Yanzhe Che,Qinming He,Xiaoyan Hong,Kevin Chiew

DOI: https://doi.org/10.1002/dac.2650

2013-01-01

International Journal of Communication Systems

Abstract:While enjoying various LBS location-based services, users also face the threats of location privacy disclosure. This is because even if the communications between users and LBS providers can be encrypted and anonymized, the sensitive information inside LBS queries may disclose the exact location or even the identity of a user. The existing research on location privacy preservation in mobile peer-to-peer P2P networks assumed that users trust each other and directly share location information with each other. Nonetheless, this assumption is not practical for most of the mobile P2P scenarios, for example, an adversary can pretend to be a normal user and collect the locations of other users. Aiming at this issue, this paper presents x-region as a solution to preserve the location privacy in a mobile P2P environment where no trust relationships are assumed amongst mobile users. The main idea is to allow users to share a blurred region known as x-region instead of their exact locations so that one cannot distinguish any user from others inside the region. We propose a theoretical metric for measuring the anonymity property of x-region, together with three algorithms for generating an x-region, namely, benchmark algorithm, weighted expanding algorithm, and aggressive weighted expanding algorithm. These algorithms achieve the anonymity and QoS requirements with different strategies. Our experiments verify the performance of the algorithms against three key metrics. Copyright © 2013 John Wiley & Sons, Ltd.

Felix Beierle,Tobias Eichinger

DOI: https://doi.org/10.1109/smartworld-uic-atc-scalcom-iop-sci.2019.00222

2019-08-01

Abstract:Typically, recommender systems from any domain, be it movies, music, restaurants, etc., are organized in a centralized fashion. The service provider holds all the data, biases in the recommender algorithms are not transparent to the user, and the service providers often create lock-in effects making it inconvenient for the user to switch providers. In this paper, we argue that the user’s smartphone already holds a lot of the data that feeds into typical recommender systems for movies, music, or POIs. With the ubiquity of the smartphone and other users in proximity in public places or public transportation, data can be exchanged directly between users in a device-to-device manner. This way, each smartphone can build its own database and calculate its own recommendations. One of the benefits of such a system is that it is not restricted to recommendations for just one user – ad-hoc group recommendations are also possible. While the infrastructure for such a platform already exists – the smartphones already in the palms of the users – there are challenges both with respect to the mobile recommender system platform as well as to its recommender algorithms. In this paper, we present a mobile architecture for the described system – consisting of data collection, data exchange, and recommender system – and highlight its challenges and opportunities.

Jun Sakuma,Tatsuya Osame

DOI: https://doi.org/10.48550/arXiv.1707.03334

2017-06-06

Abstract:Recommender systems are widely used to predict personalized preferences of goods or services using users' past activities, such as item ratings or purchase histories. If collections of such personal activities were made publicly available, they could be used to personalize a diverse range of services, including targeted advertisement or recommendations. However, there would be an accompanying risk of privacy violations. The pioneering work of Narayanan et al.\ demonstrated that even if the identifiers are eliminated, the public release of user ratings can allow for the identification of users by those who have only a small amount of data on the users' past ratings. In this paper, we assume the following setting. A collector collects user ratings, then anonymizes and distributes them. A recommender constructs a recommender system based on the anonymized ratings provided by the collector. Based on this setting, we exhaustively list the models of recommender systems that use anonymized ratings. For each model, we then present an item-based collaborative filtering algorithm for making recommendations based on anonymized ratings. Our experimental results show that an item-based collaborative filtering based on anonymized ratings can perform better than collaborative filterings based on 5--10 non-anonymized ratings. This surprising result indicates that, in some settings, privacy protection does not necessarily reduce the usefulness of recommendations. From the experimental analysis of this counterintuitive result, we observed that the sparsity of the ratings can be reduced by anonymization and the variance of the prediction can be reduced if $k$, the anonymization parameter, is appropriately tuned. In this way, the predictive performance of recommendations based on anonymized ratings can be improved in some settings.

Information Retrieval,Machine Learning

Yuchen Zhao,Juan Ye,Tristan Henderson

DOI: https://doi.org/10.4108/eai.30-11-2016.2267031

2016-01-01

Abstract:Location-sharing services have grown in use commensurately with the increasing popularity of smart phones. As location data can be sensitive, it is important to preserve people's privacy while using such services, and so location-privacy recommender systems have been proposed to help people configure their privacy settings. These recommenders collect and store people's data in a centralised system, but these themselves can introduce new privacy threats and concerns. In this paper, we propose a decentralised location-privacy recommender system based on opportunistic networks. We evaluate our system using real-world location-privacy traces, and introduce a reputation scheme based on encounter frequencies to mitigate the potential effects of shilling attacks by malicious users. Experimental results show that, after receiving adequate data, our decentralised recommender system's performance is close to the performance of traditional centralised recommender systems (3% difference in accuracy and 1% difference in leaks). Meanwhile, our reputation scheme significantly mitigates the effect of malicious users' input (from 55% to 8% success) and makes it increasingly expensive to conduct such attacks.

Danny Stax,Manel Slokom,Martha Larson

DOI: https://doi.org/10.48550/arXiv.2208.03242

2022-09-09

Abstract:Recently, researchers have turned their attention to recommender systems that use only minimal necessary data. This trend is informed by the idea that recommender systems should use no more user interactions than are needed in order to provide users with useful recommendations. In this position paper, we make the case for applying the idea of minimal necessary data to recommender systems that use user reviews. We argue that the content of individual user reviews should be subject to minimization. Specifically, reviews used as training data to generate recommendations or reviews used to help users decide on purchases or consumption should be automatically edited to contain only the information that is needed.

Information Retrieval

Junliang Liu,Zheng Yang,Yunhao Liu

DOI: https://doi.org/10.1109/icpads.2012.36

2012-01-01

Abstract:Location-based Service (LBS) becomes increasingly important for wireless and mobile networks. In current LBS schemes, Service Providers (SPs) require users report their accurate locations, which can be illegally used by adversaries to infer sensitive information of users. Privacy disclosure raises serious concerns and limits the application of LBS. Previous solutions either rely on pre-installed centralized intermediary or assume cooperative users. Other distributed solutions, lacking of user obligation, only provide relatively poor anonymity. In this study, we propose a new solution of pseudonym change, which works for non-cooperative users and in the absence of intermediary. The basic idea behind our solution is ad-hoc anonymity. The proposed solution allows users to decide whether or not participating according to their own wills. In addition, artificially generated dummies mix up all the users who have participated in pseudonym changes at different times. Theoretical analysis demonstrates that asynchronous pseudonym change and dummy participation notably enhance privacy protection. We implement our solution on a real-world dataset of mobile phone users, which is collected at Boston, MA, and by the Reality Mining, MIT. The simulation results show that our approach significantly outperforms existing solutions.

Jiacheng Gao,Yuan Zhang,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2023.3324802

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Exploiting participants' data without knowing them is the center topic of secure mobile sensing data aggregation. In this paper, we study how to improve existing protocols for computing the minimum or $k$ -th minimum of all participants' data in a privacy-preserving manner. Existing protocols for these two computations require relatively high communication cost or frequent interactions, which leads to unbearable time consumption when the network delay is high. We improve the min computation protocol proposed by [1], cutting down on its need for interactions and thus making it perform better in terms of efficiency. We also propose a new protocol as a secure substitute of the Bit-choosing Algorithm designed by [2]. It helps participants generate a secret permutation, which will be further used in the $k$ -th min computation protocol to achieve higher accuracy and efficiency. Theoretical analyses are done to help predict and understand our new protocols' performances, and later evaluations show that both these new protocols perform notably better in comparison to the existing ones.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Raheem Beyah

2014-01-01

Abstract:When people utilize social applications and services, their privacy suffers potential serious threat. In this paper, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from on-going de-anonymization results. By analyzing the measurement on real data sets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large scale data without the knowledge on the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well known mobility traces: St Andrews, Infocom06, and Smallblue, and three social data sets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. For instance, utilizing the knowledge of one seed mapping merely, 93.2% of the data in Smallblue can be successfully de-anonymized; utilizing the knowledge of ten seed mappings, August 13, 2014 DRAFT

Huandong Wang,Yong Li,Chen Gao,Gang Wang,Xiaoming Tao,Depeng Jin

DOI: https://doi.org/10.1109/tmc.2019.2952774

IF: 6.075

2021-03-01

IEEE Transactions on Mobile Computing

Abstract:Human mobility trajectories are increasingly collected by ISPs to assist academic research and commercial applications. Meanwhile, there is a growing concern that individual trajectories can be de-anonymized when the data is shared, using information from external sources (e.g., online social networks). To understand this risk, prior works either estimate the theoretical privacy bound or simulate de-anonymization attacks on synthetically created datasets. However, it is not clear how well the theoretical estimations are preserved in practice. In this article, we collected a large-scale ground-truth trajectory dataset from 2,161,500 users of a cellular network, and two matched external trajectory datasets from a large social network (56,683 users) and a check-in/review service (45,790 users) on the same user population. The two sets of large ground-truth data provide a rare opportunity to extensively evaluate a variety of de-anonymization algorithms (nine in total). We find that their performance in the real-world dataset is far from the theoretical bound. Further analysis shows that most algorithms have under-estimated the impact of spatio-temporal mismatches between the data from different sources, and the high sparsity of user generated data also contributes to the under-performance. Based on these insights, we propose four new algorithms that are specially designed to tolerate spatial or temporal mismatches (or both) and model location contexts and time contexts. Extensive evaluations show that our algorithms achieve more than 17 percent performance gain over the best existing algorithms, confirming our insights. Further, we propose two new location-privacy preserving mechanisms utilizing the spatio-temporal mismatches to better protect users' privacy against the de-anonymization attack. Evaluation results show that our proposed mechanisms can reduce the performance of de-anonymization attacks by over 8.0 percent, demonstrating the effectivene-s of our insights.

computer science, information systems,telecommunications

Christos Perentis,Michele Vescovi,Chiara Leonardi,Corrado Moiso,Mirco Musolesi,Fabio Pianesi,Bruno Lepri

DOI: https://doi.org/10.1145/3017431

IF: 5.3

2017-05-28

ACM Transactions on Internet Technology

Abstract:The wide adoption of mobile devices and social media platforms have dramatically increased the collection and sharing of personal information. More and more frequently, users are called to make decisions concerning the disclosure of their personal information. In this study, we investigate the factors affecting users’ choices toward the disclosure of their personal data, including not only their demographic and self-reported individual characteristics, but also their social interactions and their mobility patterns inferred from months of mobile phone data activity. We report the findings of a field study conducted with a community of 63 subjects provided with (i) a smart-phone and (ii) a Personal Data Store (PDS) enabling them to control the disclosure of their data. We monitor the sharing behavior of our participants through the PDS and evaluate the contribution of different factors affecting their disclosing choices of location and social interaction data. Our analysis shows that social interaction inferred by mobile phones is an important factor revealing willingness to share, regardless of the data type. In addition, we provide further insights on the individual traits relevant to the prediction of sharing behavior.

computer science, information systems, software engineering

Alexander Galozy,Sadi Alawadi,Victor Kebande,Sławomir Nowaczyk

2023-09-30

Abstract:This paper investigates the issue of privacy in a learning scenario where users share knowledge for a recommendation task. Our study contributes to the growing body of research on privacy-preserving machine learning and underscores the need for tailored privacy techniques that address specific attack patterns rather than relying on one-size-fits-all solutions. We use the latent bandit setting to evaluate the trade-off between privacy and recommender performance by employing various aggregation strategies, such as averaging, nearest neighbor, and clustering combined with noise injection. More specifically, we simulate a linkage attack scenario leveraging publicly available auxiliary information acquired by the adversary. Our results on three open real-world datasets reveal that adding noise using the Laplace mechanism to an individual user's data record is a poor choice. It provides the highest regret for any noise level, relative to de-anonymization probability and the ADS metric. Instead, one should combine noise with appropriate aggregation strategies. For example, using averages from clusters of different sizes provides flexibility not achievable by varying the amount of noise alone. Generally, no single aggregation strategy can consistently achieve the optimum regret for a given desired level of privacy.

Machine Learning,Artificial Intelligence

Gustav Hertz,Sandhya Sachidanandan,Balázs Tóth,Emil S. Jørgensen,Martin Tegnér

DOI: https://doi.org/10.48550/arXiv.2106.11218

2021-06-22

Abstract:This paper advocates privacy preserving requirements on collection of user data for recommender systems. The purpose of our study is twofold. First, we ask if restrictions on data collection will hurt test quality of RNN-based recommendations. We study how validation performance depends on the available amount of training data. We use a combination of top-K accuracy, catalog coverage and novelty for this purpose, since good recommendations for the user is not necessarily captured by a traditional accuracy metric. Second, we ask if we can improve the quality under minimal data by using secondary data sources. We propose knowledge transfer for this purpose and construct a representation to measure similarities between purchase behaviour in data. This to make qualified judgements of which source domain will contribute the most. Our results show that (i) there is a saturation in test performance when training size is increased above a critical point. We also discuss the interplay between different performance metrics, and properties of data. Moreover, we demonstrate that (ii) our representation is meaningful for measuring purchase behaviour. In particular, results show that we can leverage secondary data to improve validation performance if we select a relevant source domain according to our similarly measure.

Information Retrieval,Machine Learning

Yuan Zhang,Qingjun Chen,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2015.2432814

2015-01-01

Abstract:Protecting the privacy of mobile phone user participants is extremely important for mobile phone sensing applications. In this paper, we study how an aggregator can expeditiously compute the minimum value or the kth minimum value of all users' data without knowing them. We construct two secure protocols using probabilistic coding schemes and a cipher system that allows homomorphic bitwise XOR computations for our problems. Following the standard cryptographic security definition in the semi-honest model, we formally prove our protocols' security. The protocols proposed by us can support time-series data and need not to assume the aggregator is trusted. Moreover, different from existing protocols that are based on secure arithmetic sum computations, our protocols are based on secure bitwise XOR computations, thus are more efficient.

Rachid Guerraoui,Anne-Marie Kermarrec,Rhicheek Patra,Mahammad Valiyev,Jingjing Wang

DOI: https://doi.org/10.1109/dsn.2017.22

2017-01-01

Abstract:Recommenders widely use collaborative filtering schemes. These schemes, however, threaten privacy as user profiles are made available to the service provider hosting the recommender and can even be guessed by curious users who analyze the recommendations. Users can encrypt their profiles to hide them from the service provider and add noise to make them difficult to guess. These precautionary measures hamper latency and recommendation quality. In this paper, we present a novel recommender, X-REC, enabling an effective collaborative filtering scheme to ensure the privacy of users against the service provider (system-level privacy) or other users (user-level privacy). X-REC builds on two underlying services: X-HE, an encryption scheme designed for recommenders, and X-NN, a neighborhood selection protocol over encrypted profiles. We leverage uniform sampling to ensure differential privacy against curious users. Our extensive evaluation demonstrates that X-REC provides (1) recommendation quality similar to non-private recommenders, and (2) significant latency improvement over privacy-aware alternatives.

Shenao Wang,Yanjie Zhao,Kailong Wang,Haoyu Wang

DOI: https://doi.org/10.1145/3605762.3624435

2023-01-01

Abstract:Mini programs, or MiniApps, have become prevalent in the digital landscape, offering convenience but raising privacy concerns, particularly in data minimization. Existing coarse-grained privacy measures fall short in ensuring effective data minimization due to the complex structure of MiniApps and the specificities of data usage scenarios. This work proposes an innovative end-to-end hybrid analysis framework, comprising three key modules, to analyze fine-grained usage-scenario-based data minimization within MiniApps. The framework constructs the page-transition structure, aligns data collection with specific purposes, and detects violations of data minimization principles. We also outline our plan to evaluate the framework through a large-scale study involving 120K MiniApps. This research represents a significant advancement in the pursuit of responsible data practices within MiniApps, contributing to the broader field of computer science and digital security.

Pierre Dellenbach,Aurélien Bellet,Jan Ramon

DOI: https://doi.org/10.48550/arXiv.1803.09984

2018-03-27

Abstract:The amount of personal data collected in our everyday interactions with connected devices offers great opportunities for innovative services fueled by machine learning, as well as raises serious concerns for the privacy of individuals. In this paper, we propose a massively distributed protocol for a large set of users to privately compute averages over their joint data, which can then be used to learn predictive models. Our protocol can find a solution of arbitrary accuracy, does not rely on a third party and preserves the privacy of users throughout the execution in both the honest-but-curious and malicious adversary models. Specifically, we prove that the information observed by the adversary (the set of maliciours users) does not significantly reduce the uncertainty in its prediction of private values compared to its prior belief. The level of privacy protection depends on a quantity related to the Laplacian matrix of the network graph and generally improves with the size of the graph. Furthermore, we design a verification procedure which offers protection against malicious users joining the service with the goal of manipulating the outcome of the algorithm.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Multiagent Systems

Chen Gao,Chao Huang,Dongsheng Lin,Yong Li,Depeng Jin

DOI: https://doi.org/10.1145/3397271.3401053

2020-01-01

Abstract:Most existing recommender systems leverage users' complete original behavioral logs, which are collected from mobile devices and stored by the service provider and further fed into recommendation models. This may lead to a high risk of privacy leakage since the recommendation service provider may be trustless. Despite many research efforts on privacy-aware recommendation, the problem of building an effective recommender system completely preserving user privacy is still open. In this work, we propose a general framework named differentially private local collaborative filtering for recommendation. The designed workflow consists of three steps. First, for accumulated behavioral logs saved on users' devices, a differentially private protection mechanism is adopted to help obfuscate the real interactions before reporting them to the server. Second, after collecting all obfuscated records from all users, the server runs an estimation model to calculate similarities between each pair of items. This step requires no user-relevant data, and thus it does not introduce any auxiliary privacy risk. Last, the server sends the estimated user-irrelevant item-similarity matrix to each user device, and the recommendation results are inferred locally based on item similarities with each user's locally stored original behavioral data. To verify our method's efficacy, we conduct extensive experiments on three real-world datasets, demonstrating that our proposed method achieves the best performance compared with the state-of-the-art baselines. We further demonstrate that our method still works well under various privacy budgets and different data sparsity level.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise.

S. Nuñez von Voigt,E. Daniel,F. Tschorsch

DOI: https://doi.org/10.1145/3465481.3465769

2021-07-14

Abstract:Recommender systems are widely used. Usually, recommender systems are based on a centralized client-server architecture. However, this approach implies drawbacks regarding the privacy of users. In this paper, we propose a distributed reciprocal recommender system with strong, self-determined privacy guarantees, i.e., local differential privacy. More precisely, users randomize their profiles locally and exchange them via a peer-to-peer network. Recommendations are then computed and ranked locally by estimating similarities between profiles. We evaluate recommendation accuracy of a job recommender system and demonstrate that our method provides acceptable utility under strong privacy requirements.

Cryptography and Security

Nasim Sonboli,Sipei Li,Mehdi Elahi,Asia Biega

2024-09-21

Abstract:General Data Protection Regulations (GDPR) aim to safeguard individuals' personal information from harm. While full compliance is mandatory in the European Union and the California Privacy Rights Act (CPRA), it is not in other places. GDPR requires simultaneous compliance with all the principles such as fairness, accuracy, and data minimization. However, it overlooks the potential contradictions within its principles. This matter gets even more complex when compliance is required from decision-making systems. Therefore, it is essential to investigate the feasibility of simultaneously achieving the goals of GDPR and machine learning, and the potential tradeoffs that might be forced upon us. This paper studies the relationship between the principles of data minimization and fairness in recommender systems. We operationalize data minimization via active learning (AL) because, unlike many other methods, it can preserve a high accuracy while allowing for strategic data collection, hence minimizing the amount of data collection. We have implemented several active learning strategies (personalized and non-personalized) and conducted a comparative analysis focusing on accuracy and fairness on two publicly available datasets. The results demonstrate that different AL strategies may have different impacts on the accuracy of recommender systems with nearly all strategies negatively impacting fairness. There has been no to very limited work on the trade-off between data minimization and fairness, the pros and cons of active learning methods as tools for implementing data minimization, and the potential impacts of AL on fairness. By exploring these critical aspects, we offer valuable insights for developing recommender systems that are GDPR compliant.

Information Retrieval,Computers and Society,Machine Learning