Imagine you are the mayor of a town, and you want to publish a report on your citizens' habits (like how much they earn or what diseases they have) to help researchers. But you don't want anyone to figure out specifically who has what.
To protect privacy, you use a technique called Differential Privacy (DP). Think of this as adding a little bit of "static" or "fog" to the data before you publish it. The more fog you add, the harder it is to see individual faces, but the blurrier the whole picture becomes, making the report less useful.
The big question for the mayor is: How much fog is enough?
- Too little fog? A sneaky hacker might still figure out your neighbor's salary.
- Too much fog? The report becomes useless, and no one learns anything.
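The "fog" here is literal random noise. A minimal sketch of the Laplace mechanism, the textbook way DP noise is added to a count (the town statistic and the epsilon values are made up for illustration; smaller epsilon means more fog):

```python
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical town statistic: how many residents earn over $50k.
true_count = 1000.0

def dp_release(value, epsilon, sensitivity=1.0):
    # Laplace mechanism: noise scale = sensitivity / epsilon.
    # Smaller epsilon = more fog = stronger privacy, but larger error.
    return value + rng.laplace(0.0, sensitivity / epsilon)

# Average absolute error over many releases, heavy fog vs. light fog.
err_foggy = np.mean([abs(dp_release(true_count, 0.1) - true_count)
                     for _ in range(5000)])   # roughly 10
err_clear = np.mean([abs(dp_release(true_count, 10.0) - true_count)
                     for _ in range(5000)])   # roughly 0.1
```

A hundredfold change in epsilon trades a hundredfold change in error, which is exactly the dial the mayor is trying to set.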
For a long time, experts measured this risk with a ruler called ReRo (Reconstruction Robustness). But this paper argues that the old ruler is broken. It's like trying to measure the temperature of a room with a tool that also counts how many people are in the room: it gives you a number, but it's the wrong number for the job.
Here is what this paper does, explained simply:
1. The Problem: The "Old Ruler" is Broken
The old method (ReRo) assumes the hacker knows nothing about the person they are trying to spy on. It assumes the hacker is looking at a blank wall.
But in the real world, hackers aren't blind. They have Auxiliary Knowledge.
- Analogy: Imagine you are trying to guess your neighbor's secret recipe.
- Old Ruler (ReRo): Assumes the hacker has never seen your neighbor, doesn't know their name, and has never been to their house. It calculates the risk based on this "blind" scenario.
- Real Life: The hacker does know your neighbor. They know the neighbor is a vegetarian, they know the neighbor loves spicy food, and they saw the neighbor's grocery list on Facebook.
Because the old ruler ignores this extra info, it gets confused.
- False Alarms: Sometimes, the old ruler screams "DANGER!" because the hacker guessed the recipe correctly just by knowing the neighbor is a vegetarian (imputation), not because the privacy fog failed. This makes the mayor add too much fog, ruining the report's usefulness.
- Missed Dangers: Sometimes, the old ruler says "Safe," but because the hacker had that extra info (like the grocery list), they could actually break through the fog.
2. The Solution: A New, Smarter Ruler (RAD)
The authors introduce a new metric called Reconstruction Advantage (RAD).
Think of RAD as a Smart Detective.
Instead of just asking, "Did the hacker guess the recipe?" it asks, "Did the hacker guess the recipe better because they saw the foggy report, or did they just guess it because they already knew the neighbor loves spicy food?"
- The "Advantage" Part: RAD only counts the risk that comes specifically from the data you released. If the hacker could have guessed the secret just by looking at public info (like a social media post), RAD says, "That's not our fault; we didn't leak that."
- The Result: This gives a much fairer, more accurate picture of the actual risk.
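The "advantage" idea can be seen in a toy simulation (my illustration, not the paper's actual formalism): a baseline attacker who only has the auxiliary knowledge, versus an informed attacker who also sees the foggy release. Only the gap between them counts as leakage.

```python
import numpy as np

rng = np.random.default_rng(1)
n = 20000

# Toy world: each person's secret is one bit. Auxiliary knowledge
# (say, a public social-media post) already makes the secret 1
# with probability 0.8 -- before any data is released.
prior = 0.8
secret = rng.random(n) < prior

# The "foggy report": randomized response, a simple DP mechanism
# that flips each released bit with probability p_flip.
p_flip = 0.1
release = secret ^ (rng.random(n) < p_flip)

# Baseline attacker: ignores the release, guesses the prior's mode (1).
baseline_acc = np.mean(secret)   # roughly 0.8 -- not the mechanism's fault

# Informed attacker: Bayes-optimal guess combining prior and release.
def map_guess(obs):
    like1 = 1 - p_flip if obs else p_flip
    like0 = p_flip if obs else 1 - p_flip
    return prior * like1 > (1 - prior) * like0

informed_acc = np.mean([map_guess(o) == s for o, s in zip(release, secret)])

# Advantage: only the gain attributable to the release is counted.
advantage = informed_acc - baseline_acc   # roughly 0.1 here
```

Note the baseline is already 0.8: an old-style measure that only looks at raw guessing accuracy would blame the mechanism for all of it, while the advantage isolates the 0.1 the release actually contributed.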
3. Why This Matters: The "Goldilocks" Zone
Because the old ruler was broken, city planners (data scientists) were often adding way too much fog to be safe. They were throwing away valuable data just in case.
With the new RAD ruler:
- Better Utility: You can use less fog while staying just as safe. This means the data reports are clearer and more useful for science and policy.
- Better Auditing: If a company claims their data is private, you can now use this new tool to test them. You can say, "Hey, with your current settings, a hacker with a Facebook profile could still guess your secrets. You need to add a little more fog."
4. The "Perfect Attack" Strategy
The paper also figures out the perfect way a hacker would try to break the system.
- Analogy: Imagine a lock. The authors didn't just guess how hard it is to pick; they built the perfect lock-picking tool and tested it on every type of lock (different privacy mechanisms).
- By knowing exactly how the perfect tool works, they can calculate the exact amount of fog needed to stop it. This ensures you aren't wasting data (too much fog) or being too risky (too little fog).
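The calibration idea can be sketched in the same toy randomized-response setting (this closed form is my illustration for a single bit, not the paper's derivation): once you know the best possible attack, you can dial in the least fog that caps its gain.

```python
def optimal_advantage(prior, p_flip):
    # Best attack against single-bit randomized response (toy setting):
    # trust the released bit when the fog is light enough that its
    # accuracy (1 - p_flip) beats the prior; otherwise fall back on
    # the prior alone. The advantage is the gain from the release.
    best_attack_acc = max(1 - p_flip, prior)
    return best_attack_acc - prior

# Calibrate: the least fog that caps the optimal attacker's gain at
# 5 percentage points, given auxiliary knowledge worth a 0.8 prior.
target, p_flip = 0.05, 0.0
while optimal_advantage(0.8, p_flip) > target:
    p_flip += 0.01
# p_flip lands near 0.15: no wasted fog, no leftover risk
```

Because the bound targets the strongest attacker, any weaker, real-world hacker is stopped too, which is what makes the calibration safe rather than optimistic.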
Summary
- The Old Way: Measured risk assuming hackers were blind. It often panicked and ruined data usefulness, or missed real dangers when hackers had extra info.
- The New Way (RAD): Measures risk by asking, "How much did the data actually help the hacker?" It separates "guessing based on public info" from "stealing private info."
- The Benefit: We can now share data that is safer (because we understand the real risks) and more useful (because we don't add unnecessary noise).
In short, this paper gives us a better way to balance the trade-off between keeping secrets and sharing knowledge, ensuring we don't throw the baby (useful data) out with the bathwater (privacy noise).