Search papers, labs, and topics across Lattice.
This paper addresses the critical issue of whistleblower protection by introducing a formal framework for ensuring plausible deniability against retaliation from organizations. By applying $(0, δ)$-differential privacy to the audit selection process, the authors demonstrate that traditional methods like randomized response are inferior to uniform random auditing in terms of privacy guarantees. Their proposed mechanism, which leverages continual counting, achieves a significant improvement in privacy with noise scaling as $O(\sqrt{\log T})$, effectively enhancing the safety of whistleblowers over time.
Whistleblower protections can be significantly strengthened using a novel $(0, δ)$-differential privacy framework that outperforms traditional methods in safeguarding against organizational retaliation.
Whistleblowers are a key safeguard against organizational wrongdoing, but the threat of retaliation deters reporting. Existing whistleblower-protection proposals lack formal privacy guarantees, and existing differential privacy mechanisms do not directly target the natural threat model -- one in which the audited organization itself observes auditor selection decisions and uses them to identify reporters. We formalize protection against a strong-adversary threat model as per-report $(0, δ)$-differential privacy on the transcript of audit selections. Within this framework we prove that a natural approach -- randomized response applied at the selection step -- can never outperform uniform random auditing by more than $δ$ at any horizon. We then give a generic mechanism that reduces private auditing to private continual counting: any $(0, δ)$-DP continual counter plugs in by post-processing, and the audit transcript inherits the same per-report guarantee. Instantiating the reduction with a recent work in continual counting yields per-report $(0, δ)$-DP with noise scaling as $O(\sqrt{\log T})$ across a horizon of $T$ audit decisions. A utility theorem shows that the selection error vanishes whenever the noisy report gap between the most-reported organization and the runner-up grows faster than $\sqrt{\log T}$. Simulations show a substantial improvement over randomized response.