Location-based services (LBS) have been increasingly used in recent years, and consequently large amounts of location traces are accumulating in data centers. Although these traces can be provided to data analysts for geo-data analysis, disclosing location traces raises serious privacy concerns. Finding an appropriate anonymization method for location traces is also extremely challenging, especially for long traces. To address this issue, we have designed and held a location trace anonymization contest that deals with long traces (400 events per user) and fine-grained locations (1024 regions). In our contest, each team anonymizes its own original traces, and then the other teams perform privacy attacks against the anonymized traces (i.e., defense and attack compete together) in a partial-knowledge attacker model, where the adversary does not know the original traces. To realize such a contest, we propose a novel location synthesizer that has diversity, in that the synthetic traces for each team differ from those for the other teams, and utility, in that the synthetic traces preserve various statistical features of real traces. We also show that re-identification alone is insufficient as a privacy risk, and that trace inference should be added as an additional risk. Specifically, we show an example of anonymization that is perfectly secure against re-identification but not secure against trace inference. Based on this, our contest evaluates both the re-identification risk and the trace inference risk, and analyzes the relation between the two risks. In this paper, we present our location synthesizer and the design of our contest, and then report our contest results.
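The claim above that re-identification alone is an insufficient risk measure, as an added illustration that is not the paper's own code or evaluation. It uses constructed traces at the contest's scale (400 events, 1024 regions), simplified risk definitions (fraction of pseudonyms correctly linked; fraction of events correctly inferred), and a "swap" anonymization that publishes each user's trace under another user's pseudonym; all three are assumptions made here, not the paper's definitions.

```python
import random
from collections import Counter

N_USERS, N_EVENTS, N_REGIONS = 8, 400, 1024  # contest scale: 400 events, 1024 regions

def make_traces(seed=0):
    """Constructed sample data (assumption): each user has 3 favourite regions
    visited 80% of the time. Returns (reference traces the partial-knowledge
    attacker already holds, original traces that get anonymized)."""
    rng = random.Random(seed)
    ref, orig = {}, {}
    for u in range(N_USERS):
        homes = rng.sample(range(N_REGIONS), 3)
        def walk():
            return [rng.choice(homes) if rng.random() < 0.8
                    else rng.randrange(N_REGIONS) for _ in range(N_EVENTS)]
        ref[u], orig[u] = walk(), walk()
    return ref, orig

def anonymize_by_swap(orig, shift):
    """Pseudonym u publishes the unmodified trace of user (u+shift) mod N.
    shift=0 is no anonymization; shift!=0 is a pure permutation of owners."""
    return {u: list(orig[(u + shift) % N_USERS]) for u in orig}

def similarity(a, b):
    """Histogram intersection over regions: the attacker's matching score."""
    ha, hb = Counter(a), Counter(b)
    return sum(min(ha[r], hb[r]) for r in ha)

def reid_rate(ref, anon):
    """Re-identification risk: link each pseudonym to the most similar known
    user; a hit only if the guess is the user who owns that pseudonym."""
    hits = sum(max(ref, key=lambda u: similarity(ref[u], anon[p])) == p for p in anon)
    return hits / len(anon)

def trace_inference_rate(ref, orig, anon):
    """Trace inference risk: for each user, output the published trace that
    best matches her reference data; score = fraction of events guessed exactly."""
    total = 0
    for u in orig:
        p = max(anon, key=lambda q: similarity(ref[u], anon[q]))
        total += sum(g == o for g, o in zip(anon[p], orig[u]))
    return total / (N_USERS * N_EVENTS)

def evaluate(shift, seed=0):
    """Returns (re-identification rate, trace inference rate) for one scheme."""
    ref, orig = make_traces(seed)
    anon = anonymize_by_swap(orig, shift)
    return reid_rate(ref, anon), trace_inference_rate(ref, orig, anon)

if __name__ == "__main__":
    for shift in (0, 1):  # shift=1: re-id 0.00 yet trace inference 1.00
        r, t = evaluate(shift)
        print(f"shift={shift}: re-identification={r:.2f} trace-inference={t:.2f}")
```

The swapped scheme scores zero re-identification because every pseudonym is linked to the wrong owner, while the attacker still recovers every user's full original trace, which is exactly why the contest scores both risks.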