The collection and sharing of genomic data are becoming increasingly
commonplace in research, clinical, and direct-to-consumer settings. The
computational protocols typically adopted to protect individual privacy include
sharing summary statistics, such as allele frequencies, or limiting query
responses to the presence/absence of alleles of interest using web-services
called Beacons. However, even such limited releases are susceptible to
likelihood-ratio-based membership-inference attacks. Several approaches have
been proposed to preserve privacy, which either suppress a subset of genomic
variants or modify query responses for specific variants (e.g., adding noise,
as in differential privacy). However, many of these approaches result in a
significant utility loss, either suppressing many variants or adding a
substantial amount of noise. In this paper, we introduce optimization-based
approaches to explicitly trade off the utility of summary data or Beacon
responses and privacy with respect to membership-inference attacks based on
likelihood-ratios, combining variant suppression and modification. We consider
two attack models. In the first, an attacker applies a likelihood-ratio test to
make membership-inference claims. In the second model, an attacker uses a
threshold that accounts for the effect of the data release on the separation in
scores between individuals in the dataset and those who are not. We further
introduce highly scalable approaches for approximately solving the
privacy-utility tradeoff problem when information is either in the form of
summary statistics or presence/absence queries. Finally, we show that the
proposed approaches outperform the state of the art in both utility and privacy
through an extensive evaluation with public datasets.