Electronic Business: Concepts, Methodologies, Tools, and Applications (4-Volumes) P216 pot

Online Information Privacy

or membership of privacy Web seal programmes. Alternatively, the mistrust may be directed toward the Internet medium. Therefore, the solution may lie within the education of Australian Internet users toward the rights and resources available to them, not only by privacy advocacy organisations, but on e-entrepreneurs’ Web sites and their related industry organisations.

Given that the study found that there is a relationship between information privacy and certain demographic characteristics such as location and gender, a sound approach for e-entrepreneurs would be to consider their target population before developing data collection strategies. For instance, as the survey finds that women appeared to be more pragmatic than their concerned male counterparts, Web sites with a female target audience could emphasise the value of data disclosure — what will individuals receive in return, while one targeting men may want to accentuate how consumer information privacy is upheld. Interestingly, however, males had the highest reported usage of privacy-enhancing tools (an average of 1.22 tools out of a possible 5, compared to 0.93 reported by females). In fact, over 10% more men than women had used at least one tool.

Finally, the study also found an inverse correlation between the constructs “experience” and “total privacy” (as measured by responses to questions regarding the OECD Data Protection Principles). Thus, inexperienced Internet users had higher “total privacy” values than their experienced counterparts, which is consistent with the findings from a number of studies (Culnan, 1993; Stone & Stone, 1990; NUA, 1998). The implication of this finding is that e-entrepreneurs should give special consideration to new Internet users by introducing them to privacy-enhancing methods and technologies and reinforcing their value.

CONCLUSION

This chapter reports and discusses the results of an empirical study which aimed to identify and model Australian Internet users’ online information privacy orientations by combining specific demographic and attitudinal measurements with behavioural data. The resultant privacy-sophistication index clearly illustrates the subjectiveness of online information privacy and groups Australian Internet users according to a range of privacy-related characteristics, which could assist e-entrepreneurs to further understand the role of information privacy in cyberspace and hence better interact with customers in e-business operations.

Arguably, the key finding from the survey is that the majority of Australian Internet users appear to be highly sensitive toward online information privacy, which suggests that privacy management must be an ongoing priority for e-entrepreneurs. This study also finds that there are differences in privacy-related attitudes and behaviours between the sexes, although there does not appear to be a significant correlation with any other demographic factor. Therefore, e-entrepreneurs who run gender-oriented businesses should consider the implications of these findings in relation to their privacy protection strategies.

Although there are methodological limitations which may affect the validity of the results, this study provides e-entrepreneurs with an in-depth insight into Australian Internet users’ attitudes and behaviours toward online information privacy, the knowledge from which may be applicable cross-culturally. Some e-businesses may choose to use information privacy practices as a market segmentation variable (Culnan & Bies, p. 162), and the PSI profiles may assist in this respect. There is evidence to suggest that good privacy can actually result in gains to e-commerce; therefore, a proactive approach toward consumer privacy may not only be socially responsible, but strategically sound.

REFERENCES

Allen, A. (2000). Gender and privacy in cyberspace. Stanford Law Review, 52(5), 1175-1200.

Attaran, M. (2000). Managing legal liability of the Net: A ten step guide for IT managers. Information Management and Computer Security, 8(2), 98-100.

Bennett, C. (1992). Regulating privacy – Data protection and public policy in Europe and the United States. New York: Cornell University Press.

Clarke, R. (1999). Introduction to dataveillance and information privacy, and definitions of terms. Retrieved May 23, 2002, from www.anu.edu/people/Roger.Clarke/DV/Intro.html

Clarke, R. (2001). Privacy as a means of engendering trust in cyberspace. Retrieved June 9, 2001, from www.anu.edu/people/Roger.Clarke/DV/eTrust.html

Cranor, L., Reagle, J., & Ackerman, M. (1999). Beyond concern: Understanding Net users attitudes about online privacy. AT&T Labs-Research Technical Report TR 99.4.3. Retrieved April 14, 1999, from www.research.att.com/library/trs/TRs/99/99.4/

Culnan, M. (1993). How did they get my name? An exploratory investigation of consumer attitudes toward secondary information use. MIS Quarterly, 17(3), 341-363.

Culnan, M. (1999). Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation. Organization Science: A Journal of the Institute of Management Sciences, 10(1), 104-115.

Culnan, M., & Bies, R. (1999). Fair information practices for marketing. In C. Bennett & R. Grant (Eds.), Visions of privacy: Policy voices for the digital age. Toronto: University of Toronto Press.

Culnan, M., & Milne, G. (2001, December). The Culnan-Milne survey on consumers and online privacy notices: Summary of responses, joint working paper. Bentley College, MA, and Isenberg School of Management.

Dembeck, C. (1999, April 8). Report: Online shopping desire overrides privacy concerns. E-Commerce Times.

The Economist Intelligence Unit. (2001). Private investigations: Data privacy and the challenge to business. Available online at www.eiu.com

Fried, C. (1996). In Z. Sardar & J. Ravetz (Eds.), Cyberfutures: Culture & politics on the information superhighway. New York: New York University Press.

Fukuyama, F. (1999). Building trust online: TRUSTe, privacy and self governance. Retrieved February 5, 2001, from www.truste.org/about/trustewhitepaperfinaldoc

Gindin, S. (1997). Lost and found in cyberspace. San Diego Law Review, 1153, 24-79.

Harrison-McKnight, D., & Chervany, N. (2001). What trust means in e-commerce customer relationships: An interdisciplinary conceptual typology. International Journal of Electronic Commerce, 6(2), 35-39.

Hofstede, G. (2001). Culture’s consequences (2nd ed.). CA: Sage Publications.

Lessig, L. (1999). Code and other laws of cyberspace. New York: Basic Books.

Long, G., Hogg, M., Hartley, M., & Angold, S. (1999). Relationship marketing and privacy: Exploring the thresholds. Journal of Marketing Practice: Applied Marketing Science, 5(1), 4-20.

Lyon, D., & Zureik, E. (Eds.). (1996). Computers, surveillance & privacy. University of Minnesota Press.

Maslow, A. (1987). Motivation & personality (3rd ed.). New York: Harper & Row.

Meridian Research. (2001). Regulatory compliance: The tip of the privacy iceberg. Meridien Research. Retrieved May 16, 2003, from www.keepmedia.com/ShowItemDetails.do?itemID=533026&extID=10030&oliID=226

Michael, J. (1994). Privacy & human rights. UNESCO & Dartmouth, Aldershot.

Milberg, S., Burke, S., Smith, H., & Kallman, E. (1995). Values, personal information privacy, and regulatory approaches. Association for Computing Machinery. Communications of the ACM, 38(12), 65-74.

Milne, G., & Boza, M. (1999). Trust and concern in consumers’ perceptions of marketing information management practices. Journal of Interactive Marketing, 13(1), 5-24.

Milne, G., & Gordon, M. (1993). Direct mail privacy-efficiency trade-offs within an implied social contract framework. Journal of Public Policy and Marketing, 12(2), 206-215.

NUA. (1998). Shoppers still concerned about privacy. Available online at www.nua.ie/surveys/index

Papadopoulou, P., Andreou, A., Kanellis, P., & Matrakos, D. (2001). Trust and relationship building in electronic commerce. Internet Research: Electronic Networking Applications and Policy, 11(4), 322-332.

Perrolle, J. (1996). Privacy and surveillance in computer-supported cooperative work. In D. Lyon & E. Zureik (Eds.), Computers, surveillance and privacy (pp. 50-71). Minneapolis: University of Minnesota Press.

Phelps, J., D’Souza, G., & Nowak, G. (2001). Antecedents and consequences of consumer privacy concerns: An empirical investigation. Journal of Interactive Marketing, 15(4), 2-17.

Phelps, J., Nowak, G., & Ferrell, E. (2000). Privacy concerns and consumer willingness to provide personal information. Journal of Public Policy & Marketing, 19(1), 27-41.

Posch, R. (1993). Don’t take Lou Harris too seriously. Direct Marketing, 56(8), 44-48.

Princeton Survey Research. (2002). A matter of trust: What users want from Web sites. Princeton Survey Research.

Rao, C., & Singhapakdi, S. (1997). Marketing ethics: A comparison between services and other marketing professionals. Journal of Services Marketing, 11(6), 409-426.

Reder, A. (1995). In pursuit of principle and profit: Business success through social responsibility. New York: Putnam.

Scholtz (2001). Privacy@net. Consumers International. Retrieved March 3, 2002, from www.consumersinternational.org/news/pressreleases/fprivreport.pdf

Sheehan, K. (1999). An investigation of gender differences in on-line privacy concerns and resultant behaviours. Journal of Interactive Marketing, 13(1), 24-38.

Sheehan, K. (2002). Toward a typology of Internet users and online privacy concerns. The Information Society, 18, 21-32.

Sheehan, K., & Grubbs Hoy, M. (1999). Flaming, complaining, abstaining: How online users respond to privacy concerns. Journal of Advertising, 28(3), 37-51.

Sheehan, K., & Grubbs Hoy, M. (2000). Dimensions of privacy concern among online consumers. Journal of Public Policy & Marketing, 19(1), 62-73.

Singhapakdi, A., Rawwas, M., Matra, J., & Ahmed, M. (1999). A cross-cultural study of consumer perceptions about marketing ethics. Journal of Consumer Marketing, 16(3), 257-272.

Smith, H. (1994). Managing privacy. Chapel Hill: University of North Carolina Press.

Smith, H., Milberg, S., & Burke, S. (1996). Information privacy: Measuring individual’s concerns about organisational practices. MIS Quarterly, 20(2), 167-196.

Smith, R. (1993). CEP’93 – The proper face of privacy. Privacy Journal. Retrieved July 1, 2002, from www.cpsr.org/conferences/cfp93/smith.html

Taylor, H. (2003). Most people are ‘privacy pragmatists’ who, while concerned about privacy, will sometimes trade it off for other benefits. The Harris Poll No. 17. Available online at www.harrisinteractive.com/harris_poll

Westin, A. (1967). Privacy & freedom. New York: Atheneum.

Wright, R. (1993). Overhearing the Internet. The New Republic, September 13. Available online at www.nua.com/surveys/index.cgi?f=VSandart_id=905358552andrel=true

ENDNOTE

1. Many of the Westin-Harris survey reports are available on the Privacy and American Business Web site www.pandab.org.

This work was previously published in Entrepreneurship and Innovations in E-Business: An Integrative Perspective, edited by F. Zhao, pp. 200-222, copyright 2006 by IGI Publishing (an imprint of IGI Global).
Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Chapter 7.8
Analyzing the Privacy of a Vickrey Auction Mechanism

Ismael Rodríguez, Universidad Complutense de Madrid, Spain
Natalia López, Universidad Complutense de Madrid, Spain

ABSTRACT

This article studies the properties of a distributed mechanism to perform the Vickrey auction. This mechanism, which was originally presented in López, Núñez, Rodríguez, and Rubio (2004), has the main characteristic that most of the information concerning the bids is kept private for both bidders and the auctioneer without the necessity of any trusted third party. In particular, after the auction is finished, only the value of the second highest bid and the identity of the highest bidder are publicly revealed. However, in that paper, several questions about the applicability of the protocol were left unanswered. In particular, no implementation was provided. Besides, the analysis of the collusion risk was too brief. In this paper, we address these issues in a deeper way. Let us note that, as it is stated in Brandt and Sandholm (2004), it is impossible to create a completely private mechanism to perform the Vickrey auction. In particular, we identify a gap between the proposed protocol and complete privacy: If any n-2 bidders and the winning bidder collude, the privacy is lost. Besides, some privacy properties can be broken by chance if some specific situations appear, though the probability of this threat decreases as the number of bidders increases. In addition, we present and analyze a simple implementation of the protocol, and we consider its practical applicability.

INTRODUCTION

Auctions are very effective ways to allocate resources. There exist several auction mechanisms, with the Vickrey auction (Vickrey, 1961) being one of the mechanisms that has attracted more interest from computer science researchers. This is a sealed-bid auction where the bidder who submits the highest bid gets the item, but he/she pays the amount submitted in the second highest bid. As it is well known, the Vickrey auction has several good properties. In particular, it removes any incentive for bidders to bid strategically. This is so because the dominant strategy of each agent consists in submitting a bid for his or her reserve price, that is, the maximum price that the agent would pay for the auctioned item. Thus, the Vickrey auction is a direct-revelation mechanism since, in order to maximize their utility, agents have to tell the truth.

In a Vickrey auction, the difference between the first and second prices is the price paid by the auctioneer to guarantee that all the agents tell the truth. However, as the revenue equivalence theorem (RET) claims (Myerson, 1981), this auction produces the same revenue for the auctioneer as other standard auctions (English, Dutch, first-price sealed auction), though it is worth pointing out that in general, the auctioneer does not maximize the profit with respect to a more flexible scheme.¹ Actually, note that if the auctioneer found out in advance the reserve price of the highest bid, he/she would prefer to sell the item with a fixed price as take-it-or-leave-it. Besides, the Vickrey auction is usually assumed to be a private-value auction, that is, reserve prices are locally and independently fixed by each agent. This property disallows an agent to get more interested in an item because other agents have higher bids.

Privacy issues may be a handicap in Vickrey auctions. If the auctioneer has access to all the bids, then he/she can use this information in subsequent auctions of similar items (by using a take-it-or-leave-it strategy). Thus, it is not desirable for the agents that the auctioneer knows their reserve prices. Moreover, if the bidders know all the bids, they can also adapt their subsequent bids.² This would imply that the auction is not with private value anymore, so that reserve prices are not used afterwards (Sandholm & Lesser, 1995).

Thus, a desirable characteristic to be included in Vickrey auctions consists in keeping, as much as possible, the privacy of the bids. In other words, our goal is that at the end of the auction, each bidder is the only one who knows his/her own bid. Moreover, it would also be very desirable that neither the bidders nor the auctioneer know the value of other bids. Obviously, there always exist some minimal exceptions to complete privacy. In particular, we need to know the second-highest bid as well as the highest bidder. However, in order to resolve the auction, we need to know neither the highest bid nor the second-highest bidder.

Some protocols have been proposed to keep the good properties of the Vickrey auction while guaranteeing privacy (see, e.g., Lipmaa, Asokan, & Niemi, 2002; López et al., 2004; Naor, Pinkas, & Sumner, 1999). In Lipmaa et al. (2002), privacy is partially lost: although the auction authority cannot relate bids with bidders, he/she knows the value of all the bids that have been submitted. In the case of Naor et al. (1999), the collusion of the auctioneer and the auction issuer allows them to infer all the bids of the bidders. In López et al. (2004), bidders do not communicate their real bid to other agents (neither to other bidders nor to the auctioneer), so that protocol does not depend on a trusted third party as the previous protocols do. However, in that paper, some topics concerning its practical applicability were not addressed. Besides, some scenarios of privacy threat were tackled too briefly. In particular, some situations concerning the collusion of bidders were not properly discussed. Hence, a deeper analysis of this protocol is still needed.

In this paper, we present a (simple) implementation of that protocol and analyze some of its properties in a deeper way. In particular, we show that the collusion of bidders cannot breach the privacy with certainty unless n-2 bidders and the winner (that is, n-1 bidders) collude, where n is the number of bidders in the auction. Besides, we show that other collusion threats may appear by chance, though the probability of these situations decreases with the number of bidders. As it is stated in Brandt and Sandholm (2004), it is impossible to find a completely private mechanism to perform the Vickrey auction. This result imposes an upper bound of privacy-preserving efficiency in that framework. In particular, it shows that it is not possible to eliminate all of the previous collusion threats from the protocol. However, to the best of our knowledge, this is the protocol that provides the best privacy properties for performing the Vickrey auction without the necessity of any trusted third party.

The rest of the paper is organized as follows. In the next section we sketch the main ideas of our method. Although this section is self-contained, explanations are brief because any interested reader can find the original presentation of this protocol in López et al. (2004). Afterwards, in the next two sections, we discuss some properties that are required in order to keep the privacy of the protocol. First, our discussion focuses on studying different ways in which a single bidder could try to break the privacy of the protocol. Then, we study how a group of bidders could collude to try to break the privacy. Next, we present a simple simulation of our protocol and briefly discuss a concrete experiment. Finally, we present our conclusions and some lines for future work.

METHODOLOGY

In this section we briefly sketch the basic ideas underlying the protocol presented in López et al. (2004).
Basically, this protocol consists in applying some function to all bids. Then, the values returned by the function are compared, and we select the second-highest value. Next, we apply the inverse function to that value, and we obtain the second-highest bid. After this value is computed, we publicly ask “Who is the bidder who would pay this value for the item being auctioned?” Let us remark that, since the Vickrey auction rules promote that all bidders bid their reserve prices, only the highest bidder wants to buy the item at that price, as the second-highest bidder does not care about purchasing the item at that price or not. However, the utility of the highest bidder improves if he/she buys the item at that price. Hence, only the bidder who submitted the highest bid will claim to be the winner. The item is assigned to that bidder, and the price is the value of the second-highest bid.³

Let $f$ be the function used in the previous scheme. This function must fulfill some properties. First, it must be strictly increasing, that is, $\forall x, y: x < y \Rightarrow f(x) < f(y)$. This is required to guarantee that the second-highest transformed value corresponds actually to the second-highest bid. Another property of $f$ is that it must be injective, because we need to use $f^{-1}$ to decode the second highest value. In addition, privacy will be achieved only if both $f$ and $f^{-1}$ are unknown to all bidders. Otherwise, a bidder could find out all bids by applying $f^{-1}$ to the values returned by the function. To achieve that goal, each bidder will know only a piece of the function called local function, and $f$ will be the composition of all of them. Bidders will privately create their local functions, and the encoding or decoding of a bid will only be possible with the collaboration of all bidders together. The composition of local functions will work as follows: After some bidder receives a (partially) transformed bid from another bidder, he/she applies his or her local function and afterwards, he/she sends the result to another bidder, and so on.

Finally, we need the global function to depend on at least three parameters. After the auction is over, all bidders know a pair (input, output) of the global function. This pair consists of the second bid and the second-transformed value. Moreover, the winner of the auction knows another example, because he/she knows his or her bid and its transformation, which is the highest transformed value. Hence, function $f$ must be such that two examples of application are not enough to infer it.⁴ For example, a function depending on three parameters is $f(x) = (B \cdot x^A) + C$. Clearly, two examples of inputs and outputs are not enough to infer the function. We will go back to this idea in the next section.

In order to obtain the desired behavior in the global function, local functions must fulfill some properties (see López et al., 2004 for more details):

• We need the global function to be strictly increasing. A sufficient condition for assuring it is that all local functions are strictly increasing.

• If the order of application of local functions were the same for all bids, some bidder would know all bids, because the bidder who owns the first local function would receive all bids before they are transformed. Instead, the first local function to be applied to each bid will be that of the owner of that bid. So, no bid will be sent to another bidder.

• Once all bids are completely transformed according to all local functions, we should avoid a bidder finding out which one is the transformed value of his or her bid, because in this case he/she would know how many bids are over and under his or her own. Note that if the owner of a bid knows the order of application of local functions, then he/she can guess who will broadcast it once the last local function is applied to his or her bid. In order to avoid that, after a bidder receives a (partially) transformed value and applies his or her own local function, he/she will freely (e.g., randomly) choose the next bidder in the transformation of that value.

• A consequence of the previous conditions is that the order of application of local functions could be different for each bid. However, we want the global function to be the same in all cases. A sufficient condition for that is that the composition of local functions is commutative, that is, for any local functions $f$ and $g$ we have $f(g(x)) = g(f(x))$.

• After all bids are transformed according to all local functions, all transformed values are broadcasted, and the second highest transformed value is selected. We need this value to be decoded in order to obtain the second bid. The inverse transformation will be computed by applying the inverse of each local function. So, we need that each local function is invertible. Besides, the order of application of inverse local functions in the decoding will not necessarily be the inverse of the path we used in the encoding. Let us note that if it were, then the identity of the second bidder would be revealed because the last bidder of the decoding would be the first of the encoding. Since we need the global inverse function to be unique, the composition of the inverse local functions must also be commutative.

As we said before, the global function should depend on at least three parameters. We will do it by increasing the number of function parameters iteratively. We will illustrate this idea with an example. Let us consider again the function $F(x) = (x^A + B) \cdot C$, which depends on three parameters. Clearly, the composition of functions of this form is not commutative, so local functions cannot be like that. Instead, we can compose some commutative local functions to achieve function $F$ in several stages. In the first stage, all bidders will apply local functions of the form $f(x) = x^a$, where $a$ is privately chosen by each bidder. After all local functions are applied to all bids, we have that all bids are transformed according to a function $f(x) = x^A$, where $A$ is the multiplication of each $a$ chosen privately by each bidder; then the second stage begins.

Let us note that transformed values are not publicly communicated after the first stage is over. Instead, any bidder that is the last one applying his or her local function to some value sends the new value only to the bidder that will begin the transformation of that value in the second stage (in particular, it could be itself). In the second stage, functions follow the form $f(x) = x + b$. After this stage is carried out like the previous one, we have that all bids have been transformed according to a function $f(x) = x^A + B$, where $B$ is the addition of all $b$. Then the bidders who were the last in the second stage send the values to some bidder to begin the third stage. This time, local functions follow the pattern $f(x) = c \cdot x$. After the third stage finishes, all values are broadcasted. The relation between these values and the original bids is given by a function $F(x) = (x^A + B) \cdot C$, where $C$ is the multiplication of each $c$.

Once the second highest transformed value is selected, a similar process must be performed to find out the bid corresponding to that value. So, the inverse function will be applied to it. To obtain the inverse function, the order of stages has to be opposite to that which we had before. In the first stage of the backwards path, we use functions that follow the form $f(x) = x \cdot 1/c$, in the next one we use functions $f(x) = x - b$, and finally we take functions $f(x) = x^{1/a}$. At the end, the last bidder applying one of such functions will broadcast the result, which is actually the second highest bid.

According to the previous scheme, bidders send each other some information in both the codification and the decoding phases. After a bidder applies his or her local function to some value and he/she decides the next bidder in the transformation, he/she has to send to him or her two data: The (partially) transformed value and the set of bidders who have already applied their local functions to this value in the current stage. The latter is needed by the next bidder to choose the bidder after him. It is also needed to know whether the transformation in this stage is finished and the next stage must begin.

KEEPING THE PRIVACY

If the global function depends on at least three parameters, then two examples of application of that function are not enough to infer the function. For example, let us consider that the global function follows the same form as before, that is, $F(x) = (B \cdot x^A) + C$. Besides, let us suppose that the second highest bid is 2 and its transformation is 4, while the highest bid and its transformation are 4 and 8, respectively. After the auction finishes, all bidders know that 4 is the transformation of 2, and that there is a bid whose transformation is 8. Besides, the winner (who is the bidder with more information) knows also that 8 is the transformation of 4. However, the winner is unable to find out the global function, that is, he/she is unable to find out $A$, $B$, and $C$. According to his or her knowledge, these parameters could be $(A, B, C) = (1, 0, 2)$. However, $(2, 8, 1/3)$ and $(3, 48, 1/14)$ are other valid possibilities. Actually, there are infinite possibilities. So, the relative distance between transformed values (e.g., 8 is double 4, 8 is 4 plus 4) does not provide any information to infer totally or partially the respective bids.
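The staged encoding and decoding and the two-pair argument above can be checked with a short simulation. This is an added example, not code from the chapter or from López et al. (2004); integer bids and parameters, the bidder names and all function names are assumptions, and the triples of the text are checked against the form $F(x) = (x^A + B) \cdot C$, which is the one they satisfy.

```python
import math
import random
from fractions import Fraction

# Assumption for this sketch: bids and private parameters are positive integers,
# so every step of the encoding and decoding is exact.

def iroot(v, k):
    """Exact integer k-th root (every value rooted here is a perfect k-th power)."""
    lo, hi = 1, v
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < v:
            lo = mid + 1
        else:
            hi = mid
    return lo

# The three stage kinds of the text as (local function, inverse local function).
STAGES = [
    (lambda x, a: x ** a, iroot),                 # stage 1: f(x) = x^a
    (lambda x, b: x + b, lambda y, b: y - b),     # stage 2: f(x) = x + b
    (lambda x, c: x * c, lambda y, c: y // c),    # stage 3: f(x) = c * x
]

class Bidder:
    def __init__(self, name, bid, rng):
        self.name, self.bid = name, bid
        # Private parameters (a, b, c) of the local functions; constructed values.
        self.params = (rng.randint(2, 3), rng.randint(1, 50), rng.randint(2, 9))

def run_stage(value, starter, bidders, stage, inverse, rng):
    """Send one value through every bidder's local function of one stage.

    Each holder applies its function, then picks the next bidder at random among
    those that have not applied theirs yet (that set travels with the value)."""
    fn = STAGES[stage][1 if inverse else 0]
    done, current = set(), starter
    while True:
        value = fn(value, current.params[stage])
        done.add(current.name)
        pending = [b for b in bidders if b.name not in done]
        if not pending:
            return value
        current = rng.choice(pending)

def encode(owner, bidders, rng):
    """Transform one bid; the owner applies the first local function, so the
    plain bid never leaves its owner."""
    value, starter = owner.bid, owner
    for stage in range(3):
        value = run_stage(value, starter, bidders, stage, False, rng)
        starter = rng.choice(bidders)   # whoever ends a stage hands over to any bidder
    return value

def decode(value, bidders, rng):
    """Undo the stages in the opposite order, again along random routes."""
    for stage in (2, 1, 0):
        value = run_stage(value, rng.choice(bidders), bidders, stage, True, rng)
    return value

def run_auction(bids, seed=0):
    rng = random.Random(seed)
    bidders = [Bidder(name, bid, rng) for name, bid in bids.items()]
    broadcast = sorted((encode(b, bidders, rng) for b in bidders), reverse=True)
    price = decode(broadcast[1], bidders, rng)    # second-highest transformed value
    # Public question: who would pay `price`? Each bidder answers from its own bid.
    claimants = [b.name for b in bidders if b.bid > price]
    return claimants, price, broadcast, bidders

def global_function(bidders):
    """F(x) = (x^A + B) * C: A and C are products, B a sum of private parameters."""
    A = math.prod(b.params[0] for b in bidders)
    B = sum(b.params[1] for b in bidders)
    C = math.prod(b.params[2] for b in bidders)
    return lambda x: (x ** A + B) * C

def fit(A, pair1, pair2):
    """For a guessed A, solve (x^A + B) * C through two known (input, output) pairs."""
    (x1, y1), (x2, y2) = pair1, pair2
    C = Fraction(y2 - y1, x2 ** A - x1 ** A)
    return Fraction(y1) / C - x1 ** A, C

if __name__ == "__main__":
    bids = {"ann": 70, "bob": 55, "eve": 90, "dan": 20}   # constructed reserve prices
    claimants, price, broadcast, bidders = run_auction(bids, seed=7)
    print("winner:", claimants, "pays:", price)
    # The two pairs known to the winner in the text's example fit every exponent A.
    for A in (1, 2, 3):
        print("A =", A, "-> (B, C) =", fit(A, (2, 4), (4, 8)))
```

Whatever routes the random choices produce, the broadcast values equal $F$ applied to the bids, which is the commutativity requirement at work.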
However, we must address some issues concerning the use of several stages in our scheme. In order to keep the privacy, some additional conditions must be introduced. Let us consider the backwards process where the second highest bid is decoded. During this process, both the last bidder who applies his or her local function in some stage $k$ and the first bidder who applies it in the next stage $k+1$ have privileged information. We will illustrate this issue with an example. Let us consider that the global function is $F(x) = (x^A + B) \cdot C$, and let us suppose that it is composed by using three stages as explained previously. Let us note that a bidder located in the intermediate of two stages knows the transformed value of the second highest bid at this point. For example, both the last bidder of the second decoding stage (i.e., the stage where functions are of the form $f(x) = x - b$) and the first bidder of the last one (where functions of the form $f(x) = x^{1/a}$ are used) know the transformed value of the second highest bid after the first two stages. Let $s$ be that value, and let $B_1$ and $B_2$ be the two previous bidders, respectively. After the last stage, the true second highest bid is broadcasted (say $b$). Then, by taking into account $s$ and $b$, bidders $B_1$ and $B_2$ can easily infer the whole function of the last stage, which follows the form $f(x) = x^{1/A}$ for some $A$ that is the multiplication of the value $a$ of each bidder. If either $B_1$ or $B_2$ is the winner of the auction, he/she can use this function to calculate the transformation of his or her own bid before the last decoding stage. Let $w$ be such value. Let us note that the function governing the composition of decoding stages 1 and 2 follows the form $f(x) = (x \cdot 1/C) - B$, which depends on two parameters. So, the winner of the auction can easily infer this function by taking into account his or her two examples of application. This function provides the whole inverse global function, and this one gives the global function. So, the winner of the auction could have access to all bids.

Moreover, the winner is not the only bidder who could infer the global function by being located in the intermediate of stages. In particular, if any bidder is located in the intermediate point of stages 1 and 2 and, at the same time, in the point between stages 2 and 3, then he/she can easily infer the function governing each stage, which gives him or her the global function.

In order to avoid this problem, we must impose some additional conditions to ensure that no bidder can infer the global function. First, we must avoid that some bidder is located in more than 2 intermediate points. During the decoding stage, any bidder that is located in an intermediate point will be included in a set. Besides, each time a bidder has to send a value to another, it will check whether the next step is positioned in an intermediate point and, if it is, it will not send the value to a bidder that is already included in that set. Second, the problem of the privileged information of the winner can be solved by using at least 4 stages. The kinds of function used in each stage will be iterated as follows: The three kinds of functions commented before (exponentiation, addition, multiplication) are ordered in some arbitrary way $K_0, K_1, K_2$. Then, each stage $i$ uses the kind $K_{i \bmod 3}$. Let us consider that 4 stages are used. If the winner is located in the first intermediate point, then the function corresponding to the next three steps depends on three parameters. The case is similar if he/she is located in the third intermediate point. If he/she is located in the second, then he/she cannot transform his or her own bid according to the function used up to this point. Hence, he/she is unable to get at least 2 examples. So, the winner cannot use his or her privileged information to infer the global function.

RISKS OF COLLUSION

Although no single bidder can break the privacy on his or her own, we have to consider the possibility that some bidders collude to share their information in order to infer some bids or the global function (which would give all bids). To the best of our knowledge, the collusion of n-1 bidders is needed to extract some information with certainty, where the number of bidders is n. In order to achieve this property, the protocol described in the previous section has to be slightly modified.

Let us consider some collusion scenarios. Let us suppose that functions of the form $f(x) = x^a$ are used in the first stage. Besides, let us suppose that, during the transformation of a bid in the first stage, a bidder $B_1$ sends a partially transformed value to bidder $X$. Then, $X$ applies his or her function and sends the result to $B_2$. Meanwhile, the bid of $X$, as well as the rest of bids, are collaboratively codified in parallel. Let us suppose that the transformation of the bid of $X$ is carried out as follows: $X$ applies his or her function to his or her bid, and then he/she sends the resulting value to some bidder $B_3$. In this case, $B_1$, $B_2$, and $B_3$ can easily infer the bid of bidder $X$. They can do it in the following way. First, bidders $B_1$ and $B_2$ find out the exponent used by bidder $X$ in his or her local function. In order to do that, it is enough that $B_1$ and $B_2$ compare the value sent from $B_1$ to $X$ and the value sent from $X$ to $B_2$.
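The first collusion scenario, worked through as an added example (not code from the chapter): B1 and B2 recover X's exponent from the value X received and the value X returned, and B3, who received X's bid after X's own local function, can then undo that exponent, a last step worked out here from the scenario's setup. Integer bids and exponents, the sample values and the function names are assumptions.

```python
# Assumption for this sketch: stage-1 local functions are x -> x**a with a
# positive integer a, and all values are positive integers.

def recover_exponent(sent_to_x, returned_by_x):
    """What B1 and B2 learn jointly: returned_by_x == sent_to_x ** a."""
    if sent_to_x <= 1:
        return None            # 1 is a fixed point of x -> x**a: nothing leaks
    a, power = 1, sent_to_x
    while power < returned_by_x:
        power *= sent_to_x
        a += 1
    return a if power == returned_by_x else None

def recover_bid(own_bid_message, a):
    """What B3 contributes: X's message about its own bid is bid ** a."""
    guess = round(own_bid_message ** (1.0 / a))   # float estimate, verified exactly
    for candidate in (guess - 1, guess, guess + 1):
        if candidate > 0 and candidate ** a == own_bid_message:
            return candidate
    return None

def collude(view_b1, view_b2, view_b3):
    """Combine the three views; each one alone does not determine X's bid here."""
    a = recover_exponent(view_b1, view_b2)
    return None if a is None else recover_bid(view_b3, a)

def constructed_messages(bid_x=70, a_x=3, value_from_b1=55 ** 2):
    """Constructed sample of the three stage-1 messages the colluders observe:
    (B1 -> X, X -> B2, X -> B3)."""
    return value_from_b1, value_from_b1 ** a_x, bid_x ** a_x

if __name__ == "__main__":
    print("X's bid inferred by B1, B2 and B3:", collude(*constructed_messages()))
```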

Date posted: 07/07/2014, 10:20
