Persuasive Privacy

A game-theoretic framework for data privacy

The Sender–Receiver privacy game
Private data

Sender’s sensitive data, held privately and never shared.

x \in \mathsf{X}

Mechanism

A (deterministic or randomised) mechanism.

M: (\mathsf{X}, \mathcal{T}) \rightarrow [0,1]

Markov kernel w.r.t. measurable space (\mathsf{T}, \mathcal{T}).

Statistic

Generated from mechanism and shared with Receiver.

T \sim M(x, \cdot)

Privacy guarantee

Shared with Receiver for transparency, so that the privacy of M can be verified externally.


Assumption 1 dictates that the privacy guarantee can not depend on x directly. This prevents information leakage about the data through transparency. As such, communication of the guarantee to Receiver does not affect the data-posterior.

Privacy function

The privacy function encodes how Receiver’s decision affect the privacy of Sender.


Under the data-posterior Q_T, with Receiver’s optimal decision d^{Q_T}, the realised privacy for Sender is

\rho(d^{Q_T},x).

Data-prior

The receiver’s assumed prior over the data is

Q \in \mathcal{P}(\mathsf{X}).


In Assumption 5 we have a class of prior distributions \mathcal{Q}_x \subset \mathcal{P}(\mathsf{X}) for which Q \in \mathcal{Q}_x and Sender assesses the worst case.

Data-posterior

Receiver’s posterior given the release of T is

Q_T = Q(\,\cdot \mid T), which will depend on the chosen mechanism M.


By Assumption 1, Q_T does not depend on \mathfrak{C}.

Receiver decision

Receiver’s decision is formed by posterior Q_T and loss \ell.

d^{Q_T} \in \arg\inf_{d \in \mathcal{D}} \mathbb{E}_{z \sim Q_T}[ \ell(d,z)]

Assumption 3 dictates that \ell = \rho.

Receiver loss

Receiver’s loss function for decision making.


Assumption 3 dictates that \ell = \rho. In other words, Receiver directly targets Sender’s notion of privacy.

Sender

Custodian of sensitive data x. Chooses M to persuade Receiver to make decisions with limited impact on privacy.


Sender conducts a robust assessment of privacy. These are formalised in Assumption 4 and Assumption 5.

Receiver

Receiver is a potential adversary who will make a decision after observing output T \sim M(x,\cdot).


Receiver is Bayes rational by Assumption 2. Therefore, they hold a prior Q over (unknown) data x, and make decisions with respect to some loss function \ell.

Joshua J. Bon1, James Bailie2, Judith Rousseau3, Christian P. Robert4 5

Forty-Third International Conference on Machine Learning (ICML 2026)

Privacy as persuasion

We propose a two-player Stackelberg game between a Sender (custodian of the sensitive data) and a Receiver (adversary) to construct a new class of privacy definitions. The construction is closely related to Bayesian persuasion (Kamenica et al., 2011), but differs in three key ways: information asymmetry, related utility functions, and semi-robustness.

We assess the privacy of a mechanism M, a Markov kernel with output T \sim M(x,\cdot), where M(x,\cdot) is a distribution on (\mathsf{T},\mathcal{T}) for the Sender’s private data x \in \mathsf{X}.

NoteWhy persuasive?

Sender chooses M to persuade Receiver to make decisions with limited privacy impact.

Example players

TipSender

A government agency releases small area statistics on a disease.

WarningReceiver

An insurance company raises premiums using inferred disease prevalence in a small town.

Why a new privacy framework?

Differential privacy [DP; Dwork et al. (2006)] and its variants (Desfontaines et al., 2020) are the de facto standard, but face persistent challenges — hard-to-interpret parameters (Cummings et al., 2023) and large, potentially vacuous, privacy budgets in practice. We develop a framework to:

  1. Generate privacy definitions that are fit for purpose and rigorously justified;
  2. Assess existing privacy guarantees and their properties with a game-theoretic approach;
  3. Evaluate the privacy of deterministic algorithms.

Unlike DP, whose semantic interpretations are constructed post-hoc, our agent-based game is a semantics-first approach where each assumption can be tested against real-world considerations. Moreover, deterministic algorithms are incompatible with DP, yet central to releasing invariant statistics (e.g. the US Decennial Census) (Abowd et al., 2022).

Privacy functions

Sender measures privacy with a privacy function \rho, depending on Receiver’s decision d \in \mathcal{D} and the data value x \in \mathsf{X},

\rho: (\mathcal{D},\mathsf{X}) \rightarrow \mathbb{R}.

The privacy function orders Sender’s preferences over Receiver’s decisions: if Sender prefers d_1 to d_2 given x, then \rho(d_1,x) > \rho(d_2,x). That is, \rho is positively oriented.

TipExample 1: interval privacy function

Let \mathcal{D} = \{[a,b]: a,b \in \mathbb{R}, a \leq b\} and \mathsf{X}=\mathbb{R}. Given s > 0,

\rho(d,x) = \begin{cases} 0 & \text{if } x\in d \text{ and } \vert d \vert \leq s,\\ 1 & \text{otherwise}. \end{cases}

TipExample 2: negative log-probability privacy function

Let \mathcal{D} be the set of probability density functions on \mathsf{X}=\mathbb{R} with respect to some measure \mu. For d \in \mathcal{D} and x \in \mathsf{X}, the negative log-probability privacy function is \rho(d,x) = -\log d(x).

Transparency

Transparency is typically required so that the privacy status of M can be externally verified. Sharing some (yet to be specified) privacy definition \mathrm{D} is equivalent to sharing \mathfrak{C} = \{\text{Markov kernels}~M~\text{satisfying}~\mathrm{D}\}.

NoteAssumption 1: Transparency

Sender shares the mechanism M and privacy class \mathfrak{C}, for which M \in \mathfrak{C}, with Receiver. Further, the definitions of M and \mathfrak{C} do not depend on the data.

Receiver model

NoteAssumption 2: Bayesian adversary

Receiver is Bayes rational.

Under Assumption 2, Receiver will hold a data-prior Q expressing their uncertainty about the true value of x. They will also make decisions with respect to some loss function \ell.

Receiver’s best response

Under the data-prior, Receiver’s best response is

d^{Q} \in \arg\inf_{d \in \mathcal{D}} \mathbb{E}_{z\sim Q}\left[ \ell(d,z) \right].

After observing T \sim M(x,\cdot), Receiver forms the data-posterior Q_T = Q(\,\cdot \mid T) and their best response is

d^{Q_T} \in \arg\inf_{d \in \mathcal{D}} \mathbb{E}_{z\sim Q_T}\left[ \ell(d,z) \right].

The following assumption, links Sender’s privacy function and Receiver’s loss.

NoteAssumption 3: Adversarial loss function

Receiver’s loss function satisfies \ell(d,x) = \rho(d,x) for all d \in \mathcal{D} and x \in \mathsf{X}.

Setting Receiver’s loss as \ell = \rho can be interpreted as the data-averaged worst case privacy outcome for Sender (see Proposition 1 in paper).

Sender’s attained privacy

Sender’s attained privacy is \rho(d^{Q_T}, x), conditional on output T, data-prior Q, and the true value x. When \ell = \rho (from Assumption 3), the attained privacy is a (negatively-oriented) proper scoring rule (Gneiting et al., 2007; Grünwald et al., 2004),

S(P,x) = \rho(d^{P}, x),

measuring how well Receiver’s belief P predicts x. We use privacy scores due to this equivalence. Privacy attained under the data-prior and data-posterior are S(Q,x) and S(Q_T,x) respectively.

WarningPrivacy score equivalence

In our framework privacy functions naturally lead to privacy scores (proper scoring rules). Further, a proper scoring rule will always have a dual privacy function. Therefore, designing a privacy score or a privacy function are both appropriate strategies.

We continue with privacy score perspective for simplicity.

Sender’s privacy assessment

Sender must assess privacy with respect to (possible) stochasticity in T, potential data-priors Q \in \mathcal{Q}_x held by Receiver, and all potential datasets x \in \mathsf{X} (due to Assumption 1). We use two robust assessment assumptions for Sender, though others are possible.

The relative privacy loss is defined as

\Delta(Q,T,x) = S(Q,x) - S(Q_T,x), measuring the change in privacy score from the data-prior Q to data-posterior Q_T.

NoteAssumption 4

For a given data-prior Q and dataset x, Sender considers a mechanism M private only if

\mathbb{P}_x\left[\Delta(Q,T,x) \leq \kappa \right] \geq 1 - \delta, \tag{1}

with \Delta(Q,T,x) = S(Q,x) - S(Q_T,x), for some maximum acceptable privacy loss \kappa\geq0 and probability of failure 0 \leq \delta \ll 1. The probability \mathbb{P}_x is with respect to M(x,\cdot).

NoteAssumption 5

Sender considers M private if (1) holds uniformly for all data-priors Q \in \mathcal{Q}_x and datasets x \in \mathsf{X}.

Persuasive Privacy (PP)

Fix a non-empty set of privacy scores \mathcal{S} on \mathsf{X}, a class of data-priors \mathcal{Q}_x \subset \mathcal{P}(\mathsf{X}), a maximum acceptable privacy loss \kappa \geq 0, and a small probability of failure 0\leq\delta \ll 1.

Assumptions 1, 2, 3, 4, 5 define Persuasive Privacy as follows.

NotePersuasive Privacy

A mechanism M is (\mathcal{S}, \mathcal{Q}_x, \kappa, \delta)\text{-PP} if

\inf_{S\in\mathcal{S}}\;\inf_{x\in\mathsf{X}}\;\inf_{Q\in\mathcal{Q}_x} \mathbb{P}_x\!\left[\Delta_S(Q,T,x) \leq \kappa \right] \geq 1 - \delta,

for \Delta_S(Q,T,x) = S(Q,x) - S(Q_{T},x).

Multiple scoring rules (equivalent to multiple privacy functions) are allowed by considering all S\in \mathcal{S}.

Differential Privacy as a special case

TipExample 3: Probabilistic DP

Probabilistic DP [PDP; Machanavajjhala et al. (2008)] is exactly recovered. Let L be the (discrete) negative log-probability score and \mathcal{H} the class of two-point neighbouring alternative hypothesis data-priors, \mathcal{H} = \{Q : \exists\, (x,x^\prime)\in\mathfrak{N},\ Q(\{x,x^\prime\})=1\}, for some neighbour relation \mathfrak{N}. Then

M~\text{is}~(\varepsilon,\delta)\text{-PDP} \quad\Longleftrightarrow\quad M~\text{is}~(L,\mathcal{H},\varepsilon,\delta)\text{-PP}.

Since pure \varepsilon-DP is a special case of PDP when \delta=0, we also recover \varepsilon-DP.

TipExample 4: Rényi DP

Changing Assumption 4 from a tail-probability condition to an expected-value condition instead recovers Rényi DP (Mironov, 2017) under otherwise identical settings. See Appendix C in the paper.

Post-processing: two notions

Our framework enables separation of two properties conflated as “post-processing”:

  • Receiver post-processing (M \in \mathfrak{C} \Rightarrow M \otimes K \in \mathfrak{C}): Receiver cannot extract more about x by transforming the output. All PP guarantees satisfy this.
  • Sender post-processing (M \in \mathfrak{C} \Rightarrow MK \in \mathfrak{C}, “chaining”): not satisfied by PP in general. But Sender can trivially preserve the guarantee by releasing from M \otimes K instead of MK.

PDP does not satisfy (Sender) post-processing (Kifer et al., 2012). Distinguishing Receiver/Sender post-processing reveals this is not a drawback for the adversarial protections afforded by PDP, but rather a restriction of (Sender) post-processing as a mathematical tool for establishing a PDP guarantee.

Deterministic mechanism: No noise empirical average

TipExample 5

Let \mathsf{X} = \mathbb{R}^n where x_i is a sensitive value for each individual in the dataset. Consider the marginal Dawid–Sebastiani score (Dawid et al., 1999) for each i\in [1:n],

D_i(Q,x) = \log \sigma_i^2(Q) + \frac{[x_i - \mu_i(Q)]^2}{\sigma^{2}_i(Q)},

where \mu_i(Q) = \mathbb{E}_{X\sim Q}[X_i] and \sigma_i^2(Q) = \mathrm{Var}_{X\sim Q}[X_i], the ith marginal mean and variance of Q. Define the data-prior class

\mathcal{G}_x^r =\left\{ \mathcal{N}(\mu,\Sigma)\in \mathcal{P}(\mathbb{R}^n): \frac{(\bar{x}-\bar{\mu})^2}{\overline{\Sigma}} \leq r_1,\; c_\Phi \leq r_2 \left(1-\frac{\max_i\sigma_i^2}{\Vert\sigma\Vert_2^2}\right)\right\},

bounding Receiver’s strength via mean and correlation-variance constraints, where c_\Phi is the condition number of the correlation matrix of \Sigma and \sigma^2 = \text{diag}(\Sigma). Denoting \mathcal{I} = \{D_i\}_{i=1}^n,

M(x,\cdot) = \delta_{\bar{x}}~\text{is}~(\mathcal{I},\,\mathcal{G}_x^r,\,r_1 + \log r_2,\,0)\text{-PP}.

Interpretation: releasing the average with no noise is private if Receiver’s prior guess for \bar{x} is not too poor, no single marginal prior variance dominates, and the data-prior is not too correlated.

Conclusion

  • Persuasive Privacy is a semantics-first game-theoretic framework for defining privacy.
  • Recovers Pure & Probabilistic DP; Rényi and f-divergence privacy with a small change.
  • Certifies deterministic mechanisms, enabling better privacy–utility trade-offs.
  • See the paper for the composition property, a deterministic cell-suppression example, and the data-averaged worst-case justification of Assumption 3.
  • Ongoing work: utility-optimal mechanisms; investigating framework settings in applications.

References

Abowd, J. M., Ashmead, R., Cumings-Menon, R., Garfinkel, S., Heineck, M., Heiss, C., Johns, R., Kifer, D., Leclerc, P., Machanavajjhala, A., Moran, B., Sexton, W., Spence, M., & Zhuravlev, P. (2022). The 2020 census disclosure avoidance system TopDown algorithm. Harvard Data Science Review, Special Issue 2. doi: 10.1162/99608f92.529e3cb9
Cummings, R., & Sarathy, J. (2023). Centering policy and practice: Research gaps around usable differential privacy. 2023 5th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA), 122–135. doi: 10.1109/TPS-ISA58951.2023.00025
Dawid, A. P., & Sebastiani, P. (1999). Coherent dispersion criteria for optimal experimental design. The Annals of Statistics, 27(1), 65–81. doi: 10.1214/aos/1018031102
Desfontaines, D., & Pejó, B. (2020). SoK: Differential privacies. Proceedings on Privacy Enhancing Technologies, 2020(2), 288–313. doi: 10.2478/popets-2020-0028
Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., & Naor, M. (2006). Our data, ourselves: Privacy via distributed noise generation. S. Vaudenay (Ed.), Advances in cryptology - EUROCRYPT 2006 (pp. 486–503). Berlin, Heidelberg: Springer Berlin Heidelberg.
Gneiting, T., & Raftery, A. E. (2007). Strictly proper scoring rules, prediction, and estimation. J. American Statistical Assoc., 102(477), 359–378.
Grünwald, P. D., & Dawid, A. P. (2004). Game theory, maximum entropy, minimum discrepancy and robust Bayesian decision theory. Annals of Statistics, 32(4), 1367–1433.
Kamenica, E., & Gentzkow, M. (2011). Bayesian persuasion. American Economic Review, 101(6), 2590–2615.
Kifer, D., & Lin, B.-R. (2012). An axiomatic view of statistical privacy and utility. Journal of Privacy and Confidentiality, 4(1), 5–49. doi: 10.29012/jpc.v4i1.610
Machanavajjhala, A., Kifer, D., Abowd, J., Gehrke, J., & Vilhuber, L. (2008). Privacy: Theory meets practice on the map. Proceedings of the 2008 IEEE 24th International Conference on Data Engineering (ICDE), 277–286. doi: 10.1109/ICDE.2008.4497436
Mironov, I. (2017). Rényi differential privacy. 2017 IEEE 30th Computer Security Foundations Symposium (CSF), 263–275. doi: 10.1109/CSF.2017.11

Footnotes

  1. Adelaide University↩︎

  2. Chalmers University of Technology↩︎

  3. Université Paris–Dauphine PSL↩︎

  4. Université Paris–Dauphine PSL↩︎

  5. University of Warwick↩︎