Differential Privacy Models for Location-Based Services
Ehab ElSalamouny(a),(b), Sebastien Gambs(c),(*)
Transactions on Data Privacy 9:1 (2016) 15 - 48
(a) INRIA, France.
(b) Faculty of Computers and Informatics, Suez Canal University, Egypt.
(c) Université du Québec à Montréeal (UQAM), Canada.
e-mail:ehab.m.s @gmail.com; gambs.sebastien @uqam.ca
In this paper, we consider the adaptation of differential privacy to the context of location-based services (LBSs), which personalize the information provided to a user based on his current position. Assuming that the LBS provider is queried with a perturbed version of the position of the user instead of his exact one, we rely on differential privacy to quantify the level of indistinguishability (i.e., privacy) provided by this perturbation with respect to the user's position. In this setting, the adaptation of differential privacy can lead to various models depending on the precise form of indistinguishability required. We discuss the set of properties that hold for these models in terms of privacy, utility and also implementation issues. More precisely, we first introduce and analyze one of these models, the (D, e)-location privacy, which is directly inspired from the standard differential privacy model. In this context, we describe a general probabilistic model for obfuscation mechanisms for the locations whose output domain is the Euclidean space E2. In this model, we characterize the satisfiability conditions of (D, e)-location privacy for a particular mechanism and also measure its utility with respect to an arbitrary loss function. Afterwards, we present and analyze symmetric mechanisms in which all locations are perturbed in a unified manner through a noise function, focusing in particular on circular noise functions. We prove that, under certain assumptions, the circular functions are rich enough to provide the same privacy and utility levels as other more complex (i.e., non-circular) noise functions, while being easier to implement. Finally, we extend our results to a generalized notion for location privacy, called l-privacy capturing both (D, e)-location privacy and also the notion of e-geo-indistinguishability recently introduced by Andrés, Bordenabe, Chatzikokolakis and Palamidessi.