-
Asymptotic Privacy Loss due to Time Series Matching of Dependent Users
Authors:
Nazanin Takbiri,
Minting Chen,
Dennis L. Goeckel,
Amir Houmansadr,
Hossein Pishro-Nik
Abstract:
The Internet of Things (IoT) promises to improve user utility by tuning applications to user behavior, but revealing the characteristics of a user's behavior presents a significant privacy risk. Our previous work has established the challenging requirements for anonymization to protect users' privacy in a Bayesian setting in which we assume a powerful adversary who has perfect knowledge of the prior distribution for each user's behavior. However, even sophisticated adversaries do not often have such perfect knowledge; hence, in this paper, we turn our attention to an adversary who must learn user behavior from past data traces of limited length. We also assume there exists dependency between data traces of different users, and the data points of each user are drawn from a normal distribution. Results on the lengths of training sequences and data sequences that result in a loss of user privacy are presented.
Submitted 12 July, 2020;
originally announced July 2020.
-
Leveraging Prior Knowledge Asymmetries in the Design of Location Privacy-Preserving Mechanisms
Authors:
Nazanin Takbiri,
Virat Shejwalker,
Amir Houmansadr,
Dennis L. Goeckel,
Hossein Pishro-Nik
Abstract:
The prevalence of mobile devices and Location-Based Services (LBS) necessitates the study of Location Privacy-Preserving Mechanisms (LPPM). However, LPPMs reduce the utility of LBS due to the noise they add to users' locations. Here, we consider the remapping technique, which presumes the adversary has a perfect statistical model for the user location. We consider this assumption and show that under practical assumptions on the adversary's knowledge, the remapping technique leaks privacy not only about the true location data, but also about the statistical model. Finally, we introduce a novel solution called "Randomized Remapping" as a countermeasure.
Submitted 4 December, 2019;
originally announced December 2019.
-
Asymptotic Limits of Privacy in Bayesian Time Series Matching
Authors:
Nazanin Takbiri,
Dennis L. Goeckel,
Amir Houmansadr,
Hossein Pishro-Nik
Abstract:
Various modern and highly popular applications make use of user data traces in order to offer specific services, often for the purpose of improving the user's experience while using such applications. However, even when user data is privatized by employing privacy-preserving mechanisms (PPM), users' privacy may still be compromised by an external party who leverages statistical matching methods to match users' traces with their previous activities. In this paper, we obtain the theoretical bounds on user privacy for situations in which user traces are matchable to sequences of prior behavior, despite anonymization of data time series. We provide both achievability and converse results for the case where the data trace of each user consists of independent and identically distributed (i.i.d.) random samples drawn from a multinomial distribution, as well as the case that the users' data points are dependent over time and the data trace of each user is governed by a Markov chain model.
Submitted 18 February, 2019;
originally announced February 2019.
-
Asymptotic Loss in Privacy due to Dependency in Gaussian Traces
Authors:
Nazanin Takbiri,
Ramin Soltani,
Dennis L. Goeckel,
Amir Houmansadr,
Hossein Pishro-Nik
Abstract:
The rapid growth of the Internet of Things (IoT) necessitates employing privacy-preserving techniques to protect users' sensitive information. Even when user traces are anonymized, statistical matching can be employed to infer sensitive information. In our previous work, we have established the privacy requirements for the case that the user traces are instantiations of discrete random variables and the adversary knows only the structure of the dependency graph, i.e., whether each pair of users is connected. In this paper, we consider the case where data traces are instantiations of Gaussian random variables and the adversary knows not only the structure of the graph but also the pairwise correlation coefficients. We establish the requirements on anonymization to thwart such statistical matching, which demonstrate the significant degree to which knowledge of the pairwise correlation coefficients further significantly aids the adversary in breaking user anonymity.
Submitted 18 February, 2019; v1 submitted 26 September, 2018;
originally announced September 2018.
-
Privacy of Dependent Users Against Statistical Matching
Authors:
Nazanin Takbiri,
Amir Houmansadr,
Dennis L. Goeckel,
Hossein Pishro-Nik
Abstract:
Modern applications significantly enhance user experience by adapting to each user's individual condition and/or preferences. While this adaptation can greatly improve a user's experience or be essential for the application to work, the exposure of user data to the application presents a significant privacy threat to the users, even when the traces are anonymized, since the statistical matching of an anonymized trace to prior user behavior can identify a user and their habits. Because of the current and growing algorithmic and computational capabilities of adversaries, provable privacy guarantees as a function of the degree of anonymization and obfuscation of the traces are necessary. Our previous work has established the requirements on anonymization and obfuscation in the case that data traces are independent between users. However, the data traces of different users will be dependent in many applications, and an adversary can potentially exploit such. In this paper, we consider the impact of dependency between user traces on their privacy. First, we demonstrate that the adversary can readily identify the association graph of the obfuscated and anonymized version of the data, revealing which user data traces are dependent. Next, we demonstrate that the adversary can use this association graph to break user privacy with significantly shorter traces than in the case of independent users, and that obfuscating data traces independently across users is often insufficient to remedy such leakage. Finally, we discuss how users can improve privacy by employing joint obfuscation that removes or reduces the data dependency.
Submitted 29 May, 2019; v1 submitted 28 June, 2018;
originally announced June 2018.
-
Privacy against Statistical Matching: Inter-User Correlation
Authors:
Nazanin Takbiri,
Amir Houmansadr,
Dennis L. Goeckel,
Hossein Pishro-Nik
Abstract:
Modern applications significantly enhance user experience by adapting to each user's individual condition and/or preferences. While this adaptation can greatly improve utility or be essential for the application to work (e.g., for ride-sharing applications), the exposure of user data to the application presents a significant privacy threat to the users, even when the traces are anonymized, since the statistical matching of an anonymized trace to prior user behavior can identify a user and their habits. Because of the current and growing algorithmic and computational capabilities of adversaries, provable privacy guarantees as a function of the degree of anonymization and obfuscation of the traces are necessary. Our previous work has established the requirements on anonymization and obfuscation in the case that data traces are independent between users. However, the data traces of different users will be dependent in many applications, and an adversary can potentially exploit such. In this paper, we consider the impact of correlation between user traces on their privacy. First, we demonstrate that the adversary can readily identify the association graph, revealing which user data traces are correlated. Next, we demonstrate that the adversary can use this association graph to break user privacy with significantly shorter traces than in the case when traces are independent between users, and that independent obfuscation of the data traces is often insufficient to remedy such. Finally, we discuss how the users can employ dependency in their obfuscation to improve their privacy.
Submitted 27 June, 2018; v1 submitted 2 May, 2018;
originally announced May 2018.
-
Matching Anonymized and Obfuscated Time Series to Users' Profiles
Authors:
Nazanin Takbiri,
Amir Houmansadr,
Dennis L. Goeckel,
Hossein Pishro-Nik
Abstract:
Many popular applications use traces of user data to offer various services to their users. However, even if user data is anonymized and obfuscated, a user's privacy can be compromised through the use of statistical matching techniques that match a user trace to prior user behavior. In this work, we derive the theoretical bounds on the privacy of users in such a scenario. We build on our recent study in the area of location privacy, in which we introduced formal notions of location privacy for anonymization-based location privacy-protection mechanisms. Here we derive the fundamental limits of user privacy when both anonymization and obfuscation-based protection mechanisms are applied to users' time series of data. We investigate the impact of such mechanisms on the trade-off between privacy protection and user utility. We first study achievability results for the case where the time-series of users are governed by an i.i.d. process. The converse results are proved both for the i.i.d. case as well as the more general Markov chain model. We demonstrate that as the number of users in the network grows, the obfuscation-anonymization plane can be divided into two regions: in the first region, all users have perfect privacy; and, in the second region, no user has privacy.
Submitted 27 June, 2018; v1 submitted 30 September, 2017;
originally announced October 2017.
-
Performance Bounds for Grouped Incoherent Measurements in Compressive Sensing
Authors:
Adam C. Polak,
Marco F. Duarte,
Dennis L. Goeckel
Abstract:
Compressive sensing (CS) allows for acquisition of sparse signals at sampling rates significantly lower than the Nyquist rate required for bandlimited signals. Recovery guarantees for CS are generally derived based on the assumption that measurement projections are selected independently at random. However, for many practical signal acquisition applications, including medical imaging and remote sensing, this assumption is violated as the projections must be taken in groups. In this paper, we consider such applications and derive requirements on the number of measurements needed for successful recovery of signals when groups of dependent projections are taken at random. We find a penalty factor on the number of required measurements with respect to the standard CS scheme that employs conventional independent measurement selection and evaluate the accuracy of the predicted penalty through simulations.
Submitted 20 October, 2014; v1 submitted 9 May, 2012;
originally announced May 2012.
-
An Improved Lower Bound to the Number of Neighbors Required for the Asymptotic Connectivity of Ad Hoc Networks
Authors:
Sanquan Song,
Dennis L. Goeckel,
Don Towsley
Abstract:
Xue and Kumar have established that the number of neighbors required for connectivity of wireless networks with N uniformly distributed nodes must grow as log(N), and they also established that the actual number required lies between 0.074log(N) and 5.1774log(N). In this short paper, by recognizing that connectivity results for networks where the nodes are distributed according to a Poisson point process can often be applied to the problem for a network with N nodes, we are able to improve the lower bound. In particular, we show that a network with nodes distributed in a unit square according to a 2D Poisson point process of parameter N will be asymptotically disconnected with probability one if the number of neighbors is less than 0.129log(N). Moreover, a similar number of neighbors is not enough for an asymptotically connected network with N nodes uniformly in a unit square, hence improving the lower bound.
Submitted 27 September, 2005;
originally announced September 2005.