Elastic distinguishability metrics for Location Privacy



SLIDE 1

Elastic distinguishability metrics for Location Privacy

Marco Stronati (marco@stronati.org), joint work with K. Chatzikokolakis and C. Palamidessi

1 / 14

SLIDE 2

Privacy for LBS

  • Goal: limit semantic inference (not anonymity)
  • Reasonable utility for LBS

2 / 14

SLIDE 7

Obfuscation

Mechanism

$x \to M \to z$

$d_X$-privacy

$d_P(M(x), M(x')) \le d_X(x, x') \quad \forall x, x'$

  • Distinguishability metric on your set of secrets
  • Apply noise according to the metric

[Chatzikokolakis et al.: Broadening the Scope of Differential Privacy Using Metrics. PETS'13]

3 / 14

SLIDE 8

Geo Indistinguishability

$d_X(x, x') = \epsilon \, d_E(x, x')$

  • Space is privacy
  • $\epsilon$ tunes how much

Requirement

I want to be indistinguishable from a certain amount of space.

[Andrés et al: Geo-indistinguishability: differential privacy for location-based systems. CCS'13]

4 / 14

SLIDE 10

Not adaptable

5 / 14

SLIDE 11

Privacy Mass from OpenStreetMap

6 / 14

SLIDE 13

Privacy Requirement

I want to be indistinguishable from a certain amount of privacy mass.

$req(l) = mass$

7 / 14

SLIDE 14

Building an Elastic Metric

Graph-based algo:

  • start with a disconnected graph
  • iterate over all nodes
    ◮ compute mass
    ◮ add an edge with $l = req^{-1}(mass)$
  • we stop at $l_\top$

$d_X(x, x') = \text{shortest-path}(x, x')$

8 / 14

SLIDE 22

Elastic Mechanism

Elastic Mechanism = Elastic Metric + Exponential Mechanism

9 / 14
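
An added sketch (not from the slides or the authors' implementation) of the two pieces named above: a shortest-path metric built from privacy mass, then an exponential mechanism over it with a check of the $d_X$-privacy bound. The 1-D cell layout, the masses, the linear requirement req(l) = 10·l, the stop level of 4 and the 1/2 scaling in the exponent are assumptions.

```python
import math

def elastic_metric(pos, mass, req_inv, l_top):
    """d_X as shortest paths over edges of length l = req_inv(ball mass).
    Simplified 1-D reading of the slide's algorithm (an assumption)."""
    n = len(pos)
    d = [[0.0 if i == j else math.inf for j in range(n)] for i in range(n)]
    for x in range(n):                               # iterate over all nodes
        for y in range(n):
            if y == x:
                continue
            r = abs(pos[y] - pos[x])
            # compute mass: everything within Euclidean radius r of x
            ball = sum(m for p, m in zip(pos, mass) if abs(p - pos[x]) <= r)
            l = req_inv(ball)                        # l = req^{-1}(mass)
            if l <= l_top:                           # no edges above l_top
                d[x][y] = d[y][x] = min(d[x][y], l)
    for k in range(n):                               # Floyd-Warshall shortest paths
        for i in range(n):
            for j in range(n):
                d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return d

def exponential_mechanism(d):
    """Row x is the distribution P(z | x), proportional to exp(-d_X(x, z) / 2)."""
    rows = []
    for dx in d:
        w = [math.exp(-v / 2) for v in dx]
        rows.append([v / sum(w) for v in w])
    return rows

def worst_privacy_slack(d, p):
    """Minimum of d_X(x, x') - |ln P(z|x) - ln P(z|x')|; >= 0 means the
    d_X-privacy bound holds. Outputs with zero probability are skipped."""
    n = len(d)
    return min(d[x][y] - abs(math.log(p[x][z] / p[y][z]))
               for x in range(n) for y in range(n) for z in range(n)
               if p[x][z] > 0 and p[y][z] > 0)

# Constructed input: four dense "city" cells, then four sparse "suburb"
# cells, 100 m apart on a line. req(l) = 10 * l and l_top = 4 are assumed.
POS = [0, 100, 200, 300, 400, 500, 600, 700]
MASS = [10, 10, 10, 10, 1, 1, 1, 1]
D = elastic_metric(POS, MASS, req_inv=lambda m: m / 10.0, l_top=4.0)
P = exponential_mechanism(D)

if __name__ == "__main__":
    print("city   d_X(1, 2) =", D[1][2])
    print("suburb d_X(5, 6) =", D[5][6])
    print("worst slack      =", worst_privacy_slack(D, P))
```

The same 100 m step costs more distinguishability between two city cells than between two suburb cells, so the mechanism spreads its output further in the suburb.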

SLIDE 26

Evaluation

  • EM vs PL
  • City (Paris) vs Suburb (Nanterre)
  • Fixed Utility as Expected Error
  • Compare Privacy as Adversarial Error
  • Gowalla and Brightkite datasets

[Shokri, Theodorakopoulos, Boudec, Hubaux. Quantifying location privacy. S&P'11]

10 / 14

SLIDE 27

Evaluation

[Figure: plots of Expected Error (m) and AdvError, with series EM city, PL city, EM suburb and PL suburb.]

11 / 14

SLIDE 28

Conclusion & Future

  • Geoind is simple and efficient (Location Guard)
  • Too rigid!

Contributions:

  • Elastic metric with privacy mass requirement
  • Scalable algorithm

Future Work:

  • Include in privacy mass ideas from k-anonymity
  • Lightweight version for Location Guard

12 / 14

SLIDE 29

Thanks

Don’t miss Location Guard tomorrow

13 / 14

SLIDE 30

Fences

  • linear growth of epsilon
  • fences for recurrent places
  • achieve “better privacy” consuming less $\epsilon$

$$d_F(x, x') = \begin{cases} d_X(x, x') & x, x' \notin F \\ 0 & x, x' \in F \\ \infty & \text{o.w.} \end{cases}$$

14 / 14