Dan Calacci,Alex Berke,Kent Larson,Alex,Pentland

DOI: https://doi.org/10.48550/arXiv.1905.09350

2019-12-10

Abstract:High-resolution individual geolocation data passively collected from mobile phones is increasingly sold in private markets and shared with researchers. This data poses significant security, privacy, and ethical risks: it's been shown that users can be re-identified in such datasets, and its collection rarely involves their full consent or knowledge. This data is valuable to private firms (e.g. targeted marketing) but also presents clear value as a public good. Recent public interest research has demonstrated that high-resolution location data can more accurately measure segregation in cities and provide inexpensive transit modeling. But as data is aggregated to mitigate its re-identifiability risk, its value as a good diminishes. How do we rectify the clear security and safety risks of this data, its high market value, and its potential as a resource for public good? We extend the recently proposed concept of a tradeoff curve that illustrates the relationship between dataset utility and privacy. We then hypothesize how this tradeoff differs between private market use and its potential use for public good. We further provide real-world examples of how high resolution location data, aggregated to varying degrees of privacy protection, can be used in the public sphere and how it is currently used by private firms.

Computers and Society,Information Theory

Vedran Sekara,Laura Alessandretti,Enys Mones,Håkan Jonsson

DOI: https://doi.org/10.1038/s41598-021-82294-1

IF: 4.6

2021-02-16

Scientific Reports

Abstract:Abstract Large-scale collection of human behavioural data by companies raises serious privacy concerns. We show that behaviour captured in the form of application usage data collected from smartphones is highly unique even in large datasets encompassing millions of individuals. This makes behaviour-based re-identification of users across datasets possible. We study 12 months of data from 3.5 million people from 33 countries and show that although four apps are enough to uniquely re-identify 91.2% of individuals using a simple strategy based on public information, there are considerable seasonal and cultural variations in re-identification rates. We find that people have more unique app-fingerprints during summer months making it easier to re-identify them. Further, we find significant variations in uniqueness across countries, and reveal that American users are the easiest to re-identify, while Finns have the least unique app-fingerprints. We show that differences across countries can largely be explained by two characteristics of the country specific app-ecosystems: the popularity distribution and the size of app-fingerprints. Our work highlights problems with current policies intended to protect user privacy and emphasizes that policies cannot directly be ported between countries. We anticipate this will nuance the discussion around re-identifiability in digital datasets and improve digital privacy.

multidisciplinary sciences

Jacopo Staiano,Nuria Oliver,Bruno Lepri,Rodrigo de Oliveira,Michele Caraviello,Nicu Sebe

DOI: https://doi.org/10.48550/arXiv.1407.0566

IF: 6.4588

2014-07-02

Human-Computer Interaction

Abstract:In the context of a myriad of mobile apps which collect personally identifiable information (PII) and a prospective market place of personal data, we investigate a user-centric monetary valuation of mobile PII. During a 6-week long user study in a living lab deployment with 60 participants, we collected their daily valuations of 4 categories of mobile PII (communication, e.g. phonecalls made/received, applications, e.g. time spent on different apps, location and media, photos taken) at three levels of complexity (individual data points, aggregated statistics and processed, i.e. meaningful interpretations of the data). In order to obtain honest valuations, we employ a reverse second price auction mechanism. Our findings show that the most sensitive and valued category of personal information is location. We report statistically significant associations between actual mobile usage, personal dispositions, and bidding behavior. Finally, we outline key implications for the design of mobile services and future markets of personal data.

Christos Perentis,Michele Vescovi,Chiara Leonardi,Corrado Moiso,Mirco Musolesi,Fabio Pianesi,Bruno Lepri

DOI: https://doi.org/10.1145/3017431

IF: 5.3

2017-05-28

ACM Transactions on Internet Technology

Abstract:The wide adoption of mobile devices and social media platforms have dramatically increased the collection and sharing of personal information. More and more frequently, users are called to make decisions concerning the disclosure of their personal information. In this study, we investigate the factors affecting users’ choices toward the disclosure of their personal data, including not only their demographic and self-reported individual characteristics, but also their social interactions and their mobility patterns inferred from months of mobile phone data activity. We report the findings of a field study conducted with a community of 63 subjects provided with (i) a smart-phone and (ii) a Personal Data Store (PDS) enabling them to control the disclosure of their data. We monitor the sharing behavior of our participants through the PDS and evaluate the contribution of different factors affecting their disclosing choices of location and social interaction data. Our analysis shows that social interaction inferred by mobile phones is an important factor revealing willingness to share, regardless of the data type. In addition, we provide further insights on the individual traits relevant to the prediction of sharing behavior.

computer science, information systems, software engineering

Nitin Kohli,Emily Aiken,Joshua Blumenstock

2023-06-16

Abstract:Personal mobility data from mobile phones and other sensors are increasingly used to inform policymaking during pandemics, natural disasters, and other humanitarian crises. However, even aggregated mobility traces can reveal private information about individual movements to potentially malicious actors. This paper develops and tests an approach for releasing private mobility data, which provides formal guarantees over the privacy of the underlying subjects. Specifically, we (1) introduce an algorithm for constructing differentially private mobility matrices, and derive privacy and accuracy bounds on this algorithm; (2) use real-world data from mobile phone operators in Afghanistan and Rwanda to show how this algorithm can enable the use of private mobility data in two high-stakes policy decisions: pandemic response and the distribution of humanitarian aid; and (3) discuss practical decisions that need to be made when implementing this approach, such as how to optimally balance privacy and accuracy. Taken together, these results can help enable the responsible use of private mobility data in humanitarian response.

Cryptography and Security

Evita Bakopoulou,Anastasia Shuba,Athina Markopoulou

DOI: https://doi.org/10.48550/arXiv.2008.08973

2020-08-19

Cryptography and Security

Abstract:Mobile devices have access to personal, potentially sensitive data, and there is a large number of mobile applications and third-party libraries that transmit this information over the network to remote servers (including app developer servers and third party servers). In this paper, we are interested in better understanding of not just the extent of personally identifiable information (PII) exposure, but also its context i.e., functionality of the app, destination server, encryption used, etc.) and the risk perceived by mobile users today. To that end we take two steps. First, we perform a measurement study: we collect a new dataset via manual and automatic testing and capture the exposure of 16 PII types from 400 most popular Android apps. We analyze these exposures and provide insights into the extent and patterns of mobile apps sharing PII, which can be later used for prediction and prevention. Second, we perform a user study with 220 participants on Amazon Mechanical Turk: we summarize the results of the measurement study in categories, present them in a realistic context, and assess users' understanding, concern, and willingness to take action. To the best of our knowledge, our user study is the first to collect and analyze user input in such fine granularity and on actual (not just potential or permitted) privacy exposures on mobile devices. Although many users did not initially understand the full implications of their PII being exposed, after being better informed through the study, they became appreciative and interested in better privacy practices.

Pedro Sanches,Eric-Oluf Svee,Markus Bylund,Benjamin Hirsch,Magnus Boman

DOI: https://doi.org/10.5539/nct.v2n1p34

2014-12-06

Abstract:Location and mobility patterns of individuals are important to environmental planning, societal resilience, public health, and a host of commercial applications. Mining telecommunication traffic and transactions data for such purposes is controversial, in particular raising issues of privacy. However, our hypothesis is that privacy-sensitive uses are possible and often beneficial enough to warrant considerable research and development efforts. Our work contends that peoples behavior can yield patterns of both significant commercial, and research, value. For such purposes, methods and algorithms for mining telecommunication data to extract commonly used routes and locations, articulated through time-geographical constructs, are described in a case study within the area of transportation planning and analysis. From the outset, these were designed to balance the privacy of subscribers and the added value of mobility patterns derived from their mobile communication traffic and transactions data. Our work directly contrasts the current, commonly held notion that value can only be added to services by directly monitoring the behavior of individuals, such as in current attempts at location-based services. We position our work within relevant legal frameworks for privacy and data protection, and show that our methods comply with such requirements and also follow best-practices

Computers and Society

Yang Liu,Andrew Simpson

DOI: https://doi.org/10.1007/978-3-030-42048-2_17

2019-01-01

Abstract:While the widespread use of mobile services offers a variety of benefits to mobile users, it also raises serious privacy concerns. We report the results of a user study that investigated the factors that influence the decision-making process pertaining to the trade-off between privacy and utility in mobile services. Through two focus groups, 16 individual interviews and a questionnaire survey involving 60 participants, the study identified awareness and knowledge of privacy risks, trust in service providers, desire for mobile services, and belief of cyber privacy as four factors that contribute to the perceived trade-off. The results also suggest that, with appropriate adoption, privacy-preserving tools can positively influence the privacy trade-off. In addition, our findings explore the cultural differences regarding privacy between participants from western countries (with the UK as the main representative) and China. In particular, the results suggest that participants from China are more likely to be comfortable with a government department protecting their individual privacy, while participants from western countries are more likely to wish to see such responsibility reside with some combination of individuals and non-governmental organisations.

Alexandra Kapp,Saskia Nuñez von Voigt,Helena Mihaljević,Florian Tschorsch

DOI: https://doi.org/10.1080/17489725.2022.2148008

2022-09-19

Abstract:The importance of human mobility analyses is growing in both research and practice, especially as applications for urban planning and mobility rely on them. Aggregate statistics and visualizations play an essential role as building blocks of data explorations and summary reports, the latter being increasingly released to third parties such as municipal administrations or in the context of citizen participation. However, such explorations already pose a threat to privacy as they reveal potentially sensitive location information, and thus should not be shared without further privacy measures. There is a substantial gap between state-of-the-art research on privacy methods and their utilization in practice. We thus conceptualize a standardized mobility report with differential privacy guarantees and implement it as open-source software to enable a privacy-preserving exploration of key aspects of mobility data in an easily accessible way. Moreover, we evaluate the benefits of limiting user contributions using three data sets relevant to research and practice. Our results show that even a strong limit on user contribution alters the original geospatial distribution only within a comparatively small range, while significantly reducing the error introduced by adding noise to achieve privacy guarantees.

Cryptography and Security,Other Computer Science

Joshua Blumenstock,Gabriel Cadamuro,Robert On

DOI: https://doi.org/10.1126/science.aac4420

IF: 56.9

2015-11-27

Science

Abstract:Accurate and timely estimates of population characteristics are a critical input to social and economic research and policy. In industrialized economies, novel sources of data are enabling new approaches to demographic profiling, but in developing countries, fewer sources of big data exist. We show that an individual's past history of mobile phone use can be used to infer his or her socioeconomic status. Furthermore, we demonstrate that the predicted attributes of millions of individuals can, in turn, accurately reconstruct the distribution of wealth of an entire nation or to infer the asset distribution of microregions composed of just a few households. In resource-constrained environments where censuses and household surveys are rare, this approach creates an option for gathering localized and timely information at a fraction of the cost of traditional methods.

multidisciplinary sciences

Eunyoung Im,Hyeoneui Kim,Hyungbok Lee,Xiaoqian Jiang,Ju Han Kim

DOI: https://doi.org/10.1186/s12911-024-02545-9

IF: 3.298

2024-06-01

BMC Medical Informatics and Decision Making

Abstract:Securing adequate data privacy is critical for the productive utilization of data. De-identification, involving masking or replacing specific values in a dataset, could damage the dataset's utility. However, finding a reasonable balance between data privacy and utility is not straightforward. Nonetheless, few studies investigated how data de-identification efforts affect data analysis results. This study aimed to demonstrate the effect of different de-identification methods on a dataset's utility with a clinical analytic use case and assess the feasibility of finding a workable tradeoff between data privacy and utility.

medical informatics

Pierre Deville,Catherine Linard,Samuel Martin,Marius Gilbert,Forrest R. Stevens,Andrea E. Gaughan,Vincent D. Blondel,Andrew J. Tatem

DOI: https://doi.org/10.1073/pnas.1408439111

IF: 11.1

2014-10-27

Proceedings of the National Academy of Sciences

Abstract:Significance Knowing where people are is critical for accurate impact assessments and intervention planning, particularly those focused on population health, food security, climate change, conflicts, and natural disasters. This study demonstrates how data collected by mobile phone network operators can cost-effectively provide accurate and detailed maps of population distribution over national scales and any time period while guaranteeing phone users’ privacy. The methods outlined may be applied to estimate human population densities in low-income countries where data on population distributions may be scarce, outdated, and unreliable, or to estimate temporal variations in population density. The work highlights how facilitating access to anonymized mobile phone data might enable fast and cheap production of population maps in emergency and data-scarce situations.

multidisciplinary sciences

Huandong Wang,Yong Li,Chen Gao,Gang Wang,Xiaoming Tao,Depeng Jin

DOI: https://doi.org/10.1109/tmc.2019.2952774

IF: 6.075

2021-03-01

IEEE Transactions on Mobile Computing

Abstract:Human mobility trajectories are increasingly collected by ISPs to assist academic research and commercial applications. Meanwhile, there is a growing concern that individual trajectories can be de-anonymized when the data is shared, using information from external sources (e.g., online social networks). To understand this risk, prior works either estimate the theoretical privacy bound or simulate de-anonymization attacks on synthetically created datasets. However, it is not clear how well the theoretical estimations are preserved in practice. In this article, we collected a large-scale ground-truth trajectory dataset from 2,161,500 users of a cellular network, and two matched external trajectory datasets from a large social network (56,683 users) and a check-in/review service (45,790 users) on the same user population. The two sets of large ground-truth data provide a rare opportunity to extensively evaluate a variety of de-anonymization algorithms (nine in total). We find that their performance in the real-world dataset is far from the theoretical bound. Further analysis shows that most algorithms have under-estimated the impact of spatio-temporal mismatches between the data from different sources, and the high sparsity of user generated data also contributes to the under-performance. Based on these insights, we propose four new algorithms that are specially designed to tolerate spatial or temporal mismatches (or both) and model location contexts and time contexts. Extensive evaluations show that our algorithms achieve more than 17 percent performance gain over the best existing algorithms, confirming our insights. Further, we propose two new location-privacy preserving mechanisms utilizing the spatio-temporal mismatches to better protect users' privacy against the de-anonymization attack. Evaluation results show that our proposed mechanisms can reduce the performance of de-anonymization attacks by over 8.0 percent, demonstrating the effectivene-s of our insights.

computer science, information systems,telecommunications

Salman Salamatian,Amy Zhang,Flavio du Pin Calmon,Sandilya Bhamidipati,Nadia Fawaz,Branislav Kveton,Pedro Oliveira,Nina Taft

DOI: https://doi.org/10.1109/jstsp.2015.2442227

IF: 7.695

2015-10-01

IEEE Journal of Selected Topics in Signal Processing

Abstract:We propose a practical methodology to protect a user's private data, when he wishes to publicly release data that is correlated with his private data, to get some utility. Our approach relies on a general statistical inference framework that captures the privacy threat under inference attacks, given utility constraints. Under this framework, data is distorted before it is released, according to a probabilistic privacy mapping. This mapping is obtained by solving a convex optimization problem, which minimizes information leakage under a distortion constraint. We address practical challenges encountered when applying this theoretical framework to real world data. On one hand, the design of optimal privacy mappings requires knowledge of the prior distribution linking private data and data to be released, which is often unavailable in practice. On the other hand, the optimization may become untractable when data assumes values in large size alphabets, or is high dimensional. Our work makes three major contributions. First, we provide bounds on the impact of a mismatched prior on the privacy-utility tradeoff. Second, we show how to reduce the optimization size by introducing a quantization step, and how to generate privacy mappings under quantization. Third, we evaluate our method on two datasets, including a new dataset that we collected, showing correlations between political convictions and TV viewing habits. We demonstrate that good privacy properties can be achieved with limited distortion so as not to undermine the original purpose of the publicly released data, e.g., recommendations.

engineering, electrical & electronic

Fengli Xu,Zhen Tu,Yong Li

DOI: https://doi.org/10.1109/tnsm.2019.2926488

2020-01-01

IEEE Transactions on Network and Service Management

Abstract:Large scale cellular network accessing records are generated by mobile users on daily basis, which leave fine-grained footprints that have potential to compromise the privacy of user mobility. Abundant previous researches have demonstrated that simple anonymization has limited effect in preserving user’s privacy due to prevalence of re-identification attacks. As a result, the mobile operators and application vendors usually turn to a more aggressive solution that is removing the identifier (ID) of each entry in the records. Cellular data sets owners believe that such procedure is sufficient for preserving user’s privacy, since the attackers cannot directly put together the cellular records that belong to one individual, let alone recover user’s identity. However, in this paper, we argue and prove that simply removing the IDs is not sufficient for preserving mobile users’ privacy. We develop a mechanism that is able to extract the mobility patterns of users from cellular records and associate ID-removed records belonging to same individuals. Extensive experiments show that 70%~80% records of each user on average can be accurately recovered for two data sets collected from both mobile application and mobile operator side at the scale of several thousands to tens of thousands users. We find that the number of users released, the temporal and spatial granularity, and the speed of user movement are key factors that determine the privacy leakage in the ID-removed cellular data sets.

Jeffrey Murray,Afra Mashhadi,Brent Lagesse,Michael Stiber,Jeffrey Murray Jr

DOI: https://doi.org/10.48550/arXiv.2101.09834

2021-01-25

Cryptography and Security

Abstract:With mobile phone penetration rates reaching 90%, Consumer Proprietary Network Information (CPNI) can offer extremely valuable information to different sectors, including policymakers. Indeed, as part of CPNI, Call Detail Records have been successfully used to provide real-time traffic information, to improve our understanding of the dynamics of people's mobility and so to allow prevention and measures in fighting infectious diseases, and to offer population statistics. While there is no doubt of the usefulness of CPNI data, privacy concerns regarding sharing individuals' data have prevented it from being used to its full potential. Traditional de-anonymization measures, such as pseudonymization and standard de-identification, have been shown to be insufficient to protect privacy. This has been specifically shown on mobile phone datasets. As an example, researchers have shown that with only four data points of approximate place and time information of a user, 95% of users could be re-identified in a dataset of 1.5 million mobile phone users. In this landscape paper, we will discuss the state-of-the-art anonymization techniques and their shortcomings.

Luoyang Fang,Xiang Cheng,Liuqing Yang,Haonan Wang

DOI: https://doi.org/10.1007/s41650-018-0028-z

2018-01-01

Journal of Communications and Information Networks

Abstract:Mobile big data collected by mobile network operators is of interest to many research communities and industries for its remarkable values. However, such spatiotemporal information may lead to a harsh threat to subscribers’ privacy. This work focuses on subscriber privacy vulnerability assessment in terms of user identifiability across two datasets with significant detail reduced mobility representation. In this paper, we propose an innovative semantic spatiotemporal representation for each subscriber based on the geographic information, termed as daily habitat region, to approximate the subscriber’s daily mobility coverage with far lesser information compared with original mobility traces. The daily habitat region is realized via convex hull extraction on the user’s daily spatiotemporal traces. As a result, user identification can be formulated to match two records with the maximum similarity score between two convex hull sets, obtained by our proposed similarity measures based on cosine distance and permutation hypothesis test. Experiments are conducted to evaluate our proposed innovative mobility representation and user identification algorithms, which also demonstrate that the subscriber’s mobile privacy is under a severe threat even with significantly reduced spatiotemporal information.

Abdullah Almaatouq,Francisco Prieto-Castrillo,Alex Pentland

DOI: https://doi.org/10.1007/978-3-319-47880-7_25

2016-09-07

Abstract:The mapping of populations socio-economic well-being is highly constrained by the logistics of censuses and surveys. Consequently, spatially detailed changes across scales of days, weeks, or months, or even year to year, are difficult to assess; thus the speed of which policies can be designed and evaluated is limited. However, recent studies have shown the value of mobile phone data as an enabling methodology for demographic modeling and measurement. In this work, we investigate whether indicators extracted from mobile phone usage can reveal information about the socio-economical status of microregions such as districts (i.e., average spatial resolution < 2.7km). For this we examine anonymized mobile phone metadata combined with beneficiaries records from unemployment benefit program. We find that aggregated activity, social, and mobility patterns strongly correlate with unemployment. Furthermore, we construct a simple model to produce accurate reconstruction of district level unemployment from their mobile communication patterns alone. Our results suggest that reliable and cost-effective economical indicators could be built based on passively collected and anonymized mobile phone data. With similar data being collected every day by telecommunication services across the world, survey-based methods of measuring community socioeconomic status could potentially be augmented or replaced by such passive sensing methods in the future.

Social and Information Networks,Computers and Society,Physics and Society

Nitin Kohli,Joshua Blumenstock

2024-08-24

Abstract:The proliferation of mobile phones in low- and middle-income countries has suddenly and dramatically increased the extent to which the world's poorest and most vulnerable populations can be observed and tracked by governments and corporations. Millions of historically "off the grid" individuals are now passively generating digital data; these data, in turn, are being used to make life-altering decisions about those individuals -- including whether or not they receive government benefits, and whether they qualify for a consumer loan. This paper develops an approach to implementing algorithmic decisions based on personal data, while also providing formal privacy guarantees to data subjects. The approach adapts differential privacy to applications that require decisions about individuals, and gives decision makers granular control over the level of privacy guaranteed to data subjects. We show that stronger privacy guarantees typically come at some cost, and use data from two real-world applications -- an anti-poverty program in Togo and a consumer lending platform in Nigeria -- to illustrate those costs. Our empirical results quantify the tradeoff between privacy and predictive accuracy, and characterize how different privacy guarantees impact overall program effectiveness. More broadly, our results demonstrate a way for humanitarian programs to responsibly use personal data, and better equip program designers to make informed decisions about data privacy.

Cryptography and Security

Jian Xu,Wei Wang,Jian Pei,Xiaoyuan Wang,Baile Shi,Ada Wai-Chee Fu

DOI: https://doi.org/10.1145/1233321.1233324

2006-01-01

ACM SIGKDD Explorations Newsletter

Abstract:Privacy becomes a more and more serious concern in applications involving microdata. Recently, efficient anonymization has attracted much research work. Most of the previous methods use global recoding, which maps the domains of the quasi-identifier attributes to generalized or changed values. However, global recoding may not always achieve effective anonymization in terms of discernability and query answering accuracy using the anonymized data. Moreover, anonymized data is often used for analysis. As well accepted in many analytical applications, different attributes in a data set may have different utility in the analysis. The utility of attributes has not been considered in the previous methods. In this paper, we study the problem of utility-based anonymization. First, we propose a simple framework to specify utility of attributes. The framework covers both numeric and categorical data. Second, we develop two simple yet efficient heuristic local recoding methods for utility-based anonymization. Our extensive performance study using both real data sets and synthetic data sets shows that our methods outperform the state-of-the-art multidimensional global recoding methods in both discernability and query answering accuracy. Furthermore, our utility-based method can boost the quality of analysis using the anonymized data.