Establishing the Price of Privacy in Federated Data Trading

Abstract

Personal data is becoming one of the most essential resources in today’s information-based society. Accordingly, there is a growing interest in data markets, which operate data trading services between data providers and data consumers. One issue the data markets have to address is that of the potential threats to privacy. Usually some kind of protection must be provided, which generally comes to the detriment of utility. A correct pricing mechanism for private data should therefore depend on the level of privacy. In this paper, we propose a model of data federation in which data providers, who are, generally, less influential on the market than data consumers, form a coalition for trading their data, simultaneously shielding against privacy threats by means of differential privacy. Additionally, we propose a technique to price private data, and an revenue-distribution mechanism to distribute the revenue fairly in such federation data trading environments. Our model also motivates the data providers to cooperate with their respective federations, facilitating a fair and swift private data trading process. We validate our result through various experiments, showing that the proposed methods provide benefits to both data providers and consumers.

Appendix A Proofs

Theorem 1

If the privacy valuation function used by the data consumer, D, is \(f(m)=K_1(e^{K_2m}-1)\), in order to impose the penalty scheme to any member \(p\in F\) of a federation F, the Shapley valuation function, \(\psi (.)\), chosen by F, must satisfy \(\frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2} < \psi \left( \epsilon ^T_p, \frac{\ln (\frac{w^*\epsilon ^T_p}{K_1}+K)}{K_2}\right) \), where \(K=\frac{\sum _{p'\ne p \in F}d_{p'}\epsilon ^T_{p'}}{K_1}+1\), \(d_{\pi }\) is the number of data points reported by any \(\pi \in F\), and \(w^*\) is the suggested scaling parameter computed by D to propose a realistic deal, as described in Sect. 4.1.

Proof

Using the privacy valuation function \(f(m)=K_1(e^{K_2m}-1)\), we have \(f^{-1}(\epsilon )=\frac{\ln (\frac{\epsilon }{K_1}+1)}{K_2}\). Let p be an arbitrary member of F with a maximum privacy threshold \(\epsilon ^T_p\). Therefore, in order to impose a penalty scheme on p, it needs to be ensured that

$$\begin{aligned} \frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2}< \psi (v, M) \nonumber&\\\nonumber&\\\nonumber \implies \frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2}< \psi (v, f^{-1}(\epsilon ^P_F))&\\\nonumber \nonumber&\\\nonumber [w^*\in [0,1]\text { is the scaling parameter chosen by }D \text { and } \epsilon ^P_F=w^*\epsilon ^T_F]&\\\nonumber \nonumber&\\\nonumber \implies \frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2}< \psi \left( v, \frac{\ln (\frac{\epsilon ^P_F}{K_1}+1)}{K_2}\right)&\\\nonumber&\\\nonumber \implies \frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2}< \psi \left( v, \frac{\ln (\frac{C_0+w^*\epsilon ^T_p}{K_1}+1)}{K_2}\right)&\\\nonumber&\\ \nonumber [\text { where }C_0=\sum _{p'\ne p \in F}d_p'\epsilon ^T_{p'}\text { is a constant}]&\\\nonumber \nonumber&\\ \nonumber \implies \frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2}< \psi \left( v, \frac{\ln (\frac{C_0+w^*\epsilon ^T_p}{K_1}+1)}{K_2}\right)&\\\nonumber&\\ \nonumber \frac{\ln (\frac{\epsilon ^T_p}{K_1}+1)}{K_2} < \psi \left( v, \frac{\ln (\frac{w^*\epsilon ^T_p}{K_1}+K)}{K_2}\right)&\\&\\ \nonumber [\text {for the constant }K=\frac{C_0}{K_1}+1.] \end{aligned}$$

(1)

   \(\Box \)