















Yan Huang, Zhipeng Cai, and Anu G. Bourgeois
Georgia State University, Atlanta GA 3030, USA [email protected], {zcai,abourgeois}@gsu.edu
Abstract. In the era of context-aware services, users are enjoying remarkable services based on data collected from a multitude of users. However, in order to benefit from these services, users are enduring the risk of leaking private information. Game theory is a powerful method that is utilized to balance such tradeoff problems. The drawback is that most schemes consider the tradeoff problem from the aspect of the users, while the platform is the party that dominates the interaction in reality. There is also an oversight in formulating the interaction occurring between multiple users, as well as the mutual influence between any two parties involved, including the user, platform and adversary. In this paper, we propose a platform-centric two-layer three-party game model to protect the users’ privacy and provide quality of service. One layer focuses on the interactions among the multiple asymmetric users and the second layer considers the influence between any two of the three parties (user, platform, and adversary). We prove that the Nash Equilibrium exists in the proposed game and find the optimal strategy for the platform to provide quality service, while protecting private data, along with interactions with the adversary. Using real datasets, we present simulations to validate our theoretical analysis.
2 Yan Huang, Zhipeng Cai, and Anu G. Bourgeois
Fig. 1. Two-layer three-party game model
Due to the rapid development and popularity of context-aware services, people’s lives have become more comfortable and convenient than ever before. Applications include health care, smart grid, industrial services [48], social network platforms, and transportation, to name a few [5, 7]. Smart transportation [6,15,32] provides drivers the optimal path based upon current traffic conditions, e-health [46] platforms are able to continuously monitor a patient’s health status and facilitate communication with the healthcare specialist, and the smart grid [31] improves power management by monitoring usage patterns and balancing loads. Typically, it is only with the users’ information that these context-aware applications can provide and maintain any service, and the quality of the service is often directly dependent upon the quantity and quality of collected data. As a result, users must weigh the cost of leaking private information against the benefit of such services. There is, of course, always a threat of private information being captured during data transmission. However, in recent years, private data leakage, as well as intentional data sale/reuse, is more likely to originate from the service provider platform [3,4,16,18,25,26,49]. In recent news we learned of Facebook improperly sharing data that impacted 87 million users [2] and Equifax [1] compromising private information of 143 million users. In spite of this, users still employ these applications, as the services are deemed essential to many people, which positions the provider platforms in a dominant capacity [14]. This has led to considerable research on techniques to protect a user’s private data from being leaked and/or sold. Most of the privacy protection algorithms, e.g. k-anonymity [40, 41], l-diversity [30, 33], t-closeness [22], and differential privacy [36, 50], protect the data by adding noise, but this in turn decreases the quality of the services provided. Therefore, several game theory based models have been proposed to balance the trade-off between service quality or reward and privacy protection. Most of the game theory based research has a drawback, in that it only focuses on the interaction between two parties, i.e. the user with an untrusted platform, or the user with an adversary (an entity trying to purchase or steal data) [13, 27, 28, 44]. A more realistic model should consider the interactions of the three parties: the user, platform, and adversary. These two-party models ignore or fail to formulate the interaction between each pair of parties (3 such pairings). More recently, diverse three-party game models have been proposed to provide a more realistic interaction analysis [21,23,24,39,42,43]. Yet there is still a shortcoming, as they can only provide binary strategies, meaning the decision for users to submit or not submit their data. Instead, it would be beneficial to have a fine-grained strategy that provides a protection level ranging between 0 and 1, which is what we propose in this paper.
Another deficiency with the current n-player game models (those with n users) [13, 28, 29, 44, 45, 47] is that they only consider the interaction between the users and other parties (either the platform or adversary). They fail to represent the interaction between asymmetric users, where users have individual privacy protection expectations. To demonstrate the impact, let us consider a transportation application. A user is able to get accurate traffic status without submitting any personal information to the platform, provided other users do submit their information. If multiple users stop submitting their information, the service quality will decrease, and if no users submit their information, minimal service can be provided. Thus multiple users must submit their data to provide enough context to the platform for better quality service.
strategy sets $S_i \subset \mathbb{R}^N$, $s_i \in S_i$. The joint strategy set $S = \prod_{i \in I} S_i$ is assumed to be a compact metric space, and the payoff functions $\tilde{\pi}_i : S \to \mathbb{R}$, $i \in I$, are assumed to be upper semi-continuous. Then the Quasi-Aggregative Game can be defined as follows.
Definition 1. (Quasi-Aggregative Game) [17] The game $\Gamma = (\tilde{\pi}_i, S_i)_{i \in I}$ is a quasi-aggregative game with aggregator $g : S \to \mathbb{R}$ if there exist continuous functions $F_i : \mathbb{R} \times S_i \to \mathbb{R}$ (the shift functions) and $\sigma_i : S_{-i} \to X_{-i} \subset \mathbb{R}$, $i \in I$ (the interaction functions), such that each payoff function, $i \in I$, can be written as $\tilde{\pi}_i = \pi_i(\sigma_i(s_{-i}), s_i)$, where $\pi_i : X_{-i} \times S_i \to \mathbb{R}$, and $g(s) = F_i(\sigma_i(s_{-i}), s_i)$, $\forall s \in S$, $i \in I$. Agent $i$’s best-reply correspondence, which depends on $x_{-i} = \sigma_i(s_{-i})$, is given by $R_i(x_{-i}) = \arg\max \{ \pi_i(x_{-i}, s_i) : s_i \in S_i \}$.
Theorem 1. The quasi-aggregative game has a pure strategy Nash equilibrium (PSNE) if the following two assumptions hold [17].
Assumption 1. Each correspondence $R_i : X_{-i} \to 2^{S_i}$ is strictly decreasing.
Assumption 2. The shift functions $F_i$, $i \in I$, all exhibit strictly increasing differences in $x_{-i}$ and $s_i$.
In this section, we formulate the interactions between asymmetric users, as well as the interactions among the three parties and introduce the proposed game model.
3.1 Users Model
Privacy Protection for Context-Aware Services
Assume a set of users $N = \{1, 2, \ldots, n\}$ use a client of a platform to get context-based service. Each user $i \in N$ submits a dataset $D_i = \{d_{i1}, d_{i2}, \ldots, d_{im}\}$ with $m$ attributes to the platform. The client has a local privacy protection algorithm installed which satisfies strict privacy protection standards, such as Local Differential Privacy [36]. Thus, the platform can only get anonymized or noise-added data from users. Even with a privacy protection algorithm installed in the client, the anonymized or noise-added data can still leak some information to the platform; the privacy leakage level depends on the privacy protection setting of the client. Without loss of generality, we define the privacy protection level of attribute $j$ as $\delta_j \in [0, 1]$. When $\delta_j = 1$, the platform cannot retrieve any information about users’ attribute $j$. When $\delta_j = 0$, the platform can retrieve all the information about users’ attribute $j$. To get statistical results from users, the platform has to set the same $\delta = \{\delta_1, \delta_2, \ldots, \delta_m\}$ for all the users [9,11,20,38]. According to privacy protection laws, such as the General Data Protection Regulation within the European Union and the European Economic Area, the platform should use the strongest privacy protection strength in the client by default. Thus, the default setting of the privacy protection level vector is $\delta = \{1, 1, \ldots, 1\}$. However, with the strongest privacy protection strength, the platform cannot collect usable information from users, resulting in the worst service quality. Thus, to collect information from users, the platform has to offer a $\delta$ with a lower privacy protection level. Users have the right to accept or reject the platform’s offer $\delta$. We define user $i$’s strategy for attribute $j$ as $a_{ij} \in [0, 1]$, the probability that user $i$ accepts the privacy leakage level $\delta_j$. Therefore, the strategy vector of user $i$ is $a_i = \{a_{i1}, a_{i2}, \ldots, a_{im}\}$ and the strategy vector of all users is $a = \{a_1, a_2, \ldots, a_n\}$. The service quality depends on the users’ strategies, and one user’s strategy has a marginal impact on service quality. The service quality user $i$ receives from the platform depends not only on its own strategy $a_i$, but also on the strategies of the other users $a_{-i}$. Formally, for a specific privacy protection level, the expected service quality received by user $i$ is determined by the strategy of user $i$ and the other users’ strategies, which we denote $Q_i(a_{-i}, a_i)$. Meanwhile, the platform may resell users’ data to an adversary, resulting in privacy loss to the users. Assume each user has a constant privacy cost estimation vector $c_i = \{c_{i1}, c_{i2}, \ldots, c_{im}\}$, where $c_{ij}$ is the privacy cost of leaking attribute $j$. We define the total cost estimation of user $i$ as follows:
$$C_i^u(a_i) = \sum_{j=1}^{m} c_{ij}\, a_{ij} \left( s_j + (1 - \delta_j) \right), \qquad (1)$$
where $s_j \le \delta_j$ is the privacy leakage level when the platform resells the users’ dataset. Thus, we can derive the expected utility function of user $i$ as follows.
$$U_i^u(a_i, a_{-i}) = Q_i(a_{-i}, a_i) - C_i^u(a_i). \qquad (2)$$
3.2 Platform Model
The quality of service depends upon the number of users that accept the privacy protection level of the attributes. For this reason, the platform entices users to accept an offer with a higher privacy leakage level by providing more accurate service. We define $\sigma_j(a)$ as the expected number of users that accept the information leakage level $\delta_j$ for attribute $j$, and calculate $\sigma_j(a)$ as
$$\sigma_j(a) = \sum_{i=1}^{n} a_{ij}. \qquad (3)$$
The value of δj reveals the privacy leakage of users’ attribute j and also reveals the information that can be retrieved by the platform. According to the research of privacy protection algorithms [10,11,37], the service quality based on attribute j can be defined as a logarithmic function of privacy leakage level δj , and is affected by the number of users that accept the privacy leakage level δj as a law of diminishing marginal utility. Therefore, we can derive that the service
3.3 Adversary Model
To get users’ information, the third party can purchase data from the platform. By using the purchased data, the adversary can generate value according to its type $\gamma$, where $\theta$ is its value productivity and $\gamma$ is its value output elasticity for each attribute. According to data aggregation research [19] and the standard form of the Cobb-Douglas production function [34], the expected data value to the adversary can be defined as
$$V_t(s, a) = \theta \sum_{j=1}^{m} s_j^{\gamma}\, \sigma_j^{b}(a). \qquad (8)$$
Thus, the expected utility function of the third party is
$$U^t((p(\gamma), s), a) = V_t(s, a) - P((p(\gamma), s), a). \qquad (9)$$
In this section, we formulate the problem with a two-layer three-party game and analyze its Nash Equilibrium.
4.1 Aggregative Game Model
In this paper, we assume users do not exchange information with the other users. Each user’s action influences the other users’ utility. With a specific privacy leakage level $\delta$, we can use the quasi-aggregative game model to formulate the interactions among users. To maximize utility, a user chooses a proper privacy leakage level for each attribute. According to [17], we define the interactions among users as $m$ quasi-aggregative games, i.e., $\Gamma_j = (\tilde{\pi}_{ij}, A_i)$, $\forall j = 1, 2, \ldots, m$, where $A_i$ is user $i$’s strategy space. The payoff function of each player in this game is $\tilde{\pi}_{ij} = U_{ij}^u(\sigma_{ij}(a_{-i}), a_{ij})$; the aggregator is $g_j(a) = F_{ij}(\sigma_{ij}(a_{-i}), a_{ij}) = \sigma_{ij}(a_{-i}) + a_{ij}$; and the interaction function is $\sigma_{ij}(a_{-i}) = \sum_{k \in N,\, k \neq i} a_{kj}$. User $i$ in the game $\Gamma_j$ aims to maximize its utility by properly choosing a strategy vector $a_i$ such that
$$a_i = \arg\max_{a_{ij}} U_i^u(\sigma_i(a_{-i}), a_{ij}).$$
According to the property of quasi-aggregative game theory [17], we can derive the following theorem.
Theorem 2. The game Γu = (˜πi, Ai)i∈N has a pure strategy Nash equilibrium (PSNE) for any privacy leakage level δ.
Proof. When the aggregate value $\sigma_{-i}$ increases, user $i$ gets an increased payoff. Thus, user $i$ can increase its payoff by decreasing the value of its strategy $s_i$. As a result, the best-reply correspondence of user $i$ is strictly decreasing. It is obvious that the shift function $F_i$ (Eq. 4.1) exhibits strictly increasing differences in $x_{-i}$ and $s_i$. According to [17], the theorem is proved.
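As an added illustration of the user model of Sections 3.1 and 3.2 (Eqs. 1-3) and of the best-reply argument behind Theorem 2, the following Python script is not the paper's code. It assumes a concrete service-quality function $Q_i$ (logarithmic in the leakage $1-\delta_j$ and concave in $\sigma_j(a)$, since Eqs. 4-7 are not in this extract) and all numeric parameters, finds a pure-strategy equilibrium by iterated best response on a grid, and at the fixed point no user can gain by deviating alone.

```python
import math

# Added illustration (not the paper's code). Q_i below is an assumption:
# Sec. 3.2 only says service quality is logarithmic in the leakage level and
# has diminishing marginal returns in sigma_j(a); the exact Eqs. 4-7 are not
# in this extract.

def aggregator(a, j):
    """sigma_j(a): expected number of users accepting delta_j (Eq. 3)."""
    return sum(row[j] for row in a)

def user_cost(a_i, c_i, s, delta):
    """C_i^u(a_i) of Eq. 1: leakage to the platform (1 - delta_j) plus resale s_j."""
    return sum(c_i[j] * a_i[j] * (s[j] + (1.0 - delta[j])) for j in range(len(a_i)))

def service_quality(a, delta, kappa=1.0):
    """Assumed Q_i: kappa * log(1 + leakage_j) * sqrt(sigma_j(a)), summed over j.
    Depends on user i's own a_i only through sigma_j(a), as in the aggregative game."""
    total = 0.0
    for j, d in enumerate(delta):
        leak = 1.0 - d
        if leak > 0.0:
            total += kappa * math.log1p(leak) * math.sqrt(aggregator(a, j))
    return total

def user_utility(a, i, c, s, delta):
    """U_i^u(a_i, a_-i) = Q_i - C_i^u (Eq. 2)."""
    return service_quality(a, delta) - user_cost(a[i], c[i], s, delta)

def best_response(a, i, c, s, delta, grid=21):
    """Grid search of a_ij in [0, 1] for each attribute j, holding a_-i fixed."""
    best = list(a[i])
    for j in range(len(delta)):
        best_u, best_v = -math.inf, best[j]
        for k in range(grid):
            v = k / (grid - 1)
            trial = [list(row) for row in a]
            trial[i] = list(best)
            trial[i][j] = v
            u = user_utility(trial, i, c, s, delta)
            if u > best_u:
                best_u, best_v = u, v
        best[j] = best_v
    return best

def find_psne(a0, c, s, delta, rounds=50):
    """Iterated best response from profile a0; returns (profile, converged).
    At a fixed point no user can improve on the grid by deviating alone."""
    a = [list(row) for row in a0]
    for _ in range(rounds):
        changed = False
        for i in range(len(a)):
            br = best_response(a, i, c, s, delta)
            if br != a[i]:
                a[i], changed = br, True
        if not changed:
            return a, True
    return a, False

if __name__ == "__main__":
    # Constructed instance: three users with different privacy costs, one
    # attribute, offer delta_1 = 0.5 and resale leakage s_1 = 0.1.
    profile, ok = find_psne([[0.0], [0.0], [0.0]], [[0.1], [0.276], [1.0]], [0.1], [0.5])
    print("converged:", ok, "profile:", profile)
```

In the constructed instance the low-cost user accepts fully, the high-cost user rejects, and the middle user settles at an interior acceptance probability, which is the asymmetric-user behaviour the model is built to capture.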
4.2 Contract Model
The platform makes a contract with the adversary. Assume the adversary announces its type as $\gamma$, $\gamma \in (0, 1)$. The platform provides a menu of contracts $\{(p(\gamma), s)\}$ to the adversary. According to contract theory [35], to incentivize the adversary to accept the contract designated for it rather than choosing other contracts or refusing any contract, the menu of contracts should satisfy both the individual rationality condition and the incentive compatibility condition defined below.
Condition 1 (Individual Rationality (IR)) A menu of contracts $\{(p(\gamma), s)\}$ satisfies the individual rationality constraints if it yields to the adversary a non-negative payoff, i.e., $\forall \gamma \in (0, 1)$, $U^t(p(\gamma), s) \ge 0$, where $U^t(p(\gamma), s)$ is the utility of the adversary with type $\gamma$.
Condition 2 (Incentive Compatibility (IC)) A menu of contracts $\{(p(\gamma), s)\}$ satisfies the incentive compatibility constraints if the best response for the adversary with type $\gamma$ is to choose the contract $(p(\gamma), s)$ rather than any other contract, i.e., $\forall \gamma, \hat{\gamma} \in (0, 1)$, $U^t(p(\gamma), s) \ge U^t(p(\hat{\gamma}), s)$.
Therefore, the objective of the platform is to maximize its utility by properly creating a menu of contracts. We formalize the optimization problem of the platform as follows.
$$\max_{\{(p(\gamma), s)\}} U^p(\delta, s, p(\gamma), a),$$
subject to Conditions 1 and 2.
According to the aggregative model and contract model, we can see that the platform needs to properly choose the privacy leakage level δ for all users and create the contract menu for the adversary to maximize its utility. Therefore, the Nash Equilibrium can be derived by solving the combined optimization problem:
$$\max_{(\delta, \{(p(\gamma), s)\})} U^p(\delta, s, p(\gamma), a^{*}),$$
subject to Conditions 1 and 2, where $a^{*}$ is the PSNE of the aggregative game.
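As an added example for the contract model of Section 4.2 (not the paper's code), the following Python script checks a menu of contracts $\{(p(\gamma), s)\}$ against Condition 1 (IR), Condition 2 (IC) and the feasibility requirement $s_j \le \delta_j$, using the adversary's data value from Eq. 8. The values of $\theta$ and $b$, the flat payment $P = p(\gamma)$, and all numbers in the instance are constructed assumptions.

```python
# Added example (not the paper's code): checking a contract menu {(p(gamma), s)}
# against Condition 1 (IR) and Condition 2 (IC) of Sec. 4.2, with the
# adversary's data value of Eq. 8. theta, b, the flat price P = p(gamma) and
# all numbers in __main__ are constructed assumptions.

def aggregator(a, j):
    """sigma_j(a) of Eq. 3: expected number of users accepting delta_j."""
    return sum(row[j] for row in a)

def data_value(s, a, gamma, theta=1.0, b=0.5):
    """V_t(s, a) = theta * sum_j s_j^gamma * sigma_j(a)^b (Eq. 8), for type gamma."""
    return theta * sum(s[j] ** gamma * aggregator(a, j) ** b for j in range(len(s)))

def adversary_utility(price, s, a, gamma, **params):
    """U^t = V_t - P (Eq. 9), assuming the payment P is the flat price p(gamma)."""
    return data_value(s, a, gamma, **params) - price

def check_menu(menu, a, delta, tol=1e-12, **params):
    """menu maps a type gamma to its contract (p, s). Returns the violated
    constraints: 'feasible' (some s_j > delta_j), 'IR' (own contract gives
    negative utility) and 'IC' (pairs (gamma, gamma_hat) where type gamma
    strictly prefers gamma_hat's contract). An empty dict means the menu is valid."""
    bad = {"feasible": [], "IR": [], "IC": []}
    for g, (p, s) in menu.items():
        if any(s[j] > delta[j] for j in range(len(s))):
            bad["feasible"].append(g)
        own = adversary_utility(p, s, a, g, **params)
        if own < -tol:
            bad["IR"].append(g)
        for g2, (p2, s2) in menu.items():
            if g2 != g and adversary_utility(p2, s2, a, g, **params) > own + tol:
                bad["IC"].append((g, g2))
    return {k: v for k, v in bad.items() if v}

if __name__ == "__main__":
    users = [[1.0, 0.5], [1.0, 0.5]]   # constructed acceptance profile a (sigma = [2, 1])
    delta = [0.6, 0.6]                 # platform's privacy protection offer
    # Two adversary types; the type with the larger marginal value of extra
    # leakage (gamma = 0.8) is offered more leakage at a higher price.
    menu = {0.3: (0.5, [0.2, 0.2]), 0.8: (1.2, [0.6, 0.6])}
    print(check_menu(menu, users, delta))   # {} : IR, IC and feasibility hold
```

Raising the price of the $\gamma = 0.8$ contract to 1.8 in the same instance makes that type's own utility negative, so the check reports both an IR violation and an IC violation (the type would rather take the cheaper contract).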
In this section, we study the interactions in the proposed two-layer three-party game. In the simulation, we utilize a parallel machine learning algorithm termed Particle Swarm Optimization (PSO) [8] to find the optimal strategies for the user and the platform.
shows the utility of user $i$ when it stays in the Nash Equilibrium, and the dashed green line is when it leaves the Nash Equilibrium. As we can see, the user’s utility increases at first and then decreases as the protection level increases. The utility increases because the rate at which the user’s privacy loss decreases is larger than the rate at which service quality decreases. However, the user’s utility decreases after the maximum point, because the rate at which service quality decreases is larger than the rate at which privacy loss decreases. User $i$ has utility 0 with the strongest protection level $\delta_5$ because the user cannot get any service quality and has no privacy loss. Fig. 2 also shows us that the utility of user $i$ when it stays in NE is higher than when it leaves NE. This supports the existence of NE in the aggregative model and shows that users cannot get higher utility if they use non-NE strategies.
5.3 Platform Comparison
We compare the proposed platform with a trusted platform and an untrusted platform. We assume the trusted platform keeps users’ data safe and will not trade the data, while the untrusted platform sells all its collected data. As shown in Fig. 3, the utility of the proposed platform (solid red line) increases at first and then decreases as the protection level increases. The utility increases while the rate at which the payoff increases is larger than the rate at which reputation loss increases, and decreases once the rate at which the payoff increases falls below the rate at which reputation loss increases. This supports the NE existence of the two-layer three-party game, because the platform cannot increase its utility by simply decreasing the privacy protection level. Fig. 3 and Fig. 4 compare the utility of the three types of platforms with different protection levels and different adversary types, respectively. As shown in Fig. 3, the trusted platform has higher utility than the untrusted platform with protection level $\delta_0$ to $\delta_1$ because the trusted platform has no reputation loss and the selling profit of the untrusted platform cannot make up for its reputation loss. The untrusted platform has higher utility than the trusted platform with protection level $\delta_2$ to $\delta_5$ because the payment from selling data dominates the reputation loss, and thus yields more profit than the trusted platform. This explains why platforms usually sell users’ data in real life. However, the platform does not need to sell all the users’ data to maximize its utility. From Fig. 3 and Fig. 4, we can see that the proposed platform has the highest utility because it balances the tradeoff between payoff (from data collection and selling data) and reputation loss. It chooses a proper protection level and selling strategy to maximize its utility. Therefore, we can conclude that the proposed framework can provide balanced strategies for the platform.
By using the proposed model, the platform will properly choose the data selling strategy, thus decreasing users’ privacy loss.
Context-aware services are integrated into the majority of people’s daily lives. By utilizing these services, one must provide certain private information in order to receive better outcomes. Users risk leaking private data, as service platforms are sometimes willing to sell this information to a third party, or adversary, to gain more profit, thus resulting in conflicting goals. This paper studies the interactions among the three parties by proposing a platform-centric two-layer three-party game. In the proposed game model, we theoretically formulate the behaviors of each party and the interactions among the three parties by using an aggregative game model and a contract model. We run simulations with real datasets to validate the effectiveness of the proposed game model. We show that the proposed model can provide the proper strategy for the platform to balance the payoff and reputation loss, thus increasing privacy protection for the users. This work will enable platforms, such as Facebook, to provide quality service and protection to their users, but also provide a means to profit from a balanced strategy. To further investigate more realistic privacy protection issues, this work will be extended to a model that considers the influence of temporal data. Therefore, the users and platform need to consider privacy protection not only for the current status, but also for previous and future conditions.
This work is partly supported by the National Science Foundation (NSF) under grant NOs. 1252292, 1741277, 1704287, and 1829674.