Protocols that hide user's preferences in electronic transactions

The Internet creates many new threats to personal privacy and raises some unique privacy concerns. In this paper we study the problem of how to protect users' privacy in web transactions of digital products. In particular, we introduce a system which (1) allows a user to disclose his/her identity information (such as user account or credit card number) to a web site in exchange for a digital product, but (2) prevents the web site from learning which specific product the user intends to obtain. The problem concerned here is orthogonal to the problem of anonymous transactions [M. Reed, P. Syverson, D. Goldschag, Anonymous connections and Onion Routing, IEEE Journal of Selected Areas in Communication 16 (4) (1998) 482-494; M. Reiter, A. Rubin, Crowds: anonymity for web transactions, ACM Transactions on Information System Security, 1 (1) (1998) 66-92] but commensurate with the general problem of PIR (private information retrieval) [B. Chor, O. Goldreich, E. Kushilevita, M. Sudan, Private information retrieval, in: Proceedings of 36th FOCS, 1995, pp. 41-50; B. Chor, N. Gilboa, Computational private information retrieval, in: Proceedings of 29th STOC, 1997, pp. 304-313]. Most of the existing results in PIR, however, are theoretical in nature and can not be applied in practice due to their huge communication and computational overheads. In the present paper, we introduce two practical solutions that satisfy the above two requirements and analyze their security and performance. Another issue we study in this paper is how to recover sales statistics data in our user privacy-protected system. We present a novel solution to the problem along with its security analysis.