Location Privacy. Where do we stand and where are we going?
Fernando Pérez-González
Signal Theory and Communications Department
Universidad de Vigo - SPAIN
Why do we like location based apps?
Google maps
Foursquare
Facebook place tips
Waze
And, of course…
How can you be geolocated? (without you fully knowing)
IP-based Geolocation
Source: GeoIPTool
Meta-data based Geolocation
Landmark recognition Geolocation
Biometric geolocation
Credit card usage Geolocation
Triangulation and other geolocation techniques
Signal strength-based triangulation
Source: The Wrongful Convictions Blog
Source: The Wrongful Convictions Blog
Signal strength-based triangulation
Multilateration: Time Difference of Arrival (TDOA)
Source: [Fujii et al. 2015]
Wardriving geolocation (Wigle)
Source: Wigle.net
Electrical Network Frequency Geolocation
Why is it dangerous?
Buster busted!
6 months in the life of Malte Spitz (2009-2010)
Source: http://www.zeit.de/datenschutz/malte-spitz-data-retention
Are we concerned about it?
Are people really concerned about location privacy?
• Survey by Skyhook Wireless (July 2015) of 1,000 smartphone app users.
• 40% hesitate or don’t share location with apps.
• 20% turned off location for all their apps.
• Why don’t people share location?
  • 50% privacy concerns.
  • 23% don’t see value in location data.
  • 19% say it drains their battery.
• Why do people turn off location?
  • 63% battery draining.
  • 45% privacy.
  • 20% avoid advertising.
How much is geolocation data worth?
How much value do we give to location data? [Staiano et al. 2014]
[Figure: plot with axis label "Daily Value (€)".]
Many participants opted-out of revealing geolocation information.
Avg. daily value of location info: 3 €
Strong correlation between the amount traveled and the value given to location data.
Earn money as you share data
• GeoTask
• £1 PayPal cash voucher per 100 days of location data sharing (£0.01/day)
Financial Times in 2013: advertisers are willing to pay a mere $0.0005 per person for general information such as their age, gender and location, or $0.50 per 1,000 people.
Pay as you drive
• Formula can be a function of the amount of miles driven, or the type of driving, age of the driver, type of roads used…
• Up to 40% reduction in the cost of insurance.
BIA/Kelsey projects U.S. location-targeted mobile ad spending to grow from $9.8 billion in 2015 to $29.5 billion in 2020.
That’s $90 per person year!!!!
SAP, Germany, estimates wireless carrier revenue from selling mobile-user behavior data at $5.5 billion in 2015 and predicts $9.6 billion for 2016.
How about anonymization/pseudonymization?
Anonymity
Problems:
• Difficult authentication and personalization.
• Operating system or apps may access location before anonymization.
[Diagram labels: Location, Anonymity provider (local/central), Location, Service provider]
Pseudonymity
Problems:
• Operating system or apps may access location data before pseudonymization.
• Deanonymization.
[Diagram labels: Location, Pseudonym, Service provider]
Deanonymization based on home location [Hoh, Gruteser 2006]
• Data from GPS traces of larger Detroit area (1 min resolution).
• No data when vehicle parked.
• K-means algorithm for clustering locations + 2 heuristics:
  • Eliminate centroids that don’t have evening visits.
  • Eliminate centroids outside residential areas (manually).
Source: [Hoh, Gruteser 2006]
Deanonymization based on home location [Krumm 2007]
• 2-week GPS data from 172 subjects (avg. 6 sec resolution).
• Use heuristic to single out trips by car.
• Then use several heuristics: destination closest to 3 a.m. is home; place where individual spends most time is home; center of cluster with most points is home.
• Use reverse geocoding and white pages to deanonymize. Success measured by finding out name of individual.
• Positive identification rates around 5%.
• Even noise addition with std=500 m gives around 5% success when measured by finding out correct address.
Mobile trace uniqueness [de Montjoye et al. 2013]
• Study on 15 months of mobility data; 0.5M individuals.
• In a dataset with hourly updates and resolution given by cell carrier antennas, only 4 points suffice to identify 95% of individuals.
• Uniqueness of mobility traces decays as 1/10th power of their resolution.
Source: [de Montjoye et al. 2013]
Location privacy protection mechanisms
Location white lies
Source: Caro Spark (CC BY-NC-ND)
Location based privacy mechanisms
Input location: $X$
Output pseudolocation: $Z$
Source: Motherboards.org
Location privacy protection mechanisms (LPPMs)
• The mechanism is a function that maps the input location $X$ to the pseudolocation $Z$.
• The mechanism may be deterministic (e.g., quantization) or stochastic (e.g., noise addition).
• The function may depend on other contextual (e.g., time) or user-tunable (e.g., privacy level) parameters.
• When the mechanism is stochastic, there is an underlying probability density function, i.e., $f(Z|X)$.
Hiding
Perturbation: (independent) noise addition
Perturbation: quantization
Obfuscation
Spatial Cloaking
How to commit the perfect murder
Space-time Cloaking
[Figure: axis label "Time".]
Dummies
User-centric vs. Centralized LPPM
User-centric
User-centric vs. Centralized LPPM
Centralized
Utility vs. Privacy
• In broad terms:
[Figure: plot with axes "Privacy" and "Utility".]
Very nice, but…
• There are two main problems:
How do we measure utility?
How do we measure privacy?
How to measure utility?
How to measure utility?
How to measure utility?
Real position
pseudolocation
A note about distances
[Figure: distances $d_2$ and $d_1$.]
Adversarial definition of privacy [Shokri et al 2011-]
• Assume stochastic mechanism $f(Z|X)$ for the user.
• Adversary constructs a (possibly stochastic) estimation remapping $r(\hat{X}|Z)$.
• Prior $\pi(X)$ assumed available to the adversary.
• $d_p(\hat{x}, x)$: Distance between $\hat{x}$ and $x$.
• $d_q(x, z)$: Distance between $x$ and $z$.
[Diagram labels: $x$, LPPM, $z$, Adversary, $\hat{x}$]
Adversarial definition of privacy [Shokri et al 2011-]
• Establish a cap on average utility loss: $E\{d_q(X,Z)\} \le QL$
• This is a Stackelberg game in which the user chooses first and the adversary plays second.
• Find optimal adversarial ‘remapping’: $r^*(\hat{X}|Z) = \arg\min E\{d_p(\hat{X},X) \mid Z\}$
  where $E\{d_p(\hat{X},X) \mid Z\} = \sum_{\hat{X},X} r(\hat{X}|Z)\, f(X|Z)\, d_p(\hat{X},X)$
• Optimal remapping depends on $\pi(X)$ and $f(Z|X)$: $f(X|Z) = \dfrac{f(Z|X)\,\pi(X)}{f(Z)}$, with $f(Z|X)$ the LBPM and $\pi(X)$ the prior.
Example: uniform noise addition
[Figure: uniform noise addition. Labels: LPPM, Prior, $f(Z|X=x)$, $x$, $f(Z=z|X)$, $z$, $\hat{x}$.]
Adversarial definition of privacy [Shokri et al 2011-]
• When for a given $Z$ there are several minimizers $\hat{X}$, the function $r^*(\hat{X}|Z)$ becomes stochastic.
• The user now must maximize privacy: $\max E\{d_p(\hat{X},X)\} = \max \sum_{Z,X,\hat{X}} r^*(\hat{X}|Z)\, f(Z|X)\, \pi(X)\, d_p(\hat{X},X)$
• Which is achieved for some mechanism $f^*(Z|X)$.
• Privacy is defined as $E\{d_p(\hat{X},X)\}$ after solving this maxmin problem.
An interesting result
• When $d_p = d_q$: $r^*(\hat{X}|Z=z) = \delta(\hat{X}-z)$
  i.e. do nothing!
• When $d_p = d_q = d_2$ the following identity must hold: $z = E\{X \mid Z=z\}$
• When both user and adversary play optimally: $f^*(Z=z|X) = \arg\min E\{d_p(z,X)\}$ and Privacy = Utility Loss
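The adversary's side of the game above (posterior from prior and mechanism, optimal remapping, resulting privacy and quality loss), worked on a small discrete line with uniform noise. This is an added example, not taken from the slides: the 7-cell grid, the priors, the noise width and the choice $d_p = d_q$ = absolute cell distance are constructed for illustration, and the adversary may optionally be given a mismatched prior.

```python
def abs_dist(a, b):
    """Distance between two cells on the line; used here for both d_p and d_q."""
    return abs(a - b)


def uniform_noise_mechanism(n_cells, width):
    """f[x][z] = f(Z=z | X=x): uniform over the cells within `width` of x."""
    f = []
    for x in range(n_cells):
        support = [z for z in range(n_cells) if abs(z - x) <= width]
        f.append([1.0 / len(support) if z in support else 0.0
                  for z in range(n_cells)])
    return f


def posterior(prior, f, z):
    """Bayes rule: f(X=x | Z=z) = f(z|x) * prior(x) / f(z).

    Returns (posterior list, f(z)); the posterior is None when f(z) = 0.
    """
    joint = [f[x][z] * prior[x] for x in range(len(prior))]
    fz = sum(joint)
    if fz == 0.0:
        return None, 0.0
    return [j / fz for j in joint], fz


def optimal_remap(post, d_p):
    """r*(. | z): the estimate x_hat that minimises E{d_p(x_hat, X) | Z=z}."""
    n = len(post)

    def expected_error(x_hat):
        return sum(post[x] * d_p(x_hat, x) for x in range(n))

    best = min(range(n), key=expected_error)
    return best, expected_error(best)


def evaluate(prior, f, d_p, d_q, adversary_prior=None):
    """Return (privacy, quality_loss) for mechanism f under the true prior.

    privacy      = E{d_p(X_hat, X)} with the adversary remapping optimally
                   for the prior it believes (default: the true prior).
    quality_loss = E{d_q(X, Z)}.
    """
    believed = prior if adversary_prior is None else adversary_prior
    n = len(prior)
    quality_loss = sum(prior[x] * f[x][z] * d_q(x, z)
                       for x in range(n) for z in range(n))
    privacy = 0.0
    for z in range(n):
        true_post, fz = posterior(prior, f, z)
        if fz == 0.0:
            continue  # this output never occurs
        believed_post, _ = posterior(believed, f, z)
        if believed_post is None:
            x_hat = z  # output impossible under the believed prior: do nothing
        else:
            x_hat, _ = optimal_remap(believed_post, d_p)
        privacy += fz * sum(true_post[x] * d_p(x_hat, x) for x in range(n))
    return privacy, quality_loss


if __name__ == "__main__":
    f = uniform_noise_mechanism(7, 2)
    uniform_prior = [1.0 / 7] * 7
    home_prior = [0, 0, 0, 1.0, 0, 0, 0]   # user is always in cell 3
    for name, prior in (("uniform", uniform_prior), ("point mass", home_prior)):
        p, ql = evaluate(prior, f, abs_dist, abs_dist)
        print(f"{name:10s} prior: privacy={p:.3f}  quality loss={ql:.3f}")
```

Because $\hat{x} = z$ is always available to the adversary, privacy can never exceed the quality loss when $d_p = d_q$; with a point-mass prior the noise costs utility and buys no privacy at all.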
The Utility Loss-Privacy plane
[Figure: the utility loss vs. privacy plane (axes: Utility Loss, Privacy). Labels: achievable region with optimal mechanism; achievable region with optimal adversary; P=UL; Adv. Strategy 1, 2, 3, 4; Adv. playing line.]
What’s wrong with priors?
• Is it realistic to assume that the adversary knows the prior?
• Adversary no longer plays optimally with the ‘wrong’ prior.
• Shokri’s privacy definition is prior-dependent.
• Definition of differential privacy is prior-independent: $\log(\Pr\{A(D_1) \in S\}) - \log(\Pr\{A(D_2) \in S\}) \le \epsilon$
- $D_1, D_2$: Two databases differing in a single element.
- A: randomized algorithm.
- S: set of possible subsets of im(A).
Geoindistinguishability [Chatzikokolakis et al 2013-]
• A mechanism is geo-indistinguishable iff: $|\log(f(z|X=x)) - \log(f(z|X=x'))| \le \epsilon\, d_p(x,x')$ for all $x, x', z$.
• Differential privacy corresponds to $d_p$ = Hamming distance.
• Definition is prior-independent.
• Guarantees a small leakage of information BUT is no defense against EVERY adversary: with proper side information, adversary can learn a lot!
Uniform mechanisms do not provide geo-ind
[Figure: densities $f(Z|X=x)$ and $f(Z|X=x')$ of a uniform mechanism for two locations $x$ and $x'$, annotated with $|\log(f(z|X=x)) - \log(f(z|X=x'))|$.]
Laplacian mechanism
• Laplacian distribution in polar coordinates: $f(z|X=x) = \dfrac{\epsilon^2}{2\pi}\, e^{-\epsilon\, d_2(x,z)}$
• Then, $|\log f(z|X=x) - \log f(z|X=x')| = \epsilon\,|d_2(z,x') - d_2(z,x)| \le \epsilon\, d_2(x,x')$ (triangle inequality).
• The Laplacian mechanism satisfies the geo-ind condition.
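A numerical check of the two claims above: the planar Laplacian keeps the log-ratio of output densities within $\epsilon\, d_2(x,x')$, while uniform noise on a disc does not. This is an added example, not taken from the slides: the coordinates (in metres), the value of $\epsilon$, the disc radius and the output grid are constructed, and the sampler draws the radius from a Gamma(2, 1/$\epsilon$) distribution, which is the radial law of this density.

```python
import math
import random


def planar_laplace_pdf(z, x, eps):
    """f(z | X=x) = eps^2 / (2*pi) * exp(-eps * d2(x, z))."""
    return eps ** 2 / (2 * math.pi) * math.exp(-eps * math.dist(x, z))


def uniform_disc_pdf(z, x, radius):
    """Uniform noise on a disc of the given radius around x (for contrast)."""
    return 1.0 / (math.pi * radius ** 2) if math.dist(x, z) <= radius else 0.0


def sample_planar_laplace(x, eps, rng):
    """Draw a pseudolocation: uniform angle, radius ~ Gamma(shape=2, scale=1/eps)."""
    theta = rng.uniform(0.0, 2 * math.pi)
    r = rng.gammavariate(2.0, 1.0 / eps)
    return (x[0] + r * math.cos(theta), x[1] + r * math.sin(theta))


def worst_log_ratio(pdf, x, x_prime, outputs):
    """max over z of |log f(z|x) - log f(z|x')|.

    Returns inf when some z is possible under one input and impossible
    under the other: observing that z rules one location out completely.
    """
    worst = 0.0
    for z in outputs:
        a, b = pdf(z, x), pdf(z, x_prime)
        if a == 0.0 and b == 0.0:
            continue  # z cannot occur for either input
        if a == 0.0 or b == 0.0:
            return math.inf
        worst = max(worst, abs(math.log(a) - math.log(b)))
    return worst


def geo_ind_check(eps, x, x_prime, disc_radius=300.0):
    """Return (eps*d2(x,x'), worst ratio for Laplace, worst ratio for uniform)."""
    grid = [(float(i), float(j))
            for i in range(-1000, 1001, 50) for j in range(-1000, 1001, 50)]
    bound = eps * math.dist(x, x_prime)
    laplace = worst_log_ratio(
        lambda z, c: planar_laplace_pdf(z, c, eps), x, x_prime, grid)
    uniform = worst_log_ratio(
        lambda z, c: uniform_disc_pdf(z, c, disc_radius), x, x_prime, grid)
    return bound, laplace, uniform


def mean_displacement(eps, n, seed):
    """Empirical E{d2(X, Z)} of the sampler; the exact value is 2/eps."""
    rng = random.Random(seed)
    x = (0.0, 0.0)
    return sum(math.dist(x, sample_planar_laplace(x, eps, rng))
               for _ in range(n)) / n


if __name__ == "__main__":
    eps = math.log(2) / 200.0            # constructed: ratio <= 2 within 200 m
    bound, laplace, uniform = geo_ind_check(eps, (0.0, 0.0), (150.0, 0.0))
    print(f"bound eps*d = {bound:.4f}, Laplace worst = {laplace:.4f}, "
          f"uniform worst = {uniform}")
    print(f"mean displacement = {mean_displacement(eps, 20000, 1):.1f} m "
          f"(theory {2 / eps:.1f} m)")
```

The mean displacement $2/\epsilon$ is the quality loss paid for the guarantee when $d_q$ is the Euclidean distance.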
Laplacian mechanism
Optimal mechanisms for geo-ind
• Minimize quality loss (i.e., $E\{d_q(X,Z)\}$) subject to geo-ind constraint.
• Fact: geo-ind constraint is kept under any adversarial remapping $r(\hat{X}|Z)$.
• Optimal mechanism is then $f^*(Z|X) = \arg\min E\{d_q(Z,X)\}$
  where $E\{d_q(X,Z)\} = \sum_{X,Z} f(Z|X)\, \pi(X)\, d_q(X,Z)$
• The optimal adversarial remapping would find $r^*(\hat{X}|Z) = \arg\min E\{d_p(\hat{X},X) \mid Z\}$
Optimal mechanisms for geo-ind
• If $d_p = d_q$ the adversary does nothing. Minimization of the QL has been already done by the mechanism!!
• But if the adversary does nothing, Privacy=QL.
• The operating value thus depends on $\epsilon$ (the smaller, the larger the privacy).
Where are we going?
Sensitivity [Bertino et. al 2010]
![Page 78: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/78.jpg)
Sensitivity
• The mechanism should weigh the importance given by the user to each location.
• This can be specified semantically by defining categories.
• Sensitivity of a region: prob. that the user, known to be in that region, is actually in a sensitive place.
• For other mechanisms: open problem.
![Page 79: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/79.jpg)
Graph-based models
![Page 80: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/80.jpg)
Graph-based models
![Page 81: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/81.jpg)
Graph-based models
Trace
![Page 82: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/82.jpg)
Graph-based models
• A trace is a path together with time $\{X_i, t_i\}_{i=1}^N$.
• Common assumption for an adversary: the true trace can be described through a Markov chain.
• Prior transition probabilities between states can be estimated if training traces are (at least partially) available.
[Figure: Markov chain over states $S_k$, $S_l$, $S_m$, $S_n$, with state probabilities $P(S_k)$, $P(S_l)$, $P(S_m)$, $P(S_n)$ and the transition probabilities between them, estimated from training data]
![Page 83: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/83.jpg)
Graph-based models
• Shokri et al.’s approach: depending on what the adversary wants to learn, apply a different method.
• Maximum likelihood: find the most likely trace given the observed trace
$$\arg\max_{\{X_i,t_i\}_{i=1}^N} f\left(\{X_i,t_i\}_{i=1}^N \mid \{Z_i,t_i\}_{i=1}^N\right)$$
• Dynamic programming (e.g., Viterbi algorithm) can be used.
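An added example, not from the slides: the maximum-likelihood trace estimate above, with the Markov chain estimated from training traces as on the previous slide and decoded with the Viterbi algorithm. The four regions, the training traces, the add-one smoothing and the obfuscation model `mechanism` are constructed assumptions; running it on a mechanism's output shows how much of the true trace a Markov-aware observer would still recover.

```python
from collections import Counter
from math import log

# Constructed training traces over four regions (one letter per time step).
TRAINING = ["AABBC", "ABBCD", "AABCD", "BBCDD", "ABCCD"]
STATES = "ABCD"

def estimate_chain(traces, states, alpha=1.0):
    """Estimate P(S) for the first step and P(S_m | S_n) with add-alpha smoothing."""
    first = Counter(t[0] for t in traces)
    pairs = Counter((a, b) for t in traces for a, b in zip(t, t[1:]))
    k = len(states)
    prior = {s: (first[s] + alpha) / (len(traces) + alpha * k) for s in states}
    trans = {}
    for n in states:
        total = sum(pairs[(n, m)] for m in states) + alpha * k
        trans[n] = {m: (pairs[(n, m)] + alpha) / total for m in states}
    return prior, trans

def mechanism(z, x, stay=0.6):
    """Assumed f(z|x): report the true region w.p. `stay`, else another one uniformly."""
    return stay if z == x else (1 - stay) / (len(STATES) - 1)

def viterbi(observed, prior, trans, emit):
    """Most likely true trace given the observed (obfuscated) trace."""
    score = {s: log(prior[s]) + log(emit(observed[0], s)) for s in STATES}
    back = []
    for z in observed[1:]:
        prev, score, ptr = score, {}, {}
        for m in STATES:
            best = max(STATES, key=lambda n: prev[n] + log(trans[n][m]))
            score[m] = prev[best] + log(trans[best][m]) + log(emit(z, m))
            ptr[m] = best
        back.append(ptr)
    path = [max(STATES, key=score.get)]       # best final state
    for ptr in reversed(back):                # follow back-pointers
        path.append(ptr[path[-1]])
    return "".join(reversed(path))

PRIOR, TRANS = estimate_chain(TRAINING, STATES)
DECODED = viterbi("ABDCD", PRIOR, TRANS, mechanism)  # constructed observed trace
```

The reported jump to region D in the middle of the observed trace is undone by the decoder because the learned chain makes B→D→C far less likely than B→B→C.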
![Page 84: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/84.jpg)
Graph-based models
• Distribution estimation: estimate the probabilities of all traces using the Metropolis-Hastings algorithm.
![Page 85: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/85.jpg)
Graph-based models
• Location estimation: find the most likely node at time $t_k$
$$\arg\max_{X_k} f\left(X_k \mid \{Z_i,t_i\}_{i=1}^N\right)$$
• Can be solved using the backward-forward algorithm to recursively compute the probabilities.
![Page 86: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/86.jpg)
Privacy as a zero-sum game
[Figure: Utility Loss vs. Privacy plane. Labels: achievable region (optimal mechanism); P=UL; achievable region (optimal adversary); Privacy+Utility=constant]
![Page 87: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/87.jpg)
Adding a new dimension: bandwidth
[Figure: dummy queries with n = 3 (8 dummies); Privacy and Utility Loss expressed through $d^2(s)$ and $d^2(S)$]
![Page 88: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/88.jpg)
The Utility Loss-Privacy-Bandwidth region
[Figure: Utility Loss vs. Privacy plane. Labels: achievable region (optimal mechanism); P=UL; P=3 UL; achievable region (optimal adversary); BW is now 9 times larger; service provider utility loss; user utility loss; privacy gain due to dummying]
![Page 89: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/89.jpg)
Space-time cloaking
Delay: time
Privacy: k-anonymity; area, time, pop. density
Utility Loss: area
![Page 90: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/90.jpg)
Privacy-preserving queries
Retrieval in Encrypted Domain
Encrypted query
Encrypted reply
![Page 91: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/91.jpg)
![Page 92: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/92.jpg)
Thanks!
Grupo Procesado de Señal en Comunicaciones
![Page 93: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/93.jpg)
What utility? An example
Privacy: k-anonymity; area, time, pop. density
Utility: 1/area, 1/$d_{\max}$
![Page 94: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/94.jpg)
But delay also counts…
[Figure: Utility vs. Privacy curves for Delay=5 min, Delay=10 min, Delay=15 min]
![Page 95: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/95.jpg)
![Page 96: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/96.jpg)
What utility? Another example
• Space-time slicing
• Is this related to bandwidth?
![Page 97: Presentación de PowerPointgpsc.uvigo.es/sites/default/files/slides/Location_Privacy_Keynote.pdfcarrier antennas, only 4 points suffice to identify 95% of individuals. •Uniqueness](https://reader034.vdocument.in/reader034/viewer/2022042118/5e96587a855e2554b87f5bb8/html5/thumbnails/97.jpg)