The present invention is related to protecting privacy information while allowing a recommender to provide relevant personalized recommendations.
Several recent publications study the threat of inferring demographics from user-generated data. Closest to the present invention, Weinsberg et al., BlurMe: inferring and obfuscating user gender based on ratings, Proceedings of the Sixth ACM Conference on Recommender Systems, 2012, shows that gender can be inferred from movie ratings and proposes heuristics for mitigating the resulting privacy risk. However, Weinsberg's proposed obfuscation method specifically targets a logistic regression method for inferring gender. In contrast, the present invention follows a principled approach, allowing strong privacy guarantees to be proven against an arbitrary inference method.
The definition of privacy in the present invention is motivated by, and a limiting case of, the notion of differential privacy. Differential privacy has been applied to fields such as data mining, social recommendations and recommender systems. These works assume a trusted database owner and focus on making the output of the application differentially private. In contrast, in the present invention, a setup is studied where the recommender is curious, and users wish to protect against statistical inference of private information from feedback they submit to the recommender.
Several theoretical frameworks that model privacy against statistical inference under accuracy constraints exist. These approaches assume a general probabilistic model linking private and non-private variables, and ensure privacy by distorting the non-private variables prior to their release. Although general, the application of these frameworks requires knowledge of the joint distribution between private data and data to be released, which may be difficult to obtain in a practical setting. The assumption of a linear model in the present invention, which is strongly supported by empirical evidence, renders the problem tractable. Most importantly, it allows the method of the present invention to characterize the extent of data disclosure necessary on the recommender's side to achieve an optimal privacy-accuracy trade-off, an aspect that is absent from all of the aforementioned works.
Recommender systems can infer demographic information such as gender, age or political affiliation from user feedback. The present invention proposes a framework for data exchange protocols (steps, acts) between recommenders and users, capturing the tradeoff between the accuracy of recommendations, user privacy and the information disclosed by the recommender.
The present invention allows a user to communicate a distorted version of his/her ratings to a recommender system, in such a way that the recommender has no way of inferring some demographic information the user wishes to hide, while allowing the recommender to still provide relevant, personalized recommendations to the user.
Users of online services are routinely asked to provide feedback about their experience and preferences. This feedback can be either implicit or explicit, and can take numerous forms, from a full review to a five-star rating, to choices from a menu. Such information is routinely used by recommender systems to provide targeted recommendations and personalize the content that is provided to the user. Often, the statistical methods used to generate recommendations produce a user ‘profile’ or feature vector. Such a profile can expose personal information that the user might consider private, such as their age, gender, and political orientation. This possibility has been extensively documented on public datasets. Such a possibility calls for mechanisms that allow privacy-conscious users to benefit from recommender systems, while also ensuring that information they wish to protect is not inadvertently disclosed or leaked through their feedback, thereby incentivizing user participation in the service.
A common approach to reducing such disclosure or leakage is by distorting the feedback reported to the recommender. There is a natural tradeoff between recommendation quality and user privacy. Greater distortion may lead to better obfuscation but also less accurate profiles. A contribution of the present invention is to identify that there is a third term in this tradeoff, which is the data the recommender discloses to the users in order to obscure their private values. To illustrate this, notice that absolute privacy could be achieved if the recommender discloses to the user all of the data and algorithms used to produce a user profile. The user may then be able to run a local copy of the recommendation system without ever sending any feedback to the recommender. This is clearly private. However, it is also untenable from the recommender's perspective, both for practical reasons (efficiency and code maintenance) and crucially, for commercial reasons since the recommender may be charging a fee, monetizing both the data that it has collected and the algorithms that it has developed. Disclosing the data and algorithms to the user or possible competitors is clearly a disadvantage.
On the other hand, some data disclosure is also necessary. If a user wishes to hide his/her political affiliation prior to releasing his/her feedback, knowledge of any bias that political affiliation introduces into the feedback can be used by the user to negate this effect. The recommender, having detected such bias from collected data, can reveal it to privacy-conscious users.
This state of affairs raises several questions. What is the minimal amount and nature of information the recommender needs to disclose to privacy-conscious users to incentivize their participation? How can this information be used to distort one's feedback, to protect one's private features (such as gender, age, political affiliation, etc.) while allowing the recommender to estimate the remaining non-private features? What estimation method yields the highest accuracy when applied to distorted feedback? The present invention proposes a formal mathematical framework for addressing the above questions, encompassing three protocols:
(a) Data disclosure in which the recommender engages
(b) The obfuscation method applied to the user's ratings, and
(c) The estimation method applied to infer the non-private user features.
The specific implementation of the above three protocols provides perfect protection to the user's private information, while also ensuring that the recommender estimates non-private information with the best possible accuracy. Crucially, the data disclosure of the recommender is minimal: no smaller disclosure can lead to an accuracy equal to or better than that of the proposed implementation.
The proposed protocols were evaluated on real datasets establishing that they indeed provide excellent privacy guarantees in practice, without significantly affecting the recommendation accuracy.
A method and apparatus for protecting user privacy in a recommender system are described including determining what information to release to a user for a movie, transmitting the information to the user, accepting obfuscated input from the user and estimating the user's non-private feature vector. Also described are a method and apparatus for protecting user privacy in a recommender system including receiving movie information, accepting a user's movie feedback, accepting the user's private information, calculating an obfuscation value and transmitting the obfuscation value.
The present invention is best understood from the following detailed description when read in conjunction with the accompanying drawings. The drawings include the following figures briefly described below:
FIGS. 1(a) and 1(b) show the distribution of inference probabilities for males and females before obfuscation and after the standard obfuscation scheme with selection, using the MovieLens dataset and logistic inference.
FIG. 1(c) shows the RMSE-AUC tradeoff.
The setup considered in the present invention comprises a recommender and a user. The recommender solicits user feedback on items which, for the sake of concreteness, are referred to as 'movies'. The user's feedback (e.g., 1-5 star ratings) for each item is sampled independently from a probability distribution parameterized by two vectors: a movie profile vi and a user profile x. The user profile x is of the form (x0, x), where x0 is a binary feature that the user wishes to keep private (e.g., his/her gender), and x is a non-private component. It should be noted that though the user knows x0, he/she is unaware of x: this would be the case if, e.g., the features used by the recommender are unknown to the user, or are computed through a process such as matrix factorization and are therefore latent.
The recommender knows the movie profiles vi and wishes to learn the user's profile x. The recommender's purpose is to predict the user's feedback for other movies and make recommendations. The user wishes to benefit from recommendations, but is privacy-conscious with respect to his/her variable x0, and does not wish to release this to the recommender. To incentivize the user's participation, the goal of the present invention is to design a protocol for exchanging information between the recommender and the user that has three salient properties. Informally, the three salient properties are:
(a) At the conclusion of the protocol, the recommender estimates x, the non-private component of x, as accurately as possible.
(b) The recommender learns nothing about x0, the user's private variable.
(c) The user learns as little as possible about the movie profile vi of each item i.
The first property ensures that, at the conclusion of the protocol, the recommender learns the non-private component of a user's profile, and can use it to suggest new movies to the user, which enables the main functionality of the recommender. The second property ensures that a privacy-conscious user benefits from recommendations without disclosing his/her private variable, thereby incentivizing participation. Finally, the third property ensures that movie profiles are not made publicly available in their entirety. This ensures that the recommender's competitors cannot use profiles, whose computation requires resources and which are monetized through recommendations.
To highlight the interplay between these three properties, three "non-solutions" are discussed. First, consider the protocol in which the user discloses his/her feedback to the recommender "in the clear": this satisfies (a) and (c) but not (b), as it would allow the recommender to estimate both x and x0 through appropriate inference methods. In the second protocol, the recommender first reveals all movie profiles vi to the user; the user then estimates x locally, again through inference, and subsequently sends this estimate to the recommender. This satisfies (a) and (b), but not (c). Finally, the "empty" protocol (no information exchange) satisfies (b) and (c), but not (a).
More specifically, it is assumed that the user is characterized by a feature vector x ∈ ℝ^{d+1}. This feature vector has one component that corresponds to a characteristic that the user wants to keep private. It is assumed that this feature is binary, the generalization to multiple binary features being straightforward. Formally, x=(x0, x), where x=(x1, . . . , xd) ∈ ℝ^d and x0 ∈ {+1,−1} is the private feature. As a running example, it can be assumed that the user wants to keep private his/her gender, which is encoded as x0 ∈ {+1,−1}.
The recommender solicits feedback for M movies, whose set is denoted by [M]≡{1, . . . , M}. In particular, each movie is characterized by a feature vector vi=(vi0, vi) ∈ ℝ^{d+1}, where vi=(vi1, . . . , vid) ∈ ℝ^d. Attention is restricted to vectors vi whose non-private component (vi1, . . . , vid) is non-zero. The set of all such vectors is denoted by ℝ^{d+1}_{−0} ≡ {(v0, v) ∈ ℝ^{d+1} : v ≠ 0}, and the set of feature vectors of movies for which feedback is solicited by ν ≡ {vi, i ∈ [M]} ⊂ ℝ^{d+1}_{−0}.
It is assumed that the recommender maintains the feature vectors in a database. Constructing such a database is routinely done by recommender algorithms. Features are typically computed through a combination of matrix factorization techniques (and are, hence, latent), as well as explicit functions of the movie descriptors (such as, e.g., genres, plot summaries, or the popularity of cast members). In both cases, these vectors (or even the features identified as relevant) can be used by a competitor, and are, hence, subject to non-disclosure.
The user feedback for movie i ∈ [M] is denoted by r_i ∈ ℝ. r_i is restricted to a specific bi-linear model, whose form is known to both the recommender and the user. In particular, let ⟨a,b⟩ ≡ Σ_{i=1}^{k} a_i b_i denote the usual scalar product in ℝ^k. It is assumed that there exists a probability distribution Q on ℝ such that, for all i ∈ [M]:

$$r_i \;=\; \langle v_i, x\rangle + z_i \;=\; \textstyle\sum_{k=1}^{d} v_{ik}\,x_k \;+\; x_0\,v_{i0} \;+\; z_i,\qquad z_i \sim Q,\qquad (1)$$

where the z_i are independent "noise" variables, with E(z_i)=0, E(z_i^2)=σ^2<∞.
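As an illustration, feedback generated according to the bi-linear model (1) can be simulated as follows (a minimal sketch; the dimensions, the Gaussian choice for Q, and all variable names are illustrative assumptions, not part of the description above):

```python
# Minimal sketch of the feedback model (1) with Gaussian noise standing in for Q.
import numpy as np

rng = np.random.default_rng(0)
d, M = 20, 100                      # latent dimension and number of movies (illustrative)
x0 = rng.choice([+1, -1])           # private binary feature (e.g., gender)
x = rng.normal(size=d)              # non-private user profile
V = rng.normal(size=(M, d))         # non-private movie features v_i
v0 = rng.normal(scale=0.2, size=M)  # per-movie bias v_{i0} of the private feature
sigma = 0.5                         # noise standard deviation

z = rng.normal(scale=sigma, size=M)
r = V @ x + x0 * v0 + z             # r_i = <v_i, x> + x0 * v_{i0} + z_i
```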
Despite its simplicity, this model is strongly supported by empirical evidence. Indeed, it is the underlying model for numerous prediction methods based on low-rank approximation, such as matrix factorization, singular value decomposition, etc. It should be noted that the restriction to movie vectors in ℝ^{d+1}_{−0} makes sense under (1): if the purpose of the recommender is to retrieve x, the feedback for a movie whose non-private component is zero is clearly uninformative.
The user does not have access to this database, and does not know the values of these feature vectors a priori. In addition, the user knows his/her private variable x0 and either knows or can easily generate his/her feedback r_i for each movie i ∈ [M]. Nevertheless, the user does not know a priori the remaining feature values x ∈ ℝ^d, as the "features" corresponding to each coordinate of vi are either latent or not disclosed.
The privacy preserving recommendation method and system of the present invention includes the following protocol between the user and the recommender, comprising three steps:
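(a) Data disclosure: the recommender computes l=L(ν) and transmits it to the user, where L is the data disclosure protocol applied to the movie database ν.
(b) Obfuscation: the user computes the obfuscated feedback y=Y(r, x0, l) from his/her ratings r, his/her private feature x0 and the disclosed information l, and transmits y to the recommender, where Y is the obfuscation protocol.
(c) Estimation: the recommender computes p(y, ν), an estimate of the non-private profile x, where p is the estimation protocol.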
The triplet R=(L,Y,p) is referred to as a recommendation system. Note that the functional forms of all three of these components are known to both parties; e.g., the recommender knows the obfuscation protocol Y. Both parties are honest but curious: both the recommender and the user follow the protocol, but if at any step either party can extract more information than what is intentionally revealed, they do so. Both protocols L and Y can be randomized. In the following, the probability and expectation with respect to the feedback model as well as the protocol randomization, given x and ν, are denoted by P_{x,ν} and E_{x,ν}, respectively.
Next, the basic quality metrics for a privacy-preserving recommendation system are defined: the accuracy of the recommendation system, the privacy of the user, and the extent of data disclosure, corresponding to the properties (a)-(c) discussed above.
Formalization of privacy for the obfuscated feedback Y is motivated by differential privacy. The context of the present invention differs from the prior art in that Y(r,x0,l) depends on x (through the feedback r), on l and on x0, but the present invention is only concerned with privacy with respect to the private information x0.
A recommendation system is ε-differentially private if the following holds for any x ∈ X and any ν ⊂ ℝ^{d+1}_{−0}. Let l=(l1, . . . , lM) denote the information disclosed from the database ν, and r ∈ ℝ^M the user feedback; then, for any event A in the output space of the obfuscation Y, the distribution of the obfuscated output may change by at most a factor of e^ε when the private feature x0 is flipped.
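In standard differential-privacy notation, with the obfuscated output Y(r, x0, l) and any event A in its range, this condition can be written as

$$P_{(+1,x),\nu}\big(Y(r,+1,l)\in A\big)\;\le\;e^{\varepsilon}\,P_{(-1,x),\nu}\big(Y(r,-1,l)\in A\big),$$

together with the symmetric inequality obtained by exchanging the roles of +1 and −1.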
It can be said that the system is privacy preserving, or private, if it is ε-differentially private with ε=0.
The focus of the present invention is on privacy preserving recommendation systems, i.e., systems for which ε=0. Intuitively, in a privacy preserving system the obfuscation Y is a random variable that does not depend on x0: the distribution of Y is the same irrespective of the user's gender. The second definition states that an estimator p has optimal accuracy if it reconstructs the user's non-private features with minimum l2 loss. This choice is natural; nevertheless, reasons for quantifying accuracy through the l2 loss are discussed in the supplement.
It can be said that a recommendation system R=(L,Y,p) is more accurate than R′=(L′,Y′,p′) if, for all ν ⊂ ℝ^{d+1}_{−0},

$$\sup_{x_0\in\{\pm 1\},\,x\in X} E_{(x_0,x),\nu}\big\{\|p(y,\nu)-x\|_2^2\big\}\;\le\;\sup_{x_0\in\{\pm 1\},\,x\in X} E_{(x_0,x),\nu}\big\{\|p'(y',\nu)-x\|_2^2\big\},$$

where y=Y(r,x0,L(ν)) and y′=Y′(r,x0,L′(ν)). Further, it can be said that R is strictly more accurate than R′ if the above inequality holds strictly for some ν ⊂ ℝ^{d+1}_{−0}.
Finally, an ordering between data disclosure protocols can be defined. Intuitively, a protocol L discloses as much information as L′ if L′ can be retrieved from L.
It can be said that the recommendation system R=(L,Y,p) discloses as much information as the system R′=(L′,Y′,p′) if there exists a measurable mapping φ from the range of L to the range of L′ such that L′=φ∘L (i.e., L′(v)=φ(L(v)) for each v ∈ ℝ^{d+1}_{−0}). It can be said that R=(L,Y,p) and R′=(L′,Y′,p′) disclose the same amount of information if L=φ∘L′ and L′=φ′∘L for some φ, φ′. Finally, it can be said that R=(L,Y,p) discloses strictly more information than R′=(L′,Y′,p′) if L′=φ∘L for some φ but there exists no φ′ such that L=φ′∘L′.
Below, it is shown that, under the linear model, the following recommendation system, referred to as the 'standard scheme', has optimality properties. In the standard scheme, the recommender discloses to the user the biases l_i = v_{i0}, i ∈ [M]; the user reports the obfuscated feedback y_i = r_i − x_0 v_{i0}, i ∈ [M]; and the recommender estimates the non-private profile through

$$p(y,\nu)\;\equiv\;\arg\min_{x\in\mathbb{R}^{d}}\;\sum_{i\in[M]}\Big(y_i-\textstyle\sum_{k=1}^{d}v_{ik}\,x_k\Big)^{2}.\qquad(3)$$
The estimator in (3) is referred to as the least squares estimator, and is denoted by pLS. It is noted that, under (1), the accuracy of the standard scheme is given by the following l2 loss: for all x ∈ ℝ^d,

$$E_{(x_0,x),\nu}\big\{\|p_{LS}(y,\nu)-x\|_2^2\big\}\;=\;\sigma^2\,\mathrm{tr}\Big[\Big(\textstyle\sum_{i\in[M]}v_i\,v_i^{T}\Big)^{-1}\Big],\qquad(4)$$

where σ^2 is the noise variance in (1), tr(·) is the trace, and the sum is over the non-private components (vi1, . . . , vid) of the movie profiles.
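The following sketch illustrates the standard scheme end to end on data simulated from (1): the user subtracts the disclosed bias, the recommender solves the least squares problem (3), and the empirical loss is compared with expression (4). All dimensions, the Gaussian noise, and variable names are illustrative assumptions.

```python
# Minimal sketch of the standard scheme on synthetic data from model (1).
import numpy as np

rng = np.random.default_rng(1)
d, M, sigma = 10, 500, 0.5
x0 = rng.choice([+1, -1])                  # private feature
x = rng.normal(size=d)                     # non-private profile
V = rng.normal(size=(M, d))                # non-private movie features
v0 = rng.normal(scale=0.2, size=M)         # disclosed biases v_{i0}

# Feedback generated according to (1)
r = V @ x + x0 * v0 + rng.normal(scale=sigma, size=M)

# Obfuscation: the user subtracts the disclosed bias times the private bit
y = r - x0 * v0

# Least squares estimator (3), computed by the recommender from (y, V)
p_ls, *_ = np.linalg.lstsq(V, y, rcond=None)

empirical_loss = np.sum((p_ls - x) ** 2)
expected_loss = sigma ** 2 * np.trace(np.linalg.inv(V.T @ V))   # expression (4)
print(empirical_loss, expected_loss)
```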
The following theorem summarizes the standard scheme's properties:
Theorem 1.
Under the linear model:
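1. The standard scheme is privacy preserving, and its l2 loss is given by (4).
2. If the noise variables z_i in (1) are Gaussian, no privacy preserving recommendation system that discloses as much information as, or strictly more information than, the standard scheme is strictly more accurate than the standard scheme.
3. Any privacy preserving recommendation system that does not disclose as much information as the standard scheme cannot achieve the same accuracy; for some movie sets ν, an l2 loss that is finite under the standard scheme becomes unbounded.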
The theorem is proved below. The second and third statements establish formally the optimality of the standard scheme. Under Gaussian noise, no privacy preserving system achieves better accuracy. Surprisingly, this is true even among schemes that disclose strictly more information than the standard scheme. There is no reason to disclose more than vi0 for each movie. The third statement implies that, to achieve the same accuracy, the recommender system must disclose at least vi0. In fact, the proof establishes that, in such a scenario, an l2 loss that was finite under the standard scheme can become unbounded.
Proof of Theorem 1:
$$Y'\big(p+\tilde v_0,\,+1,\,l'\big)\;\stackrel{d}{=}\;Y'\big(p-\tilde v_0,\,-1,\,l'\big),\qquad(5)$$
i.e., the two random outputs are equal in distribution.
$$Z^{+}\big(s+\xi e_1,\,l^{*}\big)\;\stackrel{d}{=}\;Z^{+}\big(s,\,l^{*}\big)\qquad(6)$$
Taking x′_k = x_k + Kξ/v_k, and x′_l = x_l for all other l in {0, 1, . . . , d}, yields an x′ that satisfies the desired properties.
Several aspects of the model of the present invention call for a more detailed discussion.
Leakage (Disclosure, Divulgation) Interpretation.
In the standard scheme, the disclosed (divulged, leaked) information vi0 is the parameter that gauges the impact of the private feature on the user's feedback. In the running example, it is the impact of the gender on the user's appreciation of movie i. For the linear model (1), this parameter has a simple interpretation in a population of users for which the other features x are distributed independently of the gender. Indeed, assume a prior distribution on (x0, x) such that x is independent of x0. Then: E{r_i | x0=+1} − E{r_i | x0=−1} = ⟨v_i, E{x | x0=+1} − E{x | x0=−1}⟩ + 2v_{i0} = 2v_{i0}. Hence, given access to a dataset of user feedback in which users are not privacy-conscious and have disclosed their gender, the recommender need only compute the average rating of each movie per gender. Disclosing v_{i0} amounts to releasing half the distance between these two values.
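For example, given non-obfuscated ratings from users who have disclosed their gender, the quantities vi0 can be computed as follows (a sketch; the flat array layout and the toy values are hypothetical):

```python
# Sketch: estimate v_{i0} as half the distance between per-gender average
# ratings of each movie, from users who have disclosed their gender.
import numpy as np

# Hypothetical flat arrays: one entry per (movie, gender, rating) observation.
movie_ids = np.array([0, 0, 1, 1, 1, 2, 2])
genders   = np.array([+1, -1, +1, -1, -1, +1, -1])
ratings   = np.array([4.0, 3.0, 5.0, 4.0, 3.0, 2.0, 4.0])

num_movies = movie_ids.max() + 1
v0 = np.zeros(num_movies)
for i in range(num_movies):
    sel = movie_ids == i
    mean_plus = ratings[sel & (genders == +1)].mean()
    mean_minus = ratings[sel & (genders == -1)].mean()
    v0[i] = 0.5 * (mean_plus - mean_minus)   # half distance between the two means
print(v0)
```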
Inference from Movie Selection.
In practice, generating ratings for all movies in [M] may correspond to a high cost in time. It thus makes sense to consider the following constraint: there exists a set S0 (e.g., the movies the user has viewed) such that the obfuscated set of ratings must satisfy S ⊆ S0. In this case, S0 itself might reveal the user's gender.
A solution is presented when viewing events are independent, i.e., P_{x0}(S0=A) = ∏_{i∈A} p_i^{x0} ∏_{i∉A} (1 − p_i^{x0}), where p_i^{x0} is the probability that the user has viewed movie i, conditioned on the value of his/her gender x0. Consider the following obfuscation protocol. First, given S0, the user decides independently for each movie i ∈ S0 whether to generate and disclose feedback for it, thus constructing a set S, whereby

$$P(i\in S\mid i\in S_0)\;=\;\min\big(1,\;p_i^{-x_0}/p_i^{x_0}\big),\qquad(7)$$

where −x0 denotes the complement of x0 (i.e., the opposite gender). Ratings for i ∈ S are revealed after applying the standard scheme.
This obfuscation has the following desirable properties. First, S ⊆ S0. Second, it is privacy preserving. To see this, note that P_{x0}(i∈S) = min(1, p_i^{−x0}/p_i^{x0}) × p_i^{x0} = min(p_i^{x0}, p_i^{−x0}), i.e., it does not depend on x0. Finally, the set S is maximal: there is no privacy preserving method for generating a set S′ ⊆ S0 such that E{|S′|} > E{|S|}. To see this, note that for any scheme with E{|S′|} > E{|S|}, there exists an i such that P_{x0}(i∈S′) > P_{x0}(i∈S) = min(p_i^{+}, p_i^{−}). If the scheme is privacy preserving, this must be true for both values of x0; however, as S′ ⊆ S0, it must be that P_{x0}(i∈S′) ≤ p_i^{x0} for both x0, a contradiction. Motivated by the maximality of this obfuscation scheme, it is used below as a means to select only a subset of the movies rated by a user.
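A sketch of this selection step is given below, assuming the per-gender viewing probabilities are known to the user; the probability values and variable names are illustrative.

```python
# Sketch of the privacy preserving selection scheme (7): each viewed movie i is
# kept with probability min(1, p_i^{other gender} / p_i^{own gender}), so that
# P(i in S) = min(p_i^+, p_i^-) regardless of the gender x0.
import numpy as np

rng = np.random.default_rng(2)
M = 6
p_plus = np.array([0.9, 0.2, 0.5, 0.7, 0.1, 0.4])    # viewing prob. if x0 = +1
p_minus = np.array([0.3, 0.6, 0.5, 0.2, 0.4, 0.4])   # viewing prob. if x0 = -1

def select(S0, x0):
    """Return the subset S of the viewed set S0 to reveal, per equation (7)."""
    p_own = p_plus if x0 == +1 else p_minus
    p_other = p_minus if x0 == +1 else p_plus
    keep_prob = np.minimum(1.0, p_other / p_own)
    return [i for i in S0 if rng.random() < keep_prob[i]]

x0 = +1
S0 = [i for i in range(M) if rng.random() < p_plus[i]]   # movies actually viewed
print(S0, select(S0, x0))
```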
The standard scheme of the present invention is evaluated on a movie recommender system. Users of the system provide an integer rating between 1 and 5 for the movies they have watched, and in turn expect the system to provide useful recommendations. Gender is defined as the private value that users do not want to reveal to the recommender, which is known to be inferable from movie ratings with high accuracy. Datasets from two movie rating services are used: MovieLens and Flixster. Both contain the gender of every user. The datasets are restricted to users that rated at least 20 movies and movies that were rated by at least 20 users. As a result, the MovieLens dataset has 6K users (4319 males, 1703 females), 3043 movies, and 995K ratings. The Flixster dataset has 26K users (9604 males, 16433 females), 9921 movies, and 5.6M ratings.
To assess the success of obfuscation in practice, several standard methods are applied to infer gender from ratings, including Naïve Bayes (NB), Logistic Regression (LR) and Support Vector Machines (SVM), and a new method similar to Linear Discriminant Analysis (LDA) is proposed. The latter method is based on the linear model (1), and assumes a Gaussian prior on x and a Bernoulli prior on the gender x0. Under these priors, ratings are normally distributed with a mean determined by x0, and the maximum likelihood estimator of x0 is precisely LDA in a space whose dimension is the number of movies viewed. Each inference method is evaluated in terms of the area under the curve (AUC). The input to the LR, NB and SVM methods comprises the ratings of all movies given by the user, as well as zeros for movies not rated. LDA, on the other hand, operates only on the ratings that the user provided.
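As an illustration, gender inference by logistic regression with AUC evaluation can be sketched as follows; the use of scikit-learn and the toy data are assumptions, not part of the description above.

```python
# Sketch: infer gender from a dense user-by-movie rating matrix (zeros for
# unrated movies) with logistic regression, and evaluate by AUC.
import numpy as np
from sklearn.linear_model import LogisticRegression
from sklearn.metrics import roc_auc_score
from sklearn.model_selection import train_test_split

rng = np.random.default_rng(5)
n_users, n_movies = 200, 50
R = rng.integers(0, 6, size=(n_users, n_movies)).astype(float)  # toy ratings, 0 = unrated
gender = rng.choice([+1, -1], size=n_users)                     # toy labels

R_tr, R_te, g_tr, g_te = train_test_split(R, gender, test_size=0.3, random_state=0)
clf = LogisticRegression(max_iter=1000).fit(R_tr, g_tr)
print(roc_auc_score(g_te, clf.decision_function(R_te)))
```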
The standard obfuscation scheme is studied both with and without the selection scheme, which is performed using the maximal scheme (7) discussed above. The movie vectors are constructed as follows. For each movie, the gender bias v0 is computed as half the distance between the average movie ratings per gender. Using these values, the remaining features v were computed through matrix factorization with d=20. These are computed from the non-obfuscated ratings. Matrix factorization was performed using gradient descent with 20 iterations and a regularization parameter of 0.02, selected through cross validation.
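A sketch of this construction is given below. It assumes, as one reading of the description above, that matrix factorization is run on ratings from which the gender component x0·vi0 has been removed, and it uses plain stochastic gradient descent with the stated iteration count and regularization; the data layout and helper names are hypothetical.

```python
# Sketch: build movie vectors as described above. v0 is the per-movie half
# distance between gender means; the remaining d features come from a simple
# SGD matrix factorization (20 iterations, regularization 0.02).
import numpy as np

def factorize(triples, genders, v0, n_users, n_movies, d=20, reg=0.02,
              lr=0.01, n_iter=20, seed=0):
    rng = np.random.default_rng(seed)
    U = rng.normal(scale=0.1, size=(n_users, d))   # user profiles x
    V = rng.normal(scale=0.1, size=(n_movies, d))  # movie features v
    for _ in range(n_iter):
        for u, i, r in triples:
            target = r - genders[u] * v0[i]        # remove the gender component (assumption)
            err = target - U[u] @ V[i]
            u_old = U[u].copy()
            U[u] += lr * (err * V[i] - reg * U[u])
            V[i] += lr * (err * u_old - reg * V[i])
    return U, V

# Toy usage with hypothetical data: 3 users, 4 movies.
triples = [(0, 1, 4.0), (1, 2, 3.0), (2, 0, 5.0)]
genders = np.array([+1, -1, +1])
v0 = np.zeros(4)
U, V = factorize(triples, genders, v0, n_users=3, n_movies=4)
```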
When using the standard scheme, the new rating may not be an integer value, and may even be outside of the range of rating values expected by the recommender system. To that end, a variation that rounds the rating value to an integer in the range [1,5] is considered. Ratings higher than 5 or lower than 1 are first truncated to 5 or 1, respectively. Given a non-integer obfuscated rating r between two integers k=⌊r⌋ and k+1, rounding is performed by assigning the rating k+1 with probability r−k and the rating k with probability 1−(r−k), which in expectation gives the desired rating r. For brevity, this entire process is referred to as "Rounding". Two baselines for obfuscation are also considered. The movie average scheme replaces a user's rating with the average rating of the movie. The gender average scheme replaces the user's rating with the average rating provided by males or females, each with probability 0.5.
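A sketch of the Rounding step described above (truncation to [1,5] followed by randomized rounding whose expectation equals the truncated rating); names are illustrative.

```python
# Sketch of "Rounding": clip the obfuscated rating to [1, 5], then round
# randomly so that the expectation equals the clipped value.
import numpy as np

rng = np.random.default_rng(3)

def round_rating(r):
    r = min(5.0, max(1.0, r))           # truncate to the valid rating range
    k = int(np.floor(r))
    if k == 5:                          # already at the top of the range
        return 5
    # report k+1 with probability r - k, and k with probability 1 - (r - k)
    return k + 1 if rng.random() < (r - k) else k

print([round_rating(3.7) for _ in range(10)])
```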
The accuracy of the recommendations is measured in terms of the root mean square error (RMSE) of the ratings. To this end, the user's ratings are split into training and evaluation sets. First the obfuscation method is applied to the training set, and then x is estimated through ridge regression over the obfuscated ratings with a regularization parameter of 0.1. Ratings of the movies in the evaluation set are predicted using the linear model (1), where x0 is provided by the LDA inference method. Experiments with the other inference methods were conducted with similar results.
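A sketch of the estimation and prediction step described above; the ridge regularization of 0.1 is as stated, while the data shapes, variable names, and the externally supplied x0 are illustrative assumptions.

```python
# Sketch: estimate the non-private profile x by ridge regression on the
# obfuscated training ratings, then predict held-out ratings with model (1).
import numpy as np

def estimate_profile(V_train, y_train, reg=0.1):
    """Ridge regression: argmin_x ||y - V x||^2 + reg * ||x||^2."""
    d = V_train.shape[1]
    A = V_train.T @ V_train + reg * np.eye(d)
    return np.linalg.solve(A, V_train.T @ y_train)

def predict(V_eval, v0_eval, x_hat, x0_inferred):
    """Predicted ratings r_i = <v_i, x_hat> + x0 * v_{i0} under model (1)."""
    return V_eval @ x_hat + x0_inferred * v0_eval

# Toy usage with random data (shapes only; values are illustrative).
rng = np.random.default_rng(6)
x_hat = estimate_profile(rng.normal(size=(50, 20)), rng.normal(size=50))
preds = predict(rng.normal(size=(10, 20)), rng.normal(size=10), x_hat, x0_inferred=+1)
```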
The proposed obfuscation and inference methods were run on both datasets. A 10-fold cross validation on the users was used, and the mean AUC and RMSE were computed across the folds. A summary of all the evaluations is shown in Table 1. The table provides the AUC obtained by the different inference methods under the various obfuscation methods detailed above, as well as the RMSE for each obfuscation method.
Several observations are consistent across the two datasets. First, inference methods are affected differently by the obfuscation methods, with LR, NB and SVM being mostly affected by the selection scheme whereas LDA is mostly affected by the standard obfuscation scheme of the present invention. However, when both selection and the standard obfuscation scheme are used, the AUC of all methods reduces to roughly 0.5. Furthermore, the impact of the obfuscation methods on the RMSE is not high, with a maximum increase of 1.5%. This indicates that although the obfuscation schemes manage to hide the gender, rating prediction is almost unaffected. The standard obfuscation scheme of the present invention performs almost exactly the same when rounding is introduced. Compared to the standard scheme (SS), baseline schemes result in a similar AUC but higher RMSE, indicating that aggressive obfuscation comes at a cost of losing the recommendation accuracy without considerable benefits in AUC.
To illustrate how obfuscation affects the inference accuracy, FIGS. 1(a) and 1(b) plot the distribution of inference probabilities for males and females before and after obfuscation.
The privacy-accuracy tradeoff is studied by applying an obfuscation scheme with probability α and releasing the real rating with probability 1−α; the resulting RMSE-AUC tradeoff is shown in FIG. 1(c).
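A sketch of this mixing mechanism; the obfuscated values would come from one of the schemes above and are purely illustrative here.

```python
# Sketch: release the obfuscated rating with probability alpha and the true
# rating with probability 1 - alpha; alpha controls the privacy-accuracy tradeoff.
import numpy as np

rng = np.random.default_rng(4)

def mix(ratings, obfuscated, alpha):
    """Element-wise: pick the obfuscated value with probability alpha."""
    use_obf = rng.random(len(ratings)) < alpha
    return np.where(use_obf, obfuscated, ratings)

ratings = np.array([4.0, 2.0, 5.0])
obfuscated = np.array([3.5, 2.5, 4.0])      # e.g., output of the standard scheme
print(mix(ratings, obfuscated, alpha=0.8))
```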
It is natural to extend the questions addressed by the present invention to more general inference settings beyond the linear model studied here. In particular, quantifying the amount of information whose release is necessary to ensure privacy and accuracy under more general parametric models remains an interesting open question. In addition, the focus here was on privacy-preserving recommendation systems. There are several ways of relaxing the privacy constraint, including the use of ε-differential privacy with ε>0.
It is to be understood that the present invention may be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof. Special purpose processors may include application specific integrated circuits (ASICs), reduced instruction set computers (RISCs) and/or field programmable gate arrays (FPGAs). Preferably, the present invention is implemented as a combination of hardware and software. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage device. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (CPU), a random access memory (RAM), and input/output (I/O) interface(s). The computer platform also includes an operating system and microinstruction code. The various processes and functions described herein may either be part of the microinstruction code or part of the application program (or a combination thereof), which is executed via the operating system. In addition, various other peripheral devices may be connected to the computer platform such as an additional data storage device and a printing device.
It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures are preferably implemented in software, the actual connections between the system components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.
This application claims priority to U.S. provisional application Ser. No. 61/761,330 filed on Feb. 6, 2013, entitled “PRIVACY PROTECTION AGAINST CURIOUS RECOMMENDERS”, incorporated herein by reference.
Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/US13/53984 | 8/7/2013 | WO | 00

Number | Date | Country
---|---|---
61/761,330 | Feb. 6, 2013 | US