Skip to content

PET Composition

Real systems combine PETs. The hard part is not naming the stack; it is explaining how guarantees interact, degrade, or leave gaps.

FL + DP + Secure Aggregation

Field Card
Problem What does it mean to compose FL, DP, and secure aggregation?
The itch Teams describe the stack as if each PET simply adds privacy, but each one protects a different artifact under different assumptions.
Why it matters Misstated guarantees lead to bad architecture reviews and overconfident deployment claims.
Current workaround List all PETs used and add caveats separately.
Why the workaround is insufficient It does not explain which adversary sees updates, aggregates, final models, logs, and outputs.
What good progress would look like A composition template that maps each PET to protected assets, adversaries, assumptions, and residual leakage.
Difficulty Medium
Good for Privacy engineer, ML researcher, systems builder
Related PETs FL, DP, secure aggregation
Possible first contribution Draw one FL + secure aggregation + DP architecture and annotate every privacy claim with protected artifact and failure mode.

Guarantee Degradation Across Chains

Field Card
Problem How do guarantees degrade when PETs are chained?
The itch A pipeline may use DP statistics, synthetic data, clean-room joins, and model training, but the end-to-end claim is unclear.
Why it matters Users hear the strongest component guarantee and assume it applies to the whole system.
Current workaround Review each component independently.
Why the workaround is insufficient Component reviews miss composition, repeated releases, auxiliary information, and output reuse.
What good progress would look like A method for tracing privacy units, assumptions, outputs, and composition costs across a pipeline.
Difficulty Hard
Good for Privacy engineer, policy researcher, cryptographer
Related PETs DP, synthetic data, clean rooms, MPC
Possible first contribution Analyze one synthetic-data pipeline from raw data to release and identify where the strongest claim stops applying.

Trust-Boundary Architecture Diagrams

Field Card
Problem How can architecture diagrams include explicit trust boundaries?
The itch PET diagrams often show data flows but omit who controls code, keys, logs, policies, and outputs.
Why it matters Reviewers cannot evaluate a privacy claim if they cannot see where trust changes.
Current workaround Add prose threat-model notes after the diagram.
Why the workaround is insufficient Prose gets separated from the design and misses changes during implementation.
What good progress would look like A diagram notation for actors, trust zones, protected artifacts, allowed outputs, and assumption labels.
Difficulty Good first research problem
Good for Systems builder, privacy engineer, technical writer
Related PETs All PETs
Possible first contribution Redraw three existing PET diagrams with trust boundaries, control points, and output leakage notes.

Composition Test Cases

Field Card
Problem What test cases reveal broken PET composition?
The itch A composed PET stack may pass component tests while leaking through logs, outputs, repeated queries, or small cohorts.
Why it matters Builders need tests that catch architecture-level privacy failures before launch.
Current workaround Security review and manual red-team exercises.
Why the workaround is insufficient It is expensive and not reusable across projects.
What good progress would look like Reusable privacy test cases for common compositions such as FL + DP, PSI + clean room, and TEE + RAG.
Difficulty Medium
Good for Privacy engineer, benchmark maintainer, systems builder
Related PETs FL, DP, PSI, TEEs, clean rooms
Possible first contribution Create five failure-mode tests for a confidential RAG demo: overbroad retrieval, prompt logging, citation leakage, attestation bypass, and answer exfiltration.