Geo-indistinguishability: differential privacy for location-based systems

The growing popularity of location-based systems, allowing unknown/untrusted servers to easily collect huge amounts of information regarding users' location, has recently started raising serious privacy concerns. In this paper we introduce geo-indistinguishability, a formal notion of privacy for location-based systems that protects the user's exact location, while allowing approximate information -- typically needed to obtain a certain desired service -- to be released. This privacy definition formalizes the intuitive notion of protecting the user's location within a radius $r$ with a level of privacy that depends on $r$, and corresponds to a generalized version of the well-known concept of differential privacy. Furthermore, we present a mechanism for achieving geo-indistinguishability by adding controlled random noise to the user's location. We describe how to use our mechanism to enhance LBS applications with geo-indistinguishability guarantees without compromising the quality of the application results. Finally, we compare state-of-the-art mechanisms from the literature with ours. It turns out that, among all mechanisms independent of the prior, our mechanism offers the best privacy guarantees.
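As an added illustration, not code from the paper, the snippet below implements one noise mechanism of the kind the abstract describes, the planar Laplace mechanism, and checks the geo-indistinguishability bound on its density ratios. It assumes locations are Cartesian coordinates in metres (a local projection is left to the caller) and uses the standard relation that privacy level $\ell$ within radius $r$ corresponds to $\epsilon = \ell / r$.

```python
import math
import random


def eps_for_radius(level, radius):
    """Parameter eps giving privacy level `level` within `radius` metres.
    Assumes the standard relation level = eps * radius."""
    return level / radius


def planar_laplace_density(eps, x, z):
    """Density of the planar Laplace distribution centred at x, evaluated at z:
    eps^2 / (2*pi) * exp(-eps * d(x, z)), with d the Euclidean distance."""
    return (eps ** 2) / (2 * math.pi) * math.exp(-eps * math.dist(x, z))


def add_planar_laplace_noise(eps, x, rng=random):
    """Return a noisy location z = x + noise, noise drawn from the planar
    Laplace distribution with parameter eps (here in 1/metre)."""
    theta = rng.uniform(0.0, 2.0 * math.pi)
    # Radial density is eps^2 * r * exp(-eps * r), i.e. Gamma(shape=2, scale=1/eps),
    # so the radius can be sampled directly without a Lambert-W inversion.
    r = rng.gammavariate(2.0, 1.0 / eps)
    return (x[0] + r * math.cos(theta), x[1] + r * math.sin(theta))


def geoind_ratio(eps, x1, x2, z):
    """Return (observed ratio, allowed bound). eps-geo-indistinguishability
    requires density(x1 -> z) / density(x2 -> z) <= exp(eps * d(x1, x2))
    for every pair of real locations x1, x2 and every reported point z."""
    observed = planar_laplace_density(eps, x1, z) / planar_laplace_density(eps, x2, z)
    bound = math.exp(eps * math.dist(x1, x2))
    return observed, bound


def mean_noise_distance(eps, n, seed=0):
    """Empirical mean displacement of n noisy reports of the origin.
    For the planar Laplace mechanism the expected value is 2/eps."""
    rng = random.Random(seed)
    origin = (0.0, 0.0)
    return sum(math.dist(origin, add_planar_laplace_noise(eps, origin, rng))
               for _ in range(n)) / n


if __name__ == "__main__":
    # Constructed example: level ln(4) within 200 m, i.e. eps ~ 0.00693 per metre.
    eps = eps_for_radius(math.log(4), 200.0)
    print(add_planar_laplace_noise(eps, (1000.0, 500.0)))
    print(geoind_ratio(eps, (0.0, 0.0), (200.0, 0.0), (80.0, 40.0)))
```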
