Longitudinal attacks against iterative data collection with local differential privacy

Abstract

Local differential privacy (LDP) has recently emerged as an accepted standard for privacy -preserving collection of users' data from smartphones and IoT devices. In many practical scenarios, users' data needs to be collected repeatedly across multiple iterations. In such cases, although each collection satisfies LDP individually by itself, a longitudinal collection of multiple responses from the same user degrades that user's privacy. To demonstrate this claim, in this paper, we propose longitudinal attacks against iterative data collection with LDP. We formulate a general Bayesian adversary model, and then individually show the application of this adversary model on six popular LDP protocols: GRR, BLH, OLR, RAPPOR, OUE, and SS. We experimentally demonstrate the effectiveness of our attacks using two metrics, three datasets, and various privacy and domain parameters. The effectiveness of our attacks highlights the privacy risks associated with longitudinal data collection in a practical and quantifiable manner and motivates the need for appropriate countermeasures.