Universally Optimal Privacy Mechanisms for Minimax Agents

A scheme that publishes aggregate information about sensitive data must resolve the trade-off between utility to information consumers and privacy of the database participants. Differential privacy is a well-established definition of privacy: it is a universal guarantee against all attackers, whatever their side-information or intent. In this paper, we present a universal treatment of utility based on the standard minimax rule from decision theory (in contrast to the utility model in, which is Bayesian). In our model, information consumers are minimax (risk-averse) agents, each possessing some side-information about the query, and each endowed with a loss-function which models their tolerance to inaccuracies. Further, information consumers are rational in the sense that they actively combine information from the mechanism with their side-information in a way that minimizes their loss. Under this assumption of rational behavior, we show that for every fixed count query, a certain geometric mechanism is universally optimal for all minimax information consumers. Additionally, our solution makes it possible to release query results at multiple levels of privacy in a collusion-resistant manner.


💡 Research Summary

The paper tackles the classic privacy‑utility trade‑off in differential privacy by adopting a decision‑theoretic minimax framework rather than the more common Bayesian utility model. Each information consumer is modeled as a risk‑averse (minimax) agent who possesses side‑information about a count query and a loss function that quantifies tolerance to inaccuracy. Consumers are assumed to behave rationally: they combine the noisy answer returned by the mechanism with their prior knowledge in a way that minimizes their worst‑case loss.

Under these assumptions the authors focus on a single count query (the number of records satisfying a predicate) and propose the discrete geometric mechanism: for a true count k the released value is k + Z where Z follows a two‑sided geometric distribution with parameter ε, i.e.,
 Pr
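
The following Python example is added here and is not code from the paper or from this summary. Because the formula is cut off above, it assumes the standard two-sided geometric form Pr[Z = z] = (1 - α)/(1 + α) · α^|z| with α = e^{-ε}; it also goes beyond the text by clamping the released value to [0, n] and by checking that adjacent counts never differ in output probability by more than e^ε. All function names are hypothetical.

```python
import math
import secrets

_rng = secrets.SystemRandom()  # OS CSPRNG: the noise must be unpredictable

def alpha(eps):
    # Assumed parameterisation: alpha = e^{-eps}, eps > 0.
    if eps <= 0:
        raise ValueError("epsilon must be positive")
    return math.exp(-eps)

def _geometric(a):
    # Inversion sampling: Pr[G = g] = (1 - a) * a**g for g = 0, 1, 2, ...
    # (floating-point inversion approximates the exact distribution)
    u = 1.0 - _rng.random()  # u in (0, 1], so log(u) is defined
    return int(math.log(u) / math.log(a))

def geometric_mechanism(true_count, eps):
    # k + Z, with Z the difference of two i.i.d. geometric variables,
    # which gives Pr[Z = z] = (1 - a) / (1 + a) * a**|z|.
    a = alpha(eps)
    return true_count + _geometric(a) - _geometric(a)

def release(true_count, n, eps):
    # Clamp to the valid range of a count over n records (post-processing).
    return min(n, max(0, geometric_mechanism(true_count, eps)))

def output_pmf(r, k, n, eps):
    # Exact Pr[release = r | true count = k]; tail mass collapses onto 0 and n.
    a = alpha(eps)
    if r == 0:
        return a ** k / (1 + a)
    if r == n:
        return a ** (n - k) / (1 + a)
    return (1 - a) / (1 + a) * a ** abs(r - k)

def worst_privacy_ratio(n, eps):
    # Largest probability ratio between adjacent counts k and k+1 over all
    # outputs; eps-differential privacy requires it to stay <= e^eps.
    worst = 1.0
    for k in range(n):
        for r in range(n + 1):
            p, q = output_pmf(r, k, n, eps), output_pmf(r, k + 1, n, eps)
            worst = max(worst, p / q, q / p)
    return worst

if __name__ == "__main__":
    print(release(42, 100, 0.5), worst_privacy_ratio(100, 0.5), math.exp(0.5))
```

The worst-case ratio equals e^ε exactly, including at the clamped endpoints 0 and n, so clamping costs no privacy.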

