Adding Privacy to Netflix RecommendationsFrank McSherry, Ilya Mironov (MSR SVC)

Attacks on Recommender Systems

— No “blending in”, auxiliary information— Differencing attacks/active attacks— Potential threats:

— re-identification, linking of profiles— business, legal liabilities

“Users like you” “Enjoyed by members who enjoyed”

C

CB A A B C

D E F :

ADE

?

?

Differential Privacy

Strong formal privacy definition. Informally:“Any output of the computation is as likely with your data as without.”

Privacy for a Count: How Many Ratings?

Current Architectures:

DP

Private Architecture:

Any output is as likely with your data as without.

Netflix Prize Dataset

17K movies480K people100M ratings3M unknowns

$1M for beating the benchmark by 10%

0.032 0.32 3.20.8800000000000010.9000000000000010.9200000000000010.9400000000000010.9600000000000010.980000000000001

11.02

Cinematchglobal effectskNNSVD

1/σ – privacy parameter

RMSE

benchmark

Differentially Private Recommendation

1.Global effects (movie/user averages)2.Movie-movie covariance matrix

3.Leading “geometric” Netflix algorithms

Accuracy-Privacy Tradeoff

DP

Cost of Privacy over Time

0 500 1000 1500 20000%

4%

8%

12%

16%

0

20000000

40000000

60000000

80000000

100000000

lossrecords

days