{"title":"Gaining Location Privacy from Service Flexibility: A Bayesian Game Theoretic Approach","authors":"Shu Hong, Lingjie Duan, Jianwei Huang","doi":"10.1109/PST52912.2021.9647853","DOIUrl":null,"url":null,"abstract":"When using location-based services (LBSs), a user obtains points-of-interest $(\\text{P}\\text{o}\\text{I})$ information by providing the LBS platform with his current geo-location. Such a search also leads to potential privacy leakage if an adversary has access to his geo-data. Traditional k-anonymity mechanisms instruct a user to bear the overhead to report his current location together with k-1 dummy locations to confuse the adversary, which only work well given a large number k. Aware of the common practices that a user is actually flexible in service requirement (e.g., as long as the searched PoIs are within his walking distance), we propose a novel approach to help the user gain location privacy from service flexibility for the case of a small number k. By analyzing the strategic interaction between the user and the adversary in a Bayesian game, we prove that the user with service flexibility should never report his real location for searching PoIs nearby. Instead, he should jointly use all k dummy locations to confuse the adversary’s inference of his real location. Take $k=2$ for example, we manage to show that if the adversary is not likely to access both dummy geo-data, the user should report the two dummy locations at two opposite directions of his real location, and otherwise at the same direction. Perhaps surprisingly, our approach may enable the user to benefit from the adversary’s access to more geo-data. 
Finally, extensive simulations using some real data show that our mechanism obviously outperforms k anonymity mechanism especially under a small number k.","PeriodicalId":144610,"journal":{"name":"2021 18th International Conference on Privacy, Security and Trust (PST)","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 18th International Conference on Privacy, Security and Trust (PST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/PST52912.2021.9647853","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
When using location-based services (LBSs), a user obtains points-of-interest (PoI) information by providing the LBS platform with his current geo-location. Such a search also leads to potential privacy leakage if an adversary has access to his geo-data. Traditional k-anonymity mechanisms instruct a user to bear the overhead of reporting his current location together with k-1 dummy locations to confuse the adversary, which only works well given a large number k. Aware of the common practice that a user is actually flexible in his service requirement (e.g., as long as the searched PoIs are within his walking distance), we propose a novel approach to help the user gain location privacy from service flexibility for the case of a small number k. By analyzing the strategic interaction between the user and the adversary in a Bayesian game, we prove that a user with service flexibility should never report his real location when searching for PoIs nearby. Instead, he should jointly use all k dummy locations to confuse the adversary's inference of his real location. Taking $k=2$ as an example, we show that if the adversary is not likely to access both dummy geo-data, the user should report the two dummy locations in two opposite directions from his real location, and otherwise in the same direction. Perhaps surprisingly, our approach may enable the user to benefit from the adversary's access to more geo-data. Finally, extensive simulations using some real data show that our mechanism obviously outperforms the k-anonymity mechanism, especially under a small number k.