Constructing elastic distinguishability metrics for location privacy

Konstantinos Chatzikokolakis 1 , Catuscia Palamidessi 2 , and Marco Stronati 3
  • 1 CNRS and LIX, École Polytechnique, France
  • 2 INRIA and LIX, École Polytechnique, France
  • 3 LIX, École Polytechnique, France


With the increasing popularity of hand-held devices, location-based applications and services have access to accurate and real-time location information, raising serious privacy concerns for their users. The recently introduced notion of geo-indistinguishability tries to address this problem by adapting the well-known concept of differential privacy to the area of location-based systems. Although geo-indistinguishability presents various appealing aspects, it has the problem of treating space in a uniform way, imposing the addition of the same amount of noise everywhere on the map. In this paper we propose a novel elastic distinguishability metric that warps the geometrical distance, capturing the different degrees of density of each area. As a consequence, the obtained mechanism adapts the level of noise while achieving the same degree of privacy everywhere. We also show how such an elastic metric can easily incorporate the concept of a “geographic fence” that is commonly employed to protect the highly recurrent locations of a user, such as his home or work. We perform an extensive evaluation of our technique by building an elastic metric for Paris’ wide metropolitan area, using semantic information from the OpenStreetMap database. We compare the resulting mechanism against the Planar Laplace mechanism satisfying standard geo-indistinguishability, using two real-world datasets from the Gowalla and Brightkite location-based social networks. The results show that the elastic mechanism adapts well to the semantics of each area, adjusting the noise as we move outside the city center, hence offering better overall privacy.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [2] M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi. Geo-indistinguishability: differential privacy for location-based systems. In Proc. of CCS, pages 901–914. ACM, 2013.

  • [3] C. A. Ardagna, M. Cremonini, E. Damiani, S. D. C. di Vimercati, and P. Samarati. Location privacy protection through obfuscation-based techniques. In Proc. of DAS, volume 4602 of LNCS, pages 47–60. Springer, 2007.

  • [4] B. Bamba, L. Liu, P. Pesti, and T. Wang. Supporting anonymous location queries in mobile environments with privacygrid. In Proc. of WWW, pages 237–246. ACM, 2008.

  • [5] N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi. Optimal geo-indistinguishable mechanisms for location privacy. In Proc. of CCS, 2014.

  • [6] A. J. B. Brush, J. Krumm, and J. Scott. Exploring end user preferences for location obfuscation, location-based services, and the value of location. In Proc. of UbiComp 2010. ACM, 2010.

  • [7] K. Chatzikokolakis, M. E. Andrés, N. E. Bordenabe, and C. Palamidessi. Broadening the scope of Differential Privacy using metrics. In Proc. of PETS, volume 7981 of LNCS, pages 82–102. Springer, 2013.

  • [8] K. Chatzikokolakis, C. Palamidessi, and M. Stronati. A predictive differentially-private mechanism for mobility traces. In Proc. of PETS, volume 8555 of LNCS, pages 21–41. Springer, 2014.

  • [9] R. Cheng, Y. Zhang, E. Bertino, and S. Prabhakar. Preserving user location privacy in mobile data management infrastructures. In Proc. of PET, volume 4258 of LNCS, pages 393–412. Springer, 2006.

  • [10] E. Cho, S. A. Myers, and J. Leskovec. Friendship and mobility: user movement in location-based social networks. In Proceedings of the 17th ACM SIGKDD Int. Conf. on Knowledge Discovery and Data Mining. ACM, 2011.

  • [11] R. Dewri. Local differential perturbations: Location privacy under approximate knowledge attackers. IEEE Trans. on Mobile Computing, 99(PrePrints):1, 2012.

  • [12] M. Duckham and L. Kulik. A formal model of obfuscation and negotiation for location privacy. In Proc. of PERVASIVE, volume 3468 of LNCS, pages 152–170. Springer, 2005.

  • [13] C. Dwork. Differential privacy. In Proc. of ICALP, volume 4052 of LNCS, pages 1–12. Springer, 2006.

  • [14] K. Fawaz and K. G. Shin. Location privacy protection for smartphone users. In Proc. of CCS, pages 239–250. ACM Press, 2014.

  • [15] S. Gambs, M.-O. Killijian, and M. N. del Prado Cortez. Show me how you move and i will tell you who you are. Trans. on Data Privacy, 4(2):103–126, 2011.

  • [16] P. Golle and K. Partridge. On the anonymity of home/work location pairs. In Proc. of PerCom. IEEE, 2009.

  • [17] S.-S. Ho and S. Ruan. Differential privacy for location pattern mining. In Proc. of SPRINGL, pages 17–24. ACM, 2011.

  • [18] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. In Proc. of SecureComm, pages 194–205. IEEE, 2005.

  • [19] H. Kido, Y. Yanagisawa, and T. Satoh. Protection of location privacy using dummies for location-based services. In Proc. of ICDE Workshops, page 1248, 2005.

  • [20] J. Krumm. A survey of computational location privacy. Personal and Ubiquitous Computing, 13(6):391–399, 2009.

  • [21] A. Machanavajjhala, D. Kifer, J. M. Abowd, J. Gehrke, and L. Vilhuber. Privacy: Theory meets practice on the map. In Proc. of ICDE, pages 277–286. IEEE, 2008.

  • [22] A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam. l-diversity: Privacy beyond k-anonymity. ACM Trans. on Knowledge Discovery from Data (TKDD), 1(1):3, 2007.

  • [23] F. McSherry and K. Talwar. Mechanism design via differential privacy. In Proc. of FOCS, pages 94–103. IEEE, 2007.

  • [24] P. Samarati. Protecting respondents’ identities in microdata release. IEEE Trans. Knowl. Data Eng, 13(6):1010–1027, 2001.

  • [25] P. Shankar, V. Ganapathy, and L. Iftode. Privately querying location-based services with SybilQuery. In Proc. of Ubi-Comp, pages 31–40. ACM, 2009.

  • [26] K. G. Shin, X. Ju, Z. Chen, and X. Hu. Privacy protection for users of location-based services. IEEE Wireless Commun, 19(2):30–39, 2012.

  • [27] R. Shokri. Optimal user-centric data obfuscation. Technical report, ETH Zurich, 2014.

  • [28] R. Shokri, G. Theodorakopoulos, J.-Y. L. Boudec, and J.-P. Hubaux. Quantifying location privacy. In Proc. of S&P, pages 247–262. IEEE, 2011.

  • [29] R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. L. Boudec. Protecting location privacy: optimal strategy against localization attacks. In Proc. of CCS, pages 617–627. ACM, 2012.

  • [30] R. Shokri, C. Troncoso, C. Diaz, J. Freudiger, and J.-P. Hubaux. Unraveling an old cloak: k-anonymity for location privacy. In Proc. of WPES 2010, pages 115–118 115–118 115–118, 2010.

  • [31] M. Terrovitis. Privacy preservation in the dissemination of location data. SIGKDD Explorations, 13(1):6–18, 2011.

  • [32] M. Xue, P. Kalnis, and H. Pung. Location diversity: Enhanced privacy protection in location based services. In Proc. of LoCA, volume 5561 of LNCS, pages 70–87. Springer, 2009.


Journal + Issues