Preserving Privacy GPS Traces via Uncertainty-Aware Path Cloaking

Baik Hoh, Marco Gruteser, Hui Xiong, Ansaf Alrabady

Presenter:Yao Lu

ECE 256, Spring 11

Duke University

2

Overview

Introduction Problem Statement Previous work Proposed method Evaluation Discussion

Motivation

Motivation

Motivation

Adversary Model

• Use successive location samples from a vehicle to reconstruct its path mix of various samples belonging to several vehicles.

• Predict the target position using the last known speed and heading information and then decide which next sample to link to the same vehicle.

• If multiple candidate samples exist, choose the one with the highest a posteriori probability based on a probability model of distance and time deviations from the prediction.

• If several of these samples appear similar to each other, no decision with high certainty is possible and tracking stops.

Problem Statement

• Objective1. Privacy Protection: Guarantee strong anonymity in high

and low density areas2. Data quality: Provide sufficient information for traffic

monitoring

• Assumptions1. Trustworthy server to execute centralized algorithm2. Adversary has no priori information of the tracking

subject

When two paths cross

Existing privacy algorithms

K-anonymity: to generalize a data record until it is indistinguishable from

the records of at least k-1 other individuals

Existing privacy algorithms Subsampling

Privacy Metrics

• Mean Time To Confusion (MTTC)• Tracking Uncertainty

ii ppH log

Uncertainty calculation 1

ii ppH log.3id

i ep

ˆ.1

i

ii p

pp

ˆ

ˆ.2

41.0H

Uncertainty calculation 2

ii ppH log.3id

i ep

ˆ.1

i

ii p

pp

ˆ

ˆ.2

56.0H

Path Privacy-Preserving Mechanism

• Only reveal locations samples when

(1)time since the last point of confusion is less than the maximum time to confusion

(2)at the current time tracking uncertainty is above the uncertainty threshold

Reacquisition Tracking Model• Time Window w=10Minutes.

• After the confusion Timeout expires:

Each released sample need to maintain

confusion from the last released positions

within the window

• Before the confusion Timeout expires:

Each released sample need to maintain

confusion to any released samples within

the windows

Evaluation: Data Set

• week-long GPS traces of 233 probe vehicles on a 70km-by-70km area

• 1 minute sampling period

• Overlay it into day-long traces of 2000 vehicles

• Metrics: Tracking time and (relative) weighted road coverage

• Baseline algorithm: random sampling with probability p

Evaluation: Protection Against Target Tracking-

Bounded Tracking Time without Reacquisition

• Uncertainty-aware privacy algorithm limits time to confusion to 5 min while random sampling algorithm’s TTC is a lot longer

• Uncertainty-aware privacy algorithm can release up to 92.5% of the original location samples while random sampling has to remove more samples

Evaluation: Protection Against Target Tracking-

Dependence on Reacquisition and Density

• TTC of uncertainty-aware privacy algorithm

is shorter than subsampling algorithm

Evaluation: Protection Against Target Tracking

• In very low density scenarios,

uncertainty-aware privacy algorithm preserves maximum TTC guarantee of 5 min by removing more samples while subsampling allows a longer maximum TTC

Evaluation: Quality of Service Analysis

• Achieves a relative weighted road coverage similar to that of original location traces

Conclusion & Future Work• Conclusion:1. Proposed time-to-confusion metric to characterize location privacy

2. Uncertainty-aware Path Cloaking outperforms existing algorithm in privacy protection in low density areas with good data quality

• Future Work1. Adversary with a priori knowledge

2. Without a trustworthy location server

3. Track vehicles by speed information

4. Group of vehicles with the same starting point, destination and

move together

Questions & Thoughts

yl177@duke.edu