Minimax randomized response methods for protecting respondent's privacy
Randomized response (RR) is a common privacy protection tool. It perturbs each true response using a probabilistic mechanism. Local differential privacy (LDP) is a rigorous privacy protection criterion that demands a guarantee that no intruder will get much new information about any respondent'...
Saved in:
Published in | Communications in statistics. Theory and methods Vol. 52; no. 10; pp. 3429 - 3451 |
---|---|
Main Authors | , |
Format | Journal Article |
Language | English |
Published |
Philadelphia
Taylor & Francis
19.05.2023
Taylor & Francis Ltd |
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | Randomized response (RR) is a common privacy protection tool. It perturbs each true response using a probabilistic mechanism. Local differential privacy (LDP) is a rigorous privacy protection criterion that demands a guarantee that no intruder will get much new information about any respondent's true value from its perturbed value. Considering linear unbiased estimation of multinomial probabilities under LDP and squared error loss, we derive minimax RR methods. We address optimal choices for both the RR mechanism (or design) and the estimator. Our minimax design has a particular structure, which is used to define t-subset designs. We describe and study properties of t-subset designs including their practical implementation. We also study mixtures of t-subset designs and examine the RAPPOR method, which is used notably by Google and Apple. We note inadmissibility of the RAPPOR design and offer some suggestions for improving both the design and the customary estimator. |
---|---|
ISSN: | 0361-0926 1532-415X |
DOI: | 10.1080/03610926.2021.1973503 |