
Optimal noise functions for location privacy on continuous regions

Abstract

Users of location-based services are highly vulnerable to privacy risks since they need to disclose, at least partially, their locations to benefit from these services. One possibility to limit these risks is to obfuscate the location of a user by adding random noise drawn from a noise function. In this paper, we require the noise functions to satisfy a generic location privacy notion called \(\ell \)-privacy, which makes the position of the user in a given region \(\mathcal {X}\) relatively indistinguishable from other points in \(\mathcal {X}\). We also aim at minimizing the loss in the service utility due to such obfuscation. While existing optimization frameworks regard the region \(\mathcal {X}\) restrictively as a finite set of points, we consider the more realistic case in which the region is continuous with a nonzero area. In this situation, we demonstrate that circular noise functions are enough to satisfy \(\ell \)-privacy on \(\mathcal {X}\) and equivalently on the entire space without any penalty in the utility. Afterward, we describe a large parametric space of noise functions that satisfy \(\ell \)-privacy on \(\mathcal {X}\), and show that this space always has an optimal member, regardless of \(\ell \) and \(\mathcal {X}\). We also investigate the recent notion of \(\epsilon \)-geo-indistinguishability as an instance of \(\ell \)-privacy and prove in this case that with respect to any increasing loss function, the planar Laplace noise function is optimal for any region having a nonzero area.


Notes

  1. Throughout this paper, we denote the space of points (i.e., locations) by \({\mathbb {R}}^2\), while the space of Euclidean vectors is represented by \({\mathbb {E}}^2\).

  2. Uniform \(\rho \)-tightness of a collection of distributions is a stronger version of “tightness” (cf., page 59 in [3]), which is not parametric on \(\rho \), and requires the probability masses to uniformly converge to zero outside any compact subset of \({\mathbb {E}}^2\).

  3. Since the distinguishability is unitless (as it is a ratio between two probabilities), the unit of \(\epsilon \) is the reciprocal of the distance unit (e.g., \(\textit{km}^{-1}\)) and its numerical value depends indeed on the chosen unit for the distance.
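
The following is an added example, not code from the paper: it samples the planar Laplace noise function named in the abstract, using the standard density \(\frac{\epsilon ^2}{2\pi } e^{-\epsilon r}\) from [1], and measures the distinguishability of two locations, which \(\epsilon \)-geo-indistinguishability bounds by \(\epsilon \) times their distance. The function names, seeds and sample coordinates are assumptions made for illustration; the same code shows the unit dependence of \(\epsilon \) described in note 3.

```python
import math
import random

def sample_planar_laplace(eps, rng):
    """Draw a noise vector (dx, dy) with density (eps^2 / (2*pi)) * exp(-eps * r)."""
    if eps <= 0:
        raise ValueError("eps must be positive")
    # Circular noise function: the angle is uniform, only the radius is shaped.
    theta = rng.uniform(0.0, 2.0 * math.pi)
    # Radial density is eps^2 * r * exp(-eps * r), i.e. Gamma(shape=2, scale=1/eps).
    r = rng.gammavariate(2.0, 1.0 / eps)
    return r * math.cos(theta), r * math.sin(theta)

def obfuscate(location, eps, rng):
    """Report the true location plus noise; distances use the unit of 1/eps."""
    dx, dy = sample_planar_laplace(eps, rng)
    return location[0] + dx, location[1] + dy

def log_density(eps, x, z):
    """Log-density of reporting z when the true location is x."""
    return math.log(eps * eps / (2.0 * math.pi)) - eps * math.dist(x, z)

def max_log_ratio(eps, x1, x2, outputs):
    """Largest observed distinguishability |log p(z|x1) - log p(z|x2)|."""
    return max(abs(log_density(eps, x1, z) - log_density(eps, x2, z))
               for z in outputs)

def mean_radius(eps, n, seed):
    """Empirical expected displacement; the exact value is 2/eps."""
    rng = random.Random(seed)
    return sum(math.hypot(*sample_planar_laplace(eps, rng)) for _ in range(n)) / n

if __name__ == "__main__":
    rng = random.Random(7)
    home, work = (0.0, 0.0), (1.0, 0.0)   # constructed points, in km
    eps_km = 0.5                          # constructed value, in km^-1
    reports = [obfuscate(home, eps_km, rng) for _ in range(1000)]
    bound = eps_km * math.dist(home, work)
    print("max log-ratio:", max_log_ratio(eps_km, home, work, reports), "<=", bound)
    print("mean displacement (km):", mean_radius(eps_km, 20000, 3))
    # Same privacy level expressed in metres: eps shrinks by 1000, noise grows by 1000.
    print("mean displacement (m):", mean_radius(eps_km / 1000.0, 20000, 3))
```
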

References

  1. Andrés, M.E., Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Geo-indistinguishability: differential privacy for location-based systems. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS ’13, pp. 901–914. ACM, New York (2013)
  2. Beresford, A.R., Stajano, F.: Location privacy in pervasive computing. IEEE Pervasive Comput. 2(1), 46–55 (2003)
  3. Billingsley, P.: Convergence of Probability Measure. Wiley Series in Probability and Statistics: Probability and Statistics, 2nd edn. Wiley, New York (1999)
  4. Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Optimal geo-indistinguishable mechanisms for location privacy. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pp. 251–262. ACM, New York (2014)
  5. Brenner, H., Nissim, K.: Impossibility of differentially private universally optimal mechanisms. In: Proceedings of FOCS, pp. 71–80. IEEE (2010)
  6. Chatzikokolakis, K., Palamidessi, C., Stronati, M.: A predictive differentially-private mechanism for mobility traces. In: Proceedings of PETS, LNCS, vol. 8555, pp. 21–41. Springer (2014)
  7. Chen, R., Fung, B.C., Desai, B.C., Sossou, N.M.: Differentially private transit data publication: a case study on the montreal transportation system. In: Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’12, pp. 213–221. ACM, New York (2012)
  8. Dwork, C.: Differential privacy. In: Proceedings of ICALP, LNCS, vol. 4052, pp. 1–12. Springer (2006)
  9. ElSalamouny, E., Chatzikokolakis, K., Palamidessi, C.: A differentially private mechanism of optimal utility for a region of priors. In: Proceedings of the Second International Conference on Principles of Security and Trust, POST’13, pp. 41–62. Springer-Verlag, Berlin, Heidelberg (2013)
  10. ElSalamouny, E., Chatzikokolakis, K., Palamidessi, C.: Generalized differential privacy: regions of priors that admit robust optimal mechanisms. In: Horizons of the Mind. A Tribute to Prakash Panangaden: Essays Dedicated to Prakash Panangaden on the Occasion of His 60th Birthday, LNCS, vol. 8464, pp. 292–318. Springer International Publishing (2014)
  11. ElSalamouny, E., Gambs, S.: Differential privacy models for location-based services. Trans. Data Priv. 9(1), 15–48 (2016)
  12. Freudiger, J., Shokri, R., Hubaux, J.P.: Evaluating the Privacy Risk of Location-Based Services. Springer, Berlin (2012)
  13. Gambs, S., Killijian, M., del Prado Cortez, M.N.: De-anonymization attack on geolocated data. J. Comput. Syst. Sci. 80(8), 1597–1614 (2014)
  14. Gedik, B., Liu, L.: Location privacy in mobile systems: a personalized anonymization model. In: Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, ICDCS ’05, pp. 620–629. IEEE Computer Society, Washington (2005)
  15. Geng, Q., Viswanath, P.: The optimal noise-adding mechanism in differential privacy. IEEE Trans. Inf. Theory 62(2), 925–951 (2016)
  16. Geng, Q., Viswanath, P.: Optimal noise adding mechanisms for approximate differential privacy. IEEE Trans. Inf. Theory 62(2), 952–969 (2016)
  17. Ghosh, A., Roughgarden, T., Sundararajan, M.: Universally utility-maximizing privacy mechanisms. In: Proceedings of STOC, pp. 351–360. ACM (2009)
  18. Golle, P., Partridge, K.: On the Anonymity of Home/Work Location Pairs. Springer, Berlin (2009)
  19. Gruteser, M., Grunwald, D.: Anonymous usage of location-based services through spatial and temporal cloaking. In: Proceedings of the 1st International Conference on Mobile Systems, Applications and Services, MobiSys ’03, pp. 31–42. ACM, New York (2003)
  20. Gupte, M., Sundararajan, M.: Universally optimal privacy mechanisms for minimax agents. In: Proceedings of PODS, pp. 135–146. ACM (2010)
  21. Hoh, B., Gruteser, M., Xiong, H., Alrabady, A.: Enhancing security and privacy in traffic-monitoring systems. IEEE Pervasive Comput. 5(4), 38–46 (2006)
  22. Krumm, J.: Inference Attacks on Location Tracks. Springer, Berlin (2007)
  23. Leskovec, J.: Gowalla. https://snap.stanford.edu/data/loc-gowalla.html (2010). Accessed 2 July 2016
  24. Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity—a proposal for terminology. In: Designing Privacy Enhancing Technologies, LNCS, vol. 2009, pp. 1–9. Springer, Berlin (2001)
  25. Salamon, D.: Measure and Integration. EMS Textbooks in Mathematics. European Mathematical Society, Zürich (2016)
  26. Shokri, R., Theodorakopoulos, G., Danezis, G., Hubaux, J.P., Le Boudec, J.Y.: Quantifying location privacy: The case of sporadic location exposure. In: Proceedings of PETS, LNCS, vol. 6794, pp. 57–76. Springer, Berlin (2011)
  27. Shokri, R., Theodorakopoulos, G., Le Boudec, J.Y., Hubaux, J.P.: Quantifying location privacy. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP ’11, pp. 247–262. IEEE Computer Society, Washington (2011)
  28. Shokri, R., Theodorakopoulos, G., Troncoso, C., Hubaux, J.P., Le Boudec, J.Y.: Protecting location privacy: optimal strategy against localization attacks. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12, pp. 617–627. ACM, New York (2012)
  29. Shokri, R., Troncoso, C., Diaz, C., Freudiger, J., Hubaux, J.P.: Unraveling an old cloak: k-anonymity for location privacy. In: Proceedings of the 9th Annual ACM Workshop on Privacy in the Electronic Society, WPES ’10, pp. 115–118. ACM, New York (2010)
  30. van der Vaart, A., Wellner, J.: Weak Convergence and Empirical Processes: With Applications to Statistics. Springer Series in Statistics. Springer, New York (1996)


Corresponding author

Correspondence to Ehab ElSalamouny.


About this article


Cite this article

ElSalamouny, E., Gambs, S. Optimal noise functions for location privacy on continuous regions. Int. J. Inf. Secur. 17, 613–630 (2018). https://doi.org/10.1007/s10207-017-0384-y


Keywords

  • Location privacy
  • \(\ell \)-privacy
  • Geo-indistinguishability
  • Symmetric mechanisms
  • Location-based services
  • Noise functions
  • Distinguishability functions