I’ve been thinking about what it really means to guarantee something. With a guarantee, you are assuring someone that some condition will hold in the future, but in truth you can never be completely certain of the future!

So, looking at your wording:

Now is a good time to point out that PINQ’s privacy guarantee is expansive, but in a very specific way. Nothing in the universe will change as a result of any one person’s data.

I’d say that PINQ is really making sure that only a small change will happen in the universe if you submit your data. (After all, at the very least some bits are changing in a computer files somewhere when you do that).

Continuing this mini-ramble, it seems to me that guarantees usually have some cost to the guarantor if the future doesn’t turn out as expected. For example, if I buy a new toaster at a guaranteed lowest price, the seller is willing to pay me some money if I find a lower price for that toaster elsewhere. Presumably, that seller is pretty confident in that condition, (i.e. of lowest price), but he or she is willing to pay a financial cost for being wrong.

In the case of a failed privacy guarantee, one cost would be in lost reputation, and potentially financial penalties could be extracted via legal action (or threat thereof). I’m not sure if this is a useful way of thinking about the question, though.

This is the rationale behind boycotting the census (it unfairly apportions tax dollars to illegal immigrants) and locking down data that could help schools evaluate teachers (it could be used as a way to censor “un-American” teachers) and fighting access to patient data to evaluate doctors and hospitals (it could violate patient privacy).

These are all valid concerns that any data collection effort will need to address independent of the issue of guaranteeing privacy for those who choose to contribute their information.