Randomized Aggregatable Privacy-Preserving Ordinal Response, or RAPPOR, is a
technology for crowdsourcing statistics from end-user client software, anonymously,
with strong privacy guarantees. In short, RAPPORs allow the forest of client data
to be studied, without permitting the possibility of looking at individual trees.
By applying randomized response in a novel manner, RAPPOR provides the mechanisms
for such collection as well as for efficient, high-utility analysis of the
collected data. In particular, RAPPOR permits statistics to be collected on the
population of client-side strings with strong privacy guarantees for each client,
and without linkability of their reports. This paper describes and motivates
RAPPOR, details its differential-privacy and utility guarantees, discusses its
practical deployment and properties in the face of different attack models, and,
finally, gives results of its application to both synthetic and real-world data.