The rise of smart phones equipped with various sensors has enabled personalization of various applications based on user contexts extracted from sensor readings. At the same time it has raised serious concerns about the privacy of user contexts. In this paper, we present MASKIT, a technique to filter a user context stream that provably preserves privacy. The filtered context stream can be released to applications or be used to answer queries from applications. Privacy is defined with respect to a set of sensitive contexts specified by the user. MASKIT limits what adversaries can learn from the filtered stream about the user being in a sensitive context – even if the adversaries are powerful and have knowledge about the filtering system and temporal correlations in the context stream. At the heart of MASKIT is a privacy check deciding whether to release or suppress the current user context. We present two novel privacy checks and explain how to choose the check with the higher utility for a user. Our experiments on real smartphone context traces of 91 users demonstrate the utility of MASKIT.