Sign In

Communications of the ACM

Review article

A Firm Foundation For Private Data Analysis

keyhole and information image

Credit: Brian Greenberg

What does it mean to preserve privacy?

The full text of this article is premium content


CACM Administrator

The following letter was published in the Letters to the Editor in the May 2011 CACM (
--CACM Administrator

Many thanks for Cynthia Dwork's article "A Firm Foundation for Private Data Analysis" (Jan. 2011), explaining why, in trying to formalize what is perfect privacy, we cannot use the late University of Stockholm economist Tore E. Dalenius's criterion that asking allowed queries of a statistical database, we should not be able to learn new (private) information about a particular individual. When preparing to discuss Dwork's article at a recent colloquium in our computer science department, we came up with an even simpler explanation of such an impossibility:

One important purpose of collecting statistical data is to help identify correlations between, say, weight and blood pressure. Suppose, for example, it turns out that blood pressure is equal to weight, and we know that person A (not in this database) weighs 180 pounds. Without the database, A's blood pressure might be private, but once we learn the perfect correlation from it, we can conclude that A's blood pressure is 180.

In real life, we never see such perfect correlation, but, by analyzing the database and discovering some correlation, we know more about the probability of different values of blood pressure than we would otherwise know.

Vladik Kreinovich and Luc Longpre
El Paso, TX

Akshay Bhat

" However, this is clearly insufficient: Suppose appearing in a subsample has terrible consequences. Then every time subsampling occurs some individual suffers horribly."

I don't understand this line of reasoning. In most randomized trial experiments, which are considered as a gold standard in both medical and social sciences this is ethically acceptable. At the same time appearing in a subsample might need not end up always horribly for the selected individual, it can also provide a benefit. The underlying assumption that appearance in a randomized subsample is somehow discriminatory goes completely against ethical norms followed by all other fields.

Akshay Bhat,
New York, NY

Displaying all 2 comments

Log in to Read the Full Article

Sign In

Sign in using your ACM Web Account username and password to access premium content if you are an ACM member, Communications subscriber or Digital Library subscriber.

Need Access?

Please select one of the options below for access to premium content and features.

Create a Web Account

If you are already an ACM member, Communications subscriber, or Digital Library subscriber, please set up a web account to access premium content on this site.

Join the ACM

Become a member to take full advantage of ACM's outstanding computing information resources, networking opportunities, and other benefits.

Subscribe to Communications of the ACM Magazine

Get full access to 50+ years of CACM content and receive the print version of the magazine monthly.

Purchase the Article

Non-members can purchase this article or a copy of the magazine in which it appears.