Adjust privacy controls

This topic describes techniques the data owner can use to adjust the privacy controls that Snowflake uses to introduce noise into results. Snowflake recommends trying these options in the order in which they’re presented in this topic.

Snowflake provides parameters to adjust both the privacy budget’s limit on privacy loss and the maximum amount of privacy budget used per aggregate (collectively known as the epsilon in differential privacy literature).

Step 1: Adjust privacy domains

Before adjusting the privacy budget, you should consider adjusting the privacy domain set on the columns of the privacy-protected table. Snowflake introduces enough noise to obscure all values in a column, so the wider the range of values, the more noise that must be introduced. Follow these guidelines:

  • If you want to increase the noise, broaden the range to include values that are greater or less than the actual values. Remember, the privacy domain defines all possible values, not actual values.

  • If you want to decrease the noise, narrow the privacy domain to exclude or clamp values outside a useful range. For information about how values outside the privacy domain are treated, see Values outside a privacy domain.

Note

The analyst can also narrow a privacy domain to decrease noise. For more information, see Narrowing a privacy domain to improve results.

Step 2: Adjust MAX_BUDGET_PER_AGGREGATE parameter

If you’ve adjusted the privacy domain, but still need to fine-tune your privacy controls, you can start modifying settings that affect the privacy budget. Adjusting the MAX_BUDGET_PER_AGGREGATE parameter in the body of a privacy policy controls how much of a privacy budget can be spent on each aggregate in a query (that is, how much privacy loss an aggregate can incur). Adjusting this parameter changes the amount of noise added to each aggregate query, as well as the number of aggregates that can be executed before the privacy budget limit is reached.

The parameter sets the level for each aggregate, not each query. As an example, the query SELECT COUNT(*), AVG(a) ... has two aggregates: COUNT(*) and AVG(a).

To adjust the maximum privacy loss incurred by each aggregate in a query, use the ALTER PRIVACY POLICY command to set a new value for the MAX_BUDGET_PER_AGGREGATE parameter. For example:

ALTER PRIVACY POLICY users_policy SET BODY ->
  PRIVACY_BUDGET(BUDGET_NAME=>'analysts', MAX_BUDGET_PER_AGGREGATE=>0.1);
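The following is an added illustration of the two levers described in Step 1 and Step 2; it is not Snowflake's code and does not reproduce Snowflake's actual noise mechanism. It uses a textbook Laplace mechanism as a stand-in: the noise scale equals the aggregate's sensitivity divided by the per-aggregate epsilon, so a wider privacy domain (larger sensitivity for a SUM) or a smaller MAX_BUDGET_PER_AGGREGATE both increase noise, and clamping out-of-domain values is shown as one treatment for values outside the domain. The sample ages and the domain bounds are constructed for the example.

```python
"""Constructed model of how privacy-domain width and per-aggregate epsilon
(MAX_BUDGET_PER_AGGREGATE) drive the noise added to an aggregate.
Not Snowflake's implementation: a textbook Laplace mechanism stands in for
whatever mechanism Snowflake actually applies."""
import math
import random


def clamp_to_domain(value, lo, hi):
    """Clamp a value into the privacy domain [lo, hi]; clamping is one of the
    treatments the text mentions for values that fall outside the domain."""
    return min(max(value, lo), hi)


def sum_sensitivity(lo, hi):
    """For a SUM over a bounded column, one person's row can move the result
    by at most the domain width, so sensitivity grows with the domain.
    (A COUNT has sensitivity 1 no matter how wide the domain is.)"""
    if hi < lo:
        raise ValueError("privacy domain upper bound below lower bound")
    return hi - lo


def laplace_scale(sensitivity, epsilon):
    """Laplace mechanism: noise scale b = sensitivity / epsilon.
    A smaller epsilon (less privacy loss per aggregate) means more noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale, rng):
    """Draw Laplace(0, scale) noise by inverse CDF from a uniform sample."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def noisy_sum(values, lo, hi, epsilon, seed=0):
    """Return (true clamped sum, noisy sum) for one SUM aggregate.
    The seed only makes the illustration reproducible."""
    rng = random.Random(seed)
    clamped = [clamp_to_domain(v, lo, hi) for v in values]
    true_sum = sum(clamped)
    scale = laplace_scale(sum_sensitivity(lo, hi), epsilon)
    return true_sum, true_sum + sample_laplace(scale, rng)


def noise_scale_table(domains, epsilons):
    """Noise scale for every (domain, epsilon) pair, showing the two levers
    the text describes: narrowing the domain or raising the epsilon."""
    return {
        ((lo, hi), eps): laplace_scale(sum_sensitivity(lo, hi), eps)
        for lo, hi in domains
        for eps in epsilons
    }


if __name__ == "__main__":
    # Constructed sample: ages, one of which lies outside a [0, 100] domain.
    ages = [34, 41, 29, 150, 58]
    print(noisy_sum(ages, 0, 100, 0.1, seed=7))
    for key, scale in noise_scale_table([(0, 100), (0, 1000)], [0.1, 0.5]).items():
        print(key, round(scale, 1))
```

Reading the table in the usage block: with epsilon 0.1 the noise scale for a SUM over a [0, 1000] domain is ten times that of a [0, 100] domain, and raising epsilon to 0.5 for either domain cuts the scale by a factor of five, which is why the text suggests narrowing the domain before spending more privacy budget per aggregate.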

Step 3: Adjust limit of the privacy budget

If adjusting other privacy controls doesn’t give you the results you’re looking for, you can adjust the privacy budget’s limit on privacy loss. While the other privacy controls affect the amount of noise in query results, adjusting the budget limit affects how many queries an analyst can run.

Each time an analyst runs a query with aggregate functions against a privacy-protected table, the analyst’s cumulative privacy loss is incremented, and the estimated number of remaining aggregates is decremented. When the cumulative privacy loss reaches the privacy budget’s limit, the analyst cannot run another query. If you want to maximize the usefulness of your data to the analyst, you can base your budget limit on how many queries you think analysts will run during each budget window.

Note

Remember that cumulative privacy loss is reset to 0 on a fixed schedule, as defined by the budget window. When the privacy budget is reset, the analyst can run a fresh set of queries even if they reached the budget limit during the previous budget window.

The ESTIMATE_REMAINING_DP_AGGREGATES function helps estimate the number of queries remaining for a privacy budget. In general, this number is based on the number of aggregates in each query and the value of the MAX_BUDGET_PER_AGGREGATE parameter that you specified in the body of the privacy policy. For an extended example of using the ESTIMATE_REMAINING_DP_AGGREGATES function to see the effects of queries on the privacy budget, see Tracking privacy budget spending.

After you have used the ESTIMATE_REMAINING_DP_AGGREGATES function to get an idea of how much privacy budget is spent on a series of queries, you can adjust the BUDGET_LIMIT parameter in the body of the privacy policy to set a new privacy budget limit. For example:

ALTER PRIVACY POLICY users_policy SET BODY ->
  PRIVACY_BUDGET(BUDGET_NAME=>'analysts',
  BUDGET_LIMIT=>300,
  MAX_BUDGET_PER_AGGREGATE=>0.1);
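The following is an added model of the budget accounting described in Step 3; it is not Snowflake's code. It assumes the simplest reading of the text: every aggregate in a query spends MAX_BUDGET_PER_AGGREGATE, a query is refused when the cumulative loss would exceed BUDGET_LIMIT, and the loss returns to 0 at the start of each budget window. The window length, the `count_aggregates` heuristic (a naive scan for common aggregate function calls) and the `estimate_remaining_aggregates` method (a stand-in for ESTIMATE_REMAINING_DP_AGGREGATES, whose exact estimate may differ) are all assumptions made for the illustration; the workload is constructed.

```python
"""Constructed model of privacy budget accounting for a budget such as
'analysts' with BUDGET_LIMIT=300 and MAX_BUDGET_PER_AGGREGATE=0.1.
Not Snowflake's implementation: window length, aggregate counting and the
remaining-aggregate estimate are simplifying assumptions."""
import re
from fractions import Fraction

# Naive heuristic for counting aggregates in a query (assumption, not
# Snowflake's parser): COUNT(*) and AVG(a) in the text's example give 2.
_AGGREGATE_CALL = re.compile(r"\b(COUNT|SUM|AVG|MIN|MAX|STDDEV|VARIANCE)\s*\(", re.I)


def count_aggregates(sql):
    """Count aggregate function calls in a query string."""
    return len(_AGGREGATE_CALL.findall(sql))


class PrivacyBudget:
    """Track cumulative privacy loss for one named budget."""

    def __init__(self, budget_limit, max_budget_per_aggregate, window_days=7):
        # Fractions keep the arithmetic exact (0.1 is not exact in binary).
        self.limit = Fraction(str(budget_limit))
        self.per_aggregate = Fraction(str(max_budget_per_aggregate))
        self.window_days = window_days  # assumed window length for the model
        self.spent = Fraction(0)
        self.window_start_day = 0
        self.refused = 0

    def _maybe_reset(self, day):
        """Reset cumulative loss to 0 when a new budget window has begun."""
        if day - self.window_start_day >= self.window_days:
            elapsed = (day - self.window_start_day) // self.window_days
            self.window_start_day += elapsed * self.window_days
            self.spent = Fraction(0)

    def estimate_remaining_aggregates(self, day=None):
        """Stand-in for ESTIMATE_REMAINING_DP_AGGREGATES: how many more
        aggregates fit in the budget at the current per-aggregate cost."""
        if day is not None:
            self._maybe_reset(day)
        return (self.limit - self.spent) // self.per_aggregate

    def run_query(self, aggregate_count, day):
        """Charge a query with `aggregate_count` aggregates on `day`.
        Returns True if it ran, False if it would exceed the budget limit."""
        self._maybe_reset(day)
        cost = aggregate_count * self.per_aggregate
        if self.spent + cost > self.limit:
            self.refused += 1
            return False
        self.spent += cost
        return True


def simulate(budget, workload):
    """Run a workload of (day, sql) pairs; return (day, ran, remaining) rows."""
    rows = []
    for day, sql in workload:
        ran = budget.run_query(count_aggregates(sql), day)
        rows.append((day, ran, budget.estimate_remaining_aggregates()))
    return rows


if __name__ == "__main__":
    # Constructed workload against a deliberately small budget so the
    # refusal and the window reset are visible within a few queries.
    small = PrivacyBudget(budget_limit=1, max_budget_per_aggregate=0.5, window_days=7)
    workload = [
        (0, "SELECT COUNT(*), AVG(a) FROM t"),   # spends 1.0, fills the budget
        (1, "SELECT SUM(b) FROM t"),             # refused
        (7, "SELECT SUM(b) FROM t"),             # new window, runs
    ]
    for row in simulate(small, workload):
        print(row)
```

With the values from the ALTER PRIVACY POLICY example above, the model starts at 3000 remaining aggregates (300 / 0.1) and a query with two aggregates leaves 2998, which is the kind of arithmetic to sanity-check before settling on a BUDGET_LIMIT for the number of queries you expect per window.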

Important

Note that this command includes the MAX_BUDGET_PER_AGGREGATE parameter that was set previously. If you don’t include a parameter in the ALTER PRIVACY POLICY statement, it resets to its default value.