SLIDE 1

Is Geo-Indistinguishability What You Are Looking for?

Simon Oya, Carmela Troncoso, Fernando Pérez-González

SLIDE 2

Motivation. Obfuscation-Based Location Privacy.

  • Location information is sensitive.
  • Solution: obfuscation mechanisms
  • We get some privacy.
  • We lose some quality of service.
  • There are many metrics to assess the privacy of
  • A popular notion is geo-indistinguishability.

Service provider

I want to use location services without disclosing my location

Here you go! I’m at the fake location , closest ?

In this work, we study the privacy implications of geo-indistinguishability, revealing some of its issues.

SLIDE 3

Geo-Indistinguishability [1]

  • GeoInd means ensuring that and are “indistinguishable” given .
  • Mathematically:

Formula labels: real location; obfuscated location; another real location; privacy parameter; distance metric (e.g., Euclidean); obfuscation mechanism.

Scale labels: less privacy (easier to distinguish); more privacy (harder to distinguish).

[1] Andrés, Miguel E., et al. "Geo-indistinguishability: Differential privacy for location-based systems." CCS’13.

SLIDE 4

Choosing the GeoInd Privacy Parameter

  • How do we choose ?
  • Typical approach:

Formula labels: privacy radius; privacy level.

  • How do we choose ?
  • From log(1.4) to log(10).
  • Normally, log(2).
  • Example:
  • Inside the region, we get:

Hard to interpret

SLIDE 5

GeoInd as an Adversary Error

  • Decision Adversary:

Assume , so the adv. decides .

gives GeoInd if and only if, :

  • Previous example:

Easier to interpret

SLIDE 8

GeoInd in Numbers

  • Two GeoInd mechanisms: Laplace [1] and Laplace with remapping [2].
  • Example.
  • Privacy goal: for locations in
  • Laplace:
  • Laplace + RM:
  • In terms of average error , other mechanisms perform better than Laplace.

Figure (Gowalla dataset), labels: "Reported location here on average"; "Reported location 95% of the time is here".

The price we pay is too high for the privacy we get!! Bad privacy-utility trade-off

[1] Andrés, Miguel E., et al. "Geo-indistinguishability: Differential privacy for location-based systems." CCS’13.
[2] Chatzikokolakis, Konstantinos, Ehab ElSalamouny, and Catuscia Palamidessi. "Efficient Utility Improvement for Location Privacy." PoPETS’17. 308-328.
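An added example (not from the original slides or the authors' code) that evaluates the planar Laplace mechanism of [1] numerically: it samples reported locations and compares the empirical average error and 95% error radius with their closed forms. The 1 km privacy radius, the flat-plane coordinates in km, and all function names are assumptions.

```python
import math
import random

def epsilon_for(level, radius):
    """Typical choice: privacy level `level` inside radius `radius`."""
    return level / radius

def planar_laplace(x, y, eps, rng):
    """Report a noisy point: uniform angle, radius ~ Gamma(shape 2, scale 1/eps)."""
    theta = rng.uniform(0.0, 2.0 * math.pi)
    r = rng.gammavariate(2.0, 1.0 / eps)
    return x + r * math.cos(theta), y + r * math.sin(theta)

def radius_cdf(r, eps):
    """P(error <= r) for planar Laplace noise."""
    return 1.0 - (1.0 + eps * r) * math.exp(-eps * r)

def radius_quantile(p, eps):
    """Invert radius_cdf by bisection."""
    lo, hi = 0.0, 1.0 / eps
    while radius_cdf(hi, eps) < p:
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if radius_cdf(mid, eps) < p:
            lo = mid
        else:
            hi = mid
    return hi

def evaluate(level, radius, n=100_000, seed=1):
    """Quality loss of the mechanism: analytic vs. Monte Carlo."""
    eps = epsilon_for(level, radius)
    rng = random.Random(seed)
    errs = sorted(math.hypot(*planar_laplace(0.0, 0.0, eps, rng)) for _ in range(n))
    return {
        "eps": eps,
        "mean_analytic": 2.0 / eps,
        "mean_empirical": sum(errs) / n,
        "q95_analytic": radius_quantile(0.95, eps),
        "q95_empirical": errs[int(0.95 * n)],
    }

if __name__ == "__main__":
    # Assumed setting: privacy level log(2) inside an assumed 1 km radius.
    for name, value in evaluate(math.log(2), 1.0).items():
        print(f"{name}: {value:.3f}")
```

With the assumed 1 km radius and level log(2), the closed forms give an average error of about 2.9 km and a 95% error radius of about 6.8 km.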

SLIDE 9

Where is the problem?

  • GeoInd comes from differential privacy.
  • Differential Privacy scenarios: low sensitivity queries.
  • It is possible to achieve with high privacy
  • User-centric Location Privacy: high sensitivity queries!

Solutions?

  • Re-design location queries to have low sensitivity [1].
  • Use bandwidth as a resource to improve utility [1].
  • Use less ambitious privacy metrics…

[1] Andrés, Miguel E., et al. "Geo-indistinguishability: Differential privacy for location-based systems." CCS’13.

SLIDE 10

Conclusions

ALL ABOARD THE GEOIND TRAIN!!!

  • Evaluate privacy and quality loss numerically.
  • GeoInd as an adversary error can help in this regard.
  • Understand what GeoInd means:
  • If you want average protection, use something else!
  • If you really want GeoInd, re-design queries, use bandwidth as a resource, etc.

Thank you!!

simonoya@gts.uvigo.es