This 2014 paper by Ulfar Erlingsson, Vasyl Pihur, and Aleksandra Korolova at Google described RAPPOR, one of the first large-scale deployments of local differential privacy. It was shipped in the Chrome browser to gather statistics about Chrome installations and settings while giving each user a strong, mathematically defined privacy guarantee.
RAPPOR builds on a very old idea from survey research called randomized response. Instead of reporting your true answer, your device flips its answer randomly according to a fixed probability before sending anything. Any single report is therefore plausibly noise and reveals little about you, yet because the randomization is well understood, a server collecting millions of such noisy reports can still recover accurate aggregate statistics. RAPPOR extended this to arbitrary strings using a clever encoding with Bloom filters, and added a second layer of randomization so that even a user who reports the same value repeatedly cannot be tracked across reports. The key distinction from earlier differential privacy work is that the noise is applied on the device, before the data is sent, so the server never holds anyone’s true value, a model now called local differential privacy.
This matters because it changes who has to be trusted. In central differential privacy, users must trust the data collector to hold raw data responsibly. In the local model RAPPOR popularized, there is no trusted collector to compromise, because the raw data never leaves the device intact.
For a business reader, RAPPOR is the canonical example of collecting useful telemetry, crash rates, feature usage, settings, without building a database of individual behavior that could leak, be subpoenaed, or be abused. It set the template that Apple and others later followed for privacy-respecting analytics at scale.