Protecting suppliers' private information: the case of stock levels and the impact of correlated items
Abstract
A marketplace is defined where the private data of suppliers (e.g., prosumers) are protected, so that neither their identity nor their level of stock is made known to end customers, while they can sell their products at a reduced price. A broker acts as an intermediary, which takes care of providing the items missing to meet the customers’ demand and allows end customers to take advantages of reduced prices through the subscription of option contracts. Formulas are provided for the option price under three different probability models for the availability of items. Option pricing allows the broker to partially transfer its risk on end customers.
Keywords:
privacy, statistical databases, supply chain1 Introduction
Though privacy has been defined as the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others [13], the right of individuals, rather than companies, to protect their personal data has so far been the focus of most privacy studies. This is especially true in the context of marketplaces, where consumers may release, deliberately or not, details about themselves and the items they purchase. Algorithms and platforms have been devised to enforce customers’ privacy requirements (see, e.g., [7, 6]), but little attention has been paid to the other side of trading, i.e., companies selling their products.
However, a company may wish to select the level of information it provides to its customers, but the widespread adoption of eshops divulges a lot of details about company’s operations, not just to prospective customers but to everyone accessing the ecommerce platform, including competitors. For example, companies may wish to keep their level of stock for a given product secret. The issue is even more delicate when traders are actually prosumers, who, acting as sellers, may reveal personal data; an example of such a context is that of smart grids [1]. Generally speaking, individuals acting as suppliers may wish not to be profiled and rather keep secret the products they happen to own. The definition of a marketplace where suppliers can sell their products while retaining privacy is then a relevant issue.
Such a definition has been proposed in [9], where the information to be protected is the identity of the sellers and their level of stock, and the role of a broker is envisaged. It was shown that such a marketplace may be set up with benefits for all the stakeholders (a broker/producer, privacyaware suppliers, and end customers) through the use of differential privacy mechanisms [4] and option contracts subscribed by end customers [10]. A general formula for option pricing has been derived in [10], where nothing at all is known about the actual availability of items by the suppliers.
In this paper, we embrace the marketplace definition provided in [9] and consider the case where the broker, though it doesn’t know the actual number of available items, may adopt a hypothesis concerning their probability distribution. In particular, we consider the cases where the stocks owned by suppliers exhibits either full or null correlation (i.e., respectively perfectly correlated stocks and independent suppliers) and a third case where a uniform distribution applies (representing a mild correlation). For each case we derive a formula for the option price. We show that the using such an option price allows the broker to transfer its risk to end customers.
The paper is organized as follows. In Section 2 we define the marketplace and the stakeholders, while the option contract between the broker and end customers is described in Section 3. In Section 4 we describe the three models for the availability of items, which are used to derive the option pricing formulas in Section 5.
2 A market for privacyaware suppliers
Let’s consider a database of suppliers where information can be obtained about the availability of a set of items, but suppliers are somewhat screened. Suppliers could be vendors whose typical line of business does not include those products or who wish to get rid of some remainders, or individuals (prosumers) who happen to have those products in their availability. For example, the database could contain the number of items available for sale at each supplier, so that the vertical sum across all suppliers included in the database would tell us the overall number of items available. Such a database, providing statistics about the entities included in it, is called a statistical database [12]. However, in a statistical database, releasing statistical information may compromise the privacy of individual contributors. But suppliers may wish not to divulge those information; for example they do not want competitors (who could access the database) to know their level of stock, or, as individuals, they do not wish to be profiled about the items they own. If suppliers wish to be screened, a curator may sit between the users, posing the query, and the database. The responses to these queries may be modified by the curator in order to protect the privacy of the contributors [3], for example so as not to tell us exactly either which supplier can provide us with those items or how many items in the set are available. Instead of providing the exact number, the database provides us with an obfuscated number, which is more or less close to the exact figure. A mechanism to achieve differential privacy is the use of noisy sums: the response to a counting query is the sum of the true figure and some noise [4]. The use of a statistical database plus the use of noisy sums may therefore protect the private information of suppliers.
When end customers demand for a number of items, the uncertainty surrounding the actual availability of those items doesn’t allow to close deals. In the presence of such privacy constraints, we postulate that a market can develop through the introduction of a broker/producer and the use of option contracts.
Let’s consider the case where end customers demand for items. A broker commits to provide them with the number of items required. In fact, the broker may procure those items either by producing them itself (at a unit production cost ) or by resorting to privacyaware suppliers, whose availability is known through the statistical database previously mentioned. As already said, privacyaware suppliers do not release full information about the availability of their products, but release instead an obfuscated number , which is generally different from the true number of items that they can provide (though the broker may obtain a refined estimate of the true number through Bayesian analysis [8]).
The privacy enjoyed by privacyaware suppliers is reflected in the price they advertise. Prices set by privacyaware suppliers depend on the level of obfuscation (i.e. privacy protection): the higher the level of obfuscation (embodied by the variance of the added noise), the lower the price. Assuming , the broker has a real advantage to procure as many items as it can through privacyaware suppliers at the reduced price , and transfer part of that benefit to end customers by setting a lower end price. If the availability of items is not enough to satisfy the demand (), the broker/producer produces the remaining items (but does not enjoy the full benefit of the reduced price).
In order to exploit the offer by privacyaware suppliers, the broker submits a query to the statistical database containing information about the availability of items and pays a fixed amount and receives the noisy response . It commits to buy all the items available, though they may exceed the actual demand . When the actual number of available items is disclosed (at delivery), it pays the privacyaware suppliers the overall amount . If the demand is fully met () the broker does not have to produce any item; otherwise, the broker has to produce items at the unit cost . The resulting supply chain is shown in Figure 1.
It is to be noted that both curator and the broker in the end know the exact number of items available by the suppliers, but they have (different) reasons to keep it private. In fact, the database curator does not have a direct contact with end customers and is not in the business of retailing. Instead, the broker’s business relies on the privacy of those data for its intermediary role. In addition, the roles of the curator and the broker may have to be kept separate due to regulatory constraints.
However, such a procedure is not free of risks for the broker/producer, which, on the one hand commits to provide its customers with the required items, but on the other hand is subject to the uncertainty determined by the unknown availability of items delivered by privacyaware suppliers, with the risks deriving from the commitments to buy all the items available and, if required, to produce the remaining ones at a higher cost.
The broker/producer has therefore to hedge against such risks. A way we suggest is to resort to option contracts, which are described in the next section.
3 Risk coverage through options
As seen in the previous section, the broker/producer undergoes a risk when resorting to privacyaware suppliers in order to meet customers’ demand at a reduced cost, a benefit which it transfers to end customers through a reduced price. It needs however to hedge against such a risk. In this section we describe a mechanism, based on option contracts, by which it can achieve such protection.
Since the stakeholders that ultimately benefit from resorting to privacyaware suppliers are end customers, the broker/producer may transfer some of that risk to them, asking them to pay a price to get the right to buy the desired number of items at a predetermined lower price (i.e., a booking fee). In the language of financial markets, this is a call option, since it endows the end customer with the right to buy [5]. End customers are then required to subscribe a call option to be sure to get the right number of items they wish at a reduced price.
A critical issue in option contract is setting the right price. In the typical scenario, the amount to be paid for the option contract is expected to depend on the current value of the items for sale, the predetermined price to be paid if the option is exercised, and the expected behaviour of the item’s value in the period from the option contract underwriting to the exercise time. A simple form of pricing is given by the BlackScholes formula [2], but a form tailored for the context is to be derived here.
The general expression for the option price is
(1) 
which considers the risk due to the extracost of buying the excess items provided by privacyaware suppliers. In [10], the risk of having to buy the items exceeding the demand has been analysed, and the following pricing formula has been derived for the case where Laplacian noise is added to form the noisy sum [11]:
(2) 
where is the shape parameter of the Laplace distribution: the smaller , the greater the differential privacy. In that formula, the declared value was considered as the best estimate of the actual availability.
However, if we have some a priori information about the actual availability, we can gain a better estimate for it and obtain a more accurate formula for the option price. In [8], we have shown that Bayesian analysis mat be used to obtain a better estimate of the figure previously obfuscated through the addition of Laplace noise. Here we exploit the same mechanism to obtain a better estimate of the actual availability. In the next section we describe three models that may provide the a priori information we need to apply Bayes estimation.
4 Models for items availability
The extracost incurred by the broker to get the items through privacyaware suppliers depends on the number of items actually available. This is unknown to the broker till the disclosure by those suppliers when setting the deal. However, models may be adopted for the envisaged availability that allow us to obtain a formula for the option price once the declared availability is made known. In this section, we describe three models, which represent three paradigmatic situations: unit correlation, independent suppliers, and uniform distribution (which represents a mild correlation).
The case of unit correlation applies when either all the suppliers have the item or none of them have it. Their behaviour shows therefore full correlation, hence the name given to the model. The number of availabile items may therefore take just either of two values: 0 or . The probability associated to the two cases is
(3) 
The case opposite to full correlation is that of no correlation at all, where the availability of the item by any supplier is independent of any other suppliers. If we now indicate the probability of any supplier to have the item by , the probability of the number of available items follows a binomial distribution with parameters and :
(4) 
Finally, as an intermediate case between those of no correlation and unit correlation, we can consider the case of uniform distribution
(5) 
5 Formulas for risk transfer
After defining the three paradigmatic models for the availability of items, in this section we derive the pricing formulas for the three cases.
5.1 Unit correlation
In the case of unit correlation, the number of actually available items may take either of two values and , as defined in Equation (3).
The extracost is then
(6) 
This expression is still dependent on the conditional probability , which we may obtain through Bayes’ theorem
(7) 
By replacing the expression (7) in the extracost expression (6) we finally obtain
(8) 
If we assume that the declaration falls within the limits of the range of suppliers, i.e., , we have
(9) 
If we consider the price as a function of the declared number of available items, we see that the price switches quite abruptly between two values. When , the normalized price is
(10) 
Instead, when we are on the opposite side of declared values, , we have
(11) 
The turning point between the two values is
A set of price curves are shown in Figure 2 for suppliers, , and . As we can see the normalized option price is practically zero when the declared availability is and nearly when the declared availability is . The only parameters that actually impact the price are the demand and the declared availability . The probability of the suppliers having all the items plays a negligible role, just in the small range around . In practice, this means that the end customer switches from paying nothing (when the declared availability is less than half the number of suppliers) to paying almost the full price of the items available but not required (when the declared availability is more than half the number of suppliers). In the latter case there is practically a complete transfer of risk.
5.2 Independent suppliers
In the case of independent suppliers, each one having the item with probability , the number of actually available items follows a binomial distribution with parameters and , as described in Section 4.
Since the broker will incur an extracost for the items that it has to buy from the suppliers in excess of the actual demand, the extracost suffered by the broker is
(12) 
We now examine the dependence of the option price on the following parameters:

Declared availability

Demand

Probability of individual availability
We first plot the normalized option price for three different values of demand (again, with suppliers, , and ) in Figure 3.
We see again the option price transitioning from a very low value to a high one as the suppliers declare a higher availability. From Equation (14) the low and high value result
(15) 
But there are two important differences with respect to the case of perfectly correlated suppliers:

the low value is not always practically zero, but rises over zero when the demand is low;

the transition from low to high is quite smooth rather than abrupt as in the cases of perfect correlation.
In order to examine the impact of the probability of individual availability, we can consider the set of curves in Figure 4, where , , and . We observe a similar behaviour as in the previous curves, where now higher values of the individual probability push the price up.
Summing up, we can conclude that low demand, high declared availability, and high individual availability probability lead to higher option prices.
5.3 Uniform availability
The third model we consider is the uniform distribution, which is tantamount to assuming that we have no specific hypothesis for the availability of items.
As in the previous two models, we proceed to define the extracost
(16) 
and to evaluate the conditional probability through Bayes’ theorem (in this case the uniform distribution is a non informative prior)
(17) 
which, replaced in Equation (16), provides us with the final expression of the extracost
(18) 
Now the only parameters are the demand and the declared availability . We plot three sample curves for the normalized price in Figure 5, again for suppliers and .
We see that we obtain a piecewise linear curve with a knee in , that can be approximated by the formula
(19) 
In this case the risk transfer may be partial or excessive. If the noise added is negative, so that the suppliers declare an availability lower than real (), the price of the option is
(20) 
so that not the whole risk is transferred to end customers. The opposite case occurs when , which may make end customers pay more than the actual risk.
6 Conclusions
The issue of option contracts in a privacyaware market has been analysed, where the identity and level of stock of suppliers are kept hidden from end customers and potential competitors through a differential privacy scheme by the addition of Laplace noise. The scheme employs a broker that acts as an intermediary between suppliers and end customers. Pricing formulas for the option have been derived under three different models for the availability of items, which respectively assume a perfect correlation between suppliers, their independence (hence, perfect uncorrelation), or a uniform distribution (hence, a mild correlation). The option contract allows the broker to transfer part of its risk to end customers.
References
 Clements, S., Kirkham, H.: Cybersecurity considerations for the smart grid. In: Power and Energy Society General Meeting, 2010 IEEE. pp. 1–5. IEEE (2010)
 Davis, M.H.: Black–Scholes Formula. Encyclopedia of Quantitative Finance (2010)
 Dwork, C.: Differential privacy: A survey of results. In: Theory and Applications of Models of Computation, pp. 1–19. Springer (2008)
 Dwork, C.: A firm foundation for private data analysis. Communications of the ACM 54(1), 86–95 (2011)
 Hull, J.C.: Options, futures, and other derivatives. Pearson Education (2006)
 Kalvenes, J., Basu, A.: Design of robust businesstobusiness electronic marketplaces with guaranteed privacy. Management Science 52(11), 1721–1736 (2006)
 Karjoth, G., Schunter, M., Waidner, M.: Platform for enterprise privacy practices: Privacyenabled management of customer data. In: Privacy Enhancing Technologies. pp. 69–84. Springer (2003)
 Naldi, M., D’Acquisto, G.: Differential privacy for counting queries: can Bayes estimation help uncover the true value? arXiv preprint arXiv:1407.0116 (2014)
 Naldi, M., D’Acquisto, G.: Option contracts for a privacyaware market. In: KI 2015, 38th German Conference on Artificial Intelligence, Workshop on Privacy and Inference. Dresden (Sept 21, 2015), http://arxiv.org/abs/1509.06524
 Naldi, M., D’Acquisto, G.: Option pricing in a privacyaware market. In: Communications and Network Security (CNS), 2015 IEEE Conference on. pp. 759–760. IEEE, Florence (2015)
 Sarathy, R., Muralidhar, K.: Evaluating Laplace noise addition to satisfy differential privacy for numeric data. Transactions on Data Privacy 4(1), 1–17 (2011)
 Shoshani, A.: Statistical databases: Characteristics, problems, and some solutions. In: Proceedings of the 8th International Conference on Very Large Data Bases. pp. 208–222. Morgan Kaufmann Publishers Inc. (1982)
 Westin, A.F.: Privacy and freedom. Washington and Lee Law Review 25(1), 166 (1968)