Skip to main content

PGLP: Customizable and Rigorous Location Privacy Through Policy Graph

  • Conference paper
  • First Online:
Computer Security – ESORICS 2020 (ESORICS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12308))

Included in the following conference series:

  • 4228 Accesses

Abstract

Location privacy has been extensively studied in the literature. However, existing location privacy models are either not rigorous or not customizable, which limits the trade-off between privacy and utility in many real-world applications. To address this issue, we propose a new location privacy notion called PGLP, i.e., Policy Graph based Location Privacy, providing a rich interface to release private locations with customizable and rigorous privacy guarantee. First, we design a rigorous privacy for PGLP by extending differential privacy. Specifically, we formalize location privacy requirements using a location policy graph, which is expressive and customizable. Second, we investigate how to satisfy an arbitrarily given location policy graph under realistic adversarial knowledge, which can be seen as constraints or public knowledge about user’s mobility pattern. We find that a policy graph may not always be viable and may suffer location exposure when the attacker knows the user’s mobility pattern. We propose efficient methods to detect location exposure and repair the policy graph with optimal utility. Third, we design an end-to-end location trace release framework that pipelines the detection of location exposure, policy graph repair, and private location release at each timestamp with customizable and rigorous location privacy. Finally, we conduct experiments on real-world datasets to verify the effectiveness and the efficiency of the proposed algorithms.

This work is partially supported by JSPS KAKENHI Grant No. 17H06099, 18H04093, 19K20269, U.S. National Science Foundation (NSF) under CNS-2027783 and CNS-1618932, and Microsoft Research Asia (CORE16).

Yang and Yonghui contributed equally to this work.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    For example, it is impossible to move from Kyoto to London in a short time.

  2. 2.

    https://github.com/emory-aims/pglp.

  3. 3.

    http://pflow.csis.u-tokyo.ac.jp/.

References

  1. Andrés, M.E., Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Geo-indistinguishability: differential privacy for location-based systems. In: CCS, pp. 901–914 (2013)

    Google Scholar 

  2. Bao, J., Zheng, Yu., Wilkie, D., Mokbel, M.: Recommendations in location-based social networks: a survey. GeoInformatica 19(3), 525–565 (2015). https://doi.org/10.1007/s10707-014-0220-8

    Article  Google Scholar 

  3. Bettini, C., Wang, X.S., Jajodia, S.: Protecting privacy against location-based personal identification. In: Jonker, W., Petković, M. (eds.) SDM 2005. LNCS, vol. 3674, pp. 185–199. Springer, Heidelberg (2005). https://doi.org/10.1007/11552338_13

    Chapter  Google Scholar 

  4. Cao, Y., Takagi, S., Xiao, Y., Xiong, L., Yoshikawa, M.: PANDA: policy-aware location privacy for epidemic surveillance. In: VLDB Demonstration Track (2020, to appear)

    Google Scholar 

  5. Cao, Y., Xiao, Y., Xiong, L., Bai, L.: PriSTE: from location privacy to spatiotemporal event privacy. In: 2019 IEEE 35th International Conference on Data Engineering (ICDE), pp. 1606–1609 (2019)

    Google Scholar 

  6. Cao, Y., Xiao, Y., Xiong, L., Bai, L., Yoshikawa, M.: PriSTE: protecting spatiotemporal event privacy in continuous location-based services. Proc. VLDB Endow. 12(12), 1866–1869 (2019)

    Article  Google Scholar 

  7. Cao, Y., Xiao, Y., Xiong, L., Bai, L., Yoshikawa, M.: Protecting spatiotemporal event privacy in continuous location-based services. IEEE Trans. Knowl. Data Eng. (2019)

    Google Scholar 

  8. Cao, Y., Xiong, L., Yoshikawa, M., Xiao, Y., Zhang, S.: ConTPL: controlling temporal privacy leakage in differentially private continuous data release. VLDB Demonstration Track 11(12), 2090–2093 (2018)

    Google Scholar 

  9. Cao, Y., Yoshikawa, M., Xiao, Y., Xiong, L.: Quantifying differential privacy under temporal correlations. In: 2017 IEEE 33rd International Conference on Data Engineering (ICDE), pp. 821–832 (2017)

    Google Scholar 

  10. Cao, Y., Yoshikawa, M., Xiao, Y., Xiong, L.: Quantifying differential privacy in continuous data release under temporal correlations. IEEE Trans. Knowl. Data Eng. 31(7), 1281–1295 (2019)

    Article  Google Scholar 

  11. Chatzikokolakis, K., Palamidessi, C., Stronati, M.: A predictive differentially-private mechanism for mobility traces. In: De Cristofaro, E., Murdoch, S.J. (eds.) PETS 2014. LNCS, vol. 8555, pp. 21–41. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08506-7_2

    Chapter  Google Scholar 

  12. Chatzikokolakis, K., Palamidessi, C., Stronati, M.: Constructing elastic distinguishability metrics for location privacy. Proc. Priv. Enhancing Technol. 2015(2), 156–170 (2015)

    Article  Google Scholar 

  13. Cho, E., Myers, S.A., Leskovec, J.: Friendship and mobility: user movement in location-based social networks. In: KDD, pp. 1082–1090 (2011)

    Google Scholar 

  14. Chow, C.-Y., Mokbel, M.F., Liu, X.: Spatial cloaking for anonymous location-based services in mobile peer-to-peer environments. GeoInformatica 15(2), 351–380 (2011)

    Article  Google Scholar 

  15. Dwork, C.: Differential privacy. In: ICALP, pp. 1–12 (2006)

    Google Scholar 

  16. Dwork, C., McSherry, F., Nissim, K., Smith, A.: Calibrating noise to sensitivity in private data analysis. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 265–284. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_14

    Chapter  Google Scholar 

  17. Fan, L., Bonomi, L., Xiong, L., Sunderam, V.: Monitoring web browsing behavior with differential privacy. In: WWW, pp. 177–188 (2014)

    Google Scholar 

  18. Fawaz, K., Shin, K.G.: Location privacy protection for smartphone users. In: CCS, pp. 239–250 (2014)

    Google Scholar 

  19. Furuhata, M., Dessouky, M., Ordóñez, F., Brunet, M.-E., Wang, X., Koenig, S.: Ridesharing: the state-of-the-art and future directions. Transp. Res. Part B: Methodol. 57, 28–46 (2013)

    Article  Google Scholar 

  20. Gambs, S., Killijian, M.-O., del Prado Cortez, M.N.: Next place prediction using mobility Markov chains. In: Proceedings of the First Workshop on Measurement, Privacy, and Mobility, pp. 1–6 (2012)

    Google Scholar 

  21. Gedik, B., Liu, L.: Protecting location privacy with personalized k-anonymity: Architecture and algorithms. IEEE Trans. Mob. Comput. 7(1), 1–18 (2008)

    Article  Google Scholar 

  22. Gruteser, M., Grunwald, D.: Anonymous usage of location-based services through spatial and temporal cloaking. In: MobiSys, pp. 31–42 (2003)

    Google Scholar 

  23. Han, Y., Li, S., Cao, Y., Ma, Q., Yoshikawa, M.: Voice-indistinguishability: protecting voiceprint in privacy-preserving speech data release. In: IEEE ICME (2020)

    Google Scholar 

  24. Hardt, M., Talwar, K.: On the geometry of differential privacy. In: STOC, pp. 705–714 (2010)

    Google Scholar 

  25. He, X., Machanavajjhala, A., Ding, B.: Blowfish privacy: tuning privacy-utility trade-offs using policies, pp. 1447–1458 (2014)

    Google Scholar 

  26. Ingle, M., et al.: Slowing the spread of infectious diseases using crowdsourced data. IEEE Data Eng. Bull. 12 (2020)

    Google Scholar 

  27. Kifer, D., Machanavajjhala, A.: A rigorous and customizable framework for privacy. In: PODS, pp. 77–88 (2012)

    Google Scholar 

  28. Li, N., Li, T., Venkatasubramanian, S.: t-closeness: privacy beyond k-anonymity and l-diversity. In: IEEE ICDE, pp. 106–115 (2007)

    Google Scholar 

  29. Li, N., Lyu, M., Su, D., Yang, W.: Differential privacy: from theory to practice (2016)

    Google Scholar 

  30. Luo, Y., Tang, N., Li, G., Li, W., Zhao, T., Yu, X.: DEEPEYE: a data science system for monitoring and exploring COVID-19 data. IEEE Data Eng. Bull. 12 (2020)

    Google Scholar 

  31. Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M.: L-diversity: privacy beyond k-anonymity. In: IEEE ICDE, p. 24 (2006)

    Google Scholar 

  32. Parent, C., et al.: Semantic trajectories modeling and analysis. ACM Comput. Surv. 45(4), 42:1–42:32 (2013)

    Article  Google Scholar 

  33. Pejó, B., Desfontaines, D.: SoK: differential privacies. In: Proceedings on Privacy Enhancing Technologies Symposium (2020)

    Google Scholar 

  34. Primault, V., Boutet, A., Mokhtar, S.B., Brunie, L.: The long road to computational location privacy: a survey. IEEE Commun. Surv. Tutor. 21, 2772–2793 (2018)

    Article  Google Scholar 

  35. Recabarren, R., Carbunar, B.: What does the crowd say about you? Evaluating aggregation-based location privacy. WPES 2017, 156–176 (2017)

    Google Scholar 

  36. Song, S., Wang, Y., Chaudhuri, K.: Pufferfish privacy mechanisms for correlated data. In: SIGMOD, pp. 1291–1306 (2017)

    Google Scholar 

  37. Sweeney, L.: K-anonymity: a model for protecting privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst. 10(5), 557–570 (2002)

    Google Scholar 

  38. Takagi, S., Cao, Y., Asano, Y., Yoshikawa, M.: Geo-graph-indistinguishability: protecting location privacy for LBS over road networks. In: Foley, S.N. (ed.) DBSec 2019. LNCS, vol. 11559, pp. 143–163. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22479-0_8

    Chapter  Google Scholar 

  39. Xiao, Y., Xiong, L.: Protecting locations with differential privacy under temporal correlations. In: CCS, pp. 1298–1309 (2015)

    Google Scholar 

  40. Xiao, Y., Xiong, L., Zhang, S., Cao, Y.: LocLok: location cloaking with differential privacy via hidden Markov model. Proc. VLDB Endow. 10(12), 1901–1904 (2017)

    Article  Google Scholar 

  41. Zheng, Y., Chen, Y., Xie, X., Ma, W.-Y.: GeoLife2.0: a location-based social networking service. In: IEEE MDM, pp. 357–358 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Yang Cao .

Editor information

Editors and Affiliations

Appendices

A An Example of Isolated Node

Intuition. We examine the privacy guarantee of P-PIM w.r.t. \( \mathcal {G}^\mathcal {C} \) in Fig. 3(a). According to K-norm Mechanism [24] in Definition 9, P-PIM guarantees that, for any two neighbors \(\mathbf{s} _{i}\) and \(\mathbf{s} _{j}\), their difference is bounded in the convex body K, i.e. \(f(\mathbf{s} _{i})-f(\mathbf{s} _{j})\in K\). Geometrically, for a location \(\mathbf{s} \), all other locations in the convex body of \(K+f(\mathbf{s} )\) are \(\epsilon \)-indistinguishable with \(\mathbf{s} \).

Example 1 (Disconnected but Not Isolated Node)

In Fig. 11, \(\mathbf{s} _2\) is disconnected under constraint \(\mathcal {C}=\{\mathbf {s}_2,\mathbf {s}_4,\mathbf {s}_5,\mathbf {s}_6\}\). However, \(\mathbf{s} _{2}\) is not isolated because \(f(\mathbf{s} _2)+K\) contains \(f(\mathbf{s} _4)\) and \(f(\mathbf{s} _5)\). Hence, \(\mathbf{s} _{2}\) and other nodes in \(\mathcal {C}\) are indistinguishable.

Fig. 11.
figure 11

(a) A policy graph under \(\mathcal {C}=\{\mathbf {s}_2,\mathbf {s}_4,\mathbf {s}_5,\mathbf {s}_6\}\); (b) the \(\varDelta f^\mathcal {G}\) of vectors \(f(\mathbf{s} _{i})-f(\mathbf{s} _{j})\); (c) the sensitivity hull \( K({\mathcal {G}^\mathcal {C}}) \) covering the \(\varDelta f^\mathcal {G}\); (d) the shape \(f(\mathbf{s} _{2})+K({\mathcal {G}^\mathcal {C}})\) containing \(f(\mathbf{s} _{4})\) and \(f(\mathbf{s} _{5})\). That is to say, \( \mathbf{s} _2 \) is indistinguishable with \( \mathbf{s} _4 \) and \( \mathbf{s} _5\).

B Policy Graph Repair Algorithm

Figure 4(a) shows the graph under constraint \(\mathcal {C}=\{\mathbf {s}_3,\mathbf {s}_4,\mathbf {s}_5,\mathbf {s}_6\}\). Then \(\mathbf{s} _3\) is exposed because \(f(\mathbf{s} _3)+K^\mathcal {G}\) contains no other node. To satisfy the PGLP without isolated nodes, we need to connect \(\mathbf{s} _3\) to another node in \(\mathcal {C}\), i.e. \(\mathbf{s} _4\), \(\mathbf{s} _5\) or \(\mathbf{s} _6\).

If \(\mathbf{s} _3\) is connected to \(\mathbf{s} _4\), then Fig. 4(b) shows the new graph and its sensitivity hull. By adding two new edges \(\{f(\mathbf{s} _3)-f(\mathbf{s} _4),f(\mathbf{s} _4)-f(\mathbf{s} _3)\}\) to \(\varDelta f^\mathcal {G}\), the shaded areas are attached to the sensitivity hull. Similarly, Figs. 4(c) and (d) show the new sensitivity hulls when \(\mathbf{s} _3\) is connected to \(\mathbf{s} _6\) and \(\mathbf{s} _5\) respectively. Because the smallest area of \(K^\mathcal {G}\) is in Fig. 4(b), the repaired graph is \(\mathcal {G}^\mathcal {C}\vee \overline{\mathbf{s _3\mathbf{s} _4}}\), i.e., add edge \( \overline{\mathbf{s _3\mathbf{s} _4}}\) to the graph \(\mathcal {G}^\mathcal {C}\).

Theorem 8

Algorithm 4 takes \(O(m^2log(m))\) time where m is the number of valid nodes (with edge) in the policy graph.

Algorithm. Algorithm 4 derives the minimum protectable graph for location data when an isolated node is detected. We can connect the isolated node \(\mathbf{s} _i\) to the rest (at most m) nodes, generating at most m convex hulls where \(m=|\mathcal {V}|\) is the number of valid nodes. In two-dimensional space, it only takes O(mlog(m)) time to find a convex hull. To derive Area of a shape, we exploit the computation of determinant whose intrinsic meaning is the \(\textsc {Volume}\) of the column vectors. Therefore, we use \(\mathop \sum \limits _{i=1,j=i+1}^{i=h}det(\mathbf{v} _i,\mathbf{v} _j)\) to derive the Area of a convex hull with clockwise nodes \(\mathbf{v} _1,\mathbf{v} _2,\cdots ,\mathbf{v} _{h}\) where h is the number of vertices and \(\mathbf{v} _{h+1}=\mathbf{v} _1\). By comparing the area of these convex hulls, we can find the smallest area in \(O(m^2log(m))\) time where m is the number of valid nodes. Note that Algorithms 3 and 4 can also be combined together to protect any disconnected nodes.

C Related Works

1.1 C.1 Differential Privacy

While differential privacy [15] has been accepted as a standard notion for privacy protection, the concept of standard differential privacy is not generally applicable for complicated data types. Many variants of differential privacy have been proposed, such as Pufferfish privacy [27], Geo-Indistinguishability [1] and Voice-Indistinguishability [23] (see Survey [33]). Blowfish privacy [25] is the first generic framework with customizable privacy policy. It defines sensitive information as secrets and known knowledge about the data as constraints. By constructing a policy graph, which should also be consistent with all constraints, Blowfish privacy can be formally defined. Our definition of PGLP is inspired by Blowfish framework. Notably, we find that the policy graph may not be viable under temporal correlations represented by Markov model, which was not considered in the previous work. This is also related to another line of works studying how to achieve differential privacy under temporal correlations [8,9,10, 36].

1.2 C.2 Location Privacy

A close line of works focus on extending differential privacy to location setting. The first DP-based location privacy model is Geo-Indistinguishability [1], which scales the sensitivity of two locations to their Euclidean distance. Hence, it is suitable for proximity-based applications. Following by Geo-Indistinguishability, several location privacy notions [38, 40] have been proposed based on differential privacy. A recent DP-based location privacy, spatiotemporal event privacy [5,6,7], proposed a new representation for secrets in spatiotemporal data called spatiotemoral events using Boolean expression. It is essentially different from this work since here we are considering the traditional representation of secrets, i.e., each single location or a sequence of locations.

Several works considered Markov models for improving utility of released location traces or web browsing activities [11, 17], but did not consider the inference risks when an adversary has the knowledge of the Markov model. Xiao et al. [39] studied how to protect the true location if a user’s movement follows Markov model. The technique can be viewed as a special instantiation of PGLP. In addition, PGLP uses a policy graph to tune the privacy and utility to meet diverse the requirement of location-based applications.

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cao, Y. et al. (2020). PGLP: Customizable and Rigorous Location Privacy Through Policy Graph. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12308. Springer, Cham. https://doi.org/10.1007/978-3-030-58951-6_32

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58951-6_32

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58950-9

  • Online ISBN: 978-3-030-58951-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics