Sunday, June 19, 2011

Postdoc in Economics of Privacy at UPenn

We have another postdoc position available at Penn for theorists interested in studying the foundations of privacy, and developing a theory of how privacy and economic incentives should interact!

Applications are invited for a postdoc position in the theory of privacy and economics at the University of Pennsylvania. An outline of the hosting project is below.

The ideal candidate will have a Ph.D. in Computer Science, Economics, or Statistics and a strong record of publication. To apply, please send a CV, research statement, and the names of three people who can be asked for letters of reference to Aaron Roth. Both the term of the postdoc and the starting date are negotiable.

Inquiries can be directed to any of the PIs:
Sham Kakade
Michael Kearns
Mallesh Pai
Aaron Roth

In the last decade private data has become a commodity: it is gathered, bought and sold, and contributes to the primary business of many Internet and information technology companies. At the same time, various formalizations of the notion of ‘privacy’ have been developed and studied by computer scientists. Nevertheless, to date, we lack a theory for the economics of digital privacy, and we propose to close this important gap.

Concretely, we propose to develop the theory to address the following questions:

How should a market for private data be structured? How can we design an auction that accommodates issues specific to private data analysis: that the buyer of private data often wishes to buy from a representative sample of the population, and that an individual's valuation of their own privacy can itself be a very sensitive piece of information?

How should we structure other markets to properly account for participants' concerns about privacy? How should we properly model privacy in auction settings, and design markets to address issues relating to utility for privacy?

Studying economic interactions necessitates studying learning – but what is the cost of privacy on agent learning? How does the incomplete information that is the necessary result of privacy preserving mechanisms affect how individuals engaged in a dynamic interaction can learn and coordinate, and how do perturbed measurements affect learning dynamics in games? How can market research be conducted both usefully and privately?

Our investigation of these questions will blend models and methods from several relevant fields, including computer science, economics, algorithmic game theory and machine learning.

The proposed research directly addresses one of the most important tensions that the Internet era has thrust upon society: the tension between the tremendous societal and commercial value of private and potentially sensitive data about individual citizens, and the interests and rights of those individuals to control their data. Despite the attention and controversy this tension has evoked, we lack a comprehensive and coherent science for understanding it. Furthermore, science (rather than technology alone) is required, since the technological and social factors underlying data privacy are undergoing perpetual change. Within the field of computer science, the recently introduced subfield of privacy preserving computation has pointed the way to potential advances. The proposed research aims to both broaden and deepen these directions.

Thursday, June 02, 2011

Differential Privacy Postdoc at UPenn

We are building a differential privacy group at UPenn! Below is the announcement for a postdoc position in the theory and practice of differential privacy. If you are a theorist who wants to actually put your contributions into practice as well, please apply.

There will be another announcement soon for another pure-theory postdoc position in the exciting new area of "privacy and economics". Stay tuned, and contact me if you are interested.


Applications are invited for a postdoc position in the theory and practice of differential privacy at the University of Pennsylvania. An outline of the hosting project is below.

The ideal candidate will have a Ph.D. in Computer Science, a combination of strong theoretical and practical interests, and expertise in at least two of: programming languages, theoretical computer science, and systems software. The position is for one year in the first instance, with possible renewal up to four years. Starting date is negotiable. Applications from women and members of other under-represented groups are particularly welcome.

To apply, please send a CV, research statement, and the names of three people who can be asked for letters of reference to Benjamin Pierce. Inquiries can be directed to any of the PIs:

Andreas Haeberlen
Benjamin C. Pierce
Aaron Roth

Putting Differential Privacy to Work

A wealth of data about individuals is constantly accumulating in various databases in the form of medical records, social network graphs, mobility traces in cellular networks, search logs, and movie ratings, to name only a few. There are many valuable uses for such datasets, but it is difficult to realize these uses while protecting privacy. Even when data collectors try to protect the privacy of their customers by releasing anonymized or aggregated data, this data often reveals much more information than intended. To reliably prevent such privacy violations, we need to replace the current ad hoc solutions with a principled data release mechanism that offers strong, provable privacy guarantees. Recent research on DIFFERENTIAL PRIVACY has brought us a big step closer to achieving this goal. Differential privacy allows us to reason formally about what an adversary could learn from released data, while avoiding the need for many assumptions (e.g. about what an adversary might already know), the failure of which has been the cause of privacy violations in the past. However, despite its great promise, differential privacy is still rarely used in practice. Proving that a given computation can be performed in a differentially private way requires substantial manual effort by experts in the field, which prevents it from scaling in practice.

This project aims to put differential privacy to work---to build a system that supports differentially private data analysis, can be used by the average programmer, and is general enough to be used in a wide variety of applications. Such a system could be used pervasively and make strong privacy guarantees a standard feature wherever sensitive data is being released or analyzed. Specific contributions will include ENRICHING THE FUNDAMENTAL MODEL OF DIFFERENTIAL PRIVACY to address practical issues such as data with inherent correlations, increased accuracy, privacy of functions, or privacy for streaming data; DEVELOPING A DIFFERENTIALLY PRIVATE PROGRAMMING LANGUAGE, along with a compiler that can automatically prove programs in this language to be differentially private, and a runtime system that is hardened against side-channel attacks; and SHOWING HOW TO APPLY DIFFERENTIAL PRIVACY IN A DISTRIBUTED SETTING in which the private data is spread across many databases in different administrative domains, with possible overlaps, heterogeneous schemata, and different expectations of privacy. The long-term goal is to combine ideas from differential privacy, programming languages, and distributed systems to make data analysis techniques with strong, provable privacy guarantees practical for general use. The themes of differential privacy are also being integrated into Penn's new undergraduate curriculum on Market and Social Systems Engineering.