On the differential privacy of dynamic location obfuscation with personalized error bounds

Geo-indistinguishability and expected inference error are two complementary notions for location privacy. The joint guarantee of differential privacy (indistinguishability) and distortion privacy (inference error) limits the information leakage. In this paper, we analyze the differential privacy of PIVE dynamic location obfuscation mechanism proposed by Yu, Liu and Pu (ISOC Network and Distributed System Security Symposium, 2017) and show that PIVE fails to offer differential privacy guarantees on adaptive protection location set as claimed. Specifically, we demonstrate that different protection location sets could intersect with one another due to the defined search algorithm and then different locations in the same protection location set could have different protection diameters. As a result, we can show that the proof of differential privacy for PIVE is incorrect. We also make some detailed discussions on feasible privacy frameworks with achieving personalized error bounds.