Location Privacy Context Better localization technology + Pervasive wireless connectivity = Location-based applications Location-Based Apps For Example: GeoLife shows grocery list near WalMart Micro-Blog allows location scoped.
Location Privacy
Context
Better localization technology + Pervasive wireless connectivity = Location-based applications
Location-Based Apps
For example:
GeoLife shows a grocery list near WalMart
Micro-Blog allows location-scoped querying
Location-based ad: coffee coupon at Starbucks
…
Location expresses the context of the user, facilitating content delivery
It's as if location is the IP address for content
Double-Edged Sword
While location drives this new class of applications, it also violates the user's privacy.
The sharper the location, the richer the app, and the deeper the violation.
The Location Based Service Workflow
Client -> Server: Request: retrieve all available services in the client's location
Server -> LBS Database (Location Based Service): forward to local service: retrieve all available services in location
LBS Database -> Server: Reply
Server -> Client: Reply
The Location Anonymity Problem
Client -> Server: Request: retrieve all bus lines from location to address
Server -> LBS Database (Location Based Service): forwards the request
Privacy violated: the request reveals both the client's location and its destination address to the server and the LBS database
Double-Edged Sword
Moreover, a range of apps are PUSH based and require continuous location information:
Phone detected at Starbucks: PUSH a coffee coupon
Phone located on a highway: query traffic congestion
Location Privacy
Problem: continuous location exposure is a serious threat to privacy
Research: preserve privacy without sacrificing the quality of continuous location-based apps
Just Call Yourself "Freddy"
Pseudonyms [Gruteser04]
Effective only when location exposure is infrequent
Else, spatio-temporal patterns are enough to deanonymize
… think breadcrumbs
(Figure: pseudonymous users John, Leslie, Jack, Susan and Alex; one trail of location samples leads to Romit's Office)
A Customizable k-Anonymity Model for Protecting Location Privacy
Paper by: B. Gedik, L. Liu (Georgia Tech)
Slides adopted from: Tal Shoseyov
Location Anonymity
"A message from a client to a database is called location anonymous if the client's identity cannot be distinguished from other users based on the client's location information."
k-Anonymity
"A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client's location from other k-1 clients."
Implementation of Location Anonymity
Client sends plain request data with compiled message data to the server
Server transforms the message by "anonymizing" the location data in the received message according to the client
Server sends the "anonymized" message to the database
Database executes the request
Database replies to the server
Server forwards the data to the client
Implementation of Location k-Anonymity
Spatial Cloaking – Setting a range of space to be a single box, where all the clients located within the range area are said to be in the "same location".
Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message in the "same time".
(Figure: x-y plane for spatial cloaking; t axis for temporal cloaking)
Implementation of Location k-Anonymity
Spatial-Temporal Cloaking – Setting a range of space and a time interval, where all the messages sent by clients inside the range in that time interval are grouped together. This spatial and temporal area is called a "cloaking box".
(Figure: x-y-t volume)
Previous solutions
M. Gruteser, D. Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client's location that potentially contains k-1 different other clients, and monitors that area over time until such k-1 clients are found.
Drawback: fixed anonymity value for all clients (service dependent)
Add Noise
K-anonymity [Gedic05]
Convert location to a space-time bounding box
Ensure K users in the box
Location apps reply to the boxed region
(Figure: bounding box around "You" with K=4)
Issues
Poor quality of location
Degrades in sparse regions
Not real-time
Confuse Via Mixing
Path intersections are an opportunity for privacy
If users intersect in space-time, one cannot say who is who later
(Figure: two paths crossing between Hospital and Airport; after the crossing each user is marked "?")
Unfortunately, users may not intersect in both space and time
Hiding Until Mixed
Partially hide locations until users have mixed [Gruteser07]
Expose after a delay
(Figure: Hospital and Airport paths)
But delays are unacceptable to real-time apps
Existing solutions seem to suggest:
Privacy and Quality of Localization (QoL) is a zero-sum game
Need to sacrifice one to gain the other
Hiding Stars with Fireworks: Location Privacy through Camouflage
Goal
Break away from this tradeoff
Target:
Spatial accuracy
Real-time updates
Privacy guarantees
Even in sparse populations
New Proposal: CacheCloak
The Intuition
Predict until paths intersect
Expose the predicted intersection to the application
Cache the information on each predicted location
(Figure: paths from Hospital and Airport extended by prediction until they intersect)
CacheCloak: System Design and Evaluation
Architecture
Assume a trusted privacy provider
Reveal location to CacheCloak
CacheCloak exposes anonymized location to the Loc. App
(Figure: CacheCloak sits between the user and Loc. App1 … Loc. App4)
Walk-through (CacheCloak and the Location Based Application)
In Steady State …
Prediction: backward prediction and forward prediction from the user's position
Predicted Intersection: the predicted path meets another user's path
Query: CacheCloak queries the Location Based Application for each location on the predicted path ("?")
LBA Responds: an array of responses, one per queried location
Cached: CacheCloak caches the responses
Cached Response: the cached response for each location is delivered to the user as location based information while the user moves along the predicted path
Benefits
Real-time: the response is ready when the user arrives at the predicted location
High QoL: responses can be specific to location
Overhead falls on the wired backbone (caching helps)
Entropy guarantees: entropy increases at traffic intersections
Sparse population: can be handled with dummy users and false branching
Quantifying Privacy
City converted into a grid of small squares (pixels)
Users are located at a pixel at a given time
Each pixel is associated with an 8x8 matrix
Element (x, y) = probability that a user enters via x and exits via y
Probabilities diffuse at intersections and over time
Privacy = entropy of the user's presence probability over pixels:
$E_{\text{user}} = -\sum_{\text{pixels}} p_i \log p_i$
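To make the privacy metric concrete, here is an added Python example (not code from the slides or the CacheCloak paper) that diffuses one user's presence probability through a constructed pixel grid with per-pixel 8x8 heading matrices and reports the entropy after each step; the heading-indexed matrix layout (row = heading on entry, column = heading on exit), the turn fractions and the one-road city are assumptions.

```python
import math
from collections import defaultdict

# Added example, not from the slides: presence probability diffusing over a pixel grid.
# Assumption: each pixel's 8x8 matrix is indexed by heading (row = entry, column = exit).
DIRS = [(0, -1), (1, -1), (1, 0), (1, 1), (0, 1), (-1, 1), (-1, 0), (-1, -1)]  # 8 compass headings
EAST = 2
# Plain road pixel: a user leaves with the heading it entered (8x8 identity).
ROAD = [[1.0 if x == y else 0.0 for y in range(8)] for x in range(8)]

def intersection(p_left, p_right):
    """Crossroads with turn fractions taken from history; the remainder continues straight."""
    m = [[0.0] * 8 for _ in range(8)]
    for x in range(8):
        m[x][x] = 1.0 - p_left - p_right
        m[x][(x - 2) % 8] = p_left   # 90-degree left turn
        m[x][(x + 2) % 8] = p_right  # 90-degree right turn
    return m

def diffuse(state, matrices):
    """One time step: push each (pixel, heading) mass through that pixel's matrix into its neighbours."""
    nxt = defaultdict(float)
    for (px, py, h), mass in state.items():
        for e, q in enumerate(matrices.get((px, py), ROAD)[h]):
            if q > 0.0:
                dx, dy = DIRS[e]
                nxt[(px + dx, py + dy, e)] += mass * q
    return dict(nxt)

def entropy_bits(state):
    """The slides' privacy metric: E = -sum over pixels of p_i log2 p_i (bits)."""
    per_pixel = defaultdict(float)
    for (px, py, _), mass in state.items():
        per_pixel[(px, py)] += mass  # headings within one pixel do not add location uncertainty
    return -sum(p * math.log2(p) for p in per_pixel.values() if p > 0.0)

def entropy_over_time(start, matrices, steps):
    """Entropy after each diffusion step for a user known to be at `start` = (x, y, heading) at t=0."""
    state, trace = {start: 1.0}, []
    for _ in range(steps):
        state = diffuse(state, matrices)
        trace.append(entropy_bits(state))
    return trace

# Constructed city: an east-west road with a crossroads at pixel (3, 0); from history,
# a quarter of the traffic turns left there and a quarter turns right.
CITY = {(3, 0): intersection(0.25, 0.25)}

DEMO = entropy_over_time((0, 0, EAST), CITY, 4)  # [0.0, 0.0, 0.0, 1.5]: entropy appears only at the crossroads
```

On plain road pixels the mass moves without spreading, so the entropy stays at zero until the first intersection splits it, which is exactly the "entropy increases at traffic intersections" claim from the Benefits slide.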
Diffusion
Probability of the user's presence diffuses
Diffusion gradient computed based on history, i.e., what fraction of users take a right turn at this intersection
(Figure: a road intersection at times t1, t2, t3)
Evaluation
Trace based simulation: VanetMobiSim + US Census Bureau trace data
Durham map with traffic lights, speed limits, etc.
6km x 6km, 10m x 10m pixels, 1000 cars
Vehicles follow Google map paths and perform collision avoidance
Results
High average entropy
Quite insensitive to user density (good for sparse regions)
Minimum entropy reasonably high
(Figures: bits of mean entropy vs. time (minutes), with max. and min. curves; mean entropy vs. number of users (N))
Peak Counting
Mean # of peaks = # of places where the attacker's confidence is > threshold
(Figures: mean # of peaks vs. time (seconds); mean # of peaks vs. number of users (N))
Limitations, Discussions …
CacheCloak overhead: the application replies to a lot of queries; however, the overhead is on the wired infrastructure, and caching reduces it significantly
CacheCloak assumes the same, indistinguishable query; different queries can deanonymize; possible through query combination … future work
Per-user privacy guarantee not yet supported: adaptive branching & dummy users
CacheCloak is a central trusted entity: a distributed version is proposed in the paper
Closing Thoughts
Two nodes may intersect in space but not in time; mixing is not possible without sacrificing timeliness
Mobility prediction creates space-time intersections, enabling virtual mixing in the future
CacheCloak implements the prediction and caching function
High entropy possible even under sparse population
Spatio-temporal accuracy remains uncompromised
Thank You
For more related work, visit: http://synrg.ee.duke.edu