SpatialPDP: A personalized differentially private mechanism for range counting queries over spatial databases

Spatial databases are rapidly growing due to the large amount of geometric data obtained from geographic information systems, geomarketing, traffic control, and so on. Range counting queries are among the most common queries over spatial databases. They allow us to describe a region in a geometric space and then retrieve some statistics about geometric objects falling within it. Quadtree-based spatial indices are usually used by spatial databases to speed up range counting queries. Privacy protection is a major concern when answering these queries. The reason is that an adversary observing changes in query answers could induce the presence or absence of a particular geometric object in a spatial database. Differential privacy addresses this problem by guaranteeing that the presence or absence of a geometric object has little effect on the query answers. However, the existing differentially private algorithms for spatial databases ignore the fact that different subregions of a geometric space may require different amounts of privacy protection. This causes that the same privacy budget is considered for different subregions, resulting in a significant increase in error measure for subregions with low privacy protection requirements or a major reduction in privacy measure for subregions with high privacy protection requirements. In this paper, we address these shortcomings by presenting SpatialPDP, a personalized differentially private mechanism for range counting queries over spatial databases. It uses a so-called personalized geometric budgeting strategy to allocate different privacy budgets to subregions with different privacy protection requirements. Our experimental results show that SpatialPDP can achieve a reasonable trade-off between error measure and differential privacy, in accordance with the privacy requirements of different subregions.