Xiuwen Liu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.comnet.2022.109507

2022-01-01

SSRN Electronic Journal

Abstract:In mobile crowdsensing systems, the public crowd are required to report data with actual locations under location privacy vulnerabilities. Moreover, even sensing data itself further deepens location privacy breaches. Existing works allow each worker to consider his own privacy, but the accumulated privacy budget will lower down group data privacy of each sensing region. Moreover, multi-region spatial data correlations indicate that multi-group correlated data privacy may be leaked from each other. To this end, we develop a novel MCS framework, called GDA-Crowd(Group effect-based Data Aggregation), which consists of three parts: location obfuscation and aggregation, group effect-based data privacy and aggregation, and incentive mechanism. We start from individual location privacy guarantee and propose a location aggregation method to cluster workers into groups. Then, we exploit intra-group effect, i.e., data privacy interdependence under the judicious selection of workers’ participation, to enhance privacy-accuracy balance. Moreover, multi-group global histogram incorporates inter-group effect, i.e., correlated privacy loss from spatial data correlations, into inter-group data aggregation. Finally, we design a truthful, individually rational and computationally efficient incentive mechanism for participant selection. The synopsis of contributions includes dual privacy protection, dual group effect for desirable privacy-accuracy tradeoff, synergies among incentive mechanism, privacy-preserving data aggregation for approximate optimality. Theoretical analysis and extensive experiments validate our effectiveness and superiority.

Jiawei Duan,Qingqing Ye,Haibo Hu

DOI: https://doi.org/10.48550/arXiv.2201.07469

2022-01-19

Abstract:Local differential privacy (LDP), which perturbs the data of each user locally and only sends the noisy version of her information to the aggregator, is a popular privacy-preserving data collection mechanism. In LDP, the data collector could obtain accurate statistics without access to original data, thus guaranteeing privacy. However, a primary drawback of LDP is its disappointing utility in high-dimensional space. Although various LDP schemes have been proposed to reduce perturbation, they share the same and naive aggregation mechanism at the side of the collector. In this paper, we first bring forward an analytical framework to generally measure the utilities of LDP mechanisms in high-dimensional space, which can benchmark existing and future LDP mechanisms without conducting any experiment. Based on this, the framework further reveals that the naive aggregation is sub-optimal in high-dimensional space, and there is much room for improvement. Motivated by this, we present a re-calibration protocol HDR4ME for high-dimensional mean estimation, which improves the utilities of existing LDP mechanisms without making any change to them. Both theoretical analysis and extensive experiments confirm the generality and effectiveness of our framework and protocol.

Cryptography and Security,Databases

Xingxing Xiong,Shubo Liu,Dan Li,Zhaohui Cai,Xiaoguang Niu

DOI: https://doi.org/10.1016/j.jisa.2020.102633

IF: 4.96

2020-12-01

Journal of Information Security and Applications

Abstract:<p>Technology and usage advances in wireless communication and smart mobile devices with localization capabilities enable a large number of emerging applications of location-based services, e.g. mobile crowdsourcing applications, which are facilitating our daily life. However, collecting and sharing location data to service providers of applications will give rise to mobile users' concerns on their privacy, especially location privacy. In this paper, we investigate the problem of real-time spatio-temporal data aggregation with privacy preservation in the local setting. In response to this, we propose a systematic solution based on stringent local differential privacy preservation technique to deal with the problem. Firstly, we introduce a novel definition of (ε,  δ)-local differential privacy with the ability to capture the temporal correlation in spatio-temporal data and provide differential privacy preservation. Secondly, we develop an efficient framework of generalized randomized response (GRR) based real-time and private spatio-temporal data aggregation with an untrusted server. Finally, we conduct experiments on two real-world datasets to evaluate our framework. The results show that our GRR based framework significantly outperforms that based on PIM and LRM in data utility and demonstrate its superiority to achieve better trade-off of privacy and utility for real-time spatio-temporal data aggregation with stringent privacy preservation.</p>

computer science, information systems

Bo Jiang,Ming Li,Ravi Tandon

DOI: https://doi.org/10.48550/arXiv.2001.02385

2020-11-29

Abstract:In this paper, we study local information privacy (LIP), and design LIP based mechanisms for statistical aggregation while protecting users' privacy without relying on a trusted third party. The notion of context-awareness is incorporated in LIP, which can be viewed as explicit modeling of the adversary's background knowledge. It enables the design of privacy-preserving mechanisms leveraging the prior distribution, which can potentially achieve a better utility-privacy tradeoff than context-free notions such as Local Differential Privacy (LDP). We present an optimization framework to minimize the mean square error in the data aggregation while protecting the privacy of each individual user's input data or a correlated latent variable while satisfying LIP constraints. Then, we study two different types of applications: (weighted) summation and histogram estimation and derive the optimal context-aware data perturbation parameters for each case, based on randomized response type of mechanism. We further compare the utility-privacy tradeoff between LIP and LDP and theoretically explain why the incorporation of prior knowledge enlarges feasible regions of the perturbation parameters, which thereby leads to higher utility. We also extend the LIP-based privacy mechanisms to the more general case when exact prior knowledge is not available. Finally, we validate our analysis by simulations using both synthetic and real-world data. Results show that our LIP-based privacy mechanism provides better utility-privacy tradeoffs than LDP, and the advantage of LIP is even more significant when the prior distribution is more skewed.

Cryptography and Security,Databases,Information Theory,Systems and Control

Zichun Liu,Liusheng Huang,Hongli Xu,Wei Yang

DOI: https://doi.org/10.3390/e25010130

2023-01-09

Abstract:Graph data are widely collected and exploited by organizations, providing convenient services from policy formation and market decisions to medical care and social interactions. Yet, recent exposures of private data abuses have caused huge financial and reputational costs to both organizations and their users, enabling designing efficient privacy protection mechanisms a top priority. Local differential privacy (LDP) is an emerging privacy preservation standard and has been studied in various fields, including graph data aggregation. However, existing research studies of graph aggregation with LDP mainly provide single edge privacy for pure graph, leaving heterogeneous graph data aggregation with stronger privacy as an open challenge. In this paper, we take a step toward simultaneously collecting mixed attributed graph data while retaining intrinsic associations, with stronger local differential privacy protecting more than single edge. Specifically, we first propose a moderate granularity attributewise local differential privacy (ALDP) and formulate the problem of aggregating mixed attributed graph data as collecting two statistics under ALDP. Then we provide mechanisms to privately collect these statistics. For the categorical-attributed graph, we devise a utility-improved PrivAG mechanism, which randomizes and aggregates subsets of attribute and degree vectors. For heterogeneous graph, we present an adaptive binning scheme (ABS) to dynamically segment and simultaneously collect mixed attributed data, and extend the prior mechanism to a generalized PrivHG mechanism based on it. Finally, we practically optimize the utility of the mechanisms by reducing the computation costs and estimation errors. The effectiveness and efficiency of the mechanisms are validated through extensive experiments, and better performance is shown compared with the state-of-the-art mechanisms.

Teng Wang,Jun Zhao,Zhi Hu,Xinyu Yang,Xuebin Ren,Kwok-Yan Lam

DOI: https://doi.org/10.1016/j.neucom.2020.09.073

IF: 6

2021-02-01

Neurocomputing

Abstract:<p>Local Differential Privacy (LDP) can provide each user with strong privacy guarantees under untrusted data curators while ensuring accurate statistics derived from privatized data. Due to its powerfulness, LDP has been widely adopted to protect privacy in various tasks (e.g., heavy hitters discovery, probability estimation) and systems (e.g., Google Chrome, Apple iOS). In particular, <span class="math"><math>(∊,δ)</math></span>-LDP has been studied in related statistical tasks like private learning and hypothesis testing, but is mainly achieved by using Gaussian mechanism, leading to the limited data utility. In this paper, we investigate several novel mechanisms that achieve <span class="math"><math>(∊,δ)</math></span>-LDP with higher data utility in collecting and analyzing users' data. Specifically, we first design two <span class="math"><math>(∊,δ)</math></span>-LDP algorithms for mean estimations on multi-dimensional numeric data, which can ensure higher accuracy than the optimal Gaussian mechanism. Then, we investigate different local protocols for frequency estimations on categorical attributes under <span class="math"><math>(∊,δ)</math></span>-LDP. Based on the proposed mechanisms, we further study on <span class="math"><math>(∊,δ)</math></span>-LDP-compliant stochastic gradient descent algorithms for machine learning models. Besides, the theoretical analysis of the error bound and the variance of the proposed algorithms are also presented in the paper. We have conducted extensive experiments on both real-world and synthetic datasets and demonstrated the high data utility of our proposed algorithms in the perspectives of simple data statistics tasks and complex machine learning tasks. The experimental results have shown that our proposed algorithms can effectively improve the data utility in different tasks while alleviating the privacy concerns of each individual.</p>

computer science, artificial intelligence

Yuemin Zhang,Qingqing Ye,Rui Chen,Haibo Hu,Qilong Han

DOI: https://doi.org/10.48550/arXiv.2307.09339

2023-07-18

Databases

Abstract:Trajectory data collection is a common task with many applications in our daily lives. Analyzing trajectory data enables service providers to enhance their services, which ultimately benefits users. However, directly collecting trajectory data may give rise to privacy-related issues that cannot be ignored. Local differential privacy (LDP), as the de facto privacy protection standard in a decentralized setting, enables users to perturb their trajectories locally and provides a provable privacy guarantee. Existing approaches to private trajectory data collection in a local setting typically use relaxed versions of LDP, which cannot provide a strict privacy guarantee, or require some external knowledge that is impractical to obtain and update in a timely manner. To tackle these problems, we propose a novel trajectory perturbation mechanism that relies solely on an underlying location set and satisfies pure $\epsilon$-LDP to provide a stringent privacy guarantee. In the proposed mechanism, each point's adjacent direction information in the trajectory is used in its perturbation process. Such information serves as an effective clue to connect neighboring points and can be used to restrict the possible region of a perturbed point in order to enhance utility. To the best of our knowledge, our study is the first to use direction information for trajectory perturbation under LDP. Furthermore, based on this mechanism, we present an anchor-based method that adaptively restricts the region of each perturbed trajectory, thereby significantly boosting performance without violating the privacy constraint. Extensive experiments on both real-world and synthetic datasets demonstrate the effectiveness of the proposed mechanisms.

Xiangguo Zhao,Yanhui Li,Ye Yuan,Xin Bi,Guoren Wang

DOI: https://doi.org/10.1109/access.2019.2899099

IF: 3.9

2019-01-01

IEEE Access

Abstract:Driven by the advance of positioning technology and the tremendous popularity of location-based services, location-record data have become unprecedentedly available. Publishing such data is of vital importance to the advancement of a wide spectrum of applications, such as marketing analysis, targeted advertising, and urban planning. However, the data collection may pose considerable threats to the individuals privacy. Local differential privacy (LDP) has recently emerged as a strong privacy standard for collecting sensitive information from users. Due to the inherent high dimensionality, it is particularly challenging to publish the location-record data under LDP. In this paper, we propose LDPart, a probabilistic top-down partitioning algorithm to effectively generate a sanitized location-record data. Our approach employs a carefully designed partition tree model to extract essential information in terms of location records. Furthermore, it also makes use of a novel adaptive user allocation scheme and a series of optimization techniques to improve the accuracy of the released data. The extensive experiments conducted on real-world datasets demonstrate that the proposed approach maintains high utility while providing privacy guarantees.

Huichuan Liu,Yong Zeng,Jiale Liu,Zhihong Liu,Jianfeng Ma,Xiaoyan Zhu

DOI: https://doi.org/10.1007/978-981-33-4922-3_13

2020-01-01

Abstract:AbstractIn recent years, with the development of mobile terminals, geographic location has attracted the attention of many researchers because of its convenience in collection and its ability to reflect user profile. To protect user privacy, researchers have adopted local differential privacy in data collection process. However, most existing methods assume that location has already been discretized, which we found, if not done carefully, may introduces huge noise, lowering collected result utility. Thus in this paper, we design a differentially private location division module that could automatically discretize locations according to access density of each region. However, as the size of discretized regions may be large, if directly applying existing local differential privacy based attribute method, the overall utility of collected results may be completely destroyed. Thus, we further improve the optimized binary local hash method, based on personalized differential privacy, to collect user visit frequency of each discretized region. This solution improve the accuracy of the collected results while satisfying the privacy of the user’s geographic location. Through experiments on synthetic and real data sets, this paper proves that the proposed method achieves higher accuracy than the best known method under the same privacy budget.

Ammar Haydari,Chen-Nee Chuah,Michael Zhang,Jane Macfarlane,Sean Peisert

DOI: https://doi.org/10.48550/arXiv.2112.08487

2024-01-15

Abstract:Location data is collected from users continuously to understand their mobility patterns. Releasing the user trajectories may compromise user privacy. Therefore, the general practice is to release aggregated location datasets. However, private information may still be inferred from an aggregated version of location trajectories. Differential privacy (DP) protects the query output against inference attacks regardless of background knowledge. This paper presents a differential privacy-based privacy model that protects the user's origins and destinations from being inferred from aggregated mobility datasets. This is achieved by injecting Planar Laplace noise to the user origin and destination GPS points. The noisy GPS points are then transformed into a link representation using a link-matching algorithm. Finally, the link trajectories form an aggregated mobility network. The injected noise level is selected using the Sparse Vector Mechanism. This DP selection mechanism considers the link density of the location and the functional category of the localized links. Compared to the different baseline models, including a k-anonymity method, our differential privacy-based aggregation model offers query responses that are close to the raw data in terms of aggregate statistics at both the network and trajectory-levels with maximum 9% deviation from the baseline in terms of network length.

Cryptography and Security

Jianyu Yang,Xiang Cheng,Sen Su,Huizhong Sun,Changju Chen

DOI: https://doi.org/10.1109/mdm55031.2022.00035

2022-01-01

Abstract:In this paper, we tackle the problem of collecting individual trajectories under local differential privacy. The key challenge is how to achieve high utility of the collected trajectories while satisfying the strong privacy guarantee. To overcome this challenge, we present a novel approach, which is referred to as PrivTC. In PrivTC, we first design a locally differentially private grid construction method to instruct the aggregator to lay an appropriate grid on the given geospatial domain. Then we propose a locally differentially private spectral learning method to help the aggregator learn the Hidden Markov Model (HMM) from users' trajectories discretized by the constructed grid. Finally, the aggregator generates a synthetic trajectory dataset as a surrogate for the original one from the learned HMM. Extensive experiments on real datasets confirm the effectiveness of PrivTC.

Ekin Tire,M. Emre Gursoy

DOI: https://doi.org/10.1109/jiot.2024.3357570

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Spatial density queries are fundamental in many geospatial data analysis and crowdsourcing tasks. However, answering spatial density queries may violate users’ privacy by exposing their locations to an untrusted data collector. In this paper, we propose a solution for answering spatial density queries under Local Differential Privacy (LDP), a state-of-the-art privacy protection standard. Our solution consists of four main steps: partitioning, finding sensitivity, user-side noisy response computation, and server-side estimation. For the first step, we propose and analyze three basic partitioning strategies, and based on our analysis, we design an improved strategy called Advanced Partitioning. For the second step, we adapt graph-based modeling of query sets from the centralized DP literature. Advanced Partitioning also leverages and extends this technique by formulating the partitioning problem using vertex coloring. For the third and fourth steps, in addition to adapting two popular LDP protocols (GRR, RAPPOR), we propose a novel extension for the OUE protocol. Our new protocol (OBE) is not only applicable to our problem but can also be used in other LDP problems with bitvector encodings. Finally, we perform an extensive experimental evaluation of different partitioning strategies and protocols using multiple real-world datasets. Results show that Advanced Partitioning and OBE yield the lowest error, demonstrating the superiority of our proposed methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shun Zhang,Benfei Duan,Zhili Chen,Hong Zhong,Qizhi Yu

DOI: https://doi.org/10.48550/arXiv.2008.03475

2020-11-05

Abstract:Spatial crowdsourcing (SC) is an increasing popular category of crowdsourcing in the era of mobile Internet and sharing economy. It requires workers to arrive at a particular location for task fulfillment. Effective protection of location privacy is essential for workers' enthusiasm and valid task assignment. However, existing SC models with differential privacy usually perturb real-time location data for both partition and data publication. Such a way may produce large perturbations to counting queries that affect assignment success rate and allocation accuracy. This paper proposes a framework (R-HT) for protecting location privacy of workers taking advantage of both real-time and historical data. We simulate locations by sampling the probability distribution learned from historical data, use them for grid partition, and then publish real-time data under this partitioning with differential privacy. This realizes that most privacy budget is allocated to the worker count of each cell and yields an improved Private Spatial Decomposition approach. Moreover, we introduce some strategies for geocast region construction, including quality scoring function and local maximum geocast radius. A series of experimental results on real-world datasets shows that R-HT attains a stable success rate of task assignment, saves performance overhead and fits for dynamic assignment on crowdsourcing platforms.

Cryptography and Security

Berkay Kemal Balioglu,Alireza Khodaie,Ameer Taweel,Mehmet Emre Gursoy

2024-07-31

Abstract:Local differential privacy (LDP) has recently emerged as a popular privacy standard. With the growing popularity of LDP, several recent works have applied LDP to spatial data, and grid-based decompositions have been a common building block in the collection and analysis of spatial data under DP and LDP. In this paper, we study three grid-based decomposition methods for spatial data under LDP: Uniform Grid (UG), PrivAG, and AAG. UG is a static approach that consists of equal-sized cells. To enable data-dependent decomposition, PrivAG was proposed by Yang et al. as the most recent adaptive grid method. To advance the state-of-the-art in adaptive grids, in this paper we propose the Advanced Adaptive Grid (AAG) method. For each grid cell, following the intuition that the cell's intra-cell density distribution will be affected by its neighbors, AAG performs uneven cell divisions depending on the neighboring cells' densities. We experimentally compare UG, PrivAG, and AAG using three real-world location datasets, varying privacy budgets, and query sizes. Results show that AAG provides higher utility than PrivAG, demonstrating the superiority of our proposed approach. Furthermore, UG's performance is heavily dependent on the choice of grid size. When the grid size is chosen optimally in UG, AAG still beats UG for small queries, but UG beats AAG for large (coarse-grained) queries.

Cryptography and Security

Leilei Du,Peng Cheng,Libin Zheng,Xiang Lian,Lei Chen,Wei Xi,Wangze Ni

2024-12-09

Abstract:Estimating spatial distributions is important in data analysis, such as traffic flow forecasting and epidemic prevention. To achieve accurate spatial distribution estimation, the analysis needs to collect sufficient user data. However, collecting data directly from individuals could compromise their privacy. Most previous works focused on private distribution estimation for one-dimensional data, which does not consider spatial data relation and leads to poor accuracy for spatial distribution estimation. In this paper, we address the problem of private spatial distribution estimation, where we collect spatial data from individuals and aim to minimize the distance between the actual distribution and estimated one under Local Differential Privacy (LDP). To leverage the numerical nature of the domain, we project spatial data and its relationships onto a one-dimensional distribution. We then use this projection to estimate the overall spatial distribution. Specifically, we propose a reporting mechanism called Disk Area Mechanism (DAM), which projects the spatial domain onto a line and optimizes the estimation using the sliced Wasserstein distance. Through extensive experiments, we show the effectiveness of our DAM approach on both real and synthetic data sets, compared with the state-of-the-art methods, such as Multi-dimensional Square Wave Mechanism (MDSW) and Subset Exponential Mechanism with Geo-I (SEM-Geo-I). Our results show that our DAM always performs better than MDSW and is better than SEM-Geo-I when the data granularity is fine enough.

Databases

Shaowei Wang,Liusheng Huang,Yiwen Nie,Xinyuan Zhang,Pengzhan Wang,Hongli Xu,Wei Yang

DOI: https://doi.org/10.1109/tpds.2019.2899097

IF: 5.3

2019-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:For the purpose of improving the quality of services, softwares or online services are collecting various of user data, such as personal information and locations. Such data facilitates mining statistical knowledge of users, but threatens users’ privacy as it may reveal sensitive information (e.g., identities and activities) about individuals. This work considers distribution estimation over user-contributed data meanwhile providing rigid protection of their data with local $\epsilon$ε-differential privacy ($\epsilon$ε-LDP), which sanitizes each user's data on the client's side (e.g, on the user's mobile device). Our privacy protection covers both qualitative data (e.g., categorical data) and discrete quantitative data (e.g., location data). Specifically, for categorical data, we derive an optimal $\epsilon$ε-LDP mechanism (termed as $k$k-subset mechanism) from mutual information perspective, and further show its optimality over existing approaches within the context of discrete distribution estimation; for discrete quantitative data that have arbitrary distance metric, we provide an efficient extension of $k$k-subset mechanism by proposing a variant of the popular Exponential Mechanism (EM) to tackle the asymmetry issue on the data domain. Experiments on real-world datasets and simulated scenarios show that our mechanism is highly efficient and reduces nearly a fraction of $\exp (-\frac{\epsilon }{2})$exp(-ε2) error for distribution estimation when compared to existing approaches.

Hao Wang,Xiao Peng,Yihang Xiao,Zhengquan Xu,Xian Chen

DOI: https://doi.org/10.1007/s40747-021-00550-3

2021-10-09

Abstract:Abstract Privacy preserving methods supporting for data aggregating have attracted the attention of researchers in multidisciplinary fields. Among the advanced methods, differential privacy (DP) has become an influential privacy mechanism owing to its rigorous privacy guarantee and high data utility. But DP has no limitation on the bound of noise, leading to a low-level utility. Recently, researchers investigate how to preserving rigorous privacy guarantee while limiting the relative error to a fixed bound. However, these schemes destroy the statistical properties, including the mean, variance and MSE, which are the foundational elements for data aggregating and analyzing. In this paper, we explore the optimal privacy preserving solution, including novel definitions and implementing mechanisms, to maintain the statistical properties while satisfying DP with a fixed relative error bound. Experimental evaluation demonstrates that our mechanism outperforms current schemes in terms of security and utility for large quantities of queries.

computer science, artificial intelligence

Qing Yang,Fujun Ji,Fei Liu

DOI: https://doi.org/10.1155/2024/5374764

IF: 2.249

2024-03-08

Journal of Advanced Transportation

Abstract:Mobile smart devices, such as mobile phones, wearable devices, and in-vehicle navigation systems, bring us convenience and have become necessities in modern daily life. The built-in global positioning system (GPS) of these mobile devices collects the users’ mobility data to support path planning, navigation and other location-related applications, which also inevitably causes privacy issues. Previous research has shown that employing count-min sketch (CMS) to aggregate mobility datasets is a valid privacy-preserving method for resisting the reconstruction attack on population distributions. However, as the utility/accessibility of the protected datasets is excessively correlated with the size of CMS, decreasing the data transmission cost has become an unsolved issue of that approach. In this paper, we propose an efficient scheme with differential privacy to protect mobility datasets, which releases the privacy-preserving population distributions and achieves better utility as well as a much smaller data transmission cost compared to the CMS-based method. Our proposed scheme is comprised of two collaborative components, global sketch and temporal sketch. The global sketch is responsible for aggregating the raw mobility data and decreasing the data transmission cost, while the temporal sketch is in charge of guaranteeing the utility of the population distributions aggregated by the global sketch. Besides, to enhance the privacy preservation, we employ the Laplace mechanism to make the transmitted data satisfy ε -differential privacy. Through our analysis and empirical experiments, compared to the other three state-of-the-art privacy-preserving methods on mobility datasets, our scheme could preserve the privacy of the mobility datasets with much less data transmission cost under the same utility loss.

transportation science & technology,engineering, civil

Haina Song,Hua Shen,Nan Zhao,Zhangqing He,Minghu Wu,Wei Xiong,Mingwu Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103517

IF: 5.105

2024-01-01

Computers & Security

Abstract:Local differential privacy (LDP) enables terminal participants to share their private data safely while controlling the privacy disclosure at the source. In the majority of current works, they assumed that the privacy preservation parameter is totally determined by the data collector and then dispatched to all participants in mobile crowdsensing. However, in the real world, due to different privacy preferences of participants, it is inelegant and unpromising for all participants to accept the same privacy preservation level during data collection. To address such issue, an adaptive personalized local differential privacy (APLDP) data collection scheme is proposed to realize personalized privacy preservation while achieving higher data utility, in which two different LDP perturbation methods (basic RAPPOR and k-RR) are adaptively chosen by the participants according to their different privacy preferences, as well as the best perturbation probability is adaptively adopted by the participants to perturb their private data. In such case, the adaptive boundary based on the minimum mean square error (MSE) is theoretically derived to allow the participant to adaptively choose the best perturbation method, and meanwhile, it allows the participant to adaptively choose the best perturbation probability. Then, two estimation mergence methods named the direct combination (DC) and the weighted combination (WC) are demonstrated to do efficient data aggregation. Experiments on both synthetic and real data sets show that the proposed APLDP scheme performs better than previous non-personalized proposals in terms of the MSE and the average error rate (AER), especially using WC estimation method.

computer science, information systems

Teddy Cunningham,Graham Cormode,Hakan Ferhatosmanoglu,Divesh Srivastava

DOI: https://doi.org/10.14778/3476249.3476280

2021-08-04

Abstract:Sharing trajectories is beneficial for many real-world applications, such as managing disease spread through contact tracing and tailoring public services to a population's travel patterns. However, public concern over privacy and data protection has limited the extent to which this data is shared. Local differential privacy enables data sharing in which users share a perturbed version of their data, but existing mechanisms fail to incorporate user-independent public knowledge (e.g., business locations and opening times, public transport schedules, geo-located tweets). This limitation makes mechanisms too restrictive, gives unrealistic outputs, and ultimately leads to low practical utility. To address these concerns, we propose a local differentially private mechanism that is based on perturbing hierarchically-structured, overlapping $n$-grams (i.e., contiguous subsequences of length $n$) of trajectory data. Our mechanism uses a multi-dimensional hierarchy over publicly available external knowledge of real-world places of interest to improve the realism and utility of the perturbed, shared trajectories. Importantly, including real-world public data does not negatively affect privacy or efficiency. Our experiments, using real-world data and a range of queries, each with real-world application analogues, demonstrate the superiority of our approach over a range of alternative methods.

Databases,Cryptography and Security