PRIVACY PROTECTION AGAINST CURIOUS RECOMMENDERS

0Associated
Cases 
0Associated
Defendants 
0Accused
Products 
15Forward
Citations 
0
Petitions 
1
Assignment
First Claim
1. A method for protecting user privacy in a recommender system, said method comprising:
 determining what information to release to a user for a movie;
transmitting said information to said user;
accepting obfuscated input from said user; and
calculating said user'"'"'s nonprivate feature vector.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and apparatus for protecting user privacy in a recommender system are described including determining what information to release to a user for a movie, transmitting the information to the user, accepting obfuscated input from the user and estimating the user'"'"'s nonprivate feature vector. Also described are a method and apparatus for protecting user privacy in a recommender system including receiving movie information, accepting a user'"'"'s movie feedback, accepting user'"'"'s private information, calculating an obfuscation value and transmitting the obfuscation value.
19 Citations
View as Search Results
PRIVACY AGAINST INFERENCE ATTACKS UNDER MISMATCHED PRIOR  
Patent #
US 20160006700A1
Filed 02/06/2014

Current Assignee
Thomson Licensing

Sponsoring Entity
Thomson Licensing

Emoji frequency detection and deep link frequency  
Patent #
US 9,705,908 B1
Filed 09/24/2016

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Emoji frequency detection and deep link frequency  
Patent #
US 9,712,550 B1
Filed 09/24/2016

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Emoji frequency detection and deep link frequency  
Patent #
US 9,894,089 B2
Filed 06/19/2017

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Learning new words  
Patent #
US 10,133,725 B2
Filed 04/03/2017

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Emoji frequency detection and deep link frequency  
Patent #
US 10,154,054 B2
Filed 06/30/2017

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Efficient implementation for differential privacy using cryptographic functions  
Patent #
US 10,229,282 B2
Filed 09/23/2016

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Systems and methods for privacypreserving generation of models for estimating consumer behavior  
Patent #
US 10,430,727 B1
Filed 04/03/2019

Current Assignee
NFL Enterprises LLC

Sponsoring Entity
NFL Enterprises LLC

Low privacy risk and high clarity social media support system  
Patent #
US 10,430,609 B2
Filed 09/23/2016

Current Assignee
International Business Machines Corporation

Sponsoring Entity
International Business Machines Corporation

Emoji frequency detection and deep link frequency  
Patent #
US 10,454,962 B2
Filed 10/12/2018

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Efficient implementation for differential privacy using cryptographic functions  
Patent #
US 10,552,631 B2
Filed 03/08/2019

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

User experience using privatized crowdsourced data  
Patent #
US 10,599,867 B2
Filed 11/07/2017

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

User experience using privatized crowdsourced data  
Patent #
US 10,599,868 B2
Filed 11/07/2017

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Learning new words  
Patent #
US 10,701,042 B2
Filed 10/12/2018

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Differential privacy using a multibit histogram  
Patent #
US 10,726,139 B2
Filed 09/30/2017

Current Assignee
Apple Inc.

Sponsoring Entity
Apple Inc.

Privacypreserving collaborative filtering  
Patent #
US 8,478,768 B1
Filed 12/08/2011

Current Assignee
Palo Alto Research Center Inc.

Sponsoring Entity
Palo Alto Research Center Inc.

System and methods for protecting the privacy of user information in a recommendation system  
Patent #
US 8,781,901 B2
Filed 12/04/2009

Current Assignee
Telefonaktiebolaget LM Ericsson

Sponsoring Entity
Telefonaktiebolaget LM Ericsson

PRIVACY PROTECTION IN RECOMMENDATION SERVICES  
Patent #
US 20140223575A1
Filed 04/17/2012

Current Assignee
AlcatelLucent SA

Sponsoring Entity
AlcatelLucent SA

Methods and apparatus to determine impressions using distributed demographic information  
Patent #
US 8,843,626 B2
Filed 11/30/2012

Current Assignee
Nielsen Company US LLC

Sponsoring Entity
Nielsen Company US LLC

26 Claims
 1. A method for protecting user privacy in a recommender system, said method comprising:
determining what information to release to a user for a movie; transmitting said information to said user; accepting obfuscated input from said user; and calculating said user'"'"'s nonprivate feature vector.  View Dependent Claims (2, 3)
 4. A method for protecting user privacy in a recommender system, said method comprising:
receiving movie information; accepting a user'"'"'s movie feedback; accepting user'"'"'s private information; calculating an obfuscation value; and transmitting said obfuscation value.  View Dependent Claims (5, 6, 7, 8)
 9. An apparatus for protecting user privacy in a recommender system, comprising:
means for determining what information to release to a user for a movie; means for transmitting said information to said user; means for accepting obfuscated input from said user; and means for calculating said user'"'"'s nonprivate feature vector.  View Dependent Claims (10, 11, 12)
 13. An apparatus for protecting user privacy in a recommender system, comprising:
means for receiving movie information; means for accepting a user'"'"'s movie feedback; means for accepting user'"'"'s private information; means for calculating an obfuscation value; and means for transmitting said obfuscation value.  View Dependent Claims (14, 15, 16)
 17. An apparatus for protecting user privacy in a recommender system, comprising:
a data disclosure module, determining what information to release to a user for a movie; a communications interface, transmitting said information to said user, said communications interface in communication with said data disclosure module; said communications interface, accepting obfuscated input from said user; and an estimator module, calculating said user'"'"'s nonprivate feature vector, said estimator module in bidirectional communication with said data disclosure module and also in communication with said communications interface.  View Dependent Claims (18, 19, 20)
 21. An apparatus for protecting user privacy in a recommender system, comprising:
a communications interface, receiving movie information; said communications interface, accepting a user'"'"'s movie feedback; said communications interface, accepting user'"'"'s private information; an obfuscation module, calculating an obfuscation value, said obfuscation module in bidirectional communication with said communications interface; and said communications interface, transmitting said obfuscation value.  View Dependent Claims (22, 23, 24, 25, 26)
1 Specification
This application claims priority to U.S. provisional application Ser. No. 61/761,330 filed on Feb. 6, 2013, entitled “PRIVACY PROTECTION AGAINST CURIOUS RECOMMENDERS”, incorporated herein by reference.
The present invention is related to protecting privacy information while allowing a recommender to provide relevant personalized recommendations.
Several recent publications study the threat of inferring demographics from usergenerated data. Closest to the present invention, Weinsberg et al., Blurme: inferring and obfuscating user gender based on ratings, Proceedings of the Sixth ACM Conference on Recommender Systems, 2012 shows that gender can be inferred from movie ratings and proposes heuristics for mitigating the resulting privacy risk. However, Weinsberg'"'"'s proposed obfuscation method specifically targets a logistic regression method for inferring gender. In contrast, the present invention follows a principled approach, allowing proving strong privacy guarantees against an arbitrary inference method.
The definition of privacy in the present invention is motivated by, and a limiting case of, the notion of differential privacy. Differential privacy has been applied to fields such as data mining, social recommendations and recommender systems. These works assume a trusted database owner and focus on making the output of the application differentially private. In contrast, in the present invention, a setup is studied where the recommender is curious, and users wish to protect against statistical inference of private information from feedback they submit to the recommender.
Several theoretical frameworks that model privacy against statistical inference under accuracy constraints exist. These approaches assume a general probabilistic model linking private and nonprivate variables, and ensure privacy by distorting the nonprivate variables prior to their release. Although general, the application of these frameworks requires knowledge of the joint distribution between private data and data to be released, which may be difficult to obtain in a practical setting. The assumption of a linear model in the present invention, which is strongly supported by empirical evidence, renders the problem tractable. Most importantly, it allows the method of the present invention to characterize the extent of data disclosure necessary on the recommender'"'"'s side to achieve an optimal privacyaccuracy tradeoff, an aspect that is absent from all of the aforementioned works.
Recommender systems can infer demographic information such as gender, age or political affiliation from user feedback. The present invention proposes a framework for data exchange protocols (steps, acts) between recommenders and users, capturing the tradeoff between the accuracy of recommendations, user privacy and the information disclosed by the recommender.
The present invention allows a user to communicate a distorted version of his/her ratings to a recommender system, in such a way that the recommender has no way of inferring some demographic information the user wishes to hide, while allowing the recommender to still provide relevant, personalized recommendations to the user.
Users of online services are routinely asked to provide feedback about their experience and preferences. This feedback can be either implicit or explicit, and can take numerous forms, from a full review to a fivestar rating, to choices from a menu. Such information is routinely used by recommender systems to provide targeted recommendations and personalize the content that is provided to the user. Often, the statistical methods used to generate recommendations produce a user ‘profile’ or feature vector. Such a profile can expose personal information that the user might consider private, such as their age, gender, and political orientation. This possibility has been extensively documented on public datasets. Such a possibility calls for mechanisms that allow privacyconscious users to benefit from recommender systems, while also ensuring that information they wish to protect is not inadvertently disclosed or leaked through their feedback, thereby incentivizing user participation in the service.
A common approach to reducing such disclosure or leakage is by distorting the feedback reported to the recommender. There is a natural tradeoff between recommendation quality and user privacy. Greater distortion may lead to better obfuscation but also less accurate profiles. A contribution of the present invention is to identify that there is a third term in this tradeoff, which is the data the recommender discloses to the users in order to obscure their private values. To illustrate this, notice that absolute privacy could be achieved if the recommender discloses to the user all of the data and algorithms used to produce a user profile. The user may then be able to run a local copy of the recommendation system without ever sending any feedback to the recommender. This is clearly private. However, it is also untenable from the recommender'"'"'s perspective, both for practical reasons (efficiency and code maintenance) and crucially, for commercial reasons since the recommender may be charging a fee, monetizing both the data that it has collected and the algorithms that it has developed. Disclosing the data and algorithms to the user or possible competitors is clearly a disadvantage.
On the other hand, some data disclosure is also necessary. If a user wishes to hide his/her political affiliation prior to releasing his/her feedback, the knowledge of any bias brought by political affiliation can be used by the user to negate this effect. The recommender detecting such bias from collected data can reveal it to privacyconscious users.
This state of affairs raises several questions. What is the minimal amount and nature of information the recommender needs to disclose to privacyconscious users to incentivize their participation? How can this information be used to distort one'"'"'s feedback, to protect one'"'"'s private features (such as gender, age, political affiliation etc.) while allowing the recommender to estimate the remaining onprivate features? What estimation method yields the highest accuracy when applied to distorted feedback? The present invention proposes a formal mathematical framework for addressing the above questions, encompassing three protocols:
(a) Data disclosure in which the recommender engages
(b) The obfuscation method applied to the user'"'"'s ratings, and
(c) The estimation method applied to infer the nonprivate user features.
The specific implementation of the above three protocols provides perfect protection to the user'"'"'s private information, while also ensuring that the recommender estimates nonprivate information with the best possible accuracy. Crucially, the date disclosure of the recommender is minimal No smaller disclosure can lead to an accuracy equal to or better than the proposed implementation.
The proposed protocols were evaluated on real datasets establishing that they indeed provide excellent privacy guarantees in practice, without significantly affecting the recommendation accuracy.
A method and apparatus for protecting user privacy in a recommender system are described including determining what information to release to a user for a movie, transmitting the information to the user, accepting obfuscated input from the user and estimating the user'"'"'s nonprivate feature vector. Also described are a method and apparatus for protecting user privacy in a recommender system including receiving movie information, accepting a user'"'"'s movie feedback, accepting user'"'"'s private information, calculating an obfuscation value and transmitting the obfuscation value.
The present invention is best understood from the following detailed description when read in conjunction with the accompanying drawings. The drawings include the following figures briefly described below:
The setup considered in the present invention comprises a recommender and a user. The recommender solicits user feedback on items which, for the sake of concreteness, are referred to as ‘movies’. The user'"'"'s feedback (e.g., 15 star ratings) for each item is sampled independently from a probability distribution parameterized by two vectors: a movie profile v_{i }and a user profile x. The user profile x is of the form (x_{0}; x), where x_{0 }is distinguishable binary feature that the user wishes to keep private (e.g., his/her gender), and x is a nonprivate component. It should be noted that though the user knows x_{0}, he/she is unaware of x: this would be the case if e.g., the features used by the recommender are unknown to the user, or even computed through a process called matrix factorization and are therefore latent.
The recommender knows the movie profiles v_{i }and wishes to learn the user'"'"'s profile x. The recommender'"'"'s purpose is to predict the user'"'"'s feedback for other movies and make recommendations. The user wishes to benefit from recommendations, but is privacyconscious with respect to his/her variable x_{0}, and does not wish to release this to the recommender. To incentivize the user'"'"'s participation, the goal of the present invention is to design a protocol for exchanging information between the recommender and the user that has three salient properties. Informally, the three salient properties are:
(a) At the conclusion of the protocol, the recommender estimates x, the nonprivate component of x, as accurately as possible.
(b) The recommender learns nothing about x_{0}, the user'"'"'s private variable.
(c) The user learns as little as possible about the movie profile v_{i }of each item i.
The first property ensures that, at the conclusion of the protocol, the recommender learns the nonprivate component of a user'"'"'s profile, and can use it to suggest new movies to the user, which enables the main functionality of the recommender. The second property ensures that a privacyconscious user benefits from recommendations without disclosing his/her private variable, thereby incentivizing participation. Finally, the third property ensures that movie profiles are not made publicly available in their entirety. This ensures that the recommender'"'"'s competitors cannot use profiles, whose computation requires resources and which are monetized through recommendations.
To highlight the interplay between these three properties, three “nonsolutions” are discussed. First, consider the protocol in which the user discloses his/her feedback to the recommender “in the clear”: this satisfies (a) and (c) but not (b), as it would allow the recommender to estimate both x and x_{0 }through appropriate inference methods. In the second protocol, the recommender first reveals all movie profiles v_{i }to the user; the recommender estimates x locally, again through inference, and subsequently sends this to the recommender. This satisfies (a) and (b), but not (c). Finally, the “empty” protocol (no information exchange) satisfies (b) and (c), but not (a).
More specifically, it is assumed that the user is characterized by a feature vector xε^{d+1}. This feature vector has one component that corresponds to a characteristic that the user wants to keep private. It is assumed that this feature is binary, the generalization to multiple binary features being straightforward. Formally, x=(x_{0},x), where x=(x_{1}, . . . , x_{d})ε^{d }and x_{0}ε{1+1,−1} is the private feature. As a running example, it can be assumed that the user wants to keep private his/her gender, that is encoded as x_{0}ε{+1,−1}.
The recommender solicits feedback for M movies, whose set is denoted by [M]≡{1, . . . , M}. In particular, each movie is characterized by a feature vector v_{i}=(v_{i0},v_{i})ε^{d+1}, where v_{i}=(v_{i1}, . . . , v_{id})ε^{d}. Attention is restricted to vectors v_{i }such that _{i}ε0. The set of all such vectors is denoted by _{−0}^{d+1}={(v_{0},v)ε^{d+1}: v≠0} and the feature vector of movies for which feedback is solicited by ν≡{v_{i},iε[M]}⊂_{−0}^{d+1}.
It is assumed that the recommender maintains the feature vectors in a database. Constructing such a database is routinely done by recommender algorithms. Features are typically computed through a combination of matrix factorization techniques (and are, hence, latent), as well as explicit functions of the movie descriptors (such as, e.g., genres, plot summaries, or the popularity of cast members). In both cases, these vectors (or even the features identified as relevant) can be used by a competitor, and are, hence, subject to nondisclosure.
The user feedback for movie iε[M] is denoted by r_{i}ε. r_{i }is restricted to a specific bilinear model, whose for is known to both the recommender and the user. In particular, let <a,b>≡Σ_{i=1}^{k}a_{i}b_{i }the usual scalar product in ^{k}. It is assumed that there exists a probability distribution Q on , such that for all iε[M]:
r_{i}=<v_{i},x>+z_{i}=<v_{i},x>+v_{i0}+z_{i},z_{i}˜Q (1)
where z_{i }are independent “noise” variables, with E(z)=0, E(z^{2})=σ^{2}<∞.
Despite its simplicity, this model is strongly supported by empirical evidence. Indeed, it is the underlying model for numerous prediction methods based on lowtank approximation, such as matrix factorization, singular value decomposition etc. It should be noted that the restriction to movie vectors in _{0}^{d+1 }makes sense under (1). Indeed, if the purpose of the recommender is to retrieve x, the feedback for a movie for which v=0 is clearly uninformative. It is assumed that the recommender maintains feature vectors ν in a database. Constructing such a database is routinely done by recommender algorithms. Features are typically computed through a combination of matrix factorization techniques (and, hence, latent), as well as explicit functions of the movie descriptors such as genres, plot summaries or the popularity of cast members. These vectors (or even the features identified as relevant) can be used by a competitor, and are, hence, subject to nondisclosure.
The user does not have access to this database, and does not know a priori values of these feature vectors. In addition, the user knows his/her private variable x_{0 }and either knows or can easily generate her feedback r_{i }to each movie iε[M]. Nevertheless, the user does not know apriori the remaining feature values xε^{d}, as “features” corresponding to each coordinate of v_{i }are either “latent” or not disclosed.
The privacy preserving recommendation method and system of the present invention includes the following protocol between the user and the recommender, comprising three steps:
 1. Data Disclosure Protocol. This is a mapping L: _{−0}^{d+1}→, with being a generic set. and will be measurable spaces, which include ^{k}. This mapping is implemented at the recommender and describes the amount of data disclosed from its database νpublicly. In particular, for each movie iε[M], the recommender releases to the user some information l_{i}=L(v_{i})ε. L(ν) denotes the vector lε^{M }with coordinates l_{i}, iε[M]. In practice, L(ν) is made public, as it is needed by all potential privacyconscious users that wish to interact with the recommender.
 2. Obfuscation Protocol. This is a mapping Y: ^{M}×{+1,−1}×^{M}→y, for y, where is again a generic set. The mapping describes how the user feedback is modified (obfuscated) before being released to the recommender. The mapping is implemented as a program on the user'"'"'s own computer. In particular, the user (algorithm on the user'"'"'s computer) enters his/her vector of feedback values r=(r_{1}, . . . , r_{M})ε^{M}, his/her private characteristic x_{0 }as well as the data disclosure l=(ν)ε^{M}. The program combines these quantities and returns to the recommender the obfuscated value y=Y(r,x_{0},l)εy.
 3. Estimator. This is a mapping of the form: p: y×_{−0}^{(d+1)})^{M}→^{d}. Given the movie feature vectors ν⊂_{−0}^{d+1 }and the corresponding obfuscated user feedback yεy, the mapping yields an estimate p(y,ν) of the user'"'"'s nonprivate feature vector x. The estimator is implemented as a program at the recommender.
The triplet R=(L,Y,p) is referred to as a recommendation system. Note that the functional forms of all three of these components are known to both parties: e.g., the recommender knows the obfuscation protocol Y. Both parties are honest but curious: both parties (recommender and user) follow the protocol, but if at any step either party can extract more information than what is intentionally revealed, they do so. Both protocols L and Y can be randomized. In the following, the probability and expectation with respect to the feedback model as well as protocol randomization, given x, ν is denoted by P_{x,ν}, E_{x,ν}.
Next, the basic quality metrics for a privacypreserving recommendation system, including accuracy of the recommendation system, privacy of the user, and data disclosure extent, corresponding to the properties (a)(c) discussed above.
Formalization of privacy for the obfuscated feedback Y is motivated by differential privacy. The context of the present invention differs from the prior art in that Y(r,x_{0},l) depends on x, l and x_{0}, but the present invention is only concerned with the privacy with respect to the private information x_{0}.
A recommendation system is εdifferentially private if, for any xεX and any vεν, the following occurs. If l=(l_{1}, . . . , l_{M}) denotes the information leaked or divulged from database ν, and rε^{M }the user feedback, then for any event A⊂y,
It can be said that the system is privacy preserving or private if it is sdifferentially private with ε=0.
The focus of the present invention is on privacy preserving recommendation systems, i.e., systems for which ε=0. Intuitively, in privacy preserving system the obfuscation Y is a random variable that does not depend on x_{0}. The distribution of Y is the same, irrespective of the user'"'"'s gender. The second definition states that an estimator p has optimal accuracy if it reconstructs the user'"'"'s nonprivate features with minimum l_{2 }loss. This choice is natural; nevertheless, reasons for quantifying accuracy through l_{2 }loss in the supplement are discussed.
It can be said that a recommendation system R=(L,Y,p) is more accurate than R′=(L′,Y′,p′) if, for all items v⊂_{−0}^{d+1}, sup_{x0ε{±1},xεX}E_{(x0,x),ν}{∥p(y,ν)−x∥_{2}^{2}}≦sup_{x0ε{±1},xεX}E_{(x0,x),ν}{∥p′(y′,ν)−x∥_{2}^{2}}, where y=Y(r,x_{0},L(ν)), y′=Y′(r,x_{0},L′(ν)). Further, it can be said that it is strictly more accurate if the above inequality holds strictly for some ν⊂_{−0}^{d+1}.
Finally, an ordering between data disclosure protocols can be defined. Intuitively, a protocol L discloses as much information as L′ if L′ can be retrieved from L.
It can be said that the recommendation system R=(L,R,p) discloses as much information as the system R′=(L′,Y′,p′) if there exists a measurable mapping φ: →′ such that L′=φ∘L (i.e., L′(v)=φ(L(v)) for each vε_{−0}^{d+1}). It can be said that R=(L,Y,p) and R′=(L′,Y′,p′) disclose the same amount of information if L=φ∘L′ and L′=φ′∘L for some φ, φ′. Finally, it can be said that R=(L,Y,p) discloses strictly more information than R′=(L′,Y′,p′) if L′=φ∘L for some φ but there exists no φ′ such that L=φ∘L′.
Below, it is shown that, under the linear model, the following recommendation system—that shall be referred to as the ‘standard scheme’ has optimality properties.
 1. The data disclosure protocol releases the entry v_{0 }corresponding to the private user feature x_{0}, i.e., =and for all (v_{0},v)ε_{−0}^{d+1}, L((v_{0},v))≡v_{0}.
 2. The obfuscation protocol subtracts the contribution of the private feature of from each feedback r_{i }and discloses this value to the recommender. Namely, y=^{M}, and for l=L(ν), R(r,x_{0},l)≡(r_{1}−x_{0}l_{1}, . . . , r_{M}−x_{0}l_{M}).
 3. Finally, the estimation method amounts to solving the least squares problem:
p(y,ν)≡arg min_{xε}_{d}{Σ_{i=1}^{k}(y_{i}^{k}−<v_{i},x>)^{2}}. (3)
 where, y_{i }is ith component of the obfuscated feedback yε^{M}—i.e., y_{i}=r^{i}−x_{0}l_{i}.
The estimator in (3) is referred to as the least squares estimator, and is denoted by p_{LS}. It is noted that, under (1), the accuracy of the standard scheme is given by the following l_{2 }loss: for all xε^{d},
E_{(x0,x),}ν{∥p_{LS}(y,ν)−x∥_{2}^{2}}=σ^{2}tr[(Σ_{iε[M]}v_{i}v_{i}^{T})^{−1}], (4)
where σ^{2 }the noise variance in (1) and tr( ) is the trace.
The following theorem summarizes the standard scheme'"'"'s properties:
Theorem 1.
Under the linear model:
 1. The standard scheme is privacy preserving.
 2. Assume that the noise in (1) is Gaussian. Then, there is no privacy preserving recommendation system that is strictly more accurate than the standard scheme.
 3. Any privacy preserving recommendation system that does not disclose as much information as the standard scheme must also be strictly less accurate.
The theorem is proved below. The second and third statements establish formally the optimality of the standard scheme. Under Gaussian noise, no privacy preserving system achieves better accuracy. Surprisingly, this is true even among schemes that disclose strictly more information than the standard scheme. There is no reason to disclose more than v_{i0 }for each movie. The third statement implies that, to achieve the same accuracy, the recommender system must disclose at least v_{i0}. In fact, the proof establishes that, in such a scenario, an l_{2 }loss that was finite under the standard scheme can become unbounded.
Proof of Theorem 1:
 Privacy: To see that Theorem 1.1 holds, recall that the user releases y_{i}=r_{i}−v_{0i}x_{0}=v_{i},x+z_{i}, for each iεM. The distribution of y, thus does not depend on x_{0}, so the standard scheme is clearly privacy preserving.
 Maximal Accuracy: Theorem 1.2 is proved by contradiction, using the following standard result.
 Lemma 1. Let (y_{i},v_{i})ε^{d+1}, iε[M], be a set of points such that y_{i}=v_{i},x+z_{i}, with z_{i }independent and identically distributed zeromean Gaussian random variables, and let p_{LS }be the least squares estimator p=arg min_{xε}_{d}Σ_{i}(y_{i}−v_{i},x)^{2}. Then, for any estimator p, sup_{x}E{∥p(y_{1}v_{1}; . . . ; y_{M},v_{M})−x∥_{2}^{2}}≧sup_{x}E(∥p_{LS}(y_{1},v_{1}; . . . ; y_{M},v_{M})−x∥_{2}^{2}).
 Suppose that there exists a privacy preserving recommendation system R′=(L′,Y′,p′) that is strictly more accurate than the standard scheme R=(L,Y,p). Let {tilde over (v)}_{0}=(v_{10}, . . . , v_{M0})=L(ν)ε^{M }be the disclosure under the standard scheme, and l′=L′(ν) the disclosure in R′. Let also p_{i}=r_{i}−x_{0}v_{0i}=<v_{i},x>+z_{i }be the obfuscated value for iε[M] under the standard scheme, and denote by pε^{M }the vector (p_{1}, . . . , p_{M}). Since the system R′ is privacy preserving, its obfuscation satisfies:
Y′(p+{tilde over (v)}_{0},+1,l′Y′(p−{tilde over (v)}_{0},−1,l′), (5)
i.e., the two random outputs are equal in distribution.
 L′, Y′ and p′ will be used to construct an estimator that has a lower l_{2 }loss than the least squares estimator. In particular, consider a new recommendation system R″=(L″,Y″,p″) for which: (a) L″(v_{i})=(L(v_{i}),L′(v_{i})), i.e., the recommender discloses the same information as in R′ as well as L(v_{i})=v_{i0}, (b) Y″=Y, i.e., obfuscation is as in the standard scheme and y_{i}″=p_{i}=r_{i}−v_{i0}x_{0}, for iε[M], are released, and (c) the recommender estimates x by executing the following two steps. First, it applies the obfuscation Y′ to p assuming the gender is +1, computing w=Y(p+{tilde over (v)}_{0},+1,l′)εy′. Second, it applies the estimator p′ to this output. In summary: p″(p,ν))=p′(w(p,ν),ν), where w(p,ν)=Y(p+{tilde over (v)}_{0},+1,(L′(ν)). Note that, crucially, the new system R″ has the same accuracy as R′. This is because the input w to the estimator p′ is identically distributed as the inputs y′. This is trivially true if x_{0}=+1, but also holds for x_{0}=1 by (5). This means, however, that an estimator p″ that yields a loss sup_{x}E_{y}{∥p″(y_{1}″,v_{1}; . . . ; y_{M}″,v_{M})−x∥_{2}^{2}} strictly smaller than the corresponding loss under the least squares estimator can be constructed, a contradiction to Lemma 1.
 Minimal Disclosure: Finally, Theorem 1.3 is proved, establishing formally that the disclosure L(v_{i})=v_{i0 }is minimal Any “lessinformative” disclosure leads to a loss of accuracy. Consider a privacy preserving recommendation system R′=(L′,Y′,p′) that does not disclosure as much information as the standard scheme R=(L,Y,p). Consider a setup where M=d, the dimension of the feature profiles. Assume also that is such that the matrix V=[v_{i}]_{iε[d]}ε^{d×d }is invertible, and denote by {tilde over (v)}_{0}ε^{d }the vector with coordinates v_{i0}.
 For any x_{0}ε{+1,−1}, sε^{d}, l′ε(′)^{d}, let Z_{x0}(s,l)εy′ be a random variable with distribution given by Z_{x0}(s,l′)Y′(s+z,x_{0},l′), where zε^{M }a vector of independent and identically distributed coordinates sampled from distribution Q. That is, Z_{x0}(s,l) is the output of obfuscation when Vx+x_{0}{tilde over (v)}_{0}=sε^{d}, L′(ν)=l′, and the gender is x_{0}. The following then holds.
 Lemma 2. Assume M=d, and that the matrix V=[v_{i}]_{iε[d]}ε^{d×d }is invertible. Let l=L′(ν). Then, for all sεR^{d}, X_{+}(s,l′)Z_{−}(s−2{tilde over (v)}_{0},l′).
 Proof. By Eq. (5), for all xε^{d}, Y′(Vx+v_{0}+z,+1,l′)Y′(Vx−v_{0}+z,−1,l′). The claim follows by the definition of Z_{±} for x=V^{−1}(s−v_{0}).
 As R′ does not leak (divulge, disclose) as much information as the standard scheme, by definition, there is no map φ such that v_{0}=(L′(v)) for all vε_{−0}^{d+1}. In particular, there exist vectors v,v′ε_{−0}^{d+1 }such that v_{0}≠v_{0}′ and yet L′(v)=L′(v). Consider the following two cases:
 Case 1. The supports of v,v′ intersect, i.e. there exists a kε[d] such that v_{k}≠0 and v_{k}′≠0. In this case, consider a scenario in which ν={v}∪U_{1≦l≦d,l≠k}, {e_{l}}, where e_{l}ε_{−0}^{d+1 }a vector whose lth coordinate is 1 and all other coordinates are zero. Clearly, M=ν=d, and V=[v_{i}]_{iε[d] }is invertible. Let l*=L′(ν) By Lemma 2, for all sε, Z_{+}(s+2v_{0}e_{1},l*)Z_{−}(s,l*), where e_{1}ε^{d }is 1 at coordinate 1 and 0 everywhere else. Similarly, in a scenario in which ν′={v′}∪U_{1≦l≦d,l≠k, }{e_{l}}, the conditions of Lemma 2 are again satisfied. Crucially L′(ν′)=L(ν)=l*, so again Z_{+}(s+2v_{0}′e_{1},l*)Z_{−}(s,l*), for all sε^{d}. These two equations imply that, for all sε^{d}:
Z_{+}(s+ξe_{1},l*)Z_{+}(s,l*) (6)
 where ξ≡2(v_{0}−v_{0}′). In other words, the obfuscation is periodic with respect to the rating for movie v.
 Observe that for any xε{−1,+1}×^{d }and any Mε_{+}, a x′ε{−1,+1}×^{d }and a Kε can be constructed such that (a) x,x′ differ only at coordinate kε{1, 2, . . . , d}, (b) v,x−x′=Kξ, and (c) ∥x−x′∥_{2}≧M. To see this, let K be a large enough integer such that
Taking, x_{k}′=x_{k}+Kξ/v_{k}, and x′_{l}=x_{l }for all other l in {0, 1, . . . , d} yields a x′ that satisfies the desired properties.
 Suppose thus that the recommendation system R is applied to ν={v}∪U_{1≦l≦d,≠k}{e_{l}} for a user with x_{0}=+1. Fix a large M>0. For each x and x′ constructed as above, by (6), the obfuscated values generated by Y′ have an identical distribution. Hence, irrespectively of how the estimator p′ is implemented, the maximum between max (E{∥p′(y′,ν)−x∥_{2}^{2 }and E{∥p(y′,ν)−x∥_{2}^{2}}) must be Ω(M^{2}) which, in turn, implies that sup_{x0ε[±1],xε}^{d}E{∥p(y′,ν)−x∥_{2}^{2}=∞. In contrast, since the profiles in ν are linearly independent, Σ_{i}v_{i}v_{i}^{T }is positive definite and hence invertible. As such, the loss (4) of the standard scheme is finite and the theorem follows.
 Case 2. The supports of v,v′ are disjoint. In this case v,v′ are linearly independent, as both belong to _{−0}^{d+1}, and, in particular, there exist 1≦k,k′≦d, k≠k′, such that v_{k}≠0 and v_{k}′≠0. ν={v}∪{v′}U_{1≦l≦d,l≠k,l≠k′}{e_{l}} can be constructed, then, ν=d and the matrix V=[v_{i}]_{iε[d] }are again invertible. As such, by swapping the positions of v and v′ it can be shown using a similar argument as in Case 1 that for all sε^{d}: Z_{+}(s+ξ(e_{1}−e_{2}),l*)Z_{+}(s,l*) where ξ≡2(v_{0}−v_{0}′) and l*=L(ν), i.e., Z_{+} is periodic in the direction e_{1}−e_{2}. Moreover, for any xε{−1,+1}×R^{d }and any Mε_{+}, similarly a x′ε{−1,+1}×^{d }and a Kε can be constructed such that (a) x,x′ differ only at coordinates k,k′ε{1, 2, . . . , d}, and (b) v,x−x′=−v′,x−x′=Kξ and (c) ∥x−x′∥_{2}≧M. The construction adds Kξ/v_{k }at the kth coordinate subtracts Kξ/v_{k′}′ from the k′th coordinate, where K>M max (v_{k},v′_{k′})/ξ. A similar argument as in Case 1 therefore yields the theorem.
Several aspects of the model of the present invention call for a more detailed discussion.
Leakage (Disclosure, Divulgation) Interpretation.
In the standard scheme, the disclosed (divulged, leaked) information v_{i0 }is the parameter that gauges the impact of the private feature on the user'"'"'s feedback. In the running example, it is the impact of the gender on the user'"'"'s appreciation of movie i. For the linear model (1), this parameter has a simple interpretation, if in a population of users for which the other features x are distributed independently of the gender. Indeed, assume a prior distribution on (x_{0},x) such that x is independent of x_{0}. Then: E{r_{i}x_{0}=+}−E{r_{i}x_{0}=−}=v,E{xx_{0}=+}−E{xx_{0}=−}+2v_{i0}=2v_{i0}. Hence, given access to a dataset of user feedback, in which users are not privacyconscious, and have disclosed their gender, the recommender need only compute the average rating of a movie per gender. Disclosing v_{jo }amounts to releasing the half distance between these two values.
Inference from Movie Selection.
In practice, generating all ratings in [M] may correspond to a high cost in time. It thus makes sense to consider the following constraint: there exists a set S_{0 }(e.g., the movies the user has viewed) such that the obfuscated set of ratings must satisfy S532S_{0}. In this case, S_{0 }itself might reveal the user'"'"'s gender.
A solution is presented when viewing events are independent, i.e.: P_{x0}(S_{0}=A)=Π_{iεA}p_{i}^{x}_{0}Π_{ipA}(1−p_{i}^{x}_{0}), where p_{i}^{x}_{0 }is the probability that the user has viewed movie i, conditioned on the value of his/her gender x_{0}. Consider the following obfuscation protocol. First, given S_{0}, the user generates and discloses feedback for movie iεS_{0 }independently, constructing thusly a set S, whereby:
P(iεSiεS_{0})=max(1,p_{i}^{x}_{0}/p_{i}^{x}_{0}), (7)
for x_{0 }is the complement of x_{0}. Ratings for iεS are revealed after applying the standard scheme.
This obfuscation has the following desirable properties. First, S⊂S_{0}. Second, it is privacy preserving. To see this note that P_{x0}(iεS)=max(1,p_{i}^{x}_{0}/p_{i}^{x}_{0})×p_{i}^{x}_{0}=min(p_{i}^{x}_{0},p_{i}^{x}_{0}), i.e., it does not depend on x_{0}. Finally, the set S is maximal: there is no privacy preserving method for generating a set S′⊂S_{0 }such that E′{S′}>E{S}. To see this, note that, for any scheme such that if E{S′}>E{S}, there exists an i such that P_{x0}(iεS′)>P_{x0}(iεS)=min(p_{i}^{+},p_{i}^{−}). If the scheme is privacy preserving, this must be true for both x_{0}; however, as S⊂S_{0}, it must be that P_{x0}(iεS)≦p_{i}^{x}_{0 }for both x_{0}, a contradiction. Motivated by the maximality of this obfuscation scheme, it is used below as a means select only a subset of the movies rated by a user.
The standard scheme of the present invention is evaluated on a movie recommender system. Users of the system provide an integer rating between 1 and 5 for the movies they have watched, and in turn expect the system to provide useful recommendations. Gender is defined as the private value that users do not want to reveal to the recommender, which is known to be inferable from movie ratings with high accuracy. Datasets from two movie rating services are used: MovieLens and Flixster. Both contain the gender of every user. The datasets are restricted to users that rated at least 20 movies and movies that were rated by at least 20 users. As a result, the MovieLens dataset has 6K users (4319 males, 1703 females), 3043 movies, and 995K ratings. The Flixster dataset has 26K users (9604 males, 16433 females), 9921 movies, and 5.6M ratings.
To assess the success of obfuscation in practice, several standard methods are applied to infer gender from ratings, including Naïve Bayes (NB), Logistic Regression (LR) and Support Vector Machines (SVM) and a new method similar to Linear Discriminant Analysis (LDA) is proposed. The latter method is based on the linear model (1), and assumes a Gaussian prior on x and a Bernoulli prior on the gender x_{0}. Under these priors, ratings are normally distributed with a mean determined by x_{0}, and the maximum likelihood estimator of x_{0 }is precisely LDA in a space with dimension of the number of movies viewed. Each inference method is evaluated in terms of the area under the curve (AUC). The input to the LR, NB and SVM methods comprises the ratings of all movies given by the user as well as zeros for movies not rated. LDA on the other hand operates only on the ratings that the user provided.
The standard obfuscation scheme is studied both with and without the selection scheme, which is performed using the maximal scheme (7) discussed above. The movie vectors are constructed as follows. For each movie, gender biases v_{0 }are computed as the half distance between the average movie ratings per each gender. Using these values, the remaining features v were computed through matrix factorization with d=20. These are computed from the nonobfuscated ratings. Matrix factorization was performed using gradient descend, 20 iterations, regularization parameter of 0.02, selected through cross validation.
When using the standard scheme, the new rating may not be an integer value, and potentially may even be outside of the range of rating values which is expected by the recommender system. To that end, a variation that rounds the rating value to an integer in range [1,5] is considered. Given a noninteger obfuscated rating r, which is between two integers k=└r┘ and k+1, rounding is performed by assigning the rating k with probability r−k and the rating k+1 with probability 1−(r−k), which on expectation gives the desired rating r, if ratings higher than 5 or lower than 1 are truncated to 5 or 1, respectively. For brevity, this entire process is referred to as “Rounding”. Two baselines for obfuscation are also considered. The movie average scheme replaces a user'"'"'s rating with the average rating of the movie. The gender average scheme replaces the user'"'"'s rating with the average rating provided by males or females, each with probability 0.5.
The accuracy of the recommendations in terms of the root mean square error (RMSE) of the ratings is measured. To this end, the user'"'"'s ratings are split to training and evaluation sets. First the obfuscation method is applied to the training set, and then x is estimated through ridge regression over the obfuscated ratings with regularization parameter of 0.1. Ratings of the movies in the evaluation set are predicted using the linear model (1), where x_{0 }is provided from the LDA inference method. Experiments with the other inference methods were conducted with similar results.
The proposed obfuscation and inference methods were run on both datasets. A 10fold cross validation on the users was used, and the mean AUC and RMSE were computed across the folds. The summary of all the evaluations is shown in Table 1. The table provides the AUC obtained by the different inference methods under the various obfuscation methods detailed above, as well the RMSE for each obfuscation method.
Several observations are consistent across the two datasets. First, inference methods are affected differently by the obfuscation methods, with LR, NB and SVM being mostly affected by the selection scheme whereas LDA is mostly affected by the standard obfuscation scheme of the present invention. However, when both selection and the standard obfuscation scheme are used, the AUC of all methods reduces to roughly 0.5. Furthermore, the impact of the obfuscation methods on the RMSE is not high, with a maximum increase of 1.5%. This indicates that although the obfuscation schemes manage to hide the gender, rating prediction is almost unaffected. The standard obfuscation scheme of the present invention performs almost exactly the same when rounding is introduced. Compared to the standard scheme (SS), baseline schemes result in a similar AUC but higher RMSE, indicating that aggressive obfuscation comes at a cost of losing the recommendation accuracy without considerable benefits in AUC.
To illustrate how obfuscation affects the inference accuracy,
The privacyaccuracy tradeoff is studied by applying an obfuscation scheme with probability a, and releasing the real rating with probability 1−α.
It is natural to extend the questions we introduced in this work to more general inference setting beyond the linear model we study here. In particular, quantifying the amount of information whose release is necessitated to ensure privacy and accuracy under more general parametric problems remains an interesting open question. In addition, our focus here was on privacypreserving recommendation systems. There are several ways of relaxing our privacy constraint, including the use of differential privacy, with ε>0.
It is to be understood that the present invention may be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof. Special purpose processors may include application specific integrated circuits (ASICs), reduced instruction set computers (RISCs) and/or field programmable gate arrays (FPGAs). Preferably, the present invention is implemented as a combination of hardware and software. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage device. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (CPU), a random access memory (RAM), and input/output (I/O) interface(s). The computer platform also includes an operating system and microinstruction code. The various processes and functions described herein may either be part of the microinstruction code or part of the application program (or a combination thereof), which is executed via the operating system. In addition, various other peripheral devices may be connected to the computer platform such as an additional data storage device and a printing device.
It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures are preferably implemented in software, the actual connections between the system components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.