# Open Diffix demo - pg_diffix

This notebook demonstrates how to use the `pg_diffix`, a PostgreSQL extention that implements Diffix Elm anonymization.

> Diffix Elm used here is missing several features of the next version Fir, which is still a work in progress.

The notebook demonstrates
1. The SQL limitations imposed by Diffix Elm
2. How Diffix Elm perturbs data to achieve anonymization

Feel free to use this notebook as a starting point for playing with Diffix Elm.

## For more information

To read more about Diffix Elm, visit [open-diffix.org](https://open-diffix.org).
A good overview of Diffix Elm can be found [here](https://www.open-diffix.org/blog/diffix-elm-automates-what-statistics-offices-have-been-doing-for-decades/).
A detailed description is [available on ArXiv](https://arxiv.org/abs/2201.04351).
Besides including a **full specification**, the latter includes a complete privacy analysis and guidance for writing a risk assessment.

## How to run

To run this notebook locally you need `psycopg2` and `ipython-sql` installed. For the meta-commands you need `pgspecial`.

Below you can find connection details for 3 users in this database instance:

- `direct_user` with direct (non-anonymized) access to `banking`
- `trusted_user` with anonymized access to `banking` in trusted mode
- `untrusted_user` with anonymized access to `banking` in untrusted mode

In [1]:
%load_ext sql
%sql postgresql://direct_user:demo@demo-pg.open-diffix.org/banking
%sql postgresql://trusted_user:demo@demo-pg.open-diffix.org/banking
%sql postgresql://untrusted_user:demo@demo-pg.open-diffix.org/banking
%config SqlMagic.displaycon = False # No connection string in output.
%config SqlMagic.feedback = False   # No Done, rows affected.
print('Connected to database.')

Connected to database.


The dataset has the following tables:

In [2]:
%sql \dt

Schema,Name,Type,Owner
public,accounts,table,postgres
public,accounts_receivables,table,postgres
public,clients,table,postgres
public,credit_cards,table,postgres
public,dispositions,table,postgres
public,loans,table,postgres
public,loss_events,table,postgres
public,orders,table,postgres
public,transactions,table,postgres


You can explore columns of tables with `\d <table>`

In [3]:
%sql \d loans

Column,Type,Modifiers
loan_id,integer,not null
account_id,integer,
date,text,
amount,integer,
duration,integer,
payments,double precision,
status,text,


# Examples

Diffix Elm supports a very limited subset of SQL.

It supports only one aggregate, `count()`. Specifically, it supports `count(*)`, `count(column)`, and `count(distinct column)`.

It supports the following generalization functions for numeric and text columns:

- `diffix.floor_by(numeric_column, K)`
- `diffix.round_by(numeric_column, K)`
- `diffix.ceil_by(numeric_column, K)`
- `substring(text_column, index, length)`

Let's see what it looks like when data is queried by the trusted user (receives anonymized output) and the direct user (receives raw data).

In [4]:
%%sql direct_user@banking
SELECT status, count(*) AS real_count
FROM loans
GROUP BY status
ORDER BY status ASC

status,real_count
A,203
B,31
C,403
D,45


In [5]:
%%sql trusted_user@banking
SELECT status, count(*) AS anon_count
FROM loans
GROUP BY status
ORDER BY status ASC

status,anon_count
A,202
B,30
C,402
D,44


The two queries above are identical, but the anonymized results are slightly perturbed.

Diffix Elm perturbs data in three ways:

- Adding noise to counts
- Suppressing column values that pertain to too few individuals
- Hiding the impact of individuals that contribute disproportionately to counts

The following gives examples of these.

## Adding noise

Diffix Elm adds noise to the results of aggregates.
This is why the counts in the above two queries differ.

## Suppressing values with few individuals

Let us take another look at the `loans` table we queried above.
The following query shows that many of the loan dates are unique:

In [6]:
%%sql direct_user@banking
SELECT date, count(*)
FROM loans
GROUP BY date
HAVING count(*) = 1
LIMIT 10

date,count
971019,1
951002,1
980522,1
970519,1
980129,1
981201,1
950922,1
940825,1
981029,1
961024,1


In fact 457 out of the 682 loans in the table (or approximately 67%) had a date that only appeared once:

In [7]:
%%sql direct_user@banking
SELECT count(*) num_occurrences, count_loans_sharing_date
FROM (
  SELECT date, count(*) AS count_loans_sharing_date
  FROM loans
  GROUP BY date
) t
GROUP BY count_loans_sharing_date
ORDER BY count(*) DESC

num_occurrences,count_loans_sharing_date
457,1
84,2
15,3
3,4


This means that, without anonymization, if we know the date on which somebody went to the bank to take out a loan,
we could most likely learn the amount of the loan and other information:

In [8]:
%%sql direct_user@banking
SELECT date, amount, duration, status, count(*)
FROM loans
GROUP BY date, amount, duration, status
ORDER BY date
LIMIT 10

date,amount,duration,status,count
930705,96396,12,B,1
930711,165960,36,A,1
930728,127080,60,A,1
930803,105804,36,A,1
930906,274740,60,A,1
930913,87840,24,A,1
930915,52788,12,A,1
930924,174744,24,B,1
931013,154416,48,A,1
931104,117024,24,A,1


If we know that an individual has taken a loan on Sept. 6, 1993, then we learn that it is a 60 month loan for 274740 dollars.

When Diffix is used to anonymize the data, the system detects output rows that can be linked to a single or a small number of individuals,
and suppresses that information.

We can see this in practice by repeating the two queries we just ran on the raw dataset, but protected by Diffix Elm.

In [9]:
%%sql trusted_user@banking
SELECT date, count(*)
FROM loans
GROUP BY date

date,count
*,667
971208,3
960429,3
970307,3
970317,3
970503,3


Here we see that almost all of the data has been suppressed. 
Counts for only five dates are displayed.
These are dates where there are enough distinct individuals with loans to show the data.
All other dates have one or very loans. Diffix Elm automatically recognizes this and suppresses the dates,
merging them into a single bin with the value '`*`' which we call the _suppression bin_.

In [10]:
%%sql trusted_user@banking
SELECT date, amount, duration, status, count(*)
FROM loans
GROUP BY date, amount, duration, status

date,amount,duration,status,count
*,,,*,683


The query above, which attempts to display all columns, suppresses even more aggressively:
all of the data is suppressed and merged into a single suppression bin.
This is because the four column values taken together are distinct for every individual. 

The text columns of suppressed bins are denoted with the value '`*`' (this is configurable), while numeric columns are denoted with `NULL`.
Diffix Elm provides a custom function, `diffix.is_suppress_bin(*)`, which returns `True` for the suppression bin, and `False` otherwise:

In [11]:
%%sql trusted_user@banking
SELECT date, count(*), diffix.is_suppress_bin(*)
FROM loans
GROUP BY date

date,count,is_suppress_bin
*,667,True
971208,3,False
960429,3,False
970307,3,False
970317,3,False
970503,3,False


#### Generalization

The queries above are anonymous, but they are also useless. All of the data has been suppressed.
**Generalization** is used to avoid suppression.

For example, rather than attempt to count the number of loans for individual days,
we can generalize these to years using `substring()`:


In [12]:
%%sql trusted_user@banking
SELECT substring(date, 1, 2) AS year, count(*)
FROM loans
GROUP BY substring(date, 1, 2)

year,count
93,21
94,102
98,159
96,113
95,91
97,198


Here we see that while no data has been suppressed, it comes at the cost of a loss of precision.
We can improve this by generalizing to month (here showing only the first 10 rows):

In [13]:
%%sql trusted_user@banking
SELECT substring(date, 1, 4) AS year_month, count(*)
FROM loans
GROUP BY substring(date, 1, 4)
ORDER BY substring(date, 1, 4)
LIMIT 10

year_month,count
*,24
9312,7
9401,5
9403,7
9405,10
9406,13
9407,13
9408,7
9409,11
9410,6


Here only 3.5% of the data is suppressed (roughly 24 of 682 loans). 

Diffix Elm allows generalization of both text and numeric columns.
In the following, we use the `difix.floor_by(col, amount)` function to generate loan amount bins of 50000:

In [14]:
%%sql trusted_user@banking
SELECT diffix.floor_by(amount, 50000) AS amount, count(*)
FROM loans
GROUP BY diffix.floor_by(amount, 50000)
ORDER BY diffix.floor_by(amount, 50000)

amount,count
,5
0.0,125
50000.0,178
100000.0,89
150000.0,103
200000.0,57
250000.0,41
300000.0,35
350000.0,25
400000.0,10


#### Post Processing

Although Diffix Elm places strong SQL restrictions on anonymizing queries,
it allows arbitrary SQL when post-processing the result of an anonymized query.

The following post processes the anonymizing sub-query to make the output more readable.

In [15]:
%%sql trusted_user@banking
SELECT
  CASE WHEN anonymized.year = '*' THEN 'Other'
  ELSE '19' || anonymized.year
  END AS year,
  CASE WHEN anonymized.amount IS NULL THEN 'Other'
  ELSE anonymized.amount/1000 || 'k - ' || (anonymized.amount/1000 + 50) || 'k'
  END AS amount,
  count
FROM (
  SELECT substring(date, 1, 2) as year, diffix.floor_by(amount, 50000) AS amount, count(*) AS count
  FROM loans
  GROUP BY 1, 2
) AS anonymized
ORDER BY anonymized.year ASC, anonymized.amount ASC
LIMIT 10

year,amount,count
Other,Other,37
1993,50k - 100k,8
1994,0k - 50k,16
1994,50k - 100k,30
1994,100k - 150k,14
1994,150k - 200k,16
1994,200k - 250k,9
1994,250k - 300k,8
1994,300k - 350k,3
1995,0k - 50k,21


The following counts the number of unsuppressed bins in an output (including the suppression bin itself):

In [16]:
%%sql trusted_user@banking
SELECT count(*) AS number_of_unsuppressed_bins_including_suppress_bin
FROM (
  SELECT substring(date, 1, 4), count(*)
  FROM loans
  GROUP BY substring(date, 1, 4)
) t

number_of_unsuppressed_bins_including_suppress_bin
59


The following computes the min and max loan amount bins. Note that this may not the true min and max,
but simply the min and max of the bin value for unsuppressed bins. The true values may be more or less.

In [17]:
%%sql trusted_user@banking
SELECT min(amount_floor) AS min_loan_amount,
       max(amount_ceiling) AS max_loan_amount
FROM (
  SELECT diffix.floor_by(amount, 50000) AS amount_floor,
	     diffix.ceil_by(amount, 50000) AS amount_ceiling,
	     count(*)
  FROM loans
  GROUP BY 1, 2
) t

min_loan_amount,max_loan_amount
0.0,550000.0


The following computes the average number of transactions per user.

In [18]:
%%sql trusted_user@banking
SELECT total_transactions/total_users AS average_trans_per_user
FROM (
  SELECT count(DISTINCT account_id) AS total_users,
         count(*) AS total_transactions
  FROM transactions
) t

average_trans_per_user
234


#### Proportional Noise

Diffix Elm uses noise to hide the presence of absence of individuals.
If individuals contribute more to a count, then Diffix Elm recognizes this and increases the noise proprotionally.

As an example, consider the following query made on the `transactions` table for both the raw and anonymized answers.
This query counts the number of distinct individuals (as identified by their account_id) for each transaction type.

In [19]:
%%sql direct_user@banking
SELECT type, count(DISTINCT account_id)
FROM transactions
GROUP BY type
ORDER BY type

type,count
PRIJEM,4500
VYBER,1144
VYDAJ,4500


In [20]:
%%sql trusted_user@banking
SELECT type, count(DISTINCT account_id)
FROM transactions
GROUP BY type
ORDER BY type

type,count
PRIJEM,4501
VYBER,1143
VYDAJ,4500


The amount of noise is very small. This is because each individual contributes only one to the count.
The amount of noise needed to hide one user is quite small (roughly plus or minus five).

Now consider counting the number of transactions rather than the number of distince individuals:

In [21]:
%%sql direct_user@banking
SELECT type, count(*)
FROM transactions
GROUP BY type
ORDER BY type

type,count
PRIJEM,405083
VYBER,16666
VYDAJ,634571


In [22]:
%%sql trusted_user@banking
SELECT type, count(*)
FROM transactions
GROUP BY type
ORDER BY type

type,count
PRIJEM,405145
VYBER,16647
VYDAJ,634406


Here the counts differ by 62, 19, and 165 respectively.
To see why, let's look at the average number of transactions per individual per type:

In [23]:
%%sql direct_user@banking
SELECT type, count_transactions/count_users AS average_transactions
FROM (
  SELECT type,
         count(DISTINCT account_id) AS count_users,
         count(*) AS count_transactions,
         count(*)/count(distinct account_id) AS avg
  FROM transactions
  GROUP BY 1
) t

type,average_transactions
PRIJEM,90
VYBER,14
VYDAJ,141


We see that the amount of noise applied by Diffix Elm is proportional to the amount contributed by individuals.