Measuring Membership Privacy on Aggregate Location Time-Series

While location data is extremely valuable for various applications, disclosing it prompts serious threats to individuals' privacy. To limit such concerns, organizations often provide analysts with aggregate time-series that indicate, e.g., how many people are in a location at a time interval, rather than raw individual traces. In this paper, we perform a measurement study to understand Membership Inference Attacks (MIAs) on aggregate location time-series, where an adversary tries to infer whether a specific user contributed to the aggregates. We find that the volume of contributed data, as well as the regularity and particularity of users' mobility patterns, play a crucial role in the attack's success. We experiment with a wide range of defenses based on generalization, hiding, and perturbation, and evaluate their ability to thwart the attack vis-a-vis the utility loss they introduce for various mobility analytics tasks. Our results show that some defenses fail across the board, while others work for specific tasks on aggregate location time-series. For instance, suppressing small counts can be used for ranking hotspots, data generalization for forecasting traffic, hotspot discovery, and map inference, while sampling is effective for location labeling and anomaly detection when the dataset is sparse. Differentially private techniques provide reasonable accuracy only in very specific settings, e.g., discovering hotspots and forecasting their traffic, and more so when using weaker privacy notions like crowd-blending privacy. Overall, our measurements show that there does not exist a unique generic defense that can preserve the utility of the analytics for arbitrary applications, and provide useful insights regarding the disclosure of sanitized aggregate location time-series

GLOVE: towards privacy-preserving publishing of record-level-truthful mobile phone trajectories

Datasets of mobile phone trajectories collected by network operators offer an unprecedented opportunity to discover new knowledge from the activity of large populations of millions. However, publishing such trajectories also raises significant privacy concerns, as they contain personal data in the form of individual movement patterns. Privacy risks induce network operators to enforce restrictive confidential agreements in the rare occasions when they grant access to collected trajectories, whereas a less involved circulation of these data would fuel research and enable reproducibility in many disciplines. In this work, we contribute a building block toward the design of privacy-preserving datasets of mobile phone trajectories that are truthful at the record level. We present GLOVE, an algorithm that implements k-anonymity, hence solving the crucial unicity problem that affects this type of data while ensuring that the anonymized trajectories correspond to real-life users. GLOVE builds on original insights about the root causes behind the undesirable unicity of mobile phone trajectories, and leverages generalization and suppression to remove them. Proof-of-concept validations with large-scale real-world datasets demonstrate that the approach adopted by GLOVE allows preserving a substantial level of accuracy in the data, higher than that granted by previous methodologies.This work was supported by the Atracción de Talento Investigador program of the Comunidad de Madrid under Grant No. 2019-T1/TIC-16037 NetSense

Differentially Private Approximate Pattern Matching

In this paper, we consider the $k$-approximate pattern matching problem under differential privacy, where the goal is to report or count all substrings of a given string $S$ which have a Hamming distance at most $k$ to a pattern $P$, or decide whether such a substring exists. In our definition of privacy, individual positions of the string $S$ are protected. To be able to answer queries under differential privacy, we allow some slack on $k$, i.e. we allow reporting or counting substrings of $S$ with a distance at most $(1+\gamma)k+\alpha$ to $P$, for a multiplicative error $\gamma$ and an additive error $\alpha$. We analyze which values of $\alpha$ and $\gamma$ are necessary or sufficient to solve the $k$-approximate pattern matching problem while satisfying $\epsilon$-differential privacy. Let $n$ denote the length of $S$. We give 1) an $\epsilon$-differentially private algorithm with an additive error of $O(\epsilon^{-1}\log n)$ and no multiplicative error for the existence variant; 2) an $\epsilon$-differentially private algorithm with an additive error $O(\epsilon^{-1}\max(k,\log n)\cdot\log n)$ for the counting variant; 3) an $\epsilon$-differentially private algorithm with an additive error of $O(\epsilon^{-1}\log n)$ and multiplicative error $O(1)$ for the reporting variant for a special class of patterns. The error bounds hold with high probability. All of these algorithms return a witness, that is, if there exists a substring of $S$ with distance at most $k$ to $P$, then the algorithm returns a substring of $S$ with distance at most $(1+\gamma)k+\alpha$ to $P$. Further, we complement these results by a lower bound, showing that any algorithm for the existence variant which also returns a witness must have an additive error of $\Omega(\epsilon^{-1}\log n)$ with constant probability.Comment: This is a full version of a paper accepted to ITCS 202

A Survey and Experimental Study on Privacy-Preserving Trajectory Data Publishing

Trajectory data has become ubiquitous nowadays, which can benefit various real-world applications such as traffic management and location-based services. However, trajectories may disclose highly sensitive information of an individual including mobility patterns, personal profiles and gazetteers, social relationships, etc, making it indispensable to consider privacy protection when releasing trajectory data. Ensuring privacy on trajectories demands more than hiding single locations, since trajectories are intrinsically sparse and high-dimensional, and require to protect multi-scale correlations. To this end, extensive research has been conducted to design effective techniques for privacy-preserving trajectory data publishing. Furthermore, protecting privacy requires carefully balance two metrics: privacy and utility. In other words, it needs to protect as much privacy as possible and meanwhile guarantee the usefulness of the released trajectories for data analysis. In this survey, we provide a comprehensive study and a systematic summarization of existing protection models, privacy and utility metrics for trajectories developed in the literature. We also conduct extensive experiments on two real-life public trajectory datasets to evaluate the performance of several representative privacy protection models, demonstrate the trade-off between privacy and utility, and guide the choice of the right privacy model for trajectory publishing given certain privacy and utility desiderata

Critical Evaluation of Cross-Border Infrastructure Projects in Asia

This paper attempts to fill gaps faced by policymakers and practitioners in the evaluation of cross-border infrastructure projects. It first defines what constitutes cross-border infrastructure projects, and then outlines an analytical framework and criteria to evaluate them. The criteria identify additionalities and externalities specific to cross-border infrastructure projects that need to be stressed in covering broader and indirect impacts that are not usually captured in the analysis of national projects. Then the paper examines to what extent the defined criteria are applicable in evaluating recent cross-border infrastructure projects. It also reports on emerging impacts patterns evidenced in relevant studies. The paper draws lessons and implications for design and implementation of cross-border infrastructure projects.asian infrastructure projects design implementation; asian trade costs; economic analysis infrastructure projects

The distinctive determinants of European urban growth: Does one size fit all?

This paper investigates growth differences in the urban system of the EU12. Alternative dependent variables - growth in population and real GDP per capita - are analysed and instructive differences emerge. The US model which assumes perfect factor mobility does not seem well adapted to European conditions. There is evidence strongly suggesting that equilibrating flows between cities are highly constrained in the EU. Models in which growth of real GDP p.c. are the dependent variable perform well and make it possible to test significant hypotheses. Evidence is found which is supportive of a spatial adaptation of the endogenous growth model with the relative size of the university sector having a highly significant role in explaining growth differences. In addition the analysis supports the conclusion that systems of urban governance are strongly related to growth. The variables are formulated in a way which tests hypotheses derived from 'fiscal federalism' viewing growth promotion as the production of a local public good. While international factor flows appear to be constrained as an adjustment mechanism the density of urbanisation in regions of the EU12 seems to produce a strong local 'growth shadow' effect consistent with commuting flows having an important role in spatial economic adjustment processes. Finally new evidence is found supporting the conclusion that integration shocks in the EU favour core areas but that this effect tends to fade with time.

DPT : differentially private trajectory synthesis using hierarchical reference systems

GPS-enabled devices are now ubiquitous, from airplanes and cars to smartphones and wearable technology. This has resulted in a wealth of data about the movements of individuals and populations, which can be analyzed for useful information to aid in city and traffic planning, disaster preparedness and so on. However, the places that people go can disclose extremely sensitive information about them, and thus their use needs to be filtered through privacy preserving mechanisms. This turns out to be a highly challenging task: raw trajectories are highly detailed, and typically no pair is alike. Previous attempts fail either to provide adequate privacy protection, or to remain sufficiently faithful to the original behavior. This paper presents DPT, a system to synthesize mobility data based on raw GPS trajectories of individuals while ensuring strong privacy protection in the form of ε-differential privacy. DPT makes a number of novel modeling and algorithmic contributions including (i) discretization of raw trajectories using hierarchical reference systems (at multiple resolutions) to capture individual movements at differing speeds, (ii) adaptive mechanisms to select a small set of reference systems and construct prefix tree counts privately, and (iii) use of direction-weighted sampling for improved utility. While there have been prior attempts to solve the subproblems required to generate synthetic trajectories, to the best of our knowledge, ours is the first system that provides an end-to-end solution. We show the efficacy of our synthetic trajectory generation system using an extensive empirical evaluation

Life-cycle asset management in residential developments building on transport system critical attributes via a data-mining algorithm

Public transport can discourage individual car usage as a life-cycle asset management strategy towards carbon neutrality. An effective public transport system contributes greatly to the wider goal of a sustainable built environment, provided the critical transit system attributes are measured and addressed to (continue to) improve commuter uptake of public systems by residents living and working in local communities. Travel data from intra-city travellers can advise discrete policy recommendations based on a residential area or development's public transport demand. Commuter segments related to travelling frequency, satisfaction from service level, and its value for money are evaluated to extract econometric models/association rules. A data mining algorithm with minimum confidence, support, interest, syntactic constraints and meaningfulness measure as inputs is designed to exploit a large set of 31 variables collected for 1,520 respondents, generating 72 models. This methodology presents an alternative to multivariate analyses to find correlations in bigger databases of categorical variables. Results here augment literature by highlighting traveller perceptions related to frequency of buses, journey time, and capacity, as a net positive effect of frequent buses operating on rapid transit routes. Policymakers can address public transport uptake through service frequency variation during peak-hours with resultant reduced car dependence apt to reduce induced life-cycle environmental burdens of buildings by altering residents' mode choices, and a potential design change of buildings towards a public transit-based, compact, and shared space urban built environment

Differentially Private Location Privacy in Practice

With the wide adoption of handheld devices (e.g. smartphones, tablets) a large number of location-based services (also called LBSs) have flourished providing mobile users with real-time and contextual information on the move. Accounting for the amount of location information they are given by users, these services are able to track users wherever they go and to learn sensitive information about them (e.g. their points of interest including home, work, religious or political places regularly visited). A number of solutions have been proposed in the past few years to protect users location information while still allowing them to enjoy geo-located services. Among the most robust solutions are those that apply the popular notion of differential privacy to location privacy (e.g. Geo-Indistinguishability), promising strong theoretical privacy guarantees with a bounded accuracy loss. While these theoretical guarantees are attracting, it might be difficult for end users or practitioners to assess their effectiveness in the wild. In this paper, we carry on a practical study using real mobility traces coming from two different datasets, to assess the ability of Geo-Indistinguishability to protect users' points of interest (POIs). We show that a curious LBS collecting obfuscated location information sent by mobile users is still able to infer most of the users POIs with a reasonable both geographic and semantic precision. This precision depends on the degree of obfuscation applied by Geo-Indistinguishability. Nevertheless, the latter also has an impact on the overhead incurred on mobile devices resulting in a privacy versus overhead trade-off. Finally, we show in our study that POIs constitute a quasi-identifier for mobile users and that obfuscating them using Geo-Indistinguishability is not sufficient as an attacker is able to re-identify at least 63% of them despite a high degree of obfuscation.Comment: In Proceedings of the Third Workshop on Mobile Security Technologies (MoST) 2014 (http://arxiv.org/abs/1410.6674