A Utility-Theoretic Approach to Privacy in Online Services
Online offerings such as web search, news portals, and e-commerce applications face the challenge of providing high-quality service to a large, heterogeneous user base. Recent efforts have highlighted the potential to improve performance by introducing methods to personalize services based on special knowledge about users and their context. For example, a user's demographics, location, and past search and browsing may be useful in enhancing the results offered in response to web search queries. However, reasonable concerns about privacy on the part of users, providers, and government agencies acting on behalf of citizens may limit the access services have to such information. We introduce and explore an economics of privacy in personalization, where people can opt to share personal information, in a standing or on-demand manner, in return for expected enhancements in the quality of an online service. We focus on the example of web search and formulate realistic objective functions for search efficacy and privacy. We demonstrate how we can find a provably near-optimal optimization of the utility-privacy tradeoff in an efficient manner. We evaluate our methodology on data drawn from a log of the search activity of volunteer participants. We separately assess users' preferences about privacy and utility via a large-scale survey, aimed at eliciting preferences about people's willingness to trade the sharing of personal data in return for gains in search efficiency. We show that a significant level of personalization can be achieved using a relatively small amount of information about users.
Is Geo-Indistinguishability What You Are Looking for?
Since its proposal in 2013, geo-indistinguishability has been consolidated as
a formal notion of location privacy, generating a rich body of literature
building on this idea. A problem with most of these follow-up works is that
they blindly rely on geo-indistinguishability to provide location privacy,
ignoring the numerical interpretation of this privacy guarantee. In this paper,
we provide an alternative formulation of geo-indistinguishability as an
adversary error, and use it to show that the privacy vs. utility trade-off that
can be obtained is not as appealing as implied by the literature. We also show
that although geo-indistinguishability guarantees a lower bound on the
adversary's error, this comes at the cost of achieving poorer performance than
other noise generation mechanisms in terms of average error, and enabling the
possibility of exposing obfuscated locations that are useless from the quality
of service point of view.
SoK: Differential Privacies
Shortly after it was first introduced in 2006, differential privacy became
the flagship data privacy definition. Since then, numerous variants and
extensions were proposed to adapt it to different scenarios and attacker
models. In this work, we propose a systematic taxonomy of these variants and
extensions. We list all data privacy definitions based on differential privacy,
and partition them into seven categories, depending on which aspect of the
original definition is modified.
These categories act like dimensions: variants from the same category cannot
be combined, but variants from different categories can be combined to form new
definitions. We also establish a partial ordering of relative strength between
these notions by summarizing existing results. Furthermore, we list which of
these definitions satisfy some desirable properties, like composition,
post-processing, and convexity by either providing a novel proof or collecting
existing ones.
Comment: This is the full version of the SoK paper with the same title,
accepted at PETS (Privacy Enhancing Technologies Symposium) 202
Differentially Private Decomposable Submodular Maximization
We study the problem of differentially private constrained maximization of
decomposable submodular functions. A submodular function is decomposable if it
takes the form of a sum of submodular functions. The special case of maximizing
a monotone, decomposable submodular function under cardinality constraints is
known as the Combinatorial Public Projects (CPP) problem [Papadimitriou et al.,
2008]. Previous work by Gupta et al. [2010] gave a differentially private
algorithm for the CPP problem. We extend this work by designing differentially
private algorithms for both monotone and non-monotone decomposable submodular
maximization under general matroid constraints, with competitive utility
guarantees. We complement our theoretical bounds with experiments demonstrating
empirical performance, which improves over the differentially private
algorithms for the general case of submodular maximization and is close to the
performance of non-private algorithms.