Abstract: A method is provided for a device participating in a data aggregation service. The device receives, from at least one requesting server, a participant homomorphic encryption key, and a request for data to perform a computation. The device encrypts requested data, including a location identifier, with the participant homomorphic encryption key, and sends, to an aggregation service, the encrypted requested data.

Abstract: A method is provided for a device participating in a data aggregation service. The device receives, from at least one requesting server, a participant homomorphic encryption key, and a request for data to perform a computation. The device encrypts requested data, including a location identifier, with the participant homomorphic encryption key, and sends, to an aggregation service, the encrypted requested data.

Abstract: Systems and methods are disclosed for determining whether a message received by a client may be spam, in a computing environment that preserves privacy. The message may be encrypted. A client invokes the methods when a message is received from a sender that is not known to the client. A client can decrypt the message, break the message into chunks, and apply a differentially private algorithm to the set of chunks. The client transmits the differentially private message sketches to an aggregation server. The aggregation server receives a large collection of such message sketches for a large plurality of clients. The aggregation server returns aggregated message chunk (e.g. frequency) information to the client to assist the client in determining whether the message may be spam. The client can process the message based on the determination without disclosing the message content to the server.

Abstract: Systems and methods are disclosed for determining whether a message received by a client may be spam, in a computing environment that preserves privacy. The message may be encrypted. A client invokes the methods when a message is received from a sender that is not known to the client. A client can decrypt the message, break the message into chunks, and apply a differentially private algorithm to the set of chunks. The client transmits the differentially private message sketches to an aggregation server. The aggregation server receives a large collection of such message sketches for a large plurality of clients. The aggregation server returns aggregated message chunk (e.g. frequency) information to the client to assist the client in determining whether the message may be spam. The client can process the message based on the determination without disclosing the message content to the server.

Abstract: Techniques for identifying change points in health data are described herein. Health data during a first time sub-window is compared to health data from a second time sub-window. The health data is evaluated with respect to a set of change point criteria to determine that a first change is a first change point in the health data. A notification including information about the change point and information about a second change point is generated.

Abstract: Systems and methods are disclosed for determining whether a message received by a client may be spam, in a computing environment that preserves privacy. The message may be encrypted. A client invokes the methods when a message is received from a sender that is not known to the client. A client can decrypt the message, break the message into chunks, and apply a differentially private algorithm to the set of chunks. The client transmits the differentially private message sketches to an aggregation server. The aggregation server receives a large collection of such message sketches for a large plurality of clients. The aggregation server returns aggregated message chunk (e.g. frequency) information to the client to assist the client in determining whether the message may be spam. The client can process the message based on the determination without disclosing the message content to the server.

Abstract: The subject technology for maintaining differential privacy for database query results receives a query for a database that contains user data. The subject technology determines that the query is permitted for the database based at least in part on a privacy policy associated with the database. The subject technology determines that performing the query will not exceed a query budget for the database. The subject technology, when the query is permitted and performing the query will not exceed the query budget, performs the query on the database and receiving results from the query. The subject technology selects a differential privacy algorithm for the results based at least in part on a query type of the query. The subject technology applies the selected differential privacy algorithm to the results to generate differentially private results. The subject technology provides the differentially private results.

Abstract: A method is provided for a device participating in a data aggregation service. The device receives, from at least one requesting server, a participant homomorphic encryption key, and a request for data to perform a computation. The device encrypts requested data, including a location identifier, with the participant homomorphic encryption key, and sends, to an aggregation service, the encrypted requested data.

Abstract: A user device can verify a user's identity to a server while protecting user privacy by not sharing personal data with any other device. To ensure user privacy, the user device performs an enrollment process in which the user performs an action sequence. The user device collects action data from the action sequence and uses the action data locally to generate a set of public/private key pairs (or other representation) from which information about the action sequence cannot be extracted. The public keys, but not the underlying action data, are sent to a server to store. To verify user identity, a user device can repeat the collection of action data and the generation of the key pairs. If the device can prove to the server its possession of the private keys to a sufficient degree, the user's identity can be verified.

Abstract: The subject technology for maintaining differential privacy for database query results receives a query for a database that contains user data. The subject technology determines that the query is permitted for the database based at least in part on a privacy policy associated with the database. The subject technology determines that performing the query will not exceed a query budget for the database. The subject technology, when the query is permitted and performing the query will not exceed the query budget, performs the query on the database and receiving results from the query. The subject technology selects a differential privacy algorithm for the results based at least in part on a query type of the query. The subject technology applies the selected differential privacy algorithm to the results to generate differentially private results. The subject technology provides the differentially private results.

Abstract: The subject technology for maintaining differential privacy for database query results receives a query for a database that contains user data. The subject technology determines that the query is permitted for the database based at least in part on a privacy policy associated with the database. The subject technology determines that performing the query will not exceed a query budget for the database. The subject technology, when the query is permitted and performing the query will not exceed the query budget, performs the query on the database and receiving results from the query. The subject technology selects a differential privacy algorithm for the results based at least in part on a query type of the query. The subject technology applies the selected differential privacy algorithm to the results to generate differentially private results. The subject technology provides the differentially private results.

Abstract: A user device can verify a user's identity to a server while protecting user privacy by not sharing any personal data with any other device. To ensure user privacy and to allow multiple independent enrollments, the user device performs an enrollment process in which the user device locally collects and uses biometric data together with a random salt to generate a set of public/private key pairs from which biometric information cannot be extracted. The public keys and the salt, but not the biometric data, are sent to a server to store. To verify user identity, a user device can repeat the collection of biometric data from the user and the generation of public/private key pairs using the salt obtained from the server. If the device can prove to the server its possession of at least a minimum number of correct private keys, the user's identity can be verified.

Abstract: Systems and methods are described for rate-limiting a message-sending client interacting with a message service based on dynamically calculated risk assessments of the probability that the client is, or is not, a sender of a spam messages. The message service sends a proof of work problem to a sending client device with a difficulty level that is related to a risk assessment that the client is a sender of spam messages. The message system limits the rate at which a known or suspected spammer can send messages by giving the known or suspected spammer client harder proof of work problems to solve, while minimizing the burden on normal users of the message system by given them easier proof of work problems to solve that can typically be solved by the client within the time that it takes to type a message.

Abstract: Systems and methods are described for rate-limiting a message-sending client interacting with a message service based on dynamically calculated risk assessments of the probability that the client is, or is not, a sender of a spam messages. The message service sends a proof of work problem to a sending client device with a difficulty level that is related to a risk assessment that the client is a sender of spam messages. The message system limits the rate at which a known or suspected spammer can send messages by giving the known or suspected spammer client harder proof of work problems to solve, while minimizing the burden on normal users of the message system by given them easier proof of work problems to solve that can typically be solved by the client within the time that it takes to type a message.