Location Privacy

Tell me where you go, I tell you who you are.

Overview

The widespread adoption of continuously connected smartphones and tablets has driven the use of mobile applications, many of which rely on location to provide geolocated services. These services offer new prospects for users: getting directions to work in the morning, checking in at a restaurant at noon and consulting the next day's weather in the evening are all possible from any mobile device with an embedded GPS chip. In these location-based applications, the user's location is sent to a server, which uses it to provide contextual and personalised answers. However, nothing prevents that server from gathering, analysing and possibly sharing the collected information, which opens the door to many privacy threats. Indeed, mobility data can reveal sensitive information about users, including their home, workplace or even religious and political preferences. For this reason, many privacy-preserving mechanisms have been proposed in recent years to enhance location privacy while using geolocated services.
This web site presents the main inference attacks (i.e., re-identification attacks) and the protection mechanisms developed by our research team.

User Re-identification Attacks

A user re-identification attack (or de-anonymization attack) is an inference attack whose main objective is to associate an anonymous (and/or obfuscated) mobility trace with its originating user, based on previously collected background knowledge from which the attack builds a set of user profiles. Various user re-identification attacks have been proposed in the literature. What distinguishes these attacks is the way they represent user profiles. In this section, we list the user re-identification attacks developed by our research team.

Attack        Description
POI-Attack    Points of Interest Attack
AP-Attack     All Points Attack
FURIA         A Federated User Re-Identification Attack

Location Privacy Protection Mechanisms

To mitigate location privacy threats, many location privacy protection mechanisms (LPPMs for short) have been proposed in the literature. Their goal is to protect the location privacy of users while still allowing them to enjoy geolocated services. An LPPM can be defined as a function which takes as input one or multiple mobility records of a given user and produces as output an obfuscated version of this data. LPPMs rely on a wide array of techniques, ranging from data perturbation to data encryption, and including data generalization and fake data generation. LPPMs can be classified in two categories: online/semi-online LPPMs and offline LPPMs.
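To make the definition of an LPPM as a function over mobility records concrete, here is an added example (not code from our team's mechanisms) implementing two of the techniques named above, data generalization and data perturbation, over records in the r = (lat, lng, t) format used in the Mobility Datasets section, together with a simple spatial utility metric. The sample trace, the grid size and the epsilon value are constructed for illustration.

```python
import math
import random
from typing import List, NamedTuple

class Record(NamedTuple):
    """One spatio-temporal record r = (lat, lng, t); t is a UNIX timestamp."""
    lat: float
    lng: float
    t: int

# Constructed sample trace (not taken from any real dataset): three records of one user.
TRACE = [
    Record(45.7640, 4.8357, 1_600_000_000),
    Record(45.7655, 4.8402, 1_600_000_300),
    Record(45.7671, 4.8451, 1_600_000_600),
]

def haversine_m(a: Record, b: Record) -> float:
    """Great-circle distance in metres between two records (timestamps ignored)."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlng = p2 - p1, math.radians(b.lng - a.lng)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlng / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

def generalize(trace: List[Record], cell_deg: float = 0.01) -> List[Record]:
    """Generalization LPPM: snap every record to the centre of a cell_deg x cell_deg grid cell."""
    def snap(v: float) -> float:
        return math.floor(v / cell_deg) * cell_deg + cell_deg / 2
    return [Record(snap(r.lat), snap(r.lng), r.t) for r in trace]

def perturb(trace: List[Record], epsilon: float, seed: int = None) -> List[Record]:
    """Perturbation LPPM: add planar Laplace noise (geo-indistinguishability style) to each record.
    epsilon is per metre; the noise radius follows Gamma(2, 1/epsilon), i.e. mean 2/epsilon metres."""
    rng = random.Random(seed)
    out = []
    for r in trace:
        radius = rng.gammavariate(2, 1 / epsilon)
        theta = rng.uniform(0, 2 * math.pi)
        dlat = radius * math.sin(theta) / 111_320                                   # metres per degree of latitude
        dlng = radius * math.cos(theta) / (111_320 * math.cos(math.radians(r.lat)))  # shrinks with latitude
        out.append(Record(r.lat + dlat, r.lng + dlng, r.t))
    return out

def utility_loss_m(original: List[Record], protected: List[Record]) -> float:
    """Mean displacement in metres introduced by an LPPM: a simple spatial utility metric."""
    return sum(haversine_m(a, b) for a, b in zip(original, protected)) / len(original)

if __name__ == "__main__":
    print("generalization loss:", round(utility_loss_m(TRACE, generalize(TRACE)), 1), "m")
    print("perturbation loss:  ", round(utility_loss_m(TRACE, perturb(TRACE, 0.01, seed=42)), 1), "m")
```

Both functions keep the timestamp untouched, so the temporal dimension remains exposed; this is exactly why the protection of whole datasets and of the temporal dimension is treated separately by offline LPPMs.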

Online/Semi-Online LPPMs
In online (e.g., real-time use cases) and semi-online (e.g., crowd sensing applications) scenarios, users regularly send single or multiple mobility records to a Location Based Service (LBS) in order to request specific information about their surroundings, for example in POI retrieval applications, weather applications and navigation applications. In this category of LPPMs, we find the following LPPMs, developed by our location privacy team.

LPPMs Description
Promesse
EDEN

Offline LPPMs
Offline LPPMs come into play once an LBS has collected mobility data and wants to publish it, whether for commercial or non-profit purposes (e.g., sharing data with a marketing company or releasing a dataset as open data). Instead of protecting locations on the fly, offline LPPMs protect whole mobility datasets at once.

LPPM    Description
PULP    Achieving Privacy and Utility Trade-off in User Mobility Data
ALP     Adaptive Location Privacy
HMC     HeatMap Confusion
MOOD    MObility data privacy as Orphan Disease

Mobility Datasets

In our experiments, our team uses four real mobility datasets: (1) PrivaMov, which contains the mobility of 48 students and staff members in the city of Lyon; (2) Geolife, which contains the mobility of 42 users, mainly in the city of Beijing; (3) MDC, which contains the mobility data of 144 users in the city of Geneva; and (4) Cabspotting, which contains the mobility of 536 cab drivers in the city of San Francisco. A mobility trace consists of a sequence of spatio-temporal records r = (lat,lng,t) associated with a given user, where "lat" and "lng" are the latitude and longitude of the GPS coordinates and "t" is a timestamp.

Dataset Description
Privamov
Geolife
MDC
Cabspotting