Plausible Deniability Guarantees for Whistleblowers

📅 2026-07-15
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the risk of retaliation against whistleblowers in internal organizational audits due to potential identity disclosure by formally introducing, for the first time, a (0,δ)-differential privacy guarantee for each report under a strong adversary model that can observe audit selections. By reducing private auditing to the problem of private continual counting and leveraging post-processing techniques, the authors propose a general mechanism that overcomes the performance limitations of traditional randomized response methods. The mechanism introduces only O(√log T) noise over T audit rounds, and when the disparity in report counts grows faster than √log T, the error in audit selection vanishes asymptotically. Empirical simulations demonstrate that this approach significantly outperforms existing methods in terms of accuracy and utility.
📝 Abstract
Whistleblowers are a key safeguard against organizational wrongdoing, but the threat of retaliation deters reporting. Existing whistleblower-protection proposals lack formal privacy guarantees, and existing differential privacy mechanisms do not directly target the natural threat model -- one in which the audited organization itself observes auditor selection decisions and uses them to identify reporters. We formalize protection against a strong-adversary threat model as per-report $(0, δ)$-differential privacy on the transcript of audit selections. Within this framework we prove that a natural approach -- randomized response applied at the selection step -- can never outperform uniform random auditing by more than $δ$ at any horizon. We then give a generic mechanism that reduces private auditing to private continual counting: any $(0, δ)$-DP continual counter plugs in by post-processing, and the audit transcript inherits the same per-report guarantee. Instantiating the reduction with a recent work in continual counting yields per-report $(0, δ)$-DP with noise scaling as $O(\sqrt{\log T})$ across a horizon of $T$ audit decisions. A utility theorem shows that the selection error vanishes whenever the noisy report gap between the most-reported organization and the runner-up grows faster than $\sqrt{\log T}$. Simulations show a substantial improvement over randomized response.
Problem

Research questions and friction points this paper is trying to address.

whistleblower protection
plausible deniability
differential privacy
audit selection
strong adversary
Innovation

Methods, ideas, or system contributions that make the work stand out.

differential privacy
whistleblower protection
continual counting
plausible deniability
private auditing
🔎 Similar Papers
No similar papers found.