論文誌 (国際) Mechanisms to Address Different Privacy Requirements for Users and Locations

Ryota HIRAISHI (Kyoto univ.), Masatoshi YOSHIKAWA (Kyoto univ.), Yang CAO (Hokkaido univ.), Sumio FUJITA, Hidehito GOMI

The IEICE Transactions on Information and Systems (IEICE Transactions)


The importance of location information of individuals has been increasing in recent years, and the utilization of such data has become indispensable for business and society. The possible usages of location information include personalized services (map, restaurant search andweather forecast service) and business decisions (deciding where to open a store). However, considering the data can be abused, users should add random noises on their own terminals before providing their location data to collectors. In many cases, the level of privacy protection required by a user depends on the location. Therefore, in our framework, we assume that users can specify different privacy protection requirements for each location using the adversarial error (AE), and the system computes a mechanism to satisfy the requirements. In order to guarantee some utility for data analysis, the maximum error in outputting the location should also be output. In the framework of differential privacy, the mechanism for adding random noise is public, but in this problem setting, the privacy protection requirements and the mechanism must not be disclosed because these information themselves include sensitive information. We propose two mechanisms to address this privacy personalization. The first mechanism is the individual exponential mechanism, which uses the exponential mechanism used in the differential privacy framework. However, in individual exponential mechanism, the maximum error for each output can be used to narrow down candidates of the true location by observing outputs from the same location multiple times. The second mechanism improves on this drawback, and is called donut mechanism, which uniformly outputs a random location near the location where the distance from user’s true location is at the userspecified AE distance. Since there are also possible attacks against donut mechanism that use the maximum error, we have extended the mechanism to counter these attacks. We compare these two mechanisms by conducting experiments using maps constructed from artificial data and real data.

Paper : Mechanisms to Address Different Privacy Requirements for Users and Locations新しいタブまたはウィンドウで開く (外部サイト)