A Theory of Pricing Private Data

Personal data has value to both its owner and to institutions who would like to analyze it. Privacy mechanisms protect the owner’s data while releasing to analysts noisy versions of aggregate query results. But such strict protections of individual’s data have not yet found wide use in practice. Instead, Internet companies, for example, commonly provide free services in return for valuable sensitive information from users, which they exploit and sometimes sell to third parties. As the awareness of the value of the personal data increases, so has the drive to compensate the end user for her private information. The idea of monetizing private data can improve over the narrower view of hiding private data, since it empowers individuals to control their data through financial means. In this paper we propose a theoretical framework for assigning prices to noisy query answers, as a function of their accuracy, and for dividing the price amongst data owners who deserve compensation for their loss of privacy. Our framework adopts and extends key principles from both differential privacy and query pricing in data markets. We identify essential properties of the price function and micro-payments, and characterize valid solutions.

💡 Research Summary

The paper addresses a gap between the theoretical guarantees of differential privacy (DP) and the practical need to compensate individuals for the privacy loss incurred when their data is used in data markets. While DP focuses on limiting the privacy loss measured by the parameter ε, it does not prescribe any monetary value for that loss. Conversely, existing data‑market pricing schemes often ignore the privacy dimension entirely. The authors therefore propose a unified theoretical framework that assigns a price to noisy query answers as a function of their accuracy, and that distributes this price among the data owners who suffer the corresponding privacy loss.

The core of the framework is a price function p(ε,δ) that depends on the privacy budget ε and the desired accuracy δ (or equivalently the noise magnitude). The authors stipulate four essential properties for any admissible price function: (1) non‑negativity, (2) monotonicity in both ε (higher privacy loss → higher price) and δ (higher accuracy → higher price), (3) budget balance (the total price collected from the analyst must equal the sum of micro‑payments to data owners), and (4) privacy guarantee (each owner’s individual ε_i must not exceed the privacy budget they have consented to).

Micro‑payments μ_i are derived from three factors: the individual’s sensitivity Δ_i (the maximum change a single record can cause in the query), the contribution weight γ_i (the proportion of the query result that depends on that record), and the global privacy parameter ε. A simple linear rule μ_i = κ·γ_i·Δ_i·ε is proposed, where κ is a market‑wide coefficient reflecting the monetary value placed on privacy. This rule satisfies a “fair‑share” principle: owners whose data materially improve the query’s accuracy receive proportionally larger compensation.

The authors explore concrete functional forms for p(ε,δ). A baseline linear price model p(ε,δ)=α·ε+β captures the intuition that price grows with privacy loss (α>0) and includes a fixed service fee β. For multiple queries, they apply the standard DP composition theorem, accumulating ε across queries (ε_total = Σ ε_k) and consequently accumulating price (p_total = Σ p_k). This yields a “cumulative price” model that respects the additive nature of privacy loss.

To demonstrate feasibility, the paper formulates an optimization problem: given a total budget B and a target accuracy δ, find the smallest ε (and thus the lowest price) that satisfies the DP accuracy bound ε ≥ Δ/(δ·ln(1/β)) while also meeting the budget‑balance constraint Σ μ_i = p(ε,δ). Using Lagrange multipliers and the Karush‑Kuhn‑Tucker (KKT) conditions, the authors prove that a solution exists and provide an algorithmic procedure to compute it.

A case study on a synthetic medical database illustrates the model. The query is the average blood pressure; varying ε and δ shows that higher accuracy dramatically raises the price, and that records with higher sensitivity (e.g., rare disease patients) receive larger micro‑payments. The simulation confirms that the total price equals the sum of micro‑payments, satisfying the budget‑balance property.

The discussion acknowledges several limitations. Real‑world data markets are subject to legal and ethical constraints that may affect how privacy loss is monetized. The current analysis assumes independent queries; correlated queries would require more sophisticated composition accounting. Moreover, the linear micro‑payment rule may not capture complex utility functions where marginal privacy loss has diminishing or increasing monetary value.

In conclusion, the paper provides a rigorous bridge between differential privacy and data‑market economics. By defining a price function with clear desiderata and a principled micro‑payment scheme, it offers a foundation for “privacy as a tradable commodity.” Future work is suggested on non‑linear pricing, handling query interdependencies, and integrating regulatory frameworks, paving the way for practical implementations where individuals can be financially compensated for the privacy they relinquish.