Choosing Epsilon for Privacy as a Service

Abstract

In many real world scenarios, terms of service allow a producer of a service to collect data from its users. Producers value data but often only compensate users for their data indirectly with reduced prices for the service. This work considers how a producer (data analyst) may offer differential privacy as a premium service for its users (data subjects), where the degree of privacy offered may itself depend on the user data. Along the way, it strengthens prior negative results for privacy markets to the pay-for-privacy setting and develops a new notion of endogenous differential privacy. A positive result for endogenous privacy is given in the form of a class of mechanisms for privacy-as-a-service markets that 1) determine ɛ using the privacy and accuracy preferences of a heterogeneous body of data subjects and a single analyst, 2) collect and distribute payments for the chosen level of privacy, and 3) privately analyze the database. These mechanisms are endogenously differentially private with respect to data subjects’ privacy preferences as well as their private data, they directly elicit data subjects’ true preferences, and they determine a level of privacy that is efficient given all parties’ preferences.