Information about people’s movements and the locations they visit enables an increasing number of mobility analytics applications, e.g., in the context of urban and transportation planning, In this setting, rather than collecting or sharing raw data, entities often use aggregation as a privacy protection mechanism, aiming to hide individual users’ location traces. Furthermore, to bound information leakage from the aggregates, they can perturb the input of the aggregation or its output to ensure that these are differentially private.
In this paper, we set to evaluate the impact of releasing aggregate location time-series on the privacy of individuals contributing to the aggregation. We introduce a framework allowing us to reason about privacy against an adversary attempting to predict users’ locations or recover their mobility patterns. We formalize these attacks as inference problems, and discuss a few strategies to model the adversary’s prior knowledge based on the information she may have access to. We then use the framework to quantify the privacy loss stemming from aggregate location data, with and without the protection of differential privacy, using two real-world mobility datasets. We find that aggregates do leak information about individuals’ punctual locations and mobility profiles. The density of the observations, as well as timing, play important roles, e.g., regular patterns during peak hours are better protected than sporadic movements. Finally, our evaluation shows that both output and input perturbation offer little additional protection, unless they introduce large amounts of noise ultimately destroying the utility of the data.
 D. M. Endres and J. E. Schindelin. A new metric for probability distributions. IEEE Transactions on Information theory, 2003.
 Ú. Erlingsson, V. Pihur, and A. Korolova. RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response. In CCS, 2014.
 L. Fan and L. Xiong. Real-time aggregate monitoring with differential privacy. In CIKM, 2012.
 G. Ghinita. Privacy for location-based services. Synthesis Lectures on Information Security, Privacy, & Trust, 4(1), 2013.
 P. Golle and K. Partridge. On the anonymity of home/work location pairs. In Pervasive Computing, 2009.
 S.-S. Ho and S. Ruan. Differential privacy for location pattern mining. In Workshop on Security and Privacy in GIS and LBS, 2011.
 E. J. Horvitz, J. Apacible, R. Sarin, and L. Liao. Prediction, expectation, and surprise: Methods, designs, and study of a deployed traffic forecasting service. arXiv preprint arXiv:1207.1352, 2012.
 C. Kopp, M. Mock, and M. May. Privacy-preserving distributed monitoring of visit quantities. In SIGSPATIAL, 2012.
 J. Krumm. Inference attacks on location tracks. In Pervasive Computing, 2007.
 J. Krumm. A survey of computational location privacy. Personal and Ubiquitous Computing, 13(6), 2009.
 S. Kullback and R. A. Leibler. On information and sufficiency. The Annals of Mathematical Statistics, 22(1), 1951.
 N. Lathia, C. Smith, J. Froehlich, and L. Capra. Individuals among commuters: Building personalised transport information services from fare collection systems. Pervasive and Mobile Computing, 9(5), 2013.
 J. Lin. Divergence measures based on the shannon entropy. IEEE Transactions on Information theory, 1991.
 A. Machanavajjhala, D. Kifer, J. Abowd, J. Gehrke, and L. Vilhuber. Privacy: Theory meets practice on the map. In ICDE, 2008.
 L. Melis, G. Danezis, and E. De Cristofaro. Efficient private statistics with succinct sketches. In NDSS, 2016.
 B. Pan, Y. Zheng, D. Wilkie, and C. Shahabi. Crowd sensing of traffic anomalies based on human mobility and social media. In SIGSPATIAL, 2013.
 I. Polakis, G. Argyros, T. Petsios, S. Sivakorn, and A. D. Keromytis. Where’s wally?: Precise user discovery attacks in location proximity services. In CCS, 2015.
 R. A. Popa, A. J. Blumberg, H. Balakrishnan, and F. H. Li. Privacy and accountability for location-based aggregate statistics. In CCS, 2011.
 A. Pyrgelis, E. De Cristofaro, and G. Ross. Privacy-Friendly Mobility Analytics using Aggregate Location Data. In SIGSPATIAL, 2016.
 D. Quercia, I. Leontiadis, L. McNamara, C. Mascolo, and J. Crowcroft. Spotme if you can: Randomized responses for location obfuscation on mobile phones. In ICDCS, 2011.
 V. Rastogi and S. Nath. Differentially private aggregation of distributed time-series with transformation and encryption. In SIGMOD, 2010.
 E. Shi, H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-preserving aggregation of time-series data. In NDSS, 2011.
 R. Shokri, G. Theodorakopoulos, G. Danezis, J.-P. Hubaux, and J.-Y. Le Boudec. Quantifying location privacy: the case of sporadic location exposure. In PETS, 2011.
 R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying location privacy. In IEEE Symposium on Security and Privacy, 2011.
 R. Shokri, C. Troncoso, C. Diaz, J. Freudiger, and J.-P. Hubaux. Unraveling an old cloak: k-anonymity for location privacy. In WPES, 2010.
 R. Silva, S. M. Kang, and E. M. Airoldi. Predicting traffic volumes and estimating the effects of shocks in massive transportation systems. Proceedings of the National Academy of Sciences, 112(18), 2015.
 H. To, K. Nguyen, and C. Shahabi. Differentially Private Publication of Location Entropy. In SIGSPATIAL, 2016.
 G. Wang, B. Wang, T. Wang, A. Nika, H. Zheng, and B. Y. Zhao. Whispers in the dark: analysis of an anonymous social network. In IMC, 2014.
 S. L. Warner. Randomized response: A survey technique for eliminating evasive answer bias. Journal of the American Statistical Association, 60(309), 1965.
 A. Waseda and R. Nojima. Analyzing randomized response mechanisms under differential privacy. In ICIS, 2016.
 M. Wernke, P. Skvortsov, F. Dürr, and K. Rothermel. A classification of location privacy attacks and approaches. Personal and Ubiquitous Computing, 18(1), 2014.
 F. Xu, Z. Tu, Y. Li, P. Zhang, X. Fu, and D. Jin. Trajectory Recovery From Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data. In WWW, 2017.
 M. Xue, C. L. Ballard, K. Liu, C. L. Nemelka, Y. Wu, K. W. Ross, and H. Qian. You can yak but you can’t hide: Localizing anonymous social network users. In IMC, 2016.
 H. Zang and J. Bolot. Anonymization of location data does not work: A large-scale measurement study. In MobiCom, 2011.