Measuring Membership Privacy on Aggregate Location Time-Series
While location data is extremely valuable for various applications,
disclosing it prompts serious threats to individuals' privacy. To limit such
concerns, organizations often provide analysts with aggregate time-series that
indicate, e.g., how many people are in a location at a time interval, rather
than raw individual traces. In this paper, we perform a measurement study to
understand Membership Inference Attacks (MIAs) on aggregate location
time-series, where an adversary tries to infer whether a specific user
contributed to the aggregates.
We find that the volume of contributed data, as well as the regularity and
particularity of users' mobility patterns, play a crucial role in the attack's
success. We experiment with a wide range of defenses based on generalization,
hiding, and perturbation, and evaluate their ability to thwart the attack
vis-a-vis the utility loss they introduce for various mobility analytics tasks.
Our results show that some defenses fail across the board, while others work
for specific tasks on aggregate location time-series. For instance, suppressing
small counts can be used for ranking hotspots, data generalization for
forecasting traffic, hotspot discovery, and map inference, while sampling is
effective for location labeling and anomaly detection when the dataset is
sparse. Differentially private techniques provide reasonable accuracy only in
very specific settings, e.g., discovering hotspots and forecasting their
traffic, and more so when using weaker privacy notions like crowd-blending
privacy. Overall, our measurements show that there does not exist a unique
generic defense that can preserve the utility of the analytics for arbitrary
applications, and provide useful insights regarding the disclosure of sanitized
aggregate location time-series.
GLOVE: towards privacy-preserving publishing of record-level-truthful mobile phone trajectories
Datasets of mobile phone trajectories collected by network operators offer an unprecedented opportunity to discover new knowledge from the activity of large populations of millions. However, publishing such trajectories also raises significant privacy concerns, as they contain personal data in the form of individual movement patterns. Privacy risks induce network operators to enforce restrictive confidentiality agreements on the rare occasions when they grant access to collected trajectories, whereas a less involved circulation of these data would fuel research and enable reproducibility in many disciplines. In this work, we contribute a building block toward the design of privacy-preserving datasets of mobile phone trajectories that are truthful at the record level. We present GLOVE, an algorithm that implements k-anonymity, hence solving the crucial unicity problem that affects this type of data while ensuring that the anonymized trajectories correspond to real-life users. GLOVE builds on original insights about the root causes behind the undesirable unicity of mobile phone trajectories, and leverages generalization and suppression to remove them. Proof-of-concept validations with large-scale real-world datasets demonstrate that the approach adopted by GLOVE preserves a substantial level of accuracy in the data, higher than that granted by previous methodologies.
This work was supported by the Atracción de Talento Investigador program of the Comunidad de Madrid under Grant No. 2019-T1/TIC-16037 NetSense.
Differentially Private Approximate Pattern Matching
In this paper, we consider the -approximate pattern matching problem under
differential privacy, where the goal is to report or count all substrings of a
given string which have a Hamming distance at most to a pattern , or
decide whether such a substring exists. In our definition of privacy,
individual positions of the string are protected. To be able to answer
queries under differential privacy, we allow some slack on , i.e. we allow
reporting or counting substrings of with a distance at most
to , for a multiplicative error and an
additive error . We analyze which values of and are
necessary or sufficient to solve the -approximate pattern matching problem
while satisfying -differential privacy. Let denote the length of
. We give 1) an -differentially private algorithm with an additive
error of and no multiplicative error for the existence
variant; 2) an -differentially private algorithm with an additive
error for the counting variant; 3)
an -differentially private algorithm with an additive error of
and multiplicative error for the reporting
variant for a special class of patterns. The error bounds hold with high
probability. All of these algorithms return a witness, that is, if there exists
a substring of with distance at most to , then the algorithm returns
a substring of with distance at most to . Further,
we complement these results by a lower bound, showing that any algorithm for
the existence variant which also returns a witness must have an additive error
of with constant probability.
Comment: This is a full version of a paper accepted to ITCS 202
A Survey and Experimental Study on Privacy-Preserving Trajectory Data Publishing
Trajectory data is now ubiquitous and can benefit various real-world applications such as traffic management and location-based services. However, trajectories may disclose highly sensitive information about an individual, including mobility patterns, personal profiles and gazetteers, social relationships, etc., making it indispensable to consider privacy protection when releasing trajectory data. Ensuring privacy on trajectories demands more than hiding single locations, since trajectories are intrinsically sparse and high-dimensional and require protecting multi-scale correlations. To this end, extensive research has been conducted to design effective techniques for privacy-preserving trajectory data publishing. Furthermore, protecting privacy requires carefully balancing two metrics: privacy and utility. In other words, it needs to protect as much privacy as possible while guaranteeing the usefulness of the released trajectories for data analysis. In this survey, we provide a comprehensive study and a systematic summarization of existing protection models and privacy and utility metrics for trajectories developed in the literature. We also conduct extensive experiments on two real-life public trajectory datasets to evaluate the performance of several representative privacy protection models, demonstrate the trade-off between privacy and utility, and guide the choice of the right privacy model for trajectory publishing given certain privacy and utility desiderata.
Critical Evaluation of Cross-Border Infrastructure Projects in Asia
This paper attempts to fill gaps faced by policymakers and practitioners in the evaluation of cross-border infrastructure projects. It first defines what constitutes cross-border infrastructure projects, and then outlines an analytical framework and criteria to evaluate them. The criteria identify additionalities and externalities specific to cross-border infrastructure projects that need to be stressed in covering broader and indirect impacts that are not usually captured in the analysis of national projects. Then the paper examines to what extent the defined criteria are applicable in evaluating recent cross-border infrastructure projects. It also reports on emerging impact patterns evidenced in relevant studies. The paper draws lessons and implications for the design and implementation of cross-border infrastructure projects.
Keywords: asian infrastructure projects design implementation; asian trade costs; economic analysis infrastructure projects
The distinctive determinants of European urban growth: Does one size fit all?
This paper investigates growth differences in the urban system of the EU12. Alternative dependent variables - growth in population and real GDP per capita - are analysed and instructive differences emerge. The US model, which assumes perfect factor mobility, does not seem well adapted to European conditions. There is evidence strongly suggesting that equilibrating flows between cities are highly constrained in the EU. Models in which growth of real GDP p.c. is the dependent variable perform well and make it possible to test significant hypotheses. Evidence is found which is supportive of a spatial adaptation of the endogenous growth model, with the relative size of the university sector having a highly significant role in explaining growth differences. In addition, the analysis supports the conclusion that systems of urban governance are strongly related to growth. The variables are formulated in a way which tests hypotheses derived from 'fiscal federalism', viewing growth promotion as the production of a local public good. While international factor flows appear to be constrained as an adjustment mechanism, the density of urbanisation in regions of the EU12 seems to produce a strong local 'growth shadow' effect consistent with commuting flows having an important role in spatial economic adjustment processes. Finally, new evidence is found supporting the conclusion that integration shocks in the EU favour core areas but that this effect tends to fade with time.
DPT: differentially private trajectory synthesis using hierarchical reference systems
GPS-enabled devices are now ubiquitous, from airplanes and cars to smartphones and wearable technology. This has resulted in a wealth of data about the movements of individuals and populations, which can be analyzed for useful information to aid in city and traffic planning, disaster preparedness and so on. However, the places that people go can disclose extremely sensitive information about them, and thus their use needs to be filtered through privacy preserving mechanisms. This turns out to be a highly challenging task: raw trajectories are highly detailed, and typically no pair is alike. Previous attempts fail either to provide adequate privacy protection, or to remain sufficiently faithful to the original behavior.
This paper presents DPT, a system to synthesize mobility data based on raw GPS trajectories of individuals while ensuring strong privacy protection in the form of ε-differential privacy. DPT makes a number of novel modeling and algorithmic contributions, including (i) discretization of raw trajectories using hierarchical reference systems (at multiple resolutions) to capture individual movements at differing speeds, (ii) adaptive mechanisms to select a small set of reference systems and construct prefix tree counts privately, and (iii) use of direction-weighted sampling for improved utility. While there have been prior attempts to solve the subproblems required to generate synthetic trajectories, to the best of our knowledge, ours is the first system that provides an end-to-end solution. We show the efficacy of our synthetic trajectory generation system using an extensive empirical evaluation.
Life-cycle asset management in residential developments building on transport system critical attributes via a data-mining algorithm
Public transport can discourage individual car usage as a life-cycle asset management strategy towards carbon neutrality. An effective public transport system contributes greatly to the wider goal of a sustainable built environment, provided the critical transit system attributes are measured and addressed to (continue to) improve commuter uptake of public systems by residents living and working in local communities. Travel data from intra-city travellers can inform discrete policy recommendations based on a residential area or development's public transport demand. Commuter segments related to travelling frequency, satisfaction with service level, and its value for money are evaluated to extract econometric models/association rules. A data mining algorithm with minimum confidence, support, interest, syntactic constraints and a meaningfulness measure as inputs is designed to exploit a large set of 31 variables collected for 1,520 respondents, generating 72 models. This methodology presents an alternative to multivariate analyses for finding correlations in bigger databases of categorical variables. Results here augment the literature by highlighting traveller perceptions related to frequency of buses, journey time, and capacity, as a net positive effect of frequent buses operating on rapid transit routes. Policymakers can address public transport uptake through service frequency variation during peak hours, with the resultant reduced car dependence apt to reduce the induced life-cycle environmental burdens of buildings by altering residents' mode choices, and a potential design change of buildings towards a public transit-based, compact, and shared-space urban built environment.
Differentially Private Location Privacy in Practice
With the wide adoption of handheld devices (e.g. smartphones, tablets) a
large number of location-based services (also called LBSs) have flourished,
providing mobile users with real-time and contextual information on the move.
Given the amount of location information they are given by users,
these services are able to track users wherever they go and to learn sensitive
information about them (e.g. their points of interest, including home, work,
religious or political places regularly visited). A number of solutions have
been proposed in the past few years to protect users' location information while
still allowing them to enjoy geo-located services. Among the most robust
solutions are those that apply the popular notion of differential privacy to
location privacy (e.g. Geo-Indistinguishability), promising strong theoretical
privacy guarantees with a bounded accuracy loss. While these theoretical
guarantees are attractive, it might be difficult for end users or practitioners
to assess their effectiveness in the wild. In this paper, we carry out a
practical study using real mobility traces coming from two different datasets,
to assess the ability of Geo-Indistinguishability to protect users' points of
interest (POIs). We show that a curious LBS collecting obfuscated location
information sent by mobile users is still able to infer most of the users' POIs
with reasonable geographic and semantic precision. This precision
depends on the degree of obfuscation applied by Geo-Indistinguishability.
Nevertheless, the latter also has an impact on the overhead incurred on mobile
devices, resulting in a privacy versus overhead trade-off. Finally, we show in
our study that POIs constitute a quasi-identifier for mobile users and that
obfuscating them using Geo-Indistinguishability is not sufficient, as an
attacker is able to re-identify at least 63% of them despite a high degree of
obfuscation.
Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674)