HTF: Homogeneous Tree Framework for Differentially Private Release of Large Geospatial Datasets with Self-tuning Structure Height

2.1 Differential Privacy

Consider two databases \(\mathcal {D}\) and \(\mathcal {D}^{\prime }\) that differ in a single record t, i.e., \(\mathcal {D}^{\prime }=\mathcal {D}\bigcup \lbrace t\rbrace\) or \(\mathcal {D}^{\prime }=\mathcal {D}\backslash \lbrace t\rbrace\). D and \(D^{\prime }\) are commonly referred to as neighboring or sibling.

Parameter \(\epsilon\) is referred to as privacy budget. \(\epsilon\)-DP requires that the output S obtained by executing mechanism \(\mathcal {A}\) does not significantly change by adding or removing one record in the database. Thus, an adversary is not able to infer with significant probability whether an individual’s record was included or not in the database.

There are two common methods to achieve differential privacy: the Laplace mechanism (LM) and the EM. Both approaches are closely related to the concept of sensitivity, which captures the maximal difference achieved in the output by adding or removing a single record from the database.

2.2 Problem Formulation

Consider a two-dimensional location dataset D discretized to an arbitrarily fine \(N\times M\) grid. Each point is represented by its corresponding rectangular cell in the grid. We study the problem of releasing DP-compliant histograms to answer count queries as accurately as possible. Cell counts are modeled via an \(N\times M\) frequency matrix, in which the entry in the \(i{\text{th}}\) row and \(j{\text{th}}\) column represents the number of records located inside cell \((i,j)\) of the grid.

A DP histogram is generated based on a non-overlapping partitioning of the frequency matrix by applying methods to preserve \(\epsilon\)-DP. The DP histogram consists of the boundary of partitions and their noisy counts, where each partition consists of a group of cells.

Let us denote the total count of a partition with q cells by c and its noisy count by \(\overline{c}\). There are two sources of error in answering a query. The first is referred to as noise error, which is due to Laplace noise added to the partition count. The second source of noise is referred to as uniformity error and arises when a query has partial overlap with a partition. An assumption of uniformity is made within the partition, and the answer per cell is calculated as \(\overline{c}/q\).

For example, consider the \(3\times 3\) grid shown in Figure 2(a), where each count represents the number of data points in the corresponding cell. The cells are grouped in four partitions \(C_1\), \(C_2\), \(C_3\), and \(C_4\), each entailing \(0,\, 12,\, 4,\) and 2 data points, respectively. Independent noise with the same magnitude is added to each partition’s count denoted by \(n_1\), \(n_2\), \(n_3\), and \(n_4\), and released to the public as a DP histogram. The result of the query shown by the dashed rectangle can be calculated as \((12+n_2)/4 + (2+n_4)/2\).

Fig. 2.

View Figure

In the past, several approaches have been developed for Problem 1. Still, current solutions have poor accuracy, which limits their practicality. Some methods tend to perform better when applied to specific datasets (e.g., uniform) and quite poorly when applied to others. Limitations of existing work have been thoroughly evaluated in Reference [14], and we review them in Section 8.

4.1 Homogeneity-based Partitioning

Previous approaches that used kd-tree variations for DP-compliant indexes preserved the original split heuristics of the kd-tree, namely, node splits were performed on either median or average values of the enclosed data points. To preserve DP, the split positions were computed using the exponential mechanism (Section 2), which computes a merit function for each candidate split. However, such an approach results in poor query accuracy [14].

We propose homogeneity as the key factor for guiding splits in the HTF index structure. This decision is based on the observation that if all data points are uniformly distributed within a node, then the uniformity error that results when intersecting that node with the query range is minimized. At each index node split, we aim to obtain two new nodes with a high degree of intra-node density homogeneity. Of course, since the decision is data-dependent, the split point must be computed in a DP-compliant fashion.

For a given node of the tree, suppose that the corresponding partition covers \(U\times V\) cells of the \(N\times M\) grid (i.e., frequency matrix), in which the count of data points located in its \(i{\text{th}}\) row and \(j{\text{th}}\) column is denoted by \(c_{ij}\). Without loss of generality, we discuss the partitioning method w.r.t. the horizontal axis (i.e., rows). The aim is to find an index k that groups rows 1 to k into one node and rows \(k+1\) to U into another, such that homogeneity is maximized within each of the resulting nodes (we also refer to resulting nodes as clusters). We emphasize that the input grid abstraction is used to obtain a finite set of candidate split points. This is different than alternate approaches that use grids to obtain DP-compliant releases. Furthermore, the frequency matrix can be arbitrarily fine-grained, so discretization does not impose a significant constraint.

The proposed split objective function is formally defined as (5) \(\begin{align} o_{k} = \sum _{i\texttt {=}1}^k \sum _{j\texttt {=}1}^V |c_{ij} - \mu _1| + \sum _{i\texttt {=}k+1}^U \sum _{j\texttt {=}1}^V |c_{ij} - \mu _2|, \end{align}\) where (6) \(\begin{equation} \mu _1 = \dfrac{\sum _{i\texttt {=}1}^k \sum _{j\texttt {=}1}^V c_{ij} }{k\times V},\;\;\;\;\;\; \mu _2 = \dfrac{\sum _{i\texttt {=}k+1}^U \sum _{j\texttt {=}1}^V c_{ij}}{(U-k)\times V}. \end{equation}\)

The optimal index \(k^*\) minimizes the objective function, (7) \(\begin{equation} k^* = \arg \min _{k}\;\; o_{k}. \;\;\; \end{equation}\)

Consider the example in Figure 2(b) and the partitioning conducted for node \(B_1\). There exist three possible ways to split rows of the frequency matrix: (i) separate the top row of cells resulting in clusters {[0,0]} and {[3,3],[3,3]} yielding the objective value of zero in Equation (5); (ii) separate the bottom row of cells resulting in two clusters {[0,0],[3,3]} and {[3,3]} yielding the objective value of 6, or (iii) no division is performed, yielding the objective value of 8. Therefore, the proposed algorithm will select the first option (\(k^*\,\texttt {=}\,2\)), generating two nodes \(C_1\) and \(C_2\).

Note that the value of \(k^*\) is not private, since individual location data were used in the process of calculating the optimal index. Hence, a DP mechanism is required to preserve privacy. Thus, we need to assess the sensitivity of \(k^*\), which represents the maximum change in the split coordinate that can occur when adding or removing a single data point. The sensitivity calculation is not trivial, since a single data point can cause the optimal split to shift to a new position far from the non-private value. Another challenge is that the exponential mechanism, commonly used in literature to select candidates from a set based on a cost function, tends to have high sensitivity, resulting in low accuracy.

4.1.2 Optimized Split Point Selection.

We propose an optimization that aims to minimize the number of split point candidate evaluations required, and searches for a local minimum rather than the global one. Algorithm 1 outlines the approach for a single split step along the y-axis (i.e., row split). Inputs to Algorithm 1 include (i) the frequency matrix \(F_{U\times V}\) of the parent node, (ii) the total budget allocated for the partitioning per level of the tree \(\epsilon _{\text{prt}}^{\prime }\), and (iii) variable T, which bounds the maximum number of objective function computations—a key factor indicating the extent of search, and thus of the budget per operation. The proposed approach is essentially a search tree, determining the candidate split to minimize the objective function’s output. The search starts from a wide range of candidates and narrows down within each interval until reaching a local minimum, similar to a binary search.

Let \(\lbrace l,\ldots ,r\rbrace\) represent the index range where the search is conducted, initially set to the first and last possible index of the input frequency matrix. At every iteration of the main “for” loop, the search interval is divided into four equal length sub-intervals, including three inner points and two boundary point. The inner points are referred to as split indices. The objective function is calculated for each of these candidates, and perturbed using Laplace noise to satisfy DP. The split corresponding to the minimum value is chosen as the center of the next search interval, and its immediate “before” and “after” split positions are assigned as the updated search boundaries l and r). Hence, in every iteration, two new computations of the objective function are performed, except the first run, which has a single computation. Therefore, the total number of private evaluations sums to \((2T+1)\) each perturbed with the privacy budget of \(\epsilon _{\text{prt}}^{\prime \prime } = \epsilon _{\text{prt}}^{\prime }/(2T+1)\).

4.2 HTF Index Structure Construction

Our proposed HTF index structure is built in accordance to the split point selection algorithm introduced in Section 4.1. The HTF construction pseudocode is presented in Algorithm 2. Each node stores the rectangular spatial extent of the node (node.region), its children (node.left and node.right), real data count (node.count), noisy count (node.ncount), and the node’s height in the tree.

The root of the tree represents the entire data domain (\(N\times M\) frequency matrix) and its height is denoted by h. Deciding the height of the tree is a challenging task: a large height will result in a smaller amount of privacy budget per level, whereas a small one does not provide sufficient granularity at the leaf level, decreasing query precision. We estimate an advantageous height value using a small amount of budget (\(\epsilon _{\text{height}}\)) to perturb the total number of data records based on the Laplace mechanism, (14) \(\begin{equation} \overline{|D|} = |D| + Lap(1/\epsilon _{\text{height}}). \end{equation}\) Next, we set the height to (15) \(\begin{equation} h = \log _2{\left(\dfrac{\overline{|D|} \epsilon _{\text{tot}}}{10}\right).} \end{equation}\)

The formula is motivated by the work in Reference [23]. The authors show that when data are uniformly distributed in space, using a grid with a lower granularity of \(\textstyle \sqrt {\tfrac{\overline{|D|} \epsilon _{\text{tot}}}{c_0}}\times \sqrt {\tfrac{\overline{|D|} \epsilon _{\text{tot}}}{c_0}}\) improves the mean relative error, where the value of constant \(c_0\) is set to 10 experimentally. We emphasize that the approach does not indicate that the number of leaves on the tree is \(\textstyle \dfrac{\overline{|D|} \epsilon _{\text{tot}}}{c_0}\), but the information contained in this number is merely used as an estimator of the tree’s height. This estimation is formally characterized in Reference [14] and referred to as scale-epsilon exchangeability property. The intuition is that the error due to decreasing the amount of budget used for the estimation is offset by having a larger number of data points in the entire dataset.

The last input to the algorithm is the budget allocated per level of the partitioning tree. We use uniform budget allocation to allocate the budget between levels denoted as \(\epsilon _{\text{prt}}^{\prime }= \epsilon _{\text{prt}}/h\).

Starting from the root node, the proposed algorithm recursively creates two child nodes and decreases height by one. This is done by splitting the underlying area of the node into two hyperplanes based on Algorithm 1. The division is done on the y dimension if the current height is an even number and in the x dimension otherwise. The algorithm continues until reaching the minimum height of zero, or to a point where no further splitting is possible.

4.3 Leaf Node Count Perturbation

Once the HTF structure is completed, the final step of our algorithm is to release DP-compliant counts for index nodes, so that answers to queries can be reconstructed from the noisy counts. The total partitioning budget adds up to \(\epsilon _{\text{height}}+ \epsilon _{\text{prt}}\), where \(\epsilon _{\text{height}}\) was used to estimate the tree height and \(\epsilon _{\text{prt}}\) budget to generate the private partitioning tree. The data perturbation step uses the remaining \(\epsilon _{\text{data}}\) amount of budget and releases node counts according to the Laplace mechanism.

One can choose various strategies to release index node counts. At one extreme, one can simply release a noisy count for each index node; in this case, the budget must be shared across nodes on the same path (sequential composition), and can be re-used across different paths (parallel composition). This approach has the advantage of simplicity, and may do well when queries exhibit large variance in size—it is well-understood that when perturbing large counts, the relative error is much lower, since the Laplace noise magnitude only depends on sensitivity, and not the actual count.

However, in practice, queries tend to be more localized, and one may want to allocate more budget to the lower levels of the structure, where the actual counts are smaller, thus decreasing relative error. In fact, as another extreme, one can concentrate the entire \(\epsilon _{\text{data}}\) on the leaf level. However, doing so can also decrease accuracy, since some leaf nodes have very small real counts.

Our approach takes a middle ground, where the available \(\epsilon _{\text{data}}\) is spent to (i) determine which nodes to publish and (ii) ensure sufficient budget remains for the noisy counts. Specifically, we publish only leaf nodes, but these are not the same leaves returned by the structure construction algorithm. Instead, we perform an additional pruning step, which uses the noisy counts of internal nodes to determine a stop condition, i.e., the level at which a node count is likely to be small enough that a further recursion along that path is not helpful to obtain good accuracy. Effectively, we perform pruning of the tree using a small fraction of the data budget, and then split the remaining budget among the non-pruned nodes along a path. This helps decrease the effective height of the tree across each path, and hence the resulting budget per level increases.

Next, we present in detail our approach that contributes two main ideas: (i) how to determine smart stop (or pruning) conditions based on noisy internal node counts, and (ii) how to allocate perturbation budget across shortened paths.

The proposed technique is summarized in Algorithm 3: it takes as inputs the root node of the tree generated in the data partitioning step; the remaining budget allocated for the perturbation of data (\(\epsilon _{\text{data}}\)); a tracker of accumulated budget (\(\epsilon _{\text{accu}}\)); a stop condition predicate denoted by cond; and the nominal tree height h as computed in Section 4.2. Similar to prior work [7], we use a geometric progression budget allocation strategy, but we enhance it to avoid wasting budget on unnecessarily long paths. The intuition behind this strategy is to assign more budget to the nodes located in the lower levels of the tree, since their actual counts are lower, and hence larger added noise impacts the relative error disproportionately high. Conversely, at the higher levels of the tree, where actual counts are much higher, the effect of the noise is negligible.

Equation (16) formulates this goal as a convex optimization problem, (16) \(\begin{align} \underset{\epsilon _0...\epsilon _h}{min}\;\;\;& \sum _{i\texttt {=}0}^h 2^{h-i}/\epsilon _i^2, \end{align}\) (17) \(\begin{align} \text{where} \end{align}\) (18) \(\begin{align} & \sum _{i\texttt {=}0}^h \epsilon _i=\epsilon , \;\; \epsilon _i\gt 0 \; \;\forall i=0...h. \end{align}\) Writing Karush-Kuhn-Tucker (KKT) [4] conditions, the optimal allocation of budget can be calculated as (19) \(\begin{align} L(\epsilon _1, \ldots ,\epsilon _h,\lambda) &= \sum _{i\texttt {=}0}^h 2^{h-i}/\epsilon _i^2 + \lambda \left(\sum _{i\texttt {=}0}^h \epsilon _i- \epsilon \right) \end{align}\) (20) \(\begin{align} &\Rightarrow \dfrac{\partial L}{\partial \epsilon _i} = - \dfrac{2^{h-i+1}}{\epsilon _i^3}+ \lambda =0 \end{align}\) (21) \(\begin{align} &\Rightarrow \epsilon _i = \dfrac{2^{h-i+1}}{\lambda ^{1/3}}, \end{align}\) and substituting \(\epsilon _i\)’s in the constraint of problem the optimal budget in the ith level is derived as (22) \(\begin{equation} \epsilon _i = \dfrac{2^{(h-i)/3}\,\epsilon \, (2^{1/3}-1)}{(2^{(h+1)/3}-1)}. \end{equation}\)

The algorithm starts the traversal from the partitioning tree’s root and recursively visits the descendent nodes. Once a new node is visited, the first step is to use the node’s height to determine the allocated budget (\(\epsilon _{\text{data}}^{\prime }\)) based on geometric progression. Recall that the nodes on the same level follow parallel decomposition of the budget as their underlying areas in space do not overlap. Additionally, the algorithm keeps track of the amount of budget used so far on the tree, optimizing the budget in later stages. Next, the computed value of \(\epsilon _{\text{data}}^{\prime }\) is utilized to perturb the node.count by adding Laplace noise, resulting in noisy count node.ncount.

The stop condition we use takes into account the noisy count in the current internal node (i.e., count threshold); and the spatial extent of the internal node threshold (i.e., extent threshold). If none of the thresholds is met for the current node, then the algorithm recursively visits the node’s children; otherwise, the algorithm prunes the tree considering that the current node should be a leaf node. In the latter case, the algorithm subtracts the accumulated budget used so far on that path from the root, and uses the entire remaining budget available to perturb the count. This significantly improves the utility, as geometric allocation tends to save most of the budget for the lower levels of the tree. Revisiting the example in Figure 2(b), suppose that the stop condition is to prune when the underlying area consists of less than four cells. During the data perturbation process, the node \(B_2\) is turned into a leaf node due to its low number of cells. At this point, the node’s children are removed, and its noisy count is determined based on the remaining budget available on the lower levels of the tree.

The computational complexity of the HTF algorithm is \(O((2T+1)\times 2^h)\). Each internal node of the tree leads to a split that requires \(O(2T+1)\) computations to search for the split index, and there are \(\sum _{i\texttt {=}1}^h 2^{h-i} = 2^h-1\) internal nodes.

7.1 Experimental Setup

We evaluate HTF on both real and synthetic datasets:

Real-world Datasets. We use the location measurements of cell phones provided by Veraset [29]² throughout the USA for performance evaluation. Primarily, we focus on collected data in Los Angeles covering a \(70 \times 70\) km\(^2\) area centered at latitude 34.05223 and longitude \(-118.24368\). The selected data generates a frequency matrix of 3.5 million data points during the time period of January 1–7, 2020. Additionally, we use the data collected in six cities—New York, San Francisco, Seatle, Denver, Detroit, and Phoenix—with the detailed statistics provided in Table 2.

Synthetic Datasets. We generate locations according to a Gaussian distribution as follows: a cluster center, denoted by \((x_c,y_c)\), is selected uniformly at random. Next, coordinates for each data point x and y are drawn from a Gaussian distribution with the mean of \(x_c\) and \(y_c\), respectively. We model three sparsity levels by using three standard deviation (\(\sigma\)) settings for Gaussian variables: low (\(\sigma = 20\)), medium (\(\sigma = 50\)), and high (\(\sigma = 100\)) sparsity.

We discretize the space to a 1,024 \(\times\) 1,024 frequency matrix. We use as performance metric the MRE for range queries. Similar to prior work [14, 23, 30, 34], we consider a smoothing factor of 20 for the relative error, to deal with cases when the true count for a query is zero (i.e., relative error is not defined). Each experimental run consists of 2,000 random rectangular queries with center selected uniformly at random. We vary the size of queries to a region covering \(\lbrace 2\%, 6\%, 10\%\rbrace\) of the dataspace.

7.2 HTF Versus Data Dependent Algorithms

Data-dependent algorithms aim to exploit users’ distribution to provide an enhanced partitioning of the map. The state-of-the-art data-dependent approach for DP-compliant location publication is the kd-tree technique from Reference [7]. The kd-tree algorithm generates the partitioning tree by splitting on median values, which are determined using the exponential mechanism. We have also included the smoothing post-processing step from References [15, 23], which resolves inconsistencies within the structure (e.g., using the fact that counts in a hierarchy should sum to the count of an ancestor).

Figure 4 presents the comparison of the HTF algorithm with kd-tree approaches, namely: (i) geometric budget allocation in addition to smoothing and post-processing labelled as KdTree (geo); (ii) uniform budget allocation including smoothing and post-processing labelled as KdTree (uniform); (iii) HTF algorithm with the partitioning budget per level set to \(\epsilon _{\text{prt}}^{\prime } = 5E-4\); and (iv) HTF algorithm with \(\epsilon _{\text{prt}}^{\prime } = 1E-3\). Recall that \(\epsilon _{\text{prt}}^{\prime }\) denotes the budget per level of partitioning, and therefore, given the tree’s height as h, the remaining budget for perturbation is derived as \(\epsilon _{\text{data}} = \epsilon _{\text{tot}} - \epsilon _{\text{prt}}^{\prime }\times h - \epsilon _{\text{height}}\). The value of \(\epsilon _{\text{height}}\) in the experiments is set to \(1E-4\), the HTF’s T value is set to 3, and stop condition thresholds are set to no less than 5 cells or 100 data points. Moreover, for the kd-tree algorithm, \(15\%\) of the total budget is allocated to implement the partitioning.

Fig. 4.

View Figure

In Figures 4(a), 4(b), and 4(c), the MRE performance is compared for different values of \(\epsilon _{\text{tot}}\) over a workload of uniformly located queries with random shape and size. HTF clearly outperforms kd-tree for all height settings. Looking at the MRE performance, the kd-tree algorithm follows a parabolic shape commonly occurring in tree-based algorithms, meaning that the MRE performance reaches its best values at a particular height, and further partitioning of the space increases the error. This is caused by excessive partitioning in low-density areas. HTF, on the other hand, is applying stop conditions to avoid the adverse effects of over-partitioning, and is able to estimate the optimal height beforehand. Figures 4(d), 4(e), and 4(f), show the results when varying query size (for square shape queries). HTF outperforms the kd-tree algorithm significantly, with an average improvement of \(89\%\) for \(\epsilon _{\text{prt}}^{\prime } = 1E-3\).

7.3 HTF Versus Grid-based Algorithms

Grid-based approaches are mostly data-independent, and they partition the space using regular grids. The UG approach uses a single-layer fixed size grid, whereas its successor AG method considers two layers of regular grids: the first layer is similar to UG, whereas the second uses a small amount of data-dependent information (i.e., noisy query results on the first layer) to tune the second layer grid granularity.

Figure 5 presents the comparison of HTF with AG and UG. For HTF, we consider several stop condition thresholds. HTF consistently outperforms grid-based approaches, especially when the total privacy budget is lower (i.e., more stringent privacy requirements). For example, the percentage of improvement for the HTF algorithm with \(\epsilon _{\text{prt}}^{\prime } = 1E-3\) compared to AG is \(28\%\), \(70\%\), and \(63\%\) for total privacy budgets of \(0.1,\,0.3,\) and 0.5, respectively. The impact of the stop count condition on HTF depends on the underlying distribution of data points. For the Los Angeles dataset, MRE is relatively larger for small values of \(\epsilon _{\text{tot}}\). The performance improves and reaches its near-optimal values around stop count 50, and ultimately worsens when the stop count becomes larger. This matches our expectation as, on one hand, small values of stop count result in over-partitioning, and on the other hand, when the stop count is too large, the partitioning tree cannot reach the ideal heights, resulting in high MRE values.

Fig. 5.

View Figure

Figures 5(d), 5(e), and 5(f), show the obtained results for varying query sizes (2, 6, and \(10\%\) of the data domain). HTF outperforms both AG and UG. Note that all three algorithms are adaptive and change their partitioning according to the number of data points. Therefore, in low privacy regimes, the structure of algorithms may cause fluctuations in the accuracy. However, as the privacy budget grows, the algorithms reach their maximum partitioning limit, and increasing the budget always results in lower MRE.

7.4 HTF Versus Data Independent Algorithms

The most prominent DP-compliant data-independent technique [7] uses QuadTrees. The technique recursively partitions the space into four equal size quadrants. Two commonly used budget allocation techniques used in Reference [7] are geometric budget allocation (geo) and uniform budget allocation. For a fair comparison, we have also included the smoothing post-processing step from References [23, 31].

Figure 6 presents the comparison results. Figures 6(a), 6(b), and 6(c) are generated using random shape and size queries, and several different height settings. Note that the fanout of QuadTrees is double the fanout of HTF, so the height represented by 2k in the figures corresponds to the implementation of QuadTree with the height of k. The error of the QuadTree approach is large for small heights, then improves to its optimal value, and rises again significantly as height further increases, due to over-partitioning. Similar to kd-trees, no systematic method has been developed for QuadTree to determine optimal height, whereas the HTF height selection heuristic yields levels 15, 16, and 17 for the allocated privacy budget of 0.1, 0.3, and 0.5, respectively. HTF outperforms QuadTree for all settings of \(\epsilon _{\text{tot}}\). As an example, the percentage of improvement in Figure 6(a) when the tree’s height is 16 reaches \(35\%\). Figures 6(d), 6(e), and 6(f) show the accuracy of HTF and QuadTree for square randomly placed queries of varying size. HTF outperforms in all cases.

Fig. 6.

View Figure

7.5 Additional Benchmarks

To further validate HTF performance, we run experiments on the Los Angeles dataset as well as six synthetic datasets generated using Gaussian distribution. Figure 7 presents the comparison of all algorithms with randomly generated query workload and a privacy budget of \(\epsilon _{\text{tot}}=0.1\). Three additional algorithms are used as comparison benchmarks, (i) Singular algorithm– preserving differential privacy by adding independent Laplace noise to each entry of the frequency matrix, (ii) Uniform algorithm in which Laplace noise is added to the total count of the grid with the assumption that data are uniformly distributed within the grid, and (iii) the Privlet [30] algorithm based on wavelet transformations.

Fig. 7.

View Figure

Figure 7 shows that HTF consistently outperforms existing approaches. For the denser datasets (\(sigma=20\)) the gain compared to approaches designed for uniform data (e.g., UG, AG, Quadtrees) is lower. As data sparsity grows, the difference in accuracy between HTF and the benchmarks increases. HTF performs best on a relative basis for lower \(\epsilon _{\text{prt}}^{\prime }\), i.e., more stringent privacy requirements.

Finally, in Figure 8, we present the execution time of all considered algorithms when applied to the LA dataset. The execution time also includes response time to 200 queries with random shape and size. As it can be seen in the figure, not only does HTF have a higher utility for the private dataset, but it is also the fastest. Such an advantage significantly helps the application of HTF to large-scale datasets.

Fig. 8.

View Figure

7.6 Performance Evaluation of Scaling Approach

We evaluate the approach introduced in Section 6 for scaling DP-compliant hierarchical structure construction to large datasets. The impact of the proposed scaling approach in conjunction with HTF is compared with two popular benchmarks on six datasets corresponding to cities throughout the USA (Table 2):

• Benchmark 1: Geometric budget allocation with fanout two [32]. In this case, the map is divided using a binary tree until reaching the 1M population threshold. Given the population of USA 328M, and the threshold of 1M, there are \(\lceil \log _2 (\dfrac{328\times 10^9}{1\times 10^9 })\rceil = 9\) levels before reaching the threshold of dynamic nodes. Therefore, \(h_{\text{arch}} = 9\), and the geometric progression is applied with the basis of 2, which is a special case of the problem formulated in Equation (33), where \(n_i = 2^i\) for all \(i=0...h_{\text{arch}}\).

• Benchmark 2: Geometric budget allocation with fanout of four, previously used in QuadTrees [7]. The total number of levels is \(\textstyle \lceil \log _4 (\dfrac{328\times 10^9}{1\times 10^9 })\rceil = 5\), leading to \(h_{\text{arch}} = 5\). This corresponds to solving the problem in Equation (33) when the division basis is set to four, resulting in \(n_i = 4^i\) for all \(i=0...h_{\text{arch}}\).

Dataset details are provided in Table 2. For each city, 1M data points are sampled from the GPS logs of the Veraset data. Central coordinates of the cities are given in the table, and the area range is selected as \(\pm 0.6\) of the center to generate a 1,024 \(\times\) 1,024 frequency matrix. The parameters selected for HTF follow Section 7.2 with \(\epsilon _{\text{prt}}^{\prime } = 1E-3\).

The results of the experiments are presented in Figure 9. The proposed architecture is labeled as Hierarchical in the figure, and the comparisons are provided for the total allocated budget of 0.5 and 1 to sanitize the whole map of the USA. For each city, the amount of budget is calculated based on the proposed hierarchical scheme and the two benchmarks. The improvement achieved in the utility of the published data is consistent among all six cities. Two key trends are observed: (1) by increasing the amount of budget, the MRE is reduced, and (2) increasing the fanout tends to preserve more budget for lower levels of the tree and therefore, results in better accuracy.

Fig. 9.

View Figure

7.7 Parameter Analysis

The performance of HTF depends on several internal and external parameters that can impact the utility of the published private histogram. In this subsection, we vary parameters one at a time to evaluate their influence on the algorithm’s performance. The default parameters include the Veraset LA dataset with 3.5M samples, total privacy budget \(\epsilon _{\text{tot}}=0.1\), height estimation budget \(\epsilon _{\text{height}}= 0.001\), per level partitioning budget \(\epsilon _{\text{prt}}^{\prime } = 1E-3\), stop count threshold 10, and \(T=3\).

Privacy Budget. Recall that the total privacy budget is the summation of sanitization budget (\(\epsilon _{\text{data}}\)), partitioning budget (\(\epsilon _{\text{prt}}\)) and the height estimation budget (\(\epsilon _{\text{height}}\)). The height estimation budget is negligible compared to sanitization and partitioning budgets, and we have already shown in the experiments that by increasing the total privacy budget, there is a clear trend of increase in utility demonstrating the privacy-utility trade-off. In Figure 10(a), we focus on understanding how the privacy budget should be distributed between sanitization and partitioning. The x-axis of the figure is per level of the tree, which by multiplying to the height h results in the total utilized budget for partitioning. Utility follows a parabolic trend relative to the budget. If the selected privacy budget is too low, then the algorithm fails to capture the impact of homogeneity, adversely affecting the utility. On the other hand, when the privacy budget increases to a higher level where the budget is almost equally distributed between sanitization and partitioning, the low sanitization budget plays a bigger role, significantly deteriorating utility.

Fig. 10.

View Figure

Per Level Computation T. The variable T denotes the number of times the homogeneity objective function is evaluated for each node split on the HTF tree. A higher value of T results in an increased number of split point candidates and finding the one that leads to more homogeneity. This comes with the drawback that less per computation budget remains, leading to a less accurate evaluation of the objective function (\(\epsilon _{\text{prt}}^{\prime \prime } = \epsilon _{\text{prt}}^{\prime }/(2T+1)\)). Figure 10(b) looks into the impact of variable T for low, medium, and high privacy regimes. For high privacy regimes, the impact of variation in T is less severe as the sanitization budget dominates partitioning. The role of the parameter becomes more significant when the privacy budget is limited. In such a scenario, the parabolic role impact on utility can be clearly seen in the graph. For low values of T, the number of computations is not enough to reach a good extent of homogeneity identification. Similarly, when the value grows too large, privacy deficiency disables the accurate identification of the objective function lowering the utility of the published private histogram.

Height. In Figure 10(c), we remove the height estimation mechanism, which is implemented before generating the HTF tree and run the algorithm for fixed given heights. Despite fluctuations due to the Laplace mechanism, the clear trend can be seen that significant utility loss is imposed on the histogram when the tree’s height is short. The performance improves as the height grows larger until it reaches the height 15 from which the performance enters the stabilization phase due to stop conditions. The optimal value can be seen to approximately coincide with the height estimation proposed for HTF (\(|\overline{D}|\approx |D|\)), (39) \(\begin{equation} h = \log _2{\left(\dfrac{|D| \epsilon _{\text{tot}}}{10}\right)} = \log _2{\left(\dfrac{3.5\times 10^6 \times 0.1}{10}\right)} \approx 15. \end{equation}\)

Stop Conditions. Despite its simplicity, the use of private stop conditions can critically refine or reduce utility. The discussion around how to handle postprocessing in the U.S. 2020 Census magnifies the importance of dealing with negative numbers. Our proposed method to apply private stop conditions is conducted in a private way as opposed to the approach taken by the bureau: suppressing all negative numbers in addition to allowing for more flexible constraints such as density and homogeneity. In Figure 10(d), we look at utility for a given stop condition applied on tree nodes. The experiments suggest that large values for stop conditions prevent HTF from efficiently partitioning the space by early pruning the tree. Based on our observations, the selection of stop conditions below total noise variance can efficiently improve the performance as a rule of thumb. In this case, given that the total privacy budget \(\epsilon _{\text{tot}}\), the variance of noise calculated as \(2/\epsilon _{\text{tot}}^2 = 200\). Note that, the empirical values obtained for the errors are confirming the validity of our theoretical analysis for leaf node thresholds in Section 5. The experiments show that the minimum error obtained for the stop count of 10 is very close to the one obtained for the theoretically indicated value of stop count 62.

Scale. Figure 10(e) evaluates the scale-epsilon exchangeability property for HTF. This principle dictates that increasing the scale (number of samples) has a similar effect as increasing the privacy budget. Instead of using all 3.5 million datapoints in the Los Angeles dataset, we sample data uniformly at random, generating 6 datasets with the population count of 0.5, 1, 1.5, 2, 2.5, 3 million samples. The clear trend of reduction in utility by increasing scale confirms that the algorithm is following scale-epsilon exchangeability as the same behavior is expected by increasing the privacy budget.