Private Status Updating with Erasures: A Case for Retransmission Without Resampling
Ahmed Arafa, Karim Banawan

TL;DR
This paper explores a privacy-aware status updating system over erasure channels, demonstrating that retransmitting stale updates without resampling can enhance privacy while managing age-of-information.
Contribution
It introduces a novel approach combining waiting times and retransmissions of stale updates to balance privacy and freshness in AoI systems.
Findings
Retransmitting stale updates can improve privacy under certain conditions.
Waiting times can be optimized to balance privacy and AoI.
Stale update retransmission is beneficial without resampling in specific scenarios.
Abstract
A status updating system is considered in which a source updates a destination over an erasure channel. The utility of the updates is measured through a function of their age-of-information (AoI), which assesses their freshness. Correlated with the status updates is another process that needs to be kept private from the destination. Privacy is measured through a leakage function that depends on the amount and time of the status updates received: stale updates are more private than fresh ones. Different from most of the current AoI literature, a post-sampling waiting time is introduced in order to provide a privacy cover at the expense of AoI. More importantly, it is also shown that, depending on the leakage budget and the channel statistics, it can be useful to retransmit stale status updates following erasure events without resampling fresh ones.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAge of Information Optimization · Distributed Sensor Networks and Detection Algorithms · Distributed systems and fault tolerance
Private Status Updating with Erasures:
A Case for Retransmission Without Resampling††thanks: This work was supported by the U.S. National Science Foundation under Grants CNS 21-14537 and ECCS 21-46099.
Ahmed Arafa
Electrical and Computer Engineering Department, University of North Carolina at Charlotte, USA
Karim Banawan
Department of Electrical Engineering, Alexandria University, Egypt
Abstract
A status updating system is considered in which a source updates a destination over an erasure channel. The utility of the updates is measured through a function of their age-of-information (AoI), which assesses their freshness. Correlated with the status updates is another process that needs to be kept private from the destination. Privacy is measured through a leakage function that depends on the amount and time of the status updates received: stale updates are more private than fresh ones. Different from most of the current AoI literature, a post-sampling waiting time is introduced in order to provide a privacy cover at the expense of AoI. More importantly, it is also shown that, depending on the leakage budget and the channel statistics, it can be useful to retransmit stale status updates following erasure events without resampling fresh ones.
I Introduction
Providing fresh status updates to destinations is crucial for timely decision-making in various applications, including smart city, e-Health, and digital twins, to name a few. At the same time, with the vast connectivity and correlation between data sources, some information may need to be kept private from curious destinations while providing them with the useful data they need. In this paper, we consider the interplay between utility and privacy of status updates through the lens of time.
Data freshness is quantified by the age-of-information (AoI), defined as the time elapsed since the latest useful piece of received data has been generated [1]. In this paper, the utility of status updates is measured through a function acting on their AoI. Such function may represent the estimation mean square error [2, 3], under some assumptions on the underlying process being updated. Privacy, on the other hand, is measured through a function that depends on the relationship between the amount of data received so far and the process to be kept private. We focus on scenarios in which the privacy leakage is at its peak when status updates are most fresh. Thereby, a tension arises between data freshness and data privacy.
We study a continuous-time status updating system in which a source-destination pair are communicating through an erasure channel. The freshness of data is controlled by pre-sampling waiting times [4], while the privacy is maintained by post-sampling waiting times. The post-sampling waiting times are carefully designed to deliver moderately fresh updates; these are updates that are fresh enough to provide utility, yet stale enough to provide privacy. A main pillar in our work is that we allow the source to retransmit old samples following erasures without resampling fresh ones. Specifically, we study the following question here:
how many retransmissions are to be allowed before the sample becomes too stale and useless?
We carefully provide an answer to that question that depends on the privacy leakage budget and the channel statistics such that the long-term average utility is maximized.
Related works. A number of works in the literature study the relationship between AoI and privacy. Our previous work [5] considers an information-theoretic private information retrieval problem with AoI guarantees. The work in [6] studies differential privacy metrics that depend on AoI. Reference [7] is closely-related to our work. It considers the privacy-AoI tradeoff in discrete-time systems, and designs post-sample waiting policies for when to release updates in queuing systems in order to control the privacy leakage. Different from [7], we consider a continuous-time system, with erasures, and jointly design waiting times and the number of retransmissions to balance AoI with leakage.
II System Model and Objective
Consider a stochastic process that represents a time-varying status to be conveyed to a destination. Such process represents a user’s status over time, e.g., home electric usage. Samples from this process are generated at will, and are sent through a channel that introduces random delays and erasures. Specifically, the th sample is generated at time , transmitted for the first time at , and takes time units to traverse through the channel, denoted the channel busy time. After that, the sample is still prune to erasure with probability , whence the sample may be retransmitted at time , incurring channel busy time, and the process repeats. In general, the th sample may be (re)transmitted times until successful reception. In case the th attempt fails, the sample is discarded and the process restarts with a fresh sample . Observe that means that the sample is transmitted only once. We now have the following constraints:
[TABLE]
Channel busy times, ’s, are independent and identically distributed (i.i.d.). Similarly, erasure events are i.i.d., and are independent from and ’s.
A successfully-received sample is denoted an update. Let , and denote the sampling time of the th update, its transmission time, and the channel busy time it encounters, respectively. It follows that , and . The th update is delivered at time
[TABLE]
See Fig. 1 for an example time line including all the variables introduced so far. At the destination, the age-of-information (AoI) of the process at time is defined as
[TABLE]
We measure the utility of the status updates through a general increasing age-penalty functional that acts upon the AoI process . Specifically, the instantaneous utility of the updates at time is given by
[TABLE]
Therefore, updates are more useful when their AoI is small. Observe that the AoI drops right after delivery times. We note that measuring utility through AoI is meaningful in estimation and tracking settings, as one can show that the minimum mean square error estimate of Markovian processes is given by an increasing function of the AoI, see, e.g., [2, 3].
Correlated with is another stochastic process that represents a latent variable that needs to be kept private from the destination. We consider an honest-but-curious destination node that may be interested in getting more information about the user from the updates it conveys. The privacy leakage at time is governed by the amount of information that the received samples, so far, can reveal about , which we capture using the following non-negative function :
[TABLE]
where denotes all the updates received up to time . For instance, one can adopt the mutual information [8] to measure the privacy leakage, as done in several works [9, 10, 11, 12, 13, 14, 15, 16], or other notions such as in [17, 18], and its generalization, in [19]. We have the following assumption about :
[TABLE]
where denotes cardinality. Thus, the leakage decreases over time, as long as no new samples have been received. This also implies that leakage peaks occur right after delivery times. Several situations satisfy the privacy leakage assumption in (II). For instance, consider the information leakage metric to an estimating adversary in [20],
[TABLE]
where the leakage signifies the estimating accuracy of the adversary (i.e., denotes almost perfect estimation of given ). Considering the estimation setting , where is a Wiener process with and i.i.d. Gaussian process, then ,. The estimation leakage is given by:
[TABLE]
Hence, decreases over time. The same arguments hold for the guessing adversary if is picked from a discrete distribution with . A different example with an Ornstein-Uhlenbeck (OU) process estimation and a mutual information leakage metric can be found in Section III.
From the above, we see a tension between utility and privacy, as noted in previous works [9, 10, 11, 12, 14, 16, 18, 21]: reducing AoI increases the leakage, and vice versa.
Our goal is to maximize the utility of the updates, while preserving privacy. Specifically, we wish to design the sampling times and transmission times such that the long-term average age-penalty is minimized, subject to an upper bound on the average maximum privacy leakage:
[TABLE]
where denotes the leakage budget, and denotes the expectation over the random variables involved.
For , problem (II) reduces to minimizing an AoI functional, and hence it would be optimal to set (first transmission times are the same as sampling times) and (only one transmission attempt per sample), . The reason behind these is obvious: there is no need to keep a fresh sample waiting idly after being generated as this will only hurt the AoI, and retransmitting an older sample is worse than discarding it and starting fresh. We note that this has been the typical scenario in most AoI literature that do not consider a sampling constraint budget.
Now for , it may be beneficial to set . This would relatively increase the AoI of the received update, but at the same time would decrease the privacy leakage. The reason follows from the assumption in (II); the peak leakage occurs at delivery times, and we need to make it no larger than , on average. Following the same rationale, it may also be beneficial to retransmit the same sample in case of a failure since a fresher sample would lead to a relatively lower AoI, and hence a higher privacy leakage, when delivered.
We characterize the solution of (II) in the remainder of this paper. In particular, we discuss when to acquire a new sample, when to transmit it, and how many times it should be retransmitted so as to keep the information about fresh and that about private.
III Problem Reformulation:
Waiting Times and Stationary Policies
In this section, we focus on processes in which the privacy leakage reduces, with a slight abuse of notation, to
[TABLE]
Thus, according to our assumption on , the privacy leakage is a decreasing function of AoI. For instance, consider an OU process with parameters and [22], and set with being i.i.d. noise. Further, let the leakage function be given by the mutual information. One can show that [8]
[TABLE]
which is a decreasing function of as required.
We now reformulate the optimization problem in (II) in terms of waiting times, as opposed to sampling and transmission times. Specifically, we denote by an epoch the time elapsed in between two successful updates: the th epoch extends from until . We now define the first pre-sampling waiting time in the th epoch as
[TABLE]
That is, is the waiting time at the beginning of epoch before acquiring the first sample in it. Next, we define the first post-sampling waiting time following the acquisition of the first sample in the th epoch as
[TABLE]
We now (re)denote by the channel busy time of the first sample’s th transmission attempt in the th epoch. Therefore, we have the post-sampling waiting time sequence given by
[TABLE]
where now denotes the maximum number of transmission attempts for the first sample in the th epoch. For simplicity of presentation, let us define
[TABLE]
as the maximum time allocated to the transmission attempts of the first sample in the th epoch. In case the first sample is unsuccessful after its last transmission attempt, we define the second pre-sampling waiting time as
[TABLE]
This is then followed by a post-sampling waiting time sequence given exactly as in (15) and (III) after replacing , and by , and , respectively.
In general, the pre- and post-sampling waiting time sequences in the th epoch will be given as follows:
[TABLE]
with and . The th epoch ends whenever a transmission attempt is successful, which defines and the start of the next epoch . The length of the th epoch is
[TABLE]
where is the number of samples generated in the th epoch, and denotes the number of attempts needed for the th sample to be delivered. Clearly, . Observe that the AoI at the start of epoch is given by
[TABLE]
We focus on stationary policies in which the waiting times have the same distribution across epochs. We also fix
[TABLE]
Problem (II) now reduces to one over a single epoch:
[TABLE]
We now have the following lemma:
Lemma 1
In problem (III), it is optimal to perform pre-sampling waiting only at the beginning of an epoch. Likewise, it is optimal to perform post-sampling waiting only once per sample following each sampling time.
**Proof: ** Observe that the epoch length in (III) only depends on the aggregate sum of the pre-sampling waiting times. One can then define the aggregate pre-sampling waiting time
[TABLE]
and optimize that instead, which does not change the value of the optimal solution. Similarly, one can also define aggregate post-sampling waiting times
[TABLE]
and optimize those instead.
Next, we focus on deterministic waiting policies in which the pre-sampling waiting time is a deterministic function of the starting AoI of the th epoch:
[TABLE]
We note that stationary deterministic waiting policies are known to be optimal under i.i.d. channel settings [4]. By Lemma 1, and under stationary deterministic waiting policies, the th epoch length is now given by
[TABLE]
and the optimization problem finally becomes
[TABLE]
In the sequel, we present solutions to problem (III) first for the case without errors, followed by that with errors.
IV The Case Without Errors:
We analyze problem (III) for error-free transmissions in this section. Our structural insights drawn from the solution of this scenario will serve as a building block for the scenario with channel errors in the following section. Now, for , we have (no retransmissions are needed), and . Hence, we drop the subscript and superscript in and , and re-evaluate the epoch length in (III) as
[TABLE]
Problem (III) then reduces to
[TABLE]
Lemma 2
The optimal post-sampling waiting policy of problem (IV) is , for some constant given by
[TABLE]
where is the unique solution of .
**Proof: ** We first argue that cannot depend on , since the new sample generated in the th epoch leaks information at the beginning of epoch with a value that is independent of previous epochs’ events. Specifically, depends solely on (through its distribution). Since ’s are i.i.d., we can conclude that ’s are also i.i.d.
Next, observe that the post-sampling waiting time can only hurt the AoI. This can readily be shown by a sample path argument; increasing increases the service time of the th sample, and only makes it more stale when received. Now let us fix . Setting would then be AoI-optimal, provided that the privacy constraint is met, i.e., if . Otherwise, one should set to the lowest value allowed by the leakage budget. Since is decreasing, such value is given by in (33).
Finally, since ’s are i.i.d., the above argument shows that they should all be fixed at the same value.
Lemma 2 shows that there can be situations in which the channel busy time provides a natural privacy cover (when ), and that post-waiting times should only be used when necessary. The lemma also shows that one can define a new channel busy time
[TABLE]
with given by (33), which is still i.i.d., and optimize the pre-sampling waiting time over as done in the AoI minimization literature. Specifically, the results in, e.g., [23, 3], show that the pre-sampling policy is a threshold policy
[TABLE]
where , and the function
[TABLE]
denotes the expected utility by the end of the th epoch when it starts with an AoI value of . Further, the value of is given by the unique solution of
[TABLE]
which can be found by, e.g., a bisection search [3].
This completes the solution for the setting without errors.
V The Case With Errors:
In this section, we extend the aforementioned solution to the case with channel errors. First, we fix the value of and evaluate the distributions of the random variables and . Observe that a new sample will be generated only if the previous one has failed transmissions, which occurs with probability . It then follows that
[TABLE]
As for the number of transmissions, , needed for sample (the final sample) to succeed, we note that in case the th transmission attempt is successful given that a successful transmission occurs in at most attempts. Thus,
[TABLE]
i.e., is a truncated random variable.
Next, following similar arguments as in Lemma 2, one can show that the post-sampling waiting times ’s are all fixed in the optimal solution of problem (III), and are given by (33). Hence, the epoch length in (III) is now proportional to
[TABLE]
This allows us to draw the following insight:
Remark 1
As the privacy leakage budget decreases, increases, and hence the value of must be relatively small so as to not to make the epoch length too large. This can be achieved by increasing , which controls the distribution of and makes it take smaller values with higher probabilities.
The above remark is one fundamental observation in this paper: the number of retransmissions should be inversely proportional to . Intuitively, higher levels of privacy are naturally achieved when retransmitting stale samples, and therefore making a case for retransmission without resampling.
To get more insight on how the utility behaves as a function of , we focus on the scenario in which , together with a zero-pre-sampling waiting policy in which . In this case, the starting AoI in the th epoch is given by
[TABLE]
and the th epoch length in (III) reduces to
[TABLE]
Consequently, direct geometrical arguments lead to expressing the utility (long-term average AoI) as
[TABLE]
We start with computing the second moment of . Since , and are mutually independent, one can write
[TABLE]
One can then show that the second term in (V) is given by
[TABLE]
while the first term in (V) can be expressed as
[TABLE]
where the last term follows by iterated expectations. Focusing on the second term above, one can expand it as follows:
[TABLE]
Substituting (49) in (V), and then (V) and (45) in (V), we get an expression for the second moment of in terms of the first and second moments of and . These latter moments are directly computable from (38) and (39) as
[TABLE]
Finally, observe that the remaining terms in (43) are merely the first moments of and computed above. We now have a closed-form expression of the utility in terms of the number of retransmissions , and the privacy leakage budget (embedded in the value of ).
Next, we discuss how to choose the optimal .
VI Optimal Number of Retransmissions
We evaluate the optimal number of retransmissions for a system with . For the privacy leakage function, we consider the OU process example considered in Section III ( is given by (13)). In Fig. 2, we plot the utility versus for different values of error probability . In the top figure, we consider a leakage budget of , for which one can show by (33) that . In the bottom figure, we consider , for which . In both cases, . Evidently, the utility in the bottom figure is worse (higher AoI) since the leakage budget is tighter. Two further observations can be drawn. First, the optimal (circled in red) increases with for fixed . The intuition behind this is that as increases, a sample takes a relatively longer time to be successfully delivered. Hence, if one resamples often in this case (i.e., if is small), the sample will incur even more time due to the extra post-sampling waiting that has to be added. The second observation is that the optimal increases with for fixed . This is also intuitive since for larger the leakage budget is tighter, and hence one has to retransmit the same sample for longer times to preserve privacy.
Next, we fix (i.e., ) and vary the busy time statistic, . For (slower channel) we get for all values of in Fig. 2. While for (faster channel), we get , i.e., increases relative to the values in Fig. 2. This is mainly because the channel naturally adds a privacy coverage when it is slow, and requires more protection by retranmissions when it is fast.
VII Conclusion
A freshness-privacy tradeoff has been considered for a source-destination pair communicating through an erasure channel. It has been shown that carefully designing post-sampling waiting times, together with the number of retransmissions of unsuccessful samples can provide useful status updates while maintaining desired levels of privacy.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] R. D. Yates, Y. Sun, R. D. Brown, S. K. Kaul, E. Modiano, and S. Ulukus. Age of information: An introduction and survey. IEEE J. Sel. Areas Commun. , 39(5):1183–1210, May 2021.
- 2[2] Y. Sun, Y. Polyanskiy, and E. Uysal-Biyikoglu. Sampling of the Wiener process for remote estimation over a channel with random delay. IEEE Trans. Inf. Theory , 66(2):1118–1135, February 2020.
- 3[3] A. Arafa, K. Banawan, K. G. Seddik, and H. V. Poor. Sample, quantize, and encode: Timely estimation over noisy channels. IEEE Trans. Commun. , 69(10):6485–6499, October 2021.
- 4[4] Y. Sun, E. Uysal-Biyikoglu, R. D. Yates, C. E. Koksal, and N. B. Shroff. Update or wait: How to keep your data fresh. IEEE Trans. Inf. Theory , 63(11):7492–7508, November 2017.
- 5[5] K. Banawan, A. Arafa, and S. Ulukus. Timely private information retrieval. In Proc. IEEE ISIT , July 2021.
- 6[6] M. Zhang, E. Wei, R. Berry, and J. Huang. Age-dependent differential privacy. In Proc. ACM Sigmetrics/IFIP Performance , June 2022.
- 7[7] N. Sathyavageesran, R. D. Yates, A. D. Sarwate, and N. Mandayam. Privacy leakage in discrete-time updating systems. In Proc. IEEE ISIT , June 2022.
- 8[8] T. Cover and J. A. Thomas. Elements of Information Theory . John Wiley & Sons, 2006.
