Location data is frequently collected from populations and shared in aggregate form to guide policy and decision making. However, the prevalence of aggregated data also raises the privacy concern of membership inference attacks (MIAs). MIAs infer whether an individual's data contributed to the aggregate release. Although effective MIAs have been developed for aggregate location data, these require access to an extensive auxiliary dataset of individual traces over the same locations, which are collected from a similar population. This assumption is often impractical given common privacy practices surrounding location data. To measure the risk of an MIA performed by a realistic adversary, we develop the first Zero Auxiliary Knowledge (ZK) MIA on aggregate location data, which eliminates the need for an auxiliary dataset of real individual traces. Instead, we develop a novel synthetic approach, such that suitable synthetic traces are generated from the released aggregate. We also develop methods to correct for bias and noise, to show that our synthetic-based attack is still applicable when privacy mechanisms are applied prior to release. Using two large-scale location datasets, we demonstrate that our ZK MIA matches the state-of-the-art Knock-Knock (KK) MIA across a wide range of settings, including popular implementations of differential privacy (DP) and suppression of small counts. Furthermore, we show that ZK MIA remains highly effective even when the adversary only knows a small fraction (10%) of their target's location history. This demonstrates that effective MIAs can be performed by realistic adversaries, highlighting the need for strong DP protection.