In order to preserve the possibility of an Internet that is free at the point of use, attention is turning to new solutions that would allow targeted advertisement delivery based on behavioral information such as user preferences, without compromising user privacy. Recent explorations in devising such systems either take approaches that rely on semantic guarantees like $k$-anonymity, which can be easily subverted when combined with auxiliary information and which do not take into account that even knowledge of such clusters is privacy-invasive in itself, or provide full privacy by moving all data and processing logic to clients, which is prohibitively expensive for both clients and servers. In this work, we devise a new framework called PrivateFetch for building practical ad-delivery pipelines that rely on cryptographic hardness and best-case privacy, rather than syntactic privacy guarantees or reliance on real-world anonymization tools. PrivateFetch utilizes local computation of preferences followed by high-performance single-server private information retrieval (PIR) to ensure that clients can pre-fetch ad content from servers without revealing any of their inherent characteristics to the content provider. When considering a database of $>1,000,000$ ads, we show that we can deliver $30$ ads to a client in 40 seconds, with total communication costs of 192KB. We also demonstrate the feasibility of PrivateFetch by showing that the monetary cost of running it is less than 1% of average ad revenue. As such, our system is capable of pre-fetching ads for clients based on behavioral and contextual user information, before displaying them during a typical browsing session. In addition, while we evaluate PrivateFetch as a private ad-delivery system, the generality of our approach means that it could also be used for other content types.
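As an added illustration of the pipeline the abstract describes (not code from the PrivateFetch paper), the following models a client computing its interest bucket locally and then retrieving the matching ad with single-server PIR, so the ad server only ever sees ciphertexts. The PIR is a toy Paillier-based scheme with demo primes over an assumed one-ad-per-bucket database; the paper's high-performance PIR is not specified in the abstract and is not reproduced here.

```python
# Added illustration of the flow in the abstract: the client derives an
# interest bucket locally, then fetches that bucket's ad via single-server
# PIR, so the ad server never learns the bucket. The PIR is a toy
# Paillier-based scheme with demo primes, NOT PrivateFetch's actual PIR.
from math import gcd
import random
# Constructed sample: server-side ad database, one ad id per interest bucket.
AD_DB = [101, 202, 303, 404, 505, 606, 707, 808]

def paillier_keygen(p=999983, q=1000003):
    # Demo primes only; a real deployment uses ~1024-bit p and q.
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return (n, n + 1), (lam, mu)

def encrypt(pk, m, rng):
    n, g = pk
    r = rng.randrange(2, n)
    while gcd(r, n) != 1:  # r must be a unit mod n
        r = rng.randrange(2, n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def local_profile(history):
    # Client side: most-visited bucket, computed with no server contact.
    return max(set(history), key=history.count)

def pir_query(pk, bucket, n_items, rng):
    # Encrypted one-hot selector: every entry is a fresh randomized
    # ciphertext, so the server cannot tell which position holds the 1.
    return [encrypt(pk, int(i == bucket), rng) for i in range(n_items)]

def pir_answer(pk, query, db):
    # Server side: fold the database into the selector homomorphically,
    # yielding E(sum_i sel_i * db_i) = E(db[bucket]) without decrypting.
    n, _ = pk
    acc = 1
    for c, ad in zip(query, db):
        acc = acc * pow(c, ad, n * n) % (n * n)
    return acc

def fetch_ad(history, seed=7):
    pk, sk = paillier_keygen()
    bucket = local_profile(history)
    query = pir_query(pk, bucket, len(AD_DB), random.Random(seed))
    return decrypt(pk, sk, pir_answer(pk, query, AD_DB))
```

Note that this toy scheme sends one ciphertext per database entry, so its communication grows linearly with the database; the sublinear-communication PIR the abstract's 192KB figure implies is a separate construction.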