On 2017-08-23 16:33, Alex Gaynor wrote:
I had the same question, but it looks like RAPPOR has gotten significantly more advanced since I originally learned about the "just boolean questions" version. https://arxiv.org/pdf/1503.01214.pdf explains how to build privacy preserving measurements without knowing the values of the population.
So if I understand things correctly from the paper, you create a bloom filter for the URL/hostname you want to send, then randomly change it, store that. And each time they ask about the URL/hostname you take the stored version, randomly change it and that's what you send.
What I understand from that is that you don't get to learn the URL/hostname at all, but can query if a URL/hostname has been submitted. You don't get to learn what the population is, but the whole population can be send.
Is that accurate? Kurt _______________________________________________ governance mailing list governance@lists.mozilla.org https://lists.mozilla.org/listinfo/governance
