Differential privacy offers a formal framework for reasoning about the privacy and accuracy of computations on private data. It also offers a rich set of building blocks for constructing private data analyses. When carefully calibrated, these analyses simultaneously guarantee the privacy of the individuals contributing their data, and the accuracy of the data analysis results, inferring useful properties about the population. The compositional nature of differential privacy has motivated the design and implementation of several programming languages to ease the implementation of differentially private analyses. Even though these programming languages provide support for reasoning about privacy, most of them disregard reasoning about the accuracy of data analyses. To overcome this limitation, we present DPella, a programming framework providing data analysts with support for reasoning about privacy, accuracy, and their trade-offs. The distinguishing feature of DPella is a novel component that statically tracks the accuracy of different data analyses. To provide tight accuracy estimations, this component leverages taint analysis for automatically inferring statistical independence of the different noise quantities added for guaranteeing privacy. We evaluate our approach by implementing several classical queries from the literature and showing how data analysts can calibrate the privacy parameters to meet the accuracy requirements, and vice versa.

中文翻译：

---

具有准确性估计的数据隐私编程语言

差分隐私提供了一个正式的框架，用于推理私有数据计算的隐私和准确性。它还提供了一组丰富的构建块，用于构建私有数据分析。经过仔细校准后，这些分析同时保证了提供数据的个人的隐私，以及数据分析结果的准确性，从而推断出关于人口的有用属性。差分隐私的组合性质推动了几种编程语言的设计和实现，以简化差分隐私分析的实现。尽管这些编程语言提供了对隐私推理的支持，但它们中的大多数都忽略了对数据分析准确性的推理。为了克服这个限制，我们提出了 DPella，一个编程框架，为数据分析师提供关于隐私、准确性及其权衡的推理支持。DPella 的显着特点是一个新颖的组件，可以静态跟踪不同数据分析的准确性。为了提供严格的准确度估计，该组件利用污点分析自动推断统计独立性为保证隐私而添加的不同噪声量。我们通过实施文献中的几个经典查询来评估我们的方法，并展示数据分析师如何校准隐私参数以满足准确性要求，反之亦然。