No More than What I Post: Preventing Linkage Attacks on Check-in Services

With the flourishing of location based social networks, posting check-ins has become a common practice to document one's daily life. Users usually do not consider check-in records as violations of their privacy. However, through analyzing two real-world check-in datasets, our study shows that check-in records are vulnerable to linkage attacks. Specifically, adversary is able to uniquely re-identify over 52 $\sim$ ∼ 66 percent users in other anonymous mobility datasets and 60 $\sim$ ∼ 80 percent users have more than 60 percent probability leaking unreported mobility records. In addition, we further demonstrate that the privacy sensitivity of check-in records can be more accurately measured by including the information of additional mobility data compared with only looking at check-ins. Based on this observation, we design a partition-and-group framework to integrate the information of check-ins and additional mobility data to attain a novel privacy criterion— $k^{\tau, l}$ k τ , l -anonymity . It ensures adversaries with arbitrary background knowledge cannot use check-ins to re-identify users in other anonymous datasets or learning unreported mobility records. The proposed framework achieves favorable performance against state-of-art baseline in terms of improving check-in utility by 24 $\sim$ ∼ 57 percent while providing stronger privacy guarantee at the same time. We believe this study will open a new angle in attaining both privacy-preserving and useful check-in services.