Geo-Indistinguishability: Differential Privacy for Location-Based Systems

TL;DR

This paper introduces geo-indistinguishability, a formal privacy framework for location-based systems that protects user location within a radius while allowing useful approximate data to be shared, using a differential privacy approach.

Contribution

It formalizes geo-indistinguishability as a privacy notion, proposes a noise-adding mechanism to achieve it, and demonstrates its effectiveness compared to existing methods.

Findings

Our mechanism provides the best privacy guarantees for a given utility level.

It effectively protects user location within a specified radius.

The approach is applicable to real-world location-based services.

Abstract

The growing popularity of location-based systems, allowing unknown/untrusted servers to easily collect huge amounts of information regarding users' location, has recently started raising serious privacy concerns. In this paper we study geo-indistinguishability, a formal notion of privacy for location-based systems that protects the user's exact location, while allowing approximate information - typically needed to obtain a certain desired service - to be released. Our privacy definition formalizes the intuitive notion of protecting the user's location within a radius r with a level of privacy that depends on r, and corresponds to a generalized version of the well-known concept of differential privacy. Furthermore, we present a perturbation technique for achieving geo-indistinguishability by adding controlled random noise to the user's location. We demonstrate the applicability of our technique on a LBS application. Finally, we compare our mechanism with other ones in the literature. It turns our that our mechanism offers the best privacy guarantees, for the same utility, among all those which do not depend on the prior.