PPVF: An Efficient Privacy-Preserving Online Video Fetching Framework with Correlated Differential Privacy
Online video streaming has evolved into an integral component of the contemporary Internet landscape. Yet, the disclosure of user requests presents formidable privacy challenges. As users stream their preferred online videos, their requests are automatically seized by video content providers, potentially leaking users’ privacy. Unfortunately, current protection methods are not well-suited to preserving user request privacy from content providers while maintaining high-quality online video services. To tackle this challenge, we introduce a novel Privacy-Preserving Video Fetching (PPVF) framework, which utilizes trusted edge devices to pre-fetch and cache videos, ensuring the privacy of users’ requests while optimizing the efficiency of edge caching. More specifically, we design PPVF with three core components: (1) Online privacy budget scheduler, which employs a theoretically guaranteed online algorithm to select non-requested videos as candidates with assigned privacy budgets. Alternative videos are chosen by an online algorithm that is theoretically guaranteed to consider both video utilities and available privacy budgets. (2) Noisy video request generator, which generates redundant video requests (in addition to original ones) utilizing correlated differential privacy to obfuscate request privacy. (3) Online video utility predictor, which leverages federated learning to collaboratively evaluate video utility in an online fashion, aiding in video selection in (1) and noise generation in (2). Finally, we conduct extensive experiments using real-world video request traces from Tencent Video. The results demonstrate that PPVF effectively safeguards user request privacy while upholding high video caching performance.
💡 Research Summary
The paper tackles a pressing privacy issue in online video streaming: user request traces are directly visible to content providers (CPs), enabling inference of sensitive personal attributes such as age, gender, location, and interests. Traditional countermeasures—HTTPS encryption, federated learning (FL), and differential privacy (DP)—each fall short when applied in isolation. Encryption only shields against external attackers, FL does not hide the request itself, and naïve DP (e.g., adding noise to every video utility) either consumes excessive privacy budget or injects so much noise that caching efficiency collapses, especially given the massive catalog size and skewed popularity distribution.
To resolve this, the authors propose PPVF (Privacy‑Preserving Video Fetching), a comprehensive framework that leverages trusted edge devices (EDs) as privacy‑preserving agents. PPVF comprises three tightly coupled components:
- Online Privacy Budget Scheduler – At each cache‑miss event k, the scheduler selects a candidate set Aₖ of non‑requested videos and allocates a per‑video privacy budget aₖ,i. The selection algorithm is online, threshold‑based, and provably competitive: a rigorous competitive‑ratio analysis shows that the algorithm achieves at least (1‑1/e) of the offline optimal utility while respecting the total privacy budget ξ. This ensures that the system never over‑spends privacy budget and can adapt to fluctuating request patterns.
- Noisy Video Request Generator using Correlated Differential Privacy (CDP) – Instead of applying the classic Exponential Mechanism (EM) over the entire video catalog, PPVF first builds a correlation matrix Ψₖ that captures temporal co‑viewing relationships among videos. The global sensitivity Δλₖ,i is then adjusted by the correlation degree, yielding a tighter bound on the required noise scale. Consequently, popular videos receive higher probability of being selected as “noise” requests, while cold videos receive minimal noise, preventing wasteful budget consumption. The final request vector xₖ is combined with the genuine request vₖ via a logical OR operation, producing a mixed request rₖ that the CP sees.
- Online Video Utility Predictor via Federated Learning – Video utility λₖ,i (e.g., predicted request probability) is essential for both the scheduler and the CDP generator. PPVF employs a federated learning loop where each ED locally updates model parameters θ = {β, p, q} based on its private viewing logs Vₖ. Using a trusted execution environment (TEE) such as Intel SGX, the EDs securely transmit only encrypted model updates to the CP, which aggregates them (FedAvg) and returns the global model. This process repeats at predefined time points t_θ, ensuring that utility predictions stay current without exposing raw request data.
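The noise-request step of the second component can be sketched as follows. This is an added example, not code from the paper: it runs the standard Exponential Mechanism over a candidate set Aₖ and ORs the sampled noise vector xₖ with the genuine request vₖ. Assumptions: the sensitivity is passed in as a plain number (the summary gives no formula for the correlation-adjusted Δλₖ,i), the round budget is split evenly across draws, and all function names, utilities and video ids are constructed for illustration.

```python
import math
import random

def em_probabilities(utilities, epsilon, sensitivity):
    """Exponential mechanism: P(i) proportional to exp(epsilon * u_i / (2 * sensitivity))."""
    scale = epsilon / (2.0 * sensitivity)
    top = max(utilities.values())  # shift by the max for numerical stability
    weights = {v: math.exp(scale * (u - top)) for v, u in utilities.items()}
    total = sum(weights.values())
    return {v: w / total for v, w in weights.items()}

def sample_noise_requests(utilities, epsilon, sensitivity, m, rng):
    """Draw m distinct noise videos; each draw spends epsilon / m (sequential composition)."""
    remaining = dict(utilities)
    chosen = []
    for _ in range(min(m, len(remaining))):
        probs = em_probabilities(remaining, epsilon / m, sensitivity)
        videos = list(probs)
        pick = rng.choices(videos, weights=[probs[v] for v in videos], k=1)[0]
        chosen.append(pick)
        del remaining[pick]  # sample without replacement
    return chosen

def mixed_request(catalog, genuine, noise):
    """r_k = v_k OR x_k, as 0/1 vectors indexed by catalog position."""
    v = [1 if c in genuine else 0 for c in catalog]
    x = [1 if c in noise else 0 for c in catalog]
    return [a | b for a, b in zip(v, x)]

# Constructed sample data: five-video catalog, genuine request "v1",
# candidate set A_k with assumed utilities for the non-requested videos.
CATALOG = ["v1", "v2", "v3", "v4", "v5"]
CANDIDATES = {"v2": 0.9, "v3": 0.5, "v4": 0.1, "v5": 0.05}

if __name__ == "__main__":
    rng = random.Random(7)
    for delta in (1.0, 0.25):  # loose vs. tighter (assumed) sensitivity bound
        probs = em_probabilities(CANDIDATES, 1.0, delta)
        print(delta, {v: round(p, 3) for v, p in probs.items()})
    noise = sample_noise_requests(CANDIDATES, 1.0, 0.25, 2, rng)
    print("noise:", noise, "r_k:", mixed_request(CATALOG, {"v1"}, noise))
```

With the same ε, the tighter sensitivity bound shifts probability mass toward the high-utility candidate, which is the effect the summary attributes to the correlation-adjusted sensitivity.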
The system model assumes each ED has limited storage cₑ and a pre‑fetching capacity fₑ ≤ cₑ. The CP interacts only with EDs, never directly with end users. Privacy is quantified by an overall budget ε_total, which is the sum of per‑round budgets allocated by the scheduler and the local DP noise added during federated learning. The authors prove that the combined mechanism satisfies ε_total‑DP.
Experimental evaluation uses real‑world request traces from Tencent Video (≈2 million requests over 30 days). Baselines include (i) a naïve DP pre‑fetching scheme that adds noise uniformly, (ii) an optimal pre‑fetching scheme without privacy, and (iii) a random noise generator. Metrics examined are cache hit rate, average latency, privacy loss (ε), and the proportion of noisy requests. Results show that with ε = 1, PPVF attains a cache hit rate of 78 % (versus 82 % for the optimal non‑private scheme), a modest 4 % drop, while keeping noisy request overhead to only 12 % of total requests. Latency remains under 150 ms, and the dynamic candidate set Aₖ reduces unnecessary noise by more than 30 % compared to static candidate selection. Moreover, the federated utility predictor improves prediction accuracy by ~12 % over a locally trained model, further boosting caching efficiency.
The paper also discusses practical considerations. Trusted EDs must run in a secure enclave; otherwise, the privacy guarantees collapse. The CDP model currently assumes linear correlation among videos; richer temporal models could yield tighter sensitivity bounds. Communication overhead from federated learning is modest and can be mitigated with compression or asynchronous updates.
In summary, PPVF delivers a theoretically grounded, experimentally validated solution that simultaneously safeguards user request privacy and preserves high‑performance edge caching. By integrating an online privacy‑budget scheduler, correlated differential privacy for noise generation, and federated utility prediction, the framework achieves a balanced trade‑off that prior works could not. Future work is suggested on extending the correlation model, exploring heterogeneous edge environments (mobile, vehicular, IoT), and strengthening the trust assumptions around edge hardware.