Privacypreserving Crowdguided AI Decisionmaking
in Ethical Dilemmas
Abstract.
With the rapid development of artificial intelligence (AI), ethical issues surrounding AI have attracted increasing attention. In particular, autonomous vehicles may face moral dilemmas in accident scenarios, such as staying the course resulting in hurting pedestrians or swerving leading to hurting passengers. To investigate such ethical dilemmas, recent studies have adopted preference aggregation, in which each voter expresses her/his preferences over decisions for the possible ethical dilemma scenarios, and a centralized system aggregates these preferences to obtain the winning decision. Although a useful methodology for building ethical AI systems, such an approach can potentially violate the privacy of voters since moral preferences are sensitive information and their disclosure can be exploited by malicious parties resulting in negative consequences. In this paper, we report a firstofitskind privacypreserving crowdguided AI decisionmaking approach in ethical dilemmas. We adopt the formal and popular notion of differential privacy to quantify privacy, and consider four granularities of privacy protection by taking voter/recordlevel privacy protection and centralized/distributed perturbation into account, resulting in four approaches VLCP, RLCP, VLDP, and RLDP, respectively. Moreover, we propose different algorithms to achieve these privacy protection granularities, while retaining the accuracy of the learned moral preference model. Specifically, VLCP and RLCP are implemented with the data aggregator setting a universal privacy parameter and perturbing the averaged moral preference to protect the privacy of voters’ data. VLDP and RLDP are implemented in such a way that each voter perturbs her/his local moral preference with a personalized privacy parameter. Extensive experiments based on both synthetic data and realworld data of voters’ moral decisions demonstrate that the proposed approaches achieve high accuracy of preference aggregation while protecting individual voter’s privacy.
1. Introduction
Artificial intelligence (AI) is becoming an integral part of our daily lives and critical infrastructures. With the widespread applications of AI, ethical issues surrounding AI have become an important sociotechnical challenge (Wallach and Allen, 2008; Awad et al., 2018). One of the fundamental questions in AI ethics is how to allow humans to guide AI to make moral decisions when faced with ethical dilemmas. An ethical dilemma is a situation in which any decision violates certain aspects of ethics (Yu et al., 2018). The following is a concrete example of an ethical dilemma that autonomous vehicles encounter (Greene, 2016). A selfdriving car has a sudden mechanical failure and cannot brake in time. If the car were to continue its current trajectory, it would kill pedestrians but the passenger would be safe. Alternatively, if it were to swerve into a wall, the pedestrians would be safe but the passenger would be killed. In such a situation, an ethical dilemma arises when the AI must choose between the two alternatives. This is just one example of many ethical dilemmas AI technologies face (Shariff et al., 2017). To enable AI to deal with such situations, it is useful to aggregate opinions from the human society.
To explore moral dilemmas faced by autonomous vehicles, Bonnefon et al. (2016) surveyed via Amazon Mechanical Turk whether people prefer to save many versus few lives, or the vehicle’s passengers versus pedestrians. Their findings suggest that participants prefer others to buy autonomous vehicles which sacrifice their passengers for the greater good, but prefer for themselves to ride in autonomous vehicles which protect passengers at all costs.
In a study similar to (Bonnefon et al., 2016), Awad et al. (2018) also gathered data about voters’ decisions in scenarios where autonomous vehicles face ethical dilemmas, but at a much larger scale and with each voter’s data containing more dimensions. Specifically, they built an online experimental platform named the Moral Machine (Mor, [n. d.]), which collected 39.61 million decisions in ten languages from 4 million people in 233 countries and territories. The data collected from each voter are highdimensional, which include preferences of saving many versus few lives, passengers versus pedestrians, the young versus the elderly, humans versus pets, and pedestrians who cross legally versus pedestrians who jaywalk, etc. With such a high volume of crowdsourced data, Awad et al. (2018) summarized global and regional moral preferences as well as crosscultural ethical variations.
Using the data collected from the Moral Machine, Noothigattu et al. (2018) built a global moral preference model so as to guide automated ethical decisionmaking. Specifically, each voter’s data are analyzed to infer her/his parameter of moral preference, and the moral preference of the society is obtained by averaging voters’ parameters. Each voter’s data consist of a number of records, with each record being the voter’s preference in a given ethical dilemma scenario. In each scenario, no matter how the autonomous vehicle decides to act, some undesirable outcome will happen. A voter’s preference in each scenario means that the voter prefers a decision made by the autonomous vehicle (e.g., staying the course and killing the crossing pedestrians) over the other alternative (e.g., swerving and killing the passengers).
As discussed above, existing studies on AI ethics (e.g., (Bonnefon et al., 2016; Awad et al., 2018; Noothigattu et al., 2018)) directly analyze voters’ data of moral decisions. However, such approaches may violate the privacy of voters. Since moral preferences are sensitive information and their disclosure may be exploited by malicious parties to produce negative consequences. One may wonder how the learned and aggregated moral preference model for the society can leak a voter’s sensitive choices about the moral dilemmas. A recent work (Fredrikson et al., 2015) has shown that an adversary can successfully use a learned deep neural network model to infer users’ sensitive facial information in the training dataset. Specifically, for an attacker which obtains the learned face recognition model, although it is difficult to infer all users’ faces, the attacker may recover an image which is close to one user’s face, resulting in a privacy breach of the particular user in the training dataset (Fredrikson et al., 2015).
In this paper, to prevent the learned preference model of the society from leaking individual voter’s sensitive information, we propose a differential privacy (DP)based secure preference aggregation model to enable crowdsourced opinions to guide AI decisionmaking in ethical dilemmas without exposing sensitive privacy information. We adopt the formal notion of DP (Dwork and Roth, 2014; Dwork et al., 2006a) to quantify privacy. Intuitively, by incorporating some noise, the output of an algorithm under DP will not change significantly due to the presence or absence of one voter’s information in the dataset.
Contributions. With the proposed approach, we make the following contributions in this paper.

We quantify four granularities of privacy protection by combing voter/recordlevel privacy protection and centralized/distributed perturbation, which are denoted by VLCP, RLCP, VLDP, and RLDP. We further propose different algorithms to achieve them. Specifically, to achieve VLCP and RLCP, the aggregator adds Laplace noise to the average preference parameter of all voters. VLDP and RLDP are achieved by having each voter adding Laplace noise to her/his local moral preference parameter with a personalized privacy parameter. Moreover, we also propose to achieve RLDP by perturbing the objective function when learning each voter’s preference parameters, which achieves higher accuracy than the addition of Laplace noise.

We conduct extensive experiments on both synthetic datasets and a realworld dataset extracted from the Moral Machine. The results demonstrate that our algorithms can achieve high accuracy while ensuring strong privacy protection.
To the best of our knowledge, this is the first research on privacy issues in studies of humanguided ethical AI decisionmaking. More specifically, we proposed privacypreserving mechanisms to address voters’ privacy in computing a society’s moral preference.
Organization. The remainder of the paper is organized as follows. Section 2 reviews the related studies of AI ethics and privacy protection. In Section 3, we discuss the preliminaries of differential privacy and formalize the research problem. Section 4 presents the proposed privacypreserving crowdguided ethical AI decisionmaking algorithms. In Section 5, we conduct extensive experiments to evaluate the effectiveness of our algorithms. Section 6 provides discussions and future directions. Section 7 concludes the paper.
2. Related Work
The widespread adoption of AI has made it pertinent to address the ethical issues surrounding this technology.
Greene et al. (2016) advocated solving AI ethical issues via preference aggregation, in which each voter expresses her/his preferences over the possible decisions, and a centralized system aggregates these preferences to obtain the winning decision. Conitzer et al. (2017) discussed the idea of collecting a labeled dataset of moral dilemmas represented as lists of feature values, and then leveraging machine learning techniques to learn to classify actions as morally right or wrong. However, no actual data collection or analysis was presented. Using a largescale dataset of voters’ ethical decisions collected by the Moral Machine (2018), Noothigattu et al. (2018) built a moral preference model for each voter and averaged these models to obtain the moral preference of the whole society. Hammond and Belle (2018) utilized tractable probabilistic learning to induce models of moral scenarios and blameworthiness automatically from datasets of human decisionmaking, and computed judgments tractably from the obtained models. Zhang and Conitzer (2019) showed that many classical results from Probably Approximately Correct (PAC) learning can be applied to the preference aggregation framework. For a comprehensive study of more related work on AI ethics, interested readers can refer to a recent survey by Yu et al. (2018).
The above studies significantly contributed to the emerging area of AI ethics, but unfortunately, none of them is designed to protect voters’ privacy in the data analysis process. Moral preferences of voters are sensitive information and should be well protected, since their disclosure can be exploited by malicious entities to have adverse consequences. A recent work (Fredrikson et al., 2015) has shown that even a learned deep neural network can leak sensitive information in the training dataset. Hence, it is critical to incorporate formal privacy protection into models for AI ethics guided by humans.
To quantify privacy, we use the rigorous notion of differential privacy (DP) (Dwork and Roth, 2014). Recently, differential privacy has been widely studied in many areas (Abadi et al., 2016). For general statistical data release problems, DP can be achieved by the Laplace mechanism (Dwork et al., 2006b) which injects Laplace noise into the released statistical results. Furthermore, for parameter estimation solved by an optimization problem, an alternative algorithm to achieve DP is the functional mechanism proposed by (Zhang et al., 2012), which perturbs the objective function of the optimization problem rather than the optimized parameters.
As a representative example, this paper adds voter privacy protection into the learned moral preference model of Noothigattu et al. (2018). Incorporating privacy protection into other studies are future directions. Although Jones et al. (2018) and Brubaker (2018) emphasized the importance of security and privacy protection in AI ethics, to the best of our knowledge, our paper is the first technical work to formally build privacy protection into the study of AI ethics.
3. Preliminaries
Differential privacy (DP) (Dwork et al., 2006a; Dwork and Roth, 2014) provides strong guarantees for the privacy of any individual in a query response, regardless of the adversary’s prior knowledge.
Definition 1 (Differential Privacy (DP) (Dwork and Roth, 2014; Dwork et al., 2006a)).
A randomized algorithm satisfies differential privacy, if for any two neighboring datasets and which differ in only one tuple, and for any possible subset of outputs of , we have
(1) 
where is the probability of an event. refers to the privacy parameter. Smaller means stronger privacy protection, but less utility as more randomness is introduced into .
There are two variants of DP: bounded DP and unbounded DP (Tramèr et al., 2015). In bounded DP, which we adopt in this paper, two neighboring datasets have the same sizes but different records at only one of all positions. In unbounded DP, the sizes of two neighboring datasets differ by one (i.e., one tuple is in one database, but not in the other).
The Laplace Mechanism (Dwork et al., 2006b) can be used to achieve DP by adding independent Laplace noise to each dimension of the query output. The scale of the zeromean Laplace noise is set as , where is the norm sensitivity of the query function , which measures the maximum change of the outputs over neighboring datasets (i.e. ).
Problem Formulation. In our system model, each voter owns a dataset of pairwise comparisons (i.e., records), denoted by }. and are pairwise alternatives capturing moral dilemmas in a scenario (e.g., means staying the course resulting in killing crossing pedestrians, while means swerving leading to killing passengers). Any pair for means that voter chose over . Each or is a dimensional vector such that and for denote the th dimensional value of and , respectively. The dimension of a scenario represents its features (e.g., the number of young passengers, the number of old pedestrians, the number of pets, etc).
Noothigattu et al. (2018) adopted the Thurstone–Mosteller process (Mosteller, 2006), which models the utility as a Gaussian random variable. Let be the preference parameter of voter , where denotes the set of real numbers. It is assumed (Mosteller, 2006) that the utilities of alternatives and follow Gaussian distributions and , respectively. Thus, the result of the utility by choosing minus the utility by choosing follows a Gaussian distribution , so that
, where is the cumulative distribution function of the standard normal distribution (i.e. ). Then, the maximum likelihood estimation (MLE) method is used to learn the parameter for each voter . In particular, the loglikelihood function is defined as follows:
(2) 
Based on Eq. (2), MLE is used to estimate the of each voter (Noothigattu et al., 2018). However, the optimal parameter to maximize Eq. (2) may not always exist. For example, given , if is positive for each , suppose there exists to maximize Eq. (2), then each dimension of is positive. However, a contraction occurs with . Hence, in the case of positive for all , no exists to maximize Eq. (2). In order to ensure that (i) the optimal parameter can always be found, and (ii) bounded sensitivity that will be used in the Laplace mechanism for achieving differential privacy, we introduce a constraint that each voter’s parameter has an norm at most . Specifically, we define user ’s parameter by
(3) 
After learning the parameters for all voters, the preference parameter for the whole society is computed by averaging all voters’ preference parameters (i.e. , for denoting the whole dataset of voters). Therefore, the purpose of this paper is to design privacypreserving algorithms to guarantee voter privacy while learning a society’s preference parameter with high accuracy.
4. Our Solutions
This section first introduces four privacy protection paradigms and then presents our algorithms to achieve these paradigms.
4.1. Privacy Modeling
Our paper incorporates privacy protection into preference aggregation of Noothigattu et al. (2018). In this setting, each voter’s data consist of a number of records, with each record being the voter’s preference in a given scenario. In each scenario, no matter how the autonomous vehicle decides to act, someone will get hurt. A voter’s preference in each scenario means that the voter prefers a decision made by the autonomous vehicle (e.g., staying the course and killing crossing pedestrians) over the other alternative (e.g., swerving and killing passengers).
Based on the above observations, in our study of privacy protection for crowdsourced data collection in AI ethics, we will consider two variants for the meaning of neighboring datasets: 1) recordneighboring and 2) voterneighboring datasets, which allow us to achieve voterlevel privacy protection and recordlevel privacy protection, respectively:

Voterlevel privacy protection. Two datasets are voterneighboring datasets if one can be obtained from the other by changing one voter’s records arbitrarily.

Recordlevel privacy protection. Two datasets are recordneighboring if one can be obtained from the other by changing a single record of one voter.
For completeness, we also consider the case of a trusted aggregator and the case of an untrusted aggregator, where privacy is achieved with centralized perturbation and distributed perturbation, respectively:

Centralized perturbation. When the aggregator is trusted by the voters, the aggregator perturbs the aggregated information (e.g., by adding noise) in a centralized manner to protect privacy. We refer to this as centralized perturbation.

Distributed perturbation. When the aggregator is not trusted by the voters, each voter independently perturbs her/his local data (e.g., by adding noise) in a distributed manner for privacy protection. We refer to this as distributed perturbation.
Permutating centralized/distributed perturbation and voterlevel/
recordlevel privacy protection yields four alternative privacy protection paradigms:
(1) voterlevel privacy protection with centralized perturbation (VLCP); (2) recordlevel privacy protection with centralized perturbation (RLCP); (3) voterlevel privacy protection with distributed perturbation (VLDP); (4) recordlevel privacy protection with distributed perturbation (RLDP).

VLCP: For differential privacy with VLCP, the aggregator chooses a universal privacy parameter and enforces a randomization algorithm such that for any two voterneighboring datasets and , and for any possible subset of outputs of , we have .

RLCP: For differential privacy with RLCP, the aggregator chooses a universal privacy parameter and enforces a randomization algorithm such that for any two recordneighboring datasets and , and for any possible subset of outputs of , we have .

VLDP: For differential privacy with VLDP, voter chooses a privacy parameter and enforces a randomization algorithm such that for any two datasets and (which are naturally voterneighboring), and for any possible subset of outputs of , we have . Note that VLDP is the same as the notion of local differential privacy (Duchi et al., 2013) which has recently received much interest (Wang et al., 2019; Tang et al., 2017; Erlingsson et al., 2014).

RLDP: For differential privacy with VLDP, voter chooses a privacy parameter and enforces a randomization algorithm such that for any two recordneighboring datasets and , and for any possible subset of outputs of , we have .
In what follows, we further disambiguate the above four privacy protection paradigms, and outline how each of them can be realized.
First, VLCP can be achieved with the data aggregator setting a universal privacy parameter and perturbing the averaged moral preference by adding Laplace noise to protect the privacy of each voter’s complete data. Second, RLCP can be achieved in the same way as VLCP when using Laplace mechanism. This is because the sensitivity of the averaged parameter under RLCP is the same as that under VLCP, which will be proved in Theorem 1. Third, VLDP is a strong privacy protection paradigm and can be achieved by perturbing each voter’s moral preference by adding Laplace noise to protect each record in the dataset. Each voter can choose a personalized privacy parameter to perturb her/his moral preference accordingly, and report the noisy moral preference to the aggregator. Finally, RLDP can be achieved by the same way as VLDP when using Laplace mechanism. The reason is that the sensitivity of each voter’s parameter under RLDP is the same as that under VLDP, which will be proved in Theorem 3.
However, achieving RLDP by adding Laplace noise directly leads to limited utility even for weak privacy protection, as illustrated in our experiments in Section 5. Therefore, to pursuing better utility, we propose to adopt the functional mechanism (Zhang et al., 2012), which enforces differential privacy by perturbing the object function of the optimization problem, rather than the optimized parameters (i.e., each voter’s moral preference). Note that we can’t adopt the functional mechanism to estimate the social preference parameter under voterlevel privacy protection or centralized perturbation. This is because the social preference parameter is derived by averaging the preference parameters of all voters instead of the solution of the optimization problem. The functional mechanism itself is used for analyzing and solving the optimization problem.
Thus, we will consider the above four privacy protection paradigms to achieve differential privacy for ethical decision making of AI and will propose three algorithms which cover the above four paradigms. Specifically, the three algorithms are outlined as follows.

VLCP/RLCP algorithm via perturbing the average moral preference parameters of all voters by Laplace mechanism.

VLDP/RLDP algorithm via perturbing the moral preference parameters of each voter by Laplace mechanism.

RLDP algorithm via perturbing the object function of each voter.
In the following subsections, we will introduce the proposed algorithms in detail.
4.2. VLCP/RLCP: Perturbing the Average Moral Preference Parameters
In this section, we propose an algorithm to achieve VLCP and RLCP by perturbing the average moral preference parameters estimated from maximum likelihood estimation. Each voter obtains its parameter according to Eq. (3), which enforces the norm of to be at most . Then each voter sends it to the aggregator, and the aggregator computes the average estimate , for . The  sensitivity of with respect to neighboring datasets equals , since the maximal range that can change is no greater than by the triangle inequality (see Theorem 1 for specific proofs). As shown in Algorithm 1, after computing the average parameters of all voters, a random noise vector will be drawn from the Laplace distribution . Then, the perturbed preference parameter is returned as the final social moral preference parameter. Note that we may suppress the argument in and the argument in for simplicity.
Theorem 1 (Privacy of Algorithm 1).
Algorithm 1 satisfies differential privacy for both VLCP and RLCP.
Proof.
First, we prove that the sensitivities and with respect to voterneighboring datasets and recordneighboring datasets are both under centralized perturbation, where
(4)  
(5) 
Let and be recordneighboring datasets such that and differ in only a single voter ’s one record, i.e., and . We assume }, where each dimension of is , and each dimension of for is close to , and }, where each dimension of is , and each dimension of for is close to . Therefore, based on Eq. (3), we know that each of the dimensions of and are close to and , respectively. Given and , the norm difference between and equals , which can be made to be arbitrarily close to . Hence, the norm sensitivity of with respect to recordneighboring datasets is .
In a way similar to the above argument, the norm sensitivity of with respect to voterneighboring datasets is . For voterneighboring datasets and , voter ’s dataset variants and can differ arbitrarily.
We now analyze the utility of Algorithm 1. At the end of Algorithm 1, the aggregator obtains the parameter vector of moral preference , which can be understood as a noisy version of the true result . We consider the utility of Algorithm 1 by analyzing the probability that the norm of the estimation error is no greater than a given quantity . To this end, we note that follows a dimensional multivariate Laplace distribution, with each dimension being an independent zeromean Laplace random variable with scale . With denoting the probability density function of random variable being a given , the expression of involves Bessel function. Hence, for general norm, it is difficult to compute . Below we consider the special case of norm following (Dwork and Roth, 2014), where we use the union bound to present the utility result of Algorithm 1 in the following Theorem 2.
Proof.
With , we know that follows the probability distribution . Then denoting the dimensions of by , we have
where the step of “” uses the union bound. ∎
Theorem 2 shows that the utility of Algorithm 1 decreases as increases. This is confirmed by Figure 5 for experimental results.
From Theorem 1, both VLCP and RLCP assume a universal privacy parameter for all voters; i.e., the same privacy protection level for all voters. In the following, we focus on proposing algorithms with distributed perturbation so that voters can choose personalized privacy parameters to achieve different privacy protection levels.
4.3. VLDP/RLDP: Perturbing the Moral Preference Parameter of Each Voter
This section introduces an algorithm to achieve VLDP and RLDP by perturbing the moral preference parameter of each voter under Laplace mechanism. Algorithm 2 shows the pseudocode of perturbing the preference parameter of each voter with a personalized privacy parameter . Each voter obtains its parameter according to Eq. (3), which enforces the norm of to be at most . Then, the sensitivity of each voter’s parameter will since the maximal changing range of is no greater than with respect to neighboring datasets (see Theorem 3 for the specific proofs). Then, the parameter of voter will be perturbed as , where is a random Laplace noise vector drawn from .
After obtaining the noisy parameter of each voter in a distributed way, the final social moral preference parameter can be computed by averaging all voters’ parameters, that is for . Note that we may suppress the argument in and the argument in for simplicity.
Theorem 3 (Privacy of Algorithm 2).
For each voter , Algorithm 2 satisfies differential privacy for both VLDP and RLDP.
Proof.
First, we prove that for voter , the sensitivities and with respect to voterneighboring and recordneighboring datasets are both under distributed perturbation, where
(6)  
(7) 
For voter , let and be two recordneighboring datasets. Specifically, for }, where each dimension of is , and each dimension of for is close to , we know from Eq. (3) that each of the dimensions of is close to . For }, where each dimension of is , and each dimension of for is close to , we know from Eq. (3) that each of the dimensions of is close to . Hence, the norm difference between and can be made to be arbitrarily close to . Hence, for voter , the norm sensitivity of with respect to recordneighboring datasets is .
In a way similar to the above argument, the norm sensitivity of with respect to voterneighboring datasets is . Note that voter ’s voterneighboring datasets and can differ arbitrarily.
Proof.
Our experiments in Section 5 will show that achieving VLDP/RLDP by adding Laplace noise to each voter’s parameter will lead to a limited utility. Recall that VLDP (voterlevel privacy protection with distributed perturbation) itself is the strongest notion among four paradigms focused in this paper. Thus, it accordingly has the worst data utility. Clearly, we can know that the definition of RLDP is relatively weaker than VLDP. However, RLDP holds the same low data utility as the VLDP when using Laplace mechanism. Therefore, in the next section, we focus on proposing a novel algorithm which can achieve RLDP while ensuring a higher data utility.
4.4. RLDP: Perturbing the Object Function of Each Voter
To further enhance the data utility, an alternative approach is to perturb the objective function of each voter when conducting MLE optimization. This is the functional mechanism of (Zhang et al., 2012). For comparison, we will show in Section 5 (Figures 4 and 8(d)) that the functional mechanism can provide better utility than adding Laplace noise directly for recordlevel differential privacy.
In view of Eq. (2), we define . We split the loglikelihood function for voter as
(8) 
Later, we will focus on one arbitrary voter , and omit the notation in the analysis for simplicity. Since the final parameter is just the average of each , we can process each one by one. We then split the objective function (8) for each record as
(9) 
Therefore, the optimal model parameter for each voter is:
(10) 
We denote a dimensional vector by . By the StoneWeierstrass Theorem (Rudin, 1964), any continuous and differentiable can always be written as a (potentially infinite) polynomial of . For some , we have
(11) 
where is the coefficient of in the polynomial. denotes the product of for some (the set of nonnegative integers). contains the set of all products of with degree , that is
.
Thus, we will express the objective function (9) for each user and each record as a polynomial like Eq. (11). Let and be two functions defined as follows:
(12) 
Then we have .
Using the Taylor expansion at , we write as below:
(13) 
Then we adopt an approximation approach to reduce the degree of the summation. In particular, we only use the value of for , where denotes the order derivative. Specifically, we can compute . From , we get . From , we have . Thus, we approximate by
(14) 
For each , , we preprocess the data to make and . Then by triangle inequality. For simplicity, we suppress both and , and write to mean . Given , we have by CauchySchwarz inequality, where denotes the th dimension of the vector . Thus, from Lemma 1 in (Zhang et al., 2012) and Eq. (14), we can compute the sensitivity of the coefficient vector for in Eq. (13) with respect to recordneighboring datasets as
After computing the sensitivity’s upper bound as above, we inject Laplace noise with scale to the coefficients of the objective function and then solve the noisy objective function to estimate the moral parameters of each voter . Algorithm 3 shows the pseudocode of our algorithm. From the above analysis, we have a Theorem 5 which follows the above analysis.
5. Experimental Evaluation
This section implements our proposed algorithms and evaluates their performance on synthetic datasets and a realworld dataset extracted from the Moral Machine, respectively.
(a) Algorithm 1  (b) Algorithm 3 
5.1. Synthetic Data
We first present the experimental results on synthetic data. Denote the true parameter of each voter as which is sampled from Gaussian distribution , where each mean for is independently sampled from the uniform distribution , and is the identity matrix with being the dimension size (i.e., the number of features). By default, we set when not specified. For each voter , we generate its pairwise comparison via the following two steps (by default when not specified). First, we sample two alternatives and independently from the Gaussian distribution . Second, we sample their utilities and based on the Gaussian distribution and , respectively. To evaluate the performance of our algorithms, we compute the accuracy which is defined as the fraction of test instances on which the true and noisy parameters give the same exact outcome. Besides, the parameter is set as in the following experiments.
The results in Figures 2, 2 and 4 show high accuracies of our Algorithms 1, Algorithms 2 and 3 on the synthetic dataset with the privacy parameter varying from 0.01 to 10; specifically, we consider . Note that we here use the same privacy parameter for all voters and will analyse the personalized privacy parameter specifically in the following. As shown in all figures, a smaller (i.e., higher privacy protection level) will lead to a lower accuracy.
Moreover, Figures 2, 2 and 4 (all with ) show that for three Algorithms 1, 2 and 3, a larger number of voters (i.e., ) or a larger number of records (i.e., ) leads to better accuracy. This is because our output is the average of each voter. Then with more voters, each one is relatively less sensitive. Therefore, it can achieve better accuracy (less noise) while keeping the same privacy.
We also compare the accuracies of three Algorithms 1, 2 and 3. As shown in Figure 4, Algorithms 1 outperforms the other two algorithms. Also, both Algorithms 1 and 3 have much better accuracy than Algorithm 2. This is because Algorithm 2 realizes distributed privacy protection by adding Laplace noise, which ensures strong privacy guarantees, thus leading a relatively low data utility. In contrast, Algorithm 3 also achieves distributed privacy protection by perturbing the objective function instead of parameters directly, which improves the data utility greatly. Therefore, Figure 4 illustrates the superiority of functional mechanism over Laplace for recordlevel privacy protection with distributed perturbation.
Impact of the dimension . Figure 5 shows the comparisons of the impact of parameter on the accuracy of the Algorithms 1 and 3. Due to the space limitation, we no longer present the result of Algorithm 2 here since it has limited data utility as shown in Figure 4. It can be seen from Figure 5 that the accuracy of both Algorithms 1 and 3 will be decreased with the increase of dimension . For Algorithm 1, the larger means more information to be protected so the accuracy will be reduced. For Algorithm 3, the sensitivity will increase with the increase of , thus leading to the reduction of the accuracy when becomes larger.
Impact of the personalized privacy parameters. We also implement personalized privacy parameter choices for RLDP (i.e., Algorithm 3) and conduct extensive experiments to show the impact of the personalized privacy parameter on accuracies. Although Algorithm 2 can also achieve personalized privacy protection, we no longer present the result of Algorithm 2 here since it has limited data utility and due to the space limitation.
We set personalized privacy parameter specifications based on the findings from studies in (Jorgensen et al., 2015; Acquisti and Grossklags, 2005). The voters are randomly divided into three groups: (i) conservative, (ii) moderate, and (iii) liberal, representing voters with high/medium/low privacy concern, respectively. The fraction of voters in three groups are , , and , where . We set default values as , , and , which are chosen based on the findings reported in (Acquisti and Grossklags, 2005). The privacy parameters of voters who belong to conservative or moderate groups are chosen uniformly at random from or correspondingly (and rounding to the nearest hundredth), where ,