Privacy & Usability of IPTV Recommender Systems

Tolga Arul, Nikolaos Athanasios Anagnostopoulos, Stefan Katzenbeisser
Security Engineering Group, Department of Computer Science, Technische Universität Darmstadt
Emails: {arul, anagnostopoulos, katzenbeisser}@seceng.informatik.tu-darmstadt.de

Abstract—IPTV is capable of providing recommendations for upcoming TV programs based on consumer feedback. With the increasing popularity and performance of recommender systems, risks of user privacy breach emerge. Although several works about privacy-preserving designs of recommender systems exist in the literature, a detailed analysis of the current state-of-the-art regarding privacy as well as an investigation of the usability aspects of such systems have, so far, not received consideration. In this paper, we survey current approaches for recommender systems by studying their privacy and usability properties in the context of IPTV.

I. MOTIVATION

In recent years, increasing bandwidth to customer premises has enabled the comprehensive transmission of broadcast data over telephone lines. Typically paired with Internet, voice and mobile services, the Internet Protocol TeleVision (IPTV) service has gained greatly in popularity. Enabled by two-way communication, IPTV recommender systems (RS) can increase the quality of user experience by personalized proposition of items such as video on demand content, linear TV, or personalized advertisements. However, such systems always involve the collection of privacy-sensitive user data and inherently lead to a certain violation of privacy. Several papers discuss how privacy for IPTV RS can be enhanced by introducing privacy-preserving technologies to the IPTV system architecture. For the design of such systems, usability is a critical factor, because systems that are not easy to use will not be commercially successful.
However, the support of privacy and usability leads to contradicting properties [1], since the quality of recommendations depends on the amount and quality of user information. Although several approaches exist in the literature, a comparative overview is missing.

II. CLASSIFICATION SCHEME FOR IPTV RECOMMENDER SYSTEMS

For the evaluation of the privacy guarantees of a system, it is required to examine the privacy and attacker models considered for this system. The privacy model describes the conditions under which user data are considered to be safe from inference and which user data deserve protection. Moreover, the attacker model describes the motivation, knowledge, and resources of an attacker in the system context. In the following, we will consider the privacy criteria introduced in [2] that differentiate between two settings, each laying out a set of privacy, attacker, and system model parameters.

In the secrecy setting, all exchanged data has to be protected against inference, which leads to an encryption-based system in a centralized client-server environment, obviously involving the service provider and the set-top box of the user. Here, the attacker may be an unauthorized third party or another user of the system and conforms to the Dolev-Yao attacker model [3], where the user and the service provider are trustworthy.

In the anonymity setting, an obfuscation-based system is used and the users and the service provider conform to the semi-honest attacker model originally described by Yao in [4]. In addition to an active attacker equipped with the abilities and knowledge of a regular user, the semi-honest parties try to infer sensitive information from received data while adhering to a communication protocol and do not actively attack each other.

For the assessment of the usability of an IPTV RS, we consider two aspects, i.e., the quality of recommendations and the usability for the users and the service provider.
The quality of recommendations is determined by the accuracy of predictions regarding the rating of a specific item and the accuracy of classification of relevant items, according to [5]. The usability for the service provider and users is determined by the expected effort to set up and maintain the corresponding RS.

III. STATE-OF-THE-ART PRIVACY-PRESERVING IPTV RECOMMENDER SYSTEM ARCHITECTURES

In our state-of-the-art review, we discuss four RS for the IPTV domain. The privacy enhancing framework in [6] is designed as a middleware for enhancing the privacy of users through obfuscation of their item consumption data. The system described in [7] is a very similar framework designed as a middleware using different obfuscation methods. The RS in [8] relies on the recognition of the age of the current viewer as an input for a demographic personalization process. Finally, we will look at an RS for car advertisements based on demographic user information in [9].

The system in [9] is designed according to the secrecy setting and employs an encryption-based RS. In this case, highly sensitive user data is shared with the service provider, who is likely to increase the business value by exploiting user data unless a restrictive legal framework is in force. The authors evaluate their system by performing a user study. The effect of their recommendation algorithm is assessed through user questionnaires about the relevance of advertisements. We expect that an actual implementation will have an insufficient recommendation performance, as no composition of the participant group is given, the quality of the recommendation algorithm is evaluated in a subjective form, and only a few advertisements are used. Since the system is not designed as a framework, but as a monolithic piece of software, we assume that it cannot be added easily to any existing