On-the-fly Privacy for Location Histograms


An important motivation for research in location privacy has been to protect against user profiling, i.e., inferring a user’s political affiliation, wealth level, sexual preferences, religious beliefs and other sensitive attributes. Existing approaches focus on distorting or suppressing individual locations, but we argue that, for directly protecting against profiling, it is more appropriate to focus on the frequency with which various locations are visited, in other words, the histogram of a user’s locations. We introduce and explore a new privacy notion for location histograms, in which the user chooses a target histogram that she wants to avoid or to resemble by obfuscating her location visits. For example, she may want to avoid looking wealthy or to resemble a health-conscious person. We describe how to design concrete privacy mechanisms, including provably optimal ones, that operate under different assumptions about, e.g., the user’s mobility. We use a mobility dataset with 1083 users to illustrate how these mechanisms achieve privacy while minimizing the quality loss caused by the location obfuscation, in the context of two types of Location-Based Services: nearest-PoI and geofence.

IEEE Transactions on Dependable and Secure Computing
(JCR 2019: 6.864)