WO2022167217A1 - Mobile device, server, computer program and methods for privacy preservation - Google Patents


Info

Publication number
WO2022167217A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
user
distorted
population density
distorting
Prior art date
Application number
PCT/EP2022/051051
Other languages
English (en)
Inventor
Alexandru SERBANATI
Thomas CARETTE
Original Assignee
Sony Group Corporation
Sony Europe B.V.
Application filed by Sony Group Corporation and Sony Europe B.V.
Publication of WO2022167217A1


Classifications

    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (H Electricity › H04 Electric communication technique › H04W Wireless communication networks › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/61 Time-dependent (H04W 12/60 Context-dependent security)
    • H04W 12/63 Location-dependent; Proximity-dependent (H04W 12/60 Context-dependent security)

Definitions

  • Mobile device, server, computer program, and methods for privacy preservation
  • Embodiments of the present disclosure relate to a mobile device, a server, a computer program, and methods for privacy preservation.
  • the present disclosure relates to a concept for processing information on a position of a user for privacy preservation.
  • Various applications in information technology provide for collecting information on a position of users.
  • the information on the position of users allows location-based applications, such as location-based services and/or location-based analyses of user data.
  • the collection of information on a position of users may raise privacy concerns because such information may lead to identification of users.
  • Embodiments of the present disclosure provide a method for privacy preservation.
  • the method comprises obtaining information on a position of a user.
  • the method also comprises obtaining information on a population density in an environment of the user.
  • the method comprises distorting the information on the user’s position based on the information on the population density for privacy preservation and providing the distorted information on the user’s position.
  • the information on the position may be indicative of a true or real position of the user which may be a geographic position of the user, an area, or an address where the user is located.
  • the information on the position may be obtained using various positioning techniques, e.g. satellite-based radio positioning, mobile phone tracking, camera-based or optical positioning, radio frequency identification (RFID)-based localization, etc.
  • the information on the population density is, e.g., indicative of a number of persons, residents, and/or other users in a predefined environment of the user, i.e. a predefined area surrounding the user.
  • the population density e.g., is determined based on the information on the position of the user.
  • the information on the population density is obtained from a local or external database or map indicative of the population density.
  • the environment may be defined differently.
  • the environment is a predetermined area in a predefined perimeter of the user.
  • the environment is a country, a state, a city, a district where the user is located.
  • the information on the user’s position may be used.
  • Embodiments of the present disclosure are based on the finding that the privacy of the user can be protected by distorting the information on the (true) position of the user. Another finding is that the higher the population density, the less distortion of the information on the user’s position suffices to obfuscate or anonymize the information, i.e. to avoid that the information on the position can be associated with the user or his/her identity.
  • the bias may decrease with an increasing population density in the environment and vice versa. In other words, an amplitude of the bias decreases when the population density increases.
  • the bias may be inversely proportional to the population density.
  • the bias and the population density may also relate to each other in other ways.
  • the distorted information on the user’s position e.g., is indicative of a position that deviates from the true position by the aforementioned bias. As a result, the distorted information on the user’s position cannot be (unambiguously) associated with the user. This allows the user to provide the distorted information on the user’s position to other (untrustworthy) entities while the user’s privacy is still preserved irrespective of the population density in the environment of the user.
  • the method may further comprise obtaining information on an intended accuracy of the position and distorting the information on the user’s position may comprise distorting the information on the user’s position based on the information on the intended accuracy.
  • the intended accuracy e.g., is indicative of a maximum allowed distortion of the information on the user’s position which (still) allows exploitation of the distorted information for a predefined purpose or in a predefined use case. Accordingly, the bias may be determined such that the distorted information is consistent with the intended accuracy.
  • the intended accuracy e.g., is 10 km. Accordingly, the bias is lower than or equal to 10 km. It is noted that the intended accuracy may be also defined otherwise. Also, a relation between the intended accuracy and the bias may be different. The relation between the intended accuracy and the bias may involve other factors, like cellular-network-cell size, (pre-calculated) population density, and/or recency of information sharing.
  • the method described herein can be executed by any trusted/trustworthy entity (e.g. a trusted server).
  • a device controlled by the user e.g., a mobile (communications) device, e.g. a mobile phone, a tablet, a game console, or a wearable, of the user.
  • the method proposed herein enables location-based monitoring of one or a plurality of users while preserving the privacy of the users.
  • the method may further comprise obtaining user-specific data and providing the user-specific data together with the distorted information on the user’s position.
  • This e.g., enables a location-based analysis of the user-specific data while the privacy of users is still preserved.
  • the user-specific data e.g., comprises or is indicative of personal information (e.g. name, date of birth/age, political convictions, etc.).
  • obtaining user-specific data may comprise requesting user-specific data from the user or receiving the user-specific data on behalf of the user from a third party.
  • the user-specific data comprises information on a health status of the user.
  • the user-specific data e.g., is indicative of a body temperature, symptoms, and/or a medication of the user.
  • This e.g., allows location-based analysis of the health status of a plurality of users, e.g., in order to trace an epidemic and/or pandemic outbreak while the privacy of users is still preserved.
  • the mobile device may be configured to determine the health status by monitoring body functions and/or vital signs (e.g. body temperature, pulse, respiratory rate, blood pressure, etc.) of the user.
  • the mobile device e.g., comprises a thermometer for monitoring the body temperature of the user.
  • Further embodiments provide a method for a server.
  • the method comprises receiving information on a position of at least one user.
  • the information on the position is distorted based on information on a population density in an environment of the user.
  • the method comprises processing the distorted information on the user’s position using the information on the population density.
  • the information was distorted in accordance with the method for privacy preservation.
  • the server e.g., collects distorted information on the position of a number of users.
  • Processing the distorted information e.g., comprises analyzing the distorted information on the position based on the information on the population density using statistical inference.
  • Statistical inference e.g., allows to determine a model of a spatial distribution of the users. In doing so, the information on the population density may serve as a measure for the uncertainty of positions in the information on the position of the users for a more precise model of the spatial distribution.
  • Bayesian inference and/or likelihoodist statistics may be used, for example. In this way, a sufficiently precise model of the spatial distribution of the users may be determined while the privacy of the users is still preserved.
  • processing the distorted information comprises generating a map based on the distorted information on the position and the population density.
  • the map is indicative of a spatial distribution of the plurality of users.
  • the map indicates the model of the spatial distribution of the users determined by statistical inference.
  • the server receives user-specific data of the plurality of users (together with the information on their position) and generating the map comprises generating the map based on the user-specific data.
  • the map e.g., is indicative of a spatial distribution and the user-specific data.
  • the user-specific data comprises information on a health status of the users. This, e.g., allows to trace the spread of diseases.
  • Further embodiments provide a computer program comprising instructions, which, when the computer program is executed by a processor, cause the processor to carry out any one of the methods proposed herein.
  • a mobile device comprising one or more interfaces for communication and a data processing circuit configured to control the one or more interfaces. The data processing circuit and the one or more interfaces are configured to execute one of the methods for privacy preservation.
  • a server comprising one or more interfaces for communication and a data processing circuit configured to control the one or more interfaces.
  • the data processing circuit and the one or more interfaces are configured to execute one of the methods for the server.
  • Fig. 1 illustrates a flow chart schematically illustrating an embodiment of a method for privacy preservation
  • Fig. 2 illustrates a flow chart schematically illustrating an embodiment of a method for a server
  • Fig. 3 illustrates a block diagram schematically illustrating an embodiment of a mobile device and a server
  • Fig. 4 illustrates a block diagram schematically illustrating an exemplary use case of the proposed concept
  • Fig. 5 illustrates a diagram schematically depicting a noise update mechanism.
  • Global health concerns drive the need to monitor epidemics and pandemics in better ways.
  • One way is to have geolocalized monitoring of fever. This, e.g., entails mapping a body temperature of users onto their spatial distribution.
  • the mapping e.g., allows to detect epidemic outbreaks sufficiently early and to take measures in order to at least mitigate health crises.
  • the body temperature e.g., is mapped based on the position of users. Information on the position, though, may allow identification of the users and is therefore very sensitive.
  • there may be a demand for privacy preservation in location-based applications e.g., for tracking an epidemic.
  • Fig. 1 illustrates a flow chart schematically illustrating an embodiment of a method 100 for privacy preservation.
  • Method 100 comprises obtaining 110 information on a position of a user.
  • Obtaining 110 information on the position of the user e.g., comprises localizing the user.
  • various positioning or localization techniques, e.g. satellite-based radio positioning, mobile phone tracking, camera-based, and/or radio frequency identification (RFID)-based localization, may be used.
  • obtaining 110 the information on the position comprises receiving the information on the position from an external entity.
  • Method 100 further comprises obtaining 120 information on a population density in an environment of the user.
  • the environment is a predefined area where the user is located. Also, a number of other persons and/or users may be located therein.
  • the environment e.g., is a state, a city, a street, or an arbitrarily defined area. The more persons or users are located in the environment, the higher may be the population density.
  • the population density e.g., is the demographic population density in the environment.
  • the information on the population density indicates the demographic population density of a city where the user is located.
  • the population density is a density of other users or devices in the environment.
  • method 100 comprises distorting 130 the information on the user’s position based on the information on the population density for privacy preservation.
  • the (actual/true) position e.g., is added to and/or multiplied by a bias.
  • the bias is sufficiently large to distort the actual position to such an extent that the distorted information cannot be (unambiguously) associated with the user or distinguished from positions of other persons or users in the environment.
  • the bias may be inversely related to the population density. For example, the lower the population density, the higher is the bias. Conversely, the bias can be lower when the population density is higher while the privacy is still preserved.
  • the bias e.g., is a default device bias of a device executing method 100.
  • noise mechanisms may be used to add individually defined noise values from one or more noise distributions to the bias. Therefore, the bias may include one or more noise values from a predefined noise distribution.
  • distorting 130 the information on the user’s position may comprise adding one or more noise values (selected) from a predefined noise distribution to the user’s position for distorting the information on the user’s position. Distorting 130 the information on the user’s position using the one or more noise values from the predefined noise distribution, e.g., makes the resulting distorted information on the user’s position more resistant against identification than using a default device bias.
  • the predefined noise distribution can be understood as a probability density function and, e.g., is an exponential distribution, a normal distribution, or a combination thereof and the noise values are selected in accordance with probabilities indicated by the noise distribution. For the exponential or normal distribution, e.g., larger noise values are selected with less probability.
  • a width of the noise distribution may relate to the population density.
  • the noise may be applied using additive noise mechanisms, e.g. the Laplace mechanism or the Gaussian mechanism.
  • while a static bias can hide an absolute position, it can reveal a trajectory of the user when compared with other distorted information on the user’s position and a map of allowed positions or trajectories for the user.
  • the trajectory can be used to separate the bias from the exact information.
  • the bias e.g., comprises a static bias and a (smaller) additional bias evolving/varying over time.
  • Method 100 also comprises providing 140 the distorted information on the user’s position.
  • Method 100 e.g., is performed on or by a mobile device (e.g. a mobile phone, tablet, or any other mobile communications device) of the user.
  • method 100 is executed by a trusted entity remote from the user (e.g. a trusted server operating on behalf of the user).
  • method 100 is executed partly on both the mobile device and the trusted entity.
  • providing 140 the distorted information may provide for transmitting the distorted information from the mobile device or the trusted entity to an external server.
  • the external server thus, can exploit the distorted information on the user’s position for various purposes.
  • An exemplary purpose is the determination of a spatial distribution of a plurality of users.
  • Another exemplary purpose is the monitoring of epidemics and/or pandemics, as stated in more detail later.
  • method 100 further comprises obtaining information on an intended accuracy of the position and distorting 130 the information on the user’s position comprises distorting the information on the user’s position based on the information on the intended accuracy.
  • the intended accuracy e.g., is indicative of a maximum allowed distortion of the information on the user’s position which (still) allows exploitation of the distorted information for a predefined purpose. Accordingly, the bias may be determined such that the distorted information is consistent with the intended accuracy.
  • the information on the intended accuracy e.g., is indicative of the intended accuracy of the spatial distribution of users or an intended accuracy for monitoring epidemics and/or pandemics.
  • the information on the intended accuracy e.g., allows distorting the information on the user’s position no more than is consistent with the intended accuracy. Thus, for example, the distortion of the user’s position is no higher than is consistent with an intended accuracy for monitoring epidemics and/or pandemics.
  • steps of method 100 are executed iteratively.
  • obtaining 110 the information on the position comprises obtaining first information on the position of the user at a first time and obtaining second information on the position of the user at a second time.
  • the first information on the user’s position e.g., indicates a first position of the user and the second information indicates a second position of the user, wherein the first and the second position may differ when the user moves.
  • method 100 may comprise determining a first bias and at least one second bias different from the first bias. The bias for distorting the information on the user’s position may vary with time and/or other quantities.
  • distorting 130 the information on the user’s position may comprise distorting the first information on the user’s position using the first bias and distorting the second information on the user’s position using the second bias.
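The device-side distortion described above (bias inversely related to population density, capped by the intended accuracy, a static per-device bias plus a smaller time-varying Laplace component, and the area-only fallback at very low density), as an added example that is not code from the patent or from Sony: it assumes a local metre frame, a hypothetical anonymity target `k_overlap` that turns density into a noise scale (the radius of a disc holding about that many persons), a hypothetical `min_density_per_km2` threshold, and clips the total offset to the intended accuracy.

```python
import math
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PrivacyConfig:
    # Persons whose plausible positions should overlap the user's distorted
    # position (assumed anonymity target; not a value from the description).
    k_overlap: float = 100.0
    # Maximum allowed distortion: the description's 10 km example, in metres.
    intended_accuracy_m: float = 10_000.0
    # Below this density only the coarse area is reported (hypothetical threshold).
    min_density_per_km2: float = 0.5
    # Share of the noise scale carried by the per-device static bias; the rest is
    # the smaller, time-varying Laplace noise added freshly to every report.
    static_bias_fraction: float = 0.6


@dataclass(frozen=True)
class Report:
    area_id: str                 # coarse area (city/district) chosen by the device
    x_m: Optional[float]         # distorted east coordinate; None if only the area is reported
    y_m: Optional[float]         # distorted north coordinate
    scale_m: Optional[float]     # noise scale used, shared so the server can model uncertainty


def noise_scale_m(density_per_km2: float, cfg: PrivacyConfig) -> float:
    """Radius in metres of the disc holding about k_overlap persons at the given
    density, capped by the intended accuracy. Lower density -> larger scale."""
    if density_per_km2 <= 0.0:
        return cfg.intended_accuracy_m
    density_per_m2 = density_per_km2 / 1e6
    radius = math.sqrt(cfg.k_overlap / (math.pi * density_per_m2))
    return min(radius, cfg.intended_accuracy_m)


def offset_m(report: Report, true_x_m: float, true_y_m: float) -> float:
    """Distance between the reported and the true position (metres)."""
    return math.hypot(report.x_m - true_x_m, report.y_m - true_y_m)


class PositionDistorter:
    """Device-side distortion: static bias plus time-varying Laplace noise."""

    def __init__(self, cfg: PrivacyConfig, seed: Optional[int] = None) -> None:
        self.cfg = cfg
        self.rng = random.Random(seed)
        # The static bias direction is fixed once per device; it hides the
        # absolute position but on its own would leak the trajectory shape.
        angle = self.rng.uniform(0.0, 2.0 * math.pi)
        self._static_dir = (math.cos(angle), math.sin(angle))

    def _laplace(self, scale: float) -> float:
        # Inverse-CDF sample of a zero-mean Laplace(scale) value.
        u = self.rng.random() - 0.5
        return -scale * math.copysign(1.0, u) * math.log(max(1e-12, 1.0 - 2.0 * abs(u)))

    def static_bias_m(self, density_per_km2: float) -> Tuple[float, float]:
        s = noise_scale_m(density_per_km2, self.cfg) * self.cfg.static_bias_fraction
        return (self._static_dir[0] * s, self._static_dir[1] * s)

    def distort(self, x_m: float, y_m: float, density_per_km2: float, area_id: str) -> Report:
        # Too few people around: any coordinate would single the user out, so
        # report only the coarse area (the description's below-threshold fallback).
        if density_per_km2 < self.cfg.min_density_per_km2:
            return Report(area_id, None, None, None)
        scale = noise_scale_m(density_per_km2, self.cfg)
        bx, by = self.static_bias_m(density_per_km2)
        # Time-varying part: fresh noise per report, so successive reports do not
        # let an observer subtract one constant offset from the whole trajectory.
        var_scale = scale * (1.0 - self.cfg.static_bias_fraction)
        dx = bx + self._laplace(var_scale)
        dy = by + self._laplace(var_scale)
        # Laplace noise is unbounded; clip the total offset so the report stays
        # usable for the intended accuracy (this slightly truncates the tails).
        norm = math.hypot(dx, dy)
        if norm > self.cfg.intended_accuracy_m:
            f = self.cfg.intended_accuracy_m / norm
            dx, dy = dx * f, dy * f
        return Report(area_id, x_m + dx, y_m + dy, scale)
```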
  • method 100 also comprises obtaining user-specific data and providing the user-specific data together with the distorted information on the user’s position. This, e.g., allows data analyses with respect to the user-specific data.
  • providing the user-specific data together with the distorted information on the user’s position comprises distorting the user-specific data and providing the distorted user-specific data together with the distorted information on the user’s position, e.g., in order to enhance the privacy preservation.
  • the user-specific data e.g., comprise information on an age, gender, and/or the like of the user.
  • the user-specific data comprises information on a health status of the user, for example, in order to enable tracking the spread of a disease or a virus.
  • method 100 may comprise obtaining information on the health status of the user.
  • the information on the health status e.g., includes the body temperature, information on symptoms, and/or information on encounters with sick and/or infected persons. In this way, epidemics and/or pandemics may be tracked.
  • the mobile device e.g. the wearable, may be also configured to measure vital signs (e.g. body temperature, pulse, respiratory rate, and/or blood pressure) of the user.
  • method 100 may be performed by mobile devices of a plurality of users.
  • the external server may receive distorted information on the position of several users. This allows the external server, e.g., to determine a spatial distribution of the users while still preserving the privacy of the users.
  • Such a method is stated in more detail with reference to Fig. 2.
  • Fig. 2 illustrates a flow chart schematically illustrating an embodiment of a method 200 for a server.
  • the server can be understood as any infrastructure device for processing information.
  • the server comprises one or a number of communicatively coupled data processing devices, hardware components, and/or the like.
  • Method 200 comprises receiving 210 information on a position of at least one user.
  • the information on the position is distorted based on information on a population density in an environment of the user, e.g., in accordance with method 100.
  • the server may receive such distorted information on the position of a plurality of users.
  • method 200 comprises processing 220 the distorted information on the user’s position using the information on the population density.
  • Processing 220 the distorted information on the user’s position e.g., provides for a data analysis based on the distorted information on the user’s position and the information on the population density.
  • a data analysis, e.g., statistical inference such as Bayesian inference or likelihoodist statistics, is applied.
  • the information on the population density influences the extent (e.g. the bias) to which the information on the user’s position has been distorted.
  • the information on the population density is indicative of an uncertainty of the distorted information on the user’s position.
  • the information on the population density therefore allows making assumptions or estimates about one or more parameters for the data analysis and, thus, enables an increased efficiency as well as an increased precision and/or reliability of an outcome (e.g. the spatial distribution) of the data analysis.
  • the information on the population density e.g., allows to assume or estimate the hyperparameter a.
  • a precision of the outcome may be further enhanced with more information on the distortion for the data analysis.
  • information on the noise distribution used for distorting 130 the information and/or on one or more parameters or predefined limits for such parameters is provided to the server for the data analysis.
  • Processing 220 the distorted information may also comprise generating a map based on the distorted information on the position and the population density.
  • the map e.g., indicates the spatial distribution of the plurality of users.
  • the spatial distribution e.g., allows the server to determine a population density of users.
  • the population density of users may serve as information on the population density.
  • method 200 may comprise receiving user-specific data of the plurality of users.
  • generating the map may comprise generating the map based on the user-specific data.
  • the map may be indicative of a spatial distribution and the user-specific data.
  • the user-specific data may comprise information on a health status (e.g. the body temperature, symptoms, or the like) of the users.
  • the map e.g., indicates the body temperature of the users and where the users on average have a higher body temperature and/or more symptoms than elsewhere. Hence, one can track the spread of a disease or virus causing fever and/or characteristic symptoms using the map.
  • method 100 and method 200 can be understood as complementary methods for privacy preserving location-based applications or concepts, e.g., for tracking an epidemic.
  • the methods 100 and 200 are executed by a mobile device of the user and a server, respectively.
  • Fig. 3 illustrates a block diagram schematically illustrating an embodiment of a mobile device 300 and a (external) server 400.
  • Both the mobile device 300 and the server 400 comprise one or more interfaces 312 or 412, respectively, for communication.
  • the mobile device 300 and the server 400 both comprise a data processing circuit 314 or 414, respectively, configured to control the one or more interfaces 312 or 412, respectively.
  • the data processing circuit 314 and the one or more interfaces 312 are configured to execute an embodiment of method 100.
  • the data processing circuit 414 and the one or more interfaces 412 are configured to execute an embodiment of method 200.
  • the mobile device 300 may be a mobile communications device of the user and the server 400 may be any infrastructure device or system for processing information.
  • the one or more interfaces 312 and 412 may correspond to or comprise any means for obtaining, receiving, transmitting or providing analog or digital signals or information, e.g. any connector, contact, pin, register, input port, output port, conductor, lane, etc. which allows providing or obtaining a signal or information.
  • An interface may be wireless or wireline and it may be configured to communicate, i.e. transmit or receive signals, information with further internal or external components.
  • the one or more interfaces 312 and 412 may comprise any components to enable according communication between the mobile device 300 and the server 400.
  • Such components may include transceiver (transmitter and/or receiver) components, such as one or more Low-Noise Amplifiers (LNAs), one or more Power-Amplifiers (PAs), one or more duplexers, one or more diplexers, one or more filters or filter circuitry, one or more converters, one or more mixers, accordingly adapted radio frequency components, etc.
  • the interfaces 312 and 412 are configured to access and use a wireless local area network and/or a cellular network for the communication between the mobile device 300 and the server 400.
  • the data processing circuit 314 and 414 may be implemented using one or more processing units, one or more processing devices, any means for processing, such as a processor, a computer or a programmable hardware component being operable with accordingly adapted software.
  • the described function of the data processing circuit 314 or 414 may as well be implemented in software, which is then executed on one or more programmable hardware components.
  • Such hardware components may comprise a general-purpose processor, a Digital Signal Processor (DSP), a micro-controller, etc.
  • the data processing circuit 314 may be configured to carry out any of the methods 100 and the data processing circuit 414 may be configured to carry out any of the methods 200 described herein.
  • the data processing circuit 314 is configured to obtain information on a position of a user, obtain information on a population density in an environment of the user, and distort the information on the user’s position based on the information on the population density for privacy preservation.
  • the data processing circuit 314 is configured to provide the distorted information on the user’s position via the one or more interfaces 312.
  • the data processing circuit 414 may, e.g., receive the distorted information on the user’s position through the one or more interfaces 412 and process the distorted information on the user’s position according to method 200, e.g., for data analysis.
  • Fig. 4 illustrates a block diagram schematically illustrating an exemplary use case of the proposed concept.
  • the objective e.g., is to generate a fever heatmap 440 indicative of the body temperature of a plurality of users.
  • the proposed concept is illustrated (only) for one user carrying mobile device 300 and the server 400 in Fig. 4.
  • the proposed concept may be also applied to a plurality of users.
  • a plurality of users or respective user devices may provide distorted information on their position to generate the above heatmap.
  • the mobile device 300 obtains a position of the user for the information on the user’s position using GPS or mobile phone tracking and information on a body temperature of the user.
  • the mobile device 300 may be configured to observe the body temperature, e.g., using one or more temperature sensors (not shown).
  • the mobile device 300 may in a step A query information on the population density in the environment of the user of the mobile device 300.
  • the mobile device 300 may select for the environment, based on the position of the user, an area where the user is located from a plurality of predefined areas in a database 316 and provide the server 400 with the area where the user is located.
  • the area e.g., is a city, a district, or a street where the user is located. Naturally, the area is large enough to avoid that the user can be identified based on this area.
  • the server 400 determines, based on the area, an amount of distorted information 418 on the position of one or more other users in the environment/area.
  • the amount of distorted information 418 e.g., is indicative of a number of data points indicating the (distorted) position of one of the users which the server 400 received in a predefined period of time.
  • the distorted information on the position of the other users e.g., was also generated according to the proposed concept.
  • the server 400 may select for the information on the population density in the environment of the user a population density map 416’ from a plurality of population density maps in a database 416 based on the provided area where the user is located.
  • the server 400 e.g., generates the population density map 416’ based on a number of the other users in the environment of the user.
  • the information on the population density is not limited to a map but can be also any other information indicative of the population density.
  • server 400 provides the selected population density map 416’ and the amount of distorted information 418 to the mobile device 300 in a subsequent step B. Respectively, the mobile device 300 receives the population density map from the server 400.
  • the population density map 416’ and the amount of distorted information 418 may be stored in a cache on the mobile device 300.
  • the population density map 416’ and the amount of distorted information 418 can be queried from the cache from then on, e.g., to save resources for the communication between the mobile device 300 and the server 400.
  • the mobile device 300 distorts the obtained position based on the population density map 416’ and the amount of distorted information 418 for privacy preservation. For this, the mobile device 300, e.g., adjusts the bias for distorting the position based on the population density map 416’ and the amount of distorted information 418 so as to prevent the user from being identified among the other users based on the distorted position.
  • the distribution of geolocation of several (many) persons or users should overlap. The lower the population density and/or the smaller the amount of distorted information 418, the larger the bias for distorting the user’s position has to be in order to preserve the user’s privacy (and vice versa).
  • the bias is larger than for a plurality of data points.
  • the population density and the amount of distorted information 418 are weighted and considered in the determination of the bias according to their weights, as stated in more detail later. Further optionally, no geolocation may be reported but merely the aforementioned area if the amount of distorted information 418 and/or the population density is smaller than a predefined threshold.
  • step C: an outcome of step C is distorted information 316’ on the user’s position.
  • step D: the mobile device 300 provides the distorted information 316’ to the server 400. More specifically, the mobile device 300 provides the distorted information 316’ together with the information on the body temperature to the server 400. Correspondingly, the server 400 receives the distorted information 316’ and the information on the body temperature and stores these in a database 420. Analogously, the server 400 collects distorted information on the position of other users and information on their body temperature and stores these in the database 420.
  • step E: the server 400 may then process the distorted information on the position of the user and the other users together with the respective information on their body temperature, using the respective population density that was used for the distortion, in a “heatmap estimator” 430 in order to generate the fever heatmap 440.
  • the mobile device 300 may successively generate and provide distorted information on the user’s position.
  • obtaining 110 information on the position of the user and providing 140 the distorted information on the user’s position comprises successively obtaining information on the position of the user and successively providing the distorted information at time intervals.
  • the bias for distorting the information on the user’s position may be varied.
  • the proposed concept further provides for updating bias for distorting the information on the position with an update frequency determined on the basis of at least one of the time intervals between successively provided distorted information and the information on the population density. This is described in greater detail with reference to Fig. 5.
  • The less frequently the bias or noise is updated, the more resistant the distorted information on the user’s position may be against averaging attacks, and hence the longer the exact location can be hidden. Thus, the update frequency may decrease for an increasing population density. However, the slower the bias is updated, the more likely the distorted information on the user's position could be reverse engineered by mapping allowed positions to a map of probable true data points (e.g., detecting a clear street pattern in the gathered locations could reveal the bias).
  • Fig. 5 shows a diagram 500 schematically illustrating a noise update mechanism for privacy preservation.
  • diagram 500 shows how the bias, or an additional bias on top of a less frequently updated bias, for distorting information 318 on the user’s position may be varied for protection against averaging attacks on the distorted information on the user’s position.
  • Diagram 500 illustrates how an amplitude of the bias and the update frequency are varied to preserve the privacy and, e.g., protect the distorted information on the user's position against averaging attacks for identifying the user.
  • the abscissa 510 of the diagram 500 e.g., indicates the update frequency with which the (additional) bias is updated and the ordinate 520 of diagram 500 indicates the amplitude of the (additional) bias used for distorting the user’s position.
  • the information on the user's position may be distorted in accordance with a predefined bias-frequency-profile 530 defining the amplitude and the update frequency.
  • the amplitude and/or the update frequency may particularly depend on the population density. In other words, the amplitude and/or the update frequency may vary with the population density, e.g., to enable privacy preservation for various population densities.
  • the population density map 416’ may be used.
  • the amplitude and/or the update frequency may depend on a “recency” of one or more recently obtained data points containing information on the user’s position, i.e., on the “recency” of the information on the user’s position.
  • the noise update mechanism e.g., varies the amplitude and/or the update frequency based on information 320 about recent data emission.
  • the information 320 e.g., indicates a predefined data emission frequency/rate with which the recently obtained data points have been provided and/or time intervals between the recently obtained data points. Accordingly, the amplitude and/or the update frequency, e.g., depends on those time intervals and/or the said predefined frequency.
  • the amplitude of the (additional) bias, e.g., the width of the above-mentioned noise distributions, may be varied.
  • the bias-frequency-profile 530 defining the amplitude and the update frequency can be understood as a function of the population density and the information 320 about the recent data emission.
  • the population density and the information 320 may be differently weighted in different ranges of the update frequency.
  • the information 320 and the population density e.g., are differently weighted in a first and a second frequency range of the update frequency.
  • the population density may be weighted more strongly than the information 320, i.e., the population density influences the bias-frequency-profile 530 in the first frequency range 510A more than the information 320, while in the second frequency range 510B the information 320 is weighted more strongly than the population density. So, the information 320 influences the bias-frequency-profile 530 more than the population density in the second frequency range 510B.
  • the bias-frequency-profile 530 may be defined such that the privacy of the user or the users is preserved for various population densities and various data emission rates/frequencies or varying recency.
  • the bias-frequency-profile 530 e.g., provides for a higher or lower amplitude and/or a higher or lower update frequency for a higher or lower population density and/or larger or smaller time intervals between successively obtained/provided data points in order to preserve the user’s privacy.
  • the (additional) bias may be updated for each data point indicative of the user’s position.
  • a method for privacy preservation comprising: obtaining information on a position of a user; obtaining information on a population density in an environment of the user; distorting the information on the user's position based on the information on the population density for privacy preservation; and providing the distorted information on the user's position.
  • the method further comprises obtaining information on an intended accuracy of the position, and wherein distorting the information on the user's position comprises distorting the information on the user's position based on the information on the intended accuracy.
  • obtaining the information on the position comprises obtaining first information on the position of the user at a first time and obtaining second information on the position of the user at a second time, wherein the method further comprises determining a first bias and at least one second bias different from the first bias, and wherein distorting the information on the user's position comprises distorting the first information on the user's position using the first bias and distorting the second information on the user's position using the second bias.
  • obtaining information on the position of the user and providing the distorted information on the user's position comprises successively obtaining information on the position of the user and successively providing the distorted information at time intervals; and wherein the method further comprises updating bias for distorting the information on the position with an update frequency determined on the basis of at least one of the time intervals and the information on the population density.
  • the information on the population density includes a map indicative of the population density of an area where the user is located.
  • distorting the information on the user's position comprises adding one or more noise values from a predefined noise distribution to the user's position for distorting the information on the user's position.
  • obtaining information on a population density comprises receiving, at the user device, the information on the population density from an external server, and wherein providing the distorted information on the user's position comprises providing, by the user device, the distorted information on the user's position to the external server.
  • a method for a server comprising: receiving information on a position of at least one user, wherein the information on the position is distorted based on information on a population density in an environment of the user; and processing the distorted information on the user's position using the information on the population density.
  • receiving information on the position of at least one user comprises receiving the information on the position of a plurality of users, wherein the information of the plurality of users is distorted based on information on a population density in an environment of the users, and wherein processing the distorted information comprises generating a map based on the distorted information on the position and the population density, wherein the map is indicative of a spatial distribution of the plurality of users.
  • a computer program comprising instructions, which, when the computer program is executed by a processor, cause the processor to carry out any one of the methods of any one of (1) to (16).
  • a mobile device comprising: one or more interfaces for communication; and a data processing circuit configured to control the one or more interfaces, wherein the data processing circuit and the one or more interfaces are configured to: obtain information on a position of a user; obtain information on a population density in an environment of the user; distort the information on the user's position based on the information on the population density for privacy preservation; and provide the distorted information on the user's position.
  • a server comprising: one or more interfaces for communication; and a data processing circuit configured to control the one or more interfaces, wherein the data processing circuit and the one or more interfaces are configured to: receive information on a position of at least one user, wherein the information on the position is distorted based on information on a population density in an environment of the user; and process the distorted information on the user's position using the information on the population density.
  • a system comprising: a mobile device configured to: obtain information on a position of a user; obtain information on a population density in an environment of the user; distort the information on the user's position based on the information on the population density for privacy preservation; and provide the distorted information on the user's position; and a server configured to: receive the distorted information on the user’s position; and process the distorted information on the user's position using the information on the population density.
  • Examples may further be or relate to a (computer) program including a program code to execute one or more of the above methods when the program is executed on a computer, processor or other programmable hardware component.
  • steps, operations or processes of different ones of the methods described above may also be executed by programmed computers, processors or other programmable hardware components.
  • Examples may also cover program storage devices, such as digital data storage media, which are machine-, processor- or computer-readable and encode and/or contain machine-executable, processor-executable or computer-executable programs and instructions.
  • Program storage devices may include or be digital storage devices, magnetic storage media such as magnetic disks and magnetic tapes, hard disk drives, or optically readable digital data storage media, for example.
  • Other examples may also include computers, processors, control units, (field) programmable logic arrays ((F)PLAs), (field) programmable gate arrays ((F)PGAs), graphics processor units (GPU), application-specific integrated circuits (ASICs), integrated circuits (ICs) or system-on-a-chip (SoCs) systems programmed to execute the steps of the methods described above.
  • a block, device or functional aspect of the device or system may correspond to a feature, such as a method step, of the corresponding method. Accordingly, aspects described in relation to a method shall also be understood as a description of a corresponding block, a corresponding element, a property or a functional feature of a corresponding device or a corresponding system.
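The density-dependent distortion of steps B and C and the noise update mechanism of Fig. 5 can be put together in a small model. The following Python block is an added example written for this page, not code from the patent or its applicants: the formulas for the bias amplitude (a radius expected to contain about k other persons at the given density, combined by weights with a term that grows as fewer distorted points from other users are available), the scaling of the update interval with density, the fallback thresholds below which only the area is reported, and all parameter names and sample values are assumptions of this example. The persistent bias is refreshed at the update interval and a smaller fresh noise value is added per data point; the last function is a defender-side check that shows why a rarely refreshed bias resists averaging (the mean of many reports converges to the bias, not to the true position).

```python
import math
import random
from dataclasses import dataclass

M_PER_DEG_LAT = 111_320.0  # metres per degree of latitude (spherical approximation)

# Fallback thresholds (assumed values): below them no geolocation is reported,
# only the coarse area identifier.
MIN_DENSITY_PER_KM2 = 10.0
MIN_OTHER_POINTS = 3


@dataclass
class DensityContext:
    """Constructed stand-in for what the server returns in step B: the
    population density of the user's area (map 416') and the amount 418 of
    distorted data points received from other users in the period."""
    density_per_km2: float
    other_points: int


def bias_amplitude_m(ctx, k=20, w_density=0.7, w_points=0.3, ref_m=100.0):
    """Amplitude in metres of the bias used to distort the position.

    Density term: radius of a disc expected to hold k persons at the given
    density, so the user's noise distribution overlaps those of about k other
    users.  Points term: grows as fewer distorted points from other users are
    available.  Both terms are combined with weights; the concrete formulas
    and defaults are assumptions of this example.
    """
    r_density = 1000.0 * math.sqrt(k / (math.pi * max(ctx.density_per_km2, 1e-6)))
    r_points = ref_m * k / max(ctx.other_points, 1)
    return w_density * r_density + w_points * r_points


def bias_update_interval_s(emission_interval_s, density_per_km2):
    """Seconds between refreshes of the bias (inverse of the update frequency).

    A multiple of the emission interval that grows with population density,
    i.e. the update frequency falls as density rises (assumed scaling, clamped
    so the bias is refreshed at least every 50 data points).
    """
    multiplier = min(max(int(density_per_km2 // 100), 1), 50)
    return emission_interval_s * multiplier


class PositionDistorter:
    """Mobile-side distortion: one persistent bias refreshed at the update
    interval plus a small fresh noise value for every data point."""

    def __init__(self, ctx, emission_interval_s, per_point_sigma_m=10.0, seed=0):
        self.ctx = ctx
        self.amplitude_m = bias_amplitude_m(ctx)
        self.update_interval_s = bias_update_interval_s(emission_interval_s, ctx.density_per_km2)
        self.per_point_sigma_m = per_point_sigma_m
        self.rng = random.Random(seed)
        self.bias_m = None        # (north, east) offset in metres
        self.bias_set_at_s = None
        self.bias_updates = 0

    def distort(self, lat, lon, t_s, area_id):
        # Too low a density or too few points from others: report only the area.
        if (self.ctx.density_per_km2 < MIN_DENSITY_PER_KM2
                or self.ctx.other_points < MIN_OTHER_POINTS):
            return {"area": area_id}
        if self.bias_m is None or t_s - self.bias_set_at_s >= self.update_interval_s:
            self.bias_m = (self.rng.gauss(0.0, self.amplitude_m),
                           self.rng.gauss(0.0, self.amplitude_m))
            self.bias_set_at_s = t_s
            self.bias_updates += 1
        north = self.bias_m[0] + self.rng.gauss(0.0, self.per_point_sigma_m)
        east = self.bias_m[1] + self.rng.gauss(0.0, self.per_point_sigma_m)
        m_per_deg_lon = M_PER_DEG_LAT * math.cos(math.radians(lat))
        return {"area": area_id,
                "lat": lat + north / M_PER_DEG_LAT,
                "lon": lon + east / m_per_deg_lon}


def averaging_residual_m(distorter, lat, lon, n, emission_interval_s, area_id="cell-42"):
    """Defender-side check: emit n reports at the emission interval and measure
    how far their mean lies from the true position.  With a rarely refreshed
    bias the mean converges to the bias, not to the true position."""
    reports = [distorter.distort(lat, lon, i * emission_interval_s, area_id) for i in range(n)]
    m_per_deg_lon = M_PER_DEG_LAT * math.cos(math.radians(lat))
    mean_north = sum((r["lat"] - lat) * M_PER_DEG_LAT for r in reports) / n
    mean_east = sum((r["lon"] - lon) * m_per_deg_lon for r in reports) / n
    return {"residual_m": math.hypot(mean_north, mean_east),
            "bias_norm_m": math.hypot(*distorter.bias_m),
            "bias_updates": distorter.bias_updates}


if __name__ == "__main__":
    dense = DensityContext(density_per_km2=5000.0, other_points=200)   # constructed
    sparse = DensityContext(density_per_km2=50.0, other_points=5)      # constructed
    for name, ctx in (("dense", dense), ("sparse", sparse)):
        d = PositionDistorter(ctx, emission_interval_s=60, seed=1)
        print(name, round(d.amplitude_m, 1), "m amplitude,",
              d.update_interval_s, "s update interval,",
              averaging_residual_m(d, 48.85, 2.35, 50, 60))
```

In the dense context the bias is refreshed once over 50 reports, so the averaged position stays about one bias length away from the true position; in the sparse context the bias is refreshed every report, which makes averaging effective but is compensated by the much larger amplitude. The trade-off the text describes (slow updates resist averaging but make street-pattern reverse engineering easier) is exactly the choice of `bias_update_interval_s` here.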

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Embodiments of the present disclosure relate to a mobile device, a server, an associated method of operation, a computer program and a method for preserving privacy. The method for preserving privacy comprises obtaining information on a position of a user. The method also comprises obtaining information on a population density in an environment of the user. Furthermore, the method comprises distorting the information on the user's position based on the information on the population density for privacy preservation, and providing the distorted information on the user's position.
PCT/EP2022/051051 2021-02-02 2022-01-18 Mobile device, server, computer program and methods for preserving privacy WO2022167217A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP21154827 2021-02-02
EP21154827.6 2021-02-02

Publications (1)

Publication Number Publication Date
WO2022167217A1 true WO2022167217A1 (fr) 2022-08-11

Family

ID=74550432

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/051051 WO2022167217A1 (fr) 2021-02-02 2022-01-18 Mobile device, server, computer program and methods for preserving privacy

Country Status (1)

Country Link
WO (1) WO2022167217A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110277036A1 (en) * 2010-05-04 2011-11-10 Intertrust Technologies Corporation Policy Determined Accuracy of Transmitted Information
US20160037480A1 (en) * 2014-07-30 2016-02-04 Google Technology Holdings LLC Method and apparatus for enforcing tiered geographical anonymity in a mobile device
US20160066179A1 (en) * 2014-08-29 2016-03-03 Apple Inc. Reduced resolution location determination for improved anonymity of user location


Similar Documents

Publication Publication Date Title
CN111341463B (zh) Epidemic screening method, device, computer equipment and storage medium
Li et al. Privacy leakage of location sharing in mobile social networks: Attacks and defense
Cheng et al. Preserving user location privacy in mobile data management infrastructures
TWI239198B (en) A system and method to anonymously test for proximity of mobile users without revealing individual phase space coordinates
US10542019B2 (en) Preventing intersection attacks
Jin et al. A survey and experimental study on privacy-preserving trajectory data publishing
Berke et al. Assessing disease exposure risk with location data: A proposal for cryptographic preservation of privacy
Wang et al. Privacy preservation for context sensing on smartphone
Li et al. vContact: Private WiFi-based IoT contact tracing with virus lifespan
Borra COVID-19 apps: Privacy and security concerns
Pandey et al. Handling device heterogeneity and orientation using multistage regression for GMM based localization in IoT networks
Xiong et al. REACT: Real-time contact tracing and risk monitoring using privacy-enhanced mobile tracking
US9651654B2 (en) Correcting device error radius estimates in positioning systems
Zhu et al. An adaptive privacy-preserving scheme for location tracking of a mobile user
EP4120897A1 (fr) Systems and methods for monitoring and detecting an outbreak of a contagious disease
Dong et al. On the limitations of existing notions of location privacy
US20210313073A1 (en) Network tracking of contagion propagation through host populations
US11743685B2 (en) Systems and methods for monitoring system equipment diagnosis
Da et al. React: real-time contact tracing and risk monitoring via privacy-enhanced mobile tracking
Elmalaki et al. Spycon: Adaptation based spyware in human-in-the-loop IoT
WO2022167217A1 (fr) Mobile device, server, computer program and methods for preserving privacy
Tchorbadjieff et al. On regime changes of COVID-19 outbreak
US20230184879A1 (en) Device positioning
Piao et al. Privacy Analysis and Comparison of Pandemic Contact Tracing Apps.
CN114496291A (zh) Epidemic risk assessment method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22702630

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22702630

Country of ref document: EP

Kind code of ref document: A1