Two de-anonymization attacks on real-world location data based on a hidden Markov model

Abstract

The increasing demand for smart context-aware services and the widespread use of location-based services (LBS) have resulted in the proliferation of mobile devices equipped with geolocation sensors (including GPS, geomagnetic field sensor, accelerometer, proximity sensor, et cetera). As a result, service providers and telecommunications companies can collect massive mobility datasets, often for millions of subscribers. To provide a degree of privacy, dataset owners normally replace personal identifiers such as name, address, and social security number (SSN) with pseudorandom identifiers prior to publication or sale. However, it has been repeatedly shown how sensitive information can be easily extracted or inferred from individuals' mobility data even when personal identifiers are removed. Knowledge of the extent to which location data can be de-anonymized is therefore crucial, in order to design appropriate privacy mechanisms that can prevent re-identification. In this paper, we propose and implement two novel and highly effective de-anonymization techniques: the Forward, and the KL algorithms. Our work utilizes a hidden Markov model (which incorporates spatio-temporal trajectories) in a novel way to generate user mobility profiles for target users. Using a real-world reference dataset containing mobility trajectories from the city of Shanghai (GeoLife, a reference dataset also used in previous studies), we evaluate the robustness of the proposed attack techniques. The results show that our attack techniques successfully re-identify up to 85% anonymized users. This significantly exceeds current comparable de-anonymization techniques, which have a success rate of 40% to 45%.