We are fighting the COVID-19 pandemic. To prevent the spread of such a highly contagious virus, the crucial information we need for epidemic surveillance is people's location history. Recently, many countries suffering from the coronavirus crisis have attempted to access citizens' location data to contain the outbreak. The US pumped 500 million dollars of emergency funding into the CDC for building a surveillance and data collection system and discussed sharing people's location data with Facebook and Google to combat the coronavirus. In South Korea, the government created a public map of coronavirus patients using location data from telecom and credit card companies. Italy's telecom companies are sharing location data with health authorities to check whether people are staying at home. China's giant tech companies provide a "health code" service that certifies a user's health status based on her health status and travel history, which are collected by cellphone Apps. Although these special measures of personal data collection for a public health emergency may be temporary and under stringent government regulation, they raise privacy concerns, and people worry that they may open the door to surveillance activities in the name of public health. This also poses a challenge for location privacy protection techniques: how can we utilize people's mobile data to help combat the pandemic without sacrificing location privacy?
Location privacy has been extensively studied in the literature. However, the state-of-the-art location privacy models are not flexible enough to balance individual privacy and the public interest in an emergency such as the COVID-19 crisis we are witnessing. The early studies on location privacy extended -anonymity and were flexible enough to be adapted to different scenarios such as personalized location anonymity. But recent studies revealed that -anonymity might not be rigorous enough, since it suffers from many realistic attacks [14, 16] when the adversary has background knowledge about the original dataset. The recent state-of-the-art location privacy models [3, 22, 21, 20, 23, 5, 6, 7] extend differential privacy (DP) to private location release, since DP is considered a rigorous privacy notion. Although these DP-based location privacy models are rigorously defined, they are not flexible or customizable for different scenarios with varying requirements on the privacy-utility trade-off. Take Geo-Indistinguishability, the first and most influential DP-based location privacy metric, as an example: the strength of protection is solely controlled by a single parameter to achieve indistinguishability among all possible locations. It is hard to make a good privacy-utility trade-off using this single parameter in a complicated setting.
To address the above issues, and motivated by the significant worldwide impact of the COVID-19 pandemic, we demonstrate a policy-based location privacy-preserving epidemic surveillance system. Our contributions are summarized below.
First, we design an epidemic surveillance system with three primary functions: location monitoring, epidemic analysis, and contact tracing. The scenario is shown in Fig.1, where users locally maintain location databases (e.g., all locations in the past two weeks) and share perturbed locations satisfying PGLP w.r.t. a specific policy graph with a semi-honest server. The policy graph essentially acts as an information filter to control what could be shared and what should not be shared.
Second, we demonstrate three policy graphs with distinct granularities that are appropriate for different functions of epidemic surveillance. Specifically, we visualize the utility gain or loss between different policy graphs. It turns out that no single policy is best for all functions. Conference attendees will see that it is possible to have the full functionality of epidemic surveillance while preserving location privacy.
Third, we visualize the trade-off between privacy and utility. Although we can specify a policy graph that enables the full usability of the system, it is not clear what the privacy implication of a given policy graph is. The policy graph itself could be semantically meaningful, but we lack a quantitative measurement. We provide empirical privacy metrics, namely the adversary's inference success rate, with an interactive tool. Attendees can randomly generate a policy graph to explore its effect on the privacy-utility trade-off. The code is available on GitHub (https://github.com/tkgsn/pglp). A prototype of a mobile phone App will be available soon.
2.1 Location Policy Graph
Inspired by Blowfish privacy, we use an undirected graph to define which locations should be protected and which need not be, i.e., location privacy policies. The nodes are secrets and the edges are the required indistinguishability, which indicates that an attacker should not be able to distinguish the input secrets by observing the perturbed output. In our setting, we treat possible locations as nodes and the indistinguishability between locations as edges.
Definition 2.1 (Location Policy Graph)
A location policy graph is an undirected graph where denotes all the locations (nodes) and represents indistinguishability (edges) between these locations.
Definition 2.2 (Distance in Policy Graph)
We define the distance between two nodes and in a policy graph as the length of the shortest path between them, denoted by .
In DP, the two possible database instances with or without a user's data are called neighboring databases, which can be interpreted as two nodes connected by an edge in a policy graph. We generalize this to k-neighbors, defined below.
Definition 2.3 (k-Neighbors)
The k-neighbors of location s, denoted by , is the set of nodes reachable from s within k hops, i.e., . We define -neighbors as the nodes that have a path to s, denoted by .
2.2 Privacy Metrics
We now formalize PGLP (i.e., Policy-based Location Privacy), which guarantees indistinguishability for every pair of neighbors (i.e., for each edge) in a location policy graph.
Definition 2.4 (-Location Privacy)
A randomized algorithm satisfies -location privacy iff for all and for all pairs of -neighbors s and in , we have .
In PGLP, privacy is rigorously guaranteed by ensuring indistinguishability between any two neighboring locations specified by a customizable location policy graph. The user enjoys plausible deniability about her whereabouts.
Lemma 2.1
An algorithm satisfies -location privacy iff any two -neighbors are -indistinguishable.
Lemma 2.1 indicates that, if there is a path between two nodes (locations) in the policy graph, the corresponding indistinguishability is required to a certain degree; if two nodes are not connected (i.e., ), the policy does not require indistinguishability between them. As an extreme case, if a node is not connected to any other node, it may be released without any perturbation.
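As an added example (not code from the paper or the pglp repository), the following Python builds the coarse-grained area policy graph that Sec. 3.1 proposes for location monitoring, computes distances and k-neighbors per Definitions 2.2 and 2.3, and checks Definition 2.4 by bounding the log-probability ratio on every policy edge. The mechanism it checks (reveal the area, then randomized response inside it) and the two-area toy map are constructions of this example, not the paper's PGLP mechanisms.

```python
import math
from collections import deque

def build_area_policy(areas):
    """Sec. 3.1 monitoring policy: cells of one coarse area are pairwise connected; no edge crosses areas."""
    graph = {}
    for area in areas:
        for s in area:
            graph.setdefault(s, set()).update(t for t in area if t != s)
    return graph
def graph_distance(graph, s, t):
    """Shortest-path length between s and t (Definition 2.2); inf if unreachable."""
    dist, queue = {s: 0}, deque([s])
    while queue:
        u = queue.popleft()
        if u == t:
            return dist[u]
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return math.inf
def k_neighbors(graph, s, k):
    """Definition 2.3: nodes other than s reachable from s within k hops."""
    return {t for t in graph if t != s and graph_distance(graph, s, t) <= k}
def privacy_loss(mech, s, t):
    """Worst-case |ln Pr[A(s)=o] - ln Pr[A(t)=o]| over outputs o; mech[s] maps o -> probability."""
    worst = 0.0
    for o in set(mech[s]) | set(mech[t]):
        p, q = mech[s].get(o, 0.0), mech[t].get(o, 0.0)
        if p == 0.0 or q == 0.0:
            return math.inf  # one side can never emit o: s and t are fully distinguishable
        worst = max(worst, abs(math.log(p) - math.log(q)))
    return worst
def satisfies_pglp(graph, mech, eps):
    """Definition 2.4: every edge (s, t) of the policy graph is eps-indistinguishable."""
    return all(privacy_loss(mech, s, t) <= eps + 1e-9 for s in graph for t in graph[s])

def area_randomized_response(areas, eps):
    """Assumed mechanism (not the paper's): reveal the true area, then n-ary randomized response inside it."""
    mech = {}
    for area in areas:
        n, e = len(area), math.exp(eps)
        for s in area:
            mech[s] = {t: (e if t == s else 1.0) / (e + n - 1) for t in area}
    return mech

AREAS = [("A1", "A2", "A3"), ("B1", "B2")]  # constructed toy map: two coarse areas
POLICY = build_area_policy(AREAS)
MECH = area_randomized_response(AREAS, eps=1.0)
```

Cross-area pairs such as A1 and B1 have infinite privacy loss, which the policy permits because they share no edge; within an area the loss is exactly eps, so the check passes at eps = 1.0 and fails at any smaller budget.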
2.2.1 Comparison with Other Location Privacy
We analyze the relation between PGLP and two influential DP-based location privacy models, i.e., Geo-Indistinguishability and -Location Set Privacy. We show that PGLP implies each of them under proper configurations of the location policy graph.
Geo-Indistinguishability guarantees a level of indistinguishability between two locations and that is scaled with their Euclidean distance, i.e., -indistinguishability, where denotes Euclidean distance. Let be a location policy graph in which every location has edges to its eight closest locations on the map, as shown in Fig.2 (left). We can derive the following theorem from the fact that for any and from Lemma 2.1.
An algorithm satisfying -location privacy also achieves -Geo-Indistinguishability.
-Location Set Privacy extends differential privacy to a subset of possible locations, which is assumed to be the adversary's knowledge. -Location Set Privacy ensures indistinguishability between any two locations in the -location set. Let be a location policy graph that is a complete graph over the locations in the -location set, as shown in Fig.2 (right).
An algorithm satisfying -location privacy also achieves -Location Set privacy.
The proofs and the mechanisms for PGLP are presented in the full version of this paper for interested readers.
3 System Overview
3.1 Epidemic Surveillance
Our system consists of three main modules: PGLP mechanisms, Location Policy Configuration, and Epidemic Surveillance Apps, as shown in Fig.3. The PGLP mechanisms are proposed in for achieving rigorous and customizable location privacy. A mechanism takes as input , a location policy graph, and the user's true location, and outputs a perturbed location to the server. The policy is recommended by Location Policy Configuration and approved by the user. Location Policy Configuration defines different location policies according to the application of epidemic surveillance. The three primary functions (Apps) for epidemic surveillance are location monitoring, epidemic analysis, and contact tracing. Location monitoring focuses on understanding people's movement between different cities or provinces at a coarse-grained level, which provides essential insights when combined with the incidence rate in each city. It could also provide a "health code" service, i.e., certification of the user's health status, in a privacy-preserving way. A location policy for location monitoring can be "ensure indistinguishability inside each coarse-grained area, but allow locations in different coarse-grained areas to be distinguishable", as shown in Fig.4, since such monitoring only needs to know how people move between cities. Epidemic analysis aims at building a predictive disease transmission model such as the SEIR model. Fine-grained data would be beneficial for estimating parameters such as R0 (i.e., the basic reproduction number). A location policy for epidemic analysis is similar to the previous one but more fine-grained, as in Fig.4. Contact tracing attempts to find all contacts of a diagnosed case so as to stop the spread of the disease by finding and isolating patients.
A policy for contact tracing can be "ensure indistinguishability only if the user is not in an infected area, but allow disclosure of the true location if the user visits an infected location", which can be formally represented by the graph in Fig.4. We introduce more details about contact tracing below.
3.2 Demonstration Scenario
This work is partially supported by JSPS KAKENHI Grant No. 17H06099, 18H04093, 19K20269, and Microsoft Research Asia (CORE16).
-  CDC to set up a coronavirus ’surveillance and data collection system’. https://www.businessinsider.com/cdc-coronavirus-surveillance-and-data-collection-stimulus-package-2020-3, 2020. Business Insider.
-  European mobile operators share data for coronavirus fight. https://www.reuters.com/article/us-health-coronavirus-europe-telecoms-idUSKBN2152C2, 2020. Reuters.
-  M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi. Geo-indistinguishability: Differential privacy for location-based systems. In CCS, pages 901–914, 2013.
-  Y. Cao, Y. Xiao, S. Takagi, L. Xiong, M. Yoshikawa, Y. Shen, J. Liu, H. Jin, and X. Xu. Customizable and Rigorous Location Privacy through Policy Graph. arXiv:2005.01263, 2020.
-  Y. Cao, Y. Xiao, L. Xiong, and L. Bai. PriSTE: from location privacy to spatiotemporal event privacy. In IEEE ICDE, pages 1606–1609, 2019.
-  Y. Cao, Y. Xiao, L. Xiong, L. Bai, and M. Yoshikawa. PriSTE: protecting spatiotemporal event privacy in continuous location-based services. Proc. VLDB Endow., 12(12):1866–1869, 2019.
-  Y. Cao, Y. Xiao, L. Xiong, L. Bai, and M. Yoshikawa. Protecting spatiotemporal event privacy in continuous location-based services. IEEE TKDE, pages 1–1, 2019.
-  E. Cho, S. A. Myers, and J. Leskovec. Friendship and Mobility: User Movement in Location-based Social Networks. In ACM KDD, 2011.
-  H. Davidson. China’s coronavirus health code apps raise concerns over privacy. https://www.theguardian.com/world/2020/apr/01/chinas-coronavirus-health-code-apps-raise-concerns-over-privacy, 2020. The Guardian.
-  C. Dwork. Differential Privacy. In ICALP, pages 1–12, 2006.
-  B. Gedik and L. Liu. Protecting Location Privacy with Personalized k-Anonymity: Architecture and Algorithms. IEEE Transactions on Mobile Computing, 7:1–18, 2008.
-  X. He, A. Machanavajjhala, and B. Ding. Blowfish privacy: Tuning privacy-utility trade-offs using policies. In ACM SIGMOD, pages 1447–1458, 2014.
-  M. Y. Li and J. S. Muldowney. Global stability for the SEIR model in epidemiology. Mathematical Biosciences, 125:155–164, 1995.
-  N. Li, T. Li, and S. Venkatasubramanian. T-Closeness: Privacy Beyond k-Anonymity and l-Diversity. In IEEE ICDE, pages 106–115, 2007.
-  K. Lyons. Governments are using cellphone location data to manage the coronavirus. https://www.theverge.com/2020/3/23/21190700/eu-mobile-carriers-customer-data-coronavirus-south-korea-taiwan-privacy, 2020. The Verge.
-  A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkitasubramaniam. L-diversity: Privacy beyond k-anonymity. In ICDE, pages 24–24, 2006.
-  V. Primault, A. Boutet, S. B. Mokhtar, and L. Brunie. The Long Road to Computational Location Privacy: A Survey. IEEE Communications Surveys Tutorials, pages 2772–2793, 2018.
-  R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying Location Privacy. In IEEE SP, pages 247–262, 2011.
-  L. Sweeney. K-anonymity: A Model for Protecting Privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst., 10(5):557–570, 2002.
-  S. Takagi, Y. Cao, Y. Asano, and M. Yoshikawa. Geo-Graph-Indistinguishability: Protecting Location Privacy for LBS over Road Networks. In DBSec, pages 143–163, 2019.
-  G. Theodorakopoulos, R. Shokri, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec. Prolonging the Hide-and-Seek Game: Optimal Trajectory Privacy for Location-Based Services. In WPES, pages 73–82, 2014.
-  Y. Xiao and L. Xiong. Protecting Locations with Differential Privacy Under Temporal Correlations. In ACM CCS, pages 1298–1309, 2015.
-  Y. Xiao, L. Xiong, S. Zhang, and Y. Cao. LocLok: location cloaking with differential privacy via hidden markov model. Proc. VLDB Endow., 10(12):1901–1904, 2017.
-  Y. Zheng, Y. Chen, X. Xie, and W.-Y. Ma. GeoLife2.0: A Location-Based Social Networking Service. In IEEE MDM, pages 357–358, 2009.