Measuring Membership Privacy on Aggregate Location Time-Series

Published: 12 June 2020

Abstract

While location data is extremely valuable for various applications, disclosing it poses serious threats to individuals' privacy. To mitigate such concerns, organizations often provide analysts with aggregate time-series indicating, e.g., how many people are in a location during a given time interval, rather than raw individual traces. In this paper, we perform a measurement study to understand Membership Inference Attacks (MIAs) on aggregate location time-series, where an adversary tries to infer whether a specific user contributed to the aggregates. We find that the volume of contributed data, as well as the regularity and particularity of users' mobility patterns, play a crucial role in the attack's success. We experiment with a wide range of defenses based on generalization, hiding, and perturbation, and evaluate their ability to thwart the attack vis-à-vis the utility loss they introduce for various mobility analytics tasks. Our results show that some defenses fail across the board, while others work for specific tasks on aggregate location time-series. For instance, suppressing small counts can be used for ranking hotspots, data generalization for forecasting traffic, hotspot discovery, and map inference, while sampling is effective for location labeling and anomaly detection when the dataset is sparse. Differentially private techniques provide reasonable accuracy only in very specific settings, e.g., discovering hotspots and forecasting their traffic, and more so when using weaker privacy notions such as crowd-blending privacy. Overall, our measurements show that there is no single generic defense that preserves the utility of the analytics for arbitrary applications, and they provide useful insights regarding the disclosure of sanitized aggregate location time-series.
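The abstract groups the evaluated defenses into three families: generalization (coarsening the spatial or temporal granularity), hiding (e.g., suppressing small counts), and perturbation (e.g., differentially private noise). A minimal sketch of what each family does to a matrix of aggregate location counts, assuming a toy `(locations, time_intervals)` count matrix and not the paper's exact implementation or parameters:

```python
import numpy as np

# Toy matrix of aggregate location counts: rows are locations,
# columns are time intervals (values are visit counts).
rng = np.random.default_rng(0)
counts = rng.poisson(lam=4, size=(8, 6))

def suppress_small_counts(c, threshold=3):
    """Hiding: zero out cells whose count falls below a threshold."""
    out = c.copy()
    out[out < threshold] = 0
    return out

def generalize_spatial(c, factor=2):
    """Generalization: merge every `factor` adjacent locations into a
    coarser region by summing their counts."""
    n_loc = c.shape[0] - c.shape[0] % factor  # drop any remainder rows
    return c[:n_loc].reshape(n_loc // factor, factor, -1).sum(axis=1)

def laplace_perturb(c, epsilon=1.0, sensitivity=1.0):
    """Perturbation: add Laplace noise calibrated for epsilon-DP,
    assuming each user contributes at most `sensitivity` per cell."""
    noise = rng.laplace(scale=sensitivity / epsilon, size=c.shape)
    return np.clip(np.round(c + noise), 0, None)

suppressed = suppress_small_counts(counts)
coarse = generalize_spatial(counts)
noisy = laplace_perturb(counts)
```

Each transformation trades privacy for utility differently: suppression preserves large counts exactly (hence its usefulness for ranking hotspots), generalization preserves totals at coarser resolution, and Laplace perturbation distorts every cell but carries a formal guarantee.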

