Privacy in trajectory micro-data publishing: a survey

We survey the literature on the privacy of trajectory micro-data, i.e., spatiotemporal information about the mobility of individuals, whose collection is becoming increasingly simple and frequent thanks to emerging information and communication technologies. The focus of our review is on privacy-preserving data publishing (PPDP), i.e., the publication of databases of trajectory micro-data that preserve the privacy of the monitored individuals. We classify and present the literature of attacks against trajectory micro-data, as well as solutions proposed to date for protecting databases from such attacks. This paper serves as an introductory reading on a critical subject in an era of growing awareness about privacy risks connected to digital services, and provides insights into open problems and future directions for research.
