There goes Wally: Anonymously sharing your location gives you away

TL;DR

This paper demonstrates that large-scale human mobility traces are highly unique, and that even anonymized location leaks can often be de-anonymized, raising significant privacy concerns and informing future data management policies.

Contribution

It provides a comprehensive analysis of how anonymized location leaks can be de-anonymized using large-scale mobility data, highlighting the risks and factors influencing re-identification.

Findings

Location leaks can often be uniquely matched to individuals.

Spatio-temporal obfuscation reduces de-anonymization success.

Mobility patterns are highly unique across individuals.

Abstract

With current technology, a number of entities have access to user mobility traces at different levels of spatio-temporal granularity. At the same time, users frequently reveal their location through different means, including geo-tagged social media posts and mobile app usage. Such leaks are often bound to a pseudonym or a fake identity in an attempt to preserve one's privacy. In this work, we investigate how large-scale mobility traces can de-anonymize anonymous location leaks. By mining the country-wide mobility traces of tens of millions of users, we aim to understand how many location leaks are required to uniquely match a trace, how spatio-temporal obfuscation decreases the matching quality, and how the location popularity and time of the leak influence de-anonymization. We also study the mobility characteristics of those individuals whose anonymous leaks are more prone to identification. Finally, by extending our matching methodology to full traces, we show how large-scale human mobility is highly unique. Our quantitative results have implications for the privacy of users' traces, and may serve as a guideline for future policies regarding the management and publication of mobility data.