Preserving Location Privacy

Transcript of the slides

Page 1: Preserving Location Privacy

Uichin Lee, KAIST KSE

Slides based on http://www.vldb.org/conf/2007/papers/tutorials/p1429-liu.pdf by Ling Liu and http://synrg.ee.duke.edu/ppts/cachecloak-mobicom09.ppt by Romit Choudhury

Page 2: Location Based Service (LBS): Examples

• Location based emergency services & traffic monitoring
– How many cars are on highway 85 north?
– What is the estimated time of travel to my destination?
– Give me the locations of the 5 nearest Toyota maintenance stores.
• Location based advertisement & entertainment
– Send e-coupons to all customers within five miles of my store
– Where is the nearest movie theater to my current location?
• Location finder
– Where are the gas stations within five miles of my location?
– Where is the nearest movie theater?

Page 3: Location privacy

• The claim/right of individuals, groups and institutions to determine for themselves, when, how and to what extent location information about them is communicated to others (similar to Westin’s def)

• Location privacy also refers to the ability to prevent other parties from learning one’s current or past location.

Page 4: Privacy threats through LBS

• Communication privacy threats
– Sender anonymity?
• Location inference threats
– Precise location tracking
  • Successive position updates can be linked together, even if identifiers are removed from the location updates
– Observation identification
  • If external observation is available, it can be used to link a position update to an identity (e.g., Bluetooth scanning)
– Restricted space identification
  • A known relationship between a location and its owner (e.g., a home) can link an update to an identity

Page 5: Location privacy architecture

• Centralized trusted third party location anonymization model
– A trusted third party anonymization proxy server serves both location updates and location anonymization.
– Capable of supporting customizable and personalized location k-anonymization
• Client-based non-cooperative location anonymization model
– Mobile clients maintain their location privacy based on their own knowledge
– Location cloaking without location k-anonymity support
• Decentralized cooperative mobility group model
– A group of mobile clients collaborate with one another to provide location privacy for a single user without involving a centralized trusted authority.
• Distributed hybrid architecture with limited cooperation

Page 6: Centralized trusted third party arch.

• Assume a Trusted Privacy Provider (TPP)
– Users reveal their location to the TPP
– The TPP exposes an anonymized location to the location app (or LBS)

Figure: the Privacy Provider sits between the users and Loc. App1, Loc. App2, Loc. App3 and Loc. App4

Page 7: How to preserve location privacy?

• Pseudonyms
• Spatio-temporal cloaking:
– K-anonymity + Mix zones
• Location perturbation (adding noise)
– PoolView (SenSys'08)

Page 8: Pseudonyms

• Just call yourself "Freddy" [Gruteser04]
– Effective only when location exposure is infrequent
– Otherwise, spatio-temporal patterns are enough to deanonymize

… think breadcrumbs

Figure: a breadcrumb trail of location updates leading to Romit's Office, among the users John, Leslie, Jack, Susan and Alex

Slides from: http://synrg.ee.duke.edu/ppts/cachecloak-mobicom09.ppt

Page 9: K-anonymity

• K-anonymity [Gedik05]
– Convert the location to a space-time bounding box
– Ensure K users are in the box
– Location apps reply for the boxed region
• Issues
– Poor quality of location
– Degrades in sparse regions
– Not real-time (e.g., wait until k is reached, as in CliqueCloak)

Figure: "You" inside a bounding box with K=4
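A Python model of the cloaking step, added here as an illustration and not taken from the slides or from the CliqueCloak paper: the anonymizer replaces the requester's point with the bounding box of the requester and its k-1 nearest peers, and the box area shows how location quality degrades in a sparse region. The sample coordinates are constructed, and building the box around the requester alone is a simplification of CliqueCloak, which groups users into cliques that all report the same box.

```python
"""Spatial k-anonymity cloaking at a trusted anonymizer (added example; a
simplified scheme, not the slides' CliqueCloak algorithm). The requester's exact
point is replaced by the bounding box of the requester and its k-1 nearest peers,
so the LBS answers for a region at least k users could have sent. Coordinates are constructed sample metres."""
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]
Box = Tuple[float, float, float, float]   # (min_x, min_y, max_x, max_y)

def cloak(user: str, positions: Dict[str, Point], k: int) -> Box:
    """Bounding box of `user` plus its k-1 nearest other users."""
    if k < 1 or user not in positions:
        raise ValueError("k must be >= 1 and the requester must have a position")
    if len(positions) < k:
        raise ValueError("fewer than k users known to the anonymizer (sparse region)")
    here = positions[user]
    # Rank all users by distance from the requester (the requester itself ranks first).
    ranked = sorted(positions, key=lambda u: math.dist(positions[u], here))
    xs = [positions[u][0] for u in ranked[:k]]
    ys = [positions[u][1] for u in ranked[:k]]
    return (min(xs), min(ys), max(xs), max(ys))

def users_in(box: Box, positions: Dict[str, Point]) -> List[str]:
    """Users inside the box; at least k of them for a k-anonymous box."""
    x0, y0, x1, y1 = box
    return sorted(u for u, (x, y) in positions.items() if x0 <= x <= x1 and y0 <= y <= y1)

def box_area(box: Box) -> float:
    """Larger area means a coarser (lower quality) location for the LBS."""
    x0, y0, x1, y1 = box
    return (x1 - x0) * (y1 - y0)

# Constructed sample: a dense cluster of users plus one isolated user.
SAMPLE: Dict[str, Point] = {
    "you":   (100.0, 100.0),
    "u1":    (110.0, 95.0),
    "u2":    (90.0, 120.0),
    "u3":    (130.0, 105.0),
    "u4":    (150.0, 140.0),
    "alone": (2000.0, 2000.0),
}

if __name__ == "__main__":
    box = cloak("you", SAMPLE, k=4)
    print("K=4 box", box, "covers", users_in(box, SAMPLE), "area", box_area(box))
    # The isolated user needs a huge box even for K=2: quality degrades in sparse regions.
    sparse = cloak("alone", SAMPLE, k=2)
    print("sparse K=2 box", sparse, "area", box_area(sparse))
```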

Page 10: Mix zone: confuse via mixing

• Path intersections are an opportunity for privacy
– If users intersect in space-time, one cannot say who is who later

Page 11: Mix zone: confuse via mixing

• Path intersections are an opportunity for privacy
– If users intersect in space-time, one cannot say who is who later

Unfortunately, users may not intersect in both space and time

Figure: paths from the Hospital and from the Airport that do not cross, each marked with a ?

Page 12: Mix zone/time: hiding until mixed

• Partially hide locations until users have mixed [Hoh et al., CCS'07]
– Expose after a delay

Figure: paths from the Hospital and from the Airport

Page 13: Mix zone/time: hiding until mixed

• Partially hide locations until users have mixed [Hoh et al., CCS'07]
– Expose after a delay

But delays are unacceptable to real-time apps

Figure: paths from the Hospital and from the Airport

Page 14: Mix zone/time+caching: predict & cache

• Predict until paths intersect [Meyerowitz et al., Mobicom'09]

Figure: paths from the Hospital and from the Airport, each extended by a predicted segment ("Predict")

Page 15: Mix zone/time+caching: predict & cache

• Predict until paths intersect [Meyerowitz et al., Mobicom'09]
– Expose the predicted intersection to the application

Cache the information on each predicted location

Figure: paths from the Hospital and from the Airport, each extended by a predicted segment ("Predict") until they meet
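A simplified model of the predict-and-cache idea from the two slides above (pages 14 and 15), added here as an example and not the CacheCloak authors' code: the proxy follows the user's heading until the predicted path reaches a cell already in the cache, queries the LBS for the whole predicted path at once, and afterwards serves the user from the cache, so the LBS only ever sees paths that join other paths. The grid road map, the two users and the LBS answers are constructed.

```python
"""CacheCloak-style predict-and-cache proxy (added example; a simplified model of
the idea in Meyerowitz et al., Mobicom'09, not the authors' code). The road map is
a constructed grid: a prediction follows the user's heading until it reaches a
cell whose LBS answer is already cached, the whole predicted path is queried and
cached at once, and later queries are served from the cache."""
from typing import Callable, Dict, List, Tuple

Cell = Tuple[int, int]   # grid cell (x, y); a heading is a unit step (dx, dy)

class CacheCloakProxy:
    def __init__(self, lbs: Callable[[Cell], str], width: int, height: int):
        self.lbs = lbs                     # the untrusted location application
        self.cache: Dict[Cell, str] = {}   # cell -> cached LBS answer
        self.width, self.height = width, height
        self.lbs_calls: List[Cell] = []    # every cell the LBS was ever asked about

    def _predict(self, cell: Cell, heading: Cell) -> List[Cell]:
        """Cells along the heading, stopping before the first cached cell or the map edge."""
        path: List[Cell] = []
        (x, y), (dx, dy) = cell, heading
        while 0 <= x < self.width and 0 <= y < self.height and (x, y) not in self.cache:
            path.append((x, y))
            x, y = x + dx, y + dy
        return path

    def query(self, cell: Cell, heading: Cell) -> str:
        """Answer from the cache; on a miss, expose the predicted path to the LBS and cache it."""
        if cell not in self.cache:
            for c in self._predict(cell, heading):
                self.cache[c] = self.lbs(c)
                self.lbs_calls.append(c)
        return self.cache[cell]

def demo() -> Tuple[List[Cell], int]:
    """Two constructed users on a 5x5 grid: the cells the LBS saw and the number of answered queries."""
    proxy = CacheCloakProxy(lambda c: f"shops near {c}", 5, 5)
    answered = 0
    for x in range(5):                  # user A drives east along row 2
        proxy.query((x, 2), (1, 0))
        answered += 1
    for y in range(3):                  # user B drives north along column 2 to the crossing
        proxy.query((2, y), (0, 1))
        answered += 1
    return proxy.lbs_calls, answered

if __name__ == "__main__":
    calls, n = demo()
    print(f"{n} user queries answered; the LBS saw only {len(calls)} cells: {calls}")
```

User B's prediction stops at (2, 2) because user A's path already cached it, so the LBS sees B's path only up to the crossing and cannot tell afterwards which user continued along which road.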

Page 16: Summary: R-U Confidentiality Map

Figure: R-U confidentiality map. Horizontal axis: Data Utility U; vertical axis: Disclosure Risk R. Points shown: No Data, Released Data and Original Data, with a line marking the Maximum Tolerable Risk.

Slide from: http://www.ccsr.ac.uk/methods/archive/AccessGrid/documents/GeorgeDuncanPresentation.ppt (George Duncan, 2001)