Yonghui Xiao,Li Xiong

DOI: https://doi.org/10.1145/2810103.2813640

2015-11-05

Abstract:Concerns on location privacy frequently arise with the rapid development of GPS enabled devices and location-based applications. While spatial transformation techniques such as location perturbation or generalization have been studied extensively, most techniques rely on syntactic privacy models without rigorous privacy guarantee. Many of them only consider static scenarios or perturb the location at single timestamps without considering temporal correlations of a moving user's locations, and hence are vulnerable to various inference attacks. While differential privacy has been accepted as a standard for privacy protection, applying differential privacy in location based applications presents new challenges, as the protection needs to be enforced on the fly for a single user and needs to incorporate temporal correlations between a user's locations. In this paper, we propose a systematic solution to preserve location privacy with rigorous privacy guarantee. First, we propose a new definition, "$\delta$-location set" based differential privacy, to account for the temporal correlations in location data. Second, we show that the well known $\ell_1$-norm sensitivity fails to capture the geometric sensitivity in multidimensional space and propose a new notion, sensitivity hull, based on which the error of differential privacy is bounded. Third, to obtain the optimal utility we present a planar isotropic mechanism (PIM) for location perturbation, which is the first mechanism achieving the lower bound of differential privacy. Experiments on real-world datasets also demonstrate that PIM significantly outperforms baseline approaches in data utility.

Databases,Cryptography and Security

Le Yu,Shufan Zhang,Yan Meng,Suguo Du,Yuling Chen,Yanli Ren,Haojin Zhu

DOI: https://doi.org/10.1109/tmc.2023.3348136

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:As location data have been increasingly adopted in location-based advertising (LBA), revealing locations to untrusted service providers has raised severe privacy concerns. Recent studies propose obfuscation mechanisms built upon geo-indistinguishability (geo-IND) to provide formal privacy guarantee. Unfortunately, due to the high degree of spatiotemporal regularity in human mobility pattern, the privacy cost will be unacceptably high in this situation, leading to accurate inference of user real locations. In this study, we identify this privacy risk in LBA scenarios under long-term and multi-platform assumption. We demonstrate an attacker can infer 75%∼90% of top-1 locations within a range of only 200 meters. To address it, we propose PrivLocAd , a novel system which can provide longitudinal privacy guarantee. The novelty of PrivLocAd stems from a novel surrogate-based obfuscation, which generates multiple surrogate locations to improve the privacy-utility trade-off. In addition, two novel obfuscation mechanisms, the two-stage Gaussian and multi-level surrogate generation mechanism in charge of surrogate generation can achieve the longitudinal privacy guarantee in intra- and inter-platform condition respectively. Our experimental results demonstrate PrivLocAd is able to defend against the attack, which reduces the inference rate to less than 1% of user top-1 locations in the 200 meter range.

Minghui Min,Liang Xiao,Jiahao Ding,Hongliang Zhang,Shiyin Li,Miao Pan,Zhu Han

DOI: https://doi.org/10.1109/twc.2021.3132464

IF: 10.4

2021-01-01

IEEE Transactions on Wireless Communications

Abstract:Indoor location-based services (LBS) are widely used in large-scale indoor buildings, such as high-rise hospitals and multi-story shopping malls. At the same time, location privacy protection in such three-dimensional (3D) space has recently attracted considerable attention. Currently, most existing location privacy protection schemes focus on two-dimensional (2D) location protection and fail to prevent location inference attacks when the user’s location data include height dimension, i.e., 3D geolocation. Enlightened by the concept of differential privacy, in this paper we first study the impact factors of the degree of indistinguishability of 3D geolocations. Then, we quantify location privacy for LBS applications in the 3D space with geo-indistinguishability (3D-GI) rigorously and provably. We develop a mechanism of three-variates Laplacian to generate perturbed locations considering the locations’ X, Y, and Z-coordinates simultaneously, guaranteeing geo-indistinguishability. Furthermore, the discretization noise-adding mechanism is studied to satisfy geo-indistinguishability in the 3D space under the finite precision of hardware/devices. Considering the discretized mechanism can only satisfy geo-indistinguishability in finite 3D space and users visit the limited regions, we further study the truncation of the Laplacian mechanism to limit the generated perturbed locations within a specific region. Simulation results demonstrate that the proposed 3D-GI outperforms the benchmarks while guaranteeing privacy regardless of the adversary’s prior knowledge.

telecommunications,engineering, electrical & electronic

Yahong Chen,Zhibo Wang,Boyang Wang,Hui Li,BEN NIU,fenghua li

DOI: https://doi.org/10.1109/tmc.2020.3000730

IF: 6.075

2020-01-01

IEEE Transactions on Mobile Computing

Abstract:Mechanisms built upon geo-indistinguishability render location privacy, where a user can submit obfuscated locations to Location-Based Service providers but still be able to correctly utilize services. However, these mechanisms are vulnerable under inference attacks. Particularly, with background knowledge of a user's obfuscated locations, an attacker can infer actual locations by carrying out long-term observation attacks. Unfortunately, how to defend long-term observation attacks in the field of differential location privacy remains open. In this paper, we first demonstrate the vulnerabilities of existing mechanisms under long-term observation attacks. In light of these vulnerabilities, we devise a novel mechanism, referred to as Eclipse, which bridges the gap between location protection and usability of services. Specifically, we harness geo-indistinguishability and <span class="mjpage"><svg xmlns:xlink="http://www.w3.org/1999/xlink" width="1.211ex" height="2.176ex" style="vertical-align: -0.338ex;" viewBox="0 -791.3 521.5 936.9" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg"><g stroke="currentColor" fill="currentColor" stroke-width="0" transform="matrix(1 0 0 -1 0 0)"> <use xlink:href="#MJMATHI-6B" x="0" y="0"></use></g></svg></span>k-anonymity to obfuscate locations and hide each location based on an anonymity set. As a result, our mechanism effectively perturbs the distribution of locations and suppresses leakage under long-term observation attacks. Moreover, the set of possible outputs is utilized to minimize the impacts to usability and correctness. We formally define and rigorously prove the security of the proposed mechanism by leveraging differential privacy. Moreover, we implement the proposed mechanism and conduct a series of experiments on real-world datasets to demonstrate its efficacy and efficiency.<svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><defs id="MathJax_SVG_glyphs"><path stroke-width="1" id="MJMATHI-6B" d="M121 647Q121 657 125 670T137 683Q138 683 209 688T282 694Q294 694 294 686Q294 679 244 477Q194 279 194 272Q213 282 223 291Q247 309 292 354T362 415Q402 442 438 442Q468 442 485 423T503 369Q503 344 496 327T477 302T456 291T438 288Q418 288 406 299T394 328Q394 353 410 369T442 390L458 393Q446 405 434 405H430Q398 402 367 380T294 316T228 255Q230 254 243 252T267 246T293 238T320 224T342 206T359 180T365 147Q365 130 360 106T354 66Q354 26 381 26Q429 26 459 145Q461 153 479 153H483Q499 153 499 144Q499 139 496 130Q455 -11 378 -11Q333 -11 305 15T277 90Q277 108 280 121T283 145Q283 167 269 183T234 206T200 217T182 220H180Q168 178 159 139T145 81T136 44T129 20T122 7T111 -2Q98 -11 83 -11Q66 -11 57 -1T48 16Q48 26 85 176T158 471L195 616Q196 629 188 632T149 637H144Q134 637 131 637T124 640T121 647Z"></path></defs></svg>

computer science, information systems,telecommunications

Jiadong Zhang,Chi-Yin Chow

DOI: https://doi.org/10.1109/TSC.2018.2810890

IF: 11.019

2021-03-01

IEEE Transactions on Services Computing

Abstract:The sequential pattern in the human movement is one of the most important aspects for location recommendations in geosocial networks. Existing location recommenders have to access users’ raw check-in data to mine their sequential patterns that raises serious location privacy breaches. In this paper, we propose a new <italic>P</italic>rivacy-preserving <italic>LO</italic>cation <italic>RE</italic>commendation framework (PLORE) to address this privacy challenge. First, we employ the <inline-formula><tex-math notation="LaTeX">$n$</tex-math><alternatives><mml:math><mml:mi>n</mml:mi></mml:math><inline-graphic xlink:href="zhang-ieq1-2810890.gif"/></alternatives></inline-formula>th-order additive Markov chain to exploit users’ sequential patterns for location recommendations. Further, we contrive the probabilistic differential privacy mechanism to reach a good trade-off between high recommendation accuracy and strict location privacy protection. Finally, we conduct extensive experiments to evaluate the performance of PLORE using three large-scale real-world data sets. Extensive experimental results show that PLORE provides efficient and highly accurate location recommendations, and guarantees strict privacy protection for user check-in data in geosocial networks.

Engineering,Computer Science

Hao Zhou,Yingjie Wu,Sisi Zhong,Zhao Luo,Xiaodong Wang

DOI: https://doi.org/10.1109/icicee.2012.418

2012-01-01

Abstract:The query privacy issue in location-based services (LBS) has recently received considerable attention. To protect the query privacy of users, current state-of-the-art techniques adopt cloaking which cloaks the sender's location to k-anonymized spatial region (ASR), such that an attack based on the sender's location cannot identify the query source with probability larger than 1/k, among other k-1 users. However, these techniques do not consider that these k-1 additional mobile users with different privacy requirements may send request at the same time. In this paper, we propose a new attack model that an adversary who observes all the ASRs at one time can identify the query source with probability larger than 1/k based on prior knowledge of the locations of all users. And we propose our two algorithms, namely, Basic and Adaptive Algorithms, which strengthen the privacy guarantee to defend such inference attack while still support personalized user privacy requirements. We verify the effectiveness of the proposed algorithms by experiments on location data which synthetically generated on real road maps.

Maho Asada,Masatoshi Yoshikawa,Yang Cao

DOI: https://doi.org/10.1007/978-3-030-22479-0_9

2019-04-24

Abstract:In recent years, it has become easy to obtain location information quite precisely. However, the acquisition of such information has risks such as individual identification and leakage of sensitive information, so it is necessary to protect the privacy of location information. For this purpose, people should know their location privacy preferences, that is, whether or not he/she can release location information at each place and time. However, it is not easy for each user to make such decisions and it is troublesome to set the privacy preference at each time. Therefore, we propose a method to recommend location privacy preferences for decision making. Comparing to existing method, our method can improve the accuracy of recommendation by using matrix factorization and preserve privacy strictly by local differential privacy, whereas the existing method does not achieve formal privacy guarantee. In addition, we found the best granularity of a location privacy preference, that is, how to express the information in location privacy protection. To evaluate and verify the utility of our method, we have integrated two existing datasets to create a rich information in term of user number. From the results of the evaluation using this dataset, we confirmed that our method can predict location privacy preferences accurately and that it provides a suitable method to define the location privacy preference.

Databases,Cryptography and Security

Ximu Zeng,Xue Chen,Xiao Peng,Xiaoshan Zhang,Hao Wang,Zhengquan Xu

DOI: https://doi.org/10.1007/s12652-021-03690-z

IF: 3.662

2022-01-10

Journal of Ambient Intelligence and Humanized Computing

Abstract:Among the advanced methods, differential privacy (DP), introducing independent Laplace noise, has become an influential privacy mechanism owing to its provable and rigorous privacy guarantee. Nonetheless, in practice, POI data to be protected is always correlated, while independent noise may cause undesirable information disclosure than expected. Recent researches attempt to optimize the sensitivity function of DP with consideration of the correlation strength between POI—but there is a drawback in a substantial growth of noise level. To remedy this problem, this paper exploits the degradation of DP in expected privacy levels for correlated POI data and proposes a solution to mitigate it. We propose a generalized Laplace mechanism to achieve privacy guarantees. Specifically, we design a practical iteration mechanism, including an update function, to conduct a generalized Laplace mechanism when facing large scale queries. Experimental evaluation on real-world datasets over multiple fields show that our solution consistently outperforms state-of-the-art mechanisms in data utility while providing the same privacy guarantee as other approaches for correlated POI data.

computer science, information systems,telecommunications, artificial intelligence

Xiaoyan Zhu,Haotian Chi,Shunrong Jiang,Xiaosan Lei,Hui Li

DOI: https://doi.org/10.1109/ICC.2014.6883667

2014-01-01

Abstract:Location-based services (LBSs) are attracting more and more attentions with the increasing popularity of mobile devices and online social networking. In LBSs, users can conveniently obtain their interested information by sending queries to the LBS server. However, users' queries include their identities, locations, interests, etc, which may result in the leakage of users' trajectory and other sensitive information. Although the existing obfuscation and location anonymization techniques along with a long-term pseudonym can protect users' location privacy to some extent, users' real identities and moving trajectories can still be deduced through long-term observation and side information aided inference attacks. To address these problems, we propose a dynamic pseudo-ID system, where unlinkable pseudo-IDs are used by users to completely hide their identities in the queries, in order to break the link between users' identities and their locations. Moreover, we employ certificates to ensure the verifiability and traceability of the dynamic pseudo-IDs. Security analysis and evaluation results show that the proposed scheme can enhance user' privacy and is feasible to implement into mobile devices.

Sourabh Yadav,Chenyang Yu,Xinpeng Xie,Yan Huang,Chenxi Qiu

2024-09-15

Abstract:Geo-obfuscation is a Location Privacy Protection Mechanism used in location-based services that allows users to report obfuscated locations instead of exact ones. A formal privacy criterion, geoindistinguishability (Geo-Ind), requires real locations to be hard to distinguish from nearby locations (by attackers) based on their obfuscated representations. However, Geo-Ind often fails to consider context, such as road networks and vehicle traffic conditions, making it less effective in protecting the location privacy of vehicles, of which the mobility are heavily influenced by these factors. In this paper, we introduce VehiTrack, a new threat model to demonstrate the vulnerability of Geo-Ind in protecting vehicle location privacy from context-aware inference attacks. Our experiments demonstrate that VehiTrack can accurately determine exact vehicle locations from obfuscated data, reducing average inference errors by 61.20% with Laplacian noise and 47.35% with linear programming (LP) compared to traditional Bayesian attacks. By using contextual data like road networks and traffic flow, VehiTrack effectively eliminates a significant number of seemingly "impossible" locations during its search for the actual location of the vehicles. Based on these insights, we propose TransProtect, a new geo-obfuscation approach that limits obfuscation to realistic vehicle movement patterns, complicating attackers' ability to differentiate obfuscated from actual locations. Our results show that TransProtect increases VehiTrack's inference error by 57.75% with Laplacian noise and 27.21% with LP, significantly enhancing protection against these attacks.

Cryptography and Security

Hongtao Li,Yue Wang,Feng Guo,Jie Wang,Bo Wang,Chuankun Wu

DOI: https://doi.org/10.1155/2021/4696455

2021-06-30

Wireless Communications and Mobile Computing

Abstract:Location-based services (LBS) have become an important research area with the rapid development of mobile Internet technology, GPS positioning technology, and the widespread application of smart phones and social networks. LBS can provide convenience and flexibility for the users’ daily life, but at the same time, it also brings security risks to the users’ privacy. Untrusted or malicious LBS servers can collect users’ location data through various ways and disclose it to the third party, thus causing users’ privacy leakage. In this paper, a differential privacy location protection method based on the Markov model for user’s location privacy is proposed. Firstly, the transition probability matrix between states of the n -order Markov model is used to predict the occurrence state and development trend of events; thereby, the user’s location is predicted, and then a location prediction algorithm based on the Markov model (LPAM) is proposed. Secondly, a location protection algorithm based on differential privacy (LPADP) is proposed, in which location privacy tree (LPT) is constructed according to the location data and the difficulty of retrieval, the two nodes with the largest predicted value of LPT are allocated with a reasonable privacy budget, and Laplace noise is added to protect location privacy. Theoretical analysis and experimental results show that the proposed method not only meets the requirements of differential privacy and protects location privacy effectively but also has high data availability and low time complexity.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kah Meng Chong,Amizah Malip

DOI: https://doi.org/10.1016/j.comnet.2024.110214

IF: 5.493

2024-01-31

Computer Networks

Abstract:With the development of Intelligent Transportation Systems (ITS), a vast amount of location data is being generated from various IoT devices equipped with location positioning sensors. Preserving the privacy of location data release is a critical concern, as the publication of aggregated data often reveals private information about the users. Differential Privacy (DP) has recently emerged as a robust framework to guarantee privacy in this context. However, conventional DP mechanisms commonly make no assumption about the distribution of the input data, which could lead to unexpected privacy leakage if the data are correlated. In this paper, we investigate the complex simultaneous impact of user correlation, spatial–temporal correlation and prior knowledge of an adversary on the privacy leakage of a DP mechanism, which has not been addressed in prior work. We derive several closed-form expressions that demonstrate and quantify the privacy leakage under correlated location data, followed by the design of efficient algorithms to compute such privacy leakage. Then, we propose a Δ -CDP (Correlated Differential Privacy) to provide a formal privacy guarantee against the additional privacy leakage incurred by these factors. Extensive comparisons, theoretical analysis, and experimental simulations are presented to validate the correctness and efficiency of the proposed work.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Abhinav Palia,Rajat Tandon

DOI: https://doi.org/10.1007/978-3-030-03405-4_5

2017-05-05

Abstract:With the tremendous increase in the number of smart phones, app stores have been overwhelmed with applications requiring geo-location access in order to provide their users better services through personalization. Revealing a user's location to these third party apps, no matter at what frequency, is a severe privacy breach which can have unpleasant social consequences. In order to prevent inference attacks derived from geo-location data, a number of location obfuscation techniques have been proposed in the literature. However, none of them provides any objective measure of privacy guarantee. Some work has been done to define differential privacy for geo-location data in the form of geo-indistinguishability with l privacy guarantee. These techniques do not utilize any prior background information about the Points of Interest (PoIs) of a user and apply Laplacian noise to perturb all the location coordinates. Intuitively, the utility of such a mechanism can be improved if the noise distribution is derived after considering some prior information about PoIs. In this paper, we apply the standard definition of differential privacy on geo-location data. We use first principles to model various privacy and utility constraints, prior background information available about the PoIs (distribution of PoI locations in a 1D plane) and the granularity of the input required by different types of apps, in order to produce a more accurate and a utility maximizing differentially private algorithm for geo-location data at the OS level. We investigate this for a particular category of apps and for some specific scenarios. This will also help us to verify that whether Laplacian noise is still the optimal perturbation when we have such prior information.

Cryptography and Security

Liang Yan,Lei Li,Xuejiao Mu,Hao Wang,Xian Chen,Hyoseop Shin

DOI: https://doi.org/10.3390/s23042121

IF: 3.9

2023-02-16

Sensors

Abstract:With the rapid development of intelligent mobile terminals and communication technologies, location-based services (LBSs) have become an essential part of users' lives. LBS providers upload and share the collected users' location data. The more commonly used methods for location privacy protection are differential privacy and its extensions. However, the semantic information about location, which is an integral part of the location data, often contains sensitive user information. Most existing research methods have failed to pay enough attention to protecting the semantic information in the location data. To remedy this problem, two different scenarios for location semantic privacy protection methods are proposed in this paper to address single-point and continuous location queries. Simulation experiments on real social location check-in datasets, and comparison of three different privacy protection mechanisms, show that our solution demonstrates good service quality and privacy protection considering location semantics.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Kunyi Chen,Siyao Cheng,Hong Gao,Jianzhong Li

DOI: https://doi.org/10.1109/BIGCOM.2018.00026

2018-01-01

Abstract:Location based services become increasingly popular with the dramatic grows of smartphones. Personal location information is disclosed to the service providers while users are enjoying such applications. However, this data can be used to infer a user's detailed activities, or to track and predict the user's daily movements, which raises significant privacy concerns. Achieving both preserving privacy and high quality in locationbased services is still a challenge. To address this challenge, we provide a novel strategy which guarantees high service quality by ensuring the distance between a real location and the obfuscated one is bounded. For preserving location privacy, the key idea of our strategy is to select obfuscating function randomly to process data. Therefore, the real data can not be inferred by approximate or stochastic methods. This is the first paper to use such methods for preserving privacy. And the effectiveness of our strategy is demonstrated through extensive simulations.

Bo Wang,Hongtao Li,Yina Guo,Xiaoyu Ren 

DOI: https://doi.org/10.3390/s23115219

IF: 3.9

2023-05-31

Sensors

Abstract:Location-based services (LBS) are widely used due to the rapid development of mobile devices and location technology. Users usually provide precise location information to LBS to access the corresponding services. However, this convenience comes with the risk of location privacy disclosure, which can infringe upon personal privacy and security. In this paper, a location privacy protection method based on differential privacy is proposed, which efficiently protects users’ locations, without degrading the performance of LBS. First, a location-clustering (L-clustering) algorithm is proposed to divide the continuous locations into different clusters based on the distance and density relationships among multiple groups. Then, a differential privacy-based location privacy protection algorithm (DPLPA) is proposed to protect users’ location privacy, where Laplace noise is added to the resident points and centroids within the cluster. The experimental results show that the DPLPA achieves a high level of data utility, with minimal time consumption, while effectively protecting the privacy of location information.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Leye Wang,Daqing Zhang,Dingqi Yang,Brian Y. Lim,Xiao Han,Xiaojuan Ma

DOI: https://doi.org/10.1109/tifs.2020.2975925

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Sparse Mobile Crowdsensing (MCS) has become a compelling approach to acquire and make inference on urban-scale sensing data. However, participants risk their location privacy when reporting data with their actual sensing positions. To address this issue, we adopt e-differential-privacy in Sparse MCS to provide a theoretical guarantee for participants' location privacy regardless of an adversary's prior knowledge. Furthermore, to reduce the data quality loss caused by differential location obfuscation, we propose a privacypreserving framework with three components. First, we learn a data adjustment function to fit the original sensing data to the obfuscated location. Second, we apply a linear program to select an optimal location obfuscation function, which aims to minimize the uncertainty in data adjustment. We also propose a fast approximated variant. Third, we propose an uncertaintyaware inference algorithm to improve the inference accuracy of obfuscated data. Evaluations with real environment and traffic datasets show that our optimal method reduces the data quality loss by up to 42% compared to existing differential privacy methods.

Yuan Tao,Taochun Wang,Yong Qiang,Leilei Shen,Fulong Chen,Chuanxin Zhao

DOI: https://doi.org/10.1016/j.comnet.2024.110421

IF: 5.493

2024-04-24

Computer Networks

Abstract:Location information is often required for task allocation in mobile crowdsensing. However, directly uploading location information can raise concerns about privacy leakage among users. To address this issue and protect users privacy when uploading location data to the server, this paper proposes a novel method based on differential privacy for preserving location information. The main idea is to utilize Hilbert mapping to transform the two-dimensional location coordinate of the user into a one-dimensional Hilbert index. Then, Laplace noise is added to the index to introduce a perturbed index, ensuring the protection of location privacy. To enhance the usability of the perturbed index, this paper treats the Laplace noise as a random variable and employs mathematical integration to measure the distance between users and tasks. Leveraging the characteristic of the Hilbert index, wherein a small change in the indexes can result in a large distance between corresponding coordinates, the combination of differential privacy and Hilbert mapping offers enhanced effectiveness compared to conventional differential privacy location preservation schemes. Finally, the proposed scheme is evaluated using the real dataset, and the experiments validate its efficacy.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Ammar Haydari,Chen-Nee Chuah,Michael Zhang,Jane Macfarlane,Sean Peisert

DOI: https://doi.org/10.48550/arXiv.2112.08487

2024-01-15

Abstract:Location data is collected from users continuously to understand their mobility patterns. Releasing the user trajectories may compromise user privacy. Therefore, the general practice is to release aggregated location datasets. However, private information may still be inferred from an aggregated version of location trajectories. Differential privacy (DP) protects the query output against inference attacks regardless of background knowledge. This paper presents a differential privacy-based privacy model that protects the user's origins and destinations from being inferred from aggregated mobility datasets. This is achieved by injecting Planar Laplace noise to the user origin and destination GPS points. The noisy GPS points are then transformed into a link representation using a link-matching algorithm. Finally, the link trajectories form an aggregated mobility network. The injected noise level is selected using the Sparse Vector Mechanism. This DP selection mechanism considers the link density of the location and the functional category of the localized links. Compared to the different baseline models, including a k-anonymity method, our differential privacy-based aggregation model offers query responses that are close to the raw data in terms of aggregate statistics at both the network and trajectory-levels with maximum 9% deviation from the baseline in terms of network length.

Cryptography and Security

Wei Tong,Yinggang Tong,Chang Xia,Jingyu Hua,Qun Li,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2022.3184279

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Location-based services have significantly affected mobile users’ everyday life, and location privacy has become essential. Some applications (e.g., location-based recommendation, mobility analytics) do not need the raw location data, and the service providers adopt aggregation to protect users’ location traces. However, some works show that even these aggregation data may disclose users’ location privacy when additional prior knowledge is available to an adversary. We consider the location privacy problem in the presence of Location Uniqueness, a property by which some geographical locations can be re-identified based on the aggregated point-of-interest information. We first study whether existing protection mechanisms are adequate for defending against this type of attack. Then we present two practical attacks for inferring users’ actual locations based on the POI aggregates. A secure POI aggregate release mechanism is proposed for defending against this type of re-identification attack and achieving differential privacy at the same time. We conduct extensive experiments on real-world datasets. The results show that the existing protection mechanisms cannot provide sufficient protection against location re-identification attacks. The proposed attacks can significantly improve the inference performance, and the proposed protection mechanism achieves satisfactory performance.