Location Privacy Protection for Location-based Services CS587x Lecture Department of Computer...


Location Privacy Protection for Location-based Services
CS587x Lecture, Department of Computer Science, Iowa State University

Location-based Services (LBS)

Dilemma
- To use an LBS, a user needs to disclose her location, but a person's whereabouts may imply sensitive private information: hospital, political party, nightclub, stalking, ...

Location Privacy Protection
- Policy-based approaches
  - Legislation governs the collection and distribution of personal location data
  - Personal location management lets users determine when and to whom to release location information
- These schemes cannot prevent location data from being abused by insiders

Challenge
- Simply using a pseudonym is not sufficient, because a user's location itself may reveal her real-world identity, e.g., by correlating it with restricted spaces such as a home address or an office

Location Depersonalization
- Basic idea: reduce location resolution
- Report a cloaking area instead of the actual location
- Research issue: each cloaking area must provide the desired level of depersonalization and be as small as possible

The state of the art
- Ensure each cloaking area contains a certain number of users
- A cloaking area with K users provides K-anonymity protection

Problem 1
- The anonymity server requires frequent location updates from all users
  - Practicality
  - Scalability
- Users not engaged in LBSs may not be willing to help protect others' anonymity

Problem 2
- In the case of continuous LBSs, simply ensuring each cloaking area contains at least K users does NOT guarantee K-anonymity protection
- New threats:
  1. Location resolution refinement
  2. Trace attack

Problem 3
- A cloaking area guarantees service anonymity, but NOT location privacy
- An adversary does not know who requests the service, but knows that the requestor was inside the area, and in particular that she was there with some other people
- Where you are and whom you are with are closely related to what you are doing

The root of the problems
- All existing techniques cloak a user's position based on her current neighbors

Observation
- Public areas are naturally depersonalized: a large number of visits by different people
- More footprints, more popular (e.g., park, highway)

Basic Idea
- Use footprints for location depersonalization
- Each cloaking area contains at least K different footprints
- Location privacy protection: an adversary may be able to identify all these users, but will not know who was there at what time

Trajectory database
- Source of historical location data
  - From wireless service carriers, which provide the communication infrastructure
  - From the users of LBSs, who need to report their location for cloaking
- Trajectory indexing for efficient retrieval
  - Partition the network domain into cells
  - Maintain a cell table for each cell

Sporadic LBS
- A client reports to the server
  - p: its current location
  - K: its desired privacy level
- The server computes a circular region containing p and K-1 footprints, each from a different user
  - The region needs to be as small as possible
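The sporadic-LBS cloaking step and the cell-table index described above, as an added Python example; this is not code from the lecture or its authors. The square grid, the ring-by-ring search outward from p, the rule that the requester's own footprints and repeated footprints of one user never count toward K-1, and the footprint records are all assumptions constructed for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Footprint:
    user: str   # pseudonymous id of the historical visitor
    x: float    # metres
    y: float


class CellTable:
    """Grid index over the service domain: one bucket of footprints per cell.

    Assumed realisation of "partition the domain into cells, maintain a cell
    table for each cell"; the cells are squares of side cell_size.
    """

    def __init__(self, cell_size: float) -> None:
        self.cell_size = cell_size
        self.cells: Dict[Tuple[int, int], List[Footprint]] = defaultdict(list)

    def cell_of(self, x: float, y: float) -> Tuple[int, int]:
        return (math.floor(x / self.cell_size), math.floor(y / self.cell_size))

    def add(self, fp: Footprint) -> None:
        self.cells[self.cell_of(fp.x, fp.y)].append(fp)

    def ring(self, x: float, y: float, r: int) -> Iterator[Footprint]:
        """Footprints in the cells exactly r cells (Chebyshev distance) from the cell of (x, y)."""
        ci, cj = self.cell_of(x, y)
        for i in range(ci - r, ci + r + 1):
            for j in range(cj - r, cj + r + 1):
                if max(abs(i - ci), abs(j - cj)) == r:
                    yield from self.cells.get((i, j), ())


def cloak_location(index: CellTable, requester: str, px: float, py: float,
                   k: int, max_rings: int = 50) -> Optional[Tuple[float, List[str]]]:
    """Smallest circle centred at p holding footprints of k-1 users other than the requester.

    Returns (radius, users), or None when the database cannot supply k-1 other
    users within max_rings cells. Several footprints of one user count once, and
    the requester's own footprints never count: they would not hide her from anyone.
    """
    if k <= 1:
        return 0.0, []
    nearest: Dict[str, float] = {}   # user -> distance of that user's closest footprint
    for r in range(max_rings + 1):
        for fp in index.ring(px, py, r):
            if fp.user == requester:
                continue
            d = math.hypot(fp.x - px, fp.y - py)
            if d < nearest.get(fp.user, math.inf):
                nearest[fp.user] = d
        if len(nearest) >= k - 1:
            chosen = sorted(nearest.items(), key=lambda kv: kv[1])[:k - 1]
            radius = chosen[-1][1]
            # After rings 0..r every footprint within r*cell_size of p has been
            # scanned, so a candidate radius within that bound cannot improve.
            if radius <= r * index.cell_size:
                return radius, [u for u, _ in chosen]
    return None


def build_demo_index() -> CellTable:
    """Constructed footprint database (not data from the lecture)."""
    index = CellTable(cell_size=100.0)
    for fp in [
        Footprint("alice", 52, 50),    # requester's own earlier visit: must be ignored
        Footprint("bob", 60, 50),
        Footprint("bob", 55, 50),      # second footprint of the same user: counted once
        Footprint("carol", 50, 80),
        Footprint("dave", 150, 50),    # neighbouring cell
        Footprint("erin", 400, 400),   # far away, reached only after several rings
    ]:
        index.add(fp)
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    for k in (3, 4, 5, 6):
        print(k, cloak_location(idx, "alice", 50, 50, k))
```

With the constructed data, K=3 yields a 30 m circle (bob and carol), K=4 grows to 100 m (dave), K=5 has to reach erin about 495 m away, and K=6 returns None because only four other users exist in the database. The distinct-user bookkeeping is the part that matters: counting bob's two footprints as two people would report K-anonymity the circle does not provide.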
Continuous LBSs
- A client reports
  - a base trajectory T_0 = {c_1, c_2, ..., c_n}
  - the desired anonymity level K
- The server computes a K-anonymity trajectory (KAT) T = {B_1, B_2, ..., B_n}
- When the user arrives at c_i, the server reports B_i to the LBS

K-Anonymity Trajectory (KAT)
- Problem: how to find the KAT with the best resolution? (example with K=3)
- Challenges
  - Given a database of N trajectories, the number of candidate sets of K-1 trajectories is very large
  - Given a fixed set of additive trajectories, different orders of cloaking result in different KATs
  - Exhaustive search: expensive

A Heuristic Approach
- Cloak T_0 with one trajectory
- Cloak T_0 with a set of K-1 trajectories
- Select additive trajectory candidates

Cloaking One Additive Trajectory
- Cloaking T_0 with additive trajectory T_a
  - T_0 = {c_1, c_2, ..., c_n}; T_a = {a_1, a_2, ..., a_m}, with n samples in T_0 and m in T_a
  - T = {B_1, B_2, ..., B_n} is the cloaking result
- Goal: minimize T's resolution
- [Figure: T = Cloak(T_0, T_a), showing cloaking circles B_1 ... B_4 around the samples of T_0 and T_a]

Cloaking with a Set of Additive Trajectories
- Different orders of cloaking can have vastly different results
- T_0 + T_1 + T_2 = T_0 + T_2 + T_1 ?
- [Figure: trajectories T_0, T_1, T_2]

Approach 1: Linear(T_0, S)
1. Sort the trajectories in S by their distance to T_0
2. Cloak T_0 with them in order of distance
- Cloak(T_0, T_a) is called s + K - 1 times

Limit of Linear
- K=3: Linear cloaks T_0 with T_1 and T_2, but cloaking with T_1 and T_3 gives a better result

Quadratic(T_0, S)
- Once an additive trajectory is cloaked, set the cloaking result as T
- For the remaining trajectories, compare the distance to T instead of T_0
- In the worst case, Cloak(T_0, T_a) is called (K-1)(s - K/2 + 1) times
- Example:
  1. T_1 is closest to T_0, so T = Cloak(T_0, T_a) with T_a = T_1
  2. T_3 is closest to T, so T = Cloak(T, T_a) with T_a = T_3

Select Additive Trajectory Candidates
- Only those trajectories close to the base trajectory should be considered
- Searching algorithm

Performance Study
- Simulate mobile node movement on a real road map
  - Extract four types of roads
  - Speed changes at intersections
- Generate a footprint database containing a certain number of trajectories with randomly assigned user IDs

Experiments
- Performance metric: cloaking range, the average radius of the cloaking circles
- Single location cloaking: neighboring nodes vs. footprints
- Trajectory cloaking: Linear, Quadratic, and Baseline
  - Baseline: cloaking using neighboring mobile users

Trajectory Cloaking
- Generate a set of LBS requests, each containing
  - A user ID
  - The start and destination, randomly selected in the map
  - The fastest path as the user's expected route
  - A location sample every 100 meters along the route
  - The required degree of privacy protection

Effect of Anonymity Level
- (a) shows the cloaking range of different algorithms: the cloaking range increases as K increases
- (b) shows the cloaking range on different roads: popular roads have a large number of footprints, while unpopular roads are sensitive to changes in K

Concluding Remarks
- We explore historical location data for location depersonalization: each reported location/trajectory has been visited by at least K different people
- We develop a suite of novel location cloaking algorithms for sporadic LBSs and continuous LBSs
- To date, this is the only solution that can support location privacy protection
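The trajectory cloaking slides above (Cloak(T_0, T_a), Linear(T_0, S) and Quadratic(T_0, S)) as one added Python example; this is not code from the lecture or its authors. The concrete Cloak rule (each circle B_i absorbs the sample of T_a nearest to its centre, and the circle grows to the smallest one enclosing both), the use of Cloak's resolution as the "distance" between trajectories, and the four candidate trajectories are assumptions constructed so that the K=3 case on the slide can be reproduced: T_2 is nearer to T_0 than T_3, yet T_1 + T_3 cloaks better. A call counter checks the two cost figures, s + K - 1 for Linear and (K-1)(s - K/2 + 1) for Quadratic in the worst case.

```python
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]
Circle = Tuple[float, float, float]      # (centre x, centre y, radius)
Trajectory = List[Point]                 # location samples c_1 .. c_n
CloakedTrajectory = List[Circle]         # cloaking circles B_1 .. B_n


def enclose(circle: Circle, q: Point) -> Circle:
    """Smallest circle containing both `circle` and the point q."""
    cx, cy, r = circle
    d = math.hypot(q[0] - cx, q[1] - cy)
    if d <= r:
        return circle
    nr = (r + d) / 2.0
    t = (nr - r) / d                      # slide the centre toward q by (d - r) / 2
    return (cx + (q[0] - cx) * t, cy + (q[1] - cy) * t, nr)


class Cloaker:
    """Cloak(T, T_a) with a call counter so the cost formulas can be checked."""

    def __init__(self) -> None:
        self.calls = 0

    def cloak(self, T: CloakedTrajectory, Ta: Trajectory) -> CloakedTrajectory:
        # Assumed rule: each B_i absorbs the sample of T_a nearest to B_i's centre.
        self.calls += 1
        out = []
        for cx, cy, r in T:
            a = min(Ta, key=lambda q: math.hypot(q[0] - cx, q[1] - cy))
            out.append(enclose((cx, cy, r), a))
        return out


def resolution(T: CloakedTrajectory) -> float:
    """Average cloaking radius (the lecture's cloaking range); smaller is better."""
    return sum(r for _, _, r in T) / len(T)


def as_cloaked(T0: Trajectory) -> CloakedTrajectory:
    return [(x, y, 0.0) for x, y in T0]


def linear(T0: Trajectory, S: List[Trajectory], K: int, cl: Cloaker) -> CloakedTrajectory:
    """Linear(T_0, S): rank candidates by distance to T_0, cloak the K-1 nearest in that order."""
    base = as_cloaked(T0)
    # distance(T_0, T_a) is taken as the resolution of Cloak(T_0, T_a): s calls
    order = sorted(S, key=lambda Ta: resolution(cl.cloak(base, Ta)))
    T = base
    for Ta in order[:K - 1]:              # K-1 further calls
        T = cl.cloak(T, Ta)
    return T


def quadratic(T0: Trajectory, S: List[Trajectory], K: int, cl: Cloaker) -> CloakedTrajectory:
    """Quadratic(T_0, S): after each step re-rank the remaining candidates against the
    current result T instead of T_0, keeping the best cloaking result as the new T."""
    T = as_cloaked(T0)
    remaining = list(S)
    for _ in range(K - 1):
        trials = [(cl.cloak(T, Ta), i) for i, Ta in enumerate(remaining)]
        T, i = min(trials, key=lambda ti: resolution(ti[0]))
        del remaining[i]
    return T


def linear_calls(s: int, K: int) -> int:
    return s + K - 1


def quadratic_worst_calls(s: int, K: int) -> float:
    return (K - 1) * (s - K / 2 + 1)


def demo(K: int = 3) -> Dict[str, Dict[str, float]]:
    """Constructed scenario (not the lecture's data): T_2 is closer to T_0 than T_3,
    yet T_1 + T_3 cloaks better than T_1 + T_2 because T_3 lies on the same side as T_1."""
    xs = [0.0, 1.0, 2.0, 3.0]
    T0 = [(x, 0.0) for x in xs]
    S = [[(x, 1.0) for x in xs],          # T_1
         [(x, -1.1) for x in xs],         # T_2
         [(x, 1.3) for x in xs],          # T_3
         [(x, 5.0) for x in xs]]          # T_4, a far-away decoy
    out = {}
    for name, algo in (("linear", linear), ("quadratic", quadratic)):
        cl = Cloaker()
        T = algo(T0, S, K, cl)
        out[name] = {"resolution": resolution(T), "calls": cl.calls}
    return out


if __name__ == "__main__":
    for name, stats in demo().items():
        print(f"{name:9s} resolution={stats['resolution']:.3f} Cloak calls={stats['calls']}")
```

With s=4 candidates and K=3, Linear picks T_1 then T_2 and ends with an average radius of 1.05 after 6 Cloak calls, while Quadratic picks T_1 then T_3 for an average radius of 0.65 after 7 calls. Because `enclose` grows the existing circle rather than recomputing a minimum enclosing circle over all absorbed points, the result of cloaking depends on the order in which additive trajectories are applied, which is exactly the order effect the slides point out.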