Recent studies show that differential privacy is vulnerable when different individuals' data in the dataset are correlated, and that there are many cases in which differential privacy implies poor utility. To address these two weaknesses, we traced the origin of differential privacy back to Dalenius' goal, a more rigorous privacy measure. We formalized Dalenius' goal using Shannon's perfect secrecy and set out to achieve it with better utility. Our first result is that, if the independence assumption holds, then differential privacy is equivalent to Dalenius' goal, where the independence assumption states that each adversary has no knowledge of the correlation among different individuals' data in the dataset. This implies that the security of differential privacy rests on the independence assumption. Since the independence assumption is impractical, we introduced a new, practical assumption: if the dataset is large enough, each adversary is ignorant of some of the data in it. Under this assumption, Dalenius' goal can be achieved with better utility. Furthermore, we proved a useful result that allows results and techniques from information theory to be transplanted into data privacy protection. We then proved that several basic privacy mechanisms/channels satisfy Dalenius' goal, namely the randomized response, the exponential, and the Gaussian privacy channels, which are the respective counterparts of the randomized response, the exponential, and the Gaussian mechanisms of differential privacy. Moreover, the group and composition properties were also proved. Finally, using Yao's computational information theory, we extended our model to the computationally bounded case.
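The first sentence's claim, that an ε-differentially private release leaks when records are correlated, can be made concrete with a small calculation. The following is an added illustration, not code or a result from the paper: a Laplace-noised count over n binary records (which is ε-DP with sensitivity 1 whatever the correlation), a constructed dataset in which all records are equal, and constructed parameters n = 100, ε = 0.1. Under the independence assumption the likelihood ratio an adversary obtains about a single record x_1 stays within [e^(-ε), e^ε], the usual DP bound; when the adversary knows the records are fully correlated, the same release drives that ratio to e^(εn) and identifies x_1 with error probability e^(-εn/2)/2.

```python
"""Added example (not from the paper): an eps-DP noisy count under
independent versus fully correlated records.

Mechanism: release y = sum(x_i) + Laplace(0, 1/eps) over n binary records.
Sensitivity is 1, so the mechanism is eps-differentially private regardless
of how the records are correlated. What correlation changes is how much an
adversary learns about one record x_1 from y.
"""
import math


def laplace_pdf(y: float, mu: float, b: float) -> float:
    """Density of Laplace(mu, b) at y."""
    return math.exp(-abs(y - mu) / b) / (2 * b)


def likelihood_ratio_independent(y: float, n: int, eps: float, p: float) -> float:
    """P(y | x_1 = 1) / P(y | x_1 = 0) under the independence assumption:
    the adversary models the other n-1 records as i.i.d. Bernoulli(p),
    independent of x_1, and marginalises over their count k ~ Binomial(n-1, p).
    Each pair of terms differs by a neighbouring-dataset shift of 1, so the
    ratio is bounded by e^eps from above and e^-eps from below."""
    b = 1.0 / eps
    num = den = 0.0
    for k in range(n):
        w = math.comb(n - 1, k) * p**k * (1 - p) ** (n - 1 - k)
        num += w * laplace_pdf(y, k + 1, b)  # x_1 = 1 -> true count k + 1
        den += w * laplace_pdf(y, k, b)      # x_1 = 0 -> true count k
    return num / den


def likelihood_ratio_fully_correlated(y: float, n: int, eps: float) -> float:
    """Same ratio when the adversary knows x_1 = x_2 = ... = x_n (constructed
    worst case): the true count is either 0 or n, and the ratio is
    exp(eps * (|y| - |y - n|)), i.e. e^(eps*n) at y = n."""
    b = 1.0 / eps
    return laplace_pdf(y, n, b) / laplace_pdf(y, 0, b)


def dp_odds_bound(eps: float) -> float:
    """Factor by which eps-DP bounds the likelihood ratio for one record
    when the remaining records are fixed or independent of it."""
    return math.exp(eps)


def error_prob_fully_correlated(n: int, eps: float) -> float:
    """Error probability of the adversary who guesses x_1 = 1 iff y > n/2 in
    the fully correlated case: P(Laplace(0, 1/eps) exceeds n/2) = e^(-eps*n/2)/2.
    By symmetry this is the error for either true value of x_1."""
    return 0.5 * math.exp(-eps * n / 2)


if __name__ == "__main__":
    n, eps, p = 100, 0.1, 0.5  # constructed parameters
    print(f"DP bound on likelihood ratio: e^eps = {dp_odds_bound(eps):.4f}")
    for y in (0.0, 37.5, 50.0, 100.0):
        ind = likelihood_ratio_independent(y, n, eps, p)
        cor = likelihood_ratio_fully_correlated(y, n, eps)
        print(f"y={y:6.1f}  independent: {ind:8.4f}   fully correlated: {cor:12.2f}")
    print(f"adversary error, fully correlated: {error_prob_fully_correlated(n, eps):.5f}")
```

The point the numbers make is the one the abstract states: the DP guarantee is a statement about neighbouring datasets, so an adversary whose background knowledge ties the records together is outside the model, and the ε bound says nothing about what that adversary learns.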