This paper describes a differentially private event-triggered sampling mechanism to select measurement samples from a data sequence whose dynamics can be modelled by a stochastic linear system. The mechanism produces subsequences that can be used to re-estimate the original sequence relatively accurately, and the differential privacy constraint guarantees that these subsequences are insensitive to certain variations in the input sequence. The subsampling process can be motivated by the presence of communication bandwidth constraints, but also provides an additional tool to explore achievable privacy-utility tradeoffs in privacy-preserving signal processing and control. Event-triggered sampling can offer benefits over periodic subsampling by attempting to select the most useful samples, but the fact that it leaks information when no sampling occurs must be carefully taken into account to meet the differential privacy requirement. We propose a design using a stochastic sampling threshold, leveraging the "sparse vector technique" from differential privacy to incur a privacy loss only when samples are actually released. This design includes a suboptimal but tractable recursive finite-dimensional estimator that can also be used to re-estimate the original sequence from the differentially private noisy subsequence.
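The stochastic-threshold idea can be sketched as follows. This is an added example, not the paper's design or code: it uses the textbook sparse vector (AboveThreshold) noise scales with Laplace noise on a scalar system x_{t+1} = a x_t, and a simple predict-and-hold estimator in place of the paper's recursive estimator. The function name, parameters, adjacency relation (one sample changed by at most `delta`) and sample data are assumptions made for illustration.

```python
import random

def laplace(rng, scale):
    # The difference of two i.i.d. exponentials is Laplace(0, scale).
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def private_event_sampler(xs, a, threshold, eps, max_releases, delta=1.0, seed=0):
    """Return (releases, estimates); releases holds (t, noisy_sample) pairs.

    Assumed adjacency: two input sequences differ in one sample by at most delta.
    The total budget eps is split evenly over max_releases events, and within an
    event evenly between the threshold test and the released value.
    """
    rng = random.Random(seed)
    releases, estimates, x_hat = [], [], 0.0
    if max_releases > 0:
        eps_test = eps_value = eps / (2 * max_releases)
        noisy_thr = threshold + laplace(rng, 2 * delta / eps_test)
    for t, x in enumerate(xs):
        x_hat = a * x_hat  # open-loop prediction from past released values only
        if len(releases) < max_releases:
            # The query depends on x_t and on past outputs, so its sensitivity is delta.
            score = abs(x - x_hat) + laplace(rng, 4 * delta / eps_test)
            if score >= noisy_thr:
                # Fresh noise for the value: never reuse the comparison noise.
                x_hat = x + laplace(rng, delta / eps_value)
                releases.append((t, x_hat))
                # Redraw the threshold so the next event starts a new instance.
                noisy_thr = threshold + laplace(rng, 2 * delta / eps_test)
        estimates.append(x_hat)
    return releases, estimates

# Constructed input: a decaying signal (a = 0.9) with one disturbance at t = 5.
SAMPLE = [0.0, 0.0, 0.0, 0.0, 0.0, 10.0, 9.0, 8.1, 7.29, 6.561]

if __name__ == "__main__":
    rel, est = private_event_sampler(SAMPLE, a=0.9, threshold=3.0, eps=2.0, max_releases=3)
    print("released:", rel)
    print("estimates:", [round(v, 2) for v in est])
```

Once `max_releases` events have fired the sampler stops testing altogether, so no further privacy loss is incurred and the receiver simply keeps predicting.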