pared to previous solutions to similar problems in other contexts (e.g.,
in relational databases)?
Furthermore, how can the above perturbation techniques, defense
solutions, and bounds be extended to the sharing of multiple correlated
data streams, or data streams with related context? For example,
consider a social sensing application where users share vehicular GPS data
to compute traffic speed statistics in a city. In this case, in order to
compute the statistics correctly as a function of time and location, each
vehicle's speed must be shared together with its current GPS location
and time of day. Perturbing the speed alone does not help privacy if
the correct location of the user must be revealed at all times. What
is needed is a perturbation and reconstruction technique that allows a
user to “lie” about their speed, location, and time of day, altogether, in
a manner that makes it impossible to reconstruct their true values, yet
allows an aggregation service to average out the added multi-dimensional
noise and accurately map the true aggregate traffic speed as a function
of actual time and space. This problem is related to the more general
concern of privacy-preserving classification [158, 176], except that it is
applied to the challenging case of aggregates of time-series data. Other
methods for centralized and distributed privacy preservation in time
series include the methods discussed in [130, 141], though these methods
are generally offline, and cannot easily perform the privacy preservation
in real time, as would be needed for a typical social sensing application.
In many participatory sensing applications, users may upload different
kinds of data such as images, text, or other feeds to the system. Such
data are often tagged with location (WiFi or GPS) and the time-stamp,
which can have serious consequences in terms of location privacy.
Alternatively, the users may have to continuously provide their location to an
untrusted service provider, or provide responses to queries which may
compromise their privacy. Some of the earliest work on location privacy
[152] focusses only on user identity suppression, while preserving the full
fidelity of the location data. This approach of course suffers from the
well-known problem of adversarial attacks with background information
about approximate location. The work in [66, 75, 94, 131] avoids this
pitfall by using a k-anonymity approach for the spatio-temporal scenario.
The work in [94] proposed a technique called tessellation, in which a
point location is enlarged to a tile which contains at least k users. This
is essentially a spatio-temporal version of the generalization technique
which is often used in k-anonymity applications. It was observed in [87]
that tessellation is not useful in applications where the large tiles do
not provide the fine-grained information about the location for a
particular user (such as the road information). Therefore, the work in [87]
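
The tessellation idea described above, as an added example that is not code from the original text or from [94]: a point is enlarged to the smallest tile that still holds at least k users. The quadtree subdivision, the function names, and the sample coordinates are assumptions chosen for this example.

```python
from typing import List, Tuple

Point = Tuple[float, float]
Tile = Tuple[float, float, float, float]  # (x_min, y_min, x_max, y_max)

# Constructed sample data: a dense cluster near the origin and two isolated users.
REGION: Tile = (0, 0, 16, 16)
DENSE = [(1, 1), (1.5, 1.2), (0.5, 0.8), (1.2, 1.9)]
SPARSE = [(12, 12), (9, 14)]


def in_tile(p: Point, t: Tile) -> bool:
    # Half-open bounds so each point falls in exactly one quadrant.
    return t[0] <= p[0] < t[2] and t[1] <= p[1] < t[3]


def cloak(user: Point, others: List[Point], k: int,
          region: Tile = REGION, max_depth: int = 16) -> Tile:
    """Return the smallest quadtree tile that contains `user` and >= k users."""
    population = [user] + [p for p in others if in_tile(p, region)]
    if not in_tile(user, region) or len(population) < k:
        raise ValueError("region cannot provide k-anonymity for this user")
    tile = region
    for _ in range(max_depth):
        x0, y0, x1, y1 = tile
        mx, my = (x0 + x1) / 2, (y0 + y1) / 2
        quadrants = [(x0, y0, mx, my), (mx, y0, x1, my),
                     (x0, my, mx, y1), (mx, my, x1, y1)]
        child = next(q for q in quadrants if in_tile(user, q))
        inside = [p for p in population if in_tile(p, child)]
        if len(inside) < k:
            break  # a smaller tile would hide the user among fewer than k users
        tile, population = child, inside
    return tile


def tile_area(t: Tile) -> float:
    return (t[2] - t[0]) * (t[3] - t[1])


if __name__ == "__main__":
    dense_tile = cloak(DENSE[0], DENSE[1:] + SPARSE, k=3)
    sparse_tile = cloak(SPARSE[0], DENSE + SPARSE[1:], k=3)
    # In the sparse area the tile grows to the whole region, which is the
    # loss of fine-grained location information noted in [87].
    print(dense_tile, tile_area(dense_tile))
    print(sparse_tile, tile_area(sparse_tile))
```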