Electronic toll collection (ETC) systems are becoming increasingly popular, but they are inherently privacy-sensitive because they handle users' location data. Prior research has proposed privacy-preserving ETC (PPETC) systems that hide the individual toll fees from the toll service provider and reveal only a total monthly fee; in this paper we study the actual privacy properties of such PPETC schemes. Since prior work has shown that a monthly total alone may be insufficient to protect user privacy in real-world scenarios, we analyze the effectiveness of an additional protection mechanism: a differential privacy (DP) mechanism that obscures the actual monthly toll fee by adding a small amount of noise. While this seems like a straightforward solution, it presents challenges. Noise added to a monthly fee changes what the user is billed, so the noise must be kept small; but since more noise intuitively means more privacy under DP, the amount of noise must be chosen carefully to strike a balance between the privacy gained and the additional monetary cost. Our goal is to examine two popular DP mechanisms for categorical data, namely k-ary randomized response and the exponential mechanism, to evaluate how well they protect users' toll station visits and to determine the associated privacy costs. To investigate how well these mechanisms hide the visited toll stations, we design an attack on each protection mechanism that attempts to recover the toll station visits from an obscured monthly toll fee, and we evaluate their effectiveness in two real-world scenarios.
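To make the trade-off described in the abstract concrete, the following is an added worked example (not code from the paper or its authors): the monthly fee is treated as a categorical value drawn from the set of fees reachable in a small, constructed toll network, k-ary randomized response and the exponential mechanism are applied to it, the expected change in the user's bill is computed, and a maximum-a-posteriori attacker who knows the mechanism tries to recover the true fee, and through it the candidate sets of visited stations. The station prices, the at-most-one-visit-per-station model, the utility function used for the exponential mechanism and its sensitivity are all assumptions of this example, not details taken from the paper.

```python
"""
Added illustration (not from the paper): k-ary randomized response (k-RR) and
the exponential mechanism on a categorical monthly toll fee, plus a MAP attack
that tries to recover the true fee from the obscured one.
"""
import math
import random
from collections import defaultdict
from itertools import combinations

# Constructed toll network: station name -> fee per visit (assumption).
STATIONS = {"A": 2, "B": 3, "C": 5, "D": 7}


def fee_domain(stations):
    """Every monthly fee reachable when each station is visited at most once
    (assumed visit model).  Returns {fee: [frozenset of visited stations, ...]},
    so a fee that several visit sets produce is already ambiguous on its own."""
    by_fee = defaultdict(list)
    names = sorted(stations)
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            by_fee[sum(stations[s] for s in subset)].append(frozenset(subset))
    return dict(by_fee)


def krr_probs(true_fee, domain, eps):
    """k-RR over k = len(domain) categories: report the true fee with
    probability e^eps / (e^eps + k - 1), otherwise a uniformly random other fee."""
    k = len(domain)
    p_true = math.exp(eps) / (math.exp(eps) + k - 1)
    p_other = (1 - p_true) / (k - 1)
    return {f: (p_true if f == true_fee else p_other) for f in domain}


def exp_mech_probs(true_fee, domain, eps, sensitivity):
    """Exponential mechanism with utility u(f, f') = -|f' - f|.  Under the
    assumed model a single visit changes the true fee by at most the most
    expensive station, so that price is used as the utility sensitivity."""
    weights = {f: math.exp(eps * -abs(f - true_fee) / (2 * sensitivity)) for f in domain}
    z = sum(weights.values())
    return {f: w / z for f, w in weights.items()}


def expected_extra_cost(true_fee, probs):
    """Expected change of the user's bill if the obscured fee is what gets
    charged (positive = user overpays on average)."""
    return sum(p * (f - true_fee) for f, p in probs.items())


def map_attack(reported_fee, domain, mech, prior=None):
    """Bayesian inversion: the attacker knows the mechanism and the fee domain,
    assumes a prior over true fees (uniform by default) and returns the MAP fee
    together with the full posterior."""
    prior = prior or {f: 1 / len(domain) for f in domain}
    joint = {f: prior[f] * mech(f)[reported_fee] for f in domain}
    z = sum(joint.values())
    posterior = {f: j / z for f, j in joint.items()}
    return max(posterior, key=posterior.get), posterior


def attack_success_rate(domain, mech, trials=2000, seed=1):
    """Fraction of simulated months in which the MAP attack recovers the true
    fee; true fees are drawn uniformly from the domain (constructed input)."""
    rng = random.Random(seed)
    fees = sorted(domain)
    hits = 0
    for _ in range(trials):
        true = rng.choice(fees)
        probs = mech(true)
        reported = rng.choices(list(probs), weights=list(probs.values()))[0]
        guess, _ = map_attack(reported, domain, mech)
        hits += guess == true
    return hits / trials


if __name__ == "__main__":
    dom = fee_domain(STATIONS)
    sens = max(STATIONS.values())
    for eps in (0.5, 1.0, 2.0, 4.0):
        krr = lambda f, e=eps: krr_probs(f, dom, e)
        exm = lambda f, e=eps: exp_mech_probs(f, dom, e, sens)
        print(f"eps={eps}: k-RR attack success {attack_success_rate(dom, krr):.2f}, "
              f"exp. mech. attack success {attack_success_rate(dom, exm):.2f}, "
              f"extra cost for true fee 5: k-RR {expected_extra_cost(5, krr(5)):+.2f}, "
              f"exp. mech. {expected_extra_cost(5, exm(5)):+.2f}")
    print("visit sets consistent with fee 5:", dom[5])
```

Running the block shows the tension the abstract describes: raising eps lets the attacker recover the true fee more often, while lowering it spreads probability mass onto fees far from the true one and drives up the expected billing error. Note that even a perfectly recovered fee only narrows the visit set down to the candidates in `fee_domain`, which is the residual protection the PPETC scheme itself provides.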