Plausible Deniability Guarantees for Whistleblowers
Abstract
Whistleblowers are a key safeguard against organizational wrongdoing, but the threat of retaliation deters reporting.
Existing whistleblower-protection proposals lack formal privacy guarantees, and existing differential privacy mechanisms do not directly target the natural threat model -- one in which the audited organization itself observes auditor selection decisions and uses them to identify reporters.
We formalize protection against a strong-adversary threat model as per-report $(0, \delta)$-differential privacy on the transcript of audit selections.
Within this framework we prove that a natural approach -- randomized response applied at the selection step -- can never outperform uniform random auditing by more than $\delta$ at any horizon.
We then give a generic mechanism that reduces private auditing to private continual counting: any $(0, \delta)$-DP continual counter plugs in by post-processing, and the audit transcript inherits the same per-report guarantee.
Instantiating the reduction with a recent work in continual counting yields per-report $(0, \delta)$-DP with noise scaling as $O(\sqrt{\log T})$ across a horizon of $T$ audit decisions.
A utility theorem shows that the selection error vanishes whenever the noisy report gap between the most-reported organization and the runner-up grows faster than $\sqrt{\log T}$.
Simulations show a substantial improvement over randomized response.
이 뉴스, 어떠셨어요?
탭 한 번으로 반응 · 로그인 불필요