A Privacy-aware Framework for Online Advertisement Targeting Linlin Yang † , Wei Wang ‡ , Yanjiao Chen ‡ , Qian Zhang ‡ † Fok Ying Tung Graduate School, ‡ Department of Computer Science and Engineering Hong Kong University of Science and Technology, Hong Kong Email: {lyangah, gswwang, chenyanjiao, qianzh}@ust.hk Abstract—With the prosperity of the Internet, many advertis- ers choose to deliver their advertisements by online targeting, where the ad broker is responsible for matching advertisements with users who are likely to be interested in the underlying products or services. However, this online advertisement targeting system requires user profile information and may fail due to privacy issues. In light of growing privacy concerns, we propose a privacy-aware framework for online advertisement targeting, where users are compensated for their privacy leakage and motivated to click more advertisements. In the framework, an ad broker pays a varying amount of money to users for clicking different advertisements due to distinct privacy leakage. Meanwhile advertisers send advertisements to the ad broker and determine the price per user click they need to pay. We model the interactions among advertisers, the ad broker and users as a three-stage game, where every player aims at maximizing its own utility, and Nash Equilibrium is achieved by backward induction. We further analyze the optimal strategies for advertisers, the ad broker and users. Numerical results have shown that the proposed privacy-aware framework is effective as it enables all advertisers, the ad broker and users to maximize their utilities in case of different levels of user privacy sensitivities. In addition, the proposed framework produces higher profits for advertisers and the ad broker than the traditional “paid to click” system. I. I NTRODUCTION As the Internet is an efficient way for advertisements to reach users, nowadays many advertisers are choosing to deliver their advertisements by online targeting. In most existing online advertisement targeting systems, the ad broker makes use of users’ online behavior to match advertisements with users who are likely to be interested in the underlying products or services [1]. For example, Google Adwords, which is a huge success, leverages users’ search items to show advertisements. However, these online targeting systems raise severe privacy concerns. Firstly, to obtain user profile information, the ad broker usually tracks users’ online behavior, where user private information is leaked. For example, frequent visits to luxury goods websites indicate the user may be wealthy, while search- ing for a certain kind of medicine implies the user has a related disease. Hence, private information like financial and physical status is leaked, which exponentially increase the risks like being identified and behavior being predicted. What is more, the ad broker rarely guarantees that its private information is kept safe and not shared with a third party. In 2009, private documents were exposed due to a bug in Google Docs [2]. If malicious entities obtain these information, user safety is threatened. Thus, with growing consciousness about privacy, many users think the risks of having their profile information revealed outweigh the benefits of targeted advertising, so they no longer have the incentive to participate in an advertisement targeting system. Therefore, considering the privacy issue, it is essential to design a mechanism that encourages users to participate and click advertisements. There are mainly two existing works [3] [4] trying to encourage users to involve themselves in an advertisement targeting system by designing mechanisms that can preserve users’ privacy. However, the mechanism in [3] can not fully protect users’ privacy and the mechanism in [4] protects users’ privacy at a loss in advertisers’ satisfaction. In their frameworks, advertisements are targeted without private profile information leaving users’ own devices. As reports about which advertisements are clicked reveal users’ interests, in order not to compromise users’ privacy, a new entity dealer needs to be introduced in [3] to count the number of clicks by proxying all communication between users and the ad broker in an anonymous way. In this system, users’ privacy can only be preserved on the condition that the dealer does not collaborate with the the ad broker, for which, however, there is no guarantee. And users are not aware whether there is collusion between the dealer and the ad broker. In [4], users send falsified click information to an ad broker according to predetermined rules. An algorithm to estimate the actual number of clicks is proposed for the ad broker. Though the system preserves users’ privacy, advertisers may be dissatisfied as the numbers of clicks is inaccurate, which determine how much they will pay. The aforementioned shortcomings of the existing mecha- nisms motivate us to solve the privacy issues by economic incentives. In our privacy-aware framework, we try to preserve users’ privacy to a large extent and compensate them for the privacy leaked in their reports about which advertisements are clicked. As users can get paid from clicking, they are stimulat- ed to click more advertisements. In this way, advertisers get an accurate number of clicks for their advertisements; and users, aware of privacy leakage, are compensated and motivated to click advertisements. The system structure is shown in Fig.1 and it works as follows. • Advertisers send advertisements to the ad broker and determine the price of every click for their advertisements according to the revenue they can gain from each click. • Without user profile information, the ad broker receives