Differential Privacy

Motivation & Historical Context

Privacy in statistical databases is the foundational problem: how to release useful aggregate information about a population without leaking information about individuals. Pre-DP approaches all failed under composition with auxiliary information.

Dalenius's Desideratum

"Anything that can be learned about a respondent from the statistical database should be learnable without access to the database." ~ Tore Dalenius, 1977

Impossibility result (Dwork 2006): This semantic notion is unachievable for any non-trivial database utility. The proof is essentially a Bayesian argument: if the database is informative, releasing it shifts posteriors over individuals, even for individuals not in the database. Example: a study showing "smoking causes cancer" reveals information about a smoker not in the study.

This forced the field to move from absolute privacy to relative privacy — i.e., the database's release should not significantly increase what an adversary learns about any individual compared to a counterfactual world where that individual opted out. This is the conceptual seed of DP.

[!note] The opt-out semantics DP guarantees: your privacy loss is bounded by the marginal effect of your data being in the database. It does not guarantee that an adversary cannot learn things about you — only that they learn essentially the same things whether you participated or not.

Why Anonymization Fails

k-anonymity (Samarati–Sweeney 1998): Each record indistinguishable from k−1 others on quasi-identifiers. ℓ-diversity (Machanavajjhala 2007): Each equivalence class has ℓ "well-represented" sensitive values. t-closeness (Li 2007): Distribution of sensitive attributes in each class close to global distribution.

All three fall to linkage attacks with auxiliary information:

GIC Massachusetts (1997): Latanya Sweeney re-identified Governor Weld from "anonymized" hospital records using voter rolls (ZIP + DOB + sex).
AOL search log release (2006): Searcher #4417749 → Thelma Arnold.
Netflix Prize (2008): Narayanan–Shmatikov linked Netflix ratings to IMDb profiles.
Genome-wide association studies: Homer et al. (2008) detected presence in pooled allele frequencies.

The deeper lesson: syntactic privacy guarantees (about the data format) cannot survive arbitrary auxiliary information; only semantic guarantees (about the mechanism) can.

Core Definitions

Neighboring Datasets

Two datasets $D, D^{'} \in X^{n}$ are neighbors, written $D \sim D^{'}$ , if they differ in one record. Two conventions:

Convention	Definition	Notes
Add/Remove (unbounded DP)	$D^{'}$ obtained by adding or removing one record; $D \neq = D^{'}$	Hides participation; standard in theory
Replace (bounded DP)	$D, D^{'}$ same size, differ in one record's value	Hides record value; assumed in many applied papers

These differ by a factor of 2 in sensitivity for many queries. Always check which convention a paper uses. The Census 2020 release uses bounded.

ε-Differential Privacy

A randomized mechanism $M : X^{n} \to Y$ is ε-differentially private if for all neighboring $D \sim D^{'}$ and all measurable $S \subseteq Y$ : $Pr [M (D) \in S] \leq e^{ε} \cdot Pr [M (D^{'}) \in S]$

This is the pure DP definition (Dwork–McSherry–Nissim–Smith 2006). The privacy budget $ε \geq 0$ is the only parameter. Smaller $ε$ = more privacy.

Interpretation via likelihood ratio: $ε$ bounds the log-likelihood ratio of the output under any two neighbor inputs: $sup_{y} lo g \frac{P r [ M ( D ) = y ]}{P r [ M ( D ^{'} ) = y ]} \leq ε$

This makes DP a hypothesis-testing statement: no test of " $D$ vs $D^{'}$ " can do significantly better than chance.

(ε,δ)-Differential Privacy

$M$ is (ε,δ)-DP if for all $D \sim D^{'}$ and all $S$ : $Pr [M (D) \in S] \leq e^{ε} \cdot Pr [M (D^{'}) \in S] + δ$

Semantic meaning of δ: with probability at most $δ$ , the pure ε-DP guarantee fails catastrophically. Standard rule: $δ ≪ 1/ n$ (often $δ = n^{- ω (1)}$ or cryptographically small), otherwise "release a uniformly random record with probability δ" satisfies (0, δ)-DP — clearly not private.

[!tip] Picking δ A common choice in DP-ML is $δ = 1 0^{- 5}$ for $n \approx 1 0^{6}$ users. The "δ should be sub-polynomial in n" heuristic is a safety check, not a theorem.

Privacy Loss Random Variable

For neighbors $D, D^{'}$ and output $y \sim M (D)$ , the privacy loss: $L_{M, D, D^{'}} (y) = lo g \frac{P r [ M ( D ) = y ]}{P r [ M ( D ^{'} ) = y ]}$

ε-DP says $∣ L ∣ \leq ε$ pointwise. (ε,δ)-DP can be characterized as: $Pr [L > ε] \leq δ$ in a certain sense (this is roughly the statement, modulo δ-on-both-sides subtleties).

This RV-based view is the gateway to Rényi DP, CDP, and f-DP.

Fundamental Properties

Post-Processing Immunity

If $M$ is (ε,δ)-DP and $f$ is any (possibly randomized) function on $Y$ , then $f \circ M$ is (ε,δ)-DP.

This is the most useful property in practice: once data is privatized, any downstream computation preserves the guarantee. No need to track privacy through ML training, plotting, summary tables, etc., as long as the original release was DP and no fresh data is touched.

Proof sketch: For any $S$ , $f^{- 1} (S)$ is measurable, then apply DP definition to that set.

Group Privacy

If $M$ is ε-DP and $D, D^{'}$ differ in $k$ records, then: $Pr [M (D) \in S] \leq e^{k ε} \cdot Pr [M (D^{'}) \in S]$

So DP degrades gracefully for correlated groups (families, social network ties) — but linearly in $k$ . For tightly correlated populations (e.g., genomes of identical twins), the effective privacy degrades by the correlation horizon.

This is the formal sense in which DP "fails" for correlated data — see Pufferfish Privacy for explicit correlation modeling.

Composition Theorems

[!note] Composition is the heart of DP accounting. Every released statistic, every gradient step, every query consumes privacy budget.

Basic (Sequential) Composition: If $M_{1}$ is $ε_{1}$ -DP and $M_{2}$ is $ε_{2}$ -DP (possibly adaptive on $M_{1}$ 's output), then their composition is $(ε_{1} + ε_{2})$ -DP.

Advanced Composition (Dwork–Rothblum–Vadhan 2010): $k$ adaptive $(ε, δ)$ -DP mechanisms compose to: $(2 k lo g (1/ δ^{'}) \cdot ε + k ε (e^{ε} - 1), k δ + δ^{'}) -DP$

The key gain: the $ε$ -term scales as $k$ instead of $k$ — a CLT-style improvement. Proof uses Azuma/martingale concentration on the privacy-loss RV.

Optimal Composition (Kairouz–Oh–Viswanath 2017): There is an exact formula for the tightest valid $(ε^{*}, δ^{*})$ after composing $k$ copies of $(ε, δ)$ -DP. The formula is #P-hard to compute exactly for heterogeneous compositions (Murtagh–Vadhan 2016), but tractable in homogeneous cases.

Parallel Composition: If $M_{i}$ acts on disjoint subsets of $D$ , the overall privacy is $max_{i} ε_{i}$ (no summation). Used in histogram releases.

[!tip] Why advanced composition matters for DP-SGD A training run of $T = 1 0^{5}$ steps with per-step $ε = 0.1$ would naively cost $ε_{total} = 1 0^{4}$ — useless. Advanced composition gives $\approx T \cdot 0.1 \cdot const \approx 30$ — still too high. Modern accountants (RDP, GDP, PRV) push this much lower.

Convexity

The set of DP mechanisms is closed under convex combinations: if $M_{1}, M_{2}$ are ε-DP and $p \in [0, 1]$ , then $p M_{1} + (1 - p) M_{2}$ is ε-DP. Useful for randomized mechanism selection but does NOT mean ε is preserved under data-dependent mixing.

Sensitivity & Basic Mechanisms

Global Sensitivity

For a query $f : X^{n} \to R^{d}$ : $Δ_{p} f = sup_{D \sim D^{'}} ∥ f (D) - f (D^{'}) ∥_{p}$

$Δ_{1}$ used for Laplace, $Δ_{2}$ for Gaussian. The sup is over the worst-case pair of neighbors — this is what makes DP a worst-case guarantee.

Examples:

Query	$Δ_{1}$
Count	1
Sum of values in $[0, M]$	$M$
Mean of values in $[0, M]$	$M / n$
Histogram (add/remove)	1
Histogram (replace)	2
Median	unbounded in general (use smooth sensitivity)

Laplace Mechanism

$M_{Lap} (D) = f (D) + (Y_{1}, \dots, Y_{d}), Y_{i} \sim Lap (Δ_{1} f / ε)$

where $Lap (b)$ has density $\frac{1}{2 b} e^{- ∣ x ∣/ b}$ .

Theorem: $M_{Lap}$ is ε-DP.

Proof is one line: the ratio of Laplace densities at $f (D) + y$ vs $f (D^{'}) + y$ is at most $e^{∥ f (D) - f (D^{'}) ∥_{1} / b} \leq e^{ε}$ .

Gaussian Mechanism

$M_{Gauss} (D) = f (D) + N (0, σ^{2} I_{d})$

Classical Theorem: $M_{Gauss}$ is $(ε, δ)$ -DP if $σ \geq \frac{Δ _{2} f \cdot 2 l o g ( 1.25/ δ )}{ε}$

for $ε \in (0, 1)$ . (The classical bound has a known gap; the Analytic Gaussian Mechanism of Balle–Wang 2018 gives tight $σ$ for any $ε$ .)

Mechanism	Privacy	Noise scale	Use when
Laplace	Pure ε-DP	$Δ_{1} / ε$	Low-dim, want pure DP
Gaussian	(ε,δ)-DP	$Δ_{2} 2 lo g (1/ δ) / ε$	High-dim, composes well

The Gaussian wins in high dimensions because $Δ_{2} \leq Δ_{1} \leq d Δ_{2}$ — the $ℓ_{2}$ sensitivity can be $d$ smaller.

Exponential Mechanism

For utility function $u : X^{n} \times Y \to R$ with sensitivity $Δ u = sup_{y, D \sim D^{'}} ∣ u (D, y) - u (D^{'}, y) ∣$ : $Pr [M_{Exp} (D) = y] \propto exp (\frac{ε \cdot u ( D , y )}{2Δ u})$

Theorem: ε-DP. Used for selecting from a discrete set (e.g., picking a "best" model, releasing a median, mechanism design).

Utility guarantee: with probability $\geq 1 - β$ , $u (D, M_{Exp} (D)) \geq OPT - \frac{2Δ u}{ε} (lo g ∣ Y ∣ + lo g (1/ β))$

[!note] Connection to Boltzmann/Gibbs measures The exponential mechanism is just the Gibbs distribution at temperature $T = 2Δ u / ε$ over utilities. This is not coincidental: see McSherry–Talwar 2007 for the connection to mechanism design, where the exponential mechanism gives approximately truthful mechanisms because the player's gain from misreporting is bounded by their privacy loss.

This last point is exactly relevant to your work: DP gives a clean notion of "approximate truthfulness" for free, since changing one's report changes one's output by at most $e^{ε}$ .

Randomized Response

The original DP mechanism (Warner 1965, predating the formalism by 40 years). For a yes/no question:

With probability $p > 1/2$ , answer truthfully.
With probability $1 - p$ , flip a fair coin and answer.

This is $lo g \frac{p}{1 - p}$ -DP at the individual level. Foundational for Local DP.

Sparse Vector Technique (SVT)

Answers a stream of threshold queries $f_{i} (D) ≷ T$ but only pays privacy for the YES answers.

Algorithm: Add noise to the threshold $T$ once, then add fresh noise to each $f_{i} (D)$ . Output "above" if noisy $f_{i}$ exceeds noisy $T$ ; stop after $c$ "above"s.

Privacy: $(ε, 0)$ -DP with budget independent of the number of NO answers — pay only for $c$ above-threshold answers. Foundational for monitoring rare events.

[!question] Why is SVT subtle? The original "improvements" in literature were buggy: Lyu–Su–Li (2017) catalog six wrong variants in published papers, including the original textbook version. Always verify SVT proofs carefully.

Refined Privacy Notions

The classical $(ε, δ)$ definition has poor compositional properties (need messy advanced composition). Modern variants give tighter accounting.

Concentrated DP (CDP)

Dwork–Rothblum 2016: A mechanism is $ρ$ -CDP if the privacy loss RV has subgaussian tails. More precisely, for all $λ > 0$ : $E [e^{λ L}] \leq e^{λ^{2} ρ /2}$

Zero-Concentrated DP (zCDP) (Bun–Steinke 2016): Defined via Rényi divergence (see below). Equivalent characterizations.

Composition is additive in $ρ$ : $k$ mechanisms with $ρ_{i}$ compose to $\sum ρ_{i}$ . No $k$ tricks needed.

Conversion: $ρ$ -zCDP $\Rightarrow$ $(ρ + 2 ρ lo g (1/ δ), δ)$ -DP.

Rényi Differential Privacy (RDP)

Mironov 2017: Defined via Rényi divergence: $D_{α} (P ∥ Q) = \frac{1}{α - 1} lo g E_{x \sim Q} [(\frac{P ( x )}{Q ( x )})^{α}]$

$M$ is $(α, ε)$ -RDP if for all $D \sim D^{'}$ : $D_{α} (M (D) ∥ M (D^{'})) \leq ε$ .

Key properties:

$α = 1$ : KL divergence
$α = \infty$ : max divergence = pure DP
Composition: additive in $ε$ at fixed $α$
Gaussian mechanism: $(α, α Δ_{2}^{2} / (2 σ^{2}))$ -RDP for all $α > 1$

This last identity is huge: it gives closed-form RDP for Gaussian, which makes RDP the dominant accounting framework for DP-SGD.

Conversion: $(α, ε)$ -RDP $\Rightarrow$ $(ε + lo g (1/ δ) / (α - 1), δ)$ -DP for any $δ > 0$ . Optimize over $α$ .

f-Differential Privacy / Gaussian DP

Dong–Roth–Su 2019: Define DP directly via the hypothesis-testing tradeoff.

For trade-off function $f : [0, 1] \to [0, 1]$ with $f (α) =$ optimal type-II error at type-I error $α$ , mechanism is $f$ -DP if its testing tradeoff curve dominates $f$ .

Gaussian DP: special case where $f = G_{μ}$ is the tradeoff curve of $N (0, 1)$ vs $N (μ, 1)$ . A mechanism is $μ$ -GDP if its tradeoff dominates this Gaussian curve.

Central Limit Theorem for DP: Compositions converge to Gaussian DP — composition of $T$ mechanisms each $μ_{i}$ -GDP gives $\sum μ_{i}^{2}$ -GDP. This is the cleanest composition theorem in DP.

Notion	Composition	Mechanism characterization	Tightness
$(ε, δ)$ -DP	Advanced composition (lossy)	Original	Loose under composition
zCDP / RDP	Additive	Closed-form for Gaussian	Tight for Gaussian
$f$ -DP / GDP	"Hockey-stick" or CLT	Tight via tradeoff function	Tightest known
PRV accountant	Numerical	Privacy Loss Distribution	Numerically tight

Privacy Loss Distribution (PLD) Accountants

Koskela–Jälkö–Honkela 2020, Gopi–Lee–Wutschitz 2021: Numerically track the entire distribution of $L_{M}$ , then compose via FFT-based convolution. Currently the tightest practical accountant, used in Opacus and TF-Privacy.

Local Differential Privacy

Local DP

Mechanism $M : X \to Y$ is ε-LDP if for all $x, x^{'} \in X$ , all $S$ : $Pr [M (x) \in S] \leq e^{ε} Pr [M (x^{'}) \in S]$ .

Each user perturbs their own data before sending. No trusted aggregator needed.

Tradeoff: LDP requires $Ω (n)$ more samples than central DP for the same accuracy (Duchi–Jordan–Wainwright 2013). The information-theoretic price of removing the trusted curator.

Implementations:

Google's RAPPOR (Erlingsson–Pihur–Korolova 2014): Chrome telemetry. Uses randomized response on Bloom filters.
Apple iOS: Emoji counts, Safari crash reports. Used ε per query of 1–4, with potentially thousands of queries — controversial.
Microsoft: Windows telemetry.

Shuffle DP

Cheu–Smith–Ullman–Zeber–Zhilyaev 2019: Intermediate trust model — users add LDP noise, a shuffler anonymizes, then aggregation.

Amplification by shuffling: A user's $ε_{LDP}$ becomes $\approx ε_{LDP} / n$ in the central view. Closes much of the LDP–central gap without a fully trusted curator.

DP in Machine Learning

DP-SGD

Abadi–Chu–Goodfellow–McMahan–Mironov–Talwar–Zhang 2016: The dominant approach to training DP models.

for batch in batches:
    grads = []
    for x in batch:
        g = compute_per_example_gradient(x)
        g = g * min(1, C / ||g||_2)   # per-example clipping
        grads.append(g)
    g_sum = sum(grads)
    g_sum = g_sum + N(0, sigma^2 * C^2 * I)   # Gaussian noise
    theta = theta - lr * g_sum / batch_size

Key ingredients:

Per-example gradient clipping to bound $Δ_{2}$ to $C$
Gaussian noise scaled to $C$ for $(ε, δ)$ -DP
Privacy amplification by subsampling: a $(ε, δ)$ -DP mechanism applied to a $q$ -Poisson-subsample of $D$ is $(O (q ε), q δ)$ -DP for small $ε$ (Beimel et al. 2014, Balle et al. 2018)
RDP accounting across steps

Practical reality: Strong DP guarantees ( $ε \leq 1$ ) cost ~10-20% accuracy on ImageNet-scale tasks (De et al. 2022, Berrada et al. 2023). Recent work (Sander et al., Bu et al.) closes much of this gap via large batches, foundation-model fine-tuning, and architectural choices (group normalization beats batch normalization).

Privacy Amplification

Technique	Amplification	Reference
Subsampling	$ε \to O (q ε)$ at rate $q$	Beimel et al. 2014
Shuffling	$ε \to O (ε lo g (1/ δ) / n)$	Erlingsson et al. 2019
Iteration (PABI)	Decaying $ε$ under strong convexity	Feldman–Mironov–Talwar–Thakurta 2018

PATE

Papernot et al. 2017: Privacy-preserving aggregation of teachers. Train $k$ models on disjoint partitions, aggregate predictions via noisy voting, distill into a student. Achieves strong privacy because individual records affect only one teacher, and the noisy aggregation provides DP.

Theoretical Foundations

Reconstruction Attacks

Dinur–Nissim 2003 (pre-DP, motivating the field): Releasing $O (n)$ subset-sum queries with noise $o (n)$ allows reconstructing $\geq (1 - o (1))$ fraction of the database. This is the fundamental lower bound that forces $Ω (n)$ noise per query in any private mechanism.

Generalized to: Bun–Ullman–Vadhan 2014, Dwork–Smith–Steinke–Ullman 2017 — modern "fingerprinting codes" give tight lower bounds.

The Census 2020 redistricting controversy was downstream of this: the Census reconstruction attack by Garfinkel et al. showed that the 2010 SF1 summary file allowed reconstruction of microdata for $\approx 50%$ of US population — driving the move to DP for 2020.

Sample Complexity Lower Bounds

For ε-DP estimation of a $d$ -dim parameter:

Mean estimation: $n = Ω (d / ε)$ for $(ε, δ)$ -DP
Histogram release: $n = Ω (lo g ∣ X ∣/ ε)$ for $(ε, 0)$ -DP
PAC learning: $n = Ω (VCdim (H) / ε)$ for proper learning

Pure ε-DP often costs an extra $lo g ∣ X ∣$ vs $(ε, δ)$ — this is one of the main reasons to admit small δ.

DP and Generalization

Dwork–Feldman–Hardt–Pitassi–Reingold–Roth 2015: If a model is selected from a $(ε, δ)$ -DP procedure, then its empirical and population losses are close with high probability. This is the foundation of adaptive data analysis:

[!note] DP $\Rightarrow$ Generalization If a hypothesis $\hat{h}$ is output by a $(ε, δ)$ -DP algorithm with $ε \leq α /4$ , $δ \leq α β /8$ , then $∣ \hat{L} (\hat{h}) - L (\hat{h}) ∣ \leq α$ w.p. $\geq 1 - β$ .

DP gives a stability-based generalization bound that survives adversarial query reuse — this is what makes DP relevant outside privacy proper, e.g., for safely re-using validation sets.

This is also why DP is sometimes proposed as a route to robust statistics and even safety: DP-trained models are by construction less sensitive to individual training points.

Variants & Extensions

Pufferfish Privacy

Kifer–Machanavajjhala 2014: Generalizes DP to handle:

Secrets $S$ : discriminating pairs of facts to hide
Discriminative pairs $Q$ : which secrets are sensitive
Data evolution model $Θ$ : distribution over inputs (handles correlations)

A mechanism is $ε$ -Pufferfish if for all $s_{i}, s_{j} \in S$ in $Q$ and all priors $θ \in Θ$ : $e^{- ε} \leq \frac{P r [ M ( D ) = y ∣ s _{i} , θ ]}{P r [ M ( D ) = y ∣ s _{j} , θ ]} \leq e^{ε}$

DP is recovered as the Pufferfish instance where secrets = "record $i$ takes value $v$ " and the data model is i.i.d. Pufferfish gives the correct notion for correlated/sequential data.

Geo-Indistinguishability

Andrés–Bordenabe–Chatzikokolakis–Palamidessi 2013: DP variant for location data, where neighboring datasets are replaced by neighboring points in $R^{2}$ . A mechanism is $ε$ -geo-indistinguishable if for all locations $x, x^{'}$ with $∥ x - x^{'} ∥ \leq r$ : $Pr [M (x) \in S] \leq e^{ε r} Pr [M (x^{'}) \in S]$

Implemented via planar Laplace noise. Used in Apple Maps and several research systems.

Distributed/Federated DP

Federated learning naturally pairs with DP to give two layers of protection. Two variants:

Central DP under FL: Server adds noise to aggregated gradients (still needs trusted server).
Local DP per client: Each client adds noise; needs aggregation tricks (secure aggregation + DP) to recover utility.

Combination with secure aggregation (cryptographic MPC) lets the server see only the noisy sum, getting central-DP utility with local-DP trust.

DP, Mechanism Design & Game Theory

[!note] Direct link to your research DP is mechanism design under a specific objective (privacy as a property of the mechanism), and the proof techniques migrate in both directions.

Privacy as Approximate Truthfulness

McSherry–Talwar 2007: If $M$ is $ε$ -DP and an agent's utility is bounded in $[- 1, 1]$ , then for any agent $i$ and any misreport $x_{i}^{'}$ : $E [u_{i} (M (D))] \geq e^{- ε} \cdot E [u_{i} (M (D_{- i}, x_{i}^{'}))]$

So any ε-DP mechanism is approximately dominant-strategy truthful with multiplicative slack $e^{ε}$ . Exponential mechanism thereby gives a generic approach to approximately truthful mechanism design.

This is significantly weaker than VCG (it's $e^{ε}$ -truthful, not exactly truthful), but it gives truthfulness in settings VCG cannot handle — e.g., when payments cannot be assumed or there are no transferable utilities.

Joint Differential Privacy

Kearns–Pai–Roth–Ullman 2014: Allows agent $i$ 's own output to depend strongly on their input (e.g., they receive their allocation), but the joint output to others is DP in $i$ . This is the right notion for matching markets, congestion games, and large-game equilibrium computation.

Application: JDP mechanisms compute approximate correlated equilibria of large anonymous games. Connection point with your mechanism-design-for-AI-cooperation work: in multi-agent settings with strategic LLM agents, JDP might be the right notion of "private mechanism" since each agent observes its own action recommendation.

Mechanism Design via DP

Nissim–Smorodinsky–Tennenholtz 2012: Use DP to compute approximate equilibria in digital goods auctions, matching with constraints, and facility location when exact truthful mechanisms don't exist.

The pattern: DP gives mechanisms that are robust to a single agent's misreport, which is essentially the definition of approximate strategyproofness. This trade — privacy for truthfulness — is a candidate framework for incentive-compatible AI agent protocols under your Cooperation Gap framework, where contractual incompleteness already forces approximate guarantees.

[!tip] Speculative connection to your work Your Irreducibility Theorem shows that mechanisms cannot fully substitute for $λ$ -cooperative preferences under contractual incompleteness. DP-style approximate truthfulness might be exactly the right quantitative refinement: ask whether $ε$ -DP mechanisms close the gap up to $O (ε)$ utility loss. This would parallel the way "smoothed analysis" gave a quantitative refinement to worst-case complexity.

Practical Realities & Critiques

What does ε mean in practice?

ε has no universally agreed semantics. Common heuristics:

ε ≤ 1: Strong privacy, recommended by Dwork.
ε ∈ [1, 10]: "Moderate," used in DP-SGD ML papers.
ε > 10: Effectively no meaningful pure-DP guarantee, though some hypothesis-testing interpretation remains.

Apple's per-query ε of 4–8: Defensible only because of (a) bounded query rate and (b) the use of LDP, where one bad query cannot fully leak any user.

Census 2020 PLB: Privacy Loss Budget per geographic level — different for total, P1, P2, … (P1 = sex by age, P2 = race, etc.) Total ε across all queries is small per person but compositional accounting is fragile.

Critiques

Tao Xu, Lin Liu et al.: DP guarantees rely on the worst-case adversary, but real adversaries may be weaker — DP overcorrects in some settings.
Cynthia Dwork on δ: "δ is a probability of completely embarrassing failure" — needs to be cryptographically small.
Kohli–Laskowski 2018: Survey participants don't understand ε; "differential privacy" becomes marketing.
Bagdasaryan–Poursaeed–Shmatikov 2019: DP-SGD has disparate impact — minorities suffer larger accuracy loss because their data is more "atypical" and gets clipped/noised more.

[!question] Open question Is there a notion of group-fair DP that controls per-subgroup accuracy loss? Recent work by Yaghini, Mironov et al. on "individual privacy accounting" partially addresses this.

Drawbacks

Worst-case sensitivity often dominates noise scale; smooth/local sensitivity helps but is harder to use.
Strong assumption: single-record sensitivity is the right unit. Households, time-series, social networks break this.
Hard to set ε from first principles (privacy budget allocation is an art).
Composition can quickly exhaust budget; once $ε$ is spent, you cannot re-query.

Connections & Further Reading

Robust Statistics: DP estimators are automatically robust to single-point contamination; explicit connection via the "propose-test-release" framework (Dwork–Lei 2009).
Stability and Generalization: DP $\subseteq$ "perfect stability" in the sense of Bousquet–Elisseeff.
Mechanism Design: Approximate truthfulness via exponential mechanism; JDP for large games.
Information Theory: Hypothesis-testing tradeoff function $f$ -DP makes the connection to Le Cam–style le bounds explicit.
Cryptography: DP $\neq =$ secure computation. MPC + DP gives strongest joint guarantee. The "shuffle model" is essentially a weak MPC primitive.
Algorithmic Fairness: Some tensions (disparate impact of DP-SGD) and some synergies (DP as a form of stability that helps generalize fairness constraints).
Pufferfish Privacy: The right generalization for correlated data (genomes, time series, networks).
Your Cooperation Gap framework: DP-style $ε$ -truthfulness may give a quantitative version of "how close can mechanisms get to substituting cooperation" under contractual incompleteness.

Key References

Dwork–Roth 2014: The Algorithmic Foundations of Differential Privacy — the canonical monograph.
Vadhan 2017: The Complexity of Differential Privacy — theoretical survey.
Near–Abuah 2021: Programming Differential Privacy — applied/computational perspective.
Mironov 2017 (RDP), Bun–Steinke 2016 (zCDP), Dong–Roth–Su 2019 (f-DP) — modern accounting trio.
Abadi et al. 2016 — DP-SGD.
McSherry–Talwar 2007 — DP in mechanism design.