Preserving Location Privacy

Uichin Lee KAIST KSE

Slides based on http://www.vldb.org/conf/2007/papers/tutorials/p1429-liu.pdf

by Ling Liu http://synrg.ee.duke.edu/ppts/cachecloak-mobicom09.ppt

by Romit Choudhury

Location Based Service (LBS): Examples

• • • Location based emergency services & traffic monitoring – How many cars on the highway 85 north?

– What is the estimated time of travel to my destination?

– Give me the location of 5 nearest Toyota maintenance stores?

Location based advertisement & entertainment – Send E-coupons to all customers within five miles of my store – Where are the nearest movie theater to my current location?

Location finder – Where are the gas stations within five miles of my location?

– Where is nearest movie theater?

Location privacy

• • The claim/right of individuals, groups and institutions to determine for themselves,

when, how and to what extent location

information about them is communicated to others (similar to Westin’s def) Location privacy also refers to the ability to prevent other parties from learning one’s

current or past location.

Privacy threats through LBS

• • Communication privacy threats – Sender anonymity?

Location inference threats – Precise location tracking •

Successive position updates can be linked together, even if

identifiers are removed from location updates – Observation identification • If external observation is available, it can be used to link a position update to an identity (e.g., Bluetooth scanning) – Restricted space identification • A known location owned by identity relationship can link an update to an identity (e.g., home)

Location privacy architecture

• • • • Centralized trusted third party location anonymization model – A trusted third party anonymization proxy server is served for both location updates and location anonymization.

– Capable of supporting customizable and personalized location k anonymization Client-based non-cooperative location anonymization model – Mobile clients maintain their location privacy based on their knowledge – Location cloaking without location k-anonymity support Decentralized corporative mobility group model – Group of mobile clients collaborate with one another to provide location privacy of a single user without involving a centralized trusted authority.

Distributed Hybrid Architecture with limited cooperation

Centralized trusted third party arch.

• Assume Trusted Privacy Provider (TPP) – – Reveal location to TPP TPP exposes anonymized location to Loc. App (or LBS) Loc. App1 Loc. App2 Loc. App3 Loc. App4 Privacy Provider

How to preserve location privacy?

• • • Pseudonymns Spatio-temporal cloaking: – K-anonymity + Mix zones Location perturbation (adding noise) – PoolView (sensys08)

Pseudonymns

• Just Call Yourself ``Freddy” [Gruteser04] – – Effective only when infrequent location exposure Else, spatio-temporal patterns enough to deanonymize … think breadcrumbs Leslie Jack John Susan Alex Romit’s Office

Slides from: http://synrg.ee.duke.edu/ppts/cachecloak-mobicom09.ppt

K-anonymity

• K-anonymity – – – [Gedic05] Convert location to a space-time bounding box Ensure K users in the box Location Apps reply to boxed region Bounding Box You • Issues – – – Poor quality of location Degrades in sparse regions K=4 Not real-time (e.g., wait until k is reached as in

CliqueCloak

)

Mix zone: confuse via mixing

• Path intersections is an opportunity for privacy – If users intersect in space-time, cannot say who is who later

Mix zone: confuse via mixing

• Path intersections is an opportunity for privacy – If users intersect in space-time, cannot say who is who later ?

Hospital ?

Airport Unfortunately, users may not intersect in both space and time

Mix zone/time: hiding until mixed • Partially hide locations until users mixed [Hoh et al., CCS’07] – Expose after a delay Hospital Airport

Mix zone/time: hiding until mixed • Partially hide locations until users mixed [Hoh et al., CCS’07] – Expose after a delay Hospital Airport But delays unacceptable to real-time apps

Mix zone/time+caching: predict & cache • Predict until paths intersect [Meyerowitz et al., Mobicom’09] Predict Hospital Airport Predict

Mix zone/time+caching: predict & cache • Predict until paths intersect [Meyerowitz – et al., Mobicom’09] Expose predicted intersection to application Predict Hospital Airport Predict Cache the information on each predicted location

Summary: R-U Confidentiality Map

Original Data Maximum Tolerable Risk Released Data No Data Data Utility U

George Duncan 2001 16

Slide from: http://www.ccsr.ac.uk/methods/archive/AccessGrid/documents/GeorgeDuncanPresentation.ppt