Is Geo-Indistinguishability What You Are Looking for?
This work critically assesses a foundational concept in location privacy, highlighting limitations for researchers and practitioners relying on geo-indistinguishability.
The paper tackles the problem of geo-indistinguishability as a location privacy notion, showing that its privacy-utility trade-off is less appealing than implied and that it can lead to poorer average error and useless obfuscated locations compared to other mechanisms.
Since its proposal in 2013, geo-indistinguishability has been consolidated as a formal notion of location privacy, generating a rich body of literature building on this idea. A problem with most of these follow-up works is that they blindly rely on geo-indistinguishability to provide location privacy, ignoring the numerical interpretation of this privacy guarantee. In this paper, we provide an alternative formulation of geo-indistinguishability as an adversary error, and use it to show that the privacy vs.~utility trade-off that can be obtained is not as appealing as implied by the literature. We also show that although geo-indistinguishability guarantees a lower bound on the adversary's error, this comes at the cost of achieving poorer performance than other noise generation mechanisms in terms of average error, and enabling the possibility of exposing obfuscated locations that are useless from the quality of service point of view.