A privacy-preserving opt-out mechanism for returning to campus

In a phased reopening of MIT, some members of our community (graduate student researchers, faculty, and staff) may not yet feel comfortable returning to campus. Yet, they might not raise these concerns for fear of repercussions from their supervisors. To create an atmosphere in which concerned employees can opt-out anonymously and work remotely, we propose a mechanism to recruit other workers to volunteer to be randomly selected to stay home. Volunteers would be reimbursed and, by acting for the common good, they provide a mechanism to preserve the privacy of those opting-out owing to health concerns. The mechanism presents a trade-off between privacy and efficiency by enabling people who have the greatest need to work on campus to do so. The following proposal is in response to a question posed by MIT’s Vice Chancellor Ian Waitz.

Before deploying the proposed mechanism, subunits of MIT (e.g., labs or dining halls) and target occupancies should be identified. Choosing target occupancies is a complex decision problem which we do not tackle with our proposal. Given a target occupancy, we propose to use the following mechanism to select who should be on campus in each subunit.

First, workers express their concerns, if existent, using a private means of communication, e.g., through a personalized survey. Using similar means of communication, other workers announce a reimbursement amount that would incentivize them to work remotely. MIT then chooses a reimbursement threshold t. (We discuss the choice of the threshold in the next paragraph.) Workers who “bid” an amount below t constitute the pool of potential volunteers. From the potential volunteers, a small group of volunteers, e.g., 5% of the number of those with concerns, is randomly chosen (e.g. if 100 people express concerns, MIT randomly selects 5 people from the pool of volunteers). An MIT entity (not directly related to supervisors) informs concerned workers, volunteers and their supervisors that they were chosen to work remotely. Payments to volunteers are deposited directly into the volunteer’s bank accounts, without access by supervisors.

As the group of chosen volunteers might also face repercussions, these are randomly selected from a larger pool that bid below a threshold t. This selection mechanism preserves the privacy of selected volunteers. By deciding on a threshold t, and randomly selecting only from those that bid a smaller amount, those most in need to work on campus are not forced to continue to work remotely.

Periodically (e.g. every three weeks), before the composition of workers on-site changes, MIT repeats this mechanism. If the same group raises concerns over an extended period of time, volunteers already working remotely will be asked to update their required reimbursement amount. Up to a limit which MIT does not disclose, these workers are reimbursed in excess of what they announced in the first round of the mechanism. The rest of the volunteer group is selected as described above. This helps workers with longer-lasting concerns to work remotely without their supervisors being certain of them having concerns.

The required number of volunteers need only be a small percentage (e.g., 5%) of the number of concerned workers in order to provide a “harmless explanation” for working remotely. For example, if 40 workers raise concerns, 4 workers that are randomly selected to work remotely could obscure the identity of those that opted-out. Then, in this example, with a probability of about 4.7%, an employee working from home is a volunteer. Hence, without additional information, a supervisor cannot be sure which employees have opted-out or volunteered.

Policy Parameters

  • We estimate 5% as the percentage of the number of concerned workers to constitute the group of volunteers; however, this could (and probably should) be chosen differently as informed by psychology.
  • The bidding threshold t will depend on the bids by workers and trade-offs between privacy and efficiency. On the one side, it has to be low enough so that reimbursements remain reasonable and workers most in need to work on-site are not in the pool of potential volunteers; on the other hand, it has to be high enough so that selected volunteers randomly drawn from the initial pool cannot be reproached for their low bid.
  • Selecting the sub-units also presents a trade-off between efficiency and privacy. If one subunit is too heterogeneous, then the willingness to accept working remotely, and hence the bids, could be different for different kinds of workers (e.g. dining staff vs. experimentalists vs. theoreticians). This could lead to a situation in which the pool of potential volunteers is biased towards one subgroup, such as non-experimentalists within graduate student researchers. On the other hand, if the subunits are too narrow (e.g. one group is one lab), then indivisibilities (e.g. 5% of cases would be 0.5 workers) might lead to more severe inefficiencies.

Theoretical Properties

  • The one-shot version of this system is cost-minimizing in the class of mechanisms (i) in which people with concerns work remotely and are not incentivized to work on-site using money and (ii) that upper bound the probability that an agent staying home raised concerns.
  • The mechanism induces incentives to make unilateral inflation of bids nonprofitable.


  • This system is a mid-term solution that provides a “harmless explanation” for concerned workers: the level of privacy preservation decays with repetitions of the mechanism; i.e. in the long-term, other strategies need to be deployed (ideally through the implementation of policies that alleviate the health concerns of the people opting out).
  • The system is theoretically gameable if all workers collude and bid high. Yet such a cartel, aside from violating the the MIT Rules of Conduct, would need to be large and would require a high degree of coordination for a small reward; namely the reimbursement would need to be internally shared between all members of the cartel in the amount earned by a handful of members.

For further details, please contact: Andreas Haupt and Manon Revel.

© MIT Institute for Data, Systems, and Society | 77 Massachusetts Avenue | Cambridge, MA 02139-4307 | 617-253-1764 |