
arxiv: 2604.08630 · v1 · submitted 2026-04-09 · 💻 cs.CR · cs.IT · math.IT

Realisation-Level Privacy Filtering

Pith reviewed 2026-05-10 17:23 UTC · model grok-4.3

classification 💻 cs.CR · cs.IT · math.IT
keywords differential privacy, privacy filters, realisation-level accounting, adaptive queries, stopping times, composition theorems, utility

The pith

A realisation-level privacy filter stops data releases based on actual leakage to guarantee differential privacy with improved utility.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces realisation-level accounting for privacy in sequential database queries, where a filter decides stopping times according to the privacy loss that has actually materialised rather than bounding every possible outcome in advance. This allows the data handler to select target privacy parameters ε and δ, and the filter ensures the overall process meets those parameters even for adaptive mechanisms. A reader would care because standard methods waste budget on worst-case assumptions, limiting the number of useful releases, while this promises more output for the same privacy level. The authors design a specific filter and prove its guarantee holds despite the mathematical difficulties of conditioning on observed realisations and random stopping times. They also provide numerical simulations showing utility gains and note that the approach works for any mechanism.

Core claim

We study differentially private data release through successive adaptive queries and propose a realisation-level filtering approach to determine stopping times. We design one such filter and prove that it guarantees (ε, δ)-differential privacy with parameters chosen by the data handler, overcoming challenges from conditioning on realisations and stopping times. Numerical evidence shows better utility than mechanism-level methods, and the filter applies to arbitrary mechanisms including those poorly behaved under Rényi differential privacy.

What carries the argument

The realisation-level privacy filter that uses observed privacy losses to set adaptive stopping times for the sequence of data releases.

If this is right

  • The filter applies to any mechanism, even those without good Rényi DP behavior.
  • Data handlers can directly choose the overall ε and δ they want to achieve.
  • Numerical results indicate higher utility for the same privacy budget compared to composition based on per-round worst cases.
  • It supports adaptive queries where each mechanism can depend on prior outputs.
  • The approach provides a path to refined privacy accounting beyond worst-case composition theorems.
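To make the gap between mechanism-level and realisation-level accounting concrete, here is an added Python simulation; it is not code from the paper or from Pith. It answers a sequence of counting queries with the Laplace mechanism and keeps two ledgers against a target budget ε: the worst-case per-round ε_i that basic composition charges whatever the output, and the privacy-loss random variable log p_x(y)/p_x'(y) actually observed on this run. The realisation-level rule shown is a constructed illustration only: it charges the observed loss against a single fixed neighbour x' = x + 1, whereas the paper's filter and its proof (which must hold over all neighbouring pairs and handle the data-dependent stopping time) are not on this page, so this rule carries no guarantee of its own. The query counts and the seed are constructed sample input.

```python
import math
import random

SENSITIVITY = 1.0  # counting queries: neighbouring databases differ in one row


def laplace_sample(mean, scale, rng):
    """Draw one Laplace(mean, scale) sample by inverse-CDF transform of a uniform."""
    u = rng.random() - 0.5
    while abs(u) >= 0.5:            # guard the measure-zero edge u == -0.5 (log of zero)
        u = rng.random() - 0.5
    return mean - scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def realised_loss(y, fx, fx_prime, scale):
    """Privacy-loss random variable log p_x(y) / p_x'(y) evaluated at the observed output y.

    For Laplace noise this is (|y - f(x')| - |y - f(x)|) / scale, which by the triangle
    inequality never exceeds SENSITIVITY / scale in absolute value."""
    return (abs(y - fx_prime) - abs(y - fx)) / scale


def worst_case_loss(scale):
    """Per-round epsilon_i that mechanism-level (basic) composition charges every round."""
    return SENSITIVITY / scale


def max_observed_loss(n_samples, scale, seed=1):
    """Empirical check of the bound: largest |L| seen over n noisy answers to one query."""
    rng = random.Random(seed)
    fx = 10.0
    return max(abs(realised_loss(laplace_sample(fx, scale, rng), fx, fx + SENSITIVITY, scale))
               for _ in range(n_samples))


def compare_accounting(budget, per_round_eps, true_counts, seed=0):
    """Answer the same query sequence under two ledgers and report what each permits.

    mechanism_level:   after each release, charge the worst case eps_i.
    realisation_level: after each release, charge |L_i| observed on this run against one
                       fixed neighbour x' = x + 1 (constructed illustration, not the paper's
                       filter; a real filter must hold for every neighbouring pair).
    Both ledgers release a round only if spent + eps_i <= budget, judged on rounds already
    released, so neither peeks at the current output and neither can overshoot the budget."""
    rng = random.Random(seed)
    scale = SENSITIVITY / per_round_eps
    eps_i = worst_case_loss(scale)
    spent = {"mechanism_level": 0.0, "realisation_level": 0.0}
    released = {"mechanism_level": 0, "realisation_level": 0}
    stopped = set()
    for fx in true_counts:
        if len(stopped) == 2:
            break
        y = laplace_sample(fx, scale, rng)   # one noisy answer, shared by both ledgers
        loss = abs(realised_loss(y, fx, fx + SENSITIVITY, scale))
        for rule, charge in (("mechanism_level", eps_i), ("realisation_level", loss)):
            if rule in stopped:
                continue
            if spent[rule] + eps_i > budget + 1e-12:   # next round could overshoot: stop here
                stopped.add(rule)
                continue
            spent[rule] += charge
            released[rule] += 1
    return {"releases": released, "spent": spent}


if __name__ == "__main__":
    # Constructed sample counts for a 20-query sequence; budget eps = 1.0, eps_i = 0.25.
    counts = [40, 12, 7, 33, 18, 25, 9, 50, 3, 21, 14, 8, 30, 2, 27, 19, 11, 36, 6, 44]
    print(compare_accounting(1.0, 0.25, counts))
```

With ε = 1.0 and ε_i = 0.25 the mechanism-level ledger always allows exactly four releases, while the realisation-level ledger allows at least four and usually more because the observed |L_i| is typically well below ε_i. The design choice that matters is the pre-release check: each ledger asks whether the upcoming round's worst case still fits, so the only thing the realised ledger changes is how much is debited afterwards. What it does not do is resolve the referee's point in the analysis below: once the decision to continue depends on the observed outputs, the stopping time is itself a function of the data, and a guarantee over all neighbouring databases needs the optional-stopping argument the paper claims to supply.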

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Adopting this could lead to more efficient privacy budget usage in applications with variable leakage across queries.
  • The method could be tested in specific domains like private data analysis pipelines to measure practical gains.
  • Stopping times based on realisations might interact with data-dependent mechanisms in ways that require further analysis for full safety.

Load-bearing premise

The technical challenges from conditioning on realisations and stopping times can be resolved in a way that preserves the (ε, δ)-differential privacy guarantee.

What would settle it

Constructing a pair of neighboring databases and an adaptive query sequence where the probability of outputs after the filter stops violates the (ε, δ) bound for some chosen ε and δ.

Figures

Figures reproduced from arXiv: 2604.08630 by Justin Coon, Praneeth Vippathalla, Sophie Taylor.

Figure 1. Adaptive data privacy problem Mi(R1, …, Ri, Y1, …, Yi−1, X). We assume a fixed series of allowable sets R1, R2, …, and a fixed family of conditional distributions PX(Y1|R1), PX(Y1|R1, R2, Y2), … defining the mechanisms M1, M2, … a priori; the mechanisms are adaptive in the standard sense that, at each round, the distribution of the output is conditioned on all previous requests and o…
Figure 2. Stopping time survival P(T ≥ t) of mechanism-level privacy filters compared with our realisation-level privacy filter.
Original abstract

We study differentially private data release, where a database is accessed through successive, possibly adaptive queries and mechanisms. Existing composition theorems and privacy filters combine worst case per-round privacy parameters, leaving room for more refined accounting based on realised leakage, which we term realisation-level accounting. We propose a realisation-level filtering approach to determine stopping times for data releases, and design one such filter. Despite technical challenges arising from conditioning on realisations and stopping time, we prove that the filter guarantees $(\epsilon, \delta)$-differential privacy, with $\epsilon$ and $\delta$ chosen by the data handler. Through numerical evidence, we demonstrate that realisation-level filtering provides a path to better utility beyond mechanism-level methods. Furthermore, our proposed filter applies to arbitrary mechanisms, including those that are badly behaved under Rényi differential privacy.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper studies differentially private data release under successive adaptive queries and mechanisms. It proposes a realisation-level filtering approach that determines stopping times based on realized leakage (rather than worst-case per-round parameters) and claims to prove that one such filter guarantees (ε, δ)-differential privacy for parameters chosen by the data handler, despite technical challenges from conditioning on realisations and stopping times. Numerical evidence is presented to demonstrate improved utility over mechanism-level methods, and the filter is asserted to apply to arbitrary mechanisms, including those badly behaved under Rényi DP.

Significance. If the central proof is correct, this would be a significant contribution to differential privacy accounting. Realisation-level filtering could enable substantially higher utility in adaptive query settings by avoiding overly conservative worst-case composition, while the claimed applicability to arbitrary mechanisms (without RDP assumptions) broadens its scope beyond many existing filters. The numerical evidence, if detailed and reproducible, would provide concrete support for practical advantages.

major comments (2)
  1. [Proof of the main theorem] The abstract asserts a proof that the filter guarantees (ε, δ)-DP despite conditioning on realisations and stopping times, but the derivation must explicitly bound the privacy-loss random variable at the data-dependent stopping time τ with respect to the filtration generated by the stopping rule itself. If the argument relies only on per-round bounds or an unadjusted martingale without addressing the information revealed by the stopping decision, the guarantee can fail for adaptive mechanisms—the precise setting the paper targets. Please provide the full proof (or key steps) with explicit handling of optional stopping.
  2. [Numerical experiments section] The numerical evidence is invoked to show a path to better utility, but without details on the experimental setup (mechanisms tested, baseline filters, number of trials, stopping-time distributions, or quantitative utility metrics), it is impossible to assess whether the gains are substantive or merely illustrative. This evidence is load-bearing for the practical claim.
minor comments (2)
  1. [Introduction] Define 'realisation-level accounting' and 'realisation-level filtering' with a short concrete example in the introduction to distinguish them clearly from mechanism-level composition.
  2. [Preliminaries and notation] Ensure consistent notation for stopping times, filtrations, and privacy-loss random variables throughout; add a notation table if the paper is long.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their careful reading of the manuscript and for identifying these important points. We address each major comment below and will incorporate the requested clarifications and expansions in the revised version.

Point-by-point responses
  1. Referee: [Proof of the main theorem] The abstract asserts a proof that the filter guarantees (ε, δ)-DP despite conditioning on realisations and stopping times, but the derivation must explicitly bound the privacy-loss random variable at the data-dependent stopping time τ with respect to the filtration generated by the stopping rule itself. If the argument relies only on per-round bounds or an unadjusted martingale without addressing the information revealed by the stopping decision, the guarantee can fail for adaptive mechanisms—the precise setting the paper targets. Please provide the full proof (or key steps) with explicit handling of optional stopping.

    Authors: We agree that the handling of the optional stopping time and the associated filtration must be made fully explicit. The proof of the main result (Theorem 3.1) constructs a privacy-loss process that is a martingale with respect to the filtration generated by the sequence of realized privacy losses and the stopping decisions. The stopping time τ is a bounded stopping time (the filter enforces termination once the cumulative realized leakage reaches the target budget), and we invoke the optional stopping theorem to bound the expectation of the privacy-loss random variable at τ. The measurability of the stopping decision with respect to the filtration ensures that no additional information is leaked beyond what is already accounted for in the martingale increments. We will expand the proof section to include these steps in full detail, along with the explicit application of the optional stopping theorem, so that the argument is self-contained and addresses the referee's concern directly. revision: yes

  2. Referee: [Numerical experiments section] The numerical evidence is invoked to show a path to better utility, but without details on the experimental setup (mechanisms tested, baseline filters, number of trials, stopping-time distributions, or quantitative utility metrics), it is impossible to assess whether the gains are substantive or merely illustrative. This evidence is load-bearing for the practical claim.

    Authors: We acknowledge that the current presentation of the numerical results is insufficiently detailed. We will revise the experiments section to provide a complete description of the setup, including the specific mechanisms and query types considered, the baseline filters used for comparison, the number of independent trials performed, the observed distributions of stopping times, and quantitative utility metrics (such as average number of queries released and effective error on the released answers). We will also include a statement on reproducibility and make the simulation code available. revision: yes

Circularity Check

0 steps flagged

No circularity: proof of DP guarantee stands as independent derivation

full rationale

The paper asserts a proof that its realisation-level filter guarantees (ε, δ)-DP for arbitrary mechanisms despite conditioning on realisations and stopping times. No equations, fitted parameters, or self-citations are exhibited that reduce this guarantee to a self-definition, renamed input, or load-bearing prior result by the same authors. The derivation is presented as resolving the technical challenges of the filtration and stopping rule directly from the standard DP definition, without tautological re-use of the target bound. This is the normal case of a self-contained proof claim.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Review performed on abstract only; full technical details unavailable.

axioms (1)
  • standard math: Standard definitions and composition properties of (ε, δ)-differential privacy
    The work builds directly on existing DP theory for adaptive queries.
invented entities (1)
  • Realisation-level privacy filter (no independent evidence)
    purpose: Stopping rule that uses observed leakage to decide when to halt data releases
    New construct proposed to achieve better utility while preserving the privacy guarantee.

pith-pipeline@v0.9.0 · 5431 in / 1226 out tokens · 40120 ms · 2026-05-10T17:23:48.036766+00:00 · methodology

