Dynamic Differential Location Privacy with Personalized Error Bounds

Location privacy continues to attract significant attentions in recent years, fueled by the rapid growth of locationbased services (LBSs) and smart mobile devices. Location obfuscation has been the dominating location privacy preserving approach, which transforms the exact location of a mobile user to a perturbed location before its public release. The notion of location privacy has evolved from user-defined location kanonymity to two statistical quantification based privacy notions: geo-indistinguishability and expected inference error. The former promotes differential location privacy but does not protect location against inference attacks of Bayesian adversary with using prior information, whereas the latter promotes the background inference resilient location privacy but does not guarantee differential location privacy with respect to geo-indistinguishability. In this paper we argue that geo-indistinguishability and expected inference error are two complementary notions for location privacy. We formally study the relationship between two privacy notions. By leveraging this relationship and a personalized error bound, we can effectively combine the two privacy notions. We develop PIVE, a two-phase dynamic differential location privacy framework. In Phase I, we take into account the user-defined inference error threshold and the prior knowledge about the user’s location to determine a subset of locations as the protection location set for protecting the actual location by increasing adversary’s expected location inference error. In Phase II, we generate pseudo-locations (i.e., perturbed locations) in the way that achieves differential privacy over the protection location set. This two-phase location obfuscation is constructed dynamically by leveraging the relationship between two privacy notions based on adversary’s current prior information and user-specific privacy requirements on different locations and at different times. Experiments with real-world datasets demonstrate that our PIVE approach effectively guarantees the two privacy notions simultaneously and outperforms the existing mechanisms in terms of adaptive privacy protection in presence of skewed locations and computation efficiency.