Utility-Aware Synthesis of Differentially Private and Attack-Resilient Location Traces

As mobile devices and location-based services become increasingly ubiquitous, the privacy of mobile users' location traces continues to be a major concern. Traditional privacy solutions rely on perturbing each position in a user's trace and replacing it with a fake location. However, recent studies have shown that such point-based perturbation of locations is susceptible to inference attacks and suffers from serious utility losses, because it disregards the moving trajectory and continuity in full location traces. In this paper, we argue that privacy-preserving synthesis of complete location traces can be an effective solution to this problem. We present AdaTrace, a scalable location trace synthesizer with three novel features: provable statistical privacy, deterministic attack resilience, and strong utility preservation. AdaTrace builds a generative model from a given set of real traces through a four-phase synthesis process consisting of feature extraction, synopsis learning, privacy and utility preserving noise injection, and generation of differentially private synthetic location traces. The output traces crafted by AdaTrace preserve utility-critical information existing in real traces, and are robust against known location trace attacks. We validate the effectiveness of AdaTrace by comparing it with three state of the art approaches (ngram, DPT, and SGLT) using real location trace datasets (Geolife and Taxi) as well as a simulated dataset of 50,000 vehicles in Oldenburg, Germany. AdaTrace offers up to 3-fold improvement in trajectory utility, and is orders of magnitude faster than previous work, while preserving differential privacy and attack resilience.

[1]  Catuscia Palamidessi,et al.  Geo-indistinguishability: differential privacy for location-based systems , 2012, CCS.

[2]  Emiliano De Cristofaro,et al.  Knock Knock, Who's There? Membership Inference on Aggregate Location Data , 2017, NDSS.

[3]  Cyrus Shahabi,et al.  Differentially private publication of location entropy , 2016, SIGSPATIAL/GIS.

[4]  Srinivasan Parthasarathy,et al.  Distance-based outlier detection , 2010, Proc. VLDB Endow..

[5]  Ling Liu,et al.  Location Privacy in Mobile Systems: A Personalized Anonymization Model , 2005, 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05).

[6]  Somesh Jha,et al.  Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing , 2014, USENIX Security Symposium.

[7]  Christos Faloutsos,et al.  Efficient retrieval of similar time sequences under time warping , 1998, Proceedings 14th International Conference on Data Engineering.

[8]  Jean-Yves Le Boudec,et al.  Quantifying Location Privacy , 2011, 2011 IEEE Symposium on Security and Privacy.

[9]  Ryan M. Rogers,et al.  Differentially Private Chi-Squared Hypothesis Testing: Goodness of Fit and Independence Testing , 2016, ICML 2016.

[10]  Ashwin Machanavajjhala,et al.  No free lunch in data privacy , 2011, SIGMOD '11.

[11]  Xiaoqian Jiang,et al.  Differentially Private Synthesization of Multi-Dimensional Data using Copula Functions , 2014, EDBT.

[12]  João Gama,et al.  Predicting Taxi–Passenger Demand Using Streaming Data , 2013, IEEE Transactions on Intelligent Transportation Systems.

[13]  Cynthia Dwork,et al.  Differential Privacy , 2006, ICALP.

[14]  Albert-László Barabási,et al.  Limits of Predictability in Human Mobility , 2010, Science.

[15]  Ashwin Machanavajjhala,et al.  Pufferfish , 2014, ACM Trans. Database Syst..

[16]  Haoxiang Xia,et al.  An Investigation of Intra-Urban Mobility Pattern of Taxi Passengers , 2016 .

[17]  Wang-Chien Lee,et al.  Protecting Moving Trajectories with Dummies , 2007, 2007 International Conference on Mobile Data Management.

[18]  Nitesh Saxena,et al.  On the Privacy of Web Search Based on Query Obfuscation: A Case Study of TrackMeNot , 2010, Privacy Enhancing Technologies.

[19]  Aaron Roth,et al.  The Algorithmic Foundations of Differential Privacy , 2014, Found. Trends Theor. Comput. Sci..

[20]  Graham Cormode,et al.  Personal privacy vs population privacy: learning to attack anonymization , 2011, KDD.

[21]  Kunal Talwar,et al.  Mechanism Design via Differential Privacy , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[22]  Catuscia Palamidessi,et al.  A Predictive Differentially-Private Mechanism for Mobility Traces , 2013, Privacy Enhancing Technologies.

[23]  Divesh Srivastava,et al.  Differentially Private Spatial Decompositions , 2011, 2012 IEEE 28th International Conference on Data Engineering.

[24]  Catuscia Palamidessi,et al.  Optimal Geo-Indistinguishable Mechanisms for Location Privacy , 2014, CCS.

[25]  Jong Kim,et al.  Location Privacy via Differential Private Perturbation of Cloaking Area , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[26]  Dan Suciu,et al.  Boosting the accuracy of differentially private histograms through consistency , 2009, Proc. VLDB Endow..

[27]  Shiva Prasad Kasiviswanathan,et al.  On the 'Semantics' of Differential Privacy: A Bayesian Formulation , 2008, J. Priv. Confidentiality.

[28]  César A. Hidalgo,et al.  Unique in the Crowd: The privacy bounds of human mobility , 2013, Scientific Reports.

[29]  Sarah N. Heiss,et al.  Knock, Knock; Who’s There? , 2012 .

[30]  Carmela Troncoso,et al.  Protecting location privacy: optimal strategy against localization attacks , 2012, CCS.

[31]  Vitaly Shmatikov,et al.  Membership Inference Attacks Against Machine Learning Models , 2016, 2017 IEEE Symposium on Security and Privacy (SP).

[32]  Eamonn J. Keogh,et al.  Exact indexing of dynamic time warping , 2002, Knowledge and Information Systems.

[33]  Ling Liu,et al.  Supporting anonymous location queries in mobile environments with privacygrid , 2008, WWW.

[34]  Sridhar Ramaswamy,et al.  Efficient algorithms for mining outliers from large data sets , 2000, SIGMOD '00.

[35]  Cynthia Dwork,et al.  Differential Privacy: A Survey of Results , 2008, TAMC.

[36]  Takahiro Hara,et al.  A dummy-based anonymization method based on user trajectory with pauses , 2012, SIGSPATIAL/GIS.

[37]  Philip S. Yu,et al.  Correlated network data publication via differential privacy , 2013, The VLDB Journal.

[38]  Li Xiong,et al.  Protecting Locations with Differential Privacy under Temporal Correlations , 2014, CCS.

[39]  Xing Xie,et al.  Mining interesting locations and travel sequences from GPS trajectories , 2009, WWW '09.

[40]  Matt Duckham,et al.  Trajectory similarity measures , 2015, SIGSPACIAL.

[41]  Hossein Pishro-Nik,et al.  Achieving Perfect Location Privacy in Wireless Devices Using Anonymization , 2016, IEEE Transactions on Information Forensics and Security.

[42]  Ninghui Li,et al.  Differentially Private Publishing of High-dimensional Data Using Sensitivity Control , 2015, AsiaCCS.

[43]  Frank McSherry,et al.  Privacy integrated queries: an extensible platform for privacy-preserving data analysis , 2009, SIGMOD Conference.

[44]  Margaret Martonosi,et al.  DP-WHERE: Differentially private modeling of human mobility , 2013, 2013 IEEE International Conference on Big Data.

[45]  Divesh Srivastava,et al.  DPT: Differentially Private Trajectory Synthesis Using Hierarchical Reference Systems , 2015, Proc. VLDB Endow..

[46]  Srdjan Capkun,et al.  Quantifying Web-Search Privacy , 2014, CCS.

[47]  Calton Pu,et al.  Dynamic Differential Location Privacy with Personalized Error Bounds , 2017, NDSS.

[48]  Ninghui Li,et al.  Differentially private grids for geospatial data , 2012, 2013 IEEE 29th International Conference on Data Engineering (ICDE).

[49]  A. V. Sriharsha,et al.  On Syntactic Anonymity and Differential Privacy , 2015 .

[50]  Thomas Brinkhoff,et al.  A Framework for Generating Network-Based Moving Objects , 2002, GeoInformatica.

[51]  Reza Shokri,et al.  Synthesizing Plausible Privacy-Preserving Location Traces , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[52]  Claude Castelluccia,et al.  Differentially private sequential data publication via variable-length n-grams , 2012, CCS.

[53]  Ronald L. Rivest,et al.  Honeywords: making password-cracking detectable , 2013, CCS.

[54]  Claude Castelluccia,et al.  Study : Privacy Preserving Release of Spatio-temporal Density in Paris , 2014 .