Yang Cao,Yonghui Xiao,Li Xiong,Liquan Bai

DOI: https://doi.org/10.1109/icde.2019.00153

2019-04-01

Abstract:Location privacy-preserving mechanisms (LPPMs) have been extensively studied for protecting a user’s location at each time point or a sequence of locations with different timestamps (i.e., a trajectory). We argue that existing LPPMs are not capable of protecting the sensitive information in user’s spatiotemporal activities, such as "visited hospital in the last week" or "regularly commuting between Address 1 and Address 2 every morning and afternoon" (it is easy to infer that Addresses 1 and 2 may be home and office). To address this problem, we define the spatiotemporal event as a new privacy goal, which can be formalized as Boolean expressions between location and time predicates. We show that the spatiotemporal event is a generalization of a single location or a trajectory which is protected by existing LPPMs, while some types of spatiotemporal event may not be protected by the existing LPPMs. Hence, we formally define ϵ-spatiotemporal event privacy which is an indistinguishability-based privacy metric. It turns out that, interestingly, such privacy metric is orthogonal to the existing indistinguishability-based location privacy metric such as Geo-indistinguishability. We also discuss the potential solution to achieve both ϵ-spatiotemporal event privacy and Geo-indistinguishability.

Rongxing Lu,Xiaodong Lin,Zhiguo Shi,Jun Shao

DOI: https://doi.org/10.1109/infocom.2014.6848003

2014-01-01

Abstract:In this paper, we propose a privacy-preserving framework, called PLAM, for local-area mobile social networks. The proposed PLAM framework employs a privacy-preserving request aggregation protocol with k-Anonymity and l-Diversity properties while without involving a trusted anonymizer server to keep user preference privacy when querying location-based service (LBS), and integrates unlinkable pseudo-ID technique to achieve user identity privacy, location privacy. Moreover, the proposed PLAM framework also introduces the privacy-preserving and verifiable polynomial computation to keep LBS provider's functions private while preventing the provider from cheating in computation. Detailed security analysis shows that the proposed PLAM framework can not only achieve desirable privacy requirements but also resist outside attacks on source authentication, data integrity and availability. In addition, extensive simulations are also conducted, and simulation results guide us on how to set proper thresholds for k-anonymity, l-diversity to make a tradeoff between the desirable user preference privacy level and the request delay in different scenarios.

Alireza Partovi,Wei Zheng,Taeho Jung,Hai Lin

DOI: https://doi.org/10.48550/arXiv.2002.10055

2020-02-24

Abstract:In recent years, the widespread of mobile devices equipped with GPS and communication chips has led to the growing use of location-based services (LBS) in which a user receives a service based on his current location. The disclosure of user's location, however, can raise serious concerns about user privacy in general, and location privacy in particular which led to the development of various location privacy-preserving mechanisms aiming to enhance the location privacy while using LBS applications. In this paper, we propose to model the user mobility pattern and utility of the LBS as a Markov decision process (MDP), and inspired by probabilistic current state opacity notation, we introduce a new location privacy metric, namely $\epsilon-$privacy, that quantifies the adversary belief over the user's current location. We exploit this dynamic model to design a LPPM that while it ensures the utility of service is being fully utilized, independent of the adversary prior knowledge about the user, it can guarantee a user-specified privacy level can be achieved for an infinite time horizon. The overall privacy-preserving framework, including the construction of the user mobility model as a MDP, and design of the proposed LPPM, are demonstrated and validated with real-world experimental data.

Cryptography and Security

Rong Fang,Jianmin Han,Juan Yu,Xin Yao,Hao Peng,Jianfeng Lu

DOI: https://doi.org/10.1007/978-3-030-67540-0_5

2021-01-01

Abstract:Location-Based Service (LBS) is one of basic services in collaborative applications. However, LBS applications may disclose user’s location privacy, which receives considerable concerns. Many methods have been proposed to protect privacy in LBS. Planar Isotropic Mechanism (PIM) is a typical location privacy preservation method in the scenario of continuous location data release. However, the method is complicated, since it requires two convex hull transformations and one isotropic position transform. To solve the problem, we propose a Staircase Mechanism (SM) based location privacy preservation method for the scenario of continuous location data release. The proposed method replaces PIM with SM, whose implementation is simple and efficient. Furthermore, SM can achieve the same privacy budget with less noise addition, so it can maintain higher quality of services in LBS. Comprehensive experiments conducted on real location data demonstrate that the proposed method is efficient and can maintain high data utility compared with the method based on PIM.

Yu Wang,Dingbang Xu,Xiao He,Chao Zhang,Fan Li,Bin Xu

DOI: https://doi.org/10.1109/INFCOM.2012.6195577

2012-01-01

Abstract:Location privacy has been a serious concern for mobile users who use location-based services provided by the third-party provider via mobile networks. Recently, there have been tremendous efforts on developing new anonymity or obfuscation techniques to protect location privacy of mobile users. Though effective in certain scenarios, these existing techniques usually assume that a user has a constant privacy requirement along spatial and/or temporal dimensions, which may not be true in real-life scenarios. In this paper, we introduce a new location privacy problem: Location-aware Location Privacy Protection (L2P2) problem, where users can define dynamic and diverse privacy requirements for different locations. The goal of the L2P2 problem is to find the smallest cloaking area for each location request so that diverse privacy requirements over spatial and/or temporal dimensions are satisfied for each user. In this paper, we formalize two versions of the L2P2 problem, and propose several efficient heuristics to provide such location-aware location privacy protection for mobile users. Through multiple simulations on a large data set of trajectories for one thousand mobile users, we confirm the effectiveness and efficiency of the proposed L2P2 algorithms.

Mingge Cao,Haopeng Zhu,Minghui Min,Yulu Li,Shiyin Li,Hongliang Zhang,Zhu Han

2024-01-20

Abstract:Location-based services (LBSs) in vehicular ad hoc networks (VANETs) offer users numerous conveniences. However, the extensive use of LBSs raises concerns about the privacy of users' trajectories, as adversaries can exploit temporal correlations between different locations to extract personal information. Additionally, users have varying privacy requirements depending on the time and location. To address these issues, this paper proposes a personalized trajectory privacy protection mechanism (PTPPM). This mechanism first uses the temporal correlation between trajectory locations to determine the possible location set for each time instant. We identify a protection location set (PLS) for each location by employing the Hilbert curve-based minimum distance search algorithm. This approach incorporates the complementary features of geo-indistinguishability and distortion privacy. We put forth a novel Permute-and-Flip mechanism for location perturbation, which maps its initial application in data publishing privacy protection to a location perturbation mechanism. This mechanism generates fake locations with smaller perturbation distances while improving the balance between privacy and quality of service (QoS). Simulation results show that our mechanism outperforms the benchmark by providing enhanced privacy protection while meeting user's QoS requirements.

Cryptography and Security

Hongtao Li,Yue Wang,Feng Guo,Jie Wang,Bo Wang,Chuankun Wu

DOI: https://doi.org/10.1155/2021/4696455

2021-06-30

Wireless Communications and Mobile Computing

Abstract:Location-based services (LBS) have become an important research area with the rapid development of mobile Internet technology, GPS positioning technology, and the widespread application of smart phones and social networks. LBS can provide convenience and flexibility for the users’ daily life, but at the same time, it also brings security risks to the users’ privacy. Untrusted or malicious LBS servers can collect users’ location data through various ways and disclose it to the third party, thus causing users’ privacy leakage. In this paper, a differential privacy location protection method based on the Markov model for user’s location privacy is proposed. Firstly, the transition probability matrix between states of the n -order Markov model is used to predict the occurrence state and development trend of events; thereby, the user’s location is predicted, and then a location prediction algorithm based on the Markov model (LPAM) is proposed. Secondly, a location protection algorithm based on differential privacy (LPADP) is proposed, in which location privacy tree (LPT) is constructed according to the location data and the difficulty of retrieval, the two nodes with the largest predicted value of LPT are allocated with a reasonable privacy budget, and Laplace noise is added to protect location privacy. Theoretical analysis and experimental results show that the proposed method not only meets the requirements of differential privacy and protects location privacy effectively but also has high data availability and low time complexity.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yonghui Xiao,Li Xiong

DOI: https://doi.org/10.1145/2810103.2813640

2015-11-05

Abstract:Concerns on location privacy frequently arise with the rapid development of GPS enabled devices and location-based applications. While spatial transformation techniques such as location perturbation or generalization have been studied extensively, most techniques rely on syntactic privacy models without rigorous privacy guarantee. Many of them only consider static scenarios or perturb the location at single timestamps without considering temporal correlations of a moving user's locations, and hence are vulnerable to various inference attacks. While differential privacy has been accepted as a standard for privacy protection, applying differential privacy in location based applications presents new challenges, as the protection needs to be enforced on the fly for a single user and needs to incorporate temporal correlations between a user's locations. In this paper, we propose a systematic solution to preserve location privacy with rigorous privacy guarantee. First, we propose a new definition, "$\delta$-location set" based differential privacy, to account for the temporal correlations in location data. Second, we show that the well known $\ell_1$-norm sensitivity fails to capture the geometric sensitivity in multidimensional space and propose a new notion, sensitivity hull, based on which the error of differential privacy is bounded. Third, to obtain the optimal utility we present a planar isotropic mechanism (PIM) for location perturbation, which is the first mechanism achieving the lower bound of differential privacy. Experiments on real-world datasets also demonstrate that PIM significantly outperforms baseline approaches in data utility.

Databases,Cryptography and Security

Sheng Gao,Jianfeng Ma,Weisong Shi,Guoxing Zhan

DOI: https://doi.org/10.1002/wcm.2324

2012-12-06

Wireless Communications and Mobile Computing

Abstract:The ubiquity of mobile devices has facilitated the prevalence of participatory sensing, whereby ordinary citizens use their private mobile devices to collect regional information and to share with participators. However, such applications may endanger the users' privacy by revealing their locations and trajectories information. Most of existing solutions, which hide a user's location information with a coarse region, are under k‐anonymity model. Yet, they may not be applicable in some participatory sensing applications that require precise location information. The goals are seemingly contradictory: to protect a user's location privacy while simultaneously providing precise location information for a high quality of service. In this paper, we propose a method to meet both goals. Through selecting a certain number of a user's partners, it can protect the user's location privacy while providing precise location information. The user's trajectory privacy can be protected by constructing several trajectories that are similar to the user's trajectory in an interval time T. Finally, we utilize a new metric, called slope ratio, to evaluate the partners' selection algorithm that we proposed. Then, we measure the privacy level that the location and trajectory privacy protection mechanism (LTPPM) can achieve. The analysis and simulation results show that LTPPM can protect the user's location and trajectory privacy effectively and also provide a high quality of service in participatory sensing. Copyright © 2012 John Wiley & Sons, Ltd. Location and trajectory privacy problems are the main obstacles to the success of participatory sensing. However, most of existing anonymous methods hide a user's location with a coarse region, which may reduce quality of services. Moreover, the disclosure of trajectory may also reveal the user's location. In this paper, subject to high quality of services, we propose to protect the user's location and trajectory privacy on the basis of equivalence classes formed by his or her partners and present a new metric, named slope ratio, to evaluate trajectory similarity.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hao Zhou,Yingjie Wu,Sisi Zhong,Zhao Luo,Xiaodong Wang

DOI: https://doi.org/10.1109/icicee.2012.418

2012-01-01

Abstract:The query privacy issue in location-based services (LBS) has recently received considerable attention. To protect the query privacy of users, current state-of-the-art techniques adopt cloaking which cloaks the sender's location to k-anonymized spatial region (ASR), such that an attack based on the sender's location cannot identify the query source with probability larger than 1/k, among other k-1 users. However, these techniques do not consider that these k-1 additional mobile users with different privacy requirements may send request at the same time. In this paper, we propose a new attack model that an adversary who observes all the ASRs at one time can identify the query source with probability larger than 1/k based on prior knowledge of the locations of all users. And we propose our two algorithms, namely, Basic and Adaptive Algorithms, which strengthen the privacy guarantee to defend such inference attack while still support personalized user privacy requirements. We verify the effectiveness of the proposed algorithms by experiments on location data which synthetically generated on real road maps.

Yilei Wang,Hao Zhou,Yingjie Wu,Lan Sun

DOI: https://doi.org/10.1109/iccse.2012.6295197

2012-01-01

Abstract:Recently, several techniques have been proposed to protect the user location privacy for location-based services in road network environments. A typical approach for user location privacy protection is to blur a user location into a cloaked set of road segments S such that S satisfies the user specified privacy requirements. However, these location cloaking algorithms work with snapshot locations only and do not consider the effect of continuous location updates. Applying these algorithms directly to continuous queries would lead to privacy leakage if attackers have knowledge about maximum user velocity, namely velocity-based Attack. In this paper, we present the privacy safety condition to defend against velocity-based attack, and propose an anonymity algorithm based on greedy strategy to preserve user privacy. The experiment results based on dataset of real network show the algorithm is effective and feasible.

Hang Shen,Guangwei Bai,Mei Yang,Zhonghui Wang

DOI: https://doi.org/10.1016/j.jnca.2017.01.018

IF: 7.574

2017-03-01

Journal of Network and Computer Applications

Abstract:The existing evaluation methods for location privacy protection mechanism (LPPM) focus mainly on location privacy at the time of issuing a location-based query, and rarely consider trajectory privacy from where multiple successive queries are issued. This paper provides a user-centric analysis of trajectory privacy protection against tracking attacks in presence of quality-loss and energy constraints, focusing on impact of user query behavior within a certain period of time. We consider an attacker with adversarial knowledge on users’ activity and mobility profiles to run tracking attacks, against which users employ LPPMs that incorporate location semantic diversity to maximize trajectory privacy. The attack and defense problems are formalized as a Bayesian Stackelberg game for quantitative analysis. Real location traces are used to assess the LPPMs’ effectiveness, and to find optimal query strategy. The results confirm that query behavior has a significant impact on improving trajectory privacy. Despite increased number of queries to improve trajectory privacy, the effectiveness may be decreased with a longer observation time. At the same query rate, prolonging observation time is beneficial for privacy improvement. We also find that dummy-based LPPM often provides better protection with a stringent energy constraint, while precision-based LPPM performs better under a stringent quality-loss constraint or under a loose energy constraint. At optimal trajectory privacy, quality-loss of precision-based LPPM is lower than that of dummy-based LPPM, but there is an opposite result in terms of energy cost.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Ruxue Wen,Rui Zhang,Kai Peng,Chen Wang

DOI: https://doi.org/10.1109/trustcom53373.2021.00065

2021-01-01

Abstract:With the development of location-based services (LBS), concerns on location privacy frequently arise. Location data often contains users' sensitive information, and direct release it may pose a threat to users' privacy. Differential privacy (DP), as a privacy preserving method with solid mathematical foundation, has been widely used in location data release. However, most if not all of the existing location DP mechanisms only consider static scenarios or perturb the location at single timestamp, which are vulnerable to the so-called location-dependent attacks (LDA) in continuous LBS queries. In this paper, an optimal location DP mechanism against LDA is proposed. Firstly, the necessary conditions for LDA defense are derived by combining the perturbation mechanism of location DP. Then the algorithm of safe perturbance region generation is established to dynamically calculate the perturbation range at each timestamp. Finally, we set up the optimization problem with the real-time quality loss as the optimization objective and the location DP and safe perturbance region as the optimization conditions, and realize the optimal DP mechanism for LDA by solving the optimization problem. Experiment results on real-world datasets show that our mechanism can effectively resist LDA, which also balance privacy protection and data utility well.

Weiqi Zhang,Zhenzhen Xie,Akshita Maradapu Vera Venkata Sai,Qasim Zia,Zaobo He,Guisheng Yin

DOI: https://doi.org/10.26599/tst.2023.9010072

2024-04-01

Abstract:The widespread availability of GPS has opened up a whole new market that provides a plethora of location-based services. Location-based social networks have become very popular as they provide end users like us with several such services utilizing GPS through our devices. However, when users utilize these services, they inevitably expose personal information such as their ID and sensitive location to the servers. Due to untrustworthy servers and malicious attackers with colossal background knowledge, users' personal information is at risk on these servers. Unfortunately, many privacy-preserving solutions for protecting trajectories have significantly decreased utility after deployment. We have come up with a new trajectory privacy protection solution that contraposes the area of interest for users. Firstly, Staying Points Detection Method based on Temporal-Spatial Restrictions (SPDM-TSR) is an interest area mining method based on temporal-spatial restrictions, which can clearly distinguish between staying and moving points. Additionally, our privacy protection mechanism focuses on the user's areas of interest rather than the entire trajectory. Furthermore, our proposed mechanism does not rely on third-party service providers and the attackers' background knowledge settings. We test our models on real datasets, and the results indicate that our proposed algorithm can provide a high standard privacy guarantee as well as data availability.

computer science, information systems,engineering, electrical & electronic, software engineering

Xinyue Sun,Qingqing Ye,Haibo Hu,Jiawei Duan,Qiao Xue,Tianyu Wo,Weizhe Zhang,Jie Xu

DOI: https://doi.org/10.1109/tifs.2024.3480712

IF: 7.231

2024-10-30

IEEE Transactions on Information Forensics and Security

Abstract:Valuable information and knowledge can be learned from users' location traces and support various location-based applications such as intelligent traffic control, incident response, and COVID-19 contact tracing. However, due to privacy concerns, no authority could simply collect users' private location traces for mining or even publishing. To echo such concerns, local differential privacy (LDP) enables individual privacy by allowing each user to report a perturbed version of their data. Unfortunately, when applied to location traces, LDP cannot preserve the semantics in the context of location traces because it treats all locations (i.e., various points of interest) as equally sensitive. This results in a low utility of LDP mechanisms for collecting location traces. In this paper, we address the challenge of collecting and sharing location traces with valuable semantics while providing sufficient privacy protection for participating users. We first propose semantic-constrained local differential privacy (SLDP), a new privacy model to provide a provable mathematical privacy guarantee while preserving desirable semantics. Then, we design a location trace perturbation mechanism (LTPM) that users can use to perturb their traces in a way that satisfies SLDP. Finally, we propose a private location trace synthesis (PLTS) framework in which users use LTPM to perturb their traces before sending them to the collector, who aggregates the users' perturbed data to generate location traces with valuable semantics. Extensive experiments on three real-world datasets demonstrate that our PLTS outperforms existing state-of-the-art methods by at least 21% in a range of real-world applications, such as spatial visiting queries and frequent pattern mining, under the same privacy leakage.

computer science, theory & methods,engineering, electrical & electronic

Xin Wang,Pengrou Shi,Jiaqian Li,Yingxue Yang,Fan Yang,Hongnian Yu,Jingjing Wang

DOI: https://doi.org/10.1109/ICAC55051.2022.9911102

2022-01-01

Abstract:recently, the fast growth of mobile devices and location technology has improved users’ lives and created enormous prospects for diverse applications. Users’ lives have been made simpler by technologies like mobile devices and location-based services (LBS). Users prefer Continuous Location Queries Based on LBS (Continuous LBS). However, when users utilize connected applications, they must constantly submit relevant information to location-based services’ provider (LBSP). In terms of spatial and temporal correlations, in comparison to snapshot LBSs, continuous LBSs present a greater barrier for maintaining location privacy. The adversary can more easily assess the user’s private information, including lifestyles, work address, interests, and even health conditions, through the query content. As a result, one of the current study topics for academics is how to preserve mobile users’ location information to ensure that they do not disclose personal privacy while enjoying associated services. This work comprehensively expounds the research state and development trend of location privacy protection mechanisms in continuous LBSs, classifies five current technologies, and describes their technological solutions, privacy efficiency, and application scenarios based on a timeline. At the same time, this study outlines the challenges that will need to be overcome by future research.

Jian Wang,Yameng Shao,Jianqi Zhu,Yuming Ge

DOI: https://doi.org/10.1109/ACCESS.2018.2877058

IF: 3.9

2018-01-01

IEEE Access

Abstract:Connected vehicles continuously reveal their location information to the potential observers that then track vehicles over time and space. However, safety applications require disseminating such location information to the vicinity, which essentially urges to develop the awareness ability of the exposed location-privacy quantity. We propose an analytic framework to quantify location privacy from the perspective of temporal and spatial correlation, which permits connected vehicles to flexibly configure their preferential location-privacy sensitivity extent. We offer a novel approach so as to make the disclosure of location privacy more human-understandable and independent of the suffered attack pattern. This paradigm enables users to customize the location-privacy protection mechanisms for adapting to the frequently varying traffic context. Moreover, we put forward an adaptive lived-term pseudonym scheme for exampling how to utilize the presented quantitative framework. Finally, we move from theory to practice by applying the proposed theoretical framework to a simulation vehicular mobility data set TAPASCologne composed of more than two hundred and fifty thousand vehicles and a real trace set of more than ten million location sample points obtained from the Roman taxis. We investigate the accuracy and applicability of the presented quantification model and effects of combinations of various concerned parameters. The results show that the quantification model can identify the real-time exposure of location privacy efficiently and effectively as vehicles move and then provide quantitative control feedback to privacy protection mechanisms, which facilitates restrict the location privacy to a target value and tradeoff between the location privacy and service enjoyment.

Liang Yan,Lei Li,Xuejiao Mu,Hao Wang,Xian Chen,Hyoseop Shin

DOI: https://doi.org/10.3390/s23042121

IF: 3.9

2023-02-16

Sensors

Abstract:With the rapid development of intelligent mobile terminals and communication technologies, location-based services (LBSs) have become an essential part of users' lives. LBS providers upload and share the collected users' location data. The more commonly used methods for location privacy protection are differential privacy and its extensions. However, the semantic information about location, which is an integral part of the location data, often contains sensitive user information. Most existing research methods have failed to pay enough attention to protecting the semantic information in the location data. To remedy this problem, two different scenarios for location semantic privacy protection methods are proposed in this paper to address single-point and continuous location queries. Simulation experiments on real social location check-in datasets, and comparison of three different privacy protection mechanisms, show that our solution demonstrates good service quality and privacy protection considering location semantics.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yang Cao,Yonghui Xiao,Shun Takagi,Li Xiong,Masatoshi Yoshikawa,Yilin Shen,Jinfei Liu,Hongxia Jin,Xiaofeng Xu

DOI: https://doi.org/10.48550/arXiv.2005.01263

2020-07-15

Abstract:Location privacy has been extensively studied in the literature. However, existing location privacy models are either not rigorous or not customizable, which limits the trade-off between privacy and utility in many real-world applications. To address this issue, we propose a new location privacy notion called PGLP, i.e., \textit{Policy Graph based Location Privacy}, providing a rich interface to release private locations with customizable and rigorous privacy guarantee. First, we design the privacy metrics of PGLP by extending differential privacy. Specifically, we formalize a user's location privacy requirements using a \textit{location policy graph}, which is expressive and customizable. Second, we investigate how to satisfy an arbitrarily given location policy graph under adversarial knowledge. We find that a location policy graph may not always be viable and may suffer \textit{location exposure} when the attacker knows the user's mobility pattern. We propose efficient methods to detect location exposure and repair the policy graph with optimal utility. Third, we design a private location trace release framework that pipelines the detection of location exposure, policy graph repair, and private trajectory release with customizable and rigorous location privacy. Finally, we conduct experiments on real-world datasets to verify the effectiveness of the privacy-utility trade-off and the efficiency of the proposed algorithms.

Cryptography and Security,Computers and Society

Qiang Ma,Shanfeng Zhang,Tong Zhu,Kebin Liu,Lan Zhang,Wenbo He,Yunhao Liu

DOI: https://doi.org/10.1109/tmc.2016.2624732

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:Crowdsensing applications require individuals toshare local and personal sensing data with others to produce valuableknowledge and services. Meanwhile, it has raised concernsespecially for location privacy. Users may wish to prevent privacyleak and publish as many non-sensitive contexts as possible.Simply suppressing sensitive contexts is vulnerable to the adversariesexploiting spatio-temporal correlations in users' behavior.In this work, we present PLP, a crowdsensing scheme whichpreserves privacy while maximizes the amount of data collectionby filtering a user's context stream. PLP leverages a conditionalrandom field to model the spatio-temporal correlations amongthe contexts, and proposes a speed-up algorithm to learn theweaknesses in the correlations. Even if the adversaries are strongenough to know the filtering system and the weaknesses, PLPcan still provably preserves privacy, with little computationalcost for online operations. PLP is evaluated and validated overtwo real-world smartphone context traces of 34 users. Theexperimental results show that PLP efficiently protects privacywithout sacrificing much utility.