# Anonymization Primitives aka Diffix Toolbox

This notebook will showcase current features of the Diffix PostgreSQL extension.

The functionality presented below is the raw interface to Diffix, intended only for people who know what they're doing.
I like to think of it as a "Diffix Level 0" or "Diffix Toolbox".

To run this notebook locally you need `psycopg2`, `ipython-sql`, and of course a PostgreSQL database with the extension installed.

Let's connect to a database that has `pg_diffix` installed.

In [1]:
%load_ext sql
%sql postgresql://edon:secret@localhost:5432/diffixdb
%config SqlMagic.displaycon = False # No connection string in output.
%config SqlMagic.feedback = False   # No Done, rows affected.
# Make sure pg_diffix is installed and loaded.
%sql load 'pg_diffix'
print('Connected to database.')

Connected to database.


## Setting up the dataset

Let's create a table `purchases` with some columns.

In [2]:
%%sql
DROP TABLE IF EXISTS purchases;
CREATE TABLE purchases (
  uid     INTEGER,
  product TEXT,
  brand   TEXT,
  price   FLOAT
);

[]

We'll use this helper function to insert many copies of a row at once.

In [3]:
def insert(how_many, row):
    uid, product, brand, price = row
    for i in range(how_many):
        %sql \
          INSERT INTO purchases (uid, product, brand, price) \
          VALUES (:uid, :product, :brand, :price)

Let's insert some data.

In [4]:
# User 1
insert(3, [ 1, 'phone',  'apple',   1000 ])
insert(1, [ 1, 'laptop', 'apple',   2000 ])
insert(1, [ 1, 'chair',  'ikea',      50 ])

# User 2
insert(1, [ 2, 'phone',  'samsung',  600 ])
insert(2, [ 2, 'laptop', 'dell',    1000 ])
insert(1, [ 2, 'chair',  'ikea',      50 ])

# User 3
insert(1, [ 3, 'phone',  'apple',    900 ])
insert(7, [ 3, 'phone',  'samsung',  400 ])
insert(1, [ 3, 'chair',  'ikea',      50 ])

# User 4
insert(2, [ 4, 'phone',  'samsung',  500 ])
insert(1, [ 4, 'laptop', 'hp',      1000 ])
insert(1, [ 4, 'chair',  'ikea',      50 ])

# User 5
insert(1, [ 5, 'phone',  'apple',   1000 ])
insert(1, [ 5, 'laptop', 'hp',      1000 ])
insert(1, [ 5, 'chair',  'ikea',      50 ])
insert(1, [ 5, 'candy',  'milka',      1 ])

# User 6
insert(2, [ 6, 'phone',  'apple',    800 ])
insert(1, [ 6, 'laptop', 'asus',    1000 ])
insert(4, [ 6, 'candy',  'milka',      1 ])
insert(2, [ 6, 'candy',  'kitkat',     1 ])
insert(1, [ 6, 'candy',  'snickers',   1 ])
insert(2, [ 6, 'candy',  'mars',       1 ])
insert(1, [ 6, 'candy',  'm&m',        1 ])

# User 7
insert(1, [ 7, 'phone',  'samsung',  500 ])
insert(1, [ 7, 'laptop', 'hp',      1000 ])
insert(1, [ 7, 'chair',  'ikea',      50 ])
insert(1, [ 7, 'rocket', 'spacex',   1e9 ])

print('Done')

Done


Let's get an overview of products and how many times they have been purchased.
No anonymization yet - these are regular counts.

In [5]:
%%sql
SELECT product, count(*) as sales, count(distinct uid) as unique_buyers
FROM purchases
GROUP BY product

product,sales,unique_buyers
candy,11,2
chair,6,6
laptop,7,6
phone,18,7
rocket,1,1


We notice that some products have few unique buyers.
Our goal is to protect their identity by applying anonymizing aggregates.

The anonymizing version of the `count()` aggregate is `diffix_count()`.

`diffix_x()` aggregates accept the AID as their first argument, followed by other possible arguments.

In this case, `count(*)` becomes `diffix_count(uid)` and an aggregate such as `count(price)` becomes `diffix_count(uid, price)`.

Let's see it in action.

In [6]:
%%sql
SELECT product, count(*) as true_count, diffix_count(uid)
FROM purchases
GROUP BY product

product,true_count,diffix_count
laptop,7,7
chair,6,5
phone,18,12
candy,11,3
rocket,1,2


Some results are lower than their real count. Let's find out why that happened.

`diffix_x()` functions include an `explain_diffix_x()` helper for debugging.

In [7]:
%%sql
SELECT product, explain_diffix_count(uid)
FROM purchases
GROUP BY product

product,explain_diffix_count
laptop,"uniq=6, seed=e02c556f5e0f top=[2➔2, 1➔1 | 4➔1, 5➔1, 6➔1, 7➔1] true=7, flat=6, final=7"
chair,"uniq=6, seed=d6ce455f4e08 top=[1➔1, 2➔1 | 3➔1, 4➔1, 5➔1, 7➔1] true=6, flat=6, final=5"
phone,"uniq=7, seed=c33a827d3c7e top=[3➔8, 1➔3 | 4➔2, 6➔2, 2➔1, 5➔1, 7➔1] true=18, flat=10, final=12"
candy,"uniq=2, seed=f7f7a7d92a5a top=[6➔10 | 5➔1] true=11, flat=2, final=3"
rocket,"uniq=1, seed=842059fe8157 top=[7➔1] true=1, flat=0, final=2"


We see that some rows have too few AIDs (`candy`, `rocket`) or they have individuals with large contributions (`phone`).

We should filter out rows that have too few AIDs from the result set.
We do that by using the `diffix_lcf(aid)` aggregate.

In [8]:
%%sql
SELECT product, diffix_count(uid)
FROM purchases
GROUP BY product
HAVING diffix_lcf(uid)

product,diffix_count
laptop,7
chair,5
phone,12


Rows `candy` and `rocket` are gone.

How does `diffix_lcf` work? Let's see.

In [9]:
%%sql
SELECT product, explain_diffix_lcf(uid)
FROM purchases
GROUP BY product

product,explain_diffix_lcf
laptop,"uniq=6, seed=fbd63230ac41 thresh=4, pass=true"
chair,"uniq=6, seed=630013b163d5 thresh=5, pass=true"
phone,"uniq=7, seed=9e8c7f3f93c7 thresh=4, pass=true"
candy,"uniq=2, seed=ebb4a2ec3ca5 thresh=5, pass=false"
rocket,"uniq=1, seed=bff99cd5977f thresh=5, pass=false"


Great! By using `diffix_count` and `diffix_lcf` have achieved our basic goal of anonymizing the count and hiding underrepresented buckets.

Let's check out how many buckets have been suppressed in the process.


In [10]:
%%sql
SELECT count(*) as suppressed
FROM (
    SELECT product, diffix_lcf(uid) as passes_lcf
    FROM purchases
    GROUP BY product
) x
WHERE not x.passes_lcf

suppressed
2


Let's try something else. Let's find out from what brands our products are sold from.

In [11]:
%%sql
SELECT product, string_agg(DISTINCT brand, ', ') as brands
FROM purchases
GROUP BY product

product,brands
candy,"kitkat, mars, milka, m&m, snickers"
chair,ikea
laptop,"apple, asus, dell, hp"
phone,"apple, samsung"
rocket,spacex


Some products have few brands. We'll try to apply anonymization with the goal of protecting the brands' identity. In this case we'll use `brand` as the AID.

In [12]:
%%sql
SELECT product, diffix_count(brand)
FROM purchases
GROUP BY product

product,diffix_count
laptop,4
chair,2
phone,2
candy,9
rocket,2


The result is different from the `uid` anonymized count we had earlier.

Let's compare the results and see what happened.

In [13]:
%%sql
SELECT product,
       count(*)            as true_count,
       diffix_count(uid)   as by_uid,
       diffix_count(brand) as by_brand
FROM purchases
GROUP BY product

product,true_count,by_uid,by_brand
laptop,7,7,4
chair,6,5,2
phone,18,12,2
candy,11,3,9
rocket,1,2,2


In [14]:
%%sql
SELECT product, 
       explain_diffix_count(uid)   as by_uid,
       explain_diffix_count(brand) as by_brand
FROM purchases
GROUP BY product

product,by_uid,by_brand
laptop,"uniq=6, seed=e02c556f5e0f top=[2➔2, 1➔1 | 4➔1, 5➔1, 6➔1, 7➔1] true=7, flat=6, final=7","uniq=4, seed=097d1f3ed09b top=[hp➔3, dell➔2 | apple➔1, asus➔1] true=7, flat=4, final=4"
chair,"uniq=6, seed=d6ce455f4e08 top=[1➔1, 2➔1 | 3➔1, 4➔1, 5➔1, 7➔1] true=6, flat=6, final=5","uniq=1, seed=741a3c802039 top=[ikea➔6] true=6, flat=0, final=2"
phone,"uniq=7, seed=c33a827d3c7e top=[3➔8, 1➔3 | 4➔2, 6➔2, 2➔1, 5➔1, 7➔1] true=18, flat=10, final=12","uniq=2, seed=9c4771a1c67f top=[samsung➔11, apple➔7 | ] true=18, flat=0, final=2"
candy,"uniq=2, seed=f7f7a7d92a5a top=[6➔10 | 5➔1] true=11, flat=2, final=3","uniq=5, seed=ccbd9692e7da top=[milka➔5 | kitkat➔2, mars➔2, snickers➔1, m&m➔1] true=11, flat=8, final=9"
rocket,"uniq=1, seed=842059fe8157 top=[7➔1] true=1, flat=0, final=2","uniq=1, seed=c8d7aed4b124 top=[spacex➔1 | ] true=1, flat=0, final=2"


Let's see what we get if we also include the overall count.

In [15]:
%%sql
SELECT product, 
       explain_diffix_count(uid)   as by_uid,
       explain_diffix_count(brand) as by_brand
FROM purchases
GROUP BY GROUPING SETS (
    (product),
    ()
)

product,by_uid,by_brand
,"uniq=7, seed=c33a827d3c7e top=[6➔13, 3➔9 | 1➔5, 2➔4, 4➔4, 5➔4, 7➔4] true=43, flat=29, final=31","uniq=12, seed=6f888ae1c421 top=[samsung➔11 | apple➔8, ikea➔6, milka➔5, hp➔3, dell➔2] true=43, flat=37, final=37"
laptop,"uniq=6, seed=e02c556f5e0f top=[2➔2, 1➔1 | 4➔1, 5➔1, 6➔1, 7➔1] true=7, flat=6, final=7","uniq=4, seed=097d1f3ed09b top=[hp➔3, dell➔2 | apple➔1, asus➔1] true=7, flat=4, final=4"
chair,"uniq=6, seed=d6ce455f4e08 top=[1➔1, 2➔1 | 3➔1, 4➔1, 5➔1, 7➔1] true=6, flat=6, final=5","uniq=1, seed=741a3c802039 top=[ikea➔6] true=6, flat=0, final=2"
phone,"uniq=7, seed=c33a827d3c7e top=[3➔8, 1➔3 | 4➔2, 6➔2, 2➔1, 5➔1, 7➔1] true=18, flat=10, final=12","uniq=2, seed=9c4771a1c67f top=[samsung➔11, apple➔7 | ] true=18, flat=0, final=2"
candy,"uniq=2, seed=f7f7a7d92a5a top=[6➔10 | 5➔1] true=11, flat=2, final=3","uniq=5, seed=ccbd9692e7da top=[milka➔5 | kitkat➔2, mars➔2, snickers➔1, m&m➔1] true=11, flat=8, final=9"
rocket,"uniq=1, seed=842059fe8157 top=[7➔1] true=1, flat=0, final=2","uniq=1, seed=c8d7aed4b124 top=[spacex➔1 | ] true=1, flat=0, final=2"


## Choosing an AID

As we just saw, the choice of AID matters.

Considering these are regular aggregates, we could combine them in a primitive attempt to anonymize by both AIDs.

For each bucket, we take the lowest anonymized count and only print those rows that have sufficient unique AIDs of both types.

In [16]:
%%sql
SELECT product, least( diffix_count(uid), diffix_count(brand) ) as anon_count
FROM purchases
GROUP BY product
HAVING diffix_lcf(uid) AND diffix_lcf(brand)

product,anon_count
laptop,4
phone,2


The results are pretty poor. Let's try if we can get something better if we take the overall count.

In [17]:
%%sql
SELECT
  count(*)                                        as true_count,
  least( diffix_count(uid), diffix_count(brand) ) as anon_count
FROM purchases

true_count,anon_count
43,31


That's not too bad!

## Configuring Diffix

Running the same query multiple times returns the same results because we are using pseudorandom sequences derived from AIDs and a base seed.

Let's see our current seed.

In [18]:
%%sql
SHOW pg_diffix.noise_seed

pg_diffix.noise_seed
diffix


Let's compare results when using different seeds.

In [19]:
%%sql
SET pg_diffix.noise_seed = 'some seed';

SELECT explain_diffix_lcf(uid)
FROM purchases;

explain_diffix_lcf
"uniq=7, seed=307da96580c4 thresh=3, pass=true"


In [20]:
%%sql
SET pg_diffix.noise_seed = 'some other seed';

SELECT explain_diffix_lcf(uid)
FROM purchases;

explain_diffix_lcf
"uniq=7, seed=e41c45431789 thresh=4, pass=true"


Let's return it to default value.

In [21]:
%%sql
RESET pg_diffix.noise_seed;
SHOW  pg_diffix.noise_seed;

pg_diffix.noise_seed
diffix


Here are all parameters that we can customize. Only superusers are allowed to modify these.

In [22]:
%%sql
SELECT name, setting, short_desc FROM pg_settings
WHERE name LIKE 'pg_diffix.%'

name,setting,short_desc
pg_diffix.low_count_threshold_max,5,Maximum low count threshold (inclusive).
pg_diffix.low_count_threshold_min,2,Minimum low count threshold (inclusive).
pg_diffix.noise_seed,diffix,Seed used for initializing noise layers.
pg_diffix.noise_sigma,1,Standard deviation of noise added to aggregates.
pg_diffix.outlier_count_max,2,Maximum outlier count (inclusive).
pg_diffix.outlier_count_min,1,Minimum outlier count (inclusive).
pg_diffix.top_count_max,6,Maximum top contributors count (inclusive).
pg_diffix.top_count_min,4,Minimum top contributors count (inclusive).
