Geographic Differential Privacy for Mobile Crowd Coverage Maximization

Authors

  • Leye Wang
  • Gehua Qin
  • Dingqi Yang
  • Xiao Han
  • Xiaojuan Ma
Abstract

For real-world mobile applications such as location-based advertising and spatial crowdsourcing, a key to success is targeting mobile users that can maximally cover certain locations in a future period. To find an optimal group of users, existing methods often require information about users’ mobility history, which may cause privacy breaches. In this paper, we propose a method to maximize the mobile crowd’s future location coverage under a guaranteed location privacy protection scheme. In our approach, users only need to upload one of their frequently visited locations, and more importantly, the uploaded location is obfuscated using a geographic differential privacy policy. We propose both analytic and practical solutions to this problem. Experiments on real user mobility datasets show that our method significantly outperforms the state-of-the-art geographic differential privacy methods by achieving a higher coverage under the same level of privacy protection.

Introduction

Crowd coverage maximization is a classical problem in mobile computing: how to select m users from a candidate pool to maximize the probability of covering a set of target locations in a coming time period (e.g., one day or one week). This problem and its variants have a wide spectrum of applications in location-based advertising (Dhar and Varshney 2011), spatial crowdsourcing (Chen and Shahabi 2016; Zhang et al. 2014), urban computing (Zheng et al. 2014), etc. For example, it can help shop owners offer electronic coupons to the set of mobile app users who may physically visit the region around the shop soon; it can also help crowdsourcing organizers recruit the participants who cover the task area with the highest probability (Xiong et al. 2016). One of the key steps in crowd coverage maximization is mobility profiling, i.e., predicting the probability of a user appearing at a certain location.
A common practice is to first divide an area into fine-grained grids or sub-areas, and then count the frequency of a user appearing in each grid based on trajectory history (Guo et al. 2017). One can use more sophisticated models such as a Poisson process to estimate users’ occurrence distribution (Xiong et al. 2016). Existing mobility profiling methods often require access to users’ historical mobility traces, which may seriously compromise user privacy. For example, users’ exposed location data may reveal sensitive information about their identities and social relationships (Cho, Myers, and Leskovec 2011; Rossi et al. 2015). Despite the importance of location privacy, as far as we know, there has been little research effort to date combining location privacy, mobility profiling, and crowd coverage maximization. To fill this gap, this paper explores how to protect the crowd’s location privacy while still optimizing its expected coverage of a set of locations. To achieve this goal, we propose a mobile crowd coverage maximization framework with a rigorous privacy protection scheme — geographic differential privacy (Andrés et al. 2013). A geographic differential privacy policy obfuscates a user’s actual location to another with carefully designed probabilities, such that adversaries, regardless of their prior knowledge, can learn little about the user’s true location after observing the obfuscated location. However, under differential privacy protection, crowd coverage maximization can only be performed on the obfuscated (inaccurate) locations, which leads to an inevitable loss in the quality of the selected users. Therefore, we propose a method to generate the optimal location obfuscation policy that satisfies geographic differential privacy while minimizing this loss.

Copyright © 2018, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.
In summary, this paper makes the following contributions: (1) To the best of our knowledge, this is the first work studying the mobile crowd coverage maximization problem with location privacy protection. (2) In our approach, users only need to upload one of their frequently visited locations, and more importantly, the uploaded location is obfuscated using a rigorous privacy policy — geographic differential privacy. We further formulate an optimization problem to obtain the optimal obfuscation policy that maximizes the expected future crowd coverage over a set of locations under a guaranteed level of differential privacy protection. As the optimization problem is non-convex, we first mathematically analyze the scenario in which only one location needs to be covered and derive an optimal solution. Then, we extend this setting to the multi-location coverage scenario and propose a practical algorithm to obtain the optimal obfuscation policy. (3) Experiments on real human mobility datasets verify that, by selecting the same number of users under the same level of privacy protection, our method achieves a higher coverage than state-of-the-art differential privacy methods.

arXiv:1710.10477v1 [cs.CR] 28 Oct 2017

Preliminaries

Geographic differential privacy (Andrés et al. 2013) introduces the idea of database differential privacy (Dwork 2008) into the location obfuscation context. Its key idea is: given an observed obfuscated location l*, any two locations l1 and l2 have similar probabilities of being mapped to l*. It is thus hard for an adversary to differentiate whether the user is at l1 or l2 by observing l*.

Definition 1 (Andrés et al. 2013). Suppose the target area includes a set of locations L; then an obfuscation policy P satisfies geographic ε-differential privacy iff

$$P(l^* \mid l_1) \le e^{\varepsilon\, d(l_1, l_2)}\, P(l^* \mid l_2) \quad \forall\, l_1, l_2, l^* \in L \qquad (1)$$

where P(l*|l) is the probability of obfuscating l to l*, d(l1, l2) is the distance between l1 and l2, and ε is the privacy budget — the smaller ε, the better the privacy protection. Note that the set of locations is usually constructed by dividing the target area into subregions, e.g., equal-size grids (Bordenabe, Chatzikokolakis, and Palamidessi 2014) or cell-tower regions (Xiong et al. 2016). If P satisfies geographic differential privacy, it can be proven that for adversaries with any prior knowledge about users’ location distributions, their posterior knowledge after observing the obfuscated location can only increase by a small constant factor (Andrés et al. 2013). Note that this protection is guaranteed even if the adversaries know P. Due to this rigorous protection effect, geographic differential privacy has seen many applications in location-based services, spatial crowdsourcing, etc. (Bordenabe, Chatzikokolakis, and Palamidessi 2014; Wang et al. 2016; Wang et al. 2017).

Mobility profiling aims to estimate the probability of a user covering a certain location during a time period in the future. Specifically, a user ui’s mobility profile is denoted as Mi, and Mi(lj), lj ∈ L, is the estimated probability of ui visiting lj in the future period of interest (e.g., next week). Commonly used mobility profiling methods include frequency-based (Guo et al. 2017) and Poisson-based (Xiong et al. 2016) algorithms. We use the Poisson process to model user mobility given its better prediction performance in our experiments. More details can be found in the supplemental materials.
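The following is an added example, not code from the paper or its authors, showing how Definition 1 can be checked mechanically for a concrete obfuscation policy. The 3x3 unit-spaced grid, the three candidate policies and the budget ε = 1 are all constructed for illustration. The function tightest_epsilon computes the smallest ε for which inequality (1) holds over every triple (l1, l2, l*), which is the check a practitioner would run before trusting a policy; it also shows why a policy that never reports some cell from some true location (the no-obfuscation "identity" policy) has no finite budget at all. The exponential_policy construction, P(l*|l) ∝ exp(−ε/2 · d(l, l*)) with per-row normalisation, is a standard discrete mechanism and meets the definition by the triangle inequality; the paper itself does not describe this construction.

```python
import math
from itertools import product

# Constructed example (not from the paper): a 3x3 grid of unit-spaced cells.
GRID_SIZE = 3
LOCATIONS = [(x, y) for x in range(GRID_SIZE) for y in range(GRID_SIZE)]


def distance(l1, l2):
    """Euclidean distance d(l1, l2) between two cell centres."""
    return math.hypot(l1[0] - l2[0], l1[1] - l2[1])


def exponential_policy(locations, epsilon):
    """Obfuscation policy P(l*|l) proportional to exp(-epsilon/2 * d(l, l*)).

    Each row is normalised to a proper distribution. By the triangle
    inequality, the weight of any l* and the row normaliser each change by at
    most a factor exp(epsilon/2 * d(l1, l2)) when the true location moves from
    l1 to l2, so the policy meets Definition 1 with budget epsilon.
    """
    policy = {}
    for true_loc in locations:
        weights = {lo: math.exp(-epsilon / 2.0 * distance(true_loc, lo))
                   for lo in locations}
        total = sum(weights.values())
        policy[true_loc] = {lo: w / total for lo, w in weights.items()}
    return policy


def naive_policy(locations, p_truth):
    """Report the true cell with probability p_truth, else a uniform other cell."""
    others = len(locations) - 1
    return {true_loc: {lo: (p_truth if lo == true_loc else (1 - p_truth) / others)
                       for lo in locations}
            for true_loc in locations}


def identity_policy(locations):
    """No obfuscation at all: the true cell is always reported."""
    return {true_loc: {lo: (1.0 if lo == true_loc else 0.0) for lo in locations}
            for true_loc in locations}


def tightest_epsilon(policy, locations):
    """Smallest epsilon for which inequality (1) holds for every (l1, l2, l*).

    Returns math.inf when some l* is reachable from l1 but impossible from l2,
    since no finite budget bounds that ratio.
    """
    worst = 0.0
    for l1, l2 in product(locations, repeat=2):
        if l1 == l2:
            continue
        d = distance(l1, l2)
        for lo in locations:
            p1, p2 = policy[l1][lo], policy[l2][lo]
            if p1 == 0.0:
                continue  # 0 <= anything: this triple imposes no constraint
            if p2 == 0.0:
                return math.inf
            worst = max(worst, math.log(p1 / p2) / d)
    return worst


def satisfies_geo_dp(policy, locations, epsilon, tol=1e-9):
    """True iff the policy is epsilon-geographically differentially private."""
    return tightest_epsilon(policy, locations) <= epsilon + tol


if __name__ == "__main__":
    eps = 1.0
    for name, pol in [("exponential", exponential_policy(LOCATIONS, eps)),
                      ("naive 0.7", naive_policy(LOCATIONS, 0.7)),
                      ("identity", identity_policy(LOCATIONS))]:
        print(f"{name:12s} tightest epsilon = {tightest_epsilon(pol, LOCATIONS):.3f}"
              f"  satisfies eps={eps}: {satisfies_geo_dp(pol, LOCATIONS, eps)}")
```

The naive policy illustrates the point made after Definition 1: reporting the true cell 70% of the time looks private, but the worst-case ratio ln(0.7 / 0.0375) between two adjacent cells gives it a budget near 2.93, far looser than ε = 1, and the check exposes that without any assumption about the adversary's prior. The exponential policy is the kind of row-stochastic matrix P the optimization in the paper searches over; the same tightest_epsilon routine can validate any candidate P the optimizer produces.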


Journal: CoRR

Volume: abs/1710.10477

Published: 2017