WO2015191919A1 - Method and system for privacy-preserving recommendations - Google Patents


Info

Publication number: WO2015191919A1
Authority: WO, WIPO (PCT)
Prior art keywords: user, encrypted, party, content item, rating
Application number: PCT/US2015/035422
Other languages: French (fr)
Inventors: Ehud WEINSBERG, Marc Joye, Efstratios Ioannidis
Original Assignee: Thomson Licensing
Application filed by: Thomson Licensing


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G06Q30/0282 Rating or review of business operators or products
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/06 Buying, selling or leasing transactions
    • G06Q30/0601 Electronic shopping [e-shopping]
    • G06Q30/0631 Item recommendations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Definitions

  • the present disclosure generally relates to recommendation systems and, more particularly, to privacy-preserving recommendations.
  • Home entertainment systems, including television and media centers, are converging with the Internet and providing access to a large number of available sources of content, such as video, movies, TV programs, music, etc. This expansion in the number of available sources necessitates a new strategy for navigating a media interface associated with such systems and enabling access to certain portions of media content being consumed by the user.
  • the personal information may describe the user, as well as their interests.
  • this personal information may also provide information about content sources available to the particular user.
  • These content sources may be one of a local content source (e.g. on a local area network in a media storage repository) and a third party content source (e.g. subscription based service or pay per view system).
  • user information can be encrypted such that the recommendation service cannot decrypt the user information, yet the recommendation service can analyze the user information to predict user ratings for content items.
  • the predicted user ratings can remain obscured from the recommendation service by encryption, yet can provide the basis for recommendations tailored to the user.
  • the encrypted predicted user ratings can be sent to a third party (i.e., not the recommendation service or the user), and the third party can decrypt the predicted user ratings and determine recommendations based on the predicted user ratings.
  • user information can also be obscured from the third party through encryption. In this way, for example, neither the recommendation service nor the third party can obtain the user's personal information, yet the user can be provided with recommendations that are based on the user's personal information.
  • FIG. 1 is a block diagram of an example of a system for delivering video content according to various embodiments.
  • FIG. 2 is a block diagram of an example of a computing system, such as a set-top box/digital video recorder (DVR), gateway, etc., according to various embodiments.
  • FIG. 3 illustrates an example of a touch panel input device according to various embodiments.
  • FIG. 4 illustrates another example of an input device according to various embodiments.
  • FIG. 5 is a block diagram of an example of a privacy-preserving recommendation system according to various embodiments.
  • FIG. 6 illustrates an example of a method that can be performed by a user system according to various embodiments.
  • FIG. 7 illustrates an example of a method that can be performed by a recommendation system according to various embodiments.
  • FIG. 8 illustrates an example of a method that can be performed by a third party according to various embodiments.
  • FIG. 9 is a block diagram of another example of a privacy-preserving recommendation system according to various embodiments.
  • FIGS. 10 and 11 illustrate examples of methods that can be performed by a recommendation system according to various embodiments.
  • FIG. 12 illustrates an example of a method of receiving and storing a TP-encrypted user rating according to various embodiments.
  • FIG. 13 is a diagram that illustrates one example implementation of the method of FIG. 12 according to various embodiments.
  • FIG. 14 illustrates an example of a method of determining TP-encrypted predicted user ratings according to various embodiments.
  • Consumers of content such as movies, television (TV), music, etc.
  • Consumers may be faced with browsing through massive databases of content, for example, and can become overwhelmed and frustrated.
  • Consumers may wish to obtain recommendations for content items, e.g., movies, TV shows, songs, etc., from recommendation systems.
  • recommendations typically require the user to divulge personal information in order to determine what content the user probably will like.
  • recommendation services can tailor recommendations by analyzing user information, for example, biographical information such as age, sex, race, etc., economic information such as income level, etc., preference information such as what content items users consume and how the users rate the content items, etc., to predict what other content items a user will probably like.
  • FIG. 1 illustrates a block diagram of an example of a system 100 for delivering content and recommendations to a home or end user.
  • the content originates from a content source 102, such as a movie studio or production house.
  • the content may be supplied in at least one of two forms.
  • One form may be a broadcast form of content.
  • the broadcast content is provided to the broadcast affiliate manager 104, which is typically a national broadcast service, such as the American Broadcasting Company (ABC), National Broadcasting Company (NBC), Columbia Broadcasting System (CBS), etc.
  • the broadcast affiliate manager may collect and store the content, and may schedule delivery of the content over a delivery network, shown as delivery network 106.
  • Delivery network 106 may include satellite link transmission from a national center to one or more regional or local centers.
  • Delivery network 106 may also include local content delivery using local delivery systems such as over the air broadcast, satellite broadcast, or cable broadcast.
  • the locally delivered content is provided to a user system 107 in a user's home.
  • User system 107 can include a receiving device 108 that can receive and process content and perform other functions described in more detail below. It is to be appreciated that receiving device 108 can be, for example, a set-top box, a digital video recorder (DVR), a gateway, a modem, etc. Receiving device 108 may act as entry point, or gateway, for a home network system that includes additional devices configured as either client or peer devices in the home network.
  • User system 107 can also include a display device 114.
  • display device 114 can be an external display coupled to receiving device 108.
  • receiving device 108 and display device 114 can be parts of a single device.
  • the display device 114 may be, for example, a conventional 2-D type display, an advanced 3-D display, etc.
  • User system 107 can also include an input device 116, such as a remote controller, a keyboard, a mouse, a touch panel, a touch screen, etc.
  • the input device 116 may be adapted to provide user control for the receiving device 108 and/or the display device 114.
  • input device 116 may be an external device that can couple to receiving device 108 via, for example, a wired connection, a signal transmission system, such as infra-red (IR), radio frequency (RF) communications, etc., and may include standard protocols such as universal serial bus (USB), infra-red data association (IRDA) standard, Wi-Fi, Bluetooth and the like, proprietary protocols, etc.
  • receiving device 108 and input device 116 can be part of the same device. Operations of input device 116 will be described in further detail below.
  • Special content may include, for example, premium viewing content, pay-per-view content, Internet access, other content otherwise not provided to the broadcast affiliate manager, e.g., movies, video games, other video elements, etc.
  • the special content may be content requested by the user, such as a webpage, a movie download, etc.
  • the special content may be delivered to a content manager 110.
  • the content manager 110 may be a service provider, such as an Internet website, affiliated, for instance, with a content provider, broadcast service, or delivery network service.
  • the content manager 110 may also incorporate Internet content into the delivery system.
  • the content manager 110 may deliver the content to the user's receiving device 108 over a communication network, e.g., communication network 112.
  • Communication network 112 may include high-speed broadband Internet type communications systems. It is important to note that the content from the broadcast affiliate manager 104 may also be delivered using all or parts of communication network 112 and content from the content manager 110 may be delivered using all or parts of delivery network 106. In some embodiments, the user may obtain content, such as webpages, etc., directly from the Internet 113 via communication network 112 without necessarily having the content managed by the content manager 110.
  • the special content is provided as an augmentation to the broadcast content, providing alternative displays, purchase and merchandising options, enhancement material, etc.
  • the special content may completely replace some programming content provided as broadcast content.
  • the special content may be completely separate from the broadcast content, and may simply be a media alternative that the user may choose to utilize.
  • the special content may be a library of movies that are not yet available as broadcast content.
  • the receiving device 108 may receive different types of content from one or both of delivery network 106 and communication network 112.
  • the receiving device 108 processes the content, and provides a separation of the content based on user preferences and commands.
  • the receiving device 108 may also include a storage device, such as a hard drive or optical disk drive, for recording and playing back audio and video content. Further details of the operation of the receiving device 108 and features associated with playing back stored content will be described below in relation to FIG. 2.
  • the processed content is provided to display device 114.
  • content manager 110 also controls a recommendation system 117 that can include a recommendation engine 118 and a database 120.
  • Recommendation system 117 can process encrypted recommendation information that can be used to provide recommendations to the user as will be described in more detail below.
  • Although recommendation system 117 is controlled by content manager 110 in this example, it should be appreciated that in some embodiments, recommendation systems can be operated by other entities, such as separate recommendation service providers whose primary service is providing recommendations.
  • System 100 can include a third party (TP) 122.
  • Third party 122 can communicate with recommendation system 117 and user system 107 via communication network 112.
  • Third parties, such as third party 122, will be discussed in more detail below.
  • FIG. 2 includes a block diagram of an example of a computing system 200.
  • computing system 200 can be a user system, such as receiving device 108 described in FIG. 1, and may be included as part of a gateway device, modem, set-top box, personal computer, tablet computer, smartphone, etc.
  • computing system 200 can be included in a recommendation system and can perform operations of a recommendation system.
  • computing system 200 can be included in a third party system and can perform operations of a third party system. Examples of recommendation systems and third party systems will be described in more detail below.
  • Computing system 200 may also be incorporated into other systems including an audio device, a display device, etc.
  • the computing system 200 may be, for example, a set top box coupled to an external display device (e.g., a television), a personal computer coupled to a display device (e.g., a computer monitor), etc.
  • the computing system 200 may include an integrated display device, for example, a portable device such as a tablet computer, a smartphone, etc.
  • the input signal receiver 202 may include, for example, receiver circuits used for receiving, demodulation, and decoding signals provided over one of the several possible networks including over the air, cable, satellite, Ethernet, fiber and phone line networks.
  • the desired input signal may be obtained based on user input provided through a user interface 216.
  • the user input may include search terms for a search
  • the input signal received by input signal receiver 202 may include search results.
  • User interface 216 can be coupled to an input device, such as input device 116, and can receive and process corresponding user inputs, for example, keystrokes, button presses, touch inputs, such as gestures, audio input, such as voice input, etc., from the input device.
  • User interface 216 may be adapted to interface to a cellular phone, a tablet, a mouse, a remote controller, etc.
  • the decoded output signal is provided to an input stream processor 204.
  • the input stream processor 204 performs the final signal selection and processing, and includes separation of video content from audio content for the content stream.
  • the audio content is provided to an audio processor 206 for conversion from the received format, such as a compressed digital signal, to an analog waveform signal.
  • the analog waveform signal is provided to an audio interface 208 and further to the display device or audio amplifier.
  • the audio interface 208 may provide a digital signal to an audio output device or display device using a High-Definition Multimedia Interface (HDMI) cable, an audio interface such as via a Sony/Philips Digital Interconnect Format (SPDIF), etc.
  • the audio interface may also include amplifiers for driving one or more sets of speakers.
  • the audio processor 206 also performs any necessary conversion for the storage of the audio signals.
  • the video output from the input stream processor 204 is provided to a video processor 210.
  • the video signal may be one of several formats.
  • the video processor 210 provides, as necessary, a conversion of the video content, based on the input signal format.
  • the video processor 210 also performs any necessary conversion for the storage of the video signals.
  • a computer-readable storage device 212 can store computer-executable instructions for performing operations according to various embodiments. The instructions can be executed by one or more processors, such as a controller 214.
  • Storage device 212 may be, for example, a hard disk drive, one or more large capacity integrated electronic memories, such as static RAM (SRAM), dynamic RAM (DRAM), etc., an interchangeable optical disk storage system such as a compact disk (CD) drive, digital video disk (DVD) drive, etc.
  • computing system 200 can be a user system, such as receiving device 118, and storage device 212 may store audio and video content received at the input.
  • Storage device 212 can allow later retrieval and playback of the content under the control of controller 214 and also based on commands, e.g., navigation instructions such as fast-forward (FF) and rewind (RW), received from user interface 216.
  • the converted video signal from the video processor 210, either originating from the input or from the storage device 212, is provided to the display interface 218.
  • the display interface 218 further provides the display signal to a display device, such as display device 114, described above.
  • the controller 214 is interconnected via a bus to several of the components of the device 200, including the input stream processor 204, audio processor 206, video processor 210, storage device 212, and user interface 216.
  • the controller 214 manages the conversion process for converting the input stream signal into a signal for storage on the storage device or for display.
  • the controller 214 also manages the retrieval and playback of stored content.
  • the controller 214 can receive rating information input by a user and can perform encryption of the user rating information, as described below in more detail.
  • Controller 214 can be coupled to a memory, such as control memory 220 (e.g., volatile or non-volatile memory, including RAM, SRAM, DRAM, ROM, programmable ROM (PROM), flash memory, electronically programmable ROM (EPROM), electronically erasable programmable ROM (EEPROM), etc.).
  • Control memory 220 may store instructions for execution by controller 214.
  • Control memory 220 may store information, such as a database of elements, for example, graphic elements containing content. The database may be stored as a pattern of graphic elements, such as graphic elements containing content, various graphic elements used for generating a displayable user interface for display interface 218, and the like.
  • the memory may store the graphic elements in identified or grouped memory locations and use an access or location table to identify the memory locations for the various portions of information related to the graphic elements. Additional details related to the storage of the graphic elements will be described below.
  • the implementation of the control memory 220 may include several possible embodiments, such as a single memory device, more than one memory circuit communicatively connected or coupled together to form a shared or common memory, etc.
  • the memory may be included with other circuitry, such as portions of bus communications circuitry, in a larger circuit.
  • FIGS. 3 and 4 represent two examples of input devices, 300 and 400, such as input device 116.
  • Input devices 300 and 400 can couple with a user interface, such as user interface 216.
  • Input devices 300 and 400 may be used to initiate and/or select various functions available to a user related to the acquisition, consumption, access and/or modification of content, such as multimedia content, broadcast content, Internet content, etc.
  • Input devices 300 and 400 can also allow a user to input rating information and requests for recommendations, as described below in more detail.
  • FIG. 3 illustrates an example of a touch panel input device 300.
  • the touch panel device 300 may be interfaced, for example, via the user interface 216 of the computing system 200 in FIG. 2.
  • the touch panel device 300 allows operation of the computing system or set top box based on hand movements, or gestures, and actions translated through the panel into commands for the set top box or other control device. This is achieved by the controller 214 generating a touch screen user interface including at least one user selectable image element enabling initiation of at least one operational command.
  • the touch screen user interface may be pushed to the touch screen device 300 via the user interface 216.
  • the touch screen user interface generated by the controller 214 may be accessible via a webserver executing on one of the user interface 216.
  • the touch panel 300 may serve as a navigational tool to navigate a grid display, as described above for search results.
  • the touch panel 300 may serve as a display device allowing the user to more directly interact with the navigation through the grid display of content.
  • the touch panel 300 can also include a camera element and/or at least one audio sensing element.
  • the touch panel 300 employs a gesture sensing controller or touch screen enabling a number of different types of user interaction.
  • the inputs from the controller are used to define gestures and the gestures, in turn, define specific contextual commands.
  • the configuration of the sensors may permit defining movement of a user's fingers on a touch screen or may even permit defining the movement of the controller itself in either one dimension or two dimensions.
  • Two-dimensional motion, such as a diagonal, and a combination of yaw, pitch and roll can be used to define any three-dimensional motions, such as a swing.
  • Gestures are interpreted in context and are identified by defined movements made by the user. Depending on the complexity of the sensor system, only simple one-dimensional motions or gestures may be allowed.
  • a simple right or left movement on the sensor as shown here may produce a fast forward or rewind function.
  • multiple sensors could be included and placed at different locations on the touch screen. For instance, a horizontal sensor for left and right movement may be placed in one spot and used for volume up/down, while a vertical sensor for up and down movement may be placed in a different spot and used for channel up/down. In this way specific gesture mappings may be used.
  • the touch screen device 300 may recognize alphanumeric input traces which may be automatically converted into alphanumeric text displayable on one of the touch screen device 300 or output via display interface 218 to a primary display device.
  • FIG. 4 illustrates another example of an input device, input device 400.
  • the input device 400 may, for example, be used to interact with the user interfaces generated by the system and which are output for display by the display interface 218 to a primary display device (e.g. television, monitor, etc).
  • the input device of FIG. 4 may be formed as a remote control having a 12-button alphanumerical keypad 402 and a navigation section 404 including directional navigation buttons and a selector button.
  • the input device 400 may also include a set of function buttons 406 that, when selected, initiate a particular system function (e.g. menu, guide, DVR, etc).
  • the input device 400 may include a set of programmable application specific buttons 408 that, when selected, may initiate a particularly defined function associated with a particular application executed by the controller 214.
  • Input device 400 may include a display screen 410 that can display information, such as program information, menu information, navigation information, etc.
  • the depiction of the input device in FIG. 4 is merely exemplary and the input device may include any number and/or arrangement of buttons that enable a user to interact with the user interface process according to various embodiments. Additionally, it should be noted that users may use either or both of the input devices depicted and described in FIGS. 3 and 4 simultaneously and/or sequentially to interact with the system.
  • the user input device may include at least one of an audio sensor and a visual sensor.
  • the audio sensor may sense audible commands issued from a user and translate the audible commands into functions to be executed by the user.
  • the visual sensor may sense the user's presence and match user information of the sensed user(s) to stored visual data in the usage database 120 in FIG. 1. Matching visual data sensed by the visual sensor enables the system to automatically recognize the user's presence and retrieve any user profile information associated with the user. Additionally, the visual sensor may sense physical movements of at least one user present and translate those movements into control commands for controlling the operation of the system.
  • the system may have a set of pre-stored command gestures that, if sensed, enable the controller 214 to execute a particular feature or function of the system.
  • An example of a type of gesture command may include the user waving their hand in a rightward direction which may initiate a fast forward command or a next screen command or a leftward direction which may initiate a rewind or previous screen command depending on the current context.
  • This description of physical gestures able to be recognized by the system is merely exemplary and should not be taken as limiting. Rather, this description is intended to illustrate the general concept of physical gesture control that may be recognized by the system and persons skilled in the art could readily understand that the controller may be programmed to specifically recognize any physical gesture and allow that gesture to be tied to at least one executable function of the system.
  • FIG. 5 is a block diagram of an example of a privacy-preserving recommendation system 500 according to various embodiments.
  • System 500 can include a user system 501, such as user system 107 shown in FIG. 1, that can be in a user's home, for example.
  • User system 501 can include, for example, a set-top box, a digital video recorder (DVR), a gateway, a modem, etc., that can receive and process content delivered via a communication network, such as communication network 112, and that can send communications, such as data, information, messages, requests, etc., via the communication network.
  • System 500 can also include a recommendation system 504, such as recommendation system 117 shown in FIG. 1, and a third party 507, such as third party 122 shown in FIG. 1.
  • the user may wish to obtain recommendations for content items, such as movies, TV shows, music, etc., from recommendation system 504.
  • recommendation services require information about a user in order to determine what content the user probably will like.
  • Recommendation services can provide recommendations by analyzing user information, for example, biographical information such as age, sex, race, etc., economic information such as income level, etc., preference information such as what content items users consume and how the users rate the content items, etc., to predict what other content items a user will probably like.
  • Users may wish to keep such information private.
  • System 500 illustrates an example in which user information can be kept private with the help of a third party, such as third party 507, while still allowing a recommendation service to analyze the user information and provide recommendations.
  • The user information can be the ratings that the user has given to various content items, such as movies.
  • The ratings can be, for example, a numerical value on a scale of one to five.
  • User system 501 can provide recommendation system 504 with the user ratings under an encryption that does not allow the recommendation system to decrypt the ratings, but allows third party 507 to decrypt the ratings.
  • FIG. 6 illustrates an example of a method that can be performed by a user system, such as user system 501.
  • The user system can obtain (601) a user rating for a content item, such as a movie.
  • The user may watch the movie on a display, such as display device 114, and then input a rating for the movie using an input device, such as input device 116.
  • The user system can encrypt (602) the user rating with an encryption that does not allow the recommendation system to decrypt the ratings, but allows a third party, such as third party 507, to decrypt the ratings.
  • The user system can generate a TP-encrypted user rating.
  • The user system can encrypt the user rating using a public key of the third party.
  • The user system can send (603) TP-encrypted rating information to the recommendation system.
  • The TP-encrypted rating information can include the TP-encrypted user rating together with an unencrypted identification (ID) of the content item.
  • The unencrypted content item ID can allow the recommendation system to identify the content item corresponding to the TP-encrypted user rating. In this way, the recommendation system can determine what content item the user has rated, but cannot determine the user rating.
  • Communication 511 illustrates TP-encrypted rating information sent from user system 501 to recommendation system 504.
  • The TP-encrypted rating information in each communication 511 can include TP-encrypted user ratings and corresponding unencrypted content item IDs for multiple content items.
  • User system 501 may store multiple user ratings and periodically send TP-encrypted rating information for all stored user ratings in a single communication 511.
  • The TP-encrypted rating information in each communication 511 can include a single TP-encrypted user rating and corresponding unencrypted content item ID.
  • User system 501 can automatically encrypt the user rating and send the TP-encrypted user rating and corresponding unencrypted content item ID in a communication 511.
  • The user can input a request for a recommendation to user system 501, and the user system can send a recommendation request as a communication 514 to recommendation system 504.
  • FIG. 7 illustrates an example of a method that can be performed by a recommendation system, such as recommendation system 504.
  • The recommendation system can obtain (701) TP-encrypted rating information.
  • The recommendation system can receive one or more communications 511 and store the TP-encrypted rating information in a database.
  • The recommendation system can receive and store TP-encrypted rating information from multiple users.
  • The recommendation system can determine (702) to provide a recommendation.
  • Recommendation system 504 can determine to provide user system 501 with a recommendation in response to receiving the recommendation request in communication 514.
  • The recommendation system can determine (703) TP-encrypted predicted ratings based on the TP-encrypted rating information.
  • The TP-encrypted user ratings for the content items that the user has rated can be analyzed while remaining under TP encryption to produce TP-encrypted predicted ratings for other content items.
  • User information such as user ratings and predicted user ratings for various content items can remain under TP encryption while in the possession of the recommendation system.
  • The result can be a list that includes a TP-encrypted predicted rating for each content item in a database of the recommendation system.
  • The recommendation system can be prevented from gaining information of how the user rated particular content items or which other content items the user will probably like or dislike.
  • The TP-encrypted predicted ratings can be sent to the third party to be decrypted.
  • The third party can determine the user's unencrypted predicted ratings and corresponding unencrypted content item IDs. Therefore, the third party could gain private information of which content items the user will probably like or dislike.
  • The recommendation system can encrypt the corresponding content item IDs with an encryption that the third party cannot decrypt, but the user system can decrypt. For example, the recommendation system can encrypt the content item IDs with the user's public key.
  • The recommendation system can then send (704) the TP-encrypted predicted ratings and corresponding user-encrypted content item IDs to the third party.
  • The TP-encrypted predicted ratings and corresponding user-encrypted content item IDs can be sent to third party 507 in a communication 517.
  • FIG. 8 illustrates an example of a method that can be performed by a third party, such as third party 507.
  • The third party can obtain (801) TP-encrypted predicted ratings and corresponding encrypted content item IDs, which in this case includes the user-encrypted content item IDs.
  • The third party can decrypt (802) the TP-encrypted predicted ratings.
  • The third party can make a recommendation determination by, for example, determining a pre-defined subset of predicted ratings based on predetermined criteria and selecting (803) the user-encrypted content item IDs that correspond to the predicted ratings in the subset. For example, the third party can sort the decrypted predicted ratings and corresponding user-encrypted content item IDs from highest to lowest value of predicted rating.
  • The third party can then select the top-k predicted ratings, i.e., the k predicted ratings with the highest values, and the corresponding user-encrypted content item IDs, where k can be an integer that is agreed upon between the recommendation service and the third party.
  • The third party can then send (804) the sorted top-k user-encrypted content item IDs to an appropriate entity, in this case, the user system.
  • The third party can send the corresponding predicted ratings together with the user-encrypted content item IDs.
  • The third party can send the top-k user-encrypted content item IDs as a communication 521.
  • The user system can decrypt the user-encrypted content item IDs to obtain an ordered list of top-k recommendations.
  • The recommendation service may demand that the third party send the user only the top-k recommendations because the recommendation system may desire that the user request additional recommendations in the future, particularly if the recommendation service charges a fee to provide recommendations. If the user received more than the top-k recommendations, for example, the user might not need to request additional recommendations as often. However, in the system 500 example illustrated in FIG. 5, the third party could potentially provide the user with more than the top-k recommendations.
  • FIG. 9 is a block diagram of another example of a privacy-preserving recommendation system according to various embodiments.
  • System 900 can include a user system 901, such as user system 107 shown in FIG. 1, that can be in a user's home, for example.
  • System 900 can also include a recommendation system 904, such as recommendation system 117 shown in FIG. 1, and a third party 907, such as third party 122 shown in FIG. 1.
  • User system 901 can send TP-encrypted rating information via a communication 911 and a recommendation request via a communication 914, similar to the example of system 500.
  • Recommendation system 904 can further encrypt the user-encrypted content item IDs with an encryption that only the recommendation system can decrypt.
  • The content item IDs can be recommender-encrypted and user-encrypted, which may also be referred to as recommender/user-encrypted content item IDs.
  • Recommendation system 904 can send TP-encrypted predicted ratings and corresponding recommender/user-encrypted content item IDs to third party 907 via a communication 917.
  • FIGS. 10 and 11 illustrate examples of methods that can be performed by a recommendation system, such as recommendation system 904.
  • The recommendation system can obtain (1001) TP-encrypted rating information from one or more users, can determine (1002) to provide a recommendation, for example, in response to receiving a recommendation request from a user system, can determine (1003) TP-encrypted predicted ratings based on the TP-encrypted rating information, and can encrypt the corresponding content item IDs with an encryption that the third party cannot decrypt, but the user system can decrypt, for example, with the user's public key.
  • The recommendation system can further encrypt the user-encrypted content item IDs with an encryption that only the recommendation system can decrypt, for example, by encrypting (1004) using the recommendation system's private key.
  • The recommendation system can then send (1005) the TP-encrypted predicted ratings and corresponding recommender/user-encrypted content item IDs to the third party.
  • The TP-encrypted predicted ratings and corresponding recommender/user-encrypted content item IDs can be sent to third party 907 in a communication 917.
  • The third party can perform a method similar to the example of FIG. 8.
  • The third party can obtain the TP-encrypted predicted ratings and the corresponding encrypted content item IDs, which in this case, can include the recommender/user-encrypted content item IDs.
  • The third party can decrypt the TP-encrypted predicted ratings.
  • The third party can select the recommender/user-encrypted content item IDs that correspond to the predicted ratings in a subset based on predetermined criteria, for example, the top-k predicted ratings sorted from highest to lowest predicted rating value.
  • The third party can then send the sorted top-k recommender/user-encrypted content item IDs to the appropriate entity.
  • The appropriate entity can be the recommendation system.
  • The third party can send the sorted top-k recommender/user-encrypted content item IDs to the recommendation system via a communication 921. In this way, the recommendation system can be assured that the third party is providing only k recommended content items.
  • The recommendation system can obtain (1101) the sorted top-k recommender/user-encrypted content item IDs and can decrypt
  • the recommendation system can send the recommendation system's private key to obtain the sorted top-k user-encrypted content item IDs.
  • the recommendation system can send
  • The sorted top-k user-encrypted content item IDs can be sent to user system 901 in a communication 924.
  • FIGS. 12-14 illustrate examples of various methods that can be performed by a recommendation system to keep user information private while allowing TP-encrypted predicted ratings to be determined based on the TP-encrypted rating information according to some embodiments.
  • FIG. 12 illustrates an example of a method of receiving and storing a TP-encrypted user rating according to various embodiments.
  • A recommendation system can obtain (1201) a TP-encrypted user rating and corresponding content item ID.
  • The recommendation system can index (1202) the TP-encrypted user rating based on the corresponding content item ID and can store (1203) the TP-encrypted user rating based on the index.
  • The TP-encrypted user rating can be stored in a database, such as recommendation information database 120 shown in FIG. 1.
  • FIG. 13 is a diagram that illustrates one example implementation of the method of FIG. 12 according to various embodiments.
  • Multiple users 1301 can subscribe to a recommendation service that operates a recommendation system that can include a recommendation engine 1304 and a recommendation information database 1307.
  • a matrix M stored as a data structure 1314 stored in recommendation information database 1307.
  • Matrix M can include TP-encrypted user ratings where r is the user rating, i is a user index, and j is a content item index. That is, each row of matrix M includes the TP-encrypted user ratings for a particular user, and each column of matrix M includes the TP-encrypted user ratings for a particular content item.
  • Each row of matrix M can represent a TP-encrypted user profile vector $\mathcal{E}_{TP}(u_i)$, and each column of matrix M can represent a TP-encrypted content item profile $\mathcal{E}_{TP}(v_j)$.
  • FIG. 13 shows matrix M including TP-encrypted user ratings at some locations, and locations in matrix M that do not have a TP-encrypted user rating are represented by dashes
  • FIG. 13 also illustrates one example of a method for storing TP-encrypted user ratings in matrix M according to various embodiments.
  • The user's system can send a communication 1311 to recommendation engine 1304.
  • Each communication can include TP-encrypted rating information, such as a TP-encrypted user rating and a corresponding content item ID, together with a user ID that can identify the user sending the communication.
  • A user (1) may input a user rating for content item (3) to the user system of user (1), and the user system can encrypt the user rating and send communication 1311 that includes a user (1) ID, an item (3) ID, and the TP-encrypted user rating ($\mathcal{E}_{TP}(r_{1,3})$).
  • FIG. 13 shows communications 1311 resulting from user (2) rating content item (5), i.e., [user (2) ID, item (5) ID, $\mathcal{E}_{TP}(r_{2,5})$], which recommendation engine 1304 receives, indexes and stores at row 2, column 5 of matrix M.
  • FIG. 13 also shows communications 1311 resulting from user (3) rating content item (5), i.e., [user (3) ID, item (5) ID, $\mathcal{E}_{TP}(r_{3,5})$], which recommendation engine 1304 receives, indexes ($\mathcal{E}_{TP}(r_{3,5})$), and stores at row 3, column 5 of matrix M.
  • FIG. 13 also shows communications 1311 resulting from user (4) rating content item (3), i.e., [user (4) ID, item (3) ID, $\mathcal{E}_{TP}(r_{4,3})$], which recommendation engine 1304 receives, indexes ($\mathcal{E}_{TP}(r_{4,3})$), and stores at row 4, column 3 of matrix M.
  • FIG. 13 shows communications 1311 resulting from user (5) rating content item (4), i.e., [user (5) ID, item (4) ID, $\mathcal{E}_{TP}(r_{5,4})$], which recommendation engine 1304 receives, indexes ($\mathcal{E}_{TP}(r_{5,4})$), and stores at row 5, column 4 of matrix M.
  • Matrix M also includes other entries, such as $\mathcal{E}_{TP}(r_{2,4})$, etc., which can be previously-stored TP-encrypted user ratings resulting from ratings users 1301 input in the past, for example.
  • Matrix factorization can be used to analyze the TP-encrypted user ratings while remaining under TP encryption to produce TP-encrypted predicted ratings for other content items.
  • Matrix M can be an n x m matrix with entries corresponding to all TP-encrypted user ratings received from the users.
  • The number of $\mathcal{E}_{TP}(r_{i,j})$ entries in matrix M is much smaller than the value of n x m. In other words, for many applications, most of the entries in matrix M are empty entries.
  • Matrix factorization can be used to predict the values of the empty entries for a particular user profile $u_i$, and thus predict how the user would rate the content items that the user has not yet rated, while the user profile remains TP-encrypted as $\mathcal{E}_{TP}(u_i)$.
  • An additive semantically secure public-key homomorphic encryption $\mathcal{E}$, e.g., the Paillier cryptosystem, can be used, and a TP-encrypted predicted user rating can be determined for each empty entry (i,j) in a TP-encrypted user profile by multiplying the TP-encrypted user profile vector, $\mathcal{E}_{TP}(u_i)$, with the TP-encrypted content item profile of the j-th content item, $\mathcal{E}_{TP}(v_j)$:
  • FIG. 14 illustrates an example of a method of determining TP-encrypted predicted user ratings according to various embodiments.
  • A recommendation system can obtain (1401) the TP-encrypted user profile of user i, $\mathcal{E}_{TP}(u_i)$.
  • The recommendation system can determine (1403) whether a TP-encrypted user rating for the exists. In other words, the recommendation system can determine whether user (i) has already rated content item (j). If $\mathcal{E}_{TP}(r_{i,j})$ exists, j can be incremented (1404) (e.g., increased by 1), and the process can return to determine (1403) whether $\mathcal{E}_{TP}(r_{i,j})$ exists.
  • The recommendation system can obtain (1405) the TP-encrypted profile vector of the j-th content item, $\mathcal{E}_{TP}(v_j)$, and can multiply (1406) $\mathcal{E}_{TP}(u_i)$ with $\mathcal{E}_{TP}(v_j)$ to obtain the TP-encrypted predicted rating for entry (i,j), as in Equation (1) above.
  • The recommendation system can encrypt (1407) the content item (j) ID with the public key of user i, and can store (1408) the TP-encrypted predicted rating for entry (i,j) and the corresponding user-encrypted content item (j) ID, $\mathcal{E}_{user}(\text{content ID}_j)$, as a tuple in a vector of tuples, where each tuple is a [TP-encrypted predicted rating, $\mathcal{E}_{user}(\text{content ID}_j)$] pair.
  • The recommendation system can return to increment j (1404), and can return to determine (1403) whether $\mathcal{E}_{TP}(r_{i,j})$ exists. Otherwise, if it is determined (1409) that j corresponds to the last content item, the recommendation system can send (1410) the vector of [TP-encrypted predicted rating, $\mathcal{E}_{user}(\text{content ID}_j)$] tuples to the third party.
  • a computing system such as a general purpose computer through computer-executable instructions (e.g., software, firmware, etc.) stored on a computer-readable medium (e.g., storage disk, memory, etc.) and executed by a computer processor.
  • Software implementing one or more methods shown in the flowcharts could be stored in storage device 212 and executed by controller 214.
  • Various elements shown in the figures may be implemented in various forms of hardware, software or combinations thereof. That is, various elements may be implemented in a combination of hardware and software on one or more appropriately programmed general-purpose devices, which may include a processor, memory and input/output interfaces.
  • processor or “controller” should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor ("DSP") hardware, read only memory (“ROM”) for storing software, random access memory (“RAM”), and nonvolatile storage.
  • Any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the implementer as more specifically understood from the context.
  • Any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a combination of circuit elements that performs that function, software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function, etc.
  • the disclosure as defined by such claims resides in the fact that the functionalities provided by the various recited means are combined and brought together in the manner which the claims call for. It is thus regarded that any means that can provide those functionalities are equivalent to those shown herein.
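The FIG. 6 to FIG. 8 message flow and the FIG. 14 loop described above, as an added Python example that is not code from the patent. It uses textbook Paillier with toy primes; all function names, the item IDs and the plaintext integer item-to-item weights are assumptions (Paillier only adds ciphertexts and scales them by plaintext constants, so the product of two encrypted profiles is not reproduced here).

```python
# Added illustration (not from the patent). Toy primes: NOT secure.
import math
import random

_rng = random.SystemRandom()

def keygen(p, q):
    """Textbook Paillier key pair with g = n + 1; returns (public n, private key)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (n, lam, pow(lam, -1, n))

def encrypt(n, m):
    """E(m) = (1 + n)^m * r^n mod n^2, with fresh random r coprime to n."""
    n2 = n * n
    r = _rng.randrange(2, n)
    while math.gcd(r, n) != 1:
        r = _rng.randrange(2, n)
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(priv, c):
    n, lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

TP_PUB, TP_PRIV = keygen(1009, 1013)        # third party's key pair
USER_PUB, USER_PRIV = keygen(1019, 1021)    # user's key pair

# Constructed catalogue: plaintext integer item-to-item weights (assumption).
WEIGHTS = {
    101: {103: 1},
    102: {101: 3, 103: 1},
    103: {101: 1},
    104: {101: 1, 103: 4},
    105: {101: 2, 103: 2},
}

def user_send_ratings(ratings):
    """FIG. 6: unencrypted item ID paired with a TP-encrypted rating."""
    return {item_id: encrypt(TP_PUB, r) for item_id, r in ratings.items()}

def recommender_predict(stored_row):
    """FIG. 14 loop over the catalogue, working only on ciphertexts."""
    n2 = TP_PUB * TP_PUB
    vector = []
    for item_id, weights in sorted(WEIGHTS.items()):
        if item_id in stored_row:            # 1403: already rated, skip
            continue
        score = encrypt(TP_PUB, 0)
        for rated_id, w in weights.items():
            if rated_id in stored_row:
                # E(a) * E(b)^w = E(a + w*b): addition and plaintext scaling
                score = score * pow(stored_row[rated_id], w, n2) % n2
        # 1407/1408: item ID under the user's key, stored beside the score
        vector.append((score, encrypt(USER_PUB, item_id)))
    return vector                            # 1410: sent to the third party

def third_party_top_k(vector, k):
    """FIG. 8: decrypt scores, sort high to low, forward k user-encrypted IDs."""
    scored = sorted(((decrypt(TP_PRIV, c), enc_id) for c, enc_id in vector),
                    key=lambda t: t[0], reverse=True)
    return [enc_id for _, enc_id in scored[:k]]

def run_protocol(ratings, k):
    stored_row = user_send_ratings(ratings)           # recommender's row of M
    to_third_party = recommender_predict(stored_row)
    to_user = third_party_top_k(to_third_party, k)
    recommendations = [decrypt(USER_PRIV, c) for c in to_user]
    return stored_row, to_third_party, to_user, recommendations

if __name__ == "__main__":
    print(run_protocol({101: 5, 103: 2}, k=2)[3])
```

The recommender only ever handles `stored_row` ciphertexts, and the third party sees plaintext scores but only user-encrypted item IDs.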

Abstract

Various examples of systems and methods for providing recommendations that can be tailored to a user while preserving the privacy of the user's personal information are disclosed. In various embodiments, user information can be encrypted such that the recommendation service cannot decrypt the user information, yet the recommendation service can analyze the user information to predict user ratings for content items. The predicted user ratings can remain obscured from the recommendation service by encryption, yet can provide the basis for recommendations tailored to the user. In particular, the encrypted predicted user ratings can be sent to a third party (i.e., not the recommendation service or the user), and the third party can decrypt the predicted user ratings and determine recommendations based on the predicted user ratings.

Description

METHOD AND SYSTEM FOR PRIVACY-PRESERVING RECOMMENDATIONS
CROSS REFERENCE TO RELATED APPLICATIONS
This application claims priority to U.S. Provisional Application No. 62/010,867, filed on June 11, 2014, which is incorporated by reference herein in its entirety.
TECHNICAL FIELD
The present disclosure generally relates to recommendation systems and, more particularly, to privacy-preserving recommendations.
BACKGROUND
Home entertainment systems, including television and media centers, are converging with the Internet and providing access to a large number of available sources of content, such as video, movies, TV programs, music, etc. This expansion in the number of available sources necessitates a new strategy for navigating a media interface associated with such systems and enabling access to certain portions of media content being consumed by the user.
With this expansion, there is a trend towards providing personalized content to a user who has set up a profile including personal information. The personal information may describe the user, as well as their interests.
Additionally, this personal information may also provide information about content sources available to the particular user. These content sources may be one of a local content source (e.g. on a local area network in a media storage repository) and a third party content source (e.g. subscription based service or pay per view system).
SUMMARY
Various examples of systems and methods for providing recommendations that can be tailored to a user while preserving the privacy of the user's personal information are disclosed. In various embodiments, user information can be encrypted such that the recommendation service cannot decrypt the user information, yet the recommendation service can analyze the user information to predict user ratings for content items. The predicted user ratings can remain obscured from the recommendation service by encryption, yet can provide the basis for recommendations tailored to the user. In particular, the encrypted predicted user ratings can be sent to a third party (i.e., not the recommendation service or the user), and the third party can decrypt the predicted user ratings and determine recommendations based on the predicted user ratings. In various embodiments, user information can also be obscured from the third party through encryption. In this way, for example, neither the recommendation service nor the third party can obtain the user's personal information, yet the user can be provided with recommendations that are based on the user's personal information.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of an example of a system for delivering video content according to various embodiments.
FIG. 2 is a block diagram of an example of a computing system, such as a set-top box/digital video recorder (DVR), gateway, etc., according to various embodiments.
FIG. 3 illustrates an example of a touch panel input device according to various embodiments.
FIG. 4 illustrates another example of an input device according to various embodiments.
FIG. 5 is a block diagram of an example of a privacy-preserving recommendation system according to various embodiments.
FIG. 6 illustrates an example of a method that can be performed by a user system according to various embodiments.
FIG. 7 illustrates an example of a method that can be performed by a recommendation system according to various embodiments.
FIG. 8 illustrates an example of a method that can be performed by a third party according to various embodiments.
FIG. 9 is a block diagram of another example of a privacy-preserving recommendation system according to various embodiments.
FIGS. 10 and 11 illustrate examples of methods that can be performed by a recommendation system according to various embodiments.
FIG. 12 illustrates an example of a method of receiving and storing a TP-encrypted user rating according to various embodiments.
FIG. 13 is a diagram that illustrates one example implementation of the method of FIG. 12 according to various embodiments.
FIG. 14 illustrates an example of a method of determining TP-encrypted predicted user ratings according to various embodiments.
It should be understood that the drawings are for purposes of illustrating the concepts of the disclosure and are not necessarily the only possible configurations for illustrating the disclosure.
DETAILED DESCRIPTION
Consumers of content, such as movies, television (TV), music, etc., can have difficulty finding content they are likely to enjoy. Consumers may be faced with browsing through massive databases of content, for example, and can become overwhelmed and frustrated. Consumers may wish to obtain recommendations for content items, e.g., movies, TV shows, songs, etc., from recommendation systems. However, in order to obtain good recommendations, e.g., recommendations that are tailored to the consumer's personal tastes, recommendation services typically require that the user divulge personal information in order to determine what content the user probably will like. For example, recommendation services can tailor recommendations by analyzing user information, for example, biographical information such as age, sex, race, etc., economic information such as income level, etc., preference information such as what content items users consume and how the users rate the content items, etc., to predict what other content items a user will probably like. However, consumers may not want to provide such information to a recommendation service. In other words, users may wish to keep such information private.
The following disclosure includes various examples of systems and methods for providing recommendations that can be tailored to a user while preserving the privacy of the user's personal information. In various embodiments, user information can be encrypted such that the recommendation service cannot decrypt the user information, yet the recommendation service can analyze the user information to predict user ratings for content items. The predicted user ratings can remain obscured from the recommendation service by encryption, yet can provide the basis for recommendations tailored to the user. In particular, the encrypted predicted user ratings can be sent to a third party (i.e., not the recommendation service or the user), and the third party can decrypt the predicted user ratings and determine recommendations based on the predicted user ratings. In various embodiments, user information can also be obscured from the third party through encryption. In this way, for example, neither the recommendation service nor the third party can obtain the user's personal information, yet the user can be provided with recommendations that are based on the user's personal information.
FIG. 1 illustrates a block diagram of an example of a system 100 for delivering content and recommendations to a home or end user. The content originates from a content source 102, such as a movie studio or production house. The content may be supplied in at least one of two forms. One form may be a broadcast form of content. The broadcast content is provided to the broadcast affiliate manager 104, which is typically a national broadcast service, such as the American Broadcasting Company (ABC), National Broadcasting Company (NBC), Columbia Broadcasting System (CBS), etc. The broadcast affiliate manager may collect and store the content, and may schedule delivery of the content over a delivery network, shown as delivery network 106. Delivery network 106 may include satellite link transmission from a national center to one or more regional or local centers. Delivery network 1 06 may also include local content delivery using local delivery systems such as over the air broadcast, satellite broadcast, or cable broadcast. The locally delivered content is provided to a user system 107 in a user's home.
User system 1 07 can include a receiving device 108 that can receive and process content and perform other functions described in more detail below. It is to be appreciated that receiving device 1 08 can be, for example, a set-top box, a digital video recorder (DVR), a gateway, a modem, etc. Receiving device 1 08 may act as entry point, or gateway, for a home network system that includes additional devices configured as either client or peer devices in the home network.
User system 107 can also include a display device 1 14. In some embodiments, display device 1 14 can be an external display coupled to receiving device 108. In some embodiments, receiving device 108 and display device 1 14 can be parts of a single device. The display device 1 14 may be, for example, a conventional 2-D type display, an advanced 3-D display, etc. User system 107 can also include an input device 1 16, such as a remote controller, a keyboard, a mouse, a touch panel, a touch screen, etc. The input device 1 16 may be adapted to provide user control for the receiving device 108 and/or the display device 1 14. In some embodiments, input device 1 1 6 may be an external device that can couple to receiving device 108 via, for example, a wired connection, a signal transmission system, such as infra-red (IR), radio frequency (RF) communications, etc., and may include standard protocols such as universal serial bus (USB), infra-red data association (I RDA) standard, Wi-Fi, Bluetooth and the like, proprietary protocols, etc. In some embodiments, receiving device 108 and input device 1 1 6 can be part of the same device. Operations of input device 1 16 will be described in further detail below.
A second form of content is referred to as special content. Special content may include, for example, premium viewing content, pay-per-view content, Internet access, other content otherwise not provided to the broadcast affiliate manager, e.g., movies, video games, other video elements, etc. The special content may be content requested by the user, such as a webpage, a movie download, etc. The special content may be delivered to a content manager 1 10. The content manager 1 1 0 may be a service provider, such as an Internet website, affiliated, for instance, with a content provider, broadcast service, or delivery network service. The content manager 1 1 0 may also incorporate Internet content into the delivery system. The content manager 1 1 0 may deliver the content to the user's receiving device 108 over a communication network, e.g., communication network 1 12. Communication network 1 12 may include high-speed broadband Internet type communications systems. It is important to note that the content from the broadcast affiliate manager 104 may also be delivered using all or parts of communication network 1 12 and content from the content manager 1 10 may be delivered using all or parts of delivery network 106. In some embodiments, the user may obtain content, such as webpages, etc., directly from the Internet 1 13 via communication network 1 12 without necessarily having the content managed by the content manager 1 10.
Several adaptations for utilizing the separately delivered content may be possible. In one possible approach, the special content is provided as an augmentation to the broadcast content, providing alternative displays, purchase and merchandising options, enhancement material, etc. In another embodiment, the special content may completely replace some programming content provided as broadcast content. Finally, the special content may be completely separate from the broadcast content, and may simply be a media alternative that the user may choose to utilize. For instance, the special content may be a library of movies that are not yet available as broadcast content. The receiving device 108 may receive different types of content from one or both of delivery network 106 and communication network 1 1 2. The receiving device 1 08 processes the content, and provides a separation of the content based on user preferences and commands. The receiving device 108 may also include a storage device, such as a hard drive or optical disk drive, for recording and playing back audio and video content. Further details of the operation of the receiving device 108 and features associated with playing back stored content will be described below in relation to FIG. 2. The processed content is provided to display device 1 14.
In the example of FIG. 1, content manager 110 also controls a recommendation system 117 that can include a recommendation engine 118 and a database 120. Recommendation system 117 can process encrypted recommendation information that can be used to provide recommendations to the user as will be described in more detail below. Although recommendation system 117 is controlled by content manager 110 in this example, it should be appreciated that in some embodiments, recommendation systems can be operated by other entities, such as separate recommendation service providers whose primary service is providing recommendations.
System 100 can include a third party (TP) 122. Third party 122 can communicate with recommendation system 117 and user system 107 via communication network 112. Third parties, such as third party 122, will be discussed in more detail below.
FIG. 2 includes a block diagram of an example of a computing system 200. In some embodiments, computing system 200 can be a user system, such as receiving device 108 described in FIG. 1, and may be included as part of a gateway device, modem, set-top box, personal computer, tablet computer, smartphone, etc. In some embodiments, computing system 200 can be included in a recommendation system and can perform operations of a recommendation system. In some embodiments, computing system 200 can be included in a third party system and can perform operations of a third party system. Examples of recommendation systems and third party systems will be described in more detail below.
Computing system 200 may also be incorporated into other systems including an audio device, a display device, etc. The computing system 200 may be, for example, a set top box coupled to an external display device (e.g., a television), a personal computer coupled to a display device (e.g., a computer monitor), etc. In some embodiments, the computing system 200 may include an integrated display device, for example, a portable device such as a tablet computer, a smartphone, etc.
In computing system 200 shown in FIG. 2, the content is received by an input signal receiver 202. The input signal receiver 202 may include, for example, receiver circuits used for receiving, demodulating, and decoding signals provided over one of the several possible networks including over the air, cable, satellite, Ethernet, fiber and phone line networks. The desired input signal may be obtained based on user input provided through a user interface 216. For example, the user input may include search terms for a search, and the input signal received by input signal receiver 202 may include search results. User interface 216 can be coupled to an input device, such as input device 116, and can receive and process corresponding user inputs, for example, keystrokes, button presses, touch inputs, such as gestures, audio input, such as voice input, etc., from the input device. User interface 216 may be adapted to interface to a cellular phone, a tablet, a mouse, a remote controller, etc.
The decoded output signal is provided to an input stream processor 204. The input stream processor 204 performs the final signal selection and processing, and includes separation of video content from audio content for the content stream. The audio content is provided to an audio processor 206 for conversion from the received format, such as a compressed digital signal, to an analog waveform signal. The analog waveform signal is provided to an audio interface 208 and further to the display device or audio amplifier. In some embodiments, the audio interface 208 may provide a digital signal to an audio output device or display device using a High-Definition Multimedia Interface (HDMI) cable, an audio interface such as via a Sony/Philips Digital Interconnect Format (SPDIF), etc. The audio interface may also include amplifiers for driving one or more sets of speakers. The audio processor 206 also performs any necessary conversion for the storage of the audio signals.
The video output from the input stream processor 204 is provided to a video processor 210. The video signal may be one of several formats. The video processor 210 provides, as necessary, a conversion of the video content, based on the input signal format. The video processor 210 also performs any necessary conversion for the storage of the video signals.
A computer-readable storage device 212 can store computer-executable instructions for performing operations according to various embodiments. The instructions can be executed by one or more processors, such as a controller 214. Storage device 212 may be, for example, a hard disk drive, one or more large capacity integrated electronic memories, such as static RAM (SRAM), dynamic RAM (DRAM), etc., an interchangeable optical disk storage system such as a compact disk (CD) drive, digital video disk (DVD) drive, etc.
In various embodiments, computing system 200 can be a user system, such as receiving device 118, and storage device 212 may store audio and video content received at the input. Storage device 212 can allow later retrieval and playback of the content under the control of controller 214 and also based on commands, e.g., navigation instructions such as fast-forward (FF) and rewind (RW), received from user interface 216.
The converted video signal, from the video processor 210, either originating from the input or from the storage device 212, is provided to the display interface 218. The display interface 218 further provides the display signal to a display device, such as display device 114, described above. The controller 214 is interconnected via a bus to several of the components of the device 200, including the input stream processor 204, audio processor 206, video processor 210, storage device 212, and user interface 216. The controller 214 manages the conversion process for converting the input stream signal into a signal for storage on the storage device or for display. The controller 214 also manages the retrieval and playback of stored content. Furthermore, as will be described below, the controller 214 can receive rating information input by a user and can perform encryption of the user rating information, as described below in more detail.
Controller 214 can be coupled to a memory, such as control memory 220 (e.g., volatile or non-volatile memory, including RAM, SRAM, DRAM, ROM, programmable ROM (PROM), flash memory, electronically programmable ROM (EPROM), electronically erasable programmable ROM (EEPROM), etc.). Control memory 220 may store instructions for execution by controller 214. Control memory 220 may store information, such as a database of elements, for example, graphic elements containing content. The database may be stored as a pattern of graphic elements, such as graphic elements containing content, various graphic elements used for generating a displayable user interface for display interface 218, and the like. In some embodiments, the memory may store the graphic elements in identified or grouped memory locations and use an access or location table to identify the memory locations for the various portions of information related to the graphic elements. Additional details related to the storage of the graphic elements will be described below. Further, the implementation of the control memory 220 may include several possible embodiments, such as a single memory device, more than one memory circuit communicatively connected or coupled together to form a shared or common memory, etc. Still further, the memory may be included with other circuitry, such as portions of bus communications circuitry, in a larger circuit.
FIGS. 3 and 4 represent two examples of input devices, 300 and 400, such as input device 116. Input devices 300 and 400 can couple with a user interface, such as user interface 216. Input devices 300 and 400 may be used to initiate and/or select various functions available to a user related to the acquisition, consumption, access and/or modification of content, such as multimedia content, broadcast content, Internet content, etc. Input devices 300 and 400 can also allow a user to input rating information and requests for recommendations, as described below in more detail.
FIG. 3 illustrates an example of a touch panel input device 300. The touch panel device 300 may be interfaced, for example, via the user interface 216 of the computing system 200 in FIG. 2. The touch panel device 300 allows operation of the computing system or set top box based on hand movements, or gestures, and actions translated through the panel into commands for the set top box or other control device. This is achieved by the controller 214 generating a touch screen user interface including at least one user selectable image element enabling initiation of at least one operational command. The touch screen user interface may be pushed to the touch screen device 300 via the user interface 216. In some embodiments, the touch screen user interface generated by the controller 214 may be accessible via a webserver executing on one of the user interface 216. The touch panel 300 may serve as a navigational tool to navigate a grid display, as described above for search results. In some embodiments, the touch panel 300 may serve as a display device allowing the user to more directly interact with the navigation through the grid display of content. The touch panel 300 can also include a camera element and/or at least one audio sensing element.
In some embodiments, the touch panel 300 employs a gesture sensing controller or touch screen enabling a number of different types of user interaction. The inputs from the controller are used to define gestures and the gestures, in turn, define specific contextual commands. The configuration of the sensors may permit defining movement of a user's fingers on a touch screen or may even permit defining the movement of the controller itself in either one dimension or two dimensions. Two-dimensional motion, such as a diagonal, and a combination of yaw, pitch and roll can be used to define any three-dimensional motions, such as a swing. Gestures are interpreted in context and are identified by defined movements made by the user. Depending on the complexity of the sensor system, only simple one-dimensional motions or gestures may be allowed. For instance, a simple right or left movement on the sensor as shown here may produce a fast forward or rewind function. In addition, multiple sensors could be included and placed at different locations on the touch screen. For instance, a horizontal sensor for left and right movement may be placed in one spot and used for volume up/down, while a vertical sensor for up and down movement may be placed in a different spot and used for channel up/down. In this way specific gesture mappings may be used. For example, the touch screen device 300 may recognize alphanumeric input traces which may be automatically converted into alphanumeric text displayable on one of the touch screen device 300 or output via display interface 218 to a primary display device.
FIG. 4 illustrates another example of an input device, input device 400. The input device 400 may, for example, be used to interact with the user interfaces generated by the system and which are output for display by the display interface 218 to a primary display device (e.g. television, monitor, etc). The input device of FIG. 4 may be formed as a remote control having a 12-button alphanumerical keypad 402 and a navigation section 404 including directional navigation buttons and a selector button. The input device 400 may also include a set of function buttons 406 that, when selected, initiate a particular system function (e.g. menu, guide, DVR, etc). In some embodiments, the input device 400 may include a set of programmable application specific buttons 408 that, when selected, may initiate a particularly defined function associated with a particular application executed by the controller 214. Input device 400 may include a display screen 410 that can display information, such as program information, menu information, navigation information, etc. The depiction of the input device in FIG. 4 is merely exemplary and the input device may include any number and/or arrangement of buttons that enable a user to interact with the user interface process according to various embodiments. Additionally, it should be noted that users may use either or both of the input devices depicted and described in FIGS. 3 and 4 simultaneously and/or sequentially to interact with the system.
In some embodiments, the user input device may include at least one of an audio sensor and a visual sensor. For example, the audio sensor may sense audible commands issued from a user and translate the audible commands into functions to be executed by the user. The visual sensor may sense the user's presence and match user information of the sensed user(s) to stored visual data in the usage database 120 in FIG. 1. Matching visual data sensed by the visual sensor enables the system to automatically recognize the user's presence and retrieve any user profile information associated with the user. Additionally, the visual sensor may sense physical movements of at least one user present and translate those movements into control commands for controlling the operation of the system. In this embodiment, the system may have a set of pre-stored command gestures that, if sensed, enable the controller 214 to execute a particular feature or function of the system. An example of a type of gesture command may include the user waving their hand in a rightward direction which may initiate a fast forward command or a next screen command or a leftward direction which may initiate a rewind or previous screen command depending on the current context. This description of physical gestures able to be recognized by the system is merely exemplary and should not be taken as limiting. Rather, this description is intended to illustrate the general concept of physical gesture control that may be recognized by the system and persons skilled in the art could readily understand that the controller may be programmed to specifically recognize any physical gesture and allow that gesture to be tied to at least one executable function of the system.
FIG. 5 is a block diagram of an example of a privacy-preserving recommendation system 500 according to various embodiments. System 500 can include a user system 501, such as user system 107 shown in FIG. 1, that can be in a user's home, for example. User system 501 can include, for example, a set-top box, a digital video recorder (DVR), a gateway, a modem, etc., that can receive and process content delivered via a communication network, such as communication network 112, and that can send communications, such as data, information, messages, requests, etc., via the communication network. System 500 can also include a recommendation system 504, such as recommendation system 117 shown in FIG. 1, and a third party 507, such as third party 122 shown in FIG. 1.
The user may wish to obtain recommendations for content items, such as movies, TV shows, music, etc., from recommendation system 504. Typically, recommendation services require information about a user in order to determine what content the user probably will like. Recommendation services can provide recommendations by analyzing user information, for example, biographical information such as age, sex, race, etc., economic information such as income level, etc., preference information such as what content items users consume and how the users rate the content items, etc., to predict what other content items a user will probably like. However, some users may not want to provide such information to a recommendation service. In other words, users may wish to keep such information private.
System 500 illustrates an example in which user information can be kept private with the help of a third party, such as third party 507, while still allowing a recommendation service to analyze the user information and provide recommendations. For example, the user information can be the ratings that the user has given to various content items, such as movies. In some embodiments, the ratings can be, for example, a numerical value on a scale of one to five. User system 501 can provide recommendation system 504 with the user ratings under an encryption that does not allow the recommendation system to decrypt the ratings, but allows third party 507 to decrypt the ratings.
In this regard, FIG. 6 illustrates an example of a method that can be performed by a user system, such as user system 501. The user system can obtain (601) a user rating for a content item, such as a movie. For example, the user may watch the movie on a display, such as display device 114, and then input a rating for the movie using an input device, such as input device 116. The user system can encrypt (602) the user rating with an encryption that does not allow the recommendation system to decrypt the ratings, but allows a third party, such as third party 507, to decrypt the ratings. In other words, the user system can generate a TP-encrypted user rating. For example, the user system can encrypt the user rating using a public key of the third party. The user system can send (603) TP-encrypted rating information to the recommendation system. The TP-encrypted rating information can include the TP-encrypted user rating together with an unencrypted identification (ID) of the content item. The unencrypted content item ID can allow the recommendation system to identify the content item corresponding to the TP-encrypted user rating. In this way, the recommendation system can determine what content item the user has rated, but cannot determine the user rating.
Referring to FIG. 5, communication 511 illustrates TP-encrypted rating information sent from user system 501 to recommendation system 504. In some embodiments, the TP-encrypted rating information in each communication 511 can include TP-encrypted user ratings and corresponding unencrypted content item IDs for multiple content items. For example, user system 501 may store multiple user ratings and periodically send TP-encrypted rating information for all stored user ratings in a single communication 511. In some embodiments, the TP-encrypted rating information in each communication 511 can include a single TP-encrypted user rating and corresponding unencrypted content item ID. For example, each time the user rates a movie, user system 501 can automatically encrypt the user rating and send the TP-encrypted user rating and corresponding unencrypted content item ID in a communication 511. When the user wishes to receive a recommendation, the user can input a request for a recommendation to user system 501, and the user system can send a recommendation request as a communication 514 to recommendation system 504.
FIG. 7 illustrates an example of a method that can be performed by a recommendation system, such as recommendation system 504. The recommendation system can obtain (701) TP-encrypted rating information. For example, the recommendation system can receive one or more communications 511 and store the TP-encrypted rating information in a database. In some embodiments, the recommendation system can receive and store TP-encrypted rating information from multiple users. The recommendation system can determine (702) to provide a recommendation. For example, recommendation system 504 can determine to provide user system 501 with a recommendation in response to receiving the recommendation request in communication 514.
The recommendation system can determine (703) TP-encrypted predicted ratings based on the TP-encrypted rating information. In other words, the TP-encrypted user ratings for the content items that the user has rated can be analyzed while remaining under TP encryption to produce TP-encrypted predicted ratings for other content items. In this way, user information such as user ratings and predicted user ratings for various content items can remain under TP encryption while in the possession of the recommendation system. As will be described in more detail below with respect to an example of an embodiment, the result can be a list that includes a TP-encrypted predicted rating for each content item in a database of the recommendation system. Although some information in the list may be unencrypted, i.e., the content item IDs, the predicted rating corresponding to each content item ID is under TP encryption. Thus, the recommendation system can be prevented from gaining information of how the user rated particular content items or which other content items the user will probably like or dislike.
In order for the TP-encrypted predicted ratings to be used to determine recommendations for content items, the TP-encrypted predicted ratings can be sent to the third party to be decrypted. However, if the third party also receives the corresponding unencrypted content item IDs, the third party can determine the user's unencrypted predicted ratings and corresponding unencrypted content item IDs. Therefore, the third party could gain private information of which content items the user will probably like or dislike. However, the recommendation system can encrypt the corresponding content item IDs with an encryption that the third party cannot decrypt, but the user system can decrypt. For example, the recommendation system can encrypt the content item IDs with the user's public key. The recommendation system can then send (704) the TP-encrypted predicted ratings and corresponding user-encrypted content item IDs to the third party.
Referring to FIG. 5, the TP-encrypted predicted ratings and corresponding user-encrypted content item IDs can be sent to third party 507 in a communication 517.
FIG. 8 illustrates an example of a method that can be performed by a third party, such as third party 507. The third party can obtain (801) TP-encrypted predicted ratings and corresponding encrypted content item IDs, which in this case includes the user-encrypted content item IDs. The third party can decrypt (802) the TP-encrypted predicted ratings. The third party can make a recommendation determination by, for example, determining a pre-defined subset of predicted ratings based on predetermined criteria and selecting (803) the user-encrypted content item IDs that correspond to the predicted ratings in the subset. For example, the third party can sort the decrypted predicted ratings and corresponding user-encrypted content item IDs from highest to lowest value of predicted rating. The third party can then select the top-k predicted ratings, i.e., the k predicted ratings with the highest values, and the corresponding user-encrypted content item IDs, where k can be an integer that is agreed upon between the recommendation service and the third party. The third party can then send (804) the sorted top-k user-encrypted content item IDs to an appropriate entity, in this case, the user system. In some embodiments, the third party can send the corresponding predicted ratings together with the user-encrypted content item IDs.
Referring to FIG. 5, the third party can send the top-k user-encrypted content item IDs as a communication 521. After user system 501 receives communication 521, the user system can decrypt the user-encrypted content item IDs to obtain an ordered list of top-k recommendations.
The recommendation service may demand that the third party send the user only the top-k recommendations because the recommendation system may desire that the user request additional recommendations in the future, particularly if the recommendation service charges a fee to provide recommendations. If the user received more than the top-k recommendations, for example, the user might not need to request additional recommendations as often. However, in the system 500 example illustrated in FIG. 5, the third party could potentially provide the user with more than the top-k recommendations.
FIG. 9 is a block diagram of another example of a privacy-preserving recommendation system according to various embodiments. System 900 can include a user system 901, such as user system 107 shown in FIG. 1, that can be in a user's home, for example. System 900 can also include a recommendation system 904, such as recommendation system 117 shown in FIG. 1, and a third party 907, such as third party 122 shown in FIG. 1.
In the example of system 900, user system 901 can send TP-encrypted rating information via a communication 911 and a recommendation request via a communication 914, similar to the example of system 500. In system 900, recommendation system 904 can further encrypt the user-encrypted content item IDs with an encryption that only the recommendation system can decrypt. In other words, the content item IDs can be recommender-encrypted and user-encrypted, which may also be referred to as recommender/user-encrypted content item IDs. Recommendation system 904 can send TP-encrypted predicted ratings and corresponding recommender/user-encrypted content item IDs to third party 907 via a communication 917.
In this regard, FIGS. 10 and 11 illustrate examples of methods that can be performed by a recommendation system, such as recommendation system 904. Similar to the example of FIG. 7, the recommendation system can obtain (1001) TP-encrypted rating information from one or more users, can determine (1002) to provide a recommendation, for example, in response to receiving a recommendation request from a user system, can determine (1003) TP-encrypted predicted ratings based on the TP-encrypted rating information, and can encrypt the corresponding content item IDs with an encryption that the third party cannot decrypt, but the user system can decrypt, for example, with the user's public key.
The recommendation system can further encrypt the user-encrypted content item IDs with an encryption that only the recommendation system can decrypt, for example, by encrypting (1004) using the recommendation system's private key. The recommendation system can then send (1005) the TP-encrypted predicted ratings and corresponding recommender/user-encrypted content item IDs to the third party.
Referring to FIG. 9, the TP-encrypted predicted ratings and corresponding recommender/user-encrypted content item IDs can be sent to third party 907 in a communication 917. The third party can perform a similar method as the example of FIG. 8. For example, from communication 917 the third party can obtain the TP-encrypted predicted ratings and the corresponding encrypted content item IDs, which in this case, can include the recommender/user-encrypted content item IDs. The third party can decrypt the TP-encrypted predicted ratings. The third party can select the recommender/user-encrypted content item IDs that correspond to the predicted ratings in a subset based on predetermined criteria, for example, the top-k predicted ratings sorted from highest to lowest predicted rating value. The third party can then send the sorted top-k recommender/user-encrypted content item IDs to the appropriate entity. In this case, the appropriate entity can be the recommendation system. Referring to FIG. 9, the third party can send the sorted top-k recommender/user-encrypted content item IDs to the recommendation system via a communication 921. In this way, the recommendation system can be assured that the third party is providing only k recommended content items.
Referring to FIG. 11, the recommendation system can obtain (1101) the sorted top-k recommender/user-encrypted content item IDs and can decrypt (1102), e.g., with the recommendation system's private key to obtain the sorted top-k user-encrypted content item IDs. The recommendation system can send (1103) the sorted top-k user-encrypted content item IDs to the user system. As shown in FIG. 9, the sorted top-k user-encrypted content item IDs can be sent to user system 901 in a communication 924.
FIGS. 12-14 illustrate examples of various methods that can be performed by a recommendation system to keep user information private while allowing TP-encrypted predicted ratings to be determined based on the TP-encrypted rating information according to some embodiments.
FIG. 12 illustrates an example of a method of receiving and storing a TP-encrypted user rating according to various embodiments. A recommendation system can obtain (1201) a TP-encrypted user rating and corresponding content item ID. The recommendation system can index (1202) the TP-encrypted user rating based on the corresponding content item ID and can store (1203) the TP-encrypted user rating based on the index. For example, the TP-encrypted user rating can be stored in a database, such as recommendation information database 120 shown in FIG. 1.
FIG. 13 is a diagram that illustrates one example implementation of the method of FIG. 12 according to various embodiments. Multiple users 1301 can subscribe to a recommendation service that operates a recommendation system that can include a recommendation engine 1304 and a recommendation information database 1307. A matrix M can be stored as a data structure 1314 in recommendation information database 1307. Matrix M can include TP-encrypted user ratings $\mathcal{E}_{TP}(r_{i,j})$, where r is the user rating, i is a user index, and j is a content item index. That is, each row of matrix M includes the TP-encrypted user ratings for a particular user, and each column of matrix M includes the TP-encrypted user ratings for a particular content item. In other words, each row of matrix M can represent a TP-encrypted user profile vector $\mathcal{E}_{TP}(u_i)$, and each column of matrix M can represent a TP-encrypted content item profile $\mathcal{E}_{TP}(v_j)$. FIG. 13 shows matrix M including TP-encrypted user ratings at some locations, and locations in matrix M that do not have a TP-encrypted user rating are represented by dashes.
FIG. 13 also illustrates one example of a method for storing TP-encrypted user ratings in matrix M according to various embodiments. When one of users 1301 rates a content item, the user's system can send a communication 1311 to recommendation engine 1304. Each communication can include TP-encrypted rating information, such as a TP-encrypted user rating and a corresponding content item ID, together with a user ID that can identify the user sending the communication. For example, a user (1) may input a user rating for content item (3) to the user system of user (1), and the user system can encrypt the user rating and send communication 1311 that includes a user (1) ID, an item (3) ID, and the TP-encrypted user rating $\mathcal{E}_{TP}(r_{1,3})$. Recommendation engine 1304 can receive communication 1311 from user (1), determine the user index i based on the user ID (i = 1), and determine the content item index j based on the content item ID (j = 3). Then, the recommendation system can index the included TP-encrypted user rating $\mathcal{E}_{TP}(r_{1,3})$ and store the indexed TP-encrypted user rating, for example, at row 1, column 3 of matrix M.
Likewise, FIG. 13 shows communications 1311 resulting from user (2) rating content item (5), i.e., [user (2) ID, item (5) ID, $\mathcal{E}_{TP}(r_{2,5})$], which recommendation engine 1304 receives, indexes $\mathcal{E}_{TP}(r_{2,5})$, and stores at row 2, column 5 of matrix M. FIG. 13 also shows communications 1311 resulting from user (3) rating content item (5), i.e., [user (3) ID, item (5) ID, $\mathcal{E}_{TP}(r_{3,5})$], which recommendation engine 1304 receives, indexes $\mathcal{E}_{TP}(r_{3,5})$, and stores at row 3, column 5 of matrix M. FIG. 13 also shows communications 1311 resulting from user (4) rating content item (3), i.e., [user (4) ID, item (3) ID, $\mathcal{E}_{TP}(r_{4,3})$], which recommendation engine 1304 receives, indexes $\mathcal{E}_{TP}(r_{4,3})$, and stores at row 4, column 3 of matrix M. Finally, FIG. 13 shows communications 1311 resulting from user (5) rating content item (4), i.e., [user (5) ID, item (4) ID, $\mathcal{E}_{TP}(r_{5,4})$], which recommendation engine 1304 receives, indexes $\mathcal{E}_{TP}(r_{5,4})$, and stores at row 5, column 4 of matrix M. In the example of FIG. 13, matrix M also includes other entries, such as $\mathcal{E}_{TP}(r_{2,1})$, $\mathcal{E}_{TP}(r_{2,4})$, etc., which can be previously-stored TP-encrypted user ratings resulting from ratings users 1301 input in the past, for example.
In various embodiments, matrix factorization (MF) can be used to analyze the TP-encrypted user ratings $\mathcal{E}_{TP}(r_{i,j})$ while remaining under TP encryption to produce TP-encrypted predicted ratings $\mathcal{E}_{TP}(\hat{r}_{i,j})$ for other content items. For example, in the case that the recommendation service has n users (i = 1...n) and can provide recommendations for m content items (j = 1...m), then matrix M can be an n × m matrix with $\mathcal{E}_{TP}(r_{i,j})$ entries corresponding to all TP-encrypted user ratings received from the users. For many applications, the number of $\mathcal{E}_{TP}(r_{i,j})$ entries in matrix M is much smaller than the value of n × m. In other words, for many applications, most of the entries in matrix M are empty entries. Matrix factorization can be used to predict the values of the empty entries for a particular user profile $u_i$, and thus predict how the user would rate the content items that the user has not yet rated, while the user profile remains TP-encrypted as $\mathcal{E}_{TP}(u_i)$. In various embodiments, for example, an additive semantically secure public-key homomorphic encryption $\mathcal{E}$, e.g., the Paillier cryptosystem, can be used and a TP-encrypted predicted user rating can be determined for each empty entry (i,j) in a TP-encrypted user profile by multiplying the TP-encrypted user profile vector, $\mathcal{E}_{TP}(u_i)$, with the TP-encrypted content item profile of the j-th content item, $\mathcal{E}_{TP}(v_j)$:

$$\mathcal{E}_{TP}(\hat{r}_{i,j}) = \mathcal{E}_{TP}(u_i)^T \, \mathcal{E}_{TP}(v_j) \qquad (1)$$
FIG. 14 illustrates an example of a method of determining TP-encrypted predicted user ratings according to various embodiments. A recommendation system can obtain (1401) the TP-encrypted user profile of user i, $\mathcal{E}_{TP}(u_i)$. The content item index j can be initialized (1402), e.g., by setting j = 1. The recommendation system can determine (1403) whether a TP-encrypted user rating for the j-th content item, $\mathcal{E}_{TP}(r_{i,j})$, exists. In other words, the recommendation system can determine whether user (i) has already rated content item (j). If $\mathcal{E}_{TP}(r_{i,j})$ exists, j can be incremented (1404) (e.g., increased by 1), and the process can return to determine (1403) whether $\mathcal{E}_{TP}(r_{i,j})$ exists. On the other hand, if it is determined (1403) that $\mathcal{E}_{TP}(r_{i,j})$ does not exist, the recommendation system can obtain (1405) the TP-encrypted profile vector of the j-th content item, $\mathcal{E}_{TP}(v_j)$, and can multiply (1406) $\mathcal{E}_{TP}(u_i)$ with $\mathcal{E}_{TP}(v_j)$ to obtain the TP-encrypted predicted rating, $\mathcal{E}_{TP}(\hat{r}_{i,j})$, as in Equation (1) above.
The recommendation system can encrypt (1407) the content item (j) ID with the public key of user i, and can store (1408) the TP-encrypted predicted rating, $\mathcal{E}_{TP}(\hat{r}_{i,j})$, and the corresponding user-encrypted content item (j) ID, $\mathcal{E}_{User}(\text{content ID}_j)$, as a tuple in a vector of tuples, where each tuple is a [$\mathcal{E}_{TP}(\hat{r}_{i,j})$, $\mathcal{E}_{User}(\text{content ID}_j)$] pair. The recommendation system can determine (1409) whether j corresponds to the last content item, e.g., determine whether j = m. If it is determined (1409) that j is not the last content item, then the recommendation system can return to increment j (1404), and can return to determine (1403) whether $\mathcal{E}_{TP}(r_{i,j})$ exists. Otherwise, if it is determined (1409) that j corresponds to the last content item, the recommendation system can send (1410) the vector of [$\mathcal{E}_{TP}(\hat{r}_{i,j})$, $\mathcal{E}_{User}(\text{content ID}_j)$] tuples to the third party.
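The FIG. 14 loop and the third party's selection step recited in the claims can be traced end to end with a toy Paillier implementation. This is an added example, not code from the application. It assumes the recommender holds the item profiles $v_j$ as plaintext integer vectors, because Paillier by itself only supports multiplying a ciphertext by a known constant, whereas Equation (1) has both operands TP-encrypted; the key sizes, function names, the use of a second Paillier key pair as the user's encryption, and all sample data are constructed for illustration.

```python
import math
import secrets

def keygen(p, q):
    """Paillier key pair with g = n + 1: returns (public n, private (n, phi, mu))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))

def enc(n, m):
    """Encrypt integer m (0 <= m < n) under public modulus n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def dec(sk, c):
    n, phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def enc_dot(n, enc_u, v):
    """Multiplying E(u_k)^(v_k) mod n^2 over k yields an encryption of sum u_k * v_k."""
    acc = 1
    for c, w in zip(enc_u, v):
        acc = acc * pow(c, w, n * n) % (n * n)
    return acc

def predict_unrated(tp_pk, user_pk, m_row, enc_u, item_profiles):
    """Recommender side of FIG. 14. m_row maps item index j to the stored
    TP-encrypted rating of this user (one row of matrix M)."""
    tuples = []
    for j, v_j in item_profiles.items():
        if j in m_row:                       # 1403: already rated, skip
            continue
        tuples.append((enc_dot(tp_pk, enc_u, v_j),   # 1406: encrypted prediction
                       enc(user_pk, j)))             # 1407: user-encrypted item ID
    return tuples                            # 1410: vector sent to the third party

def third_party_select(tp_sk, tuples, k):
    """Third party decrypts the predictions, ranks them, and returns the top-k
    item IDs, which it can only see in user-encrypted form."""
    ranked = sorted(tuples, key=lambda t: dec(tp_sk, t[0]), reverse=True)
    return [enc_id for _, enc_id in ranked[:k]]

# Toy keys built from Mersenne primes; real deployments need >= 2048-bit moduli.
TP_PK, TP_SK = keygen(2**31 - 1, 2**61 - 1)
USER_PK, USER_SK = keygen(2**61 - 1, 2**89 - 1)

# Constructed sample data: integer profile of user i and five item profiles.
U_I = [3, 1, 2]
ITEM_PROFILES = {1: [1, 0, 2], 2: [0, 4, 1], 3: [2, 2, 2], 4: [5, 0, 0], 5: [0, 1, 1]}

def run_demo(k=2):
    m_row = {1: enc(TP_PK, 4), 3: enc(TP_PK, 5)}   # user i already rated items 1 and 3
    enc_u = [enc(TP_PK, x) for x in U_I]           # stands in for the MF output E_TP(u_i)
    tuples = predict_unrated(TP_PK, USER_PK, m_row, enc_u, ITEM_PROFILES)
    chosen = third_party_select(TP_SK, tuples, k)
    return [dec(USER_SK, c) for c in chosen]       # only the user learns the item IDs

if __name__ == "__main__":
    print(run_demo())
```

In this run the recommender handles only ciphertexts, the third party sees predicted rating values without item identities, and the user alone recovers which items were recommended.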
It should be appreciated by those skilled in the art that the methods described above may be implemented, for example, by a computing system such as a general purpose computer through computer-executable instructions (e.g., software, firmware, etc.) stored on a computer-readable medium (e.g., storage disk, memory, etc.) and executed by a computer processor. Referring to FIG. 2, for example, software implementing one or more methods shown in the flowcharts could be stored in storage device 212 and executed by controller 214. It should be understood that various elements shown in the figures may be implemented in various forms of hardware, software or combinations thereof. That is, various elements may be implemented in a combination of hardware and software on one or more appropriately programmed general-purpose devices, which may include a processor, memory and input/output interfaces.
It should also be appreciated that although various examples of various embodiments have been shown and described in detail herein, those skilled in the art can readily devise other varied embodiments that still remain within the scope of this disclosure.
All examples and conditional language recited herein are intended for instructional purposes to aid the reader in understanding the principles of the disclosure and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions.
Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosure, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
Thus, for example, it will be appreciated by those skilled in the art that the block diagrams presented herein represent conceptual views of illustrative circuitry embodying the principles of the disclosure. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudocode, and the like represent various processes which may be substantially represented in computer readable media and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Moreover, explicit use of the term "processor" or "controller" should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor ("DSP") hardware, read only memory ("ROM") for storing software, random access memory ("RAM"), and nonvolatile storage.
Other hardware, conventional and/or custom, may also be included. Similarly, any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the implementer as more specifically understood from the context.
In the claims hereof, any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a combination of circuit elements that performs that function, software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function, etc. The disclosure as defined by such claims resides in the fact that the functionalities provided by the various recited means are combined and brought together in the manner which the claims call for. It is thus regarded that any means that can provide those functionalities are equivalent to those shown herein.

Claims

1. A computing system (200) comprising:
one or more processors (214); and
a memory (220) storing instructions executable by the one or more processors (214) to cause the computing system to obtain a user rating for a content item, to obtain a content item identification of the content item, to encrypt the user rating with encryption that allows a third party to decrypt the user rating, but does not allow a recommender to decrypt the user rating, and to send the encrypted user rating and the corresponding content item identification to the recommender.
2. The computing system of claim 1, wherein the instructions further cause the computing system to receive a communication that is encrypted with encryption that allows the computer system to decrypt, and to decrypt the communication to obtain recommendation information based on the user rating.
3. A non-transitory computer-readable medium (212) storing computer-executable instructions executable to perform a method comprising:
obtaining a user rating for a content item;
obtaining a content item identification of the content item;
encrypting the user rating with encryption that allows a third party to decrypt the user rating, but does not allow a recommender to decrypt the user rating; and
sending the encrypted user rating and the corresponding content item identification to the recommender.
4. The non-transitory computer-readable medium of claim 3, the method further comprising:
receiving a communication that is encrypted with encryption that allows the computer system to decrypt; and
decrypting the communication to obtain recommendation information based on the user rating.
5. A method for preserving privacy of user ratings of content items in a recommendation system, the method comprising:
obtaining a user rating for a content item;
obtaining a content item identification of the content item;
encrypting the user rating with encryption that allows a third party to decrypt the user rating, but does not allow a recommender to decrypt the user rating; and
sending the encrypted user rating and the corresponding content item identification to the recommender.
6. The method of claim 5, further comprising:
receiving a communication that is encrypted with encryption that allows the computer system to decrypt; and
decrypting the communication to obtain recommendation information based on the user rating.
7. A computing system (200) comprising:
one or more processors (214); and
a memory (220) storing instructions executable by the one or more processors (214) to cause the computing system to obtain encrypted rating information from a user, the encrypted rating information being encrypted with encryption that allows a third party to decrypt the user rating, but does not allow a recommender to decrypt the rating information, to determine to provide a recommendation, to determine encrypted predicted ratings based on the encrypted rating information, and to send the encrypted predicted ratings and corresponding content item identifications to a third party, wherein the content item identifications are encrypted with encryption that the third party cannot decrypt, but that the user can decrypt.
8. The computing system of claim 7, wherein the instructions further cause the computing system to encrypt user-encrypted content item identifications with a private key of the recommender.
9. The computing system of claim 7, wherein determining the third party-encrypted predicted ratings includes multiplying a third party-encrypted user profile with a third party-encrypted content item profile.
10. The computing system of claim 7, wherein the instructions further cause the computing system to index the third party-encrypted user ratings based on the corresponding content item identification, and store the third party-encrypted user ratings based on the indexing.
11. The computing system of claim 7, wherein storing the third party-encrypted user rating includes storing the third party-encrypted user rating in a matrix.
12. A non-transitory computer-readable medium (212) storing computer-executable instructions executable to perform a method comprising:
obtaining encrypted rating information from a user, the encrypted rating information being encrypted with encryption that allows a third party to decrypt the user rating, but does not allow a recommender to decrypt the rating information;
determining to provide a recommendation;
determining encrypted predicted ratings based on the encrypted rating information; and
sending the encrypted predicted ratings and corresponding content item identifications to a third party, wherein the content item identifications are encrypted with encryption that the third party cannot decrypt, but that the user can decrypt.
13. The non-transitory computer-readable medium of claim 12, wherein the method further comprises:
encrypting user-encrypted content item identifications with a private key of the recommender.
14. The non-transitory computer-readable medium of claim 12, wherein determining the third party-encrypted predicted ratings includes multiplying a third party-encrypted user profile with a third party-encrypted content item profile.
15. The non-transitory computer-readable medium of claim 12, wherein the method further comprises:
indexing the third party-encrypted user ratings based on the corresponding content item identification; and
storing the third party-encrypted user ratings based on the indexing.
16. The non-transitory computer-readable medium of claim 12, wherein storing the third party-encrypted user rating includes storing the third party-encrypted user rating in a matrix.
17. A method for preserving privacy of user ratings of content items in a recommendation system, the method comprising:
obtaining encrypted rating information from a user, the encrypted rating information being encrypted with encryption that allows a third party to decrypt the user rating, but does not allow a recommender to decrypt the rating information;
determining to provide a recommendation;
determining encrypted predicted ratings based on the encrypted rating information; and
sending the encrypted predicted ratings and corresponding content item identifications to a third party, wherein the content item identifications are encrypted with encryption that the third party cannot decrypt, but that the user can decrypt.
18. The method of claim 17, wherein the method further comprises:
encrypting user-encrypted content item identifications with a private key of the recommender.
19. The method of claim 17, wherein determining the third party-encrypted predicted ratings includes multiplying a third party-encrypted user profile with a third party-encrypted content item profile.
20. The method of claim 17, wherein the method further comprises:
indexing the third party-encrypted user ratings based on the corresponding content item identification; and
storing the third party-encrypted user ratings based on the indexing.
21. The method of claim 17, wherein storing the third party-encrypted user rating includes storing the third party-encrypted user rating in a matrix.
22. A computing system (200) comprising:
one or more processors (214); and
a memory (220) storing instructions executable by the one or more processors (214) to cause the computing system to obtain third party-encrypted predicted ratings and corresponding user-encrypted content item identifications, to decrypt the predicted ratings, and to select content item identifications corresponding to a subset of the decrypted predicted ratings.
23. The computing system of claim 22, wherein the third party-encrypted predicted ratings are further encrypted with encryption of a recommender, and the instructions further cause the computing system to send the selected content item identifications to the recommender.
24. The computing system of 22, wherein the instructions further cause the computing system to send the selected content item identifications to a user corresponding to the user encryption used for the user-encrypted content item identifications.
25. A non-transitory computer-readable medium (212) storing computer-executable instructions executable to perform a method comprising:
obtaining third party-encrypted predicted ratings and corresponding user-encrypted content item identifications;
decrypting the predicted ratings; and
selecting content item identifications corresponding to a subset of the decrypted predicted ratings.
26. The non-transitory computer-readable medium of claim 25, wherein the third party-encrypted predicted ratings are further encrypted with encryption of a recommender, and the method further comprises:
sending the selected content item identifications to the recommender.
27. The non-transitory computer-readable medium of 25, the method further comprising:
sending the selected content item identifications to a user corresponding to the user encryption used for the user-encrypted content item identifications.
28. A method for preserving privacy of user ratings of content items in a recommendation system, the method comprising:
obtaining third party-encrypted predicted ratings and corresponding user-encrypted content item identifications;
decrypting the predicted ratings; and
selecting content item identifications corresponding to a subset of the decrypted predicted ratings.
29. The method of claim 28, wherein the third party-encrypted predicted ratings are further encrypted with encryption of a recommender, the method further comprising:
sending the selected content item identifications to the recommender.
30. The method of 28, further comprising:
sending the selected content item identifications to a user corresponding to the user encryption used for the user-encrypted content item identifications.
PCT/US2015/035422 2014-06-11 2015-06-11 Method and system for privacy-preserving recommendations WO2015191919A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201462010867P 2014-06-11 2014-06-11
US62/010,867 2014-06-11

Publications (1)

Publication Number Publication Date
WO2015191919A1 true WO2015191919A1 (en) 2015-12-17

Family

ID=53496947

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/035422 WO2015191919A1 (en) 2014-06-11 2015-06-11 Method and system for privacy-preserving recommendations

Country Status (1)

Country Link
WO (1) WO2015191919A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016528A1 (en) * 2003-08-08 2007-01-18 Verhaegh Wilhelmus F J System for processing data and method thereof
US20140058882A1 (en) * 2012-08-27 2014-02-27 Opera Solutions, Llc Method and Apparatus for Ordering Recommendations According to a Mean/Variance Tradeoff

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"LECTURE NOTES IN COMPUTER SCIENCE", vol. 7731, 1 January 2013, SPRINGER BERLIN HEIDELBERG, Berlin, Heidelberg, ISBN: 978-3-54-045234-8, ISSN: 0302-9743, article SÉBASTIEN GAMBS ET AL: "SlopPy: Slope One with Privacy", pages: 104 - 117, XP055209622, DOI: 10.1007/978-3-642-35890-6_8 *
ANIRBAN BASU ET AL: "Efficient Privacy-Preserving Collaborative Filtering Based on the Weighted Slope One Predictor *", JOURNAL OF INTERNET SERVICES AND INFORMATION SECURITY (JISIS), 31 December 2011 (2011-12-31), pages 26 - 46, XP055209645, Retrieved from the Internet <URL:http://isyou.info/jisis/vol1/no4/jisis-2011-vol1-no4-02.pdf> [retrieved on 20150826] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15733021

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15733021

Country of ref document: EP

Kind code of ref document: A1