A Framework for Managing Multifaceted Privacy Leakage While Optimizing Utility in Continuous LBS Interactions

TL;DR

These contributions provide a more comprehensive framework for analyzing privacy concerns across different facets of location-based interactions, and instantiate the framework with the Plannar Isotopic Mechanism to demonstrate its practical applicability while ensuring optimal utility and quantifying privacy leakages across various dimensions.

Abstract

Privacy in Location-Based Services (LBS) has become a paramount concern with the ubiquity of mobile devices and the increasing integration of location data into various applications. This paper presents several novel contributions to advancing the understanding and management of privacy leakage in LBS. Our contributions provide a more comprehensive framework for analyzing privacy concerns across different facets of location-based interactions. Specifically, we introduce $(ε, δ)$-location privacy, $(ε, δ, θ)$-trajectory privacy, and $(ε, δ, θ)$-POI privacy, which offer refined mechanisms for quantifying privacy risks associated with location, trajectory, and points of interest (POI) when continuously interacting with LBS. Furthermore, we establish fundamental connections between these privacy notions, facilitating a holistic approach to privacy preservation in LBS. Additionally, we present a lower bound analysis to evaluate the utility of the proposed privacy-preserving mechanisms, offering insights into the trade-offs between privacy protection and data utility. Finally, we instantiate our framework with the Plannar Isotopic Mechanism to demonstrate its practical applicability while ensuring optimal utility and quantifying privacy leakages across various dimensions. The evaluations provided provide a comprehensive insight into the efficacy of our framework in capturing privacy loss on location, trajectory, and points of interest while enabling quantification of the ensured accuracy.

Figures (5)

• Figure 1: Temporal Evolution of captured utility with LDP location obfuscation mechanism. The initial position of the user is denoted by the blue point ($\bullet$) in the figure. The pink points ($\bullet$) represent the adversary's perception of the potential positions at a specific timestep, which is inferred based on various background information available to the adversary, such as road traffic conditions. The red point ($\bullet$) indicates the actual (true) position of the user, while the green point ($\bullet$) represents the obfuscated position. Finally, the arrows $\leftrightarrow$ depicts err, the loss of utility quantified as the distance between the obfuscated shared location and the actual location of the user. In each on the timesteps, obfuscated position was derived using the Planar Isotropic Mechanism xiao2015protecting.
• Figure 2: The leakage profiles considered in our model. The blue point ($\bullet$) marks the initial position of the user. In contrast, the pink points ($\bullet$) represent a subset of candidate locations chosen for obfuscating the actual user's location, which is symbolized by the red point ($\bullet$). Lastly, the violet point ($\bullet$) signifies potential locations that were excluded from the process of obfuscating the current user's location.
• Figure 3: Upper bound on location privacy loss
• Figure 4: Trajectory privacy loss quantification
• Figure 5: POI privacy loss quantification

Theorems & Definitions (21)

• definition 1: $\varepsilon$-LDP)
• definition 2: Adversarial LDP rastogi2009relationship
• theorem 1: xiao2015protecting
• definition 3: Convex Hull
• definition 4: Sensitivity Hull xiao2015protecting
• definition 5: Location-based $\epsilon$-LDP xiao2015protecting
• Remark
• Proposition 4.1
• definition 6: $\delta$-obfuscation set
• Remark