The Influence of Differential Privacy on Short Term Electric Load Forecasting

There has been a large number of contributions on privacy-preserving smart metering with Differential Privacy, addressing questions from actual enforcement at the smart meter to billing at the energy provider. However, exploitation is mostly limited to application of cryptographic security means between smart meters and energy providers. We illustrate along the use case of privacy preserving load forecasting that Differential Privacy is indeed a valuable addition that unlocks novel information flows for optimization. We show that (i) there are large differences in utility along three selected forecasting methods, (ii) energy providers can enjoy good utility especially under the linear regression benchmark model, and (iii) households can participate in privacy preserving load forecasting with an individual re-identification risk<60%, only 10% over random guessing.


Introduction
Smart metering data is said to be useful for improving the load forecasting task of energy providers [1][2][3][4]. With more accurate forecasts, energy providers gain an advantage for trading and scheduling electricity production and consumption ahead of time. Forecasting errors have to be balanced with control energy for stable electric grid operation. Thereby, the highly volatile control energy prices charged for this compensation can be painful for the energy providers. In Germany of 2017, for example, the average control energy price was 49.67 EUR per MWh, but for 30 minutes, the price shot over 20,614.97 EUR per MWh. 1 On the other hand, monitoring electrical load from individual households incurs violation of privacy, as private behavior patterns are reflected in the energy consumption 2 [1,5,6]. The amount of privacy violation varies depending on the monitoring time resolution of metering data [7]. Using Differential Privacy [8] as privacy model, both time granularity and varying levels of the privacy parameters can be used to quantify and interpret the influence on privacy.
In addition to the privacy issue, the utility of individual data for load forecasting is naturally limited due to the stochasticity of domestic energy usage [9]. To best of our knowledge, no work exists that leverages individual (instead of aggregated) load data to gain a significant advantage on the domestic load forecasting task. This is why domestic load forecasting is performed using load data aggregated over large areas with many households.
In this paper, we investigate whether energy providers can benefit from smart metering data which is acquired in a privacy-friendly way. We formulate a privacy-preserving forecasting process that provides energy producers with forecast utility guarantees and households with strong, yet intuitive privacy guarantees, based on Differential Privacy. We make the following contributions: • First time to regard energy provider's load forecasting task based on smart metering data with prescribed privacy guarantee, • Practical design and evaluation of Differential Privacy for load forecasting, as well as comprehensible and interpretable calculation of presence detection risk using Differential Identifiability, • Determination of the privacy-utility trade-off on real world data [10] using three realistic forecasting methods, and • Demonstrating that differentially private load forecasting with a low presence detection risk ρ < 0.6 and strong utility is especially achievable under the linear regression benchmark model.
This paper is structured as follows. In Section 2, we introduce preliminaries. We formulate our concept for realizing differentially private load forecasting in Section 3 and present an evaluation in Section 4. Related work is presented in Section 5. Finally, Section 6 concludes with a discussion of practical implications.

Preliminaries
In the following, we provide fundamentals regarding electricity grid metering (Section 2.1), the underlying privacy model of this work (Section 2.2), and load forecasting approaches we use for electricity consumption prediction (Section 2.3).

Electricity Metering Process (in Germany)
In this paper, we will discuss our problem setting in the context of the German metering and balancing process. Although the objective of metering for balancing in an electric power system is equal around the world, specific details in metering and settlement are subject to national and regional regulations. That is why we fix our process description to the well-documented German electrical power market. The relevant sources are the German electricity grid access regulation (StromNZV [11]), the German measuring point operation act (MsbG [12]) and the market rules for the implementation of balancing group accounting for electricity (MaBiS [13]).
In Europe, the electric grid is partitioned geographically into control areas which are each operated by a transmission system operator (TSO). Each control area is subdivided into distribution grids operated by a distribution system operator (DSO). Transmission and distribution grid operators are government-regulated entities who are responsible for stable and reliable grid operation and non-discriminatory access to electricity production, consumption and trading. To accomplish these two goals simultaneously, the TSO delegates the task of balancing supply and demand to the grid participants to some extent by charging the participants for any imbalance they cause. How imbalance is estimated and settled is subject to national regulations. (cf. [14][15][16]) Each control area is virtually partitioned into balancing groups which are basically time-dependent accounts for electric energy. An electricity customer (i.e., her grid connection point) is associated with exactly one balancing group which corresponds to the energy service provider and possibly to a specific tariff chosen by the customer. (cf. Sections 4, 5 StromNZV)  Figure 1: Essential roles and information flows in the current metering process (solid black arrows) and in the proposed differential private process for privacy-preserving improved forecasting (dotted blue arrows). For simplicity, we omitted the role of the Measurement Service Provider who is currently responsible for step 1.
Before the roll-out of smart metering, residential electricity meters of customers with low or normal annual consumption have only been read-out annually or during the change of energy provider or tenant. Customers with an annual consumption above 100,000 kWh are subject to real-time load profile measurements which collects average and peak load in each quarter-hour interval. With the roll-out of smart metering, additionally, customers with an annual consumption between 10,000 kWh and 100,000 kWh may be subject to load profile metering with quarter-hourly resolution. (cf. Sections 55, 60 MsbG) Figure 1 shows the essential roles and information flows, as well as our envisioned privacy-preserving information flow, in the metering and balance settlement process. The TSO is usually also in the role of the balancing group coordinator and is responsible for determining the virtual balance of each balancing group in order to charge the balancing group which is the responsible party for imbalances. As the balancing group may be physically scattered among different distribution grids, the TSO needs to aggregate the information about the energy flows in the distribution grids from several DSOs. The problem here is that the DSO does not measure every grid connection point in real-time. This is especially true for residential grid connection points. Therefore, the DSO estimates the residential loads either by using the synthetic or the analytical method (Step 1 and 2 in Figure 1). The synthetic method uses parameterized standard load profiles which are scaled by a forecasted annual energy consumption of each customer. For the analytical method, the DSO subtracts the real-time metered load profiles and estimated transmission losses from the overall load profile of its distribution grid. The remainder is the load profile of the non-metered residential grid connection points, which is then attributed according to a forecasted annual energy consumption of each customer (Step 3 in Figure 1). (cf. Section 1.2 MaBiS [13] and Section 3.8 of the Distribution Code 2007 [17]) The TSO finally aggregates the load profiles from all DSOs to determine the load profile of each balancing group (Step 4 in Figure 1). This overall ex-post balance in each group is used to settle the costs for the actual imbalance during the grid operation. If the imbalance of one group helps to compensate the overall grid imbalance, the responsible party of the group is being paid for the grid support. The parties responsible for the balancing group receive the load and balance measurements for their balancing group in order to retrace the bill and to improve on the load predictions for ex-ante energy trading (Step 5 in Figure 1). (cf. Section 2 MaBiS) Technically, the current metering process is not differentially private as the aggregated load of a balancing group is not perturbed using a randomized method. Even the collection of the annual energy consumption is not differentially private. However, the current metering process based on non-smart meters is generally not considered as serious privacy violation since residential electricity measurements are read out only once per year.

Differential Privacy
Differential Privacy, originally proposed by Dwork [8], is the current gold standard for data privacy. It is achieved by perturbing the result of a query function f (·) s.t. it is no longer possible to confidently predict whether the result was obtained by querying data set D 1 or some other data set D 2 differing in one individual. Thus, privacy is provided to each participant in the data set as their presence or absence becomes almost negligible for computing perturbed query results. To inject noise into the result of some arbitrary query f (·), mechanisms K f are utilized. Mechanisms add noise sampled from a probability distribution to f (·) and are differentially private when they fulfill Definition 1. Definition 1 (Differential Privacy). A mechanism K f : DOM → R is ( , δ)-differentially private if for all data sets D 1 , D 2 ⊂ DOM differing in only one individual and for all possible outputs S ⊆ R : The additive δ is interpreted as the probability of protection failure and required to be negligibly small ≈ 1 |D1| . We refer to Dwork et al. [18] for the proof. Another commonly used, more strict definition calls a mechanism -differentially private if it is ( , 0)-differentially private. Differential Privacy has the appealing property that it holds independent of side knowledge that an adversary might have gathered on the data set. Thus, for convenience, we call a data set differentially private if it has been obtained by a differentially private mechanism.
The query is further specified as a series of k identical aggregate queries f i with co-domain R = R each. The added noise must hide the influence of any individual in the original result of the composed query f = (f 1 , . . . , f k ). The maximum influence of an individual on f (·) is the global sensitivity A popular mechanism for perturbing the outcome of numerical query functions is the Laplace mechanism, proposed by Dwork [19]. It adds noise calibrated w. r. t. the global sensitivity by drawing a random sample from the Laplace distribution with mean µ = 0, scale λ = ∆f according to Theorem 1. Theorem 1 (Laplace Mechanism). Given a series of k identical numerical query functions f = (f 1 , . . . , f k ) ∈ R k , the Laplace Mechanism is an ( ,0)-differentially private mechanism when all z i with 1 ≤ i ≤ k are independently drawn from the random variable Z ∼ Lap(z, ∆f , 0).
Again, for proof, we refer to Dwork et al. [19]. To apply Theorem 1 to smart metering, i.e., a distributed setting, we use the gamma distribution suggested for distributed noise generation by Ács et al. [20]. The following Lemma 1 leads to the generation of gamma noise that satisfies the Laplace mechanism. We use this divisibility to formulate a distributed differentially private metering process in Section 3.3. Lemma 1 (Divisibility of Laplace distribution [21,20]). Let Z(λ) denote a random variable from a Laplace distribution with density f (x, λ) = 1 2λ e |x| λ . Then the distribution of Z(λ) is infinitely divisible. This means that for every integer n ≥ 1 it can be represented as a sum of n random variables Z(λ) = n i=1 X i . Here, each X i = G 1 (n, λ) − G 2 (n, λ). G 1 (n, λ) and G 2 (n, λ) are i. i. d. random variables having gamma distribution with density g(x, n, λ) = (1/λ) 1/n Γ(1/n) x 1 n −1 e −x/λ defined for x ≥ 0.
When a function is evaluated multiple times an overall privacy loss occurs. Under worst case assumptions, the sequential composition theorem of Differential Privacy states that a series of k evaluations of any ( , δ)-differentially private mechanism K f on the same set of individuals results in (k , kδ)-Differential Privacy. However, recent results by Dwork et al. [22] and Kairouz et al. [23] prove that actually sub-linear increases in are achieved under k-fold composition when allowing a smallδ under Theorem 2. Theorem 2 (k-Fold Adaptive Composition for Homogeneous Mechanisms). For any > 0 and δ ∈ [0, 1], andδ ∈ (0, 1] the class of ( , δ)-differentially private mechanisms satisfies When operating in high privacy regimes ( 1), the term (e −1)k e +1 ≈ k 2 illustrates the sub-linear loss of privacy under k-fold composition. Even though composition allows to determine the privacy decay by growth in over a series of queries, a rational explanation for the actual choice of is missing. To the best of our knowledge, there is no approach for giving concrete guidance on choosing . Nonetheless, we are convinced that providing a more comprehensible interpretation of and the corresponding guarantee is crucial for acceptance of Differential Privacy in practice.
Consequently, we apply a belief model in this work to give smart metering users a better understanding of their protection guarantee . The foundation of this model led Lee et al. [24] to define Differential Identifiability, a privacy notion slightly differing from Differential Privacy. For convenience, we restate the definition of Differential Identifiability in Definition 2. Definition 2 (Differential Identifiability). Given an original data set D, a randomized mechanism K satisfies ρ-Differential Identifiability if among all possible databases D 1 , D 2 , ..., D m differing in one individual w. r. t. D the posterior belief after getting the response r is bounded by ρ.
ρ-Differential Identifiability implies that after receiving a mechanism's output r the true data set D can be identified by an adversary with confidence ≤ ρ. Findings by Li et al. [25] show that Differential Privacy and Differential Identifiability are actually equal when m = 2 since Differential Privacy considers only two neighboring data sets D 1 , D 2 by definition. If this condition is met, according to Li et al. [25], the relation between ρ and is: Consequently, the re-identification confidence ρ provides a simplified interpretation of the actual risk when applying ( , 0)-Differential Privacy. When δ > 0, we define that the confidence of ρ holds with probability 1 − δ. We use this method to substantiate our results in Section 4.2.

Electric Load Forecasting Methods
Three different forecasting methods are used within this work. One of the methods is the benchmarking forecasting model (Section 2.3.2) for the 2012 Global Energy Forecast Competition (GEFCom 2012). The other two methods, CountingLab (Section 2.3.3) and Lloyd (Section 2.3.4), were the two highest ranked forecasting methods of the competition. For the first time, the impact of Laplacian noise for differential privacy on realistic forecasting methods is studied in Section 4 .

Global Energy Forecast Competition 2012 (GEFCom 2012)
One of the machine learning competitions of GEFCom 2012 [10] was electric load forecasting. The time span of the given historical load data of an ISO in the USA was approximately 4.5 years in hourly readout intervals from 20 zones. Additionally, historical temperature data of 11 nearby weather stations were given, but there was no information about the association between weather stations and zones. For the forecasting time period, the temperature data was not given and needed to be forecasted, too. A limited amount of tuning is possible due to allowing multiple submissions and directly showing the resulting score.
The statistics of the historical load data are plotted in Figure 2. Zone 4 is the smallest zone with a mean load of only 0.575 MW. In the right panel it can be seen that Zone 9 exhibits outliers with low consumption values which indicates metering issues or local blackouts. 4 8 5 1 13 14 10 16 17 15 9 19 20 11 12 2 6 3 7  Log Scale Electricity Consumption per Zone

Benchmark Forecasting Model of GEFCom 2012
Hong [10] provided a linear regression model as a benchmark for GEFCom 2012 competition. A linear regression model for load forecasting has the general form where F z,t is the forecast of the aggregate energy consumption of zone z in time slot t, β j are the parameters of the model, x t,j are the independent variables, e t is the residual error which cannot be explained by the model.
The 20 benchmark models (one per zone) consider a total of p = 313 explanatory temperature and calendar variables x t,j or cross-effects which are described in the GEFCom 2012 paper [10]. Using that final model, a forecast for the week following the given historical data was to be estimated. While the explanatory calendar variables can be easily obtained, no forecast for temperature T s of the weather stations was given. The benchmark model constructed temperature forecasts by "averaging the temperature at the same date and hour over the past four years" [10].

CountingLab's Forecasting Method
Within the forecasting methods referenced in the GEFCom 2012 paper [10], CountingLab [26] achieved the best test score in the competition. As the benchmark model, it relies on multiple linear regression (6). However, in contrast to the benchmark model, not 20 single forecasts are obtained (one per zone) but 3,840 forecasts F z,h,S,w for each combination of zone z, hour of the day h, season S and day type. As a benefit the number of independent variables is much smaller than for the benchmark model: only nine parameters (interactions of temperature, day number and day number within the season) must be fit per linear model.
The needed temperature forecast is the mean of historical temperatures. In order to win the competition the authors spent additional effort, see Charlton et al. [26] for more details.

Lloyd's Forecasting Method
Lloyd's method [27] achieved the second best test score in the competition. First, the temperature was estimated as the sum of a smooth trend and a daily periodic estimate using Gaussian processes with squared exponential and periodic kernels, respectively.
The prediction is a weighted ensemble of three forecasting methods: (i) the benchmark model (see Section 2.3.2) with weight 0.1, (ii) a gradient boosting machine [28] with weight 0.765 and (iii) a Gaussian process regression with weight 0.135. The weights have been chosen by manual tuning.
For each zone, a separate boosting model was learned using as input the time of day ∈ [0, 1], the time within the week ∈ [0, 7], the temperature predictions and smoothed temperature predictions of all weather stations. Note that the loads are not used as inputs, only as response values.
The third method uses Gaussian process regression using three additive kernels for forecasting that all depend on time: two squared exponential kernels should explain the variation of the load by two different length scales; the third, periodic kernel should model the periodic behavior.

Differentially Private Metering and Load Forecasting
As we have discussed in Section 2.1, the energy provider has the incentive to forecast the load of her customers with low error so that she can trade or schedule energy production ahead of time for lower costs. Smart metering may provide the means to realize a more accurate forecast by using load monitoring of individual households. However, monitoring individual loads conflicts with customer privacy interests. Also, due to the high stochasticity of individual loads, proficiently grouping households based on geographic or topological areas is beneficial to the forecasting performance (cf. Fan et al. [9]).
We propose that the energy provider and the customers meet in the middle by agreeing on a trade-off between forecasting accuracy and customer privacy. For that, Differential Privacy is guaranteed for the customer by grouping households into zones and apply the Laplace mechanism on the aggregated load of each zone. In this paper we assume that a privacy-preserving protocol based on additional homomorphic encryption ( [2,29]) or masking ( [20,30]) exists in the smart metering infrastructure that enables to calculate the sum of all the household's load values at each time point without providing the individual values.
We envision that the energy provider offers different energy tariffs coupled with a specific privacy protection level in terms of different λ values for the Laplace mechanism. The differentially private metering process is detailed in Section 3.3. The customer interprets the privacy level coupled with the tariff by deriving her own effective privacy protection in terms of Differential Identifiability. Using that assessment, she can perform an informed decision about her energy tariff and how much privacy she wants to trade-in. This in described in Section 4.2.
From the perspective of the energy provider, the utility of individual smart metering data is limited. Since the load of the whole balancing group used for balance compensation must be provided by the TSO this could be used for a direct forecast of the aggregate of the balancing group. However, forecasting could possibly be improved by also providing differentially private, zonal sub-aggregates of the region obtained by the DSOs. As shown in Section 4 depending on the forecasting method, using this so-called hierarchical forecast compared to the direct forecast may not even improve the forecasting performance.
If there is an advantage using the hierarchical forecast, the acquisition of smart metering data has to satisfy the privacy interests of the affected customers. For each forecasting method, the limit for the privacy level of the differentially private method depends on the additional error introduced by it. If the forecasting error exceeds the direct forecasting error, smart metering data do not help the energy provider for trading or scheduling tasks. In Sections 3.1 and 3.2, we reflect that idea in the definition of the load forecasting problem and the utility definition.

Basic Forecasting Problem
Consider a control area, called region for simplicity, that is divided into Z zones containing n z households. All households i of a zone z provide their load measurements l z,i,t at several time points t . The zone aggregators (DSOs) calculate the sum of all the household's load values L t at each time point t without receiving the individual values. Therefore, for each zone for each time point t , only the sum of the load values l z,i,t of all the households i of the zone is available, These zonal aggregate loads are available at past time points t 1 , . . . , t k . The goal then is to predict the regional aggregate load which is the sum of the zone's loads, Based on values available at times t 1 , . . . , t k the forecasting problem consists of producing forecasts F t1 , . . . , F t T for the regional aggregate load L for a sequence of forecast horizons t 1 , . . . , t T in the future (t 1 > t k ). For forecasting, not only past aggregate load values are available but also additional factors x t 1 , . . . , x t k , where the vector x t = (x t ,1 , . . . , x t ,p ) summarizes p different explanatory variables. Typical information that is summarized in x t is for example the temperature, the hour of the day or the season (cf. Section 2.3).

Direct Forecasting
Two variants are distinguished. The first variant is called direct forecasting that predicts each L t of the prediction period based on the past regional aggregate values L t 1 , . . . , L t k and other factors x t 1 , . . . , x t k . Note that no zonal aggregate loads are available for forecasting. The corresponding forecast value is denoted by F direct,t .

Hierarchical Forecasting
The second variant is called hierarchical forecasting that is allowed to use the zonal aggregate loads. First, the aggregate load per zone is predicted and the prediction of the region is obtained by the sum of the predicted zonal aggregates. For each zone z, based on the past values L z,t 1 , . . . , L z,t k and other factors x t 1 , . . . , x t k , future values L z,t1 , . . . , L z,t T are forecasted. With the forecasts of the zonal aggregates denoted as F z,t1 , . . . , F z,t T , the overall aggregate L is then estimated Hierarchical forecasting is assumed to be beneficial when the loads of different zones must be predicted differently depending on the forecast inputs. For example, loads exhibit more or less distinctive maximum values also at different times of the day. The temperature might as well be described more accurately for smaller, more homogeneous zones.
Hierarchical forecasting with differentially private, perturbed data is effectively the same problem as before with the difference that for each zone instead of the exact aggregates L z,t 1 , . . . , L z,t k solely perturbed aggregatesL z,t 1 , . . . ,L z,t k are used. Since resulting forecast of the regional aggregate then depends on the amount of added noise, it is denoted as F λ .

Evaluation of Forecasting
As stated before we need to add noise to the original data to achieve Differential Privacy. The noise added to the aggregate of each zone yields to the Differential Privacy property of the aggregate load data of each zone z. Due to the immunity against post-processing (cf. Section 2.2) the overall aggregate load that is computed as the sum is differentially private.
It is clear that in a practical setting, perturbed data can only be of use if the noise does not destroy the prediction performance of the data. For calculating the utility we compare the direct, non-hierarchical forecast with the hierarchical forecast using differentially private load data of the zones.
The utility of the forecasts for loads of the period t 1 , . . . , t T is assessed by two error measures. Firstly, the commonly used mean absolute percent error M AP E, a scale-free error measure that enables a comparison of our results with results for other datasets. Secondly, the mean absolute error M AE that allows to compare different forecasting methods for the same (GEFCom) data. Both error measures are computed according to their names, i.e., This way the error can be assessed both for forecasting the aggregate load L z of a zone z and the overall aggregate load L.
We define utility u λ as the relative gain we achieve by switching from non-hierarchical to hierarchical forecast with perturbed data, The error measure M AE λ uses the forecasts F λ of the hierarchical forecast with perturbed data for the overall aggregate load L, where M AE direct is the error of the direct load forecast for the overall aggregate load L. Since the regional aggregate values are known in any case, direct forecasting can always be done. Therefore, hierarchical forecasting only makes sense when it is better than direct forecasting. Consequently, when the perturbation factor λ becomes too large it causes the error M AE λ to exceed the direct forecasting error M AE direct and the utility becomes negative u λ ≤ 0.

Differentially Private Metering Process
In this work, we strive to bring energy providers in the position to train load forecast models on differentially private aggregated data from electricity customers. Differential Privacy is required due to possible insufficiencies of pure aggregation for privacy protection [8,31].
As stated previously, energy providers desire to limit deviation of their forecasting algorithms due to differentially private noise added to load forecasting training data by specifying an upper bound for acceptable forecasting error. In turn, this will lead to an upper bound for acceptable noise scales λ which is needed according to the Laplace mechanism for achieving Differential Privacy. More specifically, by Theorem 1 each household is provided ∆f λ = -Differential Privacy. The application of the Laplace mechanism results in three challenges in the scenario of this paper.
Firstly, we do not want to have perturbation L z,t 1 , . . . , L z,t k →L z,t 1 , . . . ,L z,t k done by the energy provider to avoid assumptions about trustworthiness. Instead, we desire perturbation to be performed at the data sources directly, i. e. a smart meter adds noise itself for each point in time t . Following Lemma 1, we realize this by decomposing the Laplace noise into the gamma noise for distributed noise generation at household level as stated in equation (13). The provider has to compute the sum for each zone to obtain the noisy total consumption, see equation (14).
Secondly, the training data is represented by a time series t 1 , . . . , t k of each electricity customer's energy data, i.e., involving always the same set of households. Consequently, privacy decays over time as more information is revealed. For measuring the accumulated privacy loss, we apply Theorem 2 to obtain the total privacy loss˜ δ as a function of , δ and time k.
Thirdly, the accumulated privacy guarantee,˜ δ , is hard to interpret for consumers (i.e., electricity customers). Our envisioned process addresses this by translating˜ δ into an interpretable risk ρ by equation (5). ρ represents the upper bound for the confidence of an adversary trying to detect the presence of a single household inL t ,z . We have almost perfect privacy if an attacker is unable to confidently distinguish whether a household contributed to the sum or not, i.e., ρ ≈ 0.5 (random guessing). In contrast, if ρ ≈ 1 the privacy level is extremely low. To provide a reasonably good protection, we aim to bound the confidence at ρ = 0.6, meaning that even in worst case situations an adversary is not able to identify that a household contributed with more than 60% confidence.
Our process of applying Differential Privacy has several benefits. The energy provider does not have to perform any perturbation as noise is added locally by each meter and adds up to noise following the Laplace mechanism. In addition, providers can select the amount of noise λ they tolerate with regard to their forecasting algorithms. λ then gets propagated to households who resolve it to their corresponding ρ to see how much data privacy the energy provider actually ensures.

Experiments and Results
In this section three different models for forecasting the GEFCom data set (Section 2.3.1) are trained.
After confirming the correctness of the implementations by applying the forecasts to unperturbed data, the sensitivity of the forecasting performance on the Laplacian noise of different scales λ is assessed. Because the noise scale λ does not lend itself to describe the achieved privacy in a comprehensive way, such a description is developed in Section 4.2 based on the Differential Identifiability notion. Using all of the above, the privacy-utility trade-off will be described.

Forecast results
We re-implemented Hong's Linear Regression Benchmark Model and CountingLab's forecast model. For sake of simplicity we omitted 2 of the improvements of CountingLab's model. Lloyd's method did not need to be implemented because he provided the source code 3 . Only adaptions facilitating the handling of many different input files have been necessary.
Firstly, we verified the correctness of the implementation for unperturbed data. The MAPE and MAE of the non-perturbed forecast by Hong's model for each zone are depicted in Figure 3a. The zones are sorted by their average load from left to right. Zone 9 and 10 have prominently high errors. As Figure 2 shows, the outliers in Zone 9 indicate metering errors or power outages. In Zone 10, the average monthly consumption suddenly tripled starting January 2008, indicating a change of the grid configuration. As the forecasting time period is after January 2008, this may be the cause of the high forecasting errors.
Similarly, both CountingLab's and Lloyd's forecast models are bad for zones 9 and 10. However, for both of these models the errors are on average smaller for the remaining zones than for the benchmark model.
A comparison between unperturbed direct forecast and the unperturbed hierarchical forecast shows that the hierarchical forecast for the benchmark method lowers the average error by 12 MW. This results in a utility of 7.8% (first line of Table 2) and means that our privacy mechanism should not introduce additional errors much above 12 MW in order to avoid too negative utilities. Surprisingly, the hierarchical forecast is worse than the direct forecast for the other two models resulting in negative utilities.
Now, the impact of varying levels of noise on the forecast performance is evaluated. Figure 3b shows the forecasting error of perturbed hierarchical forecasting of Hong's Benchmark Model using increasing levels of perturbation. We trained the models and ran the forecast 10 times each with different random seeds. In some cases, the error even decreases. The red line indicates our utility-limit of 12 MW above unperturbed error (blue line). With λ = 56, 234, all runs still stayed below this limit. Starting at λ = 100, 000, some runs start to show higher error than the unperturbed direct forecast.
While the performance of CountingLab's forecast is better than the benchmark model for unperturbed data, the performance is highly negatively affected by the noise. This can be seen in Figure 3c where the MAE quickly rises with λ.    The main difference between CountingLab's method and the benchmark model lies in the construction of many small models that use a smaller amount of data, each. It seems plausible that noise can have a greater negative effect on such approaches.
The MAPE and MAE of Lloyd's forecast with perturbed data for each zone are depicted in Figure 3d. Surprisingly, the forecast first improves for some amount of noise, reaches a minimum at λ = 177, 828 and then rises quickly.
This behavior can be attributed to the gradient boosting model which also has the highest weight (0.765) in the ensemble averaging process (not shown). Since the inputs of the gradient boosting model do not include any load values (compare Section 2.3.4), Differential Privacy acts as output noise which has been shown to potentially improve a model by Breiman et al. [32]. As the benchmark model did, the third classifier of the ensemble, the Gaussian Process model, degrades monotonically and finally rather quickly with increasing λ (not shown). The bad reaction upon noise of the Gaussian Process is plausible since the model heavily relies on a limited amount of 500 load values which corresponds to three weeks of data. However, since it only has a weight of 0.135 the behavior of the gradient boosting model dominates for small λ.

Application of Differential Privacy
While we conceptually presented the integration of Differential Privacy into smart metering load forecasting in Section 3.3, we provide an evaluation of the implementation in the following.
As initial step, we let an energy provider set utility bounds by choosing the noise scale λ in dependence of the acceptable loss in utility, i.e., forecast accuracy. In the next step we fix ∆f = 48 kW as global ∆f (i.e., maximum power consumption), which is the maximum power limit of 3-phased circuits in German residential homes. Based on λ and ∆f , a global privacy guarantee of ( , 0)-Differential Privacy (1) is provided by each individual load aggregateL z,t using the Laplace mechanism (2).
However, this theoretical restriction is far from being reached in practice. Thus, households may exchange the global ∆f by a smaller, local ∆f to identify their actual privacy guarantee. Considering the same λ, since = ∆f /λ, households may actually enjoy a stronger (smaller ) protection against presence detection under their local ∆f . However, the guarantee then only applies to loads within the local interval and does not keep an attacker from finding out about the bounds of that local interval. In the end, it is a matter of interpretation whether one relies on a very theoretical protection guarantee or a more realistic relaxation. To illustrate the impact, we vary ∆f 4 according to Table 1 for our scenario.
When continuously releasing information by computingL z,t 1 , . . . ,L z,t k a composition theorem has to be applied as eachL z,t relates to the same set of individuals (i.e., households). The GEFCom data set consists of k = 38, 070 hourly load recordings, thus we have almost 40, 000 composition steps. For large k, however, k-fold adaptive composition (Section 2.2) is a tight estimation of the privacy loss. By fixing some very smallδ, the growth of a composed˜ δ no longer (3) depends linearly on k. We setδ ≤ 1 |D| , where in the worst case w.r.t. the GEFCom data set |D| is the number of all households in the US in 2013 5 , i.e.,δ = 1 117,716,237 ≈ 10 −9 . In the end, each household is protected by (˜ δ ,δ)-Differential Privacy.  Regarding our aim to express the privacy guarantee in a comprehensible way,˜ δ is transformed into ρ by (5). The impact of λ on ρ is displayed in Figure 4 for various ∆f to illustrate the significant difference in presence detection likelihood when using theoretical worst case power consumption (i.e., ∆f = 48 kW) or realistic maximum demands (i.e., ∆f = 15.36 kW). Lowering ∆f to more realistic values causes ρ to decrease and consequently results in stronger protection against presence detection. Thus, for λ ≥ 50, 000, households with realistically estimated maximum loads (∆f ) have already acceptable privacy levels. At λ = 100, 000, even the theoretical worst case of 48 kW approaches the desired ρ = 0.6 (cf. Section 3.3).
The trade-off between privacy and utility is shown in Table 2. Both CountingLab's and Lloyds's model work better for the direct than for the hierarchical setting. In contrast, the hierarchical benchmark forecast outperforms its direct counterpart. Thus, only the benchmark model is a suitable candidate for differential privacy. This is an interesting and unexpected result (note that although the performance of Lloyd's forecast improves with limited amount of noise it never has a positive utility). The desired presence detection confidence region ρ ≤ 0.6 is achieved for the benchmark model for λ = 56, 234 with ∆f = 15.35 and offers a positive utility of 5.94% with respect to the direct forecast. Thus, a setting has been found where both, privacy and utility, have been reached. The authors want to highlight that they assume communication of individual, understandable presence detection risk ρ based on individual ∆f as crucial to foster consumer acceptance of privacy-preserving techniques.

Related Work
One of the first works to discuss and demonstrate privacy issues with smart metering was from Molina-Markham et al. [5]. Later, Greveler et al. [34] demonstrated that the TV program can be inferred based on high-resolution load monitoring. Most recently, Rafsanjani et al. [35] showed empirically that the occupancy of a commercial building can be estimated based on high-resolution energy consumption data with an accuracy above 95%.
Two prominent use-cases of smart metering data are electricity consumption billing and real-time monitoring for grid operations. For billing exact fees are important, so due to the addition of noise Differential Privacy has only rarely been applied [36]. Typically, privacy is improved by disclosing only the necessary information for the business process, which is, at best, the final cost of each individual. Molina-Markham et al. [5], Rial and Danezis [37], and Jawurek et al. [38] use Zero-Knowledge Protocols to provide a privacy-preserving billing.
For real-time electricity monitoring, information aggregated over a geographical or topological grid area is sufficient. The privacy enhancing approaches for this use-case are mostly based on mixing networks which are partially backed by homomorphic encryption. Examples include works by Li et al. [2], Garcia and Jacobs [39], Defend and Kursawe [40], and Finster and Baumgart [41].
All the approaches so far require the metering infrastructure to be designed in a specific way. As a privacy self-defence mechanism, a grid customer could resort to load obfuscation. Load Obfuscation physically manipulates the load profiles of households by using battery storage systems or controllable loads and generators. Examples are Kalogridis et al. [42] and McLaughlin et al. [43], who leverage batteries to shift loads, Chen et al. [44], who controls Combined Heat and Power plants, and Egarter et al. [45], who uses appliances in an energy management approach to protect privacy.
The closest related to our work are differentially private smart metering concepts. Ács and Castelluccia were the first to apply Differential Privacy on smart metering data. In their work [20], the Laplace mechanism is applied distributedly using Gamma distributions before the data is mixed with other Smart Meters in an aggregation group. Bao and Lu [4] investigated further the security and fault tolerance properties of the aggregation and mixing protocol. Eibl and Engel [46] introduced postprocessing to be applied on the perturbed data to improve the utility while still guaranteeing the same privacy level. They also discuss the required number of households in an aggregation group in order to be useful to the data analyst. Barbosa et al. [47] also discussed filtering techniques to improve utility after the noise has been added to the aggregate. Their work evaluates the protection of individual appliances in single households by considering multiple device sensitivities in load profiles and by using Differential Identifiability. However, they do not address the compatibility condition m = 2 to allow utilizing Differential Identifiability in Differential Privacy scenarios. Besides Differential Identifiability, another method for rationally choosing was proposed in [48]. Yet, this approach is purely economically driven and introduces a handful of new parameters depending again on subjective assumptions on a given scenario. As our focus is primarily on security, we decide to further analyze Differential Identifiability and its belief model only. From Ács et al. [20] we borrowed the idea to generate noise scaled to the Laplace mechanism with the gamma distribution. We carried their work further by connecting it to Differential Identifiability and load forecasting with utility guarantees.

Conclusion and Outlook
In this paper, we discussed that energy providers are interested in smart metering data to refine the forecast of domestic loads of their customers. As this conflicts with the privacy loss incurred by the acquisition of individual load profiles, we designed a differentially private metering process based on building blocks already proposed in previous works. Using three well-documented load forecasting approaches, we evaluate whether using smart metering data provides an actual benefit for the energy provider. We found out that this is not always the case and that the forecasting approaches are variously susceptible to noise. If smart metering data actually provides a utility to the energy provider, Differential Privacy allows to gradually trade-off utility against forecasting performance. Our results show that for one forecasting approach, reasonable utility can be reached while providing a strong privacy guarantee. In that case, Differential Identifiability even provides an intuitive interpretation of the amount of privacy loss.
Several important points have to considered when our concept is to be applied safely in practice: Firstly, there is no privacy guarantee for individual smart metering data of a single household. In particular, the sum of individual load and Gamma noise is still sensitive, therefore secure aggregation with other households is crucial. That is why we stated homomorphic encryption and masking or mixing as minimum requirement (cf. Section 3). Secondly, we considered privacy guarantees from a static snapshot of the scenario when the energy provider has collected approximately 4.5 years of zonal load profiles. Applying our approach in practice continuously would mean that the privacy guarantee is stronger if less than 4.5 years of data was collected from you. After 4.5 years our evaluated privacy guarantees would slowly degenerate. Thirdly and tightly connected to the second point, the historic and forecasted load profiles of our used data set were given with hourly read-out intervals. However in Europe, load profiles are acquired in 15 minute intervals. Our findings also apply to this case with the only difference that the privacy guarantee would hold for slightly more than one year instead of 4.5 years. Finally, if the privacy level offered by the energy provider is not high enough to protect the electricity usage of the whole household, the protection can still be interpreted for single household appliances. In this case, one has to be aware that the usage of this single appliance is not allowed to correlate to the (parallel) usage of other appliances.
There are several natural extensions to the presented work: Firstly, for utility evaluation, we used three well-documented point forecasting methods. Point forecast outputs only a single most-likely load value for one time interval. An extension to this work would be to evaluate differentially private metering with probabilistic forecasting methods (cf. [49]). Secondly, our concept pertubates and transmits the complete zonal time series to the energy provider and the forecasting model training is performed by the energy provider. In the future, we plan to integrate Differential Privacy directly into a distributed model training approach on the customer side using objective-function perturbation for less privacy loss and tighter guarantees. Thirdly, lowering the local sensitivity by minimizing the household's peak load leads to a stronger privacy level. Incidentally, automatic energy management systems like the ones described in [45] and [50] are able to shift controllable loads or control battery storages and combined heat and power plants to facilitate this idea. Fourthly, with the continual release of load data in practice, the privacy loss quantified by would slowly add up over the course of time. To be aware of one owns privacy situation, one needs to keep track of how much privacy was already leaked to which party. The data custodian proposed in [51] provides such an accounting service. Finally, the perturbed data could be filtered (e.g., using moving average or Kalman filters) to compensate the noise as already proposed in [4,46].
As final remark, using local sensitivities creates the incentive to limit one own's energy consumption due to privacy protection interests. Although this behavior may be beneficial to the electric grid, this would not be in the spirit of informational self-determination. That is why using the global sensitivity instead of local sensitivities should be preferred.