Revealing Privacy Vulnerabilities of Anonymous Trajectories

The proliferation of mobile devices equipped with GPS positioning modules makes the collection of trajectories easier than ever before, and more and more trajectory datasets have become available for business applications or academic research. Published trajectories are normally anonymized by replacing the real identities of mobile objects with pseudonyms (e.g., random identifiers); however, privacy leaks can hardly be prevented. In this paper, we introduce a novel paradigm of de-anonymization attack that re-identifies the trajectories of victims in anonymous trajectory datasets. Unlike existing attacks, it requires no background knowledge or side-channel information about the target dataset. Instead, we claim that, for each moving object, there exist mobility patterns that reflect the preferences or usual behavior of the object and do not change dramatically over a period of time. As long as those relatively stable patterns can be extracted from trajectories and used as quasi-identifiers, trajectories can be linked to anonymous historical ones. To carry out such a de-anonymization attack, an adversary only needs to collect a few trajectory segments of a victim, whose durations do not necessarily overlap with those of the trajectories in the target dataset (in simple terms, those trajectory segments are not necessarily sub-trajectories contained in the target dataset). Since the movements of victims in public areas can be observed openly, an adversary can obtain traces or locations of the victims either by monitoring them directly (e.g., tracking) or from third parties (e.g., social networks). The adversary then extracts useful patterns from both the historical trajectories in the accessible dataset and the newly obtained trajectory segments of the victims; the historical trajectory whose patterns are most similar to those of a victim is considered to belong to that victim.
In order to demonstrate the feasibility of such attacks, we conduct extensive trace-driven simulations. We extract road segment preferences and stops of interest from vehicle trajectories, construct feature vectors (mobility patterns) of the vehicles from them, and use those vectors for trajectory comparison. Simulation results show that the adversary can re-identify anonymous trajectories effectively.
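As an added example (not the paper's code), the pattern-matching step described above written as a publisher-side uniqueness check: feature vectors are built from road-segment visit frequencies and stops of interest, compared by cosine similarity, and a risk function reports how many pseudonymous records are confusable with a probe segment. The segment ids, dwell times, stop threshold and margin are constructed assumptions, not values from the paper.

```python
from collections import Counter
from math import sqrt

# Constructed sample data: each trajectory is a list of (road_segment_id, dwell_seconds).
HISTORICAL = {
    "pseudo-A": [("s1", 30), ("s2", 20), ("s3", 900), ("s2", 25), ("s1", 40), ("s7", 1200)],
    "pseudo-B": [("s4", 20), ("s5", 30), ("s6", 800), ("s5", 20), ("s4", 30), ("s9", 1000)],
    "pseudo-C": [("s1", 35), ("s2", 20), ("s3", 300), ("s2", 20), ("s1", 30), ("s8", 900)],
}
# A short, newly observed segment (constructed) that need not be part of HISTORICAL.
PROBE = [("s1", 30), ("s2", 20), ("s3", 800)]
STOP_THRESHOLD = 600  # assumed dwell (seconds) on a segment that counts as a stop of interest

def feature_vector(traj, stop_threshold=STOP_THRESHOLD):
    """Sparse vector: road-segment preference (visit share) plus stop-of-interest flags."""
    visits = Counter(seg for seg, _ in traj)
    total = sum(visits.values())
    vec = {f"seg:{seg}": n / total for seg, n in visits.items()}
    for seg, dwell in traj:
        if dwell >= stop_threshold:
            vec[f"stop:{seg}"] = 1.0  # a stop is a stable pattern, so it is weighted fully
    return vec

def cosine(u, v):
    """Cosine similarity of two sparse vectors stored as dicts."""
    dot = sum(u[k] * v[k] for k in u.keys() & v.keys())
    nu = sqrt(sum(x * x for x in u.values()))
    nv = sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def rank_candidates(probe, historical):
    """Return (pseudonym, similarity) pairs, most similar first."""
    pv = feature_vector(probe)
    scored = [(pid, cosine(pv, feature_vector(t))) for pid, t in historical.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)

def reidentification_risk(probe, historical, margin=0.05):
    """Number of records within `margin` of the best match: 1 means the probe singles out
    a single record (high risk); larger values mean the pattern is shared among peers."""
    ranked = rank_candidates(probe, historical)
    best = ranked[0][1]
    return sum(1 for _, s in ranked if best - s <= margin)

if __name__ == "__main__":
    for pid, score in rank_candidates(PROBE, HISTORICAL):
        print(f"{pid}: {score:.3f}")
    print("records confusable with probe:", reidentification_risk(PROBE, HISTORICAL))
```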
