Is Geo-Indistinguishability What You Are Looking for?
Since its proposal in 2013, geo-indistinguishability has been consolidated as a formal notion of location privacy, generating a rich body of literature building on this idea. A problem with most of these follow-up works is that they blindly rely on geo-indistinguishability to provide location privacy, ignoring the numerical interpretation of this privacy guarantee. In this paper, we provide an alternative formulation of geo-indistinguishability as an adversary error, and use it to show that the privacy vs. utility trade-off that can be obtained is not as appealing as implied by the literature. We also show that although geo-indistinguishability guarantees a lower bound on the adversary’s error, this comes at the cost of achieving poorer performance than other noise generation mechanisms in terms of average error, and enabling the possibility of exposing obfuscated locations that are useless from the quality of service point of view.
💡 Research Summary
The paper critically examines the widespread reliance on geo‑indistinguishability (GeoInd) as a location‑privacy guarantee, arguing that many follow‑up works adopt the notion without a clear quantitative understanding of what the privacy parameter ε actually means in practice. The authors first reformulate GeoInd, traditionally expressed as a bound on the multiplicative distance between output distributions, into an equivalent statement about the minimum error probability of a “decision adversary” who must guess which of two equally likely locations a user occupies after observing the obfuscated output. This reformulation yields a simple closed‑form relationship: the adversary’s error probability pₑ* = 1/(1 + e^{ε·d}), where d is the Euclidean distance between the two candidate true locations. Consequently, small values of ε·d give an error close to 0.5 (random guessing), while larger values drive the error toward zero, meaning the adversary can almost certainly identify the true location.
Armed with this interpretation, the authors evaluate two canonical GeoInd mechanisms: the planar Laplace mechanism (the original construction) and a planar Laplace mechanism followed by an optimal deterministic remapping based on a popularity dataset (the current state‑of‑the‑art). For the plain Laplace mechanism, the average loss (expected Euclidean distance between true and reported locations) is r = 2/ε, and the 95th‑percentile loss r₉₅ can be computed analytically using the Lambert‑W function. Experiments show that achieving a modest privacy level of pₑ* = 0.4 (i.e., the adversary succeeds at most 60 % of the time) requires r ≈ 5·r*, where r* is the intended privacy radius (e.g., 200 m). This translates to an average displacement of about 1 km and a 5 % chance of being more than 2.3 km away from the true location—clearly unacceptable for many location‑based services that need nearby results.
The remapped Laplace mechanism reduces the average loss by roughly 40 % (e.g., from 1 km to about 600 m for the same privacy level) but only modestly improves the 95th‑percentile loss (still around 10 × r*). Thus, while the remapping yields a better average utility, the worst‑case utility degradation remains substantial.
To assess whether GeoInd truly offers superior protection compared with simpler noise‑addition schemes, the authors also test two non‑GeoInd mechanisms: adding isotropic Gaussian noise and adding uniform noise within a circle, both calibrated to the same ε values. They measure the actual decision‑adversary error probability pₑ (averaged over many trials) and compare it with the theoretical lower bound pₑ*. The results reveal that for “reasonable” privacy levels (where pₑ* is not trivially close to zero), the Gaussian and uniform mechanisms actually produce larger average error than the Laplace mechanism, but only when ε·d is very small—precisely the regime where GeoInd provides essentially no privacy because the adversary’s prior already localizes the user tightly. In regimes where privacy is meaningful, the Laplace mechanism’s error approaches the lower bound, meaning it offers no advantage over the simpler mechanisms in terms of average protection.
The paper draws several important conclusions. First, the minimal error guarantee inherent in GeoInd does not translate into practical utility: to achieve a given privacy level, one must inject noise that severely degrades service quality, especially in terms of worst‑case displacement. Second, the commonly used parameter choices (e.g., ε = log 2 for a 200 m radius) correspond to surprisingly weak privacy when interpreted through the adversary‑error lens. Third, practitioners should not select ε based solely on qualitative arguments; instead, they must quantitatively balance the desired privacy (as an error probability) against acceptable utility loss for their specific application. Finally, GeoInd is not universally optimal; in many scenarios, alternative noise mechanisms (Gaussian or uniform) can provide comparable or better average protection without the heavy utility penalty imposed by the strict GeoInd constraints. The authors therefore advocate for a more nuanced, numerically grounded approach to location‑privacy design rather than an uncritical adoption of GeoInd.
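The planar Laplace figures quoted earlier (about 1 km average loss and 2.3 km 95th‑percentile loss for an error bound of 0.4 at r* = 200 m) and the remark about ε = log 2 can be reproduced from the two formulas the summary gives. The Python below is an added example, not code from the paper; it assumes the two candidate locations are exactly r* apart (d = r*), reads "ε = log 2 for a 200 m radius" as ε·r* = log 2, and inverts the planar Laplace radial CDF 1 − (1 + εr)e^{−εr} by bisection instead of the Lambert‑W function. All function names are illustrative.

```python
import math

def adversary_error_bound(eps, d):
    """Lower bound on the decision adversary's error: 1 / (1 + e^(eps*d))."""
    return 1.0 / (1.0 + math.exp(eps * d))

def eps_for_error(p_star, r_star):
    """Invert the bound: the eps giving error p_star at distance r_star."""
    if not 0.0 < p_star < 0.5:
        raise ValueError("p_star must lie strictly between 0 and 0.5")
    if r_star <= 0:
        raise ValueError("r_star must be positive")
    return math.log((1.0 - p_star) / p_star) / r_star

def laplace_mean_loss(eps):
    """Expected displacement of the planar Laplace mechanism: 2 / eps."""
    return 2.0 / eps

def laplace_loss_quantile(eps, q=0.95):
    """Radius r with P(displacement <= r) = q under planar Laplace noise."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must lie strictly between 0 and 1")
    cdf = lambda x: 1.0 - (1.0 + x) * math.exp(-x)  # x = eps * r
    lo, hi = 0.0, 1.0
    while cdf(hi) < q:          # grow the bracket until it contains q
        hi *= 2.0
    for _ in range(100):        # bisection on the monotone CDF
        mid = (lo + hi) / 2.0
        if cdf(mid) < q:
            lo = mid
        else:
            hi = mid
    return hi / eps

def utility_cost(p_star, r_star):
    """Utility price of demanding error bound p_star at radius r_star (d = r_star assumed)."""
    eps = eps_for_error(p_star, r_star)
    return {"eps": eps,
            "mean_loss": laplace_mean_loss(eps),
            "r95": laplace_loss_quantile(eps, 0.95)}

if __name__ == "__main__":
    r_star = 200.0  # metres, the example radius used in the summary
    # p* = 1/3 is the bound implied by eps * r_star = log 2 (assumed reading).
    for p_star in (0.4, 1.0 / 3.0, 0.1):
        c = utility_cost(p_star, r_star)
        print(f"p*={p_star:.3f}  eps={c['eps']:.5f}/m  "
              f"mean={c['mean_loss']:.0f} m  r95={c['r95']:.0f} m")
```

Under these assumptions, ε·r* = log 2 bounds the adversary's error at only 1/3, which is the sense in which the common parameter choice is weak.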