
Preserving Privacy in Location-Based Services using Sudoku Structures
Authors: Sumitra Biswal, Goutam Paul & Shashwat Raizada
A Presentation for ICISS-2014
IDRBT, Hyderabad
OUTLINE
• Introduction – case study
• Location Privacy: Concept and background
• Limitations encountered
• Objective of the paper
• Proposed Mechanism
• Preventive measures against adversarial attacks
• Experimentations and inference
• Conclusion
NOTE: The presentation contains instances and certain pictures taken from the internet.
Introduction: Case Study
• Location Based Services (LBS) offer services anytime and anywhere.
– Automate multiple tasks.
– Quicker and more refined facilities.
– Time saving.
• Services seek location to provide “intelligent” service.
• LBS dark aspects – profit oriented, no guaranteed proof of secure data handling.
(Image retrieved from http://www.navigadget.com/index.php/2006/03/23/location-basedservices-without-a-gps-receiver)
(Image retrieved from http://www.consumerreports.org/cro/news/2011/06/senateintroduces-mobile-location-privacy-bill/index.htm)
• LBS, owing to new privacy bills, claim their concern for user privacy.
• No guaranteed proof of data security and privacy found yet.
(Image: LBS post user-targeted ads using location and time-of-visit details)
INEVITABLE QUESTION
“If you aren't doing anything wrong, what do you have to hide?”
MUCH MORE INEVITABLE ANSWER
“If I'm not doing anything wrong, then you have no cause to watch me.”
– Ref. “The Value of Privacy”, Schneier on Security
(Image retrieved from http://www.adweek.com/news-gallery/technology/how-pgunilever-and-campbells-are-targeting-foursquare-check-ads-154536#holidaynog-2)
Consistently keeping track of records with a notion of suspicion is “spying” and is objectionable.
Location Privacy: Concept and background
Location Privacy: A growing concern among users
• 52% of respondents express concern with sharing their location.
• 49% would be comfortable if they can clearly manage who sees their location information.
(Retrieved from http://news.microsoft.com/2011/01/26/data-privacy-day-tackles-concerns-as-locationbased-services-grow-in-popularity/)
• 84% concerned about sharing information without consent and losing privacy thereafter.
• Almost one-quarter of respondents said their greatest privacy concern was having their information used for marketing purposes.
• The same percentage of people named having strangers know too much about their activities as their top worry.
(Retrieved from http://www.marketresearchworld.net/content/view/4867/48/)
Google Play Developer Content Policy (with effect from August 2014)
• Users given the privilege to opt out of promotion-based ads.
• LBS not allowed to link Ad ID with user device identifiers.
• In case of violation, services will be cast out.
(Retrieved from http://www.futureofprivacy.org/2014/01/15/a-cutting-edge-guide-to-privacy-for-not-so-cutting-edge-phones/)
Yet another creepy incident: Uber watching you using “God View”
(Retrieved from http://thehill.com/policy/technology/225071-uber-ignites-new-privacy-fight)
• 2011: Stalker view showing locations of 30 Uber users in NY, real time.
• Half of the people were familiar.
• Notified one of current whereabouts.
• Concerned user / victim quits service.
(Retrieved from http://www.forbes.com/sites/kashmirhill/2014/10/03/god-view-uber-allegedly-stalked-users-for-party-goers-viewing-pleasure/)
• Legal policies are not sufficient to counteract the issue. Law and technology must go hand in hand.
• LBS no more just a concern to users, but also for LBS developers and marketers.
(Retrieved from https://www.eff.org/wp/locational-privacy)
Limitations Encountered
Techniques reviewed and their limitations:
• Pseudonyms. Entropy alone cannot provide risk levels of adversary and inference attacks.
• K-Anonymity and Obfuscation. 3rd party usage; cannot be used unless K identical users are available.
• Cloaking / Location Perturbation.
• Hashing.
• L-Diversity Technique.
• Adding Random Noise.
Shortcomings noted across these techniques: not sufficient to ensure privacy; cannot serve varying environments; cannot cater to non-uniform domains; might not help in trajectory mode of privacy.
Ref: From miscellaneous sources
Objective of the paper
• Address the challenges faced in the field of pervasive computing.
• Provide a solution against adversarial location service providers.
• Avoid using third-party service providers for anonymisation and obfuscation.
• Provide a cost-effective solution to the associated problems.
• Ensure it stands up to adversaries.
Proposed Mechanism
Major challenges exhibited in previous works:
– Dependency on third parties
– Failure in dynamic environments
• Aim: To develop a technique that renders uniformity as well as preserves uniqueness.
• SUDOKU: Principle of two U’s – Uniqueness and Uniformity.
• Level of confidence degrades at the adversary’s level and increases at the users’ end.
• Covers location, query and trajectory privacy.
• Client-Server architecture. NO third parties involved.
Sudoku and its hardness-solving properties
• NP-complete problem
• Total solutions to a 9×9 grid is approx. 6.67 × 10^21
• Possesses greater Shannon entropy than any randomly generated matrix
• Maximum Distance Separable (MDS) matrix
• Uniform distribution
Preventive measures against adversarial attacks
• Man in the middle – adversary grabs the response of the service provider to find the user’s exact location.
• Tracking movement – collating POIs of the user to build a profile.
Man-in-the-middle attack
Adversary’s objective: break the user’s ubiquity and nail down the exact block of the user’s presence.
Area of concern = X sq. km
Grid order = N
Cell size = C
Number of grids mapping the area, G = X / (N² · C²)
Number of each kind of block available, U = G · N = X / (N · C²)
Each block represents a user. The user’s ubiquity is measured by U.
E is the set of k entities e1, e2, …, ek for a query.
di is the ith pairwise distance between entities.
Adversarial attack complexities
• Scattering of scarce entities: di ≥ C√2 ∀ i
• Scattering of an abundant amount of entities: di < C√2 ∀ i
Tracking Movement
Using POIs along with time stamps to build a profile of the user violates trajectory privacy.
Server end: using block ID for providing navigation or routes.
User end:
• Querying source and destination in terms of block ID
• Compute the appropriate route at device level and navigate
• Each navigational route equipped with the mix-zone concept and a delayed time stamp
Experimentations and inference
Increasing variability of entities ensures less ubiquity of blocks.
Each block represents a user.
A user may lose ubiquity with increasing variability.
Variability = f(Grid Order AND Cellsize)
[Table: Grid Order 4 with No. of Entities = 1680; Cellsize = 500 m. Columns BLOCK, HOSPITALS, RESTAURANTS, ATM_COUNTERS for blocks 1 to 4. Values as extracted, column alignment lost: 470 1 49 124 227 14 23 2 51 113 251 4 13 27 3 35 135 252 86 237 480 4 45 128 250]
[Table: Grid Order 4 with No. of Entities = 1680; Cellsize = 50 m. Columns BLOCK, HOSPITALS, RESTAURANTS, ATM_COUNTERS for blocks 1 to 4. Values as extracted, column alignment lost: 84 236 6]
Suppose n(i, j) is the number of entities of type j in block i, 1 ≤ i ≤ N, 1 ≤ j ≤ M. To capture the variability amongst the entities within a block, we define the following.
Variability: sum of the standard deviation values computed for each kind of entity across the blocks, i.e. Variability = Σ_{j=1}^{M} σ_j, where σ_j is the standard deviation of n(1, j), …, n(N, j).
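The man-in-the-middle model above (G, U and the C√2 scattering threshold) and the variability definition, worked through as an added Python example that is not part of the paper or the presentation. The sample area, coordinates and per-block counts are constructed, and using the population standard deviation is an assumption since the slides do not say which estimator they use.

```python
import math
from statistics import pstdev  # population SD: an assumption, the slides do not specify


def grid_counts(area_sqkm, order, cell_km):
    """Slide model: G = X / (N^2 C^2) grids tile the area and U = G*N copies of
    each block kind exist. U is the user's ubiquity: the number of
    indistinguishable blocks the user could be standing in."""
    G = area_sqkm / (order ** 2 * cell_km ** 2)
    U = G * order
    return G, U


def scattering_class(points, cell_km):
    """Classify a query's entity set E by comparing every pairwise distance d_i
    with the cell diagonal C*sqrt(2): 'scarce' if all d_i >= C*sqrt(2),
    'abundant' if all d_i < C*sqrt(2), otherwise 'mixed' (neither slide case)."""
    threshold = cell_km * math.sqrt(2)
    dists = [math.dist(p, q) for i, p in enumerate(points) for q in points[i + 1:]]
    if not dists:
        return "single"
    if all(d >= threshold for d in dists):
        return "scarce"
    if all(d < threshold for d in dists):
        return "abundant"
    return "mixed"


def variability(counts):
    """counts[i][j] = n(i, j), entities of type j in block i.
    Variability = sum over entity types j of the SD of n(., j) across blocks."""
    types = len(counts[0])
    return sum(pstdev([row[j] for row in counts]) for j in range(types))


if __name__ == "__main__":
    # Constructed sample: 100 sq km, order 4, 500 m cells -> G = 25 grids, U = 100.
    print(grid_counts(100, 4, 0.5))
    # Constructed coordinates in km; three entities ~1 km apart are 'scarce' for C = 0.5 km.
    print(scattering_class([(0, 0), (1, 0), (0, 1)], 0.5))
    # Constructed per-block counts (rows = blocks, columns = entity types):
    # identical rows give zero variability, so blocks stay indistinguishable.
    print(variability([[5, 5], [5, 5]]), variability([[0, 5], [4, 9]]))
```

Smaller cells raise U (more look-alike blocks) but, as the slides note, also change the per-block counts, which is what `variability` measures.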
[Plot: Degree of Variability vs. Cellsize for Grid Order 4]
[Plot: Degree of Variability vs. Cellsize for Grid Order 9]
Mechanism against Trajectory Privacy Attack: availability of routes from the server for a given source and destination.
The data records released from the user device are sanitized using mix-zone concepts (a pseudonym for every block covered), a random delay of the time recorded for every move, and user location replaced with block numbers (anonymization).
Cost Complexity, Ubiquity and Comparisons of H. Kido et al.’s Work and Sudoku-Based Query and Location Privacy Techniques
[Plot: Ubiquity and Message cost for Order 4]
[Plot: Ubiquity and Message cost for Order 9]
[Plot: Cellsize vs. Ubiquity]
[Plot: Cellsize vs. Answer Message Cost]
Conclusion
• The paper focuses on:
– Adversarial location service providers
– Extracting service without third-party involvement
– Mitigating unauthorised access to user device data logs
– Involving real-time coordinates; improvisation envisaged using real-time metadata
– Providing a solution for LBS providers to gain clients’ trust
• Obfuscation + encryption = enhanced privacy and security
• Thriving challenge to be answered in future:
– Resolve the trade-off amidst privacy, QoS and cost