Putting People in their Places: An Anonymous and Privacy-Sensitive Approach to Collecting Sensed Data in Location-Based Applications

Karen P. Tang, Pedram Keyani, James Fogarty, Jason I. Hong
Human-Computer Interaction Institute, Carnegie Mellon University

Transcript of the slide deck (59 slides; document posted 20-Dec-2015).

Location-Aware Computing Is Here

- In-car navigation systems
- PDAs, phones, laptops: WiFi & GSM

Types of Location-Aware Apps

Person-centric:
- “What restaurants are near me?”
- “Where are my friends?”
- “What’s happening around me?”

Anonymity & Privacy

Privacy treated as a tradeoff between disclosure and fidelity:

Specific location query: “Where are the closest restaurants near me?”

More anonymous location query: “Where are all the restaurants in Montreal?”

Types of Location-Aware Apps

Person-centric:
- “What restaurants are near me?”
- “Where are my friends?”
- “What’s happening around me?”

Location-centric:
- “What’s happening at the mall?”
- “How busy is the restaurant?”
- “What’s happening on highway 5?”

Zipdash: a Location-Centric App

Commercial (acquired by Google). How it works:
- Runs on GPS-enabled phones
- Continuously discloses GPS
- Server infers traffic congestion
- View traffic information on the phone

zipdash.com

Zipdash: How it works

Each car reports GPS data
Server collects all GPS reports

Zipdash: Privacy Threat

Can you trust the server? Data is leaked … Someone is eavesdropping …

Car A’s GPS log (from the slide):
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW

Observation: consistent routes; start/end is “Work” or “Home”

Malicious server threat:
- Hijack GPS log for each car
- Infer start of route as “Home”
- Lookup via consumer database

Result: Your “Home” and your identity are revealed

Zipdash: Use Fidelity Tradeoff?

Car calculates actual GPS; car reports “blurred” GPS

Car A, actual:
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW

Car A, reported:
8:00AM in Montreal, QC
8:05AM in Montreal, QC
8:10AM in Montreal, QC
8:15AM in Montreal, QC

Application loses usefulness: the fidelity tradeoff lessens utility

Limits of Fidelity Tradeoff

Fidelity tradeoff doesn’t work for Zipdash

A New Approach to Privacy

Location-centric applications need a better way to protect users’ privacy: “Hitchhiking”

Overview

- Motivation & Limits of Fidelity Tradeoff
- Hitchhiking
- Example Applications
- Privacy Analysis & Hitchhiking principles
  - Client computation
  - Location of interest approval
  - Sensing physical identifiers
- Conclusion

Hitchhiking: Definition

Client-focused, software-based approach to privacy-sensitive, location-centric apps on commodity devices and networks

Key: location is the entity of interest

Ensure complete user anonymity & no new privacy threats, even with a malicious server

Hitchhiking Approach to Zipdash

“Bridge” = location of interest; only report GPS when on the bridge

Car A: 8:05AM 45.527ºN, 73.822ºW
Car B: 8:06AM 45.633ºN, 73.862ºW
Car C: 8:07AM 45.549ºN, 73.792ºW

Prevents the malicious server threat:
- No start/end pattern
- Every report comes from the same areas
- No lookups are possible

Hitchhiking Example: Bus

Location of interest: bus route [Patterson, 2003]

“Is my bus running late?”

Detection of on/off the bus. When on the bus:
- Device senses location
- Device models on/off bus
- Device anonymously reports bus location to server
- Server shares bus info

Hitchhiking Example: Coffee shop

Location of interest: coffee shop

“Is Starbucks busy now?”

When in the coffee shop:
- Device senses WiFi location
- Device senses other devices
- Device anonymously reports device count & WiFi info
- Server infers shop’s busyness

Hitchhiking Example: Meeting Room

Location of interest: meeting room

“Can I use that room now?”

When in the meeting room:
- Device senses WiFi location
- Device anonymously reports WiFi data to server
- Server infers room availability

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B]

Research Contribution

Hitchhiking is:
- a privacy-sensitive approach
- applicable to location-centric apps
- provides complete user anonymity while maintaining the application’s full utility

By using Hitchhiking principles, we can build interesting sensor-based location applications without sacrificing the user’s privacy


Meeting Room Availability

“Is that meeting room available right now?”

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B]

Standard Approach: Always Track

Most common approach for current systems

Privacy threat from malicious server:
- Most people spend the bulk of their time in an office
- Correlate location trails to a specific person

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B]

Hitchhiking Solution

Define meeting rooms as locations of interest

Privacy defense: client computation
- Compute location on the device
- Only report while at this location

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B]

Client location computation

Prior work: Place Lab [LaMarca et al., 2005; Schilit, 2003]

A client-based approach alone is not enough

Hitchhiking thoroughly investigates these other privacy threats and extends prior work to address them


Threat: Location Spoofing

Privacy threat from malicious server:
- Add fake locations of interest (e.g. your office)
- Mislabel a fake location of interest
- Enables tracking of potential private places

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B, and a fake “Meeting Room C”]

Hitchhiking Solution

Make the threat apparent to the user

Privacy defense: location of interest approval

In Office 4: “You appear to be in a location that another user has indicated is Meeting Room C. Do you want to disclose information from your current location?”

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B, and the fake “Meeting Room C”]


Threat: Link identifiers to a person

Privacy threat from malicious server:
- Attach unique identifiers to locations of interest
- Craft identifiers for each individual
- People-specific reports for each location of interest

[Figure: a malicious server hands out per-person identifiers for Meeting Room B, so reports arrive as “B: John” and “B: Mary”]

Hitchhiking Solution

Privacy defense: sensed physical identifiers
- Use the device to sense surrounding identifiers
- Ensures every device sees the same identifiers
- Anonymizes reports from devices

[Figure: with the Hitchhiking server, every device in Meeting Room B senses and reports the same identifier, 00-0C-F1-5C-04-A8]

Hitchhiking: Putting it Together

Device reports after detecting “Meeting Room B”:
- If first time, device prompts for disclosure approval
- Device anonymously reports sensed WiFi to server

Server only knows someone is in Meeting Room B; no person-specific location trail for any user

[Floor plan figure: Offices 1 to 8, Meeting Room A, Meeting Room B; sensed identifier 00-0C-F1-5C-04-A8]
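A worked example of the client side of this design, added here as an illustration and not taken from the authors' Place Lab-based implementation: the device matches a WiFi scan against a local model of locations of interest (client computation), prompts for approval only the first time a location is detected (location of interest approval), and sends a report that carries only the identifiers any device in that room would sense (sensed physical identifiers). The BSSIDs, room names and the matching threshold are constructed.

```python
"""Hitchhiking client: compute location on the device, report only while at
an approved location of interest, and report nothing that identifies the
device or user.  Added illustration, not the authors' code; the BSSIDs,
room names and threshold below are constructed."""
from dataclasses import dataclass, field

# Constructed local model: location of interest -> WiFi BSSIDs sensed there.
# It stays on the device; scans taken anywhere else are never sent.
LOCATIONS_OF_INTEREST = {
    "Meeting Room A": {"00-0C-F1-5C-04-A8", "00-0C-F1-5C-04-B2"},
    "Meeting Room B": {"00-0C-F1-5C-04-C1"},
}


def match_location(scan, model, threshold=0.5):
    """Client computation: pick the location of interest whose known BSSIDs
    overlap the scan the most.  Returns None when the overlap is below the
    threshold everywhere, i.e. the device is somewhere private such as an
    office, and nothing will be reported."""
    best, best_score = None, 0.0
    for name, bssids in model.items():
        overlap = len(scan & bssids) / len(bssids)
        if overlap >= threshold and overlap > best_score:
            best, best_score = name, overlap
    return best


@dataclass
class HitchhikingClient:
    model: dict
    approved: set = field(default_factory=set)  # locations the user has approved
    declined: set = field(default_factory=set)  # locations the user refused

    def on_scan(self, scan, ask_user):
        """Handle one WiFi scan.  ask_user(name) is the location-of-interest
        approval prompt and returns True or False; it runs only the first
        time a location is detected.  Returns the report to send, or None."""
        loc = match_location(scan, self.model)
        if loc is None or loc in self.declined:
            return None
        if loc not in self.approved:
            if not ask_user(loc):
                self.declined.add(loc)
                return None
            self.approved.add(loc)
        # The report carries only the sensed physical identifiers of the
        # location: no device MAC, no user id, no position outside the room.
        # Every device in the room produces the same report content.
        return {"sensed": sorted(scan & self.model[loc])}


if __name__ == "__main__":
    client = HitchhikingClient(LOCATIONS_OF_INTEREST)
    office_scan = {"AA-BB-CC-DD-EE-FF"}  # constructed: an office, not a location of interest
    room_scan = {"00-0C-F1-5C-04-A8", "00-0C-F1-5C-04-B2", "11-22-33-44-55-66"}
    print(client.on_scan(office_scan, lambda name: True))  # None: nothing leaves the device
    print(client.on_scan(room_scan, lambda name: True))    # {'sensed': [...]} after approval
```

The approval prompt is what defeats the location-spoofing threat from the earlier slides: a location that a malicious server planted over someone's office is still shown to the user by name before any report is sent, and a refusal is remembered so the device stays silent there.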

Related issues

Other issues surrounding Hitchhiking:
- Query anonymity
- Live reports vs. offline collection
- Transport layer attack
- Denial-of-service attack
- Timing-based attack

Defenses for these threats exist…


Conclusion: Hitchhiking Highlights

It is a client-focused, software-based approach to privacy-sensitive location-centric apps

It works on existing devices & networks

It uses location constraints & anonymity

Hitchhiking is an extreme architecture: it assumes a system with minimum trust

Systems with implicit trust can relax the principles

Provides application developers a way to build useful location apps while avoiding well-known privacy risks

Thank you! Questions and comments?

Karen P. Tang, [email protected], Human-Computer Interaction Institute, Carnegie Mellon University

Acknowledgements: This is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. NBCHD030010, by an AT&T Labs fellowship, and by the National Science Foundation under grants IIS-0121560 and IIS-032531. We also thank contributors to Place Lab, jpcap, libpcap, and JDesktop Integration Components, which were utilized in this work.

Potential Questions Slides

- K-anonymity
- Mixed Zones
- Query anonymity
- Live reports vs. offline collection
- Transport layer attack
- Denial-of-service attacks
- Timing-based attacks

K-Anonymity

Server obscures client’s location by including client + k-1 others

However:
- Requires a trusted middleware server
- Not applicable to location-centric applications supported by Hitchhiking: k-1 others may not be in the meeting room

Mixed Zones

Client gets a new ID when entering a location

However: requires a trusted middleware server
- Server keeps tabs on all used IDs
- Server provides new IDs to clients

Query Anonymity

Hitchhiking anonymizes a location’s reports; it doesn’t anonymize queries about a location

Problem: What if you ask about a location?
- If you’ve already been there before: use sensed identifiers to ask the server
- If you haven’t been there before: mask queries; cached, local model

Live Reports vs Offline Collection

Live reports are not a Hitchhiking requirement

Hitchhiking doesn’t assume connectivity

Alternative: local cache, upload later

However, the app might need to change:
- Real-time availability
- Temporal models of availability

Transport Layer Attacks

Problem:
- Phone networks: providers know your location
- WiFi networks: provider could log MAC address

Reality: People trust their network providers

Hitchhiking: give app developers the same level of trust; does not introduce any new privacy threats by allowing apps to collect sensed data

Denial-of-Service Attacks

What if: server flooded with bad reports

Standard approach: give everyone a unique ID; ban the ID that sends fraudulent data
- Doesn’t allow for anonymity

More anonymous approaches:
- Note the IP address that reports: unlikely to report from many places in a short time
- Seed database with false data: insert a non-existent MAC address in the identifier list; ban reports that include false identifiers
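The two anonymity-preserving defenses above as working server-side code, added as an illustration and not the authors' server: a canary BSSID that no real access point carries is planted in the identifier list the server publishes for each location, so an honest device can never sense it and any report containing it was fabricated from the list; independently, each source IP is checked for claiming too many distinct places within a short window. Identifiers, locations, IP addresses, timings and thresholds are constructed.

```python
"""Server-side filtering of anonymous hitchhiking reports.  Added
illustration, not the authors' server: identifiers, locations, IP addresses
and timings are constructed."""
from collections import defaultdict

# Constructed identifier list as published to clients.  Each location carries
# one canary BSSID (no real access point has it) alongside the real ones.
PUBLISHED_IDENTIFIERS = {
    "Meeting Room A": {"00-0C-F1-5C-04-A8", "02-00-00-0C-0A-01"},
    "Meeting Room B": {"00-0C-F1-5C-04-C1", "02-00-00-0C-0A-02"},
    "Coffee shop":    {"00-0C-F1-5C-04-D4", "02-00-00-0C-0A-03"},
}
# Server-side secret: which of the published identifiers are canaries.
CANARIES = {"02-00-00-0C-0A-01", "02-00-00-0C-0A-02", "02-00-00-0C-0A-03"}


class ReportFilter:
    def __init__(self, published, canaries, window_s=600, max_places=2):
        self.published = published
        self.canaries = canaries
        self.window_s = window_s        # how long a source IP's history is kept
        self.max_places = max_places    # distinct places one IP may report from per window
        self.history = defaultdict(list)  # src_ip -> [(time, location)]
        self.banned = set()

    def locate(self, sensed):
        """Map sensed identifiers to a location of interest, ignoring canaries."""
        real = sensed - self.canaries
        for name, ids in self.published.items():
            if real & ids:
                return name
        return None

    def accept(self, src_ip, now, sensed):
        """Return (accepted, location or rejection reason) for one report."""
        sensed = set(sensed)
        if src_ip in self.banned:
            return False, "banned"
        # An honest device never senses a canary; a report that contains one
        # was built from the published list rather than from a real scan.
        if sensed & self.canaries:
            self.banned.add(src_ip)
            return False, "canary"
        loc = self.locate(sensed)
        if loc is None:
            return False, "unknown location"
        # Plausibility: one IP is unlikely to be in many places within minutes.
        recent = [(t, l) for t, l in self.history[src_ip] if now - t <= self.window_s]
        if len({l for _, l in recent} | {loc}) > self.max_places:
            return False, "implausible movement"
        recent.append((now, loc))
        self.history[src_ip] = recent   # entries older than the window are dropped
        return True, loc


if __name__ == "__main__":
    f = ReportFilter(PUBLISHED_IDENTIFIERS, CANARIES)
    print(f.accept("10.0.0.5", 0, {"00-0C-F1-5C-04-C1"}))                        # (True, 'Meeting Room B')
    print(f.accept("10.0.0.9", 1, {"00-0C-F1-5C-04-C1", "02-00-00-0C-0A-02"}))   # (False, 'canary')
```

Neither check needs a per-user identifier: the canary test looks only at report content, and the IP history is pruned to the window on every access so the server holds at most a few minutes of per-address state rather than a trail.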

Timing-Based Attacks

Hitchhiking: content cannot lead to tracking

Can we infer from consecutive reports?
- 2 reports received around the same time for the same location of interest
- Use reports from 2 close locations of interest

Solution: limit frequency of reports, not just for an application but for all reports; e.g. report 1x/10 min for any app = sparse
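The device-wide limit as an added illustration (not the authors' code): one throttle shared by every app on the device is compared with a per-app throttle on the same constructed event stream, showing why the slide insists the limit apply to all reports rather than per application. The 10-minute interval is the slide's example; app names and timestamps are constructed.

```python
"""Device-wide report throttle.  Added illustration, not the authors' code;
the 10-minute interval is the slide's example, app names and timestamps are
constructed."""


class GlobalThrottle:
    """One budget for all hitchhiking apps on the device."""

    def __init__(self, min_interval_s=600):
        self.min_interval_s = min_interval_s
        self.last_report_at = None          # shared across apps

    def allow(self, app, now):
        if self.last_report_at is not None and now - self.last_report_at < self.min_interval_s:
            return False
        self.last_report_at = now
        return True


class PerAppThrottle:
    """The weaker variant: each app keeps its own budget."""

    def __init__(self, min_interval_s=600):
        self.min_interval_s = min_interval_s
        self.last_report_at = {}            # app -> time of its last report

    def allow(self, app, now):
        last = self.last_report_at.get(app)
        if last is not None and now - last < self.min_interval_s:
            return False
        self.last_report_at[app] = now
        return True


def run(events, throttle):
    """Apply a throttle to a time-ordered list of (app, seconds) send attempts
    and return the reports that actually leave the device."""
    return [(app, t) for app, t in events if throttle.allow(app, t)]


def min_gap(reports):
    """Smallest spacing in seconds between consecutive reports leaving the device."""
    times = [t for _, t in reports]
    return min(b - a for a, b in zip(times, times[1:])) if len(times) > 1 else None


# Constructed stream: a bus app and a meeting-room app each try every 10 min,
# offset by 5 min, from the same device.
EVENTS = [("bus", 0), ("room", 300), ("bus", 600), ("room", 900), ("bus", 1200), ("room", 1500)]

if __name__ == "__main__":
    print(min_gap(run(EVENTS, PerAppThrottle())))   # 300: two apps double the density
    print(min_gap(run(EVENTS, GlobalThrottle())))   # 600: one report per 10 min overall
```

With per-app limits, two apps that each obey the 10-minute rule still emit a combined report every 5 minutes, which is exactly the dense, same-time stream the timing attack needs; the shared budget keeps the device's total output sparse. A production version would also decide which app gets the slot (the simple version above always favours whichever app tries first after the interval expires).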