CLOAKING AND MODELING TECHNIQUES FOR LOCATION PRIVACY PROTECTION
Ying Cai, Department of Computer Science, Iowa State University, Ames, IA 50011
LOCATION-BASED SERVICES
RISKS ASSOCIATED WITH LBS
- Exposure of service uses
- Location privacy
[Figure: examples of sensitive places and threats: Hospital, Political Party, Nightclub, Stalking, ...]
CHALLENGE
- Restricted space identification
- Simply using a pseudonym is not sufficient, because anonymous location data may be correlated with restricted spaces such as home and office for subject re-identification
[Figure: a pseudonymous location trace is traced back to a home or office and the subject is identified]
LOCATION DEPERSONALIZATION
- Basic idea: reducing location resolution
- Report a cloaking region, instead of actual location
[Figure: users send Location & Request through the cellular infrastructure (base station) to an anonymity server; the anonymity server forwards Cloaked region & Request over the Internet to the LBS servers, and the answer is relayed back along the same path]
Key Issue
- Each cloaking area must provide a desired level of depersonalization, and be as small as possible
EXISTING SOLUTION
- Ensuring each cloaking area contains a certain number of users [MobiSys'03, ICDCS'05, VLDB'07]
[Figure: service users and their cloaking regions, containing K = 4, K = 5 and K = 6 users respectively]
PROBLEMS (1)
- The anonymity server needs frequent location updates from all users
  - Practicality
  - Scalability
- Difficult to support continuous LBS
  - Simply ensuring each cloaking region contains K users does not support K-anonymity protection
[Figure: a service user's consecutive cloaking regions along a trajectory]
PROBLEMS (2)
- Guarantee only anonymous uses of services, but not location privacy
- An adversary may not know who requests the service, but knows that the K users are all there at the time when the service is requested
- Where you are and whom you are with are closely related to what you are doing ...
THE ROOT OF THE PROBLEMS
- These techniques cloak a user's position based on his current neighbors
[Figure: service users and their cloaking regions, containing K = 4, K = 5 and K = 6 users respectively]
OBSERVATION
- Public areas are naturally depersonalized
- A large number of visits by different people
- More footprints, more popular
[Figure: examples of public areas: Park, Highway]
PROPOSED SOLUTION [INFOCOM'08]
- Using footprints for location cloaking
- A footprint is a historical location sample
- Each cloaking region contains at least K different footprints
- Neighboring users vs. footprints
- Location privacy protection: an adversary may be able to identify all these users, but will not know who was there at what time
FOOTPRINT DATABASE
- Source of footprints
  - From wireless service carriers, which provide the communication infrastructure
  - From the users of LBSs, who need to report location for cloaking
- Trajectory indexing for efficient retrieval
  - Partition network domain into cells
  - Maintain a cell table for each cell
[Figure: footprint database storing user trajectories; the network domain is partitioned into cells c1, c2, ..., cn, and each cell table holds (uid, tlink) entries linking to the stored trajectories]
CLOAKING TECHNIQUES
- Sporadic LBS
  - Each cloaking region needs to 1) be as small as possible, 2) contain footprints from at least K different users
- Continuous LBS
  - Each trajectory disclosed must be a K-anonymity trajectory (KAT)
[Figure: cells c1, c2, c3, c4 and cloaking boxes B1, B2, B3, B4 forming an additive trajectory]
PRIVACY REQUIREMENT MODELING
- K-anonymity model
  - To request a desired level of protection, a user needs to specify a value of K
  - Problem: choosing an appropriate K is difficult. Privacy is about feeling, and it is difficult to scale one's feeling using a number
  - A user can always choose a large K, but this will reduce location resolution unnecessarily
- A feeling-based approach
  - A user specifies a public region: a spatial region which she feels comfortable having reported as her location should she request a service inside it
  - The public region becomes her privacy requirement: all locations reported on her behalf will be at least as popular as the public region she identifies
PROPOSED SOLUTION [CCS'09]
CHALLENGE
- How to measure the popularity of a spatial region?
  - More visitors → higher popularity
  - More even distribution → higher popularity
- Given a spatial region R, we define
  - Entropy E(R) =
  - Popularity P(R) = 2^E(R)
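Added example (not from the talk) computing E(R) and P(R) from per-user footprint counts of a region and applying the feeling-based check "cloaking region at least as popular as the public region". The slide does not show the entropy formula, so Shannon entropy over each user's share of the footprints is assumed; the footprint counts are constructed.

```python
import math
from typing import Dict

# Constructed footprint counts for three regions: user id -> number of
# footprints (historical location samples) that user left inside the region.
PARK = {"u1": 10, "u2": 10, "u3": 10, "u4": 10}      # 4 visitors, even spread
OFFICE = {"u1": 37, "u2": 1, "u3": 1, "u4": 1}        # 4 visitors, one dominates
HIGHWAY = {f"u{i}": 5 for i in range(1, 9)}           # 8 visitors, even spread


def entropy(footprints: Dict[str, int]) -> float:
    """E(R): assumed to be the Shannon entropy (in bits) of the per-user share
    of footprints in R. Both properties the slide lists hold for it: more
    visitors and a more even distribution both raise E(R)."""
    total = sum(footprints.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total)
                for n in footprints.values() if n > 0)


def popularity(footprints: Dict[str, int]) -> float:
    """P(R) = 2^E(R): the effective number of distinct visitors of R.
    K users with equally many footprints give P(R) = K, which is how the
    popularity model relates to K-anonymity; a skewed region scores lower."""
    return 2 ** entropy(footprints)


def satisfies_requirement(cloak: Dict[str, int],
                          public_region: Dict[str, int]) -> bool:
    """Feeling-based requirement: a cloaking region may be reported only if it
    is at least as popular as the public region the user identified."""
    return popularity(cloak) >= popularity(public_region)


if __name__ == "__main__":
    for name, region in (("park", PARK), ("office", OFFICE), ("highway", HIGHWAY)):
        print(f"{name:8s} E={entropy(region):.3f} P={popularity(region):.2f}")
    # With the park as the public region, the highway qualifies but the
    # office (four visitors, almost all footprints from one of them) does not.
    print(satisfies_requirement(HIGHWAY, PARK), satisfies_requirement(OFFICE, PARK))
```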
CLOAKING TECHNIQUES
- Sporadic LBS
  - Each cloaking region needs to 1) be as small as possible, 2) have a popularity no less than P(R)
- Continuous LBS
  - A sequence of location updates which form a trajectory
  - The strategy for sporadic LBSs may not work: an adversary may identify the common set of visitors
CLOAKING TECHNIQUES
- Sporadic LBS
  - Each disclosed cloaking region must be as small as possible and have a popularity no less than P(R)
- Continuous LBS
  - The time-series sequence of location samples must form a P-Populous Trajectory (PPT)
  - A trajectory is a PPT if its popularity is no less than P
  - The popularity of each cloaking region in the trajectory must be computed w.r.t. a common set of users
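Added example (not from the talk) checking the PPT condition for a continuous LBS: it recomputes each region's popularity over the common set of visitors, which is exactly the intersection the previous slide warns an adversary can derive, and shows why per-region popularity overstates protection. Assumptions: E(R) is Shannon entropy of footprint shares, the trajectory's popularity is the minimum over its regions, and the trajectory data is constructed.

```python
import math
from typing import Dict, List, Set

FootprintCounts = Dict[str, int]  # user id -> footprints inside one cloaking region


def entropy(counts: FootprintCounts) -> float:
    """E(R), assumed to be Shannon entropy (bits) of per-user footprint shares."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in counts.values() if n > 0)


def popularity(counts: FootprintCounts) -> float:
    """P(R) = 2^E(R)."""
    return 2 ** entropy(counts)


def common_users(trajectory: List[FootprintCounts]) -> Set[str]:
    """Users with footprints in every cloaking region of the trajectory."""
    users = set(trajectory[0])
    for region in trajectory[1:]:
        users &= set(region)
    return users


def per_region_popularities(trajectory: List[FootprintCounts]) -> List[float]:
    """What independent (sporadic-style) cloaking would report per region."""
    return [popularity(r) for r in trajectory]


def trajectory_popularity(trajectory: List[FootprintCounts]) -> float:
    """Popularity of the whole trajectory: every region is re-scored over the
    common user set only, and the trajectory is as popular as its weakest
    region (taking the minimum is an assumption; the slide states only that a
    common set of users must be used)."""
    common = common_users(trajectory)
    if not common:
        return 0.0
    return min(popularity({u: r[u] for u in common}) for r in trajectory)


def is_ppt(trajectory: List[FootprintCounts], p: float) -> bool:
    """A trajectory is a P-Populous Trajectory if its popularity is at least P."""
    return trajectory_popularity(trajectory) >= p


# Constructed trajectory: each region alone has four even visitors (P = 4),
# but only u1 and u2 appear in all three, so the trajectory is only 2-populous.
TRAJECTORY = [
    {"u1": 5, "u2": 5, "u3": 5, "u4": 5},
    {"u1": 5, "u2": 5, "u5": 5, "u6": 5},
    {"u1": 5, "u2": 5, "u7": 5, "u8": 5},
]
```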
FINDING A CLOAKING SET
- A simple solution is to find the set of users who have footprints closest to the service user
- Resolution becomes worse
- There may exist another cloaking set which leads to a finer average resolution
PROPOSED SOLUTION
- Using populous users for cloaking
  - Popular users have more footprints spanning larger regions
- Pyramid footprint indexing
  - A user is l-popular if she has footprints in all cells at level l
  - Sort users by the level l, and choose the most popular ones as the cloaking set
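Added example (not from the talk) of ranking users by pyramid level and picking the most popular ones as the cloaking set. Assumed pyramid: the network domain is the unit square and level l splits it into a 2^l x 2^l grid (level 0 is the whole domain), so a larger l means finer cells and a more popular user; the footprint histories are constructed.

```python
from typing import Dict, Iterable, List, Tuple

Footprint = Tuple[float, float]  # (x, y) inside the unit-square domain (assumed)


def cell_at_level(point: Footprint, level: int) -> Tuple[int, int]:
    """Grid cell (row, col) containing `point` at pyramid level `level`."""
    side = 2 ** level
    x, y = point
    return (min(int(y * side), side - 1), min(int(x * side), side - 1))


def popularity_level(footprints: Iterable[Footprint], max_level: int) -> int:
    """Largest l <= max_level such that the user has footprints in all 4^l
    cells of level l. In a pyramid every coarse cell is a union of finer
    cells, so covering level l implies covering all coarser levels; the
    first level that fails therefore bounds the answer."""
    pts = list(footprints)
    level = 0
    for l in range(1, max_level + 1):
        covered = {cell_at_level(p, l) for p in pts}
        if len(covered) < 4 ** l:
            break
        level = l
    return level


def choose_cloaking_set(users: Dict[str, List[Footprint]], k: int,
                        max_level: int = 3) -> List[str]:
    """Rank users by pyramid level (most popular first) and take the top k."""
    ranked = sorted(users, key=lambda u: popularity_level(users[u], max_level),
                    reverse=True)
    return ranked[:k]


# Constructed footprint histories.
USERS = {
    "alice": [(0.1, 0.1), (0.9, 0.1), (0.1, 0.9), (0.9, 0.9)],   # all 4 level-1 cells
    "bob": [(0.05, 0.05), (0.2, 0.2)],                            # one corner only
    "carol": [((i + 0.5) / 4, (j + 0.5) / 4)                      # all 16 level-2 cells
              for i in range(4) for j in range(4)],
    "dave": [(0.3, 0.3), (0.7, 0.3)],                             # two level-1 cells
}

if __name__ == "__main__":
    for name, pts in USERS.items():
        print(name, popularity_level(pts, 3))
    print(choose_cloaking_set(USERS, 2))
```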
SIMULATION
- We implement two other strategies for comparison
  - Naive: cloaks each location independently
  - Plain: selects the cloaking set by finding footprints closest to the service user's start position
- Performance metrics
  - Cloaking area
  - Protection level
EXPERIMENT
- A Location Privacy Aware Gateway (LPAG)
- ePost-It: a spatial messaging system [MobiSys'08]
CONCLUDING REMARKS
- Exploring historical location samples for location cloaking
  - To date, this is the only solution that can prevent anonymous location data from being correlated with restricted spaces to derive who's where at what time
- A feeling-based approach for users to express their location privacy requirement
  - Previously, the K-anonymity model was the only choice
- A suite of location cloaking algorithms
  - Satisfy a required level of protection while resulting in good location resolution
- A location privacy-aware gateway prototype has been implemented