Peiyuan Liu, Master’s candidate
David R. Cheriton School of Computer Science
Mobile devices (e.g., smart phones) are widely used in people’s daily lives. When users rely on location-based services in mobile applications, plenty of location records are exposed to the service providers. This location privacy threat attracts many researchers’ attention. Although many location privacy preserving mechanisms (LPPMs) and metrics have been proposed, most of them are based on simplified cell-based frameworks. The experiment results of using the simplified frameworks may be very different from those of using a more realistic framework. For example, semantic information can be very useful for an attacker in the cell-based frameworks because the simplified frameworks lose some geographical location information, but it may not be useful in the same way in a more realistic framework. Besides, many previous works blindly rely on the geo-indistinguishability, but we have no idea how geo-indistinguishability is related to the location information an adversary can obtain. Also, previous works usually assume an attacker’s background knowledge is all or nothing, but in the real world an attacker can have different types or amounts of background knowledge. All these problems make people confused about how to effectively protect their location privacy in different situations.
To address this problem, we propose a more realistic location privacy framework, which considers location points instead of cells as inputs, to quantify each component in the framework. Using this framework, we do several experiments to evaluate different impacts of the prior probability of a protection mechanism, the geographical knowledge, the semantic knowledge, and the geo-indistinguishability property on the attack results.
Our results show that that an adversary only needs to obtain 6% of background knowledge to infer around 50% of users actual locations that he can infer when having full background knowledge; the prior probability distribution of an LPPM has much less impact than the background knowledge; an LPPM with the geo-indistinguishability property may not have better performance against different attacks than LPPMs without this property; the semantic information is not as useful as previous work shows. We believe our findings will help users and researchers have a better understanding of our location privacy framework, and help them choose the appropriate techniques in different situations.