Auditing Apple's DifferentialPrivacy.framework: Implementation Bugs, Misconfigurations, and Practical Risks
Pith reviewed 2026-05-21 03:42 UTC · model grok-4.3
The pith
Apple's differential privacy mechanisms break their guarantees due to floating-point sampler bugs
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The audit finds that every mechanism relying on floating-point noise fails to meet its advertised DP or zero-knowledge proof guarantee due to insecure samplers with known floating-point vulnerabilities. This leads to DP violations in 5 of 9 audited mechanisms, impacting 87% of data collection in macOS Sonoma and 68% in Sequoia, along with public logs that leak private signals.
What carries the argument
Insecure floating-point noise samplers that fail to produce the required noise distributions for differential privacy.
If this is right
- User signals such as Safari domains and keyboard events are collected with weaker privacy than promised.
- Analytics data in recent macOS versions is exposed to higher risks of inference attacks.
- Secure aggregation configurations can expose pre-aggregation records to parties with log access.
- Leaked iPhone logs can be used to recover private user information.
Where Pith is reading between the lines
- Similar floating-point issues could affect differential privacy implementations in other proprietary systems.
- Replacing floating-point arithmetic with fixed-point methods might restore the intended privacy levels.
- Independent audits of closed-source privacy frameworks are essential to verify vendor claims.
Load-bearing premise
The reverse-engineered Objective-C interfaces and runtime behavior accurately match the production code paths used for real user data collection on the tested macOS versions.
What would settle it
Direct examination of the noise generation code or statistical testing of output distributions that either confirms the vulnerabilities or shows they are not present in production use.
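As an added illustration (not code from the paper, from Pith, or from Apple's framework): one well-known instance of a floating-point sampler failure is that the textbook inverse-CDF Laplace sampler reaches a different set of outputs for neighbouring inputs, which an integer-only sampler avoids. The sketch below enumerates that output set on a uniform grid reduced to 2^12 points (an assumption, so the enumeration is exhaustive) and contrasts it with an exact discrete Laplace sampler in the style of Canonne, Kamath and Steinke; all function names and parameters are hypothetical.

```python
import math
import random


def naive_laplace_outputs(x, scale, bits):
    """Every value the textbook sampler x +/- scale*ln(u) can return when the
    uniform u is drawn from the grid {1/2^bits, ..., 1}."""
    n = 1 << bits
    outs = set()
    for k in range(1, n + 1):
        mag = -scale * math.log(k / n)      # inverse-CDF transform of u = k/n
        outs.add(x + mag)
        outs.add(x - mag)
    return outs


def support_mismatch(scale=1.0, bits=12):
    """Fraction of outputs reachable with true value 0 that can never occur
    with true value 1. Pure epsilon-DP requires this to be 0: an output that
    is impossible for one neighbour identifies the other with certainty."""
    s0 = naive_laplace_outputs(0.0, scale, bits)
    s1 = naive_laplace_outputs(1.0, scale, bits)
    return len(s0 - s1) / len(s0)


def bernoulli_exp(num, den, rng):
    """Exact Bernoulli(exp(-num/den)) from integer randomness only."""
    while num > den:                        # peel off factors of exp(-1)
        if not bernoulli_exp(1, 1, rng):
            return False
        num -= den
    k = 1
    while rng.randrange(den * k) < num:     # Bernoulli(gamma / k), gamma <= 1
        k += 1
    return k % 2 == 1


def discrete_laplace(t, rng):
    """Exact sample of integer Z with P[Z=z] proportional to exp(-|z|/t),
    for a positive integer scale t. No floating-point value is ever formed."""
    while True:
        u = rng.randrange(t)
        if not bernoulli_exp(u, t, rng):    # accept u with prob exp(-u/t)
            continue
        v = 0
        while bernoulli_exp(1, 1, rng):     # geometric number of exp(-1) wins
            v += 1
        y = u + t * v
        negative = rng.randrange(2) == 1
        if negative and y == 0:             # do not count zero twice
            continue
        return -y if negative else y


def empirical_ratio(t, draws, rng):
    """Observed P[Z=0] / P[Z=-1]: the likelihood ratio at output 0 between
    true values 0 and 1. It should sit near exp(1/t), the promised bound."""
    zs = [discrete_laplace(t, rng) for _ in range(draws)]
    return zs.count(0) / zs.count(-1)


if __name__ == "__main__":
    print("naive sampler, outputs unreachable from the neighbour:",
          support_mismatch())
    print("discrete Laplace ratio at 0 (bound e^0.5 = %.3f):" % math.exp(0.5),
          empirical_ratio(2, 20000, random.SystemRandom()))
```

With a 53-bit uniform source the mismatch is partial rather than near-total, but it has the same cause: a finite grid pushed through a logarithm. The integer sampler's output set is all of ℤ for every integer input.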
Original abstract
Since 2016, Apple has claimed that device analytics collected to improve user experience are protected by differential privacy (DP). Apple's DifferentialPrivacy.framework is deployed across its operating systems and handles sensitive signals such as Safari domains, keyboard events, photo attributes, and health-related reports. Because Apple has not open-sourced its privatization algorithms, these privacy claims have been difficult to verify independently. We present a client-side audit of Apple's DP framework on macOS Sonoma 14.2 and Sequoia 15.6. We reverse engineer the shipped binaries, recover Objective-C interfaces, build runtime harnesses that execute Apple's deployed mechanisms, and test whether their outputs match the advertised privacy guarantees. Our audit covers nearly all active deployed mechanisms, including Count Median Sketch, Hadamard-CMS, randomized-response mechanisms, and Prio-style secure aggregation. We find multiple implementation bugs and misconfigurations. Every audited mechanism that relies on floating-point noise fails to meet its advertised DP or zero-knowledge proof guarantee, due to insecure samplers with known floating-point vulnerabilities. We also find secure-aggregation configurations with local DP disabled, exposing pre-aggregation records to any party with access to those logs. Overall, we find DP violations in 5 of 9 audited mechanisms, affecting 87% of data collection in macOS Sonoma and 68% in Sequoia. We also identify public leaked iPhone logs that can be decoded to recover private information, including Safari domains and keyboard emoji signals.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript conducts a client-side audit of Apple's DifferentialPrivacy.framework on macOS Sonoma 14.2 and Sequoia 15.6 by reverse-engineering shipped binaries, recovering Objective-C interfaces, and constructing runtime harnesses to execute the deployed mechanisms (Count Median Sketch, Hadamard-CMS, randomized response, and Prio-style secure aggregation). It reports that every floating-point noise sampler fails to meet advertised DP or zero-knowledge guarantees due to known vulnerabilities, identifies secure-aggregation configurations with local DP disabled, finds DP violations in 5 of 9 mechanisms affecting 87% of data collection on Sonoma and 68% on Sequoia, and notes publicly leaked logs that can decode private signals such as Safari domains and keyboard events.
Significance. If the empirical findings hold, the work is significant for independently verifying long-standing closed-source DP claims in a widely deployed system handling sensitive user signals. The concrete identification of floating-point sampler failures and the quantification of affected collection volume provide actionable evidence of practical privacy risks, while the use of shipped binaries and executable harnesses offers a reproducible audit methodology that strengthens the results beyond documentation review alone.
major comments (2)
- [Abstract and §4] Abstract and §4 (Harness Execution and Results): The central claim that DP violations affect 87% of data collection in Sonoma and 68% in Sequoia rests on the tested samplers and configurations being exactly those invoked for real signals. The manuscript recovers interfaces and builds harnesses that execute the binaries, but provides no production telemetry, log comparison, or source-level confirmation that the exercised paths match the live analytics pipelines for Safari domains, keyboard events, or other signals. This assumption is load-bearing for the reported percentages and violation counts.
- [§5.2] §5.2 (Secure Aggregation Configurations): The finding that local DP is disabled in certain Prio-style setups, exposing pre-aggregation records, is presented as a misconfiguration. However, the manuscript does not detail how these configurations were identified in the binaries or whether they are reachable under default device settings, which directly affects the practical risk assessment.
minor comments (2)
- [Abstract] The abstract states 'nearly all active deployed mechanisms' are covered, but the manuscript should include an explicit table or appendix listing all 9 mechanisms with their coverage status and the basis for the 87%/68% impact figures.
- [Figures and §3] Figure captions and harness descriptions would benefit from additional detail on how floating-point outputs were sampled and compared against the advertised ε bounds to allow independent reproduction.
Simulated Author's Rebuttal
Thank you for the thorough and constructive review of our manuscript. We address each major comment below with point-by-point responses and indicate where revisions will be made to the next version.
- Referee: [Abstract and §4] Abstract and §4 (Harness Execution and Results): The central claim that DP violations affect 87% of data collection in Sonoma and 68% in Sequoia rests on the tested samplers and configurations being exactly those invoked for real signals. The manuscript recovers interfaces and builds harnesses that execute the binaries, but provides no production telemetry, log comparison, or source-level confirmation that the exercised paths match the live analytics pipelines for Safari domains, keyboard events, or other signals. This assumption is load-bearing for the reported percentages and violation counts.
  Authors: We thank the referee for this observation. The reported percentages are estimates based on the coverage of the audited mechanisms (Count Median Sketch, Hadamard-CMS, randomized response, and Prio-style aggregation) within the DifferentialPrivacy.framework binaries we analyzed, cross-referenced against the framework's public interface documentation and the signals it is known to handle. We agree that absent production telemetry or source-level confirmation, we cannot definitively prove that every exercised path matches live pipelines in all cases. We will revise the abstract and §4 to qualify these figures explicitly as coverage-based estimates, add a limitations paragraph discussing the lack of internal telemetry access, and emphasize that the core empirical findings (floating-point sampler failures and configuration issues) were obtained by direct execution of the shipped binaries regardless of exact invocation frequency.
  revision: yes
- Referee: [§5.2] §5.2 (Secure Aggregation Configurations): The finding that local DP is disabled in certain Prio-style setups, exposing pre-aggregation records, is presented as a misconfiguration. However, the manuscript does not detail how these configurations were identified in the binaries or whether they are reachable under default device settings, which directly affects the practical risk assessment.
  Authors: We appreciate the referee drawing attention to the need for additional methodological detail in §5.2. The configurations were located through static disassembly of the DifferentialPrivacy.framework binaries on both Sonoma and Sequoia using standard reverse-engineering tools, followed by recovery of the relevant Objective-C classes implementing the Prio protocol and inspection of the initialization flags that control local DP noise addition. These flags were observed to be disabled for certain signal categories in the default binary images. We will expand §5.2 with a new subsection describing the disassembly steps, specific binary locations, and evidence that the configurations are reachable under default device settings (including how the framework selects them for standard analytics collection). This will strengthen the practical risk assessment without altering the underlying finding.
  revision: yes
Circularity Check
No circularity: empirical audit of shipped binaries with no derivations or self-referential reductions
The paper performs a client-side audit by reverse-engineering Objective-C interfaces from macOS Sonoma and Sequoia binaries, constructing runtime harnesses, and directly executing the deployed mechanisms to compare outputs against advertised DP guarantees. All central claims (DP violations in 5 of 9 mechanisms, affecting 87%/68% of collection) rest on these empirical observations of actual binary behavior rather than any equations, fitted parameters, predictions derived from inputs, or self-citation chains. No load-bearing step reduces a result to its own inputs by construction; the work is self-contained against external benchmarks (Apple's public claims and the tested binaries themselves).
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Reverse-engineered Objective-C interfaces and executed mechanisms match the production code paths used for real analytics collection.
Appendix A. Apple's Response and Relation to Our Results
This appendix summarizes Apple's response to our disclosure and explains how they relate to the results that we report. We note that all results in the paper concern the client-side, pre-aggregat...
Matching this, we did find CMS/HCMS mechanisms missing in the DP framework shipped on macOS Sequoia 15.6 (but were present in Sonoma 14.2). We keep our results for these mechanisms as historical to illustrate how large ε materially weakens privacy, because other deployers may still use these designs. Our decoders and audits demonstrate the methodology withou...
- Auditor executes $M$ in a controlled environment to collect certain statistics $A(M) \in \Omega$.
- Auditor then REJECTS if $A(M)$ lies in the rejection set $R_f(\gamma) \subset \Omega$ of extreme values that rarely occur (probability less than $\gamma$) under $f$-DP. Otherwise, the auditor FAILS TO REJECT.
Formally, an $f$-DP auditor $(A, R_f)$ is such that for all mechanisms $M : X \to Y$ and significance levels $\gamma \in [0, 1]$,
$$M \text{ is } f\text{-DP} \implies P[A(M) \in R_f(\gamma)] \le \gamma. \tag{9}$$
In other words, an $f$-DP auditor $(A, R_f)$ has only a small p...