Abstract: A secure enclave may be used to satisfy privacy requirements and audit requirements. Code may be loaded into the secure enclave. The code may generate a predefined report based on data and added noise. The pre-defined report may be subject to audit requirements. The data may be subject to the privacy requirements. The secure enclave may generate an encryption key and a decryption key based on the code. Only the secure enclave may have access to the decryption key. And the secure enclave may allow only a verified copy of the code to access the decryption key. With the added noise, the report may satisfy a pre-defined differential privacy guarantee. Encrypting the code and ensuring that the report satisfies the differential privacy guarantee may satisfy the privacy requirements. Retaining the report, the code, the secure enclave, and the encrypted data may satisfy the audit requirements.

Abstract: A secure enclave may be used to satisfy privacy requirements and audit requirements. Code may be loaded into the secure enclave. The code may generate a predefined report based on data and added noise. The pre-defined report may be subject to audit requirements. The data may be subject to the privacy requirements. The secure enclave may generate an encryption key and a decryption key based on the code. Only the secure enclave may have access to the decryption key. And the secure enclave may allow only a verified copy of the code to access the decryption key. With the added noise, the report may satisfy a pre-defined differential privacy guarantee. Encrypting the code and ensuring that the report satisfies the differential privacy guarantee may satisfy the privacy requirements. Retaining the report, the code, the secure enclave, and the encrypted data may satisfy the audit requirements.

Abstract: A secure enclave may be used to satisfy privacy requirements and audit requirements. Code may be loaded into the secure enclave. The code may generate a predefined report based on data and added noise. The pre-defined report may be subject to audit requirements. The data may be subject to the privacy requirements. The secure enclave may generate an encryption key and a decryption key based on the code. Only the secure enclave may have access to the decryption key. And the secure enclave may allow only a verified copy of the code to access the decryption key. With the added noise, the report may satisfy a pre-defined differential privacy guarantee. Encrypting the code and ensuring that the report satisfies the differential privacy guarantee may satisfy the privacy requirements. Retaining the report, the code, the secure enclave, and the encrypted data may satisfy the audit requirements.

Abstract: This document relates to hardware protection of differential privacy techniques. One example obtains multiple instances of encrypted telemetry data within a secure enclave and processes the encrypted telemetry data to obtain multiple instances of unencrypted telemetry data. The example also processes, within the secure enclave, the multiple instances of unencrypted telemetry data to obtain a perturbed aggregate. The example also releases the perturbed aggregate from the secure enclave.

Abstract: Methods, systems, apparatuses, and computer-readable storage medium are described herein for remotely analyzing testing results based on LDP-based data obtained from client devices in order to determine an effect of a software application with respect to its features and/or the population in which the application is tested. The analysis is based on a series of statistical computations for conducting hypothesis tests to compare population means, while ensuring LDP for each user. For example, an LDP scheme is used on the client-side that privatizes a measured value corresponding to a usage of a resource of the client. A data collector receives the privatized data from two sets of populations. Each population's clients have a software application that may differ in terms of features or user group. The privatized data received from each population is analyzed to determine an effect of the difference between the software applications of the different populations.

Abstract: Methods, systems, apparatuses, and computer-readable storage medium are described herein for remotely analyzing testing results based on LDP-based data obtained from client devices in order to determine an effect of a software application with respect to its features and/or the population in which the application is tested. The analysis is based on a series of statistical computations for conducting hypothesis tests to compare population means, while ensuring LDP for each user. For example, an LDP scheme is used on the client-side that privatizes a measured value corresponding to a usage of a resource of the client. A data collector receives the privatized data from two sets of populations. Each population's clients have a software application that may differ in terms of features or user group. The privatized data received from each population is analyzed to determine an effect of the difference between the software applications of the different populations.

Abstract: This document relates to hardware protection of differential privacy techniques. One example obtains multiple instances of encrypted telemetry data within a secure enclave and processes the encrypted telemetry data to obtain multiple instances of unencrypted telemetry data. The example also processes, within the secure enclave, the multiple instances of unencrypted telemetry data to obtain a perturbed aggregate. The example also releases the perturbed aggregate from the secure enclave.