PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems

Gabriel Ghinita (1), Panos Kalnis (1), Spiros Skiadopoulos (2)
1 National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg
2 University of Peloponnese, Greece, [email protected]

Slide transcript (34 slides).
Posted 21-Dec-2015, category: Documents.

Page 1: Title slide

PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems
Gabriel Ghinita (1), Panos Kalnis (1), Spiros Skiadopoulos (2)
1 National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg
2 University of Peloponnese, [email protected]

Page 2: Location-Based Services (LBS)

• LBS users: mobile devices with GPS capabilities
• Spatial database queries: NN and range queries, e.g. "Find closest hospital to my present location"
• Location server is NOT trusted

Page 3: Problem Statement

• Queries may disclose sensitive information
• Querying through an anonymous web surfing service does not help: the user's location may still disclose identity, via triangulation of the device signal, publicly available databases, or physical surveillance
• How to preserve query source anonymity, even when exact user locations are known?

Page 4: Solution Overview

• Anonymizing Spatial Region (ASR): identification probability ≤ 1/K
• Minimize overhead: reduce ASR extent, fast ASR assembly time
• Support user mobility

Page 5: Central Anonymizer Architecture

• Intermediate tier between users and LBS
• Bottleneck and single point of attack/failure

Page 6: PRIVÉ Architecture (figure)

Page 7: K-Anonymity*

(a) Microdata

  Age   ZipCode   Disease
  42    25000     Ulcer
  46    35000     Pneumonia
  50    20000     Flu
  54    40000     Gastritis
  48    50000     Dyspepsia
  56    55000     Bronchitis

(b) Voting Registration List (public)

  Name   Age   ZipCode
  Andy   42    25000
  Bill   46    35000
  Ken    50    20000
  Nash   54    40000
  Mike   48    50000
  Sam    56    55000

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.

Page 8: K-Anonymity*

(a) 2-anonymous microdata

  Age     ZipCode        Disease
  42-46   25000-35000    Ulcer
  42-46   25000-35000    Pneumonia
  50-54   20000-40000    Flu
  50-54   20000-40000    Gastritis
  48-56   50000-55000    Dyspepsia
  48-56   50000-55000    Bronchitis

(b) Voting Registration List (public)

  Name   Age   ZipCode
  Andy   42    25000
  Bill   46    35000
  Ken    50    20000
  Nash   54    40000
  Mike   48    50000
  Sam    56    55000

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
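A worked check of the two tables on slides 7 and 8, added here as an example (this is not code from the talk or its authors). It transcribes the raw microdata, the 2-anonymous version and the public voter list, tests whether a table is k-anonymous over the quasi-identifiers Age and ZipCode, and counts how many sensitive values each public record can be linked to before and after generalization. The function names, the `lo-hi` range convention in `cell_contains` and the `QUASI_IDENTIFIERS` tuple are assumptions made for this example.

```python
# Added example (not from the slides): k-anonymity check and record linkage
# over the microdata / voter-list tables of slides 7 and 8.
from collections import Counter

# Tables transcribed from slides 7 and 8 (sample data from the talk).
MICRODATA = [
    {"Age": "42", "ZipCode": "25000", "Disease": "Ulcer"},
    {"Age": "46", "ZipCode": "35000", "Disease": "Pneumonia"},
    {"Age": "50", "ZipCode": "20000", "Disease": "Flu"},
    {"Age": "54", "ZipCode": "40000", "Disease": "Gastritis"},
    {"Age": "48", "ZipCode": "50000", "Disease": "Dyspepsia"},
    {"Age": "56", "ZipCode": "55000", "Disease": "Bronchitis"},
]
ANONYMIZED = [
    {"Age": "42-46", "ZipCode": "25000-35000", "Disease": "Ulcer"},
    {"Age": "42-46", "ZipCode": "25000-35000", "Disease": "Pneumonia"},
    {"Age": "50-54", "ZipCode": "20000-40000", "Disease": "Flu"},
    {"Age": "50-54", "ZipCode": "20000-40000", "Disease": "Gastritis"},
    {"Age": "48-56", "ZipCode": "50000-55000", "Disease": "Dyspepsia"},
    {"Age": "48-56", "ZipCode": "50000-55000", "Disease": "Bronchitis"},
]
VOTERS = [  # public voting registration list
    {"Name": "Andy", "Age": "42", "ZipCode": "25000"},
    {"Name": "Bill", "Age": "46", "ZipCode": "35000"},
    {"Name": "Ken", "Age": "50", "ZipCode": "20000"},
    {"Name": "Nash", "Age": "54", "ZipCode": "40000"},
    {"Name": "Mike", "Age": "48", "ZipCode": "50000"},
    {"Name": "Sam", "Age": "56", "ZipCode": "55000"},
]
QUASI_IDENTIFIERS = ("Age", "ZipCode")  # attributes also present in the public list


def is_k_anonymous(table, k, qi=QUASI_IDENTIFIERS):
    """True iff every combination of quasi-identifier values occurs at least k times."""
    groups = Counter(tuple(row[a] for a in qi) for row in table)
    return min(groups.values()) >= k


def cell_contains(cell, value):
    """A generalized cell is either an exact value or an inclusive range 'lo-hi'."""
    if "-" in cell:
        lo, hi = (int(p) for p in cell.split("-"))
        return lo <= int(value) <= hi
    return int(cell) == int(value)


def link(table, public, qi=QUASI_IDENTIFIERS):
    """For each public record, the sensitive values of every table row it could be."""
    result = {}
    for person in public:
        result[person["Name"]] = sorted(
            row["Disease"] for row in table
            if all(cell_contains(row[a], person[a]) for a in qi)
        )
    return result


def max_identification_probability(table, public, qi=QUASI_IDENTIFIERS):
    """Worst case over the public list: 1 / size of the smallest candidate set."""
    sizes = [len(candidates) for candidates in link(table, public, qi).values()]
    return 1.0 / min(sizes)


if __name__ == "__main__":
    for name, table in (("raw", MICRODATA), ("2-anonymous", ANONYMIZED)):
        print(name, "2-anonymous:", is_k_anonymous(table, 2),
              "max identification probability:",
              max_identification_probability(table, VOTERS))
        print("  Andy ->", link(table, VOTERS)["Andy"])
```

On the raw table every voter matches exactly one row, so the disease is disclosed with probability 1; on the generalized table each voter matches two rows, which is the ≤ 1/K bound (K=2) that the ASR construction on slide 4 carries over to locations.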

Page 9: Relational and Spatial Anonymity

(Figure: the six records plotted as points in the Age × Zip plane; Age axis from 42 to 56, Zip axis from 20k to 55k.)

Page 10: Existing Cloaking Solutions

Page 11: Redundant Queries

• Send K-1 redundant queries
• Gives away the exact location of users
• Potentially high overhead

Page 12: CloakP2P [Chow06]

• Find the K-1 NN of the query source
• Source likely to be closest to the ASR center
• Vulnerable to the "center-of-ASR" attack
(Figure: query source uq inside a 5-ASR)
NOT SECURE !!!

[Chow06] Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS '06

Page 13: QuadASR [Gru03, Mok06]

• Quad-tree based
• Fails to preserve anonymity for outliers
• Unnecessarily large ASR size

Example (figure with users u1, u2, u3, u4 and quadrants A1, A2):
• Let K=3
• If u4 queries, ASR is A2
• If any of u1, u2, u3 queries, ASR is A1
• u4's identity is disclosed
NOT SECURE !!!

[Gru03] Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Mok06] Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

Page 14: Secure Location Anonymization

Page 15: Reciprocity

Consider querying user uq and ASR Aq. Let ASq = {set of users enclosed by Aq}.
Aq has the reciprocity property iff
  i.  |ASq| ≥ K
  ii. for all ui, uj ∈ ASq: ui ∈ ASj and uj ∈ ASi

Page 16: hilbASR

• Based on the Hilbert space-filling curve
• Index users by the Hilbert value of their location
• Partition the Hilbert sequence into "K-buckets"
(Figure: Hilbert curve traversal from Start to End)

Page 17: Advantages of hilbASR

• Guarantees source privacy: K-ASRs have the "reciprocity" property
• Reduced ASR size: Hilbert ordering preserves locality well; a K-ASR includes exactly K users (in most cases)
• Efficient ASR assembly and user relocation: balanced, annotated index tree; user relocation and ASR assembly in O(log #users)
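The points of slides 12, 13, 15 and 16 in one runnable illustration, added here as an example and not the authors' code. Users on a 16×16 grid (a constructed sample: a dense group plus one outlier, the situation in which QuadASR exposes u4 on slide 13) are ordered by Hilbert value and cut into K-buckets (hilbASR); a CloakP2P-style set built from each user's K-1 nearest neighbours is constructed for comparison; the reciprocity definition of slide 15 is checked on both; and the "center-of-ASR" guess that the talk uses as its anonymity-strength metric is scored. The Hilbert mapping is the standard xy2d algorithm; the user coordinates, the value of K, the function names and the K-bucket tail handling (a remainder shorter than K is merged into the last bucket) are assumptions of this example.

```python
# Added example, not the authors' code: hilbASR K-bucket assembly (slide 16),
# the reciprocity check (slide 15) and the "center-of-ASR" metric (slides 12, 26).
# Locations are integer cells on an n x n grid, n a power of two; hilbert_index
# is the standard xy2d Hilbert-curve mapping.

def hilbert_index(n, x, y):
    """Distance of cell (x, y) along the Hilbert curve filling an n x n grid."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                      # rotate/flip so the sub-curves join up
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

# Constructed sample (assumption of this example): a dense group plus one outlier.
GRID = 16
USERS = {
    "u1": (1, 1), "u2": (2, 1), "u3": (1, 2), "u4": (2, 2),
    "u5": (3, 1), "u6": (3, 3), "u7": (1, 3), "u8": (2, 3),
    "outlier": (14, 14),
}

def hilb_asr_sets(users, k, n=GRID):
    """hilbASR: order users by Hilbert value and cut the sequence into K-buckets.
    A tail shorter than K is merged into the last bucket, so every anonymizing
    set has at least K members ('exactly K users in most cases')."""
    order = sorted(users, key=lambda u: hilbert_index(n, *users[u]))
    buckets = [order[i:i + k] for i in range(0, len(order), k)]
    if len(buckets) > 1 and len(buckets[-1]) < k:
        buckets[-2].extend(buckets.pop())
    return {u: set(b) for b in buckets for u in b}

def knn_sets(users, k):
    """CloakP2P-style set: the querier plus its K-1 nearest neighbours."""
    def dist2(a, b):
        return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2
    return {u: set(sorted(users, key=lambda v: (dist2(users[u], users[v]), v))[:k])
            for u in users}

def has_reciprocity(sets, k):
    """Slide 15: |AS_q| >= K and, for all ui, uj in AS_q, ui in AS_j and uj in AS_i."""
    for as_q in sets.values():
        if len(as_q) < k:
            return False
        for ui in as_q:
            for uj in as_q:
                if ui not in sets[uj] or uj not in sets[ui]:
                    return False
    return True

def asr_of(users, as_q):
    """Minimum bounding rectangle (x_min, y_min, x_max, y_max) of an anonymizing set."""
    xs = [users[u][0] for u in as_q]
    ys = [users[u][1] for u in as_q]
    return (min(xs), min(ys), max(xs), max(ys))

def center_of_asr_hit_rate(users, sets):
    """Anonymity-strength metric: fraction of queriers identified by guessing the
    enclosed user nearest to the ASR centre (ties broken by user name)."""
    hits = 0
    for q, as_q in sets.items():
        x0, y0, x1, y1 = asr_of(users, as_q)
        cx, cy = (x0 + x1) / 2, (y0 + y1) / 2
        guess = min(sorted(as_q),
                    key=lambda u: (users[u][0] - cx) ** 2 + (users[u][1] - cy) ** 2)
        hits += guess == q
    return hits / len(sets)

if __name__ == "__main__":
    K = 3
    print("hilbASR reciprocity:", has_reciprocity(hilb_asr_sets(USERS, K), K))
    print("kNN reciprocity:    ", has_reciprocity(knn_sets(USERS, K), K))
    print("center-of-ASR hit rate (hilbASR):",
          center_of_asr_hit_rate(USERS, hilb_asr_sets(USERS, K)))
```

With K=3 the nearest-neighbour sets fail reciprocity: the outlier's set contains two group members, but their own sets never contain the outlier, so an ASR enclosing the outlier can only have been produced by the outlier (the same reasoning that exposes u4 on slide 13). The hilbASR buckets satisfy reciprocity, and on this sample the center-of-ASR guess succeeds for 1/3 of the queriers, i.e. 1/K. The sample is far too small to reproduce the experimental curves of slides 26 to 30.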

Page 18: hilbASR with Annotated Index (figure: K=6 example)

Page 19: PRIVÉ

Page 20: PRIVÉ Characteristics

• P2P overlay network, resembles an annotated B+-tree
• Hierarchical clustering architecture
• Bounded cluster size [,3)
(Figure: S relocates to 60)

Page 21: Relocation (figure)

Page 22: Load Balancing

• Hierarchical architecture: inherent imbalance in peer load
• Cluster head rotation mechanism: rotation triggered by load
• Communication cost predominant

Page 23: Fault Tolerance

• Soft-state mechanism: cluster membership periodically updated
• Recovery facilitated by state replication
• Leader election protocol in case of cluster head failure

Page 24: Experimental Evaluation

Page 25: Experimental Setup

• San Francisco Bay Area road network
• Network-based Generator of Moving Objects*
• Up to 10000 users, velocities from 18 to 68 km/h
• Uniform and skewed query distributions
• Anonymity degree K in the range [10, 160]

* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.

Page 26: Anonymity Strength (center-of-ASR) (figure)

Page 27: ASR Size (figure)

Page 28: Query Efficiency (figure)

Page 29: Relocation Efficiency (figure)

Page 30: Load Balancing (figure; x axis: Node Fraction, 0% to 100%)

Page 31: Conclusions

• LBS privacy is an important concern
• Existing solutions have no privacy guarantees
• Centralized approach has limitations: poor scalability, legal issues
• Contribution: anonymization with privacy guarantees (hilbASR)
• Extension to decentralized systems: improved scalability and availability, no single point of attack/failure

Page 32: Bibliography on LBS Privacy

http://anonym.comp.nus.edu.sg

Page 33: Bibliography

[Chow06] Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS '06
[Gru03] Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Ged05] Gedik et al, Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
[Mok06] Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

Page 34: MobiHide

Randomized ASR assembly technique:
• Also uses Hilbert ordering; the ASR is chosen as a random K-user sequence
• Advantages: no global knowledge required; flat index structure (Chord DHT)
• Disadvantages: no privacy guarantees for skewed query distributions, but still strong anonymity in practice