ABSTRACT
Human mobility data has been ubiquitously collected through cellular networks and mobile applications, and publicly released for academic research and commercial purposes over the last decade. Since releasing individuals' mobility records usually gives rise to privacy issues, dataset owners tend to publish only aggregated mobility data, such as the number of users covered by a cellular tower at a specific timestamp, which is believed to be sufficient for preserving users' privacy. However, in this paper, we argue and prove that even publishing aggregated mobility data can lead to privacy breaches in individuals' trajectories. We develop an attack system that exploits the uniqueness and regularity of human mobility to recover individuals' trajectories from the aggregated mobility data without any prior knowledge. By conducting experiments on two real-world datasets, collected from a mobile application and from a cellular network, we reveal that the attack system is able to recover users' trajectories with an accuracy of about 73%~91% at the scale of tens of thousands to hundreds of thousands of users, which indicates severe privacy leakage in such datasets. Through this investigation of aggregated mobility data, our work recognizes a novel privacy problem in publishing statistical data, which calls for immediate attention from both academia and industry.
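The abstract's point is that per-tower, per-timestamp counts are not a neutral statistic: cells with a count of one pin a single person to a location, and the uniqueness of most people's tower sequences makes such cells easy to string together. The following is an added example, not code from the paper or its authors, written from the data owner's side: it aggregates a constructed set of mobility records into the kind of count table that gets published, measures the two properties the abstract names (how many users are alone in some cell, and how many have a unique trajectory), and applies a k-anonymity-style suppression of small cells before release. The record format, the threshold `k`, and the user and tower identifiers are all assumptions made for the illustration.

```python
"""Audit an aggregated-mobility release before publishing it.

Added example (not the paper's code). Records are (user_id, timestamp,
tower_id) triples; the release is a dict {(timestamp, tower_id): count}.
"""
from collections import Counter, defaultdict

# Constructed sample: five users observed at three timestamps. The format
# and all identifiers are assumptions for this illustration.
RAW_RECORDS = [
    ("u1", 0, "T1"), ("u1", 1, "T2"), ("u1", 2, "T3"),  # moves through 3 towers
    ("u2", 0, "T1"), ("u2", 1, "T1"), ("u2", 2, "T1"),  # stationary
    ("u3", 0, "T1"), ("u3", 1, "T1"), ("u3", 2, "T1"),  # same path as u2
    ("u4", 0, "T4"), ("u4", 1, "T4"), ("u4", 2, "T4"),  # stationary, other tower
    ("u5", 0, "T4"), ("u5", 1, "T5"), ("u5", 2, "T4"),  # short excursion
]


def aggregate(records):
    """Per-(timestamp, tower) user counts: the statistic owners usually publish."""
    counts = Counter()
    for _user, ts, tower in records:
        counts[(ts, tower)] += 1
    return dict(counts)


def small_count_cells(counts, k):
    """Cells whose count is below k. A count of 1 names exactly one person's
    location; counts of 2..k-1 still describe a very small group."""
    return sorted(cell for cell, c in counts.items() if 0 < c < k)


def singleton_exposure(records):
    """Fraction of users who are alone in at least one published cell, i.e.
    whose position at some timestamp is fully determined by the counts."""
    counts = aggregate(records)
    exposed = {user for user, ts, tower in records if counts[(ts, tower)] == 1}
    users = {user for user, _ts, _tower in records}
    return len(exposed) / len(users)


def unique_trajectory_fraction(records):
    """Fraction of users whose full tower sequence is unique in the dataset.
    This is the 'uniqueness of human mobility' that makes singleton cells
    across timestamps chain into one person's trajectory."""
    by_user = defaultdict(list)
    for user, ts, tower in sorted(records, key=lambda r: (r[0], r[1])):
        by_user[user].append(tower)
    traj_counts = Counter(tuple(t) for t in by_user.values())
    unique_users = [u for u, t in by_user.items() if traj_counts[tuple(t)] == 1]
    return len(unique_users) / len(by_user)


def suppress(counts, k):
    """Release with every cell below k removed (k-anonymity-style suppression).
    Coarser spatial or temporal bins, or noise addition, are alternatives; this
    function only demonstrates the simplest check a publisher can run."""
    return {cell: c for cell, c in counts.items() if c >= k}


if __name__ == "__main__":
    counts = aggregate(RAW_RECORDS)
    print("published cells:", len(counts))
    print("cells with count < 2:", small_count_cells(counts, 2))
    print("users alone in some cell:", singleton_exposure(RAW_RECORDS))
    print("users with a unique trajectory:", unique_trajectory_fraction(RAW_RECORDS))
    print("cells left after suppression (k=2):", len(suppress(counts, 2)))
```

On the constructed sample, four of the nine published cells hold a single user, three of the five users are alone in at least one cell, and three of five have a trajectory nobody else shares; suppressing cells below k=2 leaves five cells. The check is deliberately simple: it quantifies how much of a release is made of tiny cells, which is the raw material the abstract's attack builds on, and it is the kind of number a dataset owner should look at before deciding that aggregation alone is enough.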
Index Terms
- Trajectory Recovery From Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data