Working with privacy budgets

This topic describes the tasks that a data provider who has implemented differential privacy can perform to manage privacy budgets. For an introduction to privacy budgets and how they help prevent queries from revealing sensitive information about an entity, see Limiting privacy loss.

You do not create a privacy budget independent of a privacy policy. A privacy budget is created automatically when you define its name in the body of the privacy policy.

To manage a privacy budget, you need the OWNERSHIP privilege on the privacy policy that specifies the privacy budget.

Note

Currently, you cannot alter the privacy budget limit.

About the refresh period

Snowflake periodically resets the cumulative privacy loss of a privacy budget to 0 to let analysts run a new set of queries. This automatic refresh lets analysts access new data as it is added to a table. Theoretically, the analyst hasn’t learned any information about this new data, so it’s appropriate to let them run more queries.

View a privacy budget

Each privacy budget is namespaced to a privacy policy. There can be multiple privacy budgets with the same name, but each is unique to a privacy policy. Within a privacy policy, a privacy budget is further namespaced to the consumer account incurring privacy loss. As a result, multiple accounts can have a privacy budget with the same name and limit on privacy loss, but Snowflake tallies the cumulative privacy loss for each account separately.

Viewing a privacy budget lets you see its limit on privacy loss as well as the cumulative privacy loss incurred by users associated with the budget. You can use this information to determine whether the cumulative privacy loss is approaching the privacy budget’s limit.

Note

The cumulative privacy loss associated with a privacy budget does not include privacy loss incurred in accounts outside of the data provider’s account.

You have two options for viewing privacy budgets. You can use the PRIVACY_BUDGETS view in the Account Usage schema to query all privacy budgets in the account or you can use the CUMULATIVE_PRIVACY_LOSSES table function to view the privacy budgets associated with a particular privacy policy. For both methods, a privacy budget only appears if analysts associated with the privacy budget have incurred privacy loss or if an administrator has reset the privacy budget.

PRIVACY_BUDGETS view

The PRIVACY_BUDGETS view in the Account Usage schema contains all privacy budgets in the account. You can use it to view privacy budgets associated with all of the privacy policies that you own, and you can filter the results to focus on specific privacy budgets by name. For example, to focus on a specific privacy budget associated with the patients_policy privacy policy, you might execute the following query:

SELECT * FROM snowflake.account_usage.privacy_budgets
  WHERE policy_name='patients_policy' AND budget_name='analyst_budget';

CUMULATIVE_PRIVACY_LOSSES function

You can use the CUMULATIVE_PRIVACY_LOSSES table function to retrieve privacy budgets associated with a particular privacy policy. When you call the function, you must fully qualify the name of the privacy policy.

For example, to view the privacy budgets that are specified in the my_policy_privacy privacy policy, execute the following:

SELECT *
  FROM TABLE(SNOWFLAKE.DATA_PRIVACY.CUMULATIVE_PRIVACY_LOSSES(
    'my_policy_db.my_policy_schema.my_policy_privacy'));

Reset cumulative privacy loss

As analysts associated with a privacy budget execute queries, Snowflake tallies the cumulative privacy loss of those queries. You can call the RESET_PRIVACY_BUDGET stored procedure to reset the cumulative privacy loss to 0, letting the analysts execute additional queries.

The RESET_PRIVACY_BUDGET stored procedure is intended to reset the budget when analysts inadvertently incur privacy loss and want to start over. Remember that the privacy loss is automatically set to 0 when the privacy budget is refreshed.

Only the cumulative privacy loss associated with analysts in the specified account is reset to 0, even if the privacy budget is associated with analysts in multiple accounts.

Note

When you call RESET_PRIVACY_BUDGET, the cumulative privacy loss is not reset immediately. It is reset the next time a query incurs privacy loss. As a result, if you view the privacy budget after calling the procedure but before the first query incurs privacy loss, the cumulative privacy loss will not be 0.

Example

Suppose the my_policy privacy policy includes the analyst_budget privacy budget. To reset the cumulative privacy loss incurred by users associated with the analyst_budget privacy budget who are executing their queries in the companyorg.account_123 account:

CALL SNOWFLAKE.DATA_PRIVACY.RESET_PRIVACY_BUDGET(
  'my_policy_db.my_policy_schema.my_policy',
  'analyst_budget',
  'companyorg',
  'account_123');
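
The following Python sketch is an added illustration, not Snowflake code or part of the original documentation. It models only the tallying rules stated on this page: budgets keyed by privacy policy and consumer account, a reset that applies to one account and takes effect on the next query that incurs privacy loss, and budgets that appear in a view only after loss or a reset. The class and method names, the limits, the loss values and account_456 are constructed for the example.

```python
class BudgetLedger:
    """Toy model of the tallying rules on this page (hypothetical, not Snowflake's code)."""

    def __init__(self):
        self.limits = {}   # (policy, budget) -> limit named in the policy body
        self.tallies = {}  # (policy, budget, org, account) -> [loss, reset_pending]

    def define(self, policy, budget, limit):
        self.limits[(policy, budget)] = limit

    def incur(self, policy, budget, org, account, loss):
        """Add one query's privacy loss; a pending reset is applied first."""
        t = self.tallies.setdefault((policy, budget, org, account), [0.0, False])
        if t[1]:
            t[0], t[1] = 0.0, False
        t[0] += loss
        return t[0]

    def reset(self, policy, budget, org, account):
        """Models RESET_PRIVACY_BUDGET: marks one account's tally, zeroes nothing yet."""
        self.tallies.setdefault((policy, budget, org, account), [0.0, False])[1] = True

    def view(self, policy):
        """Budgets of one policy that have incurred loss or been reset."""
        return {k[1:]: t[0] for k, t in self.tallies.items() if k[0] == policy}

    def near_limit(self, policy, fraction=0.8):
        """Budgets whose viewed loss is at or above fraction of the limit."""
        return sorted(k for k, loss in self.view(policy).items()
                      if loss >= fraction * self.limits[(policy, k[0])])


def demo():
    led = BudgetLedger()
    led.define("my_policy", "analyst_budget", 10.0)        # constructed limits
    led.define("patients_policy", "analyst_budget", 10.0)  # same name, other policy
    acct = ("my_policy", "analyst_budget", "companyorg", "account_123")
    led.incur(*acct, 6.0)
    led.incur(*acct, 3.0)
    led.incur("my_policy", "analyst_budget", "companyorg", "account_456", 2.0)
    led.incur("patients_policy", "analyst_budget", "companyorg", "account_123", 1.0)
    before = led.view("my_policy")
    led.reset(*acct)
    after_reset = led.view("my_policy")    # unchanged: reset has not taken effect
    flagged = led.near_limit("my_policy")  # account_123 still looks near its limit
    led.incur(*acct, 0.5)                  # first loss after the reset zeroes the tally
    after_query = led.view("my_policy")
    return before, after_reset, flagged, after_query
```

In this model a monitoring check run between the reset call and the next query still flags account_123, which is the behavior the note above describes.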