Choosing Epsilon for Privacy as a Service

Open access


In many real world scenarios, terms of service allow a producer of a service to collect data from its users. Producers value data but often only compensate users for their data indirectly with reduced prices for the service. This work considers how a producer (data analyst) may offer differential privacy as a premium service for its users (data subjects), where the degree of privacy offered may itself depend on the user data. Along the way, it strengthens prior negative results for privacy markets to the pay-for-privacy setting and develops a new notion of endogenous differential privacy. A positive result for endogenous privacy is given in the form of a class of mechanisms for privacy-as-a-service markets that 1) determine ɛ using the privacy and accuracy preferences of a heterogeneous body of data subjects and a single analyst, 2) collect and distribute payments for the chosen level of privacy, and 3) privately analyze the database. These mechanisms are endogenously differentially private with respect to data subjects’ privacy preferences as well as their private data, they directly elicit data subjects’ true preferences, and they determine a level of privacy that is efficient given all parties’ preferences.

[1] J. M. Abowd and I. Schmutte. Revisiting the economics of privacy: Population statistics and confidentiality protection as public goods. Document 22, Labor Dynamics Institute, Jan. 2015.

[2] J. Brodkin. At&t offers gigabit internet discount in exchange for your web history., Posted: 12/11/2013.

[3] Y. Chen, S. Chong, I. A. Kash, T. Moran, and S. Vadhan. Truthful mechanisms for agents that value privacy. In Proceedings of the Fourteenth ACM Conference on Electronic Commerce, EC ‘13, pages 215–232, New York, NY, USA, 2013. ACM.

[4] E. H. Clarke. Multipart pricing of public goods. Public Choice, 11(1):17–33, 1971.

[5] P. Dandekar, N. Fawaz, and S. Ioannidis. Privacy auctions for inner product disclosures. CoRR, abs/1111.2885, 2011.

[6] C. Dwork and J. Lei. Differential privacy and robust statistics. In Proceedings of the 41st annual ACM symposium on Theory of computing, pages 371–380. ACM, 2009.

[7] C. Dwork, F. McSherry, K. Nissim, and A. Smith. Calibrating noise to sensitivity in private data analysis. In S. Halevi and T. Rabin, editors, Theory of Cryptography, volume 3876 of Lecture Notes in Computer Science, pages 265–284. Springer Berlin Heidelberg, 2006.

[8] L. Fleischer and Y.-H. Lyu. Approximately optimal auctions for selling privacy when costs are correlated with data. In ACM Conference on Electronic Commerce, pages 568–585, 2012.

[9] A. Ghosh and K. Ligett. Privacy and coordination: computing on databases with endogenous participation. In Proceedings of the Fourteenth ACM Conference on Electronic Commerce, EC ‘13, pages 543–560, New York, NY, USA, 2013. ACM.

[10] A. Ghosh and A. Roth. Selling privacy at auction. In Proceedings of the 12th ACM Conference on Electronic Commerce, EC ‘11, pages 199–208, New York, NY, USA, 2011. ACM.

[11] T. Groves. The Allocation of Resources Under Uncertainty: The Informational and Incentive Roles of Prices and Demands in a Team. Technical report (University of California, Berkeley. Center for Research in Management Science). University of California, 1970.

[12] T. Groves and J. O. Ledyard. Optimal allocation of public goods: a solution to the “free rider” problem. Econometrica, 45(4):783–809, May 1977.

[13] J. Hsu, M. Gaboardi, A. Haeberlen, S. Khanna, A. Narayan, B. C. Pierce, and A. Roth. Differential privacy: An economic method for choosing epsilon. CoRR, abs/1402.3329, 2014.

[14] K. Ligett and A. Roth. Take it or leave it: running a survey when privacy comes at a cost. In Proceedings of the 8th International Conference on Internet and Network Economics, WINE’12, pages 378–391, Berlin, Heidelberg, 2012. Springer-Verlag.

[15] K. Nissim, C. Orlandi, and R. Smorodinsky. Privacy-aware mechanism design. In Proceedings of the 13th ACM Conference on Electronic Commerce, EC ‘12, pages 774–789, New York, NY, USA, 2012. ACM.

[16] K. Nissim, S. Raskhodnikova, and A. Smith. Smooth sensitivity and sampling in private data analysis. In Proceedings of the Thirty-ninth Annual ACM Symposium on Theory of Computing, STOC ‘07, pages 75–84, New York, NY, USA, 2007. ACM.

[17] K. Nissim, R. Smorodinsky, and M. Tennenholtz. Approximately optimal mechanism design via differential privacy. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS ‘12, pages 203–213, New York, NY, USA, 2012. ACM.

[18] K. Nissim, S. Vadhan, and D. Xiao. Redrawing the boundaries on purchasing data from privacy-sensitive individuals. In Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, ITCS ‘14, pages 411–422, New York, NY, USA, 2014. ACM.

[19] Progressive. Snapshot plug-in device terms and conditions., Last updated: 5/11/2017.

[20] P. A. Samuelson. The pure theory of public expenditure. The Review of Economics and Statistics, 36(4):387–389, Nov. 1954.

[21] W. Vickrey. Counterspeculation, auctions, and competitive sealed tenders. Journal of Finance, 16(1):8–37, 03 1961.

[22] D. Xiao. Is privacy compatible with truthfulness? In In Proc. ITCS 2013, pages 67–86, 2013.

Journal Information


All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 984 984 38
PDF Downloads 43 43 20