Weights
Accuracy: nearly optimal (in worst case)
Privacy: differential privacy
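The PMW loop above in runnable form, as an added example that is not the authors' code. It assumes a normalized histogram as the database, takes the update step size $\eta$ as a parameter (the slides use $T/4$; a larger step is used on the toy data), and takes the noise source as a parameter so the same loop can be run with noise disabled to watch the public state converge. Database and queries are constructed.

```python
"""Private Multiplicative Weights [Hardt & Rothblum 2010], as sketched on the slides (added example)."""
import math
import random


def laplace_noise(scale, rng):
    """One Lap(scale) draw by inverse CDF (stdlib only)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1 - 2 * abs(u), 1e-300))


def normalize(weights):
    total = sum(weights)
    return [w / total for w in weights]


def query_value(q, dist):
    """Statistical query q in {0,1}^N evaluated on a distribution: <q, dist> in [0, 1]."""
    return sum(qi * di for qi, di in zip(q, dist))


def pmw(true_hist, queries, T, eta, k, noise):
    """Answer `queries` adaptively; returns (answers, final public state, #updates).
    `noise()` returns one Laplace draw; pass `lambda: 0.0` for the noiseless loop."""
    N = len(true_hist)
    D = [1.0 / N] * N                  # public state: uniform on U to start
    x = normalize(true_hist)           # the private database as a distribution
    answers, updates = [], 0
    t_hat = T + noise()                # noisy threshold for the current epoch
    for q in queries:
        a_hat = query_value(q, x) + noise()     # noisy true value
        est = query_value(q, D)                 # answer computed from the public state
        if abs(est - a_hat) <= t_hat:
            answers.append(est)                 # no update: the public state is good enough
            continue
        updates += 1
        if updates > k:
            raise RuntimeError("more than k updates: algorithm fails")
        answers.append(a_hat)
        sign = 1.0 if a_hat > est else -1.0     # direction of the error decides +/-
        D = normalize([d * math.exp(sign * eta * qi) for d, qi in zip(D, q)])
        t_hat = T + noise()                     # fresh noisy threshold after an update
    return answers, D, updates


if __name__ == "__main__":
    hist = [40, 0, 10, 0, 0, 0, 0, 50]       # constructed: n = 100 records over |U| = 8
    qs = [[1, 0, 0, 0, 0, 0, 0, 0], [0, 0, 1, 0, 0, 0, 0, 1], [1, 1, 1, 1, 0, 0, 0, 0]] * 3
    rng = random.Random(7)
    ans, state, upd = pmw(hist, qs, T=0.05, eta=0.5, k=20, noise=lambda: laplace_noise(0.01, rng))
    print(upd, "updates; answers:", [round(a, 3) for a in ans])
    print("public state:", [round(d, 3) for d in state])
```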

Runtime: linear dependence on $|U|$
• $|U|$ exponential in # attributes of data
When can we get $poly(n)$?
Lower bounds based on tracing traitors

Differential Privacy: A Tutorial

• Basic composition: answering small numbers of queries
• Advanced composition: answering moderate numbers of queries
• Coordinated mechanisms: answering huge numbers of queries
• Example of mixing MPC and DP for passwords

Applications/Implementations of Differential Privacy
• US Census Bureau OnTheMap: gives researchers access to agency data.
• Google’s RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response
  – Enabled collection of data avoided before
  – Open source, Chrome
  – Local model
• Apple: big news coverage, commitment to privacy
• Applications to multiple hypothesis testing

• Global vs. local
• How to hack Kaggle competitions
• Public policy
  – California Public Utilities Commission – smart meters
  – Interpreting and implementing FERPA (Family Educational Rights and Privacy Act) by differential privacy, Nissim and Wood

Understand how DP fits with the existing regulatory framework. Problem: the regulatory framework is not mathematically precise, and the idea of de-identification is hard-wired into it.

Challenges

• Small datasets
• Massive composition – global epsilon: event level vs. user level
• Work in conjunction with Secure Function Evaluation
• Winning the hearts and minds of policy makers…

Winning the hearts and minds of policy makers…
• Widen scope of implementation and use.
• Identify the next good use cases for DP.
  – Construct DP tools that best match the practices and education of users
  – Explain shortcomings of other methods and benefits of DP
  – Need to figure out how DP works as one of the layers in a suite of privacy protections.
  – Less straightforward and intuitive than anonymity/de-identification and its variants