[Figure 2.9 diagram. Panel (a) labels: privacy profile specification; location cloaking; cloaked regions; position transformation; exact position; disclosed location (cloaked region or exact position). Panel (b): obfuscated map.]
Figure 2.9 The Probe system: (a) The workflow. (b) Obfuscated map: the blue polygons
represent cloaked regions, the red rectangles sensitive places, the gray background the
distribution of population in space. (See color plate.)
The motivation behind semantic location privacy is that the sensitivity of
positions may vary depending on the nature of places; for example, the position
of a user staying in an oncological clinic is likely more sensitive than the position
of a user walking along a street. If all positions were treated as though they
were sensitive, the protection would be excessive. It is more effective to obfuscate
only those positions that are perceived as sensitive, while disclosing the others
unchanged. In this way the loss of position accuracy is limited. This form
of obfuscation is called semantic location cloaking. A sound semantic cloaking
strategy should guarantee:
Semantic diversity: The user's position must be blurred not only when
the user is inside a sensitive place, but also when he or she is outside. That
way, the place in which the user is located remains uncertain. An obfuscated
region thus must include places of diverse types.
Independence of the position cloaking method from the user's position: This
condition prevents the discovery of a correlation between the cloaked region
and the true position, which could be exploited to infer where the user is
located.
These guidelines have been embodied in the privacy-preserving framework
called Probe (Privacy-Aware Obfuscation Environment).
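The two guarantees above can be seen in a small sketch. This is an added example, not Probe's own algorithm: the grid map, the quadtree-aligned blocks, and the reading of a per-category threshold as a cap on that category's population-weighted share of a region are all assumptions made for illustration.

```python
from itertools import product

# Constructed 4x4 map: (place type, population weight) per cell.
MAP = [
    [("street", 8), ("street", 6), ("park", 5), ("shop", 9)],
    [("hospital", 2), ("shop", 7), ("street", 6), ("street", 4)],
    [("street", 5), ("park", 3), ("church", 3), ("street", 4)],
    [("shop", 9), ("street", 4), ("street", 2), ("park", 2)],
]
PROFILE = {"hospital": 0.1, "church": 0.3}  # category -> max share (assumed meaning)

def block_of(r, c, size):
    """Aligned size x size block containing cell (r, c), as (row0, col0, size)."""
    return (r - r % size, c - c % size, size)

def cells(block):
    r0, c0, size = block
    return [(r, c) for r, c in product(range(r0, r0 + size), range(c0, c0 + size))]

def satisfies(block, grid, profile):
    """True if no sensitive category exceeds its share of the block's population."""
    total = sum(grid[r][c][1] for r, c in cells(block))
    for cat, limit in profile.items():
        share = sum(grid[r][c][1] for r, c in cells(block) if grid[r][c][0] == cat) / total
        if share > limit:
            return False
    return True

def build_regions(grid, profile):
    """Offline step: uses only the map and the profile, never a user position."""
    n, regions = len(grid), set()
    for r, c in product(range(n), repeat=2):
        if grid[r][c][0] in profile:
            size = 1
            while size <= n and not satisfies(block_of(r, c, size), grid, profile):
                size *= 2  # grow until non-sensitive places dilute the sensitive one
            if size > n:
                raise ValueError(f"profile unsatisfiable for cell {(r, c)}")
            regions.add(block_of(r, c, size))
    return regions

def disclose(pos, regions):
    """Online step: same output for every position inside a cloaked region."""
    hits = [b for b in regions if pos in cells(b)]
    return max(hits, key=lambda b: b[2]) if hits else pos
```

Because the regions are fixed before any position is seen, a user on the street next to the hospital and a user inside it disclose the same block, while a user far from any sensitive place discloses the exact cell.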
Figure 2.9 illustrates the workflow of the privacy enforcement process in
the Probe system. Users first specify in a privacy profile which categories of
points of interest are sensitive (selecting, for example, from a predefined list
of hospitals, religious buildings, and so on) along with the degree of
privacy desired for each of those categories. For example, a privacy degree of
0.1 assigned to hospitals means that the (posterior) probability of locating the