Geo-indistinguishable location obfuscation with inference error bounds

Geo-indistinguishability and expected inference error are two complementary statistical notions for location privacy. The joint guarantee of differential privacy (indistinguishability) and distortion privacy (inference error) limits the information leakage. This paper analyzes the dynamic location obfuscation mechanism called PIVE by Yu, Liu and Pu (NDSS 2017), and shows that PIVE fails to offer either of the privacy guarantees on adaptive Protection Location Sets (PLSs) as claimed. Specifically, we demonstrate that different PLSs could intersect with one another due to the defined search algorithm, and different apriori locations in the same PLS could have different protection diameters which causes the problematic proof of local differential privacy for PIVE. Besides, the condition introduced in PIVE is confirmed to be not sufficient for bounding expected inference errors against Bayesian attacks. To address these issues, we introduce a relaxed definition of geo-indistinguishability, propose a couple of correction approaches, and analyze their satisfied privacy characteristics.