QUICK REVIEW

[Paper summary] Differentially Private Location Privacy in Practice

Vincent Primault, Sonia Ben Mokhtar|arXiv (Cornell University)|Oct 28, 2014
Privacy-Preserving Technologies in Data | References: 20 | Cited by: 28
One-sentence summary

This paper evaluates Geo-Indistinguishability, a differential-privacy mechanism for location privacy, on real mobility traces. Despite its solid theoretical guarantees, the study finds that even at high obfuscation levels an attacker can still infer most users' points of interest (POIs) and, using POIs as a quasi-identifier, achieve a re-identification rate of at least 63%, exposing a critical gap between theory and practice for differential privacy in location-based services.

ABSTRACT

With the wide adoption of handheld devices (e.g. smartphones, tablets) a large number of location-based services (also called LBSs) have flourished providing mobile users with real-time and contextual information on the move. Accounting for the amount of location information they are given by users, these services are able to track users wherever they go and to learn sensitive information about them (e.g. their points of interest including home, work, religious or political places regularly visited). A number of solutions have been proposed in the past few years to protect users' location information while still allowing them to enjoy geo-located services. Among the most robust solutions are those that apply the popular notion of differential privacy to location privacy (e.g. Geo-Indistinguishability), promising strong theoretical privacy guarantees with a bounded accuracy loss. While these theoretical guarantees are attractive, it might be difficult for end users or practitioners to assess their effectiveness in the wild. In this paper, we carry out a practical study using real mobility traces coming from two different datasets, to assess the ability of Geo-Indistinguishability to protect users' points of interest (POIs). We show that a curious LBS collecting obfuscated location information sent by mobile users is still able to infer most of the users' POIs with reasonable geographic and semantic precision. This precision depends on the degree of obfuscation applied by Geo-Indistinguishability. Nevertheless, the latter also has an impact on the overhead incurred on mobile devices resulting in a privacy versus overhead trade-off. Finally, we show in our study that POIs constitute a quasi-identifier for mobile users and that obfuscating them using Geo-Indistinguishability is not sufficient as an attacker is able to re-identify at least 63% of them despite a high degree of obfuscation.

Motivation and goals

  • Evaluate how effective Geo-Indistinguishability is at protecting users' location privacy in practice.
  • Assess whether a differential-privacy mechanism actually prevents re-identification of users' sensitive points of interest (POIs).
  • Measure the trade-off between privacy protection (degree of obfuscation) and system overhead on mobile devices.
  • Determine whether obfuscated location data still leaks enough information for an attacker to infer POIs with high geographic and semantic precision.
  • Establish whether POIs act as a quasi-identifier that still leads to user re-identification under differential-privacy protection.

Method

  • The study uses real mobility traces from two different datasets and simulates the location data a user would send under the Geo-Indistinguishability mechanism.
  • Geo-Indistinguishability is applied by adding noise to each user location, so that the reported location satisfies the differential-privacy guarantee.
  • The researchers simulate a curious location-based service (LBS) that observes the obfuscated locations and tries to infer the users' true POIs.
  • They evaluate geographic precision (how close an inferred POI is to the true one) and semantic precision (whether the type of POI is identified correctly).
  • Re-identification rates are measured at different levels of the privacy budget (epsilon), since epsilon controls how much noise is added.
  • System overhead on mobile devices is quantified by measuring the computational cost of the obfuscation process.
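As an added illustration of the obfuscation and inference steps above (example code written for this summary, not code from the paper or its authors), the following Python script applies the planar Laplace mechanism that Geo-Indistinguishability is built on to a constructed mobility trace, then plays the curious LBS: it clusters the obfuscated reports and takes each cluster mean as a POI estimate. The POI coordinates, visit counts, the value eps = 0.01 per metre and the k-means attacker are all assumptions of this example, not parameters or methods taken from the paper. It goes slightly beyond the page by showing why repeated visits defeat per-report noise: the noise is drawn independently for every report, so averaging a few hundred reports of the same place shrinks the error by roughly the square root of the number of visits even though each single report stays eps-geo-indistinguishable.

```python
"""Planar Laplace (Geo-Indistinguishability) obfuscation plus a curious-LBS
POI inference attack, simulated in a local metric plane (coordinates in metres).
Constructed example for this summary; not the paper's code or data."""
import math
import random


def planar_laplace(x, y, eps, rng):
    """Geo-Indistinguishability mechanism: add 2-D Laplace noise to (x, y).

    eps is the privacy level per metre (eps = l / r: level l at radius r).
    The noise radius follows the Gamma(2, 1/eps) law, density eps^2 * r * exp(-eps*r),
    which is the sum of two Exponential(eps) draws; the angle is uniform.
    """
    r = rng.expovariate(eps) + rng.expovariate(eps)
    theta = rng.uniform(0.0, 2.0 * math.pi)
    return (x + r * math.cos(theta), y + r * math.sin(theta))


def simulate_reports(pois, visits_per_poi, eps, rng):
    """Constructed mobility trace: each POI is visited visits_per_poi times and
    every visit is reported to the LBS after independent obfuscation."""
    reports = []
    for (px, py) in pois:
        for _ in range(visits_per_poi):
            reports.append(planar_laplace(px, py, eps, rng))
    return reports


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def infer_pois(reports, k, iterations=20):
    """Curious-LBS attack (assumed, simpler than the paper's): Lloyd's k-means with
    farthest-point initialisation over the obfuscated reports; each cluster mean
    is the attacker's POI estimate. Independent noise averages out across visits."""
    centers = [reports[0]]
    while len(centers) < k:
        centers.append(max(reports, key=lambda p: min(_dist(p, c) for c in centers)))
    for _ in range(iterations):
        groups = [[] for _ in centers]
        for p in reports:
            idx = min(range(k), key=lambda i: _dist(p, centers[i]))
            groups[idx].append(p)
        new_centers = []
        for g, c in zip(groups, centers):
            if g:
                new_centers.append((sum(p[0] for p in g) / len(g),
                                    sum(p[1] for p in g) / len(g)))
            else:
                new_centers.append(c)  # keep an empty cluster's centre
        if new_centers == centers:
            break
        centers = new_centers
    return centers


def evaluate(true_pois, inferred):
    """Geographic precision: distance from each true POI to the nearest inferred POI."""
    return [min(_dist(t, c) for c in inferred) for t in true_pois]


def run_experiment(eps=0.01, visits_per_poi=200, seed=1):
    """One trial: assumed 'home' and 'work' 3 km apart, each visited visits_per_poi times.
    Returns the mean error of a single obfuscated report (about 2/eps metres)
    and the error of the attacker's inferred POIs."""
    rng = random.Random(seed)
    pois = [(0.0, 0.0), (3000.0, 0.0)]  # constructed POIs, not from the datasets
    reports = simulate_reports(pois, visits_per_poi, eps, rng)
    per_report = [_dist(r, pois[i // visits_per_poi]) for i, r in enumerate(reports)]
    inferred = infer_pois(reports, k=len(pois))
    return {
        "mean_report_error_m": sum(per_report) / len(per_report),
        "poi_errors_m": evaluate(pois, inferred),
    }


if __name__ == "__main__":
    print(run_experiment())
```

Lowering eps (more noise) raises the single-report error linearly, since its mean is 2/eps metres, but the inferred-POI error grows in the same proportion and is divided by roughly the square root of the visit count, so an attacker who sees a few hundred reports of a regularly visited place still lands within tens of metres of it. That is the theory-versus-practice gap the study measures on real traces, here reproduced with a much cruder attacker than the paper's.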

Experimental results

Research questions

  • RQ1: Can a curious location-based service (LBS) re-identify users' points of interest (POIs) from location data obfuscated under differential privacy?
  • RQ2: How does the degree of obfuscation (controlled by the privacy budget ε) affect the accuracy with which an attacker infers POIs?
  • RQ3: To what extent do POIs act as a quasi-identifier that leaves users exposed to re-identification even under differential-privacy protection?
  • RQ4: What is the trade-off between privacy protection (obfuscation) and computational overhead on mobile devices?
  • RQ5: Do the semantic and geographic precision of inferred POIs remain high even under strong privacy guarantees?

Main findings

  • Even at high obfuscation levels, an attacker using POIs as a quasi-identifier still achieves a re-identification rate of at least 63%.
  • The geographic and semantic precision of inferred POIs remains high, showing that the obfuscated data still leaks significant information.
  • The privacy budget (ε) directly determines both the accuracy of POI inference and the computational overhead on the mobile device.
  • Despite its strong theoretical guarantees, Geo-Indistinguishability does not prevent re-identification in practice, because POIs behave as quasi-identifiers.
  • The study reveals a substantial gap between theory and practice: the differential-privacy mechanism does not fully defend against real-world inference attacks on location data.
  • Computational overhead on the mobile device increases with the degree of obfuscation, so there is a practical trade-off between privacy and performance.

This summary was generated by AI and reviewed by a human editor.