# Geo-indistinguishability

## info

* Title: Geo-Indistinguishability: Diifferentail Privacy for Location-Based System
* Miguel E. Andres

* word：
  * intuitive: 直觉的
  * notion: 概念、观点、看法
  * arrondissement: 这是法语，行政区
  * perturbating: 摄动变分法
  * planar: 平面的
  * bandwidth overhead: 带宽开销
  * negligible: 微不足道
  * prohibitive: 贵的
  * once and for all: 一劳永逸
  * dummy localtion: 虚拟地址
  * ubiquity: 无处不在
  * cloak/cloaking: 遮盖掩盖的
  * patch: 补丁、修补
  
## content

Geo-indistinguishablility implies that the user is protected within any radius $r$, but with a level $l = \epsilon r$ that increases with the distance.

The experiments showed that the bandwidth overhead necessary to enhance LBS applications with very high levels of privacy and accuracy is not-prohibitive and, in most cases, negligible for modern applications.

The user expects his location to be kept private: the information sent to the provider should not allow him to accurately infer the user's location.

### K-anonymity

About k-anonymity, many systems aim at protecting the user's identity, requiring that the attacker cannot infer which user is executing the query, among a set of $k$ different users. But this paper is interested in protecting the user's location.

### Counter-measures

Counter-measures, such as taking the environment into account might be complicated and simply be revealed by the attacker's actual side information.

And Differential Privacy, quantization might be similar from my perspective?

In [None]:
a = 5.2
print(int(a))

from random import uniform
delta = uniform(a=-0.5, b=0.5)
a += delta
print(int(a))

### Differential Privacy

It requires that the probability that a query returns a value $v$ when applied to a database $D$, compared to the probability to report the same value when applied to an **adjacent** database $D'$-meaning that $D, D'$ differ in the value of a single individual - should be within a bound of $e^\epsilon$.

It can be successfully applied in cases where aggregate information about several users is published. On the other hand, the nature of this notion makes it poorly suitable for applications in which only a single individual is involved.

### Transformation approaches

Transformation means that transforming all data to a different space, usually employing cryptographic techniques, so that they can be mapped back to spatial information only by user, thereby making it completely invisible to the service provider.

We suppose that $K$ means that **a probabilistic function for selecting a reported value.** $K(x)(Z)$ means the probability that the reported point belongs to the set $Z \subseteq Z'$. $\pi(x)$ is the probability assigned to the location $x$.

Each observation $Z \subseteq Z'$ of a mechanism $K$ induces a posterior distribution

$$
\sigma = Bayes(\pi, K, Z)\ on\ X',\ defined\ as\ \sigma(x) = \dfrac{K(x)(Z)\pi(x)}{\sum_{x'} K(x')(Z)\pi(x')}
$$.

Define that $d_p(\sigma_1, \sigma_2) = sup_{S \subseteq S'} |\ln \dfrac{\sigma_1(S)}{\sigma_2(S)}|$, with the convention that $|\ln \dfrac{\sigma_1(S)}{\sigma_2(S)}| = 0$ if both $\sigma_1(S), \sigma_2(S)$ are 0. $\inf$ if only one of them is 0.

### Geo-indistinguishability

$x, x'$ represent two **points**. Enjoying $l$-privacy within $r$ means that for any $x, x'$ s.t. $d(x, x') \le r$，the distance $d_p(K(x), K(x'))$ between the corresponding distributions should be at most $l$.

Then $\epsilon r$-privacy for all radii $r$, forces the two distributions to be similar for **locations** close to each other, while **relaxing the constraint** for those far away from each other.

Thus.

Geo-indistinguishability means that **A mechanism $K$ satisfies $\epsilon$-geo-indistinguishability if for all $x, x'$**:

$$
d_p(K(x), K(x')) \le \epsilon d(x, x')
$$

Equivalently, $K(x)(Z) \le e^{\epsilon d(x, x')} K(x')(Z),\ for\ all\ x, x' \in X, Z \in Z'$

Geo-indistinguishability is a generalized variant of differential privacy, using an arbitrary metric between secrets.

This paper uses the Hamming metric of standard differential privacy, which aims at completely protecting the value of an individual - would be too strong. This paper are not going to hide the user's location completely. It aims at using a privacy level that depends on the Euclidean distance between locations is a natural choice.

### Characterizations

#### Hiding function

Considerring a function $\phi: X \to X'$, it seems to be S-box in cryptography. Even if an adversary draws the same conclusions, it cannot figure out whether hiding has been applied or not. Of course, slight effect works well, instead of great affection.

Maximum distance $d(\phi) = sup_{x \in X} d(x, \phi(x))$.

Then for all $\phi: X \to X'$, all priors $\pi on X$, and all $Z \subseteq Z':$

$$
d_p(\sigma_1, \sigma_2) \le 2 \epsilon d(\phi),\ where\ \sigma_1 = Bayes(\pi, K, Z), \sigma_2 = Bayes(\pi, K \circ \phi, Z).
$$


#### Abstracting from side information

The goal of a privacy definition is to restrict the information **leakage** caused by the observation. Note that the lack of leakage does not mean that the user's location cannot be inferred, but instead that the adversary's knowledge does not increase due to the **observation**.

Useful LBS query can infer some prior, like city, block and even exact location, to cause leakage caused by observation at a high probability.

Differential privacy does ensure that her risk is the same whether she participates in the database or not, but this might be misleading.