Abstract
Users of location-based services are highly vulnerable to privacy risks since they need to disclose, at least partially, their locations to benefit from these services. One possibility to limit these risks is to obfuscate the location of a user by adding random noise drawn from a noise function. In this paper, we require the noise functions to satisfy a generic location privacy notion called \(\ell \)-privacy, which makes the position of the user in a given region \(\mathcal {X}\) relatively indistinguishable from other points in \(\mathcal {X}\). We also aim at minimizing the loss in the service utility due to such obfuscation. While existing optimization frameworks regard the region \(\mathcal {X}\) restrictively as a finite set of points, we consider the more realistic case in which the region is continuous with a nonzero area. In this situation, we demonstrate that circular noise functions are enough to satisfy \(\ell \)-privacy on \(\mathcal {X}\) and equivalently on the entire space without any penalty in the utility. Afterward, we describe a large parametric space of noise functions that satisfy \(\ell \)-privacy on \(\mathcal {X}\), and show that this space always has an optimal member, regardless of \(\ell \) and \(\mathcal {X}\). We also investigate the recent notion of \(\epsilon \)-geo-indistinguishability as an instance of \(\ell \)-privacy and prove in this case that with respect to any increasing loss function, the planar Laplace noise function is optimal for any region having a nonzero area.
Notes
Throughout this paper, we denote the space of points (i.e., locations) by \({\mathbb {R}}^2\), while the space of Euclidean vectors is represented by \({\mathbb {E}}^2\).
Uniform \(\rho \)-tightness of a collection of distributions is a stronger version of “tightness” (cf., page 59 in [3]), which is not parametric on \(\rho \), and requires the probability masses to uniformly converge to zero outside any compact subset of \({\mathbb {E}}^2\).
Since the distinguishability is unitless (as it is a ratio between two probabilities), the unit of \(\epsilon \) is the reciprocal of the distance unit (e.g., \(\textit{km}^{-1}\)) and its numerical value depends indeed on the chosen unit for the distance.
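The planar Laplace noise function that the abstract names, as defined in Andrés et al. [9], is shown below as an added worked example; it is not code from the paper or its authors. It samples the noise in polar form (uniform angle, Gamma-distributed radius), evaluates the exact density to confirm that the ratio \(p(z\mid x)/p(z\mid x')\) never exceeds \(e^{\epsilon\, d(x,x')}\) for any output \(z\), and shows that rescaling the distance unit rescales \(\epsilon\) reciprocally, as the third note above states. The coordinates, \(\epsilon\) values and random seeds are constructed for the illustration.

```python
import math
import random


def planar_laplace_density(eps, x, z):
    """Density at z of the planar Laplace noise function centred at x
    (Andres et al. [9]): eps^2 / (2*pi) * exp(-eps * ||z - x||).
    It depends on z only through the distance ||z - x||, i.e. it is circular."""
    return (eps ** 2) / (2.0 * math.pi) * math.exp(-eps * math.dist(x, z))


def sample_planar_laplace(eps, x, rng):
    """Draw an obfuscated location z = x + noise.
    In polar coordinates the density above is eps^2 * r * exp(-eps*r) / (2*pi):
    the angle is uniform on [0, 2*pi) and the radius is Gamma(shape=2, scale=1/eps)."""
    theta = rng.uniform(0.0, 2.0 * math.pi)
    r = rng.gammavariate(2.0, 1.0 / eps)
    return (x[0] + r * math.cos(theta), x[1] + r * math.sin(theta))


def log_density_ratio(eps, x1, x2, z):
    """log( p(z | x1) / p(z | x2) ), which equals eps * (||z - x2|| - ||z - x1||)."""
    return (math.log(planar_laplace_density(eps, x1, z))
            - math.log(planar_laplace_density(eps, x2, z)))


def check_geo_indistinguishability(eps, x1, x2, n=5000, seed=0):
    """eps-geo-indistinguishability requires p(z|x1)/p(z|x2) <= exp(eps * d(x1, x2))
    for every output z.  Evaluate the exact densities at outputs drawn from both
    locations and confirm the bound (the triangle inequality guarantees it)."""
    rng = random.Random(seed)
    zs = [sample_planar_laplace(eps, x1, rng) for _ in range(n)]
    zs += [sample_planar_laplace(eps, x2, rng) for _ in range(n)]
    bound = eps * math.dist(x1, x2)
    worst = max(log_density_ratio(eps, x1, x2, z) for z in zs)
    return worst <= bound + 1e-12


def empirical_mean_error(eps, x, n=20000, seed=1):
    """Average distance between the true and the reported location, one
    measure of utility loss; the Gamma(2, 1/eps) radius has mean 2/eps."""
    rng = random.Random(seed)
    return sum(math.dist(x, sample_planar_laplace(eps, x, rng)) for _ in range(n)) / n


def rescale_eps(eps, unit_factor):
    """Changing the distance unit by a factor (e.g. km -> m is 1000) divides eps
    by that factor, because eps carries the unit 1/distance (third note above)."""
    return eps / unit_factor


if __name__ == "__main__":
    # Constructed example: coordinates in km, eps = 1 per km.
    home_km, office_km = (0.0, 0.0), (1.0, 0.0)
    print(check_geo_indistinguishability(1.0, home_km, office_km))  # True
    # The same two points expressed in metres, with eps rescaled accordingly.
    home_m, office_m = (0.0, 0.0), (1000.0, 0.0)
    print(check_geo_indistinguishability(rescale_eps(1.0, 1000), home_m, office_m))  # True
    # Utility loss: mean reported-vs-true distance, close to 2/eps = 2 km.
    print(empirical_mean_error(1.0, home_km))
```

The density check is exact rather than statistical: because the log-ratio is \(\epsilon\,(\lVert z-x'\rVert-\lVert z-x\rVert)\), it is bounded by \(\epsilon\, d(x,x')\) for every \(z\), so sampling only chooses where to evaluate it. The mean-error figure is what the abstract's utility trade-off refers to: for a fixed \(\epsilon\) it is \(2/\epsilon\) in whatever distance unit \(\epsilon\) was expressed in.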
References
Andrés, M.E., Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Geo-indistinguishability: differential privacy for location-based systems. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS ’13, pp. 901–914. ACM, New York (2013)
Beresford, A.R., Stajano, F.: Location privacy in pervasive computing. IEEE Pervasive Comput. 2(1), 46–55 (2003)
Billingsley, P.: Convergence of Probability Measures. Wiley Series in Probability and Statistics: Probability and Statistics, 2nd edn. Wiley, New York (1999)
Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Optimal geo-indistinguishable mechanisms for location privacy. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pp. 251–262. ACM, New York (2014)
Brenner, H., Nissim, K.: Impossibility of differentially private universally optimal mechanisms. In: Proceedings of FOCS, pp. 71–80. IEEE (2010)
Chatzikokolakis, K., Palamidessi, C., Stronati, M.: A predictive differentially-private mechanism for mobility traces. In: Proceedings of PETS, LNCS, vol. 8555, pp. 21–41. Springer (2014)
Chen, R., Fung, B.C., Desai, B.C., Sossou, N.M.: Differentially private transit data publication: a case study on the montreal transportation system. In: Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’12, pp. 213–221. ACM, New York (2012)
Dwork, C.: Differential privacy. In: Proceedings of ICALP, LNCS, vol. 4052, pp. 1–12. Springer (2006)
ElSalamouny, E., Chatzikokolakis, K., Palamidessi, C.: A differentially private mechanism of optimal utility for a region of priors. In: Proceedings of the Second International Conference on Principles of Security and Trust, POST’13, pp. 41–62. Springer-Verlag, Berlin, Heidelberg (2013)
ElSalamouny, E., Chatzikokolakis, K., Palamidessi, C.: Generalized differential privacy: regions of priors that admit robust optimal mechanisms. In: Horizons of the Mind. A Tribute to Prakash Panangaden: Essays Dedicated to Prakash Panangaden on the Occasion of His 60th Birthday, LNCS, vol. 8464, pp. 292–318. Springer International Publishing (2014)
ElSalamouny, E., Gambs, S.: Differential privacy models for location-based services. Trans. Data Priv. 9(1), 15–48 (2016)
Freudiger, J., Shokri, R., Hubaux, J.P.: Evaluating the Privacy Risk of Location-Based Services. Springer, Berlin (2012)
Gambs, S., Killijian, M., del Prado Cortez, M.N.: De-anonymization attack on geolocated data. J. Comput. Syst. Sci. 80(8), 1597–1614 (2014)
Gedik, B., Liu, L.: Location privacy in mobile systems: a personalized anonymization model. In: Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, ICDCS ’05, pp. 620–629. IEEE Computer Society, Washington (2005)
Geng, Q., Viswanath, P.: The optimal noise-adding mechanism in differential privacy. IEEE Trans. Inf. Theory 62(2), 925–951 (2016)
Geng, Q., Viswanath, P.: Optimal noise adding mechanisms for approximate differential privacy. IEEE Trans. Inf. Theory 62(2), 952–969 (2016)
Ghosh, A., Roughgarden, T., Sundararajan, M.: Universally utility-maximizing privacy mechanisms. In: Proceedings of STOC, pp. 351–360. ACM (2009)
Golle, P., Partridge, K.: On the Anonymity of Home/Work Location Pairs. Springer, Berlin (2009)
Gruteser, M., Grunwald, D.: Anonymous usage of location-based services through spatial and temporal cloaking. In: Proceedings of the 1st International Conference on Mobile Systems, Applications and Services, MobiSys ’03, pp. 31–42. ACM, New York (2003)
Gupte, M., Sundararajan, M.: Universally optimal privacy mechanisms for minimax agents. In: Proceedings of PODS, pp. 135–146. ACM (2010)
Hoh, B., Gruteser, M., Xiong, H., Alrabady, A.: Enhancing security and privacy in traffic-monitoring systems. IEEE Pervasive Comput. 5(4), 38–46 (2006)
Krumm, J.: Inference Attacks on Location Tracks. Springer, Berlin (2007)
Leskovec, J.: Gowalla. https://snap.stanford.edu/data/loc-gowalla.html (2010). Accessed 2 July 2016
Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity—a proposal for terminology. In: Designing Privacy Enhancing Technologies, LNCS, vol. 2009, pp. 1–9. Springer, Berlin (2001)
Salamon, D.: Measure and Integration. EMS Textbooks in Mathematics. European Mathematical Society, Zürich (2016)
Shokri, R., Theodorakopoulos, G., Danezis, G., Hubaux, J.P., Le Boudec, J.Y.: Quantifying location privacy: The case of sporadic location exposure. In: Proceedings of PETS, LNCS, vol. 6794, pp. 57–76. Springer, Berlin (2011)
Shokri, R., Theodorakopoulos, G., Le Boudec, J.Y., Hubaux, J.P.: Quantifying location privacy. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP ’11, pp. 247–262. IEEE Computer Society, Washington (2011)
Shokri, R., Theodorakopoulos, G., Troncoso, C., Hubaux, J.P., Le Boudec, J.Y.: Protecting location privacy: optimal strategy against localization attacks. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12, pp. 617–627. ACM, New York (2012)
Shokri, R., Troncoso, C., Diaz, C., Freudiger, J., Hubaux, J.P.: Unraveling an old cloak: k-anonymity for location privacy. In: Proceedings of the 9th Annual ACM Workshop on Privacy in the Electronic Society, WPES ’10, pp. 115–118. ACM, New York (2010)
van der Vaart, A., Wellner, J.: Weak Convergence and Empirical Processes: With Applications to Statistics. Springer Series in Statistics. Springer, New York (1996)
Cite this article
ElSalamouny, E., Gambs, S. Optimal noise functions for location privacy on continuous regions. Int. J. Inf. Secur. 17, 613–630 (2018). https://doi.org/10.1007/s10207-017-0384-y