
We do need a way to get sensitive data sets to researchers; there is a lot of public good and discovery to be had when we do.

Cynically, when we were finding that de-identification of data was not a cryptographically secure or a viable solution for providing data sets to researchers who couldn't be trusted to protect them, a nagging voice would suggest that k-anonymity, and now DP, were a way to obfuscate the distribution of risk in the solutions through layered niche abstractions, and to use the ensuing confusion to get the data toothpaste out of the tube.

Today, I like the idea that DP provides a set of information theoretic criteria for candidate algorithms for protecting privacy and anonymity. It also appears to provide practical tools for technologists to reason about information theory problems in their day to day work.

It's hard to imagine it was acceptable to say, "sure you can do cancer/autism/health research, but first we need a viable generalized homomorphic encryption solution before we share our data with you," but that was the state of health information security up to even recently.

The need for a class of non-cryptological (e.g. not certified algos), and non-zero-sum information privacy protection tools reflects how we actually use data today.

I am still wary that project types will wave DP around like a talisman to ward off security analysts threatening their deadlines, but that's not DP's fault.

There is a joke in here about how the response of security people to DP and privacy is often snark, but I will leave that as an exercise to the reader.



FHE and DP aren't concerned with the same definition of privacy. FHE aims to guarantee exactly what is revealed. DP tries to guarantee what can be inferred from what is revealed.


Indeed, and I think the definition of privacy that security technologists were applying to health data (in my example) implied FHE or other solutions that were out of reach, as a barrier to doing important research.

It was worth emphasizing these are very different concepts. My association of them was because they are posed as potential solutions in the same business problem domains.
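An added illustration of the DP half of that distinction, written for this page rather than taken from the thread: a Laplace-noised count over a constructed toy dataset, with a check that the likelihood ratio an observer of the released value could ever see between the real dataset and any neighbouring one (one person added or removed) stays within exp(epsilon), beside the "publish the exact aggregate" alternative, where that ratio is unbounded. The dataset, function names and epsilon values are assumptions made up for the example.

```python
import math
import random

# Constructed toy microdata for this example: one entry per person, 1 if the
# person has the condition under study. These values are made up.
RECORDS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]


def count_query(records):
    """The statistic a researcher asks for: the number of positive records."""
    return sum(records)


def neighbours(records):
    """Datasets differing from `records` in exactly one person: one record
    removed, or one record added with either value. DP bounds what an
    observer of the output can learn about that one person."""
    out = [records[:i] + records[i + 1:] for i in range(len(records))]
    out += [records + [0], records + [1]]
    return out


def laplace_release(true_value, epsilon, sensitivity=1.0, rng=None):
    """Laplace mechanism: add Laplace(0, sensitivity/epsilon) noise.
    For a counting query one person changes the count by at most 1, so
    sensitivity=1. The difference of two Exp(1) variates is Laplace(0, 1)."""
    if rng is None:
        rng = random
    scale = sensitivity / epsilon
    noise = scale * (rng.expovariate(1.0) - rng.expovariate(1.0))
    return true_value + noise


def density_ratio(x, centre_a, centre_b, scale):
    """p(x | dataset A) / p(x | dataset B) when the release is
    Laplace(centre, scale); computed in the exponent to avoid underflow."""
    return math.exp((abs(x - centre_b) - abs(x - centre_a)) / scale)


def worst_case_privacy_loss(records, epsilon, sensitivity=1.0, steps=2000):
    """Largest likelihood ratio an observer of the noisy count could see
    between `records` and any neighbour, scanned over a grid of outputs in
    both directions. epsilon-DP promises this never exceeds exp(epsilon)."""
    scale = sensitivity / epsilon
    c = count_query(records)
    worst = 1.0
    for nb in neighbours(records):
        c_nb = count_query(nb)
        lo = min(c, c_nb) - 10 * scale
        hi = max(c, c_nb) + 10 * scale
        for k in range(steps + 1):
            x = lo + (hi - lo) * k / steps
            worst = max(worst,
                        density_ratio(x, c, c_nb, scale),
                        density_ratio(x, c_nb, c, scale))
    return worst


def exact_release_privacy_loss(records):
    """The 'de-identified aggregate' alternative: publish the exact count.
    If any neighbour has a different count, the exact output rules that
    neighbour out entirely, so the likelihood ratio is unbounded."""
    c = count_query(records)
    if any(count_query(nb) != c for nb in neighbours(records)):
        return math.inf
    return 1.0


if __name__ == "__main__":
    eps = 1.0
    true = count_query(RECORDS)
    noisy = laplace_release(true, eps, rng=random.Random(7))
    print("true count:", true)
    print("noisy count (eps=%.1f): %.2f" % (eps, noisy))
    print("worst-case likelihood ratio: %.4f  bound exp(eps): %.4f"
          % (worst_case_privacy_loss(RECORDS, eps), math.exp(eps)))
    print("exact release likelihood ratio:", exact_release_privacy_loss(RECORDS))
```

The scan reaches exactly exp(epsilon) because the two Laplace centres differ by the sensitivity; lowering epsilon tightens the bound at the cost of noisier counts, and the exact-release case shows why an unnoised aggregate offers no such bound for the person whose record flips the count.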

