What's the Gist? Privacy-Preserving Aggregation of User Profiles

TL;DR

This paper proposes a privacy-preserving method for users to share only aggregate data, enabling accurate profiling while maintaining privacy, using encrypted and differentially-private contributions evaluated on census data.

Contribution

It introduces a novel framework allowing users to disclose only aggregate models of their data through encrypted, differentially-private contributions, balancing utility and privacy.

Findings

Accurate aggregates achievable with as few as 100 users

Framework generates revenue for users and data brokers

Overhead of the method is low

Abstract

Over the past few years, online service providers have started gathering increasing amounts of personal information to build user profiles and monetize them with advertisers and data brokers. Users have little control of what information is processed and are often left with an all-or-nothing decision between receiving free services or refusing to be profiled. This paper explores an alternative approach where users only disclose an aggregate model -- the "gist" -- of their data. We aim to preserve data utility and simultaneously provide user privacy. We show that this approach can be efficiently supported by letting users contribute encrypted and differentially-private data to an aggregator. The aggregator combines encrypted contributions and can only extract an aggregate model of the underlying data. We evaluate our framework on a dataset of 100,000 U.S. users obtained from the U.S. Census Bureau and show that (i) it provides accurate aggregates with as little as 100 users, (ii) it generates revenue for both users and data brokers, and (iii) its overhead is appreciably low.