Time-Efficient Locally Relevant Geo-Location Privacy Protection
Chenxi Qiu, Ruiyao Liu, Primal Pappachan, Anna Squicciarini, Xinpeng Xie
TL;DR
This work tackles the scalability challenge of LP-based geo-obfuscation for location privacy in LBS by introducing Locally Relevant Geo-Obfuscation (LR-Geo), which confines optimization to locally relevant locations for each user and offloads coefficient computation to a server. It combines an exponential mechanism to enforce Geo-Ind across users with a Benders decomposition framework to exploit a ladder-structured constraint matrix, achieving substantial improvements in computation time and data utility while preserving privacy. The authors provide theoretical guarantees for Geo-Ind with high probability, derive cost bounds, and demonstrate empirical gains on Rome road-network data, showing LR-Geo can handle up to 1500 locations within about 100 seconds and outperform multiple baselines. The approach offers a practical path to deploying privacy-preserving geo-obfuscation at city-scale or larger, balancing privacy, utility, and scalability in real-world LBS deployments.
Abstract
Geo-obfuscation serves as a location privacy protection mechanism (LPPM), enabling mobile users to share obfuscated locations with servers, rather than their exact locations. This method can protect users' location privacy when data breaches occur on the server side since the obfuscation process is irreversible. To reduce the utility loss caused by data obfuscation, linear programming (LP) is widely employed, which, however, might suffer from a polynomial explosion of decision variables, rendering it impractical in largescale geo-obfuscation applications. In this paper, we propose a new LPPM, called Locally Relevant Geo-obfuscation (LR-Geo), to optimize geo-obfuscation using LP in a time-efficient manner. This is achieved by confining the geo-obfuscation calculation for each user exclusively to the locally relevant (LR) locations to the user's actual location. Given the potential risk of LR locations disclosing a user's actual whereabouts, we enable users to compute the LP coefficients locally and upload them only to the server, rather than the LR locations. The server then solves the LP problem based on the received coefficients. Furthermore, we refine the LP framework by incorporating an exponential obfuscation mechanism to guarantee the indistinguishability of obfuscation distribution across multiple users. Based on the constraint structure of the LP formulation, we apply Benders' decomposition to further enhance computational efficiency. Our theoretical analysis confirms that, despite the geo-obfuscation being calculated independently for each user, it still meets geo-indistinguishability constraints across multiple users with high probability. Finally, the experimental results based on a real-world dataset demonstrate that LR-Geo outperforms existing geo-obfuscation methods in computational time, data utility, and privacy preservation.