Share on Facebook Tweet on Twitter Share on LinkedIn Share by email
Data Collection with Self-Enforcing Privacy

Philippe Golle, Frank McSherry, and Ilya Mironov


Consider a pollster who wishes to collect private, sensitive data from a number of distrustful individuals. How might the pollster convince the respondents that it is trustworthy? Alternately, what mechanism could the respondents insist upon to ensure that mismanagement of their data is detectable and publicly demonstrable?

We detail this problem, and provide simple data submission protocols with the properties that a) leakage of private data by the pollster results in evidence of the transgression and b) the evidence cannot be fabricated without breaking cryptographic assumptions. With such guarantees, a responsible pollster could post a “privacy-bond,” forfeited to anyone who can provide evidence of leakage. The respondents are assured that appropriate penalties are applied to a leaky pollster, while the protection from spurious indictment ensures that any honest pollster has no disincentive to participate in such a scheme.


Publication typeArticle
Published inACM Trans. Inf. Syst. Secur.

Previous versions

Philippe Golle, Frank McSherry, and Ilya Mironov. Data Collection With Self-Enforcing Privacy, ACM, October 2006.

> Publications > Data Collection with Self-Enforcing Privacy