Audience measurement is generally the measurement of usage statistics relating to the consumption of content data, for example television viewership, radio listenership, newspaper/magazine readership, and web traffic on websites.
FIG. 1 shows an overall ecosystem of Internet Protocol Television (IPTV), wherein every home 101 is connected to a service provider 131 via an IP network 111, which provides IPTV services (e.g. content delivery, interactive gaming) to each home 101. The IP network 111 may be a broadband IP network, e.g. the Internet. The service provider 131 receives content from a content provider 141, and delivers the content from the IP network 111 to an IPTV set-top box 103 of each home 101 through a home network gateway 105 and a home network 107.

Audience measurement (AM) in IPTV measures end-user behavior in IPTV services, and generates reports on audience information such as audience rating, audience engagement, audience movement across programs and applications, audience makeup by segments, and increasing or decreasing popularity of content. These reports are valuable to businesses because they can be used to forecast advertising opportunities, to target specific advertisements and campaigns to particular audience segments across devices, and to provide personalized engagement-driven services to end-users.
In IPTV services, information that must be known by service providers and content providers to facilitate the consumption of IPTV services is referred to as necessary information. Since this is the minimally necessary data that would be released to service providers or content providers even without considering AM, its privacy is controlled by policy-based schemes, as is done in existing systems. On the other hand, information collected from individual viewers/users for the explicit purpose of audience measurement, e.g. numbers of viewers, segmentation of viewers, ratings, audience engagement, is referred to as private information.
Although the measured private information allows businesses to better understand and categorize their end users, many users are uncomfortable with releasing their private information to businesses for fear of a privacy breach. Hence, the ITU-T Standardization Group recommends that an AM system provide different levels of permissions for the users to dictate, and that the AM system obtain permissions from users before measuring their data. This permission-based control is essentially a “can see, can use; cannot see, cannot use” scheme. With the required level of permission, the data becomes plain to the AM system, and it is up to the system to guard the information. That means, once the user gives the permission, the private data of the user is fully transparent to the AM system. Thus, many users who are concerned about privacy may not give permission to disclose their private data, which skews the AM reports towards the less sensitive users, making the reports much less useful and accurate to businesses.
One approach uses Shamir's secret sharing to protect the user's private information. In Shamir's secret sharing, each of n parties is allocated a unique share of a secret, such that the secret is hidden unless one obtains possession of the shares from at least k parties. Applied to the situation of protecting users' private information in audience measurement, the secret is the aggregated information of the private user data. In one implementation, the n users first agree on k common receivers. Each user sends k polynomials, which are used to hide its portion of the secret, to these k receivers only. Each of the k receivers consolidates its received polynomials, and the receivers exchange these values among themselves to reconstruct the original secret.

The exchanged messages should be confidential; otherwise the private values can easily become known to malicious listeners. This can be prevented using any public key cryptosystem, wherein a message to be transmitted is first encrypted by the sender using the receiver's public key and then decrypted by the receiver using its secret private key.

This approach requires all n users to agree on a common group of k receivers. However, once this group of receivers is compromised, the private values of all users are compromised. In addition, such an agreement on a common group of receivers is not easy to achieve among large audiences, especially in the dynamically changing environment composed of IPTV viewers.
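The following sketch works through the Shamir-based aggregation described above and shows why the common receiver group is a single point of failure. It is an added example, not code from the original text. Assumptions: the "k polynomials" are read as the k evaluations of one random degree k-1 polynomial per user, the field modulus and all function names are chosen here for illustration, and the public-key encryption of messages in transit is omitted.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the text does not name one)

def make_shares(value, k):
    """Hide `value` as the constant term of a random degree k-1 polynomial
    and return its evaluations at x = 1..k, one per receiver."""
    coeffs = [value % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, k + 1)]

def reconstruct(points):
    """Lagrange interpolation at x = 0 over GF(P); points = [(x, y), ...]."""
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

def aggregate(user_values, k):
    """Run the scheme; return (aggregate, per-receiver inboxes)."""
    inbox = [[] for _ in range(k)]        # inbox[r] = shares held by receiver r+1
    for v in user_values:
        for r, share in enumerate(make_shares(v, k)):
            inbox[r].append(share)
    # Each receiver consolidates (sums) what it received; because sharing is
    # linear, the sums are valid shares of the sum of all private values.
    sums = [(r + 1, sum(inbox[r]) % P) for r in range(k)]
    return reconstruct(sums), inbox

def colluding_receivers_view(inbox, user_index):
    """What the receiver group learns about one user if it pools raw shares
    instead of consolidated sums (the compromise case the text warns about)."""
    return reconstruct([(r + 1, inbox[r][user_index])
                        for r in range(len(inbox))])

if __name__ == "__main__":
    minutes_watched = [42, 0, 97, 15, 60]  # constructed sample data
    total, inbox = aggregate(minutes_watched, k=3)
    print("aggregate viewing minutes:", total)
    print("one receiver's share for user 2:", inbox[0][2])
    print("all k receivers pooled, user 2:", colluding_receivers_view(inbox, 2))
```

A single receiver's share is a uniformly random field element and reveals nothing alone, but the same k receivers hold a complete share set for every user, so compromising that one group exposes each individual value rather than only the aggregate.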