Abstract
Datasets of mobile phone trajectories collected by network operators offer an unprecedented opportunity to discover new knowledge from the activity of populations of millions. However, publishing such trajectories also raises significant privacy concerns, as they contain personal data in the form of individual movement patterns. These privacy risks lead network operators to enforce restrictive confidentiality agreements on the rare occasions when they grant access to collected trajectories, whereas a less constrained circulation of these data would fuel research and enable reproducibility in many disciplines. In this work, we contribute a building block toward the design of privacy-preserving datasets of mobile phone trajectories that are truthful at the record level. We present GLOVE, an algorithm that implements k-anonymity, hence solving the crucial unicity problem that affects this type of data while ensuring that the anonymized trajectories correspond to real-life users. GLOVE builds on original insights about the root causes behind the undesirable unicity of mobile phone trajectories, and leverages generalization and suppression to remove them. Proof-of-concept validations with large-scale real-world datasets demonstrate that the approach adopted by GLOVE preserves a substantial level of accuracy in the data, higher than that granted by previous methodologies.
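The two ideas the abstract rests on, unicity and k-anonymity through generalization and suppression, as an added illustration that is not GLOVE's own code: a constructed toy dataset of five users, a uniform generalization ladder (coarser time slots, cell identifiers truncated to a region prefix), and suppression of whoever still cannot be grouped with k-1 others. The ladder, the budget rule and the cell-id format are assumptions made for the example, not the paper's method.

```python
from collections import Counter

# Constructed toy dataset (not from the paper): user -> [(minute_of_day, cell_id)].
TRAJ = {
    "u1": [(480, "c12"), (540, "c13"), (1020, "c12")],
    "u2": [(485, "c12"), (545, "c13"), (1025, "c12")],
    "u3": [(490, "c14"), (600, "c15"), (1030, "c14")],
    "u4": [(495, "c14"), (605, "c15"), (1035, "c14")],
    "u5": [(500, "c20"), (700, "c21"), (1040, "c20")],
}

# Assumed generalization ladder, finest to coarsest:
# (time slot length in minutes, number of leading cell-id characters kept).
LEVELS = [(1, 3), (15, 3), (60, 3), (60, 2), (240, 2), (240, 1)]


def generalize(traj, t_slot, prefix):
    """Coarsen every sample: time to a t_slot-minute slot, cell to a region prefix."""
    return tuple(sorted({(t // t_slot, cell[:prefix]) for t, cell in traj}))


def unicity(gen):
    """Fraction of users whose generalized trajectory matches nobody else's."""
    counts = Counter(gen.values())
    return sum(1 for g in gen.values() if counts[g] == 1) / len(gen)


def k_anonymize(trajs, k, budget):
    """Pick the finest level whose suppression cost fits the budget, then suppress.

    At a given level, users whose generalized trajectory is shared by fewer than
    k users cannot be published k-anonymously; they are the suppression cost.
    Returns (level, published records, suppressed users).
    """
    for level in LEVELS:
        gen = {u: generalize(t, *level) for u, t in trajs.items()}
        counts = Counter(gen.values())
        suppressed = {u for u, g in gen.items() if counts[g] < k}
        if len(suppressed) / len(trajs) <= budget:
            published = {u: g for u, g in gen.items() if u not in suppressed}
            return level, published, suppressed
    raise ValueError("no level in the ladder meets the suppression budget")


def is_k_anonymous(published, k):
    """Every published record shares its generalized values with at least k-1 others."""
    counts = Counter(published.values())
    return all(c >= k for c in counts.values())
```

At full resolution every toy trajectory is unique (unicity 1.0); coarsening to hourly slots already groups four of the five users, and the trade-off between how much resolution is lost and how many users must be suppressed is exactly what the paper measures as accuracy.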
GLOVE: Towards Privacy-Preserving Publishing of Record-Level-Truthful Mobile Phone Trajectories