Geo-indistinguishability and expected inference error are two complementary notions for location privacy. The joint guarantee of differential privacy (indistinguishability) and distortion privacy (inference error) limits the information leakage. In this paper, we analyze the differential privacy of PIVE, a dynamic location obfuscation mechanism proposed by Yu, Liu and Pu (NDSS 2017), and show that PIVE fails to offer either of the privacy guarantees on adaptive Protection Location Sets (PLSs) as claimed. Specifically, we demonstrate that different PLSs could intersect with one another due to the defined search algorithm, and that different a priori locations in the same PLS could then have different protection diameters. As a result, we can show that the proof of local differential privacy for PIVE is problematic. In addition, the condition introduced in PIVE is confirmed to be insufficient for bounding expected inference errors in general, which makes the user-defined inference error threshold invalid. To address these issues, we propose a couple of correction approaches, theoretically analyze the privacy characteristics they satisfy, and detail their respective merits and demerits.