[1] Bin Zan, Peng Hao, Marco Gruteser, and Xuegang Ban. VTL Zone-Based Path Cloaking Algorithms. To be presented at the 14th International IEEE Conference on Intelligent Transportation Systems (ITSC 2011).

[2] Zhanbo Sun, Bin Zan, Xuegang Ban, Marco Gruteser, and Peng Hao. Evaluation of Privacy Preserving Algorithms Using Traffic Knowledge Based Adversary Models. To be presented at the 14th International IEEE Conference on Intelligent Transportation Systems (ITSC 2011).

[3] Baik Hoh and Marco Gruteser. Preserving Privacy in GPS Traces via Uncertainty-Aware Path Cloaking. In Proceedings of ACM CCS, 2007.



Privacy Algorithms for Traffic Probe Applications

Project Objectives:

The goal of this research is to develop concepts and methodologies that can be used to co-design transportation modeling methods and privacy protection techniques in collecting and using data from mobile traffic sensors.


Technology Rationale:
Mobile sensors such as cell phones move with the traffic flow they are monitoring, as opposed to fixed-location sensors in the road infrastructure. They promise low-cost collection of traffic data but also raise privacy concerns, since their information is more closely tied to individual vehicles.

The technology rationale behind our proposal is to consider privacy protection and traffic modeling simultaneously: being aware of the effects of applying privacy schemes to data when developing modeling methods, and being aware of data needs when designing privacy preserving mechanisms. This is possible because the data needs of modeling do not necessarily have to be compromised to ensure privacy protection: an application-aware design of privacy algorithms can retain the features important for the application while still achieving privacy by removing features that are less important. The key is to find the best balance between data collection / processing and privacy protection, so that (1) novel privacy protection schemes can be developed to collect the most appropriate mobile data elements, and (2) new mobile-data-based modeling methods can be developed in parallel to make the best use of privacy-preserving mobile data when extracting information.

Technical Approach:

We approach the problem by designing privacy algorithms that filter location data to make the data less identifiable but also retain details important for the application. As an example, we developed a zone-aware privacy algorithm to filter location traces, which still takes into account traffic density and uncertainty. This allows the algorithm to release location traces only in the intersection zones where data is needed by the application, yet still offer a fixed degree of privacy independent of traffic density.

As shown in the figure, the zone-aware privacy algorithm/system adds a location proxy server between the traffic probe server and the vehicles. The system also deploys virtual trip line (VTL) zones on target road sections to define where data is important for the application. An individual vehicle uploads its GPS trace and sensing data to the location proxy server when it is inside a VTL zone. Privacy protection processing is performed at the location proxy server, where the ID of each vehicle is removed before the data are handed over to the application server (basic anonymization technique). Furthermore, data that carry a high risk of disclosing private information (movement pattern/trajectory) are filtered out (advanced filtering technique).

With the assumption that the application server is untrusted and that the adversary could have access to it, the proposed algorithm includes three major steps. The first is to study the empirical distribution of travel time between two VTL zones. The second is to compute the path likelihood from one VTL zone to the other. The final step is to determine, based on the tracking uncertainty calculation, whether a set of traces can be disclosed to the application server. Interested readers may refer to our papers [1] and [2] for more details.
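The three steps above, worked through on constructed timings, as an added illustration that is not the project's own implementation. The histogram travel-time model, the assumption that an adversary links each zone-B entry to one zone-A exit, and the normalisation of entropy by its maximum over the plausible candidates are my own simplifications; the 0.95 entropy threshold is the one used in the evaluation below.

```python
"""Simplified VTL zone-based path cloaking decision (added example, not the
project's code). Travel-time model and entropy normalisation are assumptions."""
from collections import Counter
from math import log2
# Constructed data: travel times (s) observed between VTL zone A and zone B,
# exit times from zone A per vehicle, and entry times into zone B per trace.
TRAVEL_TIMES = [105, 112, 118, 121, 125, 128, 133, 138]
EXITS = {"v1": 1, "v2": 3, "v3": 5, "v4": 200}
ENTRIES = {"e1": 120, "e2": 330, "e3": 122}

def empirical_travel_time(samples, bin_width=10.0):
    """Step 1: empirical travel-time distribution between two VTL zones,
    represented as a histogram over fixed-width bins (assumed model)."""
    counts = Counter(int(s // bin_width) for s in samples)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}, bin_width

def path_likelihood(dist, exit_time, entry_time):
    """Step 2: likelihood that a vehicle leaving zone A at exit_time is the
    one entering zone B at entry_time, read off the histogram."""
    hist, width = dist
    delta = entry_time - exit_time
    return hist.get(int(delta // width), 0.0) if delta >= 0 else 0.0

def tracking_uncertainty(dist, exits, entry_time):
    """Step 3: entropy of the adversary's posterior over which zone-A exit
    produced this zone-B entry, normalised by its maximum over the plausible
    candidates (assumption), so 1.0 means the candidates are indistinguishable."""
    likes = [path_likelihood(dist, t, entry_time) for t in exits.values()]
    plausible = [l for l in likes if l > 0]
    if len(plausible) < 2:          # unique (or no) match: nothing to hide behind
        return 0.0
    total = sum(plausible)
    probs = [l / total for l in plausible]
    entropy = -sum(p * log2(p) for p in probs)
    return entropy / log2(len(plausible))

def release_decision(dist, exits, entries, threshold=0.95):
    """Disclose a zone-B trace to the application server only when the
    tracking uncertainty meets the entropy threshold (0.95 as in the text)."""
    return {tid: tracking_uncertainty(dist, exits, t) >= threshold
            for tid, t in entries.items()}

def demo():
    dist = empirical_travel_time(TRAVEL_TIMES)
    return release_decision(dist, EXITS, ENTRIES)

if __name__ == "__main__":
    print(demo())   # e1 and e3 released, e2 (only v4 fits) withheld
```

Trace e2 is withheld because only one zone-A exit (v4) has a plausible travel time, so the adversary could link the two zones with certainty.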



Progress To Date and Future Work Plan:
We have compared the proposed VTL zone-based path cloaking algorithm with the zone-unaware path cloaking algorithm of Hoh et al. [3]. First, we ran both algorithms on the collected data to remove samples that do not meet the privacy requirement, with the entropy metric set to 0.95, and then used the remaining samples as input to a mobile sensing traffic probe (MSTP) application. Figure 2 depicts trajectories before and after cloaking with the zone-unaware algorithm. Blue solid lines and dots represent the entire trajectories, and red dots represent the portions removed during cloaking. As the figure shows, about one third of the samples are removed after cloaking. Some remaining vehicles have only discontinuous or incomplete trajectories in the area of interest (between the black horizontal solid lines). As a consequence, more than half of the travel time data are lost, and under this circumstance the MSTP application model does not perform well. In contrast, the proposed algorithm removes only 3% of the collected samples, and it achieves the same success rate as when no sample is removed. Table I also shows that the application success rate increases from 39% to 82% when using the zone-based algorithm.


In our future work, the privacy algorithms need to be tested against a more sophisticated adversary model that incorporates more traffic knowledge. One example of such an adversary model is one that can classify vehicle type from the GPS data. The privacy protection algorithm needs to be improved so that either the adversary cannot perform this classification correctly, or the improved algorithm limits the usefulness of vehicle type information for re-identifying a target vehicle.


Prof. Marco Gruteser

732-932-6857 Ext. 649

gruteser (AT) winlab (DOT) rutgers (DOT) edu



Copyright © 2004-2012 WINLAB, Rutgers, The State University of New Jersey