The Long Road to Computational Location Privacy: A Survey

The widespread adoption of continuously connected smartphones and tablets has driven the growth of mobile applications, many of which use location to provide geolocated services. These services open new prospects for users: getting directions to work in the morning, checking in at a restaurant at noon and consulting the next day's weather in the evening are all possible from any mobile device embedding a GPS chip. In these location-based applications, the user's location is sent to a server, which uses it to provide contextual and personalized answers. However, nothing prevents that server from gathering, analyzing and possibly sharing the collected information, which opens the door to many privacy threats. Indeed, mobility data can reveal sensitive information about users, such as their home, their workplace or even their religious and political preferences. For this reason, many privacy-preserving mechanisms have been proposed in recent years to enhance location privacy while using geolocated services. This paper surveys and organizes contributions in this area, from classical building blocks to the most recent developments in privacy threats and location privacy-preserving mechanisms. We divide the protection mechanisms between online and offline use cases, and organize them into six categories depending on the nature of their algorithm. Moreover, this paper surveys the evaluation metrics used to assess protection mechanisms in terms of privacy, utility and performance. Finally, open challenges and new directions for addressing the problem of computational location privacy are pointed out and discussed.
