Location Privacy Overview

Preserving Location Privacy
Uichin Lee
KAIST KSE
Slides based on http://www.vldb.org/conf/2007/papers/tutorials/p1429-liu.pdf by Ling Liu
http://synrg.ee.duke.edu/ppts/cachecloak-mobicom09.ppt by Romit Choudhury
Location Based Service (LBS): Examples
• Location based emergency services & traffic monitoring
– How many cars are on highway 85 north?
– What is the estimated time of travel to my destination?
– Give me the locations of the 5 nearest Toyota maintenance stores.
• Location based advertisement & entertainment
– Send E-coupons to all customers within five miles of my store
– Where is the nearest movie theater to my current location?
• Location finder
– Where are the gas stations within five miles of my location?
– Where is the nearest movie theater?
Location privacy
• The claim/right of individuals, groups and institutions to determine for themselves when, how and to what extent location information about them is communicated to others (similar to Westin’s definition of privacy)
• Location privacy also refers to the ability to prevent other parties from learning one’s current or past location.
Privacy threats through LBS
• Communication privacy threats
– Sender anonymity?
• Location inference threats
– Precise location tracking
• Successive position updates can be linked together, even if identifiers are removed from the location updates
– Observation identification
• If external observation is available, it can be used to link a position update to an identity (e.g., Bluetooth scanning)
– Restricted space identification
• A known relationship between a location and its owner can link an update to an identity (e.g., home)
Location privacy architecture
• Centralized trusted third party location anonymization model
– A trusted third party anonymization proxy server handles both location updates and location anonymization.
– Capable of supporting customizable and personalized location k-anonymization
• Client-based non-cooperative location anonymization model
– Mobile clients maintain their location privacy based on their own knowledge
– Location cloaking without location k-anonymity support
• Decentralized cooperative mobility group model
– A group of mobile clients collaborate with one another to provide location privacy for a single user without involving a centralized trusted authority.
• Distributed hybrid architecture with limited cooperation
Centralized trusted third party arch.
• Assume a Trusted Privacy Provider (TPP)
– The user reveals its location to the TPP
– The TPP exposes an anonymized location to the Loc. App (or LBS)
[Figure: the Privacy Provider sits between the mobile user and Loc. App1, Loc. App2, Loc. App3 and Loc. App4]
How to preserve location privacy?
• Pseudonyms
• Spatio-temporal cloaking:
– K-anonymity + Mix zones
• Location perturbation (adding noise)
– PoolView (SenSys’08)
Pseudonyms
• Just Call Yourself “Freddy” [Gruteser04]
– Effective only when location exposure is infrequent
– Otherwise, spatio-temporal patterns are enough to deanonymize … think breadcrumbs
[Figure: breadcrumb trails of John, Leslie, Jack, Susan and Alex, with Romit’s Office marked]
Slides from: http://synrg.ee.duke.edu/ppts/cachecloak-mobicom09.ppt
K-anonymity
• K-anonymity [Gedik05]
– Convert the location to a space-time bounding box
– Ensure K users are in the box
– Location Apps reply to the boxed region
[Figure: Bounding Box around “You” containing K=4 users]
• Issues
– Poor quality of location
– Degrades in sparse regions
– Not real-time (e.g., wait until K is reached, as in CliqueCloak)
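To make the bounding-box idea and its three issues concrete, here is an added example written for this page (not code from the slides, from [Gedik05] or from CliqueCloak). It grows a square box around the requesting user until K users fall inside it, over a constructed snapshot of positions. The box area shows the quality loss, and a None result shows the sparse-region failure mode when the box would have to grow past a bound the user still finds useful. USERS, cloak, users_in_box, box_area, the step size and the max_half_width bound are all assumptions of this example.

```python
# Constructed sample snapshot of user positions in metres (not data from the slides).
# u1..u4 are in a dense area; u5 and u6 are far away in a sparse area.
USERS = {
    "u1": (100.0, 100.0),
    "u2": (120.0, 90.0),
    "u3": (90.0, 130.0),
    "u4": (150.0, 150.0),
    "u5": (900.0, 900.0),
    "u6": (980.0, 940.0),
}


def users_in_box(users, box):
    """Return the sorted ids whose position lies inside the closed box (xmin, ymin, xmax, ymax)."""
    xmin, ymin, xmax, ymax = box
    return sorted(u for u, (x, y) in users.items()
                  if xmin <= x <= xmax and ymin <= y <= ymax)


def cloak(requester, users, k, step=10.0, max_half_width=500.0):
    """Spatial k-anonymity cloaking (assumed expanding-box variant): grow a square box
    centred on the requester until at least k users (requester included) are inside it.

    Returns (box, members), or None when the box would have to grow beyond
    max_half_width, i.e. the region is too sparse to reach k within a bound the
    requester still finds useful (the "degrades in sparse regions" issue).
    """
    cx, cy = users[requester]
    half = step
    while half <= max_half_width:
        box = (cx - half, cy - half, cx + half, cy + half)
        members = users_in_box(users, box)
        if len(members) >= k:
            return box, members
        half += step
    return None


def box_area(box):
    """Area of the cloaked region: a larger area means a poorer-quality location for the LBS."""
    xmin, ymin, xmax, ymax = box
    return (xmax - xmin) * (ymax - ymin)


if __name__ == "__main__":
    for user, k in (("u1", 4), ("u5", 2), ("u5", 3)):
        result = cloak(user, USERS, k)
        if result is None:
            print(f"{user}, K={k}: cannot reach K within the bound (sparse region)")
        else:
            box, members = result
            print(f"{user}, K={k}: box={box} area={box_area(box):.0f} m^2 members={members}")
```

In the dense area u1 reaches K=4 with a 100 m box; u5 needs a 160 m box just to reach K=2, and cannot reach K=3 at all within the bound. The real-time issue is the other side of the same coin: a TPP that refuses to return None must instead wait until enough users arrive, which is the CliqueCloak behaviour the slide mentions.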
Mix zone: confuse via mixing
• Path intersections are an opportunity for privacy
– If users intersect in space-time, one cannot say who is who afterwards
[Figure: two paths between Hospital and Airport, marked “?” after the crossing]
Unfortunately, users may not intersect in both space and time
Mix zone/time: hiding until mixed
• Partially hide locations until users are mixed [Hoh et al., CCS’07]
– Expose after a delay
[Figure: paths between Hospital and Airport, exposed only after they have mixed]
But delays are unacceptable to real-time apps
Mix zone/time+caching: predict & cache
• Predict until paths intersect [Meyerowitz et al., Mobicom’09]
– Expose the predicted intersection to the application
– Cache the information for each predicted location
[Figure: predicted paths between Hospital and Airport]
Summary: R-U Confidentiality Map
[Figure: R-U confidentiality map (George Duncan 2001); horizontal axis Data Utility U, vertical axis Disclosure Risk R; “Original Data” lies above the Maximum Tolerable Risk line, “Released Data” below it, “No Data” at the bottom]
Slide from: http://www.ccsr.ac.uk/methods/archive/AccessGrid/documents/GeorgeDuncanPresentation.ppt