Abstract
While location data is extremely valuable for various applications, disclosing it poses serious threats to individuals' privacy. To limit such concerns, organizations often provide analysts with aggregate time-series that indicate, e.g., how many people are in a location during a time interval, rather than raw individual traces. In this paper, we perform a measurement study to understand Membership Inference Attacks (MIAs) on aggregate location time-series, where an adversary tries to infer whether a specific user contributed to the aggregates. We find that the volume of contributed data, as well as the regularity and particularity of users' mobility patterns, play a crucial role in the attack's success. We experiment with a wide range of defenses based on generalization, hiding, and perturbation, and evaluate their ability to thwart the attack vis-à-vis the utility loss they introduce for various mobility analytics tasks. Our results show that some defenses fail across the board, while others work for specific tasks on aggregate location time-series. For instance, suppressing small counts can be used for ranking hotspots, data generalization for forecasting traffic, hotspot discovery, and map inference, while sampling is effective for location labeling and anomaly detection when the dataset is sparse. Differentially private techniques provide reasonable accuracy only in very specific settings, e.g., discovering hotspots and forecasting their traffic, and more so when using weaker privacy notions like crowd-blending privacy. Overall, our measurements show that there does not exist a unique generic defense that can preserve the utility of the analytics for arbitrary applications, and provide useful insights regarding the disclosure of sanitized aggregate location time-series.
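The abstract names four defense families (hiding via small-count suppression, spatial generalization, user sampling, and differentially private perturbation) and one of the analytics tasks they are scored against (hotspot ranking). The following is an added illustration, not code from the paper or its authors: it builds an aggregate location time-series from a small constructed set of user traces, applies each defense, and measures the utility loss for hotspot ranking as the overlap between the true and the defended top-k locations. The cell names A-D, the region names "north"/"south", the traces, and the user-level Laplace mechanism with sensitivity equal to the number of time slots are all assumptions made for this example.

```python
import math
import random
from typing import Dict, List

# Aggregate time-series: counts[location][t] = number of users in `location` during slot t.
Aggregate = Dict[str, List[int]]

# Constructed sample (not real data): 8 users, 4 cells A-D, 6 time slots, one cell per slot.
# A and B are busy hotspots, C has one regular visitor, D is visited only twice (sparse).
LOCATIONS = ["A", "B", "C", "D"]
TRACES: Dict[str, List[str]] = {
    "u1": ["A", "A", "A", "B", "B", "A"],
    "u2": ["A", "A", "B", "B", "A", "A"],
    "u3": ["B", "B", "A", "A", "A", "B"],
    "u4": ["A", "B", "B", "B", "A", "A"],
    "u5": ["C", "C", "A", "A", "B", "B"],
    "u6": ["B", "A", "A", "B", "B", "A"],
    "u7": ["C", "C", "C", "C", "C", "C"],
    "u8": ["A", "A", "B", "B", "D", "D"],
}
# Coarser grid used by the generalization defense (hypothetical region names).
REGION_OF = {"A": "north", "B": "north", "C": "south", "D": "south"}


def aggregate(traces: Dict[str, List[str]], locations: List[str]) -> Aggregate:
    """Count how many users are in each location during each slot."""
    slots = len(next(iter(traces.values()), []))  # 0 slots if no users were kept
    counts = {loc: [0] * slots for loc in locations}
    for trace in traces.values():
        for t, loc in enumerate(trace):
            counts[loc][t] += 1
    return counts


def suppress_small_counts(counts: Aggregate, threshold: int) -> Aggregate:
    """Hiding: any count below `threshold` is reported as 0, which removes sparse cells."""
    return {loc: [c if c >= threshold else 0 for c in s] for loc, s in counts.items()}


def generalize(counts: Aggregate, region_of: Dict[str, str]) -> Aggregate:
    """Generalization: merge fine cells into coarser regions by summing their series."""
    out: Aggregate = {}
    for loc, series in counts.items():
        region = region_of[loc]
        out.setdefault(region, [0] * len(series))
        out[region] = [a + b for a, b in zip(out[region], series)]
    return out


def sample_users(traces: Dict[str, List[str]], rate: float, seed: int) -> Dict[str, List[str]]:
    """Sampling: keep each user with probability `rate` and aggregate only the kept ones."""
    rng = random.Random(seed)
    return {u: tr for u, tr in traces.items() if rng.random() < rate}


def laplace_sample(rng: random.Random, scale: float) -> float:
    """Draw from Laplace(0, scale) by inverting its CDF."""
    while True:
        u = rng.random() - 0.5  # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_perturb(counts: Aggregate, epsilon: float, sensitivity: float, seed: int) -> Aggregate:
    """Perturbation: epsilon-DP Laplace mechanism at user level. A user contributes one
    count per slot, so removing a user changes the L1 norm by at most `sensitivity` = number
    of slots. Noisy values are rounded and clipped so the release still looks like counts."""
    rng = random.Random(seed)
    scale = sensitivity / epsilon
    return {loc: [max(0, round(c + laplace_sample(rng, scale))) for c in s]
            for loc, s in counts.items()}


def top_k_hotspots(counts: Aggregate, k: int) -> set:
    """Locations with the k largest total counts over the whole period."""
    return set(sorted(counts, key=lambda loc: sum(counts[loc]), reverse=True)[:k])


def hotspot_overlap(raw: Aggregate, defended: Aggregate, k: int) -> float:
    """Utility for hotspot ranking: fraction of the true top-k kept in the defended top-k."""
    return len(top_k_hotspots(raw, k) & top_k_hotspots(defended, k)) / k


if __name__ == "__main__":
    raw = aggregate(TRACES, LOCATIONS)
    slots = len(raw["A"])
    for name, defended in [
        ("suppress<2", suppress_small_counts(raw, 2)),
        ("sample 50%", aggregate(sample_users(TRACES, 0.5, seed=3), LOCATIONS)),
        ("laplace eps=1", laplace_perturb(raw, 1.0, slots, seed=7)),
    ]:
        print(f"{name:14s} top-2 hotspot overlap = {hotspot_overlap(raw, defended, 2):.2f}")
    print("generalized:", generalize(raw, REGION_OF))
```

Suppression with threshold 2 zeroes the sparse cell D and most of C while leaving the top-2 hotspots A and B untouched, which is the kind of task-specific outcome the abstract reports for small-count suppression and hotspot ranking; sampling and Laplace noise change the ranking only by chance, so their utility for this task depends on the sampling rate and on epsilon.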
Measuring Membership Privacy on Aggregate Location Time-Series
SIGMETRICS '20: Abstracts of the 2020 SIGMETRICS/Performance Joint International Conference on Measurement and Modeling of Computer Systems