Privacy-Utility Trade-offs Under Multi-Level Point-Wise Leakage Constraints

Abstract

An information-theoretic privacy mechanism design is studied, where an agent observes useful data Y which is correlated with the private data X. The agent wants to reveal the information to a user, hence, the agent utilizes a privacy mechanism to produce disclosed data U that can be revealed. We assume that the agent has no direct access to X, i.e., the private data is hidden. We study privacy mechanism design that maximizes the disclosed information about Y, measured by the mutual information between Y and U, while satisfying a point-wise constraint with different privacy leakage budgets. We introduce a new measure, called the multi-level point-wise leakage, which allows us to impose different leakage levels for different realizations of U. In contrast to previous studies on point-wise measures, which use the same leakage level for each realization, we consider a more general scenario in which each data point can leak information up to a different threshold. As a result, this concept also covers cases in which some data points should not leak any information about the private data, i.e., they must satisfy perfect privacy. In other words, a combination of perfect privacy and non-zero leakage can be considered. When the leakage is sufficiently small, concepts from information geometry allow us to locally approximate the mutual information. We show that when the leakage matrix PX|Y is invertible, utilizing this approximation leads to a quadratic optimization problem that has closed-form solution under some constraints. In particular, we show that it is sufficient to consider only binary U to attain the optimal utility. This leads to simple privacy designs with low complexity which are based on finding the maximum singular value and singular vector of a matrix.