A Tolerance-Degree-Based Sensitive Area Division Method for Improving Location Privacy Protection of Smart Terminal

Abstract

Due to the subjective nature of sensitive area radius, the effectiveness of current privacy protection strategies is often quite poor. To address this issue, a sensitive area radius design method of smart terminal is proposed by considering the total privacy budget and tolerance degree of adversary inference capabilities. With the increase in the tolerance degree of adversary’s inference capabilities, the sensitive area radius decreases. Based on the division results of the sensitive area, the privacy budgets of smart terminals are allocated separately. Then, a location data perturbation strategy is designed based on the allocated privacy budget and location encoding. Compared with the existing privacy protection strategies, the proposed method is more reasonable, which can improve the effectiveness of location privacy protection strategy. Finally, experimental results based on the real-world dataset show that the proposed algorithm can enhance data utility by 40%.

1. Introduction

With the development of wireless communication technology and mobile sensing technology [1], location-based service (LBS) develops rapidly. To provide a good service, LBS provider often needs to know the geographical location information of the user, which leads to large volumes of mobile location data [2]. Once data stored on third-party service platforms are leaked, the security of user sensitive location information may be seriously endangered [3,4]. Therefore, protecting location privacy in the process of collecting and using user location information has become a central research topic in LBS.

To mitigate location-privacy leakage, various solutions have been proposed in different LBS scenarios [5,6,7]. K-anonymity [8] and pseudonyms [9] are used to hide real user identities in personal query services, which can enable anonymous interaction between clients and servers. However, anonymous sets and pseudonyms are frequently updated due to the high-frequency transmission of location data. Cryptographic-based schemes can prevent adversaries from decoding location data during transmission [10], but they are computationally expensive and have limited practicality. Differential privacy (DP) [11] is proposed as an advanced approach to enhance anonymity by injecting controllable noise, safeguarding location information. Differential privacy is the focus of this paper. Based on the distribution of servers, the technology is mainly categorized into centralized differential privacy (CDP) [12,13,14] and local differential privacy (LDP) [15,16,17,18]. However, the CDP depends on third-party servers, which can expose users to privacy leakage [19]. In contrast, the LDP performs privacy processing on the user side and allows users to protect their location information based on their requirements. Thus, LDP offers stronger and more secure location privacy protection by eliminating the third-party trust assumption, which requires further attention and research.

Usually, a global privacy budget is allocated by traditional LDP to provide uniform privacy protection across all locations [20]. It can lead to insufficient protection in sensitive areas and overprotection in non-sensitive areas, making it difficult to meet diverse privacy requirements [21]. Therefore, location protection, considering privacy preference, deserves more attention. In [22], the loss of location information is used to generate a perturbation radius to protect sensitive locations within the obfuscation area. In [23], a method is proposed to encode and perturb location information based on user-specified sensitive ranges. However, the existing dividing methods of sensitive areas often fail to consider the adversary’s inference capabilities, resulting in inadequate protection for sensitive locations. With the development of mobile communications, a more rational method for sensitive area division to improve location privacy protection deserves further research.

In order to address the above issues, a tolerance-degree-based sensitive area division method (TD-SAD) is proposed, which can provide hierarchical protection while improving data utility. The contributions and content of this paper are as follows:

• To enhance the local stability of location encoding, a spatial index strategy is designed based on Hilbert curves and Geohash.
• A tolerance-degree-based sensitive area radius design method is proposed for reasonably adjusting the privacy budget of smart terminal, and the privacy budget is calculated according to the divided sensitive area.
• To improve the similarity and statistical usability of the encoding, a distribution-aware random response method is designed, which implements a random response mechanism using allocated budgets.
• The effectiveness of the proposed method is verified by experiments based on the real-world dataset.

The rest of the paper is organized as follows. Section 2 introduces the adversary model based on location privacy protection. Section 3 describes the specific concept of the proposed method. Section 4 theoretically analyzes the security of the proposed method. Experimental results are provided in Section 5. Section 6 concludes this paper and provides some future perspectives.

2. Location Privacy Protection of Smart Terminal

The scenario of the LBS system based on local differential privacy is shown in Figure 1. DP processing is performed locally on user side, and then processed location information is uploaded to the service platform [24,25]. However, location data can be intercepted, captured, attacked, or stolen by external adversaries. Moreover, adversaries can even collude with multiple service providers to aggregate users’ location information across sources. Consequently, DP is deployed entirely on the user side, and the service provider is treated as an honest-but-curious participant.

A uniform explanation of the mathematical symbols defined and used is provided in

Table 1. The commonly used notations.

Symbol	Description
ε	Privacy budget
Pr	Perturbation probability
Pi,j	Conditional probability that the output data is j when the input data is i
ui	Proportion of element i in the total data
R	Sensitive area radius
Di,j	Distance from original location i to the nearest sensitive location j
L	Encoding of the original location
L′	Encoding of the original position after perturbation
L(bj)	The bit j of the original code
L(bj′)′	The bit j of the perturbation code

for subsequent understanding in the paper.

3. A Tolerance-Degree-Based Sensitive Area Division Method

3.1. Proposed Tolerance-Degree-Based Sensitive Area Division Method

The model of the proposed TD-SAD is shown in Figure 2, which comprises three components: location encoding, privacy budget allocation, and location perturbation. The core ideas are (i) encoding the location data as a bit string; (ii) partitioning the geographical space into sensitive and non-sensitive areas; and (iii) designing a distribution-aware random response. Both the perturbation probabilities and privacy budget allocation are adjusted dynamically according to different sensitive areas. After obtaining the real locations, the original data are processed under LDP with the privacy requirements of user.

3.2. Location Encoding Based on Hilbert Space Filling

Space filling curves can be used to map the d-dimensional space into a one-dimensional space [26]. A major characteristic of Hilbert curve is that points that are adjacent in the plane tend to be close along the curve. The first-order Hilbert curve is shown in Figure 3a, which divides the 2D space into four uniform subgrids and labels the quadrants sequentially. As shown in Figure 3b, higher-order Hilbert curves are generated recursively by splitting the grid and rotating the curve.

For a given location coding accuracy p and bit number b, the total bits B used for coding is determined by,

$$B=p \times b$$

(1)

According to (1), the order division h of Hilbert curve can be calculated by,

$$h=\lfloor {\displaystyle \frac{B}{2}}\rfloor$$

(2)

For a given planar domain, the uniform grid size of Hilbert curve N at order h can be determined by:

$$N ={ 2}^h$$

(3)

Geohash [27] is an efficient method of encoding. Usually, Z-order fill curves are used in traditional Geohash, which preserves only partial order. In order to solve this problem, Hilbert curve with an order-preserving nature is used to replace Z-order curves to connect spatial points. Specifically, the longitude is bound to [−180, 180], and the latitude is bound to [−90, 90]. At each step, the current interval is bisected. If the longitude exceeds the midpoint, the longitude bit is set to 1; otherwise, it is set to 0. Latitude is encoded in a similar way until the desired accuracy or encoding length is reached. Finally, the longitude code is placed at even positions, and the latitude code is placed at odd positions.

As shown in Figure 4, the blue numbers represent the longitude code of the location, and the red numbers represent the latitude code. Following the alternating rule above, the location (104.0638546, 30.6599157) is encoded as {11100100110011010100}.

3.3. Budget Allocation

The location protection mechanism based on DP is related to the allocation of privacy budget [28]. Uniform allocation of privacy budget can over-perturb codes in non-sensitive areas while under-perturbing codes in sensitive areas, failing to meet different privacy needs. Therefore, a sensitive area radius is designed based on the total privacy budget and tolerance degree of the adversary’s inference capabilities to divide into sensitive areas. According to Geo-Indistinguishability, the distance distortion r between actual location and the perturbed location of a user is determined by [29]:

$$r = {\displaystyle \frac{-1}{{\epsilon }_{\mathit{total}}}}(W_{-1}({\displaystyle \frac{\tau -1}{\mathrm{e}}})+1)$$

(4)

where ${\epsilon }_{\mathit{total}}$ is the total privacy budget, $W_{-1}({\displaystyle \frac{\tau -1}{\mathrm{e}}})$ is the Lambert function, and τ is a random number between [0, 1].

Let ρ∈(0,1) denote the tolerance degree of the adversary’s inference capabilities, i.e., the upper-bound probability that an adversary predicts the real location lies within the sensitive area, then the sensitivity area radius R based on (4), is determined by:

$$R = {\displaystyle \frac{-1}{{\epsilon }_{\mathit{total}}}}(W_{-1}({\displaystyle \frac{\rho -1}{\mathrm{e}}})+1)$$

(5)

3.3.1. Privacy Allocation Outside Sensitive Areas

When a user is outside the sensitive area, the real location of the user is far from the sensitive location, which indicates low privacy sensitivity. Thus, the privacy budget can be allocated directly according to the proportion of distance. The allocation model is determined by:

$${\epsilon }_{i\left(\mathit{out}\right)}={\displaystyle \frac{D_{i,j}}{{\sum }_{i=1}^m{\sum }_{j=1}^M{D}_{i,j}}}{\epsilon }_{\mathit{total}}$$

(6)

where ${\epsilon }_{i\left(\mathit{out}\right)}$ is the privacy budget allocated to the i-th real location outside the sensitive area, D_i,j is the distance from the i-th service request point to its nearest j-th sensitive location, and m represents the total number of service request points. M represents the total number of sensitive location points set by the user.

According to (6), the allocated privacy budget varies with distance, as shown in Figure 5. As can be seen, the closer the original location is to the sensitive location, the less privacy budget is allocated. In particular, the allocated privacy budget is close to 0 when passing through a sensitive location, since the noise amplitude in DP is inversely proportional to privacy budget. A privacy budget tending to 0 indicates the addition of infinite noise, which can cause service failure on the smart terminal.

3.3.2. Privacy Allocation in Sensitive Areas

If the real location is within a sensitive area, the privacy requirement is high. Given the sensitive location and the sensitive radius R, a circular region centered on the sensitive location with radius R is generated. The remaining external privacy budget is evenly distributed to other locations within the sensitive area:

$${\epsilon }_{i\left(\mathit{in}\right)} = {\displaystyle \frac{{\epsilon }_{\mathit{total}}-\sum {\epsilon }_{i\left(\mathit{out}\right)}}{n}}$$

(7)

where ${\epsilon }_{i\left(\mathit{in}\right)}$ is the privacy budget value allocated to the location i of the user currently in the sensitive region, and n is the total number of sensitive locations contained within the sensitive area.

3.4. Perturbation Mechanism Based on Random Response

The fixed conditional probability is used by traditional random response mechanisms [30] to perturb the original data, resulting in significant differences between the results. In order to preserve the similarity of the target data before and after disturbance, a distribution-aware random response method is designed based on the original distribution characteristics of the data.

The random perturbation of sensitive data may be abstracted as follows: assume that the data x of the data provider comes from X = {0,1}, and the perturbation result comes from Y = {0,1}. The $u_{i }$ is the distribution proportion of element i (i∈{0,1}) in the original data, where $0\le u_i\le 1$ and ${ u}_0+u_1 = 1$. The conditional probability that the output data is j when the input data is i is assumed to be $P_{\mathit{ij}}\left(i, j\in \left\{0,1\right\}\right)$. The design perturbation matrix is $P =\left(\begin{array}{cc}{P}_{00}& P_{01}\\ P_{10}& P_{11}\end{array}\right)$, where $0 \le { P}_{i,j }\le 1$, $P_{00} + P_{01} = 1$ and $P_{10 }+ P_{11 }= 1$. Therefore, the utility of data can be measured by the mathematical expectation of the perturbed output data relative to the original input data, which is determined by:

$$E = P_{00} \times u_{0 }+ P_{11 }\times u_1$$

(8)

Then, a linear programming approach is employed to maximize mathematical expectation, where the constraints are established as follows:

$$\left\{\begin{array}{c}{1-P}_{11} \le {{ e}^{\epsilon }P}_{00}\\ {1-P}_{00}\le {e^{\epsilon }P}_{11}\\ P_{00}\le e^{\epsilon }\left({1-P}_{11}\right)\\ {P_{11}\le { e}^{\epsilon }(1-P}_{00})\\ 0\le P_{00},P_{11}\le 1\end{array}\right.$$

(9)

With vertices A (0,1), B (${\displaystyle \frac{e^{\epsilon }}{{1+e}^{\epsilon }}}$, ${\displaystyle \frac{e^{\epsilon }}{{1+e}^{\epsilon }}}$), C (1,0), and D (${\displaystyle \frac{1}{{1+e}^{\epsilon }}}$, ${\displaystyle \frac{1}{{1+e}^{\epsilon }}}$), the feasible domain of the random response model (8) is shown in Figure 6.

Depending on the optimal solution of mathematical expectation, the following three situations can be drawn:

• When ${\displaystyle \frac{u_0}{u_1}} \le {\displaystyle \frac{1}{ e^{\epsilon }}}$, the optimal solution for the mathematical expectation in Equation (3) is point A with P₀₀ = 0 and P₁₁ = 1, the perturbation matrix can be designed as $P =\left(\begin{array}{cc}0& 1\\ 0& 1\end{array}\right)$.
• When ${\displaystyle \frac{1}{e^{\epsilon }}}<{\displaystyle \frac{u_0}{u_1}}<e^{\epsilon }$, the optimal solution is point B. The optimal value of the mathematical expectation is ${\displaystyle \frac{e^{\epsilon }}{{1+e}^{\epsilon }}}$, so the perturbation matrix can be designed as $P=\left(\begin{array}{cc}{\displaystyle \frac{e^{\epsilon }}{{1+e}^{\epsilon }}}& {\displaystyle \frac{1}{{1+e}^{\epsilon }}}\\ {\displaystyle \frac{1}{{1+e}^{\epsilon }}}& {\displaystyle \frac{e^{\epsilon }}{{1+e}^{\epsilon }}}\end{array}\right)$.
• When ${{\displaystyle \frac{u_0}{u_1}}\ge e}^{\epsilon }$, the optimal solution is point C, with P₀₀ = 1 and P₁₁ = 0, so the perturbation matrix can be designed as $P =\left(\begin{array}{cc}1& 0\\ 1& 0\end{array}\right)$.

Let $b_{j }$ be the j-th bit of the original location code, and ${b_j}^{\prime }$ be the perturbed location code. The $u_0$ and $u_1$ represent the distribution proportion of elements 0 and 1 in the code. With the perturbation matrix P analyzed above, the encoding is perturbed by selecting the following probability formula [31]:

$$\mathit{Pr}\left[{b^{\prime }}_j=b_j\right]=\left\{\begin{array}{c} {\displaystyle \genfrac{}{}{0pt}{}{1, b_j=1}{0{, b}_j=0}} , if {\displaystyle \frac{u_0}{u_1}}\le e^{-\epsilon }\\ {\displaystyle \genfrac{}{}{0pt}{}{\frac{e^{\epsilon }}{{1+e}^{\epsilon }}{, b}_j=1 \mathrm{or} 0 }{\frac{1}{{1+e}^{\epsilon }}{, b}_j=1 \mathrm{or} 0 }}, if{ e}^{-\epsilon }<{\displaystyle \frac{u_0}{u_1}}<\\ {\displaystyle \genfrac{}{}{0pt}{}{1,{ b}_j=0 }{0, b_j=1}} , if {\displaystyle \frac{u_0}{u_1}}\ge e^{-\epsilon }\end{array}\right.e^{\epsilon }$$

(10)

Suppose a sample of location encoding has a distribution of 0 s and 1 s such that $u_0$ = 0.3 and $u_1$ = 0.7, with an allocated privacy budget of 0.5. Since ${\displaystyle \frac{u_0}{u_1}}\le e^{-\epsilon }$, the conditional probability matrix $P =\left(\begin{array}{cc}0& 1\\ 0& 1\end{array}\right)$ is selected for the perturbation (i.e., the first case in Equation (10)), where the probabilities for P₀₁ and P₁₁ are both 1. Regardless of the input is $b_j$= 0 or $b_j$ = 1, the probability of outputting $\mathit{Pr}\left[{b^{\prime }}_j=1\right]$ is 1.

4. Privacy Protection Security Analysis

LDP is a privacy protection model strictly proved by mathematical reasoning [32,33]. The formula is used to prove that the proposed TD-SDA method satisfies the requirement of ε-local differential privacy.

The original location is encoded as L, and perturbed location is encoded as L′. $L\left(b_j\right)$ and $L {\left({b_j}^{\prime }\right)}^{\prime }$ represent the original and perturbed codes of j-th bit. According to the combined characteristics of local differential privacy, the following equation holds:

$$\mathit{Pr}\left[L^{\prime }|L\right] = \mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right) = 1|L\left(b_j\right)\right]$$

(11)

Similarly, for another location code $L*$, the following equation holds:

$$\mathit{Pr}\left[L^{\prime }|L*\right] = Pr\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L*\left(b_j\right)\right]$$

(12)

Then,

$${\displaystyle \frac{\mathit{Pr}\left[L^{\prime }|L\right]}{\mathit{Pr}\left[L^{\prime }|L*\right]}}={\displaystyle \frac{\mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L\left(b_j\right)\right]}{\mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L*\left(b_j\right)\right]}}$$

(13)

$$\le {\displaystyle \frac{\max \mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L\left(b_j\right)\right]}{\min \mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L*\left(b_j\right)\right]}}$$

(14)

$$={\displaystyle \frac{\mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L\left(b_j\right)=1\right]}{\mathit{Pr}\left[L^{\prime }\left({b_j}^{\prime }\right)=1|L*\left(b_j\right)=0\right]}}$$

(15)

$$={\displaystyle \frac{\raisebox{1ex}{$e^{\epsilon }$}\!\left/ \!\raisebox{-1ex}{$1+e^{\epsilon }$}\right.}{\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$1+e^{\epsilon }$}\right.}}=e^{\epsilon }$$

(16)

Based on the above analysis and the definition of local differential privacy, TD-SDA satisfies ε-local differential privacy. Usually, adversaries can monitor data and intercept information during communication [34]. Therefore, threats are categorized into three types for security analysis combined with TD-SAD.

• Parameter Inference: adversaries can infer location encoding and decoding methods based on the obtained parameters of grid partitioning and location encoding. But the information does not reveal the specific location of user, which protects the privacy.
• Request Interception: adversaries can infer the service location by intercepting location service requests. But the information obtained is the perturbed location, which does not involve privacy information. The protectiveness of response interception is similar to case 2.
• Collusive service providers: multiple providers can share and jointly analyze acquired location information. But the accessed information is the sum of several privacy perturbations. Moreover, stronger perturbation is used by TD-SAD in sensitive areas, further reducing the success rate of adversaries in re-identification.

5. Experimentation and Analysis

5.1. Experimental Data

A real-world dataset from Gowalla [35] was used, which comprised a total of 1,280,969 location points and labeled each location with the user ID, latitude, and longitude.

5.2. Experimental Methods

Our experiments run on an Intel (R) Core (TM) i5-9300H CPU 2.40 GHz machine with Windows 10 operating system and implemented in Python 3.8. To verify the progressiveness of the proposed strategy, the algorithms of DPL-Hc [17] and LDPHC [23] are compared and implemented in the same experimental environment. In algorithm [17], an advanced Laplace mechanism was used to achieve global perturbation of location coding. In algorithm [23], the W-RR perturbation mechanism was used to perturb the Huffman location coding.

Noise is introduced to perturb the location data, which results in a loss of location data quality. In order to evaluate the privacy and effectiveness of the proposed method, indicator for Qos loss was introduced from [36]. In addition, to evaluate the accuracy of the statistical analysis performed by the server based on the disturbance location, the mean absolute error (MAE) and root mean square error (RMSE) were used.

5.3. Practical Utility in LBS Scenarios Based on TD-SAD Method

Location-based proximity discovery is a typical application in LBS, which is used to find interactive targets of the current user location within a distance. A total of 40 check-in samples taken at 7:00 a.m. and 5:00 p.m. were selected based on Gowalla as the service request points for users. The 10% locations from the sample were selected as sensitive locations. Considering data utility, ρ was set to 0.8, and ε was set to 1. The distance was set to [50, 100, 150]. To evaluate the practicality of the proposed TD-SAD, recall rec and discovery precision prec were used as indicators. The user set is U_T. For any queried user u ∈ U_T, the recall rec and discovery precision prec are determined by:

$$rec\left(u\right)= {\displaystyle \frac{\left|S_u^{orig}\bigcap S_u^{pert}\right|}{S_u^{orig}}}$$

(17)

$$prec\left(u\right)={\displaystyle \frac{\left|S_u^{orig}\bigcap S_u^{pert}\right|}{S_u^{pert}}}$$

(18)

where $S_u^{orig}$ denotes the actual neighborhood, and $S_u^{pert}$ denotes the perturbation neighborhood.

The Gowalla dataset used in this paper dates back to 2010, which may limit the generalizability of the results to modern, denser mobility data. Thus, experiments were further conducted based on the Foursquare [37] dataset to validate the practical utility of the TD-SAD method in LBS scenarios. Specifically, 50 check-in samples based on Foursquare were selected as the experimental validation set.

The recall and discovery precision of each method under different distances are shown in

Table 2. Recall and discovery precision of different methods based on Gowalla.

Method	50		100		150
	Recall	Precision	Recall	Precision	Recall	Precision
DPL-Hc in [17]	0.3000	0.4215	0.4994	0.5613	0.7898	0.7428
LDPHC in [23]	0.3404	0.2331	0.7153	0.5933	0.8284	0.6953
The Proposed TD-SAD	0.6249	0.5930	0.7316	0.7173	0.8623	0.7973

and

Table 3. Recall and discovery precision of different methods based on Foursquare.

Method	50		100		150
	Recall	Precision	Recall	Precision	Recall	Precision
DPL-Hc in [17]	0.4707	0.5600	0.5155	0.5098	0.6465	0.6136
LDPHC in [23]	0.4987	0.5808	0.6384	0.6323	0.6804	0.6701
The Proposed TD-SAD	0.6083	0.6024	0.6600	0.6533	0.7404	0.7489

. Overall, LDPHC outperformed DPL-Hc in most settings. This is an advantage because DPL-Hc applied a widespread noise mechanism directly to grid index, resulting in larger deviations before and after perturbation. In contrast, LDPHC disturbed only a single random bit, which had a better perturbation result. The proposed TD-SAD considered the similarity of the 0/1 bits distribution probabilities before and after perturbation and further confined the perturbation to the vicinity of the original area based on hierarchical perturbation. Thus, the preferment of TD-SAD was demonstrably better than other comparative methods. The experimental results verified that the proposed method improves data usability while providing privacy protection.

5.4. Relative Error of Range Query

Local differential privacy processing causes a deviation in the location uploaded to the server, which leads to a decrease in data availability. Therefore, the location data availability is measured by calculating the relative error between the query results of the real location dataset and the disturbed location dataset. The relative error of the count range query can be defined as:

$$\mathit{Relative} \mathit{error} \left(\mathrm{C}\right) = {\displaystyle \frac{|\tilde{Q}\left(\mathrm{C}\right)-Q\left(\mathrm{C}\right)|}{Q\left(\mathrm{C}\right)}}$$

(19)

where C is the query range, $Q\left(\mathrm{C}\right)$ is the query result on the real location dataset, and $\tilde{Q}\left(\mathrm{C}\right)$ is the query result on the perturbed location dataset.

The privacy budget parameter ε was set to [0.4~2.0] with an interval of 0.4 during the experiments. The query ranges C were set to 25%, 50%, and 85%. By setting experimental constraints covering different ranges, the performance of each privacy protection mechanism in the corresponding query range was evaluated.

The location was out of the current range caused by random perturbation, resulting in relative errors. Figure 7 shows the relative error results of the three location privacy protection strategies under the different ranges of the query. As can be seen from Figure 7, the relative error of TD-SAD decreased by 30%, 25%, and 15%, respectively, as the range increased from 25% to 85%. TD-SAD combined spatial clustering based on Hilbert curves and differentiated privacy budget allocation, constraining the perturbations of non-sensitive locations to remain near the original positions, thus offsetting the bias introduced by perturbations in sensitive areas.

5.5. Quality Loss of Proposed TD-SAD Method

Figure 8 shows the impact of the three location privacy protection strategies under different location scales when the privacy budget ε was 1. Seen from Figure 8, the Mean absolute error, Root mean square error, and the Qos loss of each method increased with the increased of position data. But the TD-SDA experimental data recorded the minimum values. The reason is that TD-SAD improves the perturbation method by using differentiated perturbation approaches for different encodings. It maximizes the probability of similarity between data before and after perturbation, which minimizes the statistical error result.

5.6. Accuracy of Location Data Aggregation

The experimental results of Figure 9 show that the MAE and RMSE of TD-SAD can be stabilized at 30 and 190. The reason is that the proposed TD-SAD designed a distribution-aware random response mechanism to disturb locations while preserving spatial clustering properties, which can improve the coding of distribution proportion imbalances.

5.7. Runtime of the Proposed TD-SAD Method

To validate the operational efficiency, the runtime of the encoding module and the perturbation module was compared under different locations numbers. The privacy budget ε for the experiment was 1. In addition, the runtime for allocating the privacy budget was taken into account within the encoding.

Figure 10 shows the variation in runtime of the encoding module, the perturbation module, and their combination with different data sizes. As the number of locations increases, the runtime of the TD-SAD increases accordingly. But the time cost is maintained at the millisecond level. As can be seen from Figure 10, the runtime of the encoding module exceeds that of the perturbation. The reason is that each location is traversed in the encoding module to allocate the corresponding privacy budget based on the divided sensitive area. The perturbation module needed only to select a perturbation probability based on the distribution of the encoded bits to perform a random response mechanism.

6. Conclusions

In this paper, a tolerance-degree-based sensitive area division method is proposed for improving the location privacy protection of smart terminals. Sensitive areas are divided based on the total privacy budget and the tolerance degree of adversary inference capabilities. Compared to traditional location privacy protection, the proposed TD-SAD offers more secure hierarchical protection based on divided sensitive zones. Owing to a distribution-aware perturbation strategy, the proposed TD-SAD can obtain better data utility after perturbation. In future research, we will conduct more in-depth studies on location privacy protection using more novel and richer datasets.