Observations on the Bias of Nonnegative Mechanisms for Differential Privacy

We study two methods for differentially private analysis of bounded data and extend these to nonnegative queries. We first recall that for the Laplace mechanism, boundary inflated truncation (BIT) applied to nonnegative queries and truncation both lead to strictly positive bias. We then consider a generalization of BIT using translated ramp functions. We explicitly characterise the optimal function in this class for worst case bias. We show that applying any square-integrable post-processing function to a Laplace mechanism leads to a strictly positive maximal absolute bias. A corresponding result is also shown for a generalisation of truncation, which we refer to as restriction. We also briefly consider an alternative approach based on multiplicative mechanisms for positive data and show that, without additional restrictions, these mechanisms can lead to infinite bias.


1. Introduction. There has been substantial interest in the past two decades in the development and analysis of formal privacy frameworks for the release and analysis of personal data [5,21]. Differential privacy (DP) [3] provides very strong, provable privacy guarantees and is one of the most important privacy frameworks from both a practical and theoretical standpoint. Since its introduction, many results have been derived on the fundamental theory of DP and its relation to other privacy concepts (see for instance [5,8,19,2,20,12]). Some of the most important differentially private mechanisms proposed in the literature include the Laplace, Gaussian, and Exponential mechanisms [17]. Numerous other mechanisms have also been proposed, including, for example, the discrete Laplace [20], Staircase, and Generalized Gaussian mechanisms [15].
Since its introduction, differential privacy has been used in a diverse range of applications. For example, [13] describes applications to control theory while [11] considers differential privacy for randomized response surveys. A high-profile and important application of differential privacy that is relevant to the problems considered here is its use for census data. Recently, the US Census Bureau announced a plan to use differential privacy for the 2020 census results [1]. Several researchers have noted specific challenges that arise in the use of differential privacy in such contexts. In particular, the nonnegative, discrete, nature of the count data in a census makes standard mechanisms unsuitable and requires either new mechanisms or appropriate ways of adapting existing ones [18,6]. It is fundamentally important that mechanisms for constrained data (such as integer-valued, nonnegative or hierarchical data) respect these constraints; otherwise the outputs from the mechanisms may be unrealistic. The recent paper [18] presents a novel mechanism for count queries on census-type data. The framework developed is for approximate or relaxed (ε, δ)-differential privacy and can be used to design integer-valued mechanisms with specified range and error probability. A related line of work in [6] describes an optimization-based approach using the geometric distribution that respects integral as well as hierarchical constraints between groups in the dataset. Both of these approaches are suitable for count queries arising in connection with census data.
In this paper, our interest is in adapting existing mechanisms so that they respect nonnegativity constraints. We focus on two methods, post-processing and restriction (with the latter being equivalent to rejection sampling), for the, admittedly limited, but practically important case of the Laplace mechanism. This is arguably the most widely used and studied mechanism for ε-differential privacy and real-valued queries; according to the authors of [9], it is the "workhorse of differential privacy". The range of Laplace random variables is R, making it unsuitable for queries and data subject to constraints. For bounded queries, taking values in some interval [l, u] ⊂ R for example, it is necessary to adapt the mechanism to ensure realistic, meaningful outputs. Recent work describing ways of addressing this issue for bounded queries can be found in [9,14].
Two approaches to construct bounded ε-differentially private mechanisms from the Laplace mechanism are described in [14]: namely, truncation and boundary inflated truncation. Boundary inflated truncation works by setting values outside the query range to the nearest boundary value; this is an application of the general principle that differential privacy is not affected by post-processing with deterministic functions [5]. Truncation resamples from the Laplace distribution until a value in the specified range is obtained. As noted in [14], this is equivalent to a form of rejection sampling. These methods were also studied for the Generalized Gaussian mechanism in [15]. In [9], the authors studied truncated Laplace mechanisms (they refer to them as bounded Laplace mechanisms) and derived conditions for these mechanisms to satisfy relaxed (ε, δ) differential privacy. The bias formulae derived for truncation and boundary inflated truncation in [14] motivate our work here.
Our motivation stems from control theory [13], in particular so-called positive systems [23] which arise in applications such as population dynamics and transportation. For this reason, we focus on constructions for nonnegative-valued queries. Moreover, with the application to control systems in mind, we do not assume a priori that the data or query outputs are bounded. This contrasts with the recent, interesting, results in [24] motivated by the hierarchical constraints arising in applications to census data. This latter paper studies the effect of post-processing for queries constrained to bounded feasible sets described by linear equations. It is shown that when a particular class of post-processing functions, known as projections, is applied to the Laplace mechanism, bias is specifically the result of the addition of a nonnegativity constraint. While outside the scope of this paper, it is important to note that there are other possible approaches to the problem of private data analysis on nonnegative or otherwise constrained data. In particular, as suggested by one of the anonymous reviewers of this paper, a Bayesian framework [22] could be used to construct posterior distributions for the query output based on the noisy outputs and the analyst's knowledge of the mechanism used and data constraints.

Summary of Contributions
The contributions of the paper are qualitative in nature and concern the bias of nonnegative post-processed Laplace mechanisms and general restricted mechanisms. Our two main results, Proposition 5 and Proposition 6, establish a fundamental limitation for post-processing and restriction by showing that bias is unavoidable for both approaches.
In Section 3, we present simple adaptations of the formulae for bias and MSE from [14] for queries taking values in [0, ∞) and briefly consider a type of multiplicative mechanism introduced in [13], for strictly positive queries. We show that without additional restrictions, these mechanisms can have infinite worst case bias.
The simplest approach to post-processing for nonnegative queries is to post-process with the standard ramp function. In Section 4, we demonstrate that nonnegative mechanisms with improved worst-case bias can be obtained using alternative post-processing functions; we show this by considering the simple case of translated ramp functions and determine the optimal such function for worst case bias. We prove that positive bias is inevitable for any post-processed Laplace mechanism in Proposition 4 and prove the stronger result that the worst case bias is bounded away from zero for any such mechanism in Proposition 5. These initial results suggest several directions for future research. In particular, the problems of determining the optimal post-processing function and, more generally, the optimal mechanism for nonnegative queries, for the worst case bias are interesting theoretically and practically.
We prove a similar fundamental limitation for restricted mechanisms in Proposition 6. Here we show that for any initial mechanism (not necessarily the Laplace mechanism) the maximal absolute bias of the restricted mechanism is again positive. Taken together, these results establish important, fundamental properties and limitations of the generalizations of truncated and boundary inflated truncated mechanisms studied here. From a practical point of view, they show that if an unbiased nonnegative mechanism is required, then alternative approaches need to be considered. They also suggest several interesting directions for future research, some of which we describe in our concluding remarks.
2. Background and Notation. We briefly recall some key definitions and results on differential privacy; broadly, we follow the formalism in the paper [10]. (Ω, F , P) denotes a probability space where F is a σ-algebra of subsets of Ω and P is a probability measure on Ω. For a real-valued random variable X : Ω → R, E[X] denotes its expectation.
D is a set representing the possible databases of interest and we assume it is equipped with a symmetric, reflexive (but not transitive) adjacency relation ∼; this defines the notion of similarity for databases. A (real-valued) query is a mapping Q : D → R. Given a query Q, a mechanism is a collection of random variables In a slight abuse of notation, we shall often refer to the mechanism $X_{Q,d}$.
We only consider output perturbation mechanisms here: if Q has range Q(D), such a mechanism is defined by a family $\{Y_q : q \in Q(D)\}$ of random variables Given ε > 0, the mechanism $X_{Q,d}$ is ε-differentially private if It is well known [5] that for any measurable, deterministic, function φ : The sensitivity of the query Q : D → R is given by: Recall that a Laplace random variable with mean q ∈ R and scale parameter b > 0 is defined by the probability density function (pdf): We shall use $L_b$ to denote a Laplace random variable with mean 0 and scale parameter b. The following result concerning the Laplace mechanism and differential privacy is well known; see [4], [5].
The Laplace mechanism is determined by the family of random variables $\{Y_q = q + L_b : q \in Q(D)\}$. This notation (for the case where Q(D) = [0, ∞)) will be used frequently in the paper. Note that q denotes the 'true' query response and Throughout the paper, we are concerned with the following general setup. We are given a nonnegative valued query Q : D → [0, ∞) with sensitivity ∆, and a mech- We assume $X_{Q,d}$ is ε-differentially private. For the majority of the paper, $Y_q$ will be a Laplace random variable. We study the bias properties of two generalisations of boundary inflated truncation and truncation for constructing nonnegative mechanisms $\hat{X}_{Q,d} = \hat{Y}_{Q(d)}$. Essentially, we construct a nonnegative (derived) family $\hat{Y}_q$ from the given family $Y_q$ such that the associated output perturbation mechanism is differentially private. Motivated by the bias calculations in [14] we consider the worst case bias of these nonnegative mechanisms. Boundary inflated truncation is generalized by considering arbitrary post-processing functions; the mechanisms are referred to as post-processed mechanisms. We use the terminology restriction for our generalisation of truncation (bounded) Laplace mechanisms. The most significant contributions in this paper show that bias is inevitable for both of these generalized constructions. We first recall the relevant definitions.
The bias of $\hat{Y}_q$ is given by $E[\hat{Y}_q] - q$ for q ≥ 0. In order to analyse the question of whether some bias is inevitable for nonnegative mechanisms, we use the maximal absolute bias of the family $\{\hat{Y}_q : q \ge 0\}$ which is defined as follows.
Definition 2.1. The maximal absolute bias of $\{\hat{Y}_q : q \ge 0\}$ is given by
3. Bias and nonnegative/positive mechanisms. In this section we briefly recall the core ideas of truncation and boundary inflated truncation from [14], suitably adapted for nonnegative queries. We also discuss a multiplicative mechanism from [13] which was introduced for strictly positive queries. Boundary inflated truncation works by post-processing [5] with the standard (deterministic) ramp function For Laplace random variables $\{Y_q = q + L_b : q \ge 0\}$ with $b \ge \Delta/\varepsilon$, the mechanism corresponding to $\hat{Y}_q = \tau(Y_q)$ is ε-differentially private as τ is measurable [10,5].
It is a relatively straightforward calculation (and a limiting case of results in [14]) that the expectation of the random variable $\hat{Y}_q = \tau(Y_q)$ is given by Thus the bias of $\hat{Y}_q$ is $\frac{b}{2} e^{-q/b}$ and the maximal absolute bias is $\frac{b}{2}$. By viewing boundary inflated truncation as post-processing with τ, we can consider alternative functions which may give improved performance. We see that this is indeed possible in the next section.
Remark: Note that for ε-differential privacy, we should take $b = \Delta/\varepsilon$; the bias of

Truncation/Restriction
Our adaptation of truncated, or (as they are referred to in [9]) bounded, Laplace mechanisms in [14,9] relies on the following simple result. The proof of this is essentially identical to that used in the construction of the exponential mechanism [17]; we include it here in the interests of completeness.
Proposition 2. Let $X_{Q,d}$ : Ω → R be an ε-differentially private mechanism for the query Q : D → [0, ∞). If the family of measurable mappings $\hat{X}_{Q,d}$ : for all d ∈ D and all measurable subsets
Proof. Let d ∼ d′ be given and let A ⊆ [0, ∞) be measurable. Then as $X_{Q,d}$ is ε-differentially private: Combining the two above inequalities we see that
If we start from a Laplace mechanism defined by the random variables $Y_q = q + L_b$, q ≥ 0, $b \ge \Delta/\varepsilon$, the random variables defining the associated restricted mechanism satisfy for Borel sets A ⊆ [0, ∞) and q ≥ 0. It is reasonably straightforward to use this equation to obtain an expression for the distribution function and pdf of $\hat{Y}_q$. Using these, we can show that: The bias of $\hat{Y}_q$ satisfying (8) is given by In order to compare mechanisms with the same guaranteed level of differential privacy, for the post-processed mechanism, we take the scale parameter $b = \Delta/\varepsilon$, while for the restricted Laplace mechanism, we should take $b = 2\Delta/\varepsilon$. Consider the ratio between B 1 = ∆ 2ε e (the bias of the restricted mechanism). After some algebraic manipulation, we find that: This simple calculation shows that post-processing leads to a bias that is always strictly less than that caused by restriction for the Laplace mechanism.

Positivity and Log-Laplace Random Variables
An alternative approach to constructing positive mechanisms was previously studied in [13] in order to release models of control systems in a differentially private manner. To preserve the stability properties of the system, the mechanisms should not change the sign of certain key parameters. Multiplicative mechanisms based on the log-Laplace distribution are introduced; these can be applied provided the queries and adjacency relation considered satisfy certain technical assumptions. We note here that these mechanisms are not appropriate for the general setting we consider. We first recall the key aspects of the setup in [13]. Q : D → (0, ∞) is a positive valued query. It is assumed that there is some K > 0 such that for all d ∼ d′: This then implies that the query log(Q) : D → R will have sensitivity bounded above by K. Hence the mechanism $X_{Q,d} = \log(Q(d)) + L_b$ is ε-differentially private where $L_b$ is a Laplace random variable with mean 0 and $b = K/\varepsilon$. It follows that the post-processed, positive mechanism is also ε-differentially private.
There are several issues with using this approach for the more general setting considered here.
• From the form of (10) queries cannot take the value 0.
• Even when the query is strictly positive, the bound K may be significantly larger than the sensitivity of the query itself, leading to noisier mechanisms. In fact, it may not be possible to obtain a finite bound K. To see this, take $D = (0, 1]^n$ and Q : D → (0, 1] given by the mean $Q(d) = \frac{1}{n}\sum_{i=1}^{n} d_i$. The sensitivity of Q is $\frac{1}{n}$. On the other hand, set d = (γ, γ, . . . , γ) and d′ = (1, γ, γ, . . . , γ) and consider the standard adjacency relation given by By choosing γ sufficiently small, we see that there is no finite K for which (10) will be satisfied in this case.
• Following on from the last point, the next result illustrates that even if the query Q satisfies (10) for some finite K > 0, the multiplicative mechanism will fail to have finite expectation unless K satisfies additional restrictions leading to infinite bias.
The integral above is finite if and only if b < 1. The result follows immediately.
Remark: The previous result shows that even for queries satisfying (10), the multiplicative mechanism will have an infinite bias if K > ε. An identical calculation shows that $\hat{X}_{Q,d}$ will have finite variance if and only if $K < \varepsilon/2$. From a practical viewpoint, these simple observations mean that for a given query satisfying (10), it is only possible to design ε-differentially private mechanisms with finite mean and variance for values of ε > 2K. This is in marked contrast to mechanisms obtained by post-processing and restriction.

4. Optimising bias over translated ramp functions. Consider again a Laplace random variable $L_b$ with mean 0 and scale parameter b > 0. Let $Y_q = q + L_b$ for q ≥ 0. For α ≥ 0, consider the translated ramp function $\tau_\alpha(x) = \tau(x - \alpha)$. For q ≥ 0, the expected value of the post-processed random variable $\tau_\alpha(Y_q)$ is given by We know that for α = 0, corresponding to the standard ramp function, the . This also means that the maximal absolute bias of the family $\{\tau(Y_q) : q \ge 0\}$ is $\frac{b}{2}$. It is readily verified that the derivative of G with respect to α is given by $G'(\alpha) = -\frac{1}{2b}\int_{\alpha}^{\infty} e^{-|x-q|/b}\,dx < 0$. Thus for any fixed q, G(α) is a decreasing function of α. Moreover, for every q, the bias of $\tau(Y_q)$ is strictly positive, meaning that G(0) > 0. These observations suggest that it may be possible to reduce the bias of $\tau(Y_q)$ by instead considering $\tau_\alpha(Y_q)$ for α > 0.
Remark: As $\alpha^* > 0$, the maximal absolute bias of $\{\tau_{\alpha^*}(Y_q) : q \ge 0\}$, given by $\frac{b}{2} e^{-\alpha^*/b}$, is clearly less than $\frac{b}{2}$ corresponding to the standard ramp function.
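The following Python example is added here and is not code from the paper. It evaluates the bias of the three constructions of Sections 3 and 4 for the Laplace family Y_q = q + L_b: the standard ramp, the translated ramp, and restriction (conditioning on Y_q ≥ 0). The closed forms are derived for this example directly from the Laplace density and checked by numerical integration; the function names, the grid of q values, the search interval [0, b] for the translation and the values ∆ = 1, ε = 0.5 are assumptions of the example.

```python
import math

def ramp_bias(q, b, alpha=0.0):
    """Bias E[tau_alpha(Y_q)] - q for Y_q = q + L_b, with q >= 0 and alpha >= 0.

    Uses E[max(0, m + L_b)] = max(m, 0) + (b/2) * exp(-|m|/b) with m = q - alpha,
    rearranged so that no large terms cancel.
    """
    return 0.5 * b * math.exp(-abs(q - alpha) / b) - min(q, alpha)

def ramp_mean_numeric(q, b, alpha=0.0, n=200_000):
    """E[tau_alpha(Y_q)] by midpoint integration, as a check on the closed form."""
    lo, hi = alpha, max(q, alpha) + 40.0 * b   # mass beyond 40 scale units is negligible
    h = (hi - lo) / n
    total = 0.0
    for i in range(n):
        x = lo + (i + 0.5) * h
        total += (x - alpha) * math.exp(-abs(x - q) / b) / (2.0 * b)
    return total * h

def restricted_bias(q, b):
    """Bias of Y_q conditioned on Y_q >= 0 (truncation by rejection sampling), q >= 0.

    E[Y_q | Y_q >= 0] = E[tau(Y_q)] / P(Y_q >= 0), and P(Y_q < 0) = exp(-q/b) / 2.
    """
    tail = 0.5 * math.exp(-q / b)              # P(Y_q < 0)
    return (ramp_bias(q, b) + q * tail) / (1.0 - tail)

def worst_case_bias(alpha, b, q_grid):
    """Largest |bias| of tau_alpha over the grid of true query values."""
    return max(abs(ramp_bias(q, b, alpha)) for q in q_grid)

def best_alpha(b, q_grid, iters=80):
    """Ternary search on [0, b] for the translation with the smallest worst-case bias.

    Assumes the worst-case bias is unimodal in alpha on this interval.
    """
    lo, hi = 0.0, b
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3.0, hi - (hi - lo) / 3.0
        if worst_case_bias(m1, b, q_grid) < worst_case_bias(m2, b, q_grid):
            hi = m2
        else:
            lo = m1
    return 0.5 * (lo + hi)

def compare(delta, eps, q_grid):
    """(q, post-processed bias at b = delta/eps, restricted bias at b = 2*delta/eps)."""
    return [(q, ramp_bias(q, delta / eps), restricted_bias(q, 2.0 * delta / eps))
            for q in q_grid]

if __name__ == "__main__":
    delta, eps = 1.0, 0.5                      # constructed example values
    b = delta / eps
    grid = [0.05 * b * i for i in range(801)]  # q from 0 to 40*b
    a = best_alpha(b, grid)
    print(f"ramp:            worst-case bias {worst_case_bias(0.0, b, grid):.4f}")
    print(f"translated ramp: alpha = {a:.4f}, "
          f"worst-case bias {worst_case_bias(a, b, grid):.4f}")
    for q, post, restr in compare(delta, eps, grid)[::200]:
        print(f"q = {q:5.1f}  post-processed {post:.3e}  restricted {restr:.3e}")
```

The search returns a translation whose worst-case bias agrees with the expression in the Remark above, and the comparison shows the post-processed bias below the restricted bias at every grid point, as stated in Section 3.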

5. Bias is inevitable for post-processing and restriction. In Section 3, we noted that the maximal absolute bias of nonnegative mechanisms constructed by either restriction or post-processing with the ramp function is strictly positive. In this section, we prove that this is a fundamental property of any post-processed, nonnegative Laplace mechanism and any nonnegative restricted mechanism (irrespective of what the original mechanism is).

5.1. Bias and post-processed Laplace mechanisms. We first consider the maximal absolute bias for post-processed Laplace mechanisms. Throughout this subsection, $\{Y_q : q \ge 0\}$ is a set of Laplace random variables with scale parameter b > 0; each $Y_q$ has the pdf given by (2). Let φ : R → [0, ∞) be a measurable function and define the post-processed family $\hat{Y}_{\varphi,q}$ by $\hat{Y}_{\varphi,q} = \varphi(Y_q)$ for q ≥ 0. In order to ensure that each $\hat{Y}_{\varphi,q}$, q ≥ 0, has finite first and second moments, we consider post-processing functions in the Hilbert space $V = L^2(e^{-|x|/b}\,dx)$: The cone of nonnegative valued functions φ in V is denoted by $V_+$. It is straightfor- In the following lemma we note that given $\varphi \in V_+$, the first and second moments of $\hat{Y}_{\varphi,q}$ are finite for all q ≥ 0.
Lemma 5.1. Let $\varphi \in V_+$ be given. Then for any q ≥ 0: for p = 1, 2. The result now follows from a simple application of the triangle inequality as
We now consider the mapping from V into R which takes a function φ to the maximal absolute bias given by (3). Formally, for φ ∈ V : The following result establishes that B(φ) > 0 for any $\varphi \in V_+$.
Proof. Consider q = 0. Then as $\varphi \in V_+$ and $f_0(x) > 0$ for all x, it follows that unless φ = 0 almost everywhere. If φ is not zero a.e., it follows immediately that On the other hand, if φ = 0 a.e. then for all q ≥ 0 which means that B(φ) = ∞ in this case.
Remark: The last result shows that the maximal absolute bias, B(φ), of any post-processed Laplace mechanism (with finite first and second moments) must be positive. In the next result, we establish the stronger fact that the maximal absolute bias of such mechanisms is bounded away from zero; formally $\inf\{B(\varphi) : \varphi \in V_+\} > 0$.
Proposition 5. Let B(φ) be given by (12) for $\varphi \in V_+$. Then
Proof. We argue by contradiction. If the infimum was equal to 0, there would exist some sequence of functions $\varphi_n$ in $V_+$ such that $B(\varphi_n) < \frac{1}{n}$ for all n. From the definition of B(φ), this would mean that for all q ∈ [0, ∞) and all n ≥ 0, For q = 0 this implies that for all n, This implies that for all q ∈ [0, ∞), n ≥ 0: n .
We can now use this and $\varphi_n \in V_+$ to conclude that for all q, n: n .
This clearly contradicts (13) as together they would imply that for all q, n, $q < \frac{1}{n}(e^{q/b} + 1)$, which is impossible.

5.2. Bias and restricted mechanisms. We now consider the maximal absolute bias of general restricted mechanisms. Let a family of continuous real-valued random variables $\{Y_q : q \ge 0\}$ with associated pdfs $f_q$, q ≥ 0 be given. We make the following assumptions for all q ≥ 0: Thus, we are assuming that the base mechanism is unbiased and has range given by R.
Let $\hat{Y}_q$ denote the restricted family of nonnegative random variables satisfying (8).
We will show that for $\hat{Y}_q$, the maximal bias given by (3) also satisfies B > 0. The proof of this makes use of the standard coupling technique from probability theory (see Section 4.12 of [7]) to construct a common space $\Omega_1$ on which $\hat{Y}_q$ and a copy of $Y_q$ can be defined for all q ≥ 0.
Proposition 6. Let a family of random variables $\{Y_q : q \ge 0\}$ satisfying (14), (15) and a restricted family $\hat{Y}_q$ satisfying (8) be given. Then the maximal absolute bias B given by (3) satisfies B > 0.
Proof. For q ≥ 0, let $F_q$ denote the cumulative distribution function of $Y_q$ and $F_q^R$ the cdf of $\hat{Y}_q$. As $\hat{Y}_q$ takes values in [0, ∞), $F_q^R(t) = 0$ for t < 0. Moreover, it follows from (8) that for t ≥ 0: We now show that $F_q^R(t) < F_q(t)$ for all t ∈ R. This is trivially true for t < 0. For t ≥ 0, As $f_q(x) > 0$ for all x in R, it follows that $F_q(t) < 1$ for all t ∈ R and $F_q(0) < 1$. This immediately implies that $F_q^R(t) < F_q(t)$ for t ≥ 0 also. Therefore, the restricted mechanism $\hat{Y}_q$ stochastically dominates $Y_q$ [7] for all q ≥ 0. This means that we can construct a probability space $(\Omega_1, F_1, P_1)$ and random variables $\hat{Y}^1_q$, $Y^1_q$ for q ≥ 0 such that
1. $\hat{Y}^1_q$ has the same distribution (cdf) as $\hat{Y}_q$ and $Y^1_q$ has the same distribution as $Y_q$ for all q ≥ 0;
2. $\hat{Y}^1_q(\omega) \ge Y^1_q(\omega)$ for all q ≥ 0 and all $\omega \in \Omega_1$.
We make a slight adaptation of a standard construction in order to strengthen statement 2 slightly and prove that $\hat{Y}^1_q$ has strictly positive bias. We set $\Omega_1 = [0, 1]$, take $F_1$ to be the Borel subsets of [0, 1], and define $P_1$ to be the Lebesgue measure on [0, 1]. For q ≥ 0, we define random variables $\hat{Y}^1_q$, $Y^1_q$ on $\Omega_1$ by setting: As each of the cdfs, $F_q^R$, $F_q$ for q ≥ 0 is continuous and non-decreasing, it is not difficult to see that for t ∈ R, $\hat{Y}^1_q(\omega) \le t \Leftrightarrow \omega \le F_q^R(t)$, and $Y^1_q(\omega) \le t \Leftrightarrow \omega \le F_q(t)$. These two facts imply that It follows immediately that as $\hat{Y}^1_q$ has the same distribution as $\hat{Y}_q$, Furthermore, as $F_q^R(t) < F_q(t)$ for all t ∈ R, $\hat{Y}^1_q(\omega) \ge Y^1_q(\omega)$ for all ω ∈ [0, 1]. We next show that for every q ≥ 0, there exists some subset $S_q$ of (0, 1) of positive measure with the property that As $F_q(t) = \int_{-\infty}^{t} f_q(x)\,dx$ with $f_q(x) > 0$ for x ∈ (−∞, ∞) by assumption, it follows that we can choose K > 0 and α > 0 such that $F_q(-K) = \alpha$. This immediately implies that $Y^1_q(\omega) \le -K$ for ω ∈ (0, α).
Moreover, by construction $\hat{Y}^1_q(\omega) \ge 0$ for all ω ∈ (0, 1) and hence taking $S_q = (0, \alpha)$, we have that $\hat{Y}^1_q(\omega) - Y^1_q(\omega) \ge K$, $\forall \omega \in S_q$. It now follows immediately that: Here $S_q^c = \Omega_1 \setminus S_q$. The argument above shows that, for any q ≥ 0, $E[\hat{Y}_q] > E[Y_q] = q$ and hence the maximal absolute bias B satisfies: $B = \sup\{|E[\hat{Y}_q] - q| : q \ge 0\} > 0$.
6. Conclusions and Discussion. An advantage of viewing boundary inflated truncation (to use the terminology of [14]) as post-processing with the ramp function, τ, is that this opens up the possibility of using alternative post-processing functions in order to reduce bias for nonnegative, post-processed mechanisms. The results presented in Section 4 show that this is indeed possible even by using simple translations of the ramp function. We have given an explicit characterisation of the optimal post-processing function within this class of functions. The work of Section 5 proves that the maximum absolute bias of any nonnegative post-processed mechanism must be strictly positive. We have also derived a corresponding result for restricted mechanisms constructed from any initial mechanism.
The results here suggest a number of directions for future work. The result of Proposition 5 shows that the worst case bias of any nonnegative post-processed Laplace mechanism is positive. This means that the infimal or minimal value over all post-processing functions is positive. An interesting problem is to quantitatively characterise this infimum and determine whether it is attained by some post-processing function (in essence, derive a theorem guaranteeing the existence of a minimiser). If such a function exists, providing an explicit, or implicit, characterisation of it would also be interesting, both practically and theoretically. The more general question of characterising the optimal mechanism for nonnegative queries is a natural extension of this line of work. Corresponding questions for the restriction-based mechanisms can also be investigated.