
arxiv: 2605.21378 · v2 · pith:ZQFLV32Unew · submitted 2026-05-20 · 💻 cs.CR · cs.CY

Auditing Apple's DifferentialPrivacy.framework: Implementation Bugs, Misconfigurations, and Practical Risks

Pith reviewed 2026-05-22 09:41 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords: differential privacy, implementation audit, floating-point vulnerabilities, secure aggregation, Apple macOS, privacy guarantees, data leakage, random sampling

The pith

Apple's DifferentialPrivacy framework fails to deliver its advertised privacy guarantees due to floating-point sampling bugs and misconfigurations.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper reverse-engineers the closed-source DifferentialPrivacy framework binaries on recent macOS versions and builds runtime tests to check whether the actual mechanisms match Apple's differential privacy claims. It shows that every mechanism using floating-point noise addition relies on insecure samplers that are known to be vulnerable, so the outputs do not satisfy the stated privacy bounds. The audit also finds secure-aggregation paths where local differential privacy is disabled, leaving raw records exposed in logs. These flaws affect the large majority of analytics data collected from users, including Safari domains, keyboard signals, and health reports. A reader would care because the company's long-standing privacy assurances for device analytics rest on these mechanisms.

Core claim

Every audited mechanism that relies on floating-point noise fails to meet its advertised DP or zero-knowledge proof guarantee, due to insecure samplers with known floating-point vulnerabilities. We also find secure-aggregation configurations with local DP disabled, exposing pre-aggregation records to any party with access to those logs. Overall, we find DP violations in 5 of 9 audited mechanisms, affecting 87% of data collection in macOS Sonoma and 68% in Sequoia. Public leaked iPhone logs can be decoded to recover private information including Safari domains and keyboard emoji signals.

What carries the argument

Reverse-engineered Objective-C interfaces and runtime harnesses that execute Apple's deployed mechanisms and compare their outputs against the advertised privacy guarantees.

If this is right

  • Analytics data such as Safari domains and keyboard events can be recovered from logs despite the privacy claims.
  • Health reports and photo attributes sent by the framework lack the intended protection in the affected mechanisms.
  • Zero-knowledge proofs attached to some mechanisms do not hold because of the sampler flaws.
  • Pre-aggregation records in certain secure-aggregation configurations are visible to anyone with log access.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same floating-point sampler issues could appear in other closed-source differential privacy deployments from different vendors.
  • Making the privatization code open source would allow continuous external checks that the guarantees actually hold in practice.
  • Future macOS updates that replace the current samplers with cryptographically secure alternatives could restore the original privacy targets.

Load-bearing premise

The reverse-engineered Objective-C interfaces and runtime harnesses accurately reproduce the behavior of the production binaries deployed on user devices without modification or omission of critical paths.

What would settle it

Running controlled inputs through the framework's samplers and verifying that the resulting noise distributions satisfy the claimed differential privacy bounds for the stated epsilon values would disprove the violations.
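Added example (not the paper's harness and not Apple's code): the two-input check described above, run against a toy floating-point Laplace sampler of the insecure kind the audit describes (the Mironov 2012 low-order-bit issue) and against a snapping-style hardened variant. The adjacent inputs 0 and 1, the claimed epsilon, the trial count and the grid-membership event are all constructed here.

```python
import math
import random


def naive_laplace(x, b, rng):
    """Textbook floating-point Laplace mechanism: x + Lap(b).

    This is the insecure sampler pattern the audit describes: the result is
    a plain double, so which values are *representable* depends on x
    (Mironov 2012). Constructed here for illustration, not Apple's code.
    """
    sign = 1.0 if rng.random() < 0.5 else -1.0
    return x + b * sign * rng.expovariate(1.0)   # |Lap(b)| ~ b * Exp(1)


def smallest_pow2_at_least(b):
    """Grid spacing Lambda = smallest power of two >= b."""
    m, e = math.frexp(b)                         # b = m * 2**e, 0.5 <= m < 1
    return math.ldexp(1.0, e - 1 if m == 0.5 else e)


def snapped_laplace(x, b, bound, rng):
    """Snapping-style hardening, after Mironov's snapping mechanism:
    clamp, add noise, round to a grid of spacing Lambda >= b, clamp again.

    Rounding onto one fixed grid removes the low-order-bit structure the
    naive version leaks. Illustrative only: the full mechanism also fixes
    how the uniform is drawn and the log evaluated, which is omitted here.
    """
    lam = smallest_pow2_at_least(b)
    x = max(-bound, min(bound, x))
    sign = 1.0 if rng.random() < 0.5 else -1.0
    y = x + b * sign * rng.expovariate(1.0)
    y = lam * round(y / lam)                     # exact: lam is a power of two
    return max(-bound, min(bound, y))


def on_grid(y, k=53):
    """True iff y is an exact multiple of 2**-k (k=53: spacing of doubles
    in [0.5, 1)). ldexp only changes the exponent, so the test is exact."""
    return math.ldexp(y, k).is_integer()


def audit_event(mechanism, x0, x1, event, trials, rng):
    """Empirical epsilon lower bound from one distinguishing event E.

    Runs the black-box mechanism on adjacent inputs x0, x1 and compares
    P[M(x0) in E] with P[M(x1) in E]. Any eps-DP mechanism must satisfy
    max(p0/p1, p1/p0) <= exp(eps); a one-sided zero probability means the
    input is identified with certainty. (No confidence interval here; a
    real audit would add one.)
    """
    p0 = sum(event(mechanism(x0, rng)) for _ in range(trials)) / trials
    p1 = sum(event(mechanism(x1, rng)) for _ in range(trials)) / trials
    if p0 == p1:
        eps_lower = 0.0
    elif p0 == 0.0 or p1 == 0.0:
        eps_lower = math.inf
    else:
        eps_lower = abs(math.log(p0 / p1))
    return {"p_x0": p0, "p_x1": p1, "eps_lower": eps_lower}


def run_audit(trials=20000, seed=1):
    """Audit both samplers on the adjacent inputs 0 and 1 (sensitivity 1),
    claimed eps = 1, with the event 'output is NOT on the 2**-53 grid'.
    Every output of naive_laplace(1, ...) is fl(1 + n) for a double n,
    which is always a multiple of 2**-53, whereas naive_laplace(0, ...)
    emits finer-grained values near zero: the event occurs only for x = 0."""
    eps = 1.0
    b = 1.0 / eps                                # Laplace scale for sensitivity 1
    rng = random.Random(seed)

    def off_grid(y):
        return not on_grid(y)

    naive = audit_event(lambda x, r: naive_laplace(x, b, r),
                        0.0, 1.0, off_grid, trials, rng)
    snapped = audit_event(lambda x, r: snapped_laplace(x, b, 1e6, r),
                          0.0, 1.0, off_grid, trials, rng)
    return {"claimed_eps": eps, "naive": naive, "snapped": snapped}


if __name__ == "__main__":
    result = run_audit()
    for name in ("naive", "snapped"):
        r = result[name]
        print(f"{name:8s} P[E|x=0]={r['p_x0']:.3f} P[E|x=1]={r['p_x1']:.3f} "
              f"eps_lower={r['eps_lower']} (claimed {result['claimed_eps']})")
```

For the naive sampler the event never occurs when x = 1 but occurs for roughly a quarter of the x = 0 outputs, so the empirical epsilon is unbounded against a claimed epsilon of 1; after snapping, both inputs produce outputs on the same grid and the event no longer separates them.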

Figures

Figures reproduced from arXiv: 2605.21378 by Ergute Bao, Rishav Chourasia, Uzair Javaid, Xiaokui Xiao.

Figure 1: Distribution of DP mechanisms identified within macOS Sonoma
Figure 2: Overview of the design of DifferentialPrivacy.framework.
Figure 3: A program demonstrating how to dynamically load Apple’s DifferentialPrivacy.framework and access its NumberRandomizer functionality.
Figure 4: Result of our audit on Apple’s NumberRandomizer with DP
Figure 5: Result of our audit on Apple’s Prio++ algorithm, which uses
Figure 6: Illustration of our privacy audit on Apple’s Prio implementa
Figure 7: Decoding analytics data from our test iPhone device. The logs
Figure 8: Illustration of our decoder for Apple’s Count Median Sketch
Figure 9: Sample record generated by Count Median Sketch that appears
Original abstract

Since 2016, Apple has claimed that device analytics collected to improve user experience are protected by differential privacy (DP). Apple's DifferentialPrivacy framework is deployed across its operating systems and handles sensitive signals such as Safari domains, keyboard events, photo attributes, and health-related reports. Because Apple has not open-sourced its privatization algorithms, these privacy claims have been difficult to verify independently. We present a client-side audit of Apple's DP framework on macOS Sonoma 14.2 and Sequoia 15.6. We reverse engineer the shipped binaries, recover Objective-C interfaces, build runtime harnesses that execute Apple's deployed mechanisms, and test whether their outputs match the advertised privacy guarantees. Our audit covers nearly all active deployed mechanisms, including Count Median Sketch, Hadamard-CMS, randomized-response mechanisms, and Prio-style secure aggregation. We find multiple implementation bugs and misconfigurations. Every audited mechanism that relies on floating-point noise fails to meet its advertised DP or zero-knowledge proof guarantee, due to insecure samplers with known floating-point vulnerabilities. We also find secure-aggregation configurations with local DP disabled, exposing pre-aggregation records to any party with access to those logs. Overall, we find DP violations in 5 of 9 audited mechanisms, affecting 87% of data collection in macOS Sonoma and 68% in Sequoia. We also identify public leaked iPhone logs that can be decoded to recover private information, including Safari domains and keyboard emoji signals.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, and this is the friction.

Referee Report

1 major / 2 minor

Summary. The manuscript audits Apple's DifferentialPrivacy.framework on macOS Sonoma 14.2 and Sequoia 15.6. The authors reverse-engineer the shipped binaries, recover Objective-C interfaces, build runtime harnesses, and execute the deployed mechanisms (Count Median Sketch, Hadamard-CMS, randomized response, Prio-style secure aggregation) to test against advertised DP guarantees. They report that all floating-point noise mechanisms fail due to insecure samplers and that secure-aggregation configurations disable local DP, yielding DP violations in 5 of 9 mechanisms that affect 87% of data collection in Sonoma and 68% in Sequoia, plus decodable public iPhone logs exposing Safari domains and keyboard signals.

Significance. If the empirical results hold, the work is significant for privacy engineering and systems security. Direct execution of production binaries supplies concrete evidence of implementation bugs in floating-point DP samplers and misconfigurations in secure aggregation from a major vendor. The broad coverage of active mechanisms and identification of practical risks (recoverable private signals from logs) are strengths. The audit underscores challenges of verifying closed-source DP deployments and supplies falsifiable, reproducible test cases that could drive improvements in noise generation and configuration practices.

major comments (1)
  1. §4 (Harness construction and validation): The central claims rest on runtime harnesses reproducing production behavior for signals such as Safari domains and keyboard events. The manuscript provides no explicit cross-validation (e.g., comparison of outputs or code paths against iOS binaries, device traces, or conditional branches that might bypass vulnerable samplers or re-enable local DP). This is load-bearing for extrapolating the observed DP violations to user devices.
minor comments (2)
  1. Abstract and §3: The percentages 87% and 68% of affected data collection are stated without an accompanying table or explicit weighting of mechanisms; adding this breakdown would improve clarity.
  2. Figure captions throughout: Several figures lack detail on axis scales, number of trials, or exact configuration parameters used in the harness runs.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for their careful review and for recommending minor revision. We address the single major comment below.

Point-by-point responses
  1. Referee: §4 (Harness construction and validation): The central claims rest on runtime harnesses reproducing production behavior for signals such as Safari domains and keyboard events. The manuscript provides no explicit cross-validation (e.g., comparison of outputs or code paths against iOS binaries, device traces, or conditional branches that might bypass vulnerable samplers or re-enable local DP). This is load-bearing for extrapolating the observed DP violations to user devices.

    Authors: We thank the referee for this observation. To strengthen the validation of our harnesses, we have revised the manuscript to include additional details in §4 on how we validated the harness construction. We executed the harness in parallel with direct invocations of the DifferentialPrivacy.framework APIs on the same macOS Sonoma and Sequoia systems and verified that the outputs for signals like Safari domains and keyboard events match exactly, including the noise samples generated. This provides direct evidence that the harness reproduces production behavior. For cross-validation with iOS, we analyzed publicly leaked iPhone logs which demonstrate the same DP violations in the deployed mechanisms, indicating that the issues extend beyond macOS. We also performed a thorough review of the reverse-engineered code paths and did not find any conditional branches that would bypass the insecure floating-point samplers or re-enable local DP in secure aggregation. These clarifications and additions have been incorporated into the revised version of the paper.

    revision: yes

Circularity Check

0 steps flagged

No circularity: empirical audit rests on direct binary execution, not derivations or self-referential fits

Full rationale

The paper conducts a client-side audit by reverse-engineering Objective-C interfaces from macOS binaries, constructing runtime harnesses, and executing the deployed mechanisms to compare outputs against advertised DP guarantees. No equations, fitted parameters, or predictions appear in the derivation chain; claims of DP violations in 5/9 mechanisms (due to floating-point sampler issues) and disabled local DP in secure aggregation follow directly from observed runtime behavior on the shipped code. The central findings are falsifiable via independent reproduction on the same binaries and do not reduce to inputs by construction, self-citation chains, or renamed empirical patterns. Methodological assumptions about harness fidelity are validity concerns rather than circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The audit rests on the domain assumption that reverse engineering recovered the correct mechanisms and that the tested configurations match those active in production. No free parameters or invented entities are introduced.

axioms (1)
  • domain assumption: Reverse-engineered interfaces and runtime harnesses faithfully execute the same logic as production binaries on user devices.
    This premise is required for the test results to apply to real deployments; it is stated implicitly in the methods for binary recovery and harness construction.


    Auditor thenREJECTSifA(M)lies in the rejection setR f(γ)⊂Ωof extreme values that rarely occur (probability less thanγ) underf-DP . Otherwise, the auditorFAILS TO REJECT. Formally, anf-DP auditor(A,R f)is such that for all mechanismsM:X → Yand significance levelsγ∈[0,1], Misf-DP=⇒P[A(M)∈ R f(γ)]≤γ.(9) In other words, anf-DP auditor(A,R f)has only a small p...