# What Does The Crowd Say About You? Evaluating Aggregation-based Location   Privacy

**Authors:** Apostolos Pyrgelis, Carmela Troncoso, Emiliano De Cristofaro

arXiv: 1703.00366 · 2017-06-13

## TL;DR

This paper evaluates how releasing aggregate location data impacts individual privacy, demonstrating that such data can leak personal mobility information and that current privacy protections like differential privacy have limited effectiveness without sacrificing data utility.

## Contribution

The paper introduces a framework to assess privacy risks of aggregate location data and quantifies privacy loss under different protection mechanisms using real-world datasets.

## Key findings

- Aggregates leak information about individual locations and mobility patterns.
- Regular movement patterns are better protected than sporadic ones.
- Input and output perturbation offer limited privacy benefits without high noise levels.

## Abstract

Information about people's movements and the locations they visit enables an increasing number of mobility analytics applications, e.g., in the context of urban and transportation planning, In this setting, rather than collecting or sharing raw data, entities often use aggregation as a privacy protection mechanism, aiming to hide individual users' location traces. Furthermore, to bound information leakage from the aggregates, they can perturb the input of the aggregation or its output to ensure that these are differentially private.   In this paper, we set to evaluate the impact of releasing aggregate location time-series on the privacy of individuals contributing to the aggregation. We introduce a framework allowing us to reason about privacy against an adversary attempting to predict users' locations or recover their mobility patterns. We formalize these attacks as inference problems, and discuss a few strategies to model the adversary's prior knowledge based on the information she may have access to. We then use the framework to quantify the privacy loss stemming from aggregate location data, with and without the protection of differential privacy, using two real-world mobility datasets. We find that aggregates do leak information about individuals' punctual locations and mobility profiles. The density of the observations, as well as timing, play important roles, e.g., regular patterns during peak hours are better protected than sporadic movements. Finally, our evaluation shows that both output and input perturbation offer little additional protection, unless they introduce large amounts of noise ultimately destroying the utility of the data.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1703.00366/full.md

## Figures

49 figures with captions in the complete paper: https://tomesphere.com/paper/1703.00366/full.md

## References

52 references — full list in the complete paper: https://tomesphere.com/paper/1703.00366/full.md

---
Source: https://tomesphere.com/paper/1703.00366