19-EFT.WP.Methods.SynthData v1.0 | Chapter 10 — Privacy, Security & De-identification (DP/MI/Linkability)

Home ／ Docs-Technical WhitePaper ／ 19-EFT.WP.Methods.SynthData v1.0

Chapter 10 — Privacy, Security & De-identification (DP/MI/Linkability)

I. Scope & Targets

1. Goals
   • Establish an end-to-end privacy and security baseline for synthetic data: DP(eps, delta) budgeting, membership inference (MI) and linkability risk assessments, and release/rollback strategies.
   • Model and measure leakage surfaces in both training and sampling to produce an auditable manifest.synth.privacy.*.
   • Incorporate time-base and arrival-time semantics into privacy assessment to keep cross-modal and cross-batch conventions consistent.
2. Applies to
   • Statistical and deep generators (copula / VAE / GAN / flow / diffusion / SCM), for offline batches and online streaming.
   • Single-modal datasets and multimodal bundles (see Chapter 9), including linkable datasets with foreign keys and time columns.
3. Outputs
   Budget accounting report, attack simulations with risk scores, compliance assertions, and a release manifest.

II. Terms & Variables

• Mechanisms & budgets: DP(eps, delta), RDP(alpha, eps_alpha), cDP, accountant.
• Training controls: C (clip norm), sigma (noise std), q (subsample rate), T (steps).
• Risks & metrics: Adv_MI (membership advantage), AUC_MI, reid_rate@k, LSR@k (linkability success rate), k_anonymity, l_diversity.
• Time & arrival: tau_mono, ts, offset/skew/J, T_arr, delta_form.
• Manifest keys: manifest.synth.privacy.{dp_mech, eps_total, delta_total, sigma, C, q, steps, accountant, attacks, risk_scores}.

*III. Axioms P410- **

• P410-1 (Explicit Budgeting): Every release batch must disclose eps_total, delta_total, and the accounting method.
• P410-2 (Controllable Training): For privacy-aware training, clip all gradients with clip(C) and add noise sigma; record q and T.
• P410-3 (Compositional Conservation): Accumulate budgets across multiple synthesis rounds and multi-view aggregation per composition rules using the tightest upper bounds.
• P410-4 (Attack-Surface Coverage): At minimum, include MI threshold and shadow-model attacks and key/time-based linkability attacks.
• P410-5 (Unified Time Base): Run privacy evaluation on tau_mono windows and publish on ts; for path-involved modalities record both T_arr formulations with delta_form.
• P410-6 (Units & Dimensions): All privacy-related physical quantities and injected noise must pass check_dim(expr).
• P410-7 (Minimum Disclosure): Manifests and released samples must contain only the minimally necessary information required by contracts.
• P410-8 (Reproducibility & Signature): Persist seed/rng and the accounting trail; both must be reproducible and signed.
• P410-9 (Cross-Modal Consistency): For multimodal bundles, account privacy budgets on the joint view—per-modal under-reporting is forbidden.

*IV. Minimal Equations S410- **

1. S410-1 (Gaussian DP Noise Calibration)
   • sigma = ( C * sqrt( 2 * log(1.25/delta) ) ) / eps。
   • With subsampling q and multiple steps T, use the accountant to compose: (eps_total, delta_total) = accountant(q, C, sigma, T)。
2. S410-2 (RDP → (eps, delta) Conversion)
   eps_total(delta) = min_{alpha>1} ( eps_RDP(alpha) + ( log(1/delta) ) / ( alpha - 1 ) )。
3. S410-3 (Privacy Amplification)
   eps_sub ≈ log( 1 + q * ( exp(eps) - 1 ) )，delta_sub ≈ q * delta。
4. S410-4 (Membership Advantage)
   Adv_MI = | P( attack=1 | member ) - P( attack=1 | nonmember ) |，AUC_MI = AUC( score_member, score_nonmember )。
5. S410-5 (Linkability Success Rate)
   For candidate size k and a cost matrix C_link, LSR@k = P( rank_true ≤ k ) with rank_true computed by sorting on similarity or matching cost。
6. S410-6 (Dual Arrival Forms & Consistency)
   • T_arr = ( 1 / c_ref ) * ( ∫ n_eff d ell )；T_arr = ( ∫ ( n_eff / c_ref ) d ell )；
     delta_form = | ( 1 / c_ref ) * ( ∫ n_eff d ell ) - ( ∫ ( n_eff / c_ref ) d ell ) |。
   • Assert delta_form ≤ tol_Tarr to prevent time-side channels from inflating linkability.

V. Metrology Flow M40-10 (Privacy & De-identification Loop)

• Readiness & Classification
  Define data sensitivity and usage; choose dp_mech ∈ {Gaussian, Laplace, RDP, cDP} and set eps_budget, delta_budget.
• Training Controls
  Apply clip(C) and add noise sigma; configure q, T, and the accountant; log failure/retry policies to ensure alpha spend stays within budget.
• Sampling & Minimum Disclosure
  Respect post-processing immunity; redact highly linkable fields and, where necessary, apply k_anonymity / l_diversity transforms.
• Attack Simulation
  Run MI threshold & shadow-model attacks; build key/time/foreign-key-graph linkability scenarios; evaluate LSR@k and reid_rate@k.
• Risk Review & Rollback
  If Adv_MI, AUC_MI, or LSR@k exceed thresholds, increase noise or rebalance; if needed, narrow release granularity or remove high-risk slices.
• Persist & Freeze
  Emit manifest.synth.privacy.* with budgets, accounting traces, attack results, and assertions; sign and freeze.

VI. Contracts & Assertions C40-10xx

• C40-1001 (Budget Within Limits): eps_total ≤ eps_budget and delta_total ≤ delta_budget.
• C40-1002 (Controllable Training): C ∈ [C_min, C_max], sigma ≥ sigma_min, q ≤ q_max.
• C40-1003 (Attack Surface Pass): Adv_MI ≤ adv_max, AUC_MI ≤ auc_max; LSR@k ≤ lsr_max, reid_rate@k ≤ reid_max.
• C40-1004 (Minimum Disclosure): Released fields satisfy min_disclosure(policy)=true.
• C40-1005 (Time & Arrival Consistency): |offset| ≤ off_max, J ≤ J_max, and delta_form ≤ tol_Tarr.
• C40-1006 (Units & Dimensions): check_dim( sigma / C ) = [1] (dimensionless) and related expressions pass.
• C40-1007 (Reproducibility & Signature): hash_sha256(manifest) = signature.payload.
• C40-1008 (Joint Budgeting for Multimodal): eps_total_joint ≤ eps_budget_joint for joint releases.

VII. Implementation Bindings I40-10*

• train_with_dp(ds, model, C, sigma, q, T, accountant) -> engine_dp, log
• account_privacy(log, accountant, delta_budget) -> {eps_total, delta_total}
• simulate_attacks(ds_real, ds_syn, scenarios) -> {Adv_MI, AUC_MI, LSR@k, reid_rate@k}
• min_disclosure_transform(ds_syn, policy) -> ds_syn'
• timepath_hardening(ds_syn', sync_ref) -> ds_syn_t (write offset/skew/J, T_arr, delta_form)
• emit_privacy_manifest(results, policy) -> manifest.synth.privacy
• Invariants: eps_total increases monotonically with added steps; sum(weights)/N ≈ 1 (if reweighted); delta_form ≤ tol_Tarr; unit/dimension checks pass; logs are fully traceable.

VIII. Cross-References

• Methods.Cleaning v1.0: Chapter 10 (release freeze) and Chapters 5/6 (time & arrival).
• Methods.CrossStats v1.0: Chapter 7 (drift) and Chapter 14 (statistical SLOs).
• This volume: Chapter 12 (fidelity & utility evaluation) and Chapter 13 (release & manifests).

IX. Quality SLIs & Risk Control

1. Core SLIs
   eps_total, delta_total, Adv_MI, AUC_MI, LSR@k, reid_rate@k, latency_ms_p99 (accounting & evaluation), off/skew/J, delta_form.
2. Risk Strategies
   • Budget shortfall: increase sigma or reduce q/T; switch to a stronger accountant (e.g., RDP).
   • High MI risk: temperature annealing, stronger regularization, member balancing, confidence suppression, and threshold clipping.
   • Rising linkability: tighten jitter bounds, hash & bucket foreign keys, merge rare patterns.
   • Multimodal accounting: measure on the joint view; if needed, weight by view and raise noise.

Summary