Self-Proposal

DEI - FCTUC
Generated on 2024-05-07 12:11:46 (Europe/Lisbon).

Internship Title

Privacy-preserving Mechanisms for Location Traces

Areas of Specialisation

Communications, Services and Infrastructures

Software Engineering

Internship Location

DEI-FCTUC

Background

The attractiveness of sharing location data lies in the access it gives to location-based services (LBS), which have proliferated with the pervasiveness of mobile devices. An LBS uses the user's current location to provide a certain (beneficial) service. However, this flow of information to possibly untrustworthy entities poses a threat to one's privacy.
Datasets are often made public by providers, or shared with third parties for financial or research purposes, and even when this is not the case, dataset leakage is always a possibility. Privacy protection mechanisms are thus required to prevent unwanted disclosure. However, poorly anonymized datasets [1], disclosure of aggregated mobility data [2] and even the publication of fully anonymized mobility datasets [3] can be leveraged by informed adversaries, leading to the deanonymization of individuals. This is especially critical for location data because human mobility traces are highly unique [4, 5, 6], points of interest (POI) act as quasi-identifiers [7, 8], and individuals' traces are extremely predictable given their past location history [9].
Privacy protection mechanisms at collection time can be summarized as techniques for anonymization and for obfuscation (perturbation, generalization, suppression, synthetic data generation) [12]. The deanonymization of a trace may have serious consequences for a victim, such as revealing sensitive visited locations, which can indicate habits, addictions, health condition, and others [10]. In the most extreme case, an attacker may learn the whereabouts of a person and use that information for stalking [11]. Motivated by these risks, privacy researchers have developed systems and techniques to prevent the disclosure of location, the disclosure of identity, and/or the inference of sensitive data.
In this research, the candidate will work on location privacy by exploring the characteristics of this type of data, existing attacks and protection techniques, with a focus on mechanisms that can be applied at data collection, that is, on the device before sharing with providers. Privacy-protection mechanisms at collection time shift control over the data from possibly untrustworthy providers to the user, thus effectively empowering individuals to make choices that align with their privacy preferences.

Objective

The goal of this thesis is to develop a location privacy protection mechanism that protects users at collection time, not only for a single location report but also over time, against continuous collection. Specifically, the geo-temporal correlation between reported locations, which is often used as an attack against location privacy, will instead be used by the protection mechanism to improve overall privacy. Furthermore, the privacy-preserving mechanism will have to take into consideration the trade-off between privacy and utility, so that the data remain useful for enabling tailored services.

Work Plan - Semester 1

1) State-of-the-art study on:
- privacy-enabling mechanisms for location-based services;
- methods to compromise location privacy;
- measures/metrics of privacy and utility.

2) Selection and implementation of attacks against location traces. These attacks can include tracking approaches (e.g. Kalman filter), trajectory reconstruction (estimation, prediction and noise filtering) and inferences, that is, the extrapolation of other information about the user from their location data. Real-world datasets such as the Geolife dataset [13] or the mobility traces of taxi cabs [14] will be used to evaluate the privacy and utility of the different approaches.

3) Intermediate report

Work Plan - Semester 2

1) Evaluation of the impact of the update frequency on the privacy and utility of the attacks and protection mechanisms. As shown in [15], the update frequency critically affects the correlation between points in a trace, which in turn can be exploited by an adversary to decrease privacy;

2) Development of privacy-enhancing mechanisms for location privacy that take the update frequency and/or the correlation between points into account in the definition of the protection mechanism;

3) Implementation and evaluation of the privacy-enhancing mechanisms, taking into consideration the utility and privacy levels achieved, as well as the computational complexity of the scheme;

4) Writing of the master's thesis.
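The following Python script is added here as an illustration of the interplay the work plan describes (Semester 1, item 2: a correlation-exploiting estimator and a privacy metric; Semester 2, items 1 and 2: the effect of update frequency and a mechanism that accounts for it). It is not part of the proposal and not the mechanism the thesis will develop. It implements the planar Laplace mechanism used for geo-indistinguishability (the notion studied in [15]), measures privacy as the adversary's expected distance error, and compares naive per-update noise with an illustrative rate-limited variant that only spends fresh noise when the user has moved. The stationary-user scenario, the 50 m threshold, the eps value and the centroid estimator are constructed assumptions.

```python
import math
import random
from typing import Callable, Dict, List, Optional, Tuple

Point = Tuple[float, float]
Mechanism = Callable[[List[Point], float, random.Random], List[Point]]


def distance(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def planar_laplace(loc: Point, eps: float, rng: random.Random) -> Point:
    """Planar Laplace mechanism (geo-indistinguishability): the displacement
    radius follows Gamma(2, 1/eps), sampled here as the sum of two Exp(eps)
    draws, and the angle is uniform. Expected displacement is 2/eps."""
    radius = rng.expovariate(eps) + rng.expovariate(eps)
    theta = rng.uniform(0.0, 2.0 * math.pi)
    return (loc[0] + radius * math.cos(theta), loc[1] + radius * math.sin(theta))


def independent_reports(trace: List[Point], eps: float, rng: random.Random) -> List[Point]:
    """Naive collection-time mechanism: fresh, independent noise on every update,
    ignoring the correlation between consecutive points."""
    return [planar_laplace(p, eps, rng) for p in trace]


def rate_limited_reports(trace: List[Point], eps: float, rng: random.Random,
                         threshold: float = 50.0) -> List[Point]:
    """Illustrative correlation-aware variant (an assumption, not the thesis
    mechanism): a new noisy point is released only when the user has moved more
    than `threshold` metres from the location that was last obfuscated; otherwise
    the previous report is repeated, so repeated updates reveal nothing new."""
    out: List[Point] = []
    last_true: Optional[Point] = None
    last_report: Optional[Point] = None
    for p in trace:
        if last_true is None or distance(p, last_true) > threshold:
            last_true, last_report = p, planar_laplace(p, eps, rng)
        out.append(last_report)
    return out


def centroid_estimator(reports: List[Point]) -> Point:
    """Simplest correlation-exploiting adversary for a (near-)stationary user:
    averaging the reports cancels independent noise roughly as 1/sqrt(n).
    A Kalman filter plays the same role for a moving user."""
    n = len(reports)
    return (sum(x for x, _ in reports) / n, sum(y for _, y in reports) / n)


def expected_error(mechanism: Mechanism, trace: List[Point], eps: float,
                   trials: int, seed: int) -> float:
    """Privacy metric: the adversary's expected distance between its estimate and
    the true (here constant) location, averaged over Monte Carlo trials."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += distance(centroid_estimator(mechanism(trace, eps, rng)), trace[-1])
    return total / trials


def distinct_reports(mechanism: Mechanism, trace: List[Point], eps: float, seed: int) -> int:
    """Number of distinct points a mechanism releases for a trace, i.e. how often
    fresh noise is spent (a proxy for the information leaked per trace)."""
    return len(set(mechanism(trace, eps, random.Random(seed))))


def frequency_experiment(n_updates: int, eps: float = 0.01, trials: int = 400,
                         seed: int = 7) -> Dict[str, float]:
    """Constructed scenario: a user standing still at the origin (coordinates in
    metres) sends n_updates location reports. eps = 0.01 per metre gives an
    expected per-report displacement of 2/eps = 200 m."""
    trace = [(0.0, 0.0)] * n_updates
    return {
        "single_report": 2.0 / eps,  # analytical expected error for one report
        "independent": expected_error(independent_reports, trace, eps, trials, seed),
        "rate_limited": expected_error(rate_limited_reports, trace, eps, trials, seed),
    }


if __name__ == "__main__":
    for n in (1, 10, 50):
        print(n, frequency_experiment(n))
```

Running the script shows the adversary's error under independent noise shrinking as the number of updates grows (the higher the update frequency for a slow-moving user, the less privacy each report actually provides), while the rate-limited variant keeps the error at the single-report level, at the cost of coarser utility while the user stays put. Measuring both the privacy level and the resulting utility for each update frequency is exactly the evaluation called for in the plan above.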

Conditions

This thesis will take place at the Laboratory for Communications and Telematics of CISUC, where the student will have a working place.

Remarks

References / related works:
[1] L. Sweeney, “k-anonymity: A model for protecting privacy,” International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 05, pp. 557–570, 2002.
[2] F. Xu, Z. Tu, Y. Li, P. Zhang, X. Fu, and D. Jin, “Trajectory recovery from ash: User privacy is not preserved in aggregated mobility data,” in Proceedings of the 26th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee, 2017, pp. 1241–1250.
[3] G. Tsoukaneri, G. Theodorakopoulos, H. Leather, and M. K. Marina, “On the inference of user paths from anonymized mobility data,” in 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2016, pp. 199–213.
[4] Y.-A. De Montjoye, C. A. Hidalgo, M. Verleysen, and V. D. Blondel, “Unique in the crowd: The privacy bounds of human mobility,” Scientific Reports, vol. 3, p. 1376, 2013.
[5] Y. Song, D. Dahlmeier, and S. Bressan, “Not so unique in the crowd: A simple and effective algorithm for anonymizing location data,” in PIR@SIGIR, 2014, pp. 19–24.
[6] H. Zang and J. Bolot, “Anonymization of location data does not work: A large-scale measurement study,” in Proceedings of the 17th Annual International Conference on Mobile Computing and Networking. ACM, 2011, pp. 145–156.
[7] C. Bettini, X. S. Wang, and S. Jajodia, “Protecting privacy against location-based personal identification,” in Workshop on Secure Data Management. Springer, 2005, pp. 185–199.
[8] V. Primault, S. B. Mokhtar, C. Lauradoux, and L. Brunie, “Differentially private location privacy in practice,” in Third Workshop on Mobile Security Technologies (MoST) 2014, 2014.
[9] C. Song, Z. Qu, N. Blumm, and A.-L. Barabási, “Limits of predictability in human mobility,” Science, vol. 327, no. 5968, pp. 1018–1021, 2010.
[10] J. Krumm, “A survey of computational location privacy,” Personal and Ubiquitous Computing, vol. 13, no. 6, pp. 391–399, 2009.
[11] F. Grace, “Stalker victims should check for GPS,” CBS News, Feb. 6, 2003.
[12] R. Mendes and J. P. Vilela, “Privacy-preserving data mining: Methods, metrics, and applications,” IEEE Access, vol. 5, pp. 10562–10582, 2017.
[13] Y. Zheng, L. Zhang, X. Xie, and W.-Y. Ma, “Mining interesting locations and travel sequences from GPS trajectories,” in Proceedings of the 18th International Conference on World Wide Web. ACM, 2009, pp. 791–800.
[14] https://crawdad.org/epfl/mobility/20090224/
[15] R. Mendes and J. Vilela, “On the effect of update frequency on geo-indistinguishability of mobility traces,” in Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks. ACM, 2018.

Supervisor

João Paulo Vilela
jpvilela@dei.uc.pt