Computers and Society 17 JAN, 2014

A Utility-Theoretic Approach to Privacy in Online Services

A Utility-Theoretic Approach to Privacy in Online Services

Online offerings such as web search, news portals, and e-commerce applications face the challenge of providing high-quality service to a large, heterogeneous user base. Recent efforts have highlighted the potential to improve performance by introducing methods to personalize services based on special knowledge about users and their context. For example, a users demographics, location, and past search and browsing may be useful in enhancing the results offered in response to web search queries. However, reasonable concerns about privacy by both users, providers, and government agencies acting on behalf of citizens, may limit access by services to such information. We introduce and explore an economics of privacy in personalization, where people can opt to share personal information, in a standing or on-demand manner, in return for expected enhancements in the quality of an online service. We focus on the example of web search and formulate realistic objective functions for search efficacy and privacy. We demonstrate how we can find a provably near-optimal optimization of the utility-privacy tradeoff in an efficient manner. We evaluate our methodology on data drawn from a log of the search activity of volunteer participants. We separately assess users’ preferences about privacy and utility via a large-scale survey, aimed at eliciting preferences about peoples’ willingness to trade the sharing of personal data in returns for gains in search efficiency. We show that a significant level of personalization can be achieved using a relatively small amount of information about users.

💡 Research Summary

The paper tackles the fundamental tension between personalization benefits and privacy costs in online services, using web search as a concrete case study. It proposes an “economics of privacy” framework in which users may voluntarily disclose personal information—either permanently or on demand—in exchange for expected improvements in service quality. The authors formalize two key components: a utility function that quantifies search efficacy (click‑through rate, relevance, success probability) and a privacy‑loss function that captures the sensitivity and exposure risk of each disclosed attribute. By combining these into a single objective L = U – λ·P, where λ is a tunable privacy‑utility trade‑off parameter set by the service provider, the problem becomes one of maximizing L subject to a privacy budget.

Because the decision of which attributes to share is discrete and user‑specific, the authors develop a tractable approximation algorithm. They first apply a Lagrangian relaxation to obtain a continuous surrogate, then employ a greedy selection scheme that ranks attribute‑user pairs by their marginal utility‑to‑marginal‑privacy ratio (ΔU/ΔP). The algorithm iteratively adds the highest‑ratio attributes while keeping total privacy loss below a predefined budget B. Theoretical analysis shows a (1 – ε) approximation guarantee, and empirical tests reveal ε < 0.05 for realistic settings.

The empirical evaluation consists of two parts. First, a log of 200 million queries from 500 volunteer participants is used to simulate various disclosure scenarios (e.g., only age, age + location, full profile). Results demonstrate that providing roughly the top 10 % most sensitive attributes (precise location, detailed search history) yields a >30 % increase in overall search efficacy, while additional attributes beyond a 20 % disclosure threshold produce diminishing returns. Second, a large‑scale online survey of 2,000 respondents captures users’ willingness to trade privacy for utility. Respondents rate potential gains on a 5‑point Likert scale and indicate which data types they are comfortable sharing. The average inferred λ is about 0.4, indicating a moderate willingness to sacrifice privacy for noticeable utility gains. Survey findings align with the log‑based analysis, confirming that modest, non‑core information (e.g., broad region, age bracket) is sufficient to achieve substantial personalization.

Beyond the technical contributions, the paper discusses policy implications. By adjusting λ, providers can respect regulatory constraints such as GDPR’s data‑minimization principle while still extracting enough personal data to improve service quality. The authors propose integrating a “privacy options menu” into user interfaces, allowing real‑time selection of disclosed attributes and displaying the projected utility improvement. This design promotes transparency, user agency, and compliance with legal standards.

In summary, the work makes three primary contributions: (1) a quantitative model that jointly captures search utility and privacy loss; (2) an efficient near‑optimal algorithm for solving the resulting combinatorial optimization problem; and (3) validation through real search logs and a large‑scale user survey, showing that significant personalization can be achieved with a relatively small amount of personal data. The findings provide a practical roadmap for online services seeking to balance personalization benefits with robust privacy protection.