Optimal User-Centric Data Obfuscation
Abstract
Perturbing information before it is shared with untrusted entities is an effective and widely proposed approach to protecting users' privacy. However, the privacy of users and the utility of the obfuscated information are at odds with each other: increasing one decreases the other. In this paper, we propose a methodology for designing protection mechanisms that optimally trade utility for privacy, by maximizing one and guaranteeing a lower bound on the other, while anticipating the optimal inference attack. We formulate the optimization problem of maximizing the user's utility and guaranteeing her privacy as a non-zero-sum Stackelberg game. The defender (user) leads the game by designing and committing to a protection mechanism, and the adversary follows by making inferences on the shared information. The solution of this game is optimal against any possible inference attack. We show that these games can be solved using linear programming. Our second contribution is to design optimal protection mechanisms using the ε-differential privacy metric. We find the values of ε that maximize privacy under utility constraints. Inversely, we design mechanisms that optimize utility for a given value of ε, as the bound on privacy. For a generic distance function between secrets, we design these optimal mechanisms for differential privacy using linear and quadratic programming. The Bayesian and differential privacy metrics complement each other: the former measures the absolute privacy level of the user under a protection mechanism, and the latter measures the relative information leakage due to an observation from the protection mechanism. A bound on one does not guarantee a bound on the other. Our third contribution is to combine the two notions. We design optimal obfuscation mechanisms that guarantee both Bayesian and differential privacy and maximize utility, or guarantee one of the privacy metrics and maximize the other under utility constraints.
Our work fills the gap between Bayesian and differential privacy, and is the first work, to the best of our knowledge, that unifies different privacy metrics and provides a methodology to design optimal protection mechanisms in a generic case. Using simulation, we show that optimal differential protection mechanisms impose a higher utility cost, yet they are more robust to inference attacks and to adversaries with accurate background knowledge. We show that the optimal joint Bayesian-differential mechanism is indeed superior to the two mechanisms individually.
Keywords: Privacy Protection Mechanism Design; Obfuscation; Perturbation; Bayesian Privacy; Differential Privacy; Utility; Stackelberg Game; Optimization; Linear Programming
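The abstract's central caveat, that a bound on Bayesian privacy does not imply a bound on differential privacy or vice versa, is easy to see on a two-secret instance. The Python below is an added illustration, not code from the paper: it evaluates a given obfuscation mechanism (a row-stochastic table p(o|s)) against the adversary's best response, i.e. the posterior minimum-expected-distance estimate that the Stackelberg formulation anticipates, and computes the three quantities the abstract discusses: the expected estimation error of that optimal inference attack (Bayesian privacy), the smallest ε for which p(o|s) ≤ e^{ε·d(s,s')} p(o|s') holds for every output and secret pair (differential privacy with a generic distance), and the expected distance between the true and shared values (utility loss). It does not solve the linear program that designs the optimal mechanism; it only measures mechanisms. The secrets (two grid cells), the |a−b| distance, the priors and the two mechanisms are constructed for the example. Randomized response has finite ε but its Bayesian privacy collapses under a skewed prior, while the constructed "leaky" mechanism has infinite ε yet the same Bayesian privacy as randomized response under a uniform prior.

```python
import math
from itertools import combinations

# Constructed example: secrets are grid cells 0 and 1. The same distance is
# used between secrets, between a secret and an estimate, and between a
# secret and a shared output (the paper allows any distance function).
def d(a, b):
    return abs(a - b)

PRIOR_UNIFORM = {0: 0.5, 1: 0.5}
PRIOR_SKEWED = {0: 0.9, 1: 0.1}   # adversary with accurate background knowledge

# Mechanism 1: randomized response, report the true cell with probability 3/4.
RR = {0: {0: 0.75, 1: 0.25},
      1: {0: 0.25, 1: 0.75}}

# Mechanism 2 (constructed "leaky" mechanism): output 1 is uninformative, but
# output 0 is only ever produced by secret 0 and output 2 only by secret 1.
LEAKY = {0: {0: 0.5, 1: 0.5},
         1: {1: 0.5, 2: 0.5}}


def outputs(mech):
    return sorted({o for row in mech.values() for o in row})


def p(mech, o, s):
    """p(o | s); an output a secret never produces has probability 0."""
    return mech[s].get(o, 0.0)


def optimal_inference(prior, mech):
    """Adversary's best response. For each observable o, pick the estimate
    that minimizes the posterior expected distance. Returns
    {o: (estimate, err)} where err = min over estimates of
    sum_s prior(s) p(o|s) d(s, estimate); summing err over o gives the
    expected estimation error, because the joint probability is already
    folded in."""
    attack = {}
    for o in outputs(mech):
        def loss(est):
            return sum(prior[s] * p(mech, o, s) * d(s, est) for s in prior)
        best = min(prior, key=loss)
        attack[o] = (best, loss(best))
    return attack


def bayesian_privacy(prior, mech):
    """Expected error of the optimal inference attack (Bayesian privacy)."""
    return sum(err for _, err in optimal_inference(prior, mech).values())


def dp_epsilon(mech):
    """Smallest eps with p(o|s) <= exp(eps * d(s, s2)) * p(o|s2) for all
    o, s, s2. Infinite when some output is possible under one secret but
    impossible under another."""
    eps = 0.0
    for s, s2 in combinations(mech, 2):
        for o in outputs(mech):
            a, b = p(mech, o, s), p(mech, o, s2)
            if a == 0.0 and b == 0.0:
                continue
            if a == 0.0 or b == 0.0:
                return math.inf
            eps = max(eps, abs(math.log(a) - math.log(b)) / d(s, s2))
    return eps


def utility_loss(prior, mech):
    """Expected distance between the true secret and the shared value."""
    return sum(prior[s] * q * d(s, o)
               for s in prior for o, q in mech[s].items())


if __name__ == "__main__":
    for name, mech in (("randomized response", RR), ("leaky", LEAKY)):
        for pname, prior in (("uniform", PRIOR_UNIFORM), ("skewed", PRIOR_SKEWED)):
            print(f"{name:20s} prior={pname:8s} "
                  f"bayesian privacy={bayesian_privacy(prior, mech):.3f} "
                  f"epsilon={dp_epsilon(mech):.3f} "
                  f"utility loss={utility_loss(prior, mech):.3f}")
```

Under the uniform prior both mechanisms leave the adversary with an expected error of 0.25, yet ε is ln 3 for randomized response and infinite for the leaky mechanism; switching to the skewed prior leaves ε unchanged but drops randomized response's Bayesian privacy to 0.1, since the adversary now guesses cell 0 regardless of the output. This is why the paper treats the two metrics as complementary constraints rather than substitutes.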
Related references
Privacy Games: Optimal User-Centric Data Obfuscation
Consider users who share their data (e.g., location) with an untrusted service provider to obtain a personalized (e.g., location-based) service. Data obfuscation is a prevalent user-centric approach to protecting users' privacy in such systems: the untrusted entity only receives a noisy version of the user's data. Perturbing data before sharing it, however, comes at the price of the users' utility ...
Software obfuscation from crackers' viewpoint
Various kinds of software obfuscation methods have been proposed to protect security-sensitive information involved in software implementations. This paper proposes a cracker-centric approach to give a guideline for employing existing obfuscation methods to disrupt crackers’ actions.
On the Effectiveness of Obfuscation Techniques in Online Social Networks
Data obfuscation is a well-known technique for protecting user privacy against inference attacks, and it was studied in diverse settings, including search queries, recommender systems, location-based services and Online Social Networks (OSNs). However, these studies typically take the point of view of a single user who applies obfuscation, and focus on protection of a single target attribute. U...
A Database-centric Approach to Privacy Protection in Location-based Applications
Privacy preservation in location-based services (LBS) has been emerging as a measure of the quality of both LBS providers' services and mobile users' needs. A lot of research already done on it can be used to assure user privacy while the quality of service (QoS) must be kept up. However, all of the conventional obfuscation techniques are geometry-based and separated from the database level. Unl...
Location Privacy-Preserving Task Allocation for Mobile Crowdsensing with Differential Geo-Obfuscation
In traditional mobile crowdsensing applications, organizers need participants’ precise locations for optimal task allocation, e.g., minimizing selected workers’ travel distance to task locations. However, the exposure of their locations raises privacy concerns. Especially for those who are not eventually selected for any task, their location privacy is sacrificed in vain. Hence, in this paper, ...