Protecting information about individual users
Differential privacy is an approach used to share statistical and aggregate data about users while limiting the amount of information disclosed about any individual user. Differential privacy is built into your DCN and helps you keep individual records private when collaborating with partners.
Differential privacy protections apply to incoming matches. They help prevent your match partners from learning information about individual records when your DCN shares aggregated information related to the outcome of a match.
Your DCN's differential privacy capabilities cannot protect the privacy of individual records shared outside of your DCN. Therefore you should avoid sharing exported identity cluster records, or disclosing information about individual users outside of the Optable platform.
Unless you've explicitly disabled differential privacy protection for a partner in the Differential Privacy UI, your DCN automatically adds noise to incoming secure match request results before sharing them with the partner.
The amount of noise added to each request result is sampled from a probability distribution such that the exact result is adjusted by some number between -300 and +300 for more than 99.5% of the requests. The accuracy of the noisy result will therefore be more significantly impacted for smaller match sizes (e.g., at most +/- 3% for match sizes in the order of 10 000, for more than 99% of requests).
Example: Your DCN receives a match request from one of your partners. Once the match completes you find out that you have matched on 10 000 identifiers. The partner initiating the match is shown a noisy result, such as 10 203 identifiers, whereas you will have access to both the noisy (10 203) and exact (10 000) results.
When receiving a secure match from a partner and once your DCN has added noise to the number of matched identifiers, the result is compared to a configured threshold number and, when below the threshold, the noisy result is replaced with a placeholder value prior to being shared with the partner. The placeholder value indicates that the result is below a threshold value, without revealing the real result. This makes it impossible for the partner to know whether the result is zero or some small number below the configured threshold.
Example: Your DCN receives a match request from one of your partners. Once the match completes you find out that you have matched 238 identifiers. The partner initiating the match is shown the placeholder result "< 3000", indicating that the actual matched number is between 0 and 2999. You will have access to both the exact (238) and thresholded (< 3000) results.
The privacy budget helps you limit the amount of information about audiences that you share with your partners during a 30 day window. By default, each connected partner is assigned a budget of 20 000 privacy points to begin with. Each time a secure match is received from the partner and noise is added to the result shared, your DCN calculates a privacy cost associated with the operation and deducts this cost from the remaining privacy budget associated with the partner.
The Differential Privacy UI in your DCN allows you to visualize and track the consumed privacy budgets associated with your partners, and warns you when you've depleted budgets and are at risk of leaking information about individuals to your partners.
Finally, as the audience data in your DCN changes, debited privacy points are automatically replenished to a partner's associated privacy budget within 30 days following each debit operation. Points replenishment is visible from within the Differential Privacy UI.
The Differential Privacy UI in your DCN allows you to disable or enable automatic noise and thresholding, as well as configure the minimum threshold value associated with each connected partner.
$ optable-cli settings update --differential-privacy-threshold=3000
$ optable-cli partner update <id> \