Transcript Preserving Privacy in GPS Traces via Uncertainty
Virtual Trip Lines for Distributed Privacy Preserving Traffic Monitoring
Baik Hoh et al. MobiSys08
Slides based on Dr. Hoh’s MobiSys presentation
Collaborative Traffic Monitoring using Cellphone based Probe Vehicles
[Diagram: Probe Vehicles, Satellite, Cellular Service Provider, Location Proxy, Traffic Estimation; labels: Anonymization, Access Control, Data mining and logging]
Vehicle ID | timestamp | Lon | Lat | Speed | Heading
-----------------------------------------------------------------
254 | 18-oct-2006 10:11:12 | -85.3452 | 42.4928 | 42.18 | 135
372 | 18-oct-2006 10:11:12 | -85.3427 | 42.4898 | 63.72 | 100
182 | 18-oct-2006 10:11:12 | -85.4092 | 42.4726 | 50.15 | 75
254 | 18-oct-2006 10:12:12 | -85.3462 | 42.4998 | 45.18 | 135
372 | 18-oct-2006 10:12:12 | -85.3512 | 42.4944 | 60.01 | 185
182 | 18-oct-2006 10:12:12 | -85.4102 | 42.4753 | 45.88 | 235
…
254 | 18-oct-2006 10:21:12 | -85.3856 | 42.5129 | 45.67 | 135
Anonymous Trace log files
Inference/Insider Attacks Compromise Location Privacy
• Insider attacks and remote break-ins are still possible
• Re-identification of traces through data analysis
• Tracking algorithms recover individual traces [Hoh05] (median trip time only 15 min)
• Home identification [Hoh06]: GPS is often precise enough to identify the home
[Figure: Anonymous Trace log files]
Related Works: Uncertainty-Aware Path Cloaking Requires a Trustworthy Proxy Server [Hoh07]
• Time-to-confusion (TTC) criterion* measures the time an adversary can track with high confidence
• Disclosure control algorithm that selectively reveals GPS samples to limit the maximum time-to-confusion
What if the location proxy got compromised?
[Diagram: Probe Vehicles, Satellite, Cellular Service Provider, Location Proxy, Traffic Estimation; label: Data mining and logging. The trace log shown at the proxy:]
Vehicle ID | timestamp | Lon | Lat | Speed | Heading
-----------------------------------------------------------------
254 | 18-oct-2006 10:11:12 | -85.3452 | 42.4928 | 42.18 | 135
372 | 18-oct-2006 10:11:12 | -85.3427 | 42.4898 | 63.72 | 100
• Idea: distributed “privacy” preserving scheme (a la secret splitting) using Virtual Trip Lines (VTLs)
Virtual Trip Lines (VTLs) Enable Sampling in Space
• Better than sampling in time (periodic reports)?
• Chance of a distributed architecture?
• A VTL has the same effect as “road side” sensor-based measurement
  – VTLs can be strategically chosen (optimal placement in the paper)
Privacy Risks and Threat Model
• Any single entity can be compromised (but no collusion)
• A driver’s cellphone is trustworthy
[Diagram: Probe Vehicles, Satellite, Cellular Service Provider, Location Proxy, Traffic Estimation; labels: Data mining and logging, My Phone, Others]
Probabilistic Guarantee Model (Mix Zone)
• Mobile generates data: VTL ID, speed, direction
• Mobile encrypts the data using the VTL server’s public key
• Privacy guarantee:
  – Location proxy: can’t decrypt location data
  – VTL server: can’t find the user’s identity (but an inference attack is still feasible, e.g., when only a single vehicle reports data)
[Diagram: Mobile sends (Mobile’s ID, E(VTL ID, speed, dir)) via the Cell Service Provider to the Location Proxy; the Location Proxy removes Mobile’s ID and forwards E(VTL ID, speed, dir) to the VTL Server; the VTL Server decrypts the data for Traffic Estimation]
Placement Privacy Constraints: Minimum Spacing
• Tracking uncertainty depends on the spacing between VTLs, the penetration rate, and the speed variations of vehicles
Placement Privacy Constraints: Exclusion Areas
• Low-speed samples are likely generated by vehicles that have just entered via a ramp
• Suppress sampling on on-/off-ramps
Guaranteed Privacy Model with VTL-based k-anonymity (called Distributed VTL-Based Temporal Cloaking), illustrated with k=7
VTL_ID_new = h(nonce, VTL_ID_old), where h is a secure hash function
[Diagram: Distributed VTL-Based Temporal Cloaking. Components: Handset; Location Verifier (coarse location verification to prevent location spoofing); ID Proxy (temporally cloaks flow updates, limits the update rate per phone, and authenticates users); VTL Generator; Traffic Server; VTL Update Log.
Steps: 1a. Nonce for area; 1b. Broadcast nonce to phones in area; 2. Send the VTL update (the phone generates the new ID for the trip line with the nonce from the VTL generator); 3. Forward the VTL update; 4. Send the cloaked VTL updates; 5. Store the cloaked VTL updates]
Distributed VTL-Based Temporal Cloaking
• Motivated by the secret splitting scheme
• Traffic estimation is immune to temporal error
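As an added illustration (not code from the paper or these slides), the Python sketch below simulates the temporal-cloaking pipeline: the handset derives the per-epoch VTL ID with h(nonce, VTL_ID_old), the ID proxy strips the handset identity, limits updates per phone and releases samples only once k of them share a VTL ID with a coarsened time window, and the traffic server averages speed without needing exact timestamps. SHA-256 as h, the batch-and-coarsen cloaking rule, the k value and all crossings are assumptions constructed for the demo.

```python
import hashlib
from collections import defaultdict

def derive_vtl_id(nonce: bytes, old_id: str) -> str:
    # VTL_ID_new = h(nonce, VTL_ID_old); using SHA-256 as h is an assumption
    return hashlib.sha256(nonce + old_id.encode()).hexdigest()[:16]

class IdProxy:
    """Strips handset identity, limits the update rate per phone, and releases
    updates for a VTL ID only once k of them are buffered (k-anonymity).
    Batch-and-coarsen is the assumed cloaking rule, not the paper's exact one."""
    def __init__(self, k: int, max_updates_per_phone: int):
        self.k, self.limit = k, max_updates_per_phone
        self.count = defaultdict(int)     # handset id -> updates accepted so far
        self.pending = defaultdict(list)  # vtl id -> [(t, speed, heading)]
        self.released = []                # what the traffic server gets to see

    def submit(self, handset_id: str, vtl_id: str, t: int, speed: float, heading: int) -> bool:
        if self.count[handset_id] >= self.limit:
            return False                  # rate limit: drop this update
        self.count[handset_id] += 1
        batch = self.pending[vtl_id]
        batch.append((t, speed, heading))  # handset id is not stored with the sample
        if len(batch) >= self.k:
            window = (min(b[0] for b in batch), max(b[0] for b in batch))
            # temporal cloaking: every record in the batch carries the same coarse window
            self.released.extend((vtl_id, window, s, h) for _, s, h in batch)
            self.pending[vtl_id] = []
        return True

def traffic_server_mean_speed(released, vtl_id: str):
    # Traffic estimation needs only VTL ID and speed; the cloaked time is sufficient
    speeds = [s for v, _, s, _ in released if v == vtl_id]
    return sum(speeds) / len(speeds) if speeds else None

def run_demo(k: int = 3):
    nonce = b"constructed-nonce-for-area-epoch-1"
    vtl = derive_vtl_id(nonce, "VTL-17")  # constructed trip line identifier
    proxy = IdProxy(k=k, max_updates_per_phone=1)
    # constructed crossings: (handset id, time in s, speed in mph, heading in deg)
    crossings = [("254", 100, 42.18, 135), ("372", 104, 63.72, 135),
                 ("182", 109, 50.15, 135), ("254", 112, 41.00, 135)]
    accepted = [proxy.submit(h, vtl, t, s, d) for h, t, s, d in crossings]
    return accepted, proxy.released, traffic_server_mean_speed(proxy.released, vtl)
```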
Entity   | Handset  | Location Verifier            | ID proxy                 | Traffic Server
---------|----------|------------------------------|--------------------------|-----------------------------
Role     | Sensing  | Distributing VTL ID updates  | Anonymizing and Cloaking | Computing Traffic Congestion
Identity | Yes      | Yes                          | Yes                      | No
Location | Accurate | Coarse                       | Not available            | Accurate
Time     | Accurate | Accurate                     | Accurate                 | Cloaked
Slide annotations: Virtual Trip Lines; Temporal Cloaking