Statistics about traffic flow and people's movement gathered from multiple geographical locations in a distributed manner are the driving force powering many applications, such as traffic prediction, demand prediction, and restaurant occupancy reports. However, these statistics are often based on sensitive location data of people, and hence privacy has to be preserved while releasing them. The standard way to do this is via differential privacy, which guarantees a form of rigorous, worst-case, person-level privacy. In this work, motivated by several counter-intuitive features of differential privacy in distributed location applications, we propose an alternative privacy loss against location reconstruction attacks by an informed adversary. Our experiments on real and synthetic data demonstrate that our privacy loss better reflects our intuitions on individual privacy violation in the distributed spatio-temporal setting.