Local Pan-privacy for Federated Analytics

Vitaly Feldman, Audra Mcmillan, Guy N. Rothblum, Kunal Talwar
Proceedings of the 42nd International Conference on Machine Learning, PMLR 267:16573-16588, 2025.

Abstract

Pan-privacy was proposed by Dwork et al. (2010) as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system’s internal state. Motivated by Federated telemetry applications, we study local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. We then show that this problem can be solved in a scalable way using standard cryptographic primitives.

Cite this Paper

BibTeX
@InProceedings{pmlr-v267-feldman25a, title = {Local Pan-privacy for Federated Analytics}, author = {Feldman, Vitaly and Mcmillan, Audra and Rothblum, Guy N. and Talwar, Kunal}, booktitle = {Proceedings of the 42nd International Conference on Machine Learning}, pages = {16573--16588}, year = {2025}, editor = {Singh, Aarti and Fazel, Maryam and Hsu, Daniel and Lacoste-Julien, Simon and Berkenkamp, Felix and Maharaj, Tegan and Wagstaff, Kiri and Zhu, Jerry}, volume = {267}, series = {Proceedings of Machine Learning Research}, month = {13--19 Jul}, publisher = {PMLR}, pdf = {https://raw.githubusercontent.com/mlresearch/v267/main/assets/feldman25a/feldman25a.pdf}, url = {https://proceedings.mlr.press/v267/feldman25a.html}, abstract = {Pan-privacy was proposed by Dwork et al. (2010) as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system’s internal state. Motivated by Federated telemetry applications, we study local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. We then show that this problem can be solved in a scalable way using standard cryptographic primitives.} }
Endnote
%0 Conference Paper %T Local Pan-privacy for Federated Analytics %A Vitaly Feldman %A Audra Mcmillan %A Guy N. Rothblum %A Kunal Talwar %B Proceedings of the 42nd International Conference on Machine Learning %C Proceedings of Machine Learning Research %D 2025 %E Aarti Singh %E Maryam Fazel %E Daniel Hsu %E Simon Lacoste-Julien %E Felix Berkenkamp %E Tegan Maharaj %E Kiri Wagstaff %E Jerry Zhu %F pmlr-v267-feldman25a %I PMLR %P 16573--16588 %U https://proceedings.mlr.press/v267/feldman25a.html %V 267 %X Pan-privacy was proposed by Dwork et al. (2010) as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system’s internal state. Motivated by Federated telemetry applications, we study local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. We then show that this problem can be solved in a scalable way using standard cryptographic primitives.
APA
Feldman, V., Mcmillan, A., Rothblum, G.N. & Talwar, K.. (2025). Local Pan-privacy for Federated Analytics. Proceedings of the 42nd International Conference on Machine Learning, in Proceedings of Machine Learning Research 267:16573-16588 Available from https://proceedings.mlr.press/v267/feldman25a.html.

Related Material