an obfuscation-based approach for protecting location...

1

An Obfuscation-based Approach forProtecting Location Privacy

Claudio A. Ardagna, Marco Cremonini, Sabrina De Capitani di Vimercati, Pierangela Samarati

Abstract—The pervasive diffusion of mobile communication devices and the technical improvements of location techniques arefostering the development of new applications that use the physical position of users to offer location-based services for business,social, or informational purposes. In such a context, privacy concerns are increasing and call for sophisticated solutions able toguarantee different levels of location privacy to the users. In this paper, we address this problem and present a solution based ondifferent obfuscation operators that, when used individually or in combination, protect the privacy of the location information of users.We also introduce an adversary model and provide an analysis of the proposed obfuscation operators to evaluate their robustnessagainst adversaries aiming to reverse the obfuscation effects to retrieve a location that better approximates the location of the users.Finally, we present some experimental results that validate our solution.

Index Terms—Privacy, Obfuscation techniques, Location-based services

F

1 INTRODUCTION

The physical location of users is rapidly becoming easilyavailable as a class of personal information that can beprocessed for providing new online and mobile services,generally called Location-Based Services (LBSs). Customer-oriented applications, social networks, and monitoringservices can be greatly enriched with data reportingwhere people are, how they are moving, or whetherthey are close to specific locations. Several commercialand enterprise-oriented LBSs are already available andhave gained popularity (e.g., [4], [13], [26]), driven bythe relevant enhancements achieved in the field of sens-ing technologies. Location techniques permit to gatherlocation information with good precision and reliabilityat costs that most people (e.g., the cost of current mo-bile devices like cellular phones) and companies (e.g.,the cost of integrating location techniques in currenttelecommunication systems) can economically sustain.

In this context, the privacy of the users, which isalready the center of many concerns for the risks posedby current online services [4], [29], [34], can be threat-ened by LBSs. The publicity gained by recent securityincidents that have targeted the privacy of users hasrevealed faulty data management practices and unau-thorized trading of personal information (including IDthefts and unauthorized profiling). For instance, legalcases have been reported, where rental companies usedthe GPS technology to track their cars and charge usersfor agreement infringements [9], or where an organiza-tion used a location service to track its own employees[25]. In addition, research on privacy issues has gained a

• The authors are with Dipartimento di Tecnologie dell’Informazione, Uni-versita degli Studi di Milano, 26013 Crema, Italy.E-mail: [email protected]

relevant boost since providers of online and mobile ser-vices have often largely exceeded in collecting personalinformation in the name of service provision.

In such a worrisome scenario, the concept of locationprivacy can be defined as the right of individuals to decidehow, when, and for which purposes their location informationcan be released to other parties. The improper exposure oflocation information could result in severe consequencesthat make users the target of fraudulent attacks [15].

Current research on location privacy has mainly fo-cused on supporting anonymity and partial identities [7],[8], [16], [19], [31]. To a certain extent, anonymity andcomplete knowledge of personal information are theopposite endpoints of all the degrees of personal in-formation knowledge managed by online services, andlocation information is just one type of personal infor-mation that often needs to be bound to a user identity.Anonymity is however not viable in the provision of anonline service when the identification of users is required[23]. In this case, a solution to protect the privacy ofusers consists in decreasing the accuracy of locationinformation [14], [30]. As a matter of fact, many LBSsdo not need to have available location information asaccurate as possible to offer an acceptable quality ofservice to users.

In this paper, we present a novel solution aimed atpreserving the location privacy of the users by perturb-ing location information measured by sensing technolo-gies. We focus on the development of techniques forprotecting a single sample of location information. Forthe sake of concreteness, we consider locations gatheredby means of cellular phones as our reference, even if oursolution is not bound to a specific location technique.One important characteristic of cellular phones is theirlarge availability and the possibility to be used as asource of location information both indoor and outdoor

© 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. DOI: 10.1109/TDSC.2009.25

2

(on the contrary, GPS is operating mainly outdoor). Keyaspects of our perturbation process, called obfuscation, arei) to allow users to express their privacy preferences in asimple and intuitive way, and ii) to enforce the privacypreferences through a set of techniques robust againsta relevant class of de-obfuscation attacks. To this end,we introduce the concept of relevance as a metric of bothlocation information accuracy and privacy that abstractsfrom the physical attributes of the sensing technology aswell as from the actual technique employed to obfuscatea location. This way, while users have just to select a rele-vance value, the robustness of the solution is guaranteedby randomly selecting one of the techniques to producethe obfuscated location. The robustness is demonstratedby our experiments simulating an attacker aiming atreversing the protection granted by obfuscation. Anotherbenefit that the relevance metric could bring to LBSsis to support automated negotiation protocols handlingthe trade-off between the level of location accuracyfor LBS provision requested by service providers andthe protection of the location information requested byusers. Both needs could be expressed as relevance andthe quality of online services or the location privacy canbe adjusted, negotiated, or specified as contractual termsto meet a certain relevance.

The remainder of this paper is organized as follows.Section 2 presents the basic concepts. Section 3 pro-vides the probabilistic fundamentals exploited by theobfuscation operators. Section 4 introduces the basicobfuscation operators used to protect the privacy of theusers. Section 5 presents the composition of our basicobfuscation operators and the set of all the availableoperators. Section 6 analyzes our solution against adver-sarial attacks aimed at compromising the privacy guar-anteed to the users. Section 7 presents an experimentalstudy evaluating the robustness of our solution. Section 8describes a real application scenario. Section 9 discussesrelated work. Section 10 presents our conclusions.

2 BASIC CONCEPTS

The physical position of users, as each physical mea-surement, is always affected by an intrinsic measure-ment error introduced by sensing technologies. A directconsequence of such a lack of precision is that thelocation position of a user cannot be expressed as ageographical point, which would imply to suppose thatsensing technologies can return exact information.1 Wethen assume that positions of users are always repre-sented as planar circular areas. This assumption satisfiesthe general requirement of considering convex areas toeasily compute integrals over them. Also, circular areasapproximate well the actual shape resulting from manylocation techniques (e.g., location gathering based on

1. Some works (e.g., [7], [14], [19], [27]) approximate positions asgeographic points, which is acceptable when the purpose is to analyzetechniques that are affected by small measurement errors only. Ingeneral, such an assumption is not realistic since location measurementerrors are often a relevant factor of the measurement accuracy.

cellular phones). A location measurement returned by asensing technology can then be defined as follows.

Definition 2.1 (Location measurement): Let (xu, yu) be thereal position of a user u. A location measurement for u isa circular area Ai=〈xi,yi,ri〉 ⊆ lR2 returned by a sensingtechnology such that (xi, yi) are the coordinates of thecenter of Ai, ri is its radius, and the following conditionshold:

1) P ((xu, yu) ∈ Ai) = 1;2) P ((xu, yu) ∈ A), where A = 〈x, y, δr〉 ⊂ Ai is the

neighborhood of position (x, y) with δr an infinitelysmall radius, is uniformly distributed.

Condition 1 comes from observing that sensing tech-nologies based on cellular phones usually guarantee thatthe real user position is within the returned area [12].Condition 2 states that the probability that the real userposition falls within a neighborhood A ⊂ Ai of a randompoint (x, y) is uniformly distributed. In other words, thereal user position could be randomly located everywhereinside Ai with uniform probability.

The goal of our work is to design a solution thatprotects the location privacy of the users according totheir preferences and application context. To this end,the location privacy must be measured and quantifiedwith respect to the accuracy of the location measure-ment: the more accurate the measurement, the less theprivacy. The accuracy of a location measurement re-turned by a sensing technology depends on the radiusof the measured circular area, which, in turn, dependson the unavoidable measurement error of the sensingtechnology. To evaluate the quality of a given locationmeasurement, its accuracy must then be compared withthe best accuracy that sensing technologies are able toprovide. Several works describe and discuss differentlocation techniques and their best accuracy [20], [32],which is always expressed by defining the radius of thearea returned if the best accuracy is achieved.

We introduce a metric, called relevance, that providesboth an adimensional technology-independent measureof the location accuracy and a measure of the privacy ofa location measurement. The relevance associated witha location measurement is formally defined as follows.

Definition 2.2 (Relevance): Let Ai=〈xi, yi, ri〉 be a locationmeasurement for a user and ro be the radius of thearea that would be produced if the optimal accuracy isachieved. The relevance associated with Ai, denoted Ri,is the ratio r2

o/r2i .

In other words, Ri models the relative accuracy lossof a given measure (e.g., due to particular environmentalconditions) with respect to the optimal accuracy ro thatthe location techniques would have achieved in perfectenvironmental conditions. Ri is the only relevance valuethat depends on physical values (i.e., measurement er-rors). By definition, such a relevance:

• tends to 0, when the location measurement is ex-tremely inaccurate;

3

• is equal to 1, when the location measurement hasachieved the best accuracy that the location tech-niques allow;

• is in the range (0,1), otherwise; the higher the value,the higher the accuracy.

The location privacy associated with a location measure-ment Ai can then be defined as follows.

Definition 2.3 (Location privacy): Let Ai be a locationmeasurement with relevance Ri. The location privacy ofAi is 1−Ri.

In our reference scenario, users can specify their pri-vacy preferences in term of a final relevance Rf that alocation measurement must not exceed. A typical wayto let users specify their privacy preferences, whichhas been presented in the literature (e.g., [5], [14]), isbased on the concept of minimum distance. For instance,a user can define “100 meters” as her privacy preference,meaning that she can be located with an accuracy notbetter than 100 meters. Considering measurements thatproduce circular areas, such a preference correspondsto an area of radius 100 meters at least. Although thissolution is certainly intuitive and easily understandableby users, it suffers from some drawbacks. In particular,a minimum distance is meaningful in a specific applica-tion context only, and is suitable when the obfuscationis performed by scaling a location measurement to acoarser granularity. We instead propose a solution basedon the specification of a final relevance Rf that does notdepend on the application context and provides strongrobustness. The final relevance Rf together with theinitial relevance Ri associated with Ai are used to derivethe accuracy degradation that needs to be introduced forprivacy reason.

Definition 2.4 (Accuracy degradation): Let Ai be a locationmeasurement with initial relevance Ri, and let Rf bethe final relevance requested by the user. The accuracydegradation to be applied to Ai, denoted λ, is the ratioRf /Ri.

Given a location measurement and an accuracy degra-dation, our problem is to transform (obfuscate) the loca-tion measurement in such a way that the resulting areasatisfies the privacy preference Rf defined by the user.

Problem 2.1 (Obfuscation): Let (xu, yu) be the real positionof a user u, Ai with relevance Ri be a location measure-ment for u, and Rf be the final relevance to be satisfied.Transform Ai into an obfuscated area Af such that thefollowing conditions hold:

1) Af has relevance Rf ;2) P ((xu, yu) ∈ Af ) > 0.

Condition 1 requires the obfuscated area to satisfy theprivacy preference of the user. Condition 2 requires theobfuscated area to include the real user position, andimplies that Ai and Af cannot be disjoint.

The transformation of a location measurement Ai intoan obfuscated area Af is performed by applying a set

obfuscationtt

measurementss

�relevance

//• • •0 Rf Ri Ro = 1

Fig. 1. Relevance degradation due to the intrinsic mea-surement error and obfuscation

of basic obfuscation operators (or a combination of them)that change the radius, or the center, of the originallocation measurement. As illustrated in Figure 1, thetransformation of Ai into Af introduces a relevancedegradation in addition to the natural degradation dueto the intrinsic measurement error. Note that if Rf≥Ri,no obfuscation is applied to the location measurement,since the measurement error introduced by a sensingtechnology already satisfies the privacy preference of theuser. The following sections describe the basic obfusca-tion operators and their composition.

3 PROBABILISTIC FUNDAMENTALS OF THEOBFUSCATION OPERATORS

We briefly survey the basic probabilistic concepts ex-ploited by our obfuscation operators.

Considering the two coordinates (x, y) as two randomvariables, Definition 2.1 implies that each location mea-surement is characterized by a joint probability densityfunction (joint pdf) that is uniform within the locationmeasurement itself [28].

Definition 3.1 (Joint pdf ): Given a location measurementAi=〈xi,yi,ri〉, the joint probability density function (jointpdf) of variables X , Y corresponding to the x-coordinateand the y-coordinate, respectively, denoted fi(X, Y ), is:

fi(x, y) =

{1

πr2i

if (x, y) ∈ Ai

0 otherwise.

The corresponding joint cumulative distribution func-tion (joint cdf) Fi computed over the location measure-ment Ai (i.e.,

∫ ∫Ai

fi(x, y)dx dy) is equal to 1. Intuitively,the joint pdf represents the probability distribution ofthe real user position to be in the neighborhood of apoint (x, y) ∈ Ai; the joint cdf over Ai is the probabilitythat the real user position is within Ai. The physicaltransformations that can be applied on Ai, that is, achange in its radius or center, produce an obfuscatedarea Af for which the joint pdf, joint cdf, or both maybe different from the joint pdf and the joint cdf of theoriginal location measurement. Such physical transfor-mations introduce in the original location measurementan accuracy degradation λ (see Definition 2.4) that canbe defined as the composite probability of the followingtwo independent events: i) a random point (x′, y′) ∈ Af

belongs to the intersection between Ai and Af , and ii) theuser’s actual position (xu, yu) belongs to the intersection.The term λ is then equal to:

4

Fi(ci) = 1fi(c) = 1

πr2i

(a) (b)

Fig. 2. A location measurement (a) and the pdf of thecorresponding variable C (b)

λ = P ((x′, y′) ∈ (Ai ∩Af )) · P ((xu, yu) ∈ (Ai ∩Af )) =

=(Ai ∩Af )

Af

(Ai ∩Af )

Ai=

(Ai ∩Af )2

AfAi(1)

From Definition 2.4 and Equation (1) we obtain that:

λ =Rf

Ri=

(Ai ∩Af )2

AfAi(2)

Equation 2 represents the relationship between theaccuracy degradation λ and the original location mea-surement Ai, which are known, and the correspondingobfuscated area Af , which needs to be computed.

In the following, to graphically illustrate the proba-bilistic effects of an obfuscation over a location measure-ment Ai, we consider a continuous random variable C,defined on the nonnegative real numbers, with a uniformdistribution on [0,πr2

i ], meaning that the probabilitydensity function fi(c) = 1

πr2i, c ∈ [0, πr2

i ] (see Figure 2).The corresponding cumulative distributed function Fi

computed for ci = πr2i , which is the gray area under

the pdf from 0 to πr2i in Figure 2, is equal to 1. It easy to

see that the random variable C is statistically equivalentto variables (X, Y ).

4 BASIC OBFUSCATION OPERATORS

An obfuscation operator calculates an obfuscated areaAf with relevance Rf , starting from a location mea-surement Ai with relevance Ri. Formally, an obfuscationoperator is defined as follows.

Definition 4.1 (Obfuscation operator): Let A be the set ofcircular areas. An obfuscation operator op:A × (0, 1] ×(0, 1] → A takes a circular area Ai and two relevancevalues Ri and Rf as input, where Ri is the relevanceassociated with Ai and Rf < Ri is the final relevance tobe satisfied, and produces as output an obfuscated areaAf such that:

1) Af has relevance Rf ;2) Af ∩Ai 6= ∅.

Here, Condition 2 directly derives from Condition 2of Problem 2.1, which requires that each obfuscated areahas a probability greater than zero of containing the realposition of the user.

(a) radius enlargement

(b) radius reduction

(c) center shifting

Fig. 3. Graphical illustration of the basic obfuscationoperators and of their probabilistic effects on variable C

We now describe our basic obfuscation operators:enlarge (E), reduce (R), and shift (S).Enlarge (E). Given a location measurement Ai with rel-evance Ri, and a relevance Rf , it produces an obfus-cated area E(Ai,Ri,Rf ) = Af with radius rf > ri (seeFigure 3(a)). Obfuscating a location measurement byincreasing its radius logically corresponds to generaliza-tion techniques employed in data privacy solutions (e.g.,[11]). Such an obfuscation has the effect of decreasing theprobability that the real user position falls within theneighborhood of a point (x, y) ∈ Af , which correspondsto decreasing the pdf’s value associated with Af , whilethe probability that the real user position falls within Af

remains equal to 1. Considering variable C, Figure 3(a)shows that by enlarging the radius, the pdf’s value asso-ciated with Af decreases (from fi(c)= 1

πr2i

to ff (c)= 1πr2

f)

while the interval on which is defined increases (from[0,πr2

i ] to [0,πr2f ]), thus maintaining the area under the

pdf equal to 1 (i.e., Ff (cf )=Fi(ci)=1).From Equation (2), it follows that:

Rf

Ri=

(Ai ∩Af )2

AfAi=

Ai

Af=

r2i

r2f

(3)

Consequently, the radius rf of the obfuscated areacalculated with this operator satisfying the user privacypreference Rf is:

rf = ri

sRi

Rf. (4)

For instance, suppose that the privacy preference ofthe user is Rf =0.16 and that a location measurementwith best accuracy has radius ro = 0.4 km (this value

5

is far from reality, but it is assumed for simplicity). Con-sider a location measurement Ai with radius ri = 0.5 km.The relevance Ri associated with Ai is Ri=

r2o

r2i

=0.64. Theapplication of operator E produces an obfuscated areawith relevance Rf and radius rf = ri

√Ri

Rf=1 km.

Reduce (R). Given a location measurement Ai with rel-evance Ri, and a relevance Rf , it produces an ob-fuscated area R(Ai,Ri,Rf ) = Af with radius rf < ri

(see Figure 3(b)). While this obfuscation effect mightappear counterintuitive at first sight, it has a preciseprobabilistic explanation: the probability that the realuser position falls within the obfuscated area is reduced,which corresponds to decreasing the area under the pdfassociated with Af , while the pdf’s value associated withAf remains unchanged (i.e., ff (c)=fi(c)= 1

πr2i

). Consid-ering variable C, Figure 3(b) shows that by reducingthe radius, the interval on which the pdf associatedwith Af is defined decreases (from [0,πr2

i ] to [0,πr2f ]),

meaning that the area under the pdf decreases (i.e.,Ff (cf )<Fi(ci)=1).2

Equation (2) is again used to compute the radius rf ofthe obfuscated area calculated with this technique andthat satisfies the user privacy preference Rf :

Rf

Ri=

(Ai ∩Af )2

AfAi=

Af

Ai=

r2f

r2i

(5)

rf = ri

rRf

Ri. (6)

For instance, suppose that the privacy preference ofthe user is Rf =0.16 and that a location measurementwith best accuracy has radius ro = 0.4 km. Considera location measurement Ai with radius ri = 0.5 km.The relevance Ri associated with Ai is Ri=

r2o

r2i

=0.64. Theapplication of operator R produces an obfuscated area

with relevance Rf and radius rf = ri

√Rf

Ri=0.25 km.

Shift (S). Given a location measurement Ai with rel-evance Ri, and a relevance Rf , it produces an ob-fuscated area S(Ai,Ri,Rf ) = Af such that (xf , yf ) =(xi +d sin θ, yi +d cos θ), where d ∈ (0, 2ri] is the distancebetween the centers of Ai and of Af , and rf =ri (seeFigure 3(c)). Note that distance d cannot be greater than2ri, since by Definition 4.1 the two areas cannot bedisjoint. Such an obfuscation has the probabilistic effectof decreasing both the probability that the real userposition is in the neighborhood of a point (x, y) ∈ Af

and the probability that the real user position falls withinAf . Considering variable C, Figure 3(c) shows that byshifting the center, the pdf’s value associated with Af

decreases (i.e., ff (c)<fi(c)) while the interval on which

2. Obfuscation by radius reduction, while always suitable in theory,has an obvious limitation in the actual size of location measurements.For instance, GPS locations, being usually affected by small measure-ment errors, are unsuitable for this technique while cellular phonesor wi-fi location measurements may exhibit measurement errors thatmake reduction applicable, especially if combined with shifting, asdiscussed in the following.

it is defined remains unchanged, meaning that the areaunder the pdf decreases (i.e., Ff (cf )<Fi(ci)=1). Withrespect to data privacy literature, it logically correspondsto inserting random noise into the data (e.g., [11]).

With shifting, the obfuscation depends on the intersec-tion of Ai and Af : the smaller the intersection (i.e., thehigher the d), the highest the obfuscation. In particular,the maximum privacy is obtained for d=2ri. In additionto distance d, a rotation angle θ must be specified toderive an obfuscated area by shifting the center. For thescope of this paper, and without loss of generality, θ isassumed to be randomly generated. Strategies for select-ing a value for θ depend on the application context [2].From Equation (2) and since Ai and Af have the samearea (i.e., πr2

i = πr2f ), it follows that:

Ai ∩Af = πr2i ·

rRf

Ri. (7)

Expanding the term Ai ∩ Af as a function of thedistance d between the centers, distance d can be cal-culated numerically by solving the following system ofequations, where σ and γ are the central angles of thecircular sectors identified by the two radii connectingthe center of Ai and of Af with the intersection pointsof Ai and of Af , and λ = Rf

Rirepresents the accuracy

degradation.

8><>:h

σ2r2

i −r2

i2

sin σi

+h

γ2r2

f −r2

f

2sin γ

i=√

λπrirf

d = ri cos σ2

+ rf cos γ2

ri sin σ2

= rf sin γ2

(8)

To calculate the distance d between the centers of twopartially overlapped circles having the same radius (i.e.,ri=rf ), the previous system of equations is simplified asfollows.

(σ − sin σ =

√λπ

d = 2ri cos σ2

(9)

Given distance d and a random angle θ, the resultingobfuscated area satisfies the privacy preference Rf of theuser.

For instance, suppose that the privacy preference ofthe user is Rf =0.4 and that a location measurementwith best accuracy has radius ro=0.895 km. Consider alocation measurement Ai with radius ri=1 km. The rele-vance Ri associated with Ai is Ri=

r2o

r2i

=0.8. By Equation 9,the application of operator S produces an obfuscatedarea with relevance Rf and such that d=0.464 km is thedistance between the centers of the two areas. Finally, anangle θ is selected and the obfuscated area is generated.

Figure 4 summarizes the three basic obfuscation op-erators, along with their input parameters, and showshow an obfuscated area Af is computed, by reportingthe coordinate of its center and the radius.

6

Operator Obfuscated area Af =〈xf ,yf ,rf 〉 Commentxf yf rf

E(Ai,Ri,Rf ) xi yi ri

qRiRf

rf fromEq. (4)

R(Ai,Ri,Rf ) xi yi ri

qRf

Rirf fromEq. (6)

S(Ai,Ri,Rf ) xi+d sin θ yi+d cos θ ri d from Eq. (9)θ random

Fig. 4. Basic obfuscation operators

5 COMPOSITION OF THE BASIC OBFUSCATIONOPERATORS

The basic obfuscation operators just illustrated transforma location measurement by changing its radius (oper-ators E and R) or by changing its center (operator S).These two types of physical transformations can also beapplied together, meaning that the basic operators can becomposed by executing them in sequence. In this case,each operator used in the composition must produce anarea where the relevance degradation is always evalu-ated with respect to the original location measurementAi and relevance Ri, which we call reference area andreference relevance, respectively. This observation changesthe definition of obfuscation operator as follows.

Definition 5.1 (Obfuscation operator): Let A be the setof circular areas, and Ai ∈ A be the reference areawith reference relevance Ri. An obfuscation operatoropAi,Ri

: A × (0, 1] → A over Ai and Ri takes an areaA and a relevance R′ as input, with A ∩ Ai 6= ∅ andR′ < Ri, and produces an obfuscated area A′ as outputsuch that:

1) A′ has relevance R′;2) A′ ∩Ai 6= ∅.

From Definition 5.1, it follows that two obfuscationoperators can be composed only if they are defined andevaluated over the same reference area Ai with referencerelevance Ri. From Definition 4.1 and Definition 5.1,it also follows that op(Ai,Ri,Rf ) ≡ opAi,Ri(Ai,Rf ),meaning that when the reference area Ai is also the areathat needs to be obfuscated, the two operator definitionsare equivalent. In the following, the composition of twoobfuscation operators hAi,Ri

and kAi,Ri, called composed

obfuscation operator, is denoted hk (omitting both thereference area Ai and the reference relevance Ri) andstates that the application of operator h is followed bythe application of operator k. As an example, considercomposed operator ES=SAi,Ri

(EAi,Ri(Ai,Rm),Rf ) illus-

trated in Figure 5, where Ai is the original locationmeasurement (the dark gray area), Am is the obfuscatedarea produced by the first operator (the area filled withvertical lines), Af is the obfuscated area produced by thesecond operator (the area filled with horizontal lines). Inthe first obfuscation step (E), relevance Rm is a randomvalue between Rf and Ri and radius rm of area Am

is computed as rm = ri

√Ri

Rm(Equation (4)). According

(a) 1st obfuscation step (b) 2nd obfuscation step

Fig. 5. Composed operator ES applied on Ai

2nd stepvv

1st stepww

measurementvv

�relevance

//• • • •0 Rf Rm Ri Ro = 1

Fig. 6. Relevance degradation due to intrinsic measure-ment error and obfuscation

to Definition 5.1, in the second obfuscation step thecodomain of the Shift operator must be restricted tothe areas that have an intersection with Ai. The value d ofthe center-shifting is then calculated, starting from areaAm, to generate an obfuscated area Af whose overlapwith the original area Ai satisfies the privacy preferenceof the user.

Although in theory it is possible to combine operatorsE, R, and S an arbitrary number of times, the combina-tion of more than two operators is never necessary, asstated by the following lemma.

Lemma 5.1: Given A1 = 〈x1, y1, r1〉 and A2 = 〈x2, y2, r2〉,A1 can always be transformed into A2 (or vice versa)by applying one or both (in some order) of these twooperations:

• a center shifting such that the center (x1, y1) of A1

becomes equal to (x2, y2);• a radius enlargement or reduction such that r1 becomes

equal to r2.The proof immediately follows from the geometric

properties of the circular areas.

From this lemma, it follows that the relevant com-posed operators are those obtained by combining op-erators E and R with operator S, that is: ES, SE, RS, andSR. This implies that we only need one intermediate rel-evance Rm such that Rf < Rm < Ri, which representsthe relevance achieved by the first obfuscation step (seeFigure 6).

Note that the difference between Ri and Rm and thedifference between Rm and Rf have an impact on theimportance associated with each basic operator usedin the composition. Indeed, if the difference betweenthe relevances associated with two areas is small, alsothe corresponding obfuscation effect is small. Figure 7illustrates the redefinition of the three basic obfuscationoperators according to Definition 5.1 and shows theresulting obfuscated area A when they are used: i) inthe first step (1st) of a composed operator to produce,

7

Operator Obfuscated area A=〈x,y,r〉 Commentx y r

1st EAi,Ri(Ai,Rm) xi yi ri

qRiRm

r from Eq. (4)

RAi,Ri(Ai,Rm) xi yi ri

qRmRi

r from Eq. (6)SAi,Ri

(Ai,Rm) xi+d sin θ yi+d cos θ ri d from Eq. (9)θ random

2ndEAi,Ri(Am,Rf ) xm ym > rm r from Eq. (8)

RAi,Ri(Am,Rf ) xm ym < rm r from Eq. (8)

SAi,Ri(Am,Rf ) xm+d sin θ ym+d cos θ rm d from Eq. (8)

θ random

Fig. 7. Redefinition of the obfuscation operators

starting from the original location measurement Ai, anintermediate area with relevance Rm; ii) in the secondstep (2nd) of a composed operator to produce, startingfrom an intermediate area Am, the final obfuscated areawith relevance Rf .

Let AAi,Ribe the set of all possible obfuscated areas

generated by the application over area Ai with relevanceRi of the basic and of all composed operators (i.e., ES,SE, RS, and SR). We are interested in finding the setO of (basic and composed) obfuscation operators thatis complete and minimal, as introduced by the followingdefinition.

Definition 5.2 (Complete and minimal): Given a set O ofobfuscation operators and the set AO

Ai,Riof areas gen-

erated by applying any obfuscation operator in O overa reference area Ai with relevance Ri, O is said to becomplete and minimal iff:

• AOAi,Ri

= AAi,Ri(completeness);

• ∀O′ ⊂ O, ∃A′ ∈ AOAi,Ri

: A′ /∈ AO′

Ai,Ri(minimality).

A set O of obfuscation operators is then complete andminimal when it can produce every possible obfuscatedarea and therefore does not exist another set O′ ofobfuscation operators that can produce every possibleobfuscated area and that is a proper subset of O. Todetermine a complete and minimal set of obfuscationoperators, it is important to note that the order in whichoperators are applied affects the set of areas that can beproduced, as showed by the following lemma.

Lemma 5.2: Let Ai with relevance Ri be the referencearea. Given composed operators SE, ES, SR, and RS, thesets of areas that can be produced by applying themover Ai satisfy the following relationships: 1) ASE

Ai,Ri6⊆

AESAi,Ri

; 2) ASRAi,Ri

6⊆ ARSAi,Ri

; 3) AESAi,Ri

6⊆ ASEAi,Ri

; and 4)ARS

Ai,Ri⊆ ASR

Ai,Ri.

Proof:1) ASE

Ai,Ri6⊆ AES

Ai,Ri. Let Af ∈ ASE

Ai,Ribe an ob-

fuscated area such that Af contains the originalarea Ai. Af can never be produced by operatorES. As a matter of fact, in operator ES, the firststep (enlargement) would produce an area Am thatnecessarily includes Ai. From Lemma 5.1, Am hasthe same radius as Af and therefore, by definition(Equation 2) has the same relevance as Af . Since

each step of a composed operator must decreasethe relevance (Definition 5.1), Af can never bereturned by the second (shifting) step.

2) ASRAi,Ri

6⊆ ARSAi,Ri

. Let Af ∈ ASRAi,Ri

be an obfuscatedarea included in the original area Ai. The proof isanalogous to case 1 above as reduction applied asa first step would produce an area Am included inAi and therefore with same relevance as Af , whichtherefore could never be returned by the second(shifting) step.

3) AESAi,Ri

6⊆ ASEAi,Ri

. Let Af ∈ AESAi,Ri

be an obfuscatedarea such that the distance d between the center ofAi and the center of Af is greater than 2ri. Af cannever be produced by operator SE. As a matter offact, to produce Af with operator SE, the first step(shifting) would have to produce an area Am thathas empty intersection with original area Ai; this isnot possible by definition (Definition 5.1, Condition2).

4) ARSAi,Ri

⊆ ASRAi,Ri

. It is easy to see that ∀Af ∈ ARSAi,Ri

with relevance Rf < Ri, Af is always partiallyoverlapped with Ai, and the distance d betweenthe center of Ai and the center of Af is less thanor equal to ri + rf . This implies that ∀Af ∈ ARS

Ai,Ri,

Af can also be obtained by first shifting Ai, thusobtaining an area Am with (xm, ym) = (xf , yf ) andRm < Ri, and then by reducing the radius of Am

until rm becomes equal to rf , thus obtaining anarea Af with relevance Rf < Rm < Ri. �

From Lemma 5.2, we can immediately conclude thatcomposed operator RS is redundant since it can onlyproduce areas that can be produced by composed op-erator SR. The set O={E,R,S,ES,SE,SR} of obfuscationoperators over Ai and Ri is then complete and minimal,as captured by the following theorem.

Theorem 5.1: Given a reference area Ai with relevanceRi, the set O={E,R,S,ES,SE,SR} of obfuscation operatorsover Ai and Ri is complete and minimal.

Proof: The proof follows from Lemmas 5.1 and 5.2. �

Figure 8 summarizes our composed operators report-ing, for each of them, the coordinate of the centerand the radius of the intermediate area Am, computedthrough the first operator of the composed operator,and the coordinate of the center and the radius of thefinal obfuscated area Af , computed through the secondoperator of the composed operator and satisfying userprivacy preference Rf . Note that for composed operatorsSE and SR the figure distinguishes two different cases,depending on whether the resulting obfuscated area Af :1) is partially overlapped with Ai, 2) is fully included inAi (for SR), or it fully includes Ai (for SE). The reason forthis is that the partial overlapping and inclusion casesmust be treated separately, since they have differentbehaviors when analyzed with respect to the adversarythat tries to reduce the obfuscation effects.

8

Op Schema 1st step (Am=〈xm,ym,rm〉) 2nd step (Af =〈xf ,yf ,rf 〉) Commentxm ym rm xf yf rf

1st Step 2nd Step

ES xi yi ri

qRiRf

xm + d sin θ ym + d cos θ rmd from Eq. (8)θ random

SE partial overlapping1st Step 2nd Step

SE

xi+d sin θ yi+d cos θ ri xm ym >rmd from Eq. (9)rf from Eq. (8)

SE inclusion (particular case)1st Step 2nd Step

xi+d sin θ yi+d cos θ ri xm ym rm

qRiRf

d from Eq. (9)θ random

SR partial overlapping1st Step 2nd Step

SR

xi+d sin θ yi+d cos θ ri xm ym <rmd from Eq. (9)rf from Eq. (8)

SR inclusion (particular case)1st Step 2nd Step

xi+d sin θ yi+d cos θ ri xm ym rm

qRf

Ri

d from Eq. (9)θ random

Fig. 8. Composed operators

6 ADVERSARY MODEL

A sound definition of relevance as a metric for estimatingthe location accuracy and the privacy is not enoughto measure the real privacy protection provided by theobfuscation operators, because the degree of robustnessof each operator must be evaluated with respect to pos-sible de-obfuscation attempts adversaries can perform.Accordingly, we say that an obfuscation operator is robustif and only if it cannot be reversed by an adversary to obtain alocation measurement that approximates the original locationmeasurement better than the obfuscated area, meaning thatthe relevance associated with the de-obfuscated area isgreater than the relevance associated with the obfuscatedarea. It follows that two issues must be considered whenthe obfuscation robustness is analyzed:

• the adversary can manipulate an obfuscated areaand obtain a more accurate location;

• the adversary can evaluate the resulting relevancegain or loss after the de-obfuscation attempt.

While it is relatively straightforward to de-obfuscate anarea by applying some transformations, understanding

whether the de-obfuscated area is more or less accuratethan the obfuscated area could be an irresolvable task forthe adversary. In this situation, called blind de-obfuscation,the adversary can only act randomly and the obfuscationoperators that permit just this possibility are consideredstrongly robust. However, we will see that some oper-ators, called weakly robust, may provide the adversarywith a preferred de-obfuscation strategy.

In our analysis, we assume an adversary model whereall parties that receive or manage an obfuscated areawithout knowing the original location measurement areconsidered untrusted and could behave as adversaries.In addition, we assume that the adversary is aware ofi) the obfuscated area, ii) the location sensing technologyadopted by the location service, and iii) all the availableobfuscation operators. The specific obfuscation operatorsapplied to produce the obfuscated area, as well as therelevance of the obfuscated area, are instead assumed tobe unknown. Note that, we do not explicitly consider theproblem of an adversary that infers location informationfrom subsequent queries of a user location. Intuitively,

9

our solution offers a degree of protection because, bydesign, each location measurement is obfuscated byapplying a technique randomly chosen among a set ofpossibly obfuscation techniques. Therefore, the uncer-tainty is increased for an adversary aiming at inferringinformation. There is also no obvious way for the adver-sary to calculate a location that proves better, in term ofrelevance, with respect to the obfuscated areas. However,an extensive analysis of this case is expected in futureworks.

We can then consider two different scenarios. In thefirst scenario, the adversary cannot infer any informationfrom the obfuscated area and therefore she only knowsthat the area has been produced by using an obfuscationoperator belonging to the whole set of available oper-ators, which we call *-family={E,R,S,ES,SE,SR}. In thesecond scenario, an adversary can collect some reliableapplication context information that is exploited to inferwhether the obfuscated area has a radius apparently“unusually small”, meaning that the obfuscated areahas been computed through set {R, SR} of operators,or “unusually large”, meaning that the obfuscated areahas been computed through set {E, SE, ES} of operators.Given their importance in the analysis, we call these twosubsets R-family and E-family, respectively. Note that theadversary cannot recognize whether operator S has beenused to produce obfuscated areas. Moreover, operatorS introduces a random parameter (the rotation angleθ) that the adversary cannot evaluate. The consequenceis that if the adversary tries to de-obfuscate the givenobfuscated area through a shifting of the center, it cannotevaluate whether the de-obfuscated area has a relevancegreater than the relevance associated with the obfuscatedarea. Therefore, we assume that the adversary tries to de-obfuscate the observed area by enlarging or reducing itsradius only.

The ability to recognize the R-family and the E-familyallows an adversary to decide if the de-obfuscationattempts should be based on enlarging or reducing theradius of the obfuscated area, respectively. However,the task of recognizing if an obfuscated area has beenproduced by an operator of these two families could becostly and time-consuming due to the very nature of lo-cation measurements, whose accuracy strongly dependson environmental factors, such as weather conditionsor building materials. Such a task, except for evidentlyabnormal values for the radius, is based on the averagemeasurement errors produced by the specific locationtechnique in the specific area of interest (and possiblyin the same measurement conditions). Performing thisevaluation implies, in general, the availability of a reli-able statistic of measurement errors in the observed area,which can be collected as a result of field tests duringdifferent days with different environmental conditions.

In the following analysis, we consider the worst sce-nario, where an adversary is able to distinguish thefamily of operators used to produce the obfuscated area.

Fig. 9. De-obfuscation attempt on area Af producedthrough composed operator SR (partial overlapping)

6.1 R-family de-obfuscation

The R-family de-obfuscation attempts are focused onreversing the obfuscation through an enlargement of theradius of the obfuscated area. As an example, considerthe areas reported in Figure 9, where Ai is the originallocation measurement (the gray area) unknown to theadversary, Af is the obfuscated area (the area filled withhorizontal lines) obtained through operator SR, and Ad

is the de-obfuscated area produced by enlarging theradius of Af (the area with dashed line). We have that(Ai∩Ad)·(Ai∩Ad)

Ai·Ad>

(Ai∩Af )·(Ai∩Af )Ai·Af

, meaning that Ad hasrelevance greater than the relevance associated with Af

(see Equation (7)). For each operator of the R-family, Fig-ure 10 shows the variation of the relevance (Y axis) as afunction of the radius of the de-obfuscated area (X axis),where the result of a de-obfuscation attempt is intuitivelyrepresented by the + and − labels: a de-obfuscationattempt succeeds when the adversary recovers an areawith a relevance greater than the relevance associatedwith the obfuscated area (label +); it fails, otherwise(label −). In the analysis, important radii are:

• radius rf of the obfuscated area, which representsthe starting point for a de-obfuscation attempt;

• radius rmax of the area with best relevance Rmax,which represents the best de-obfuscation that theadversary can achieve;

• radius ri,d of the de-obfuscated area including theoriginal location measurement and intersecting it ina single point. Radius ri,d = ri + d, where ri is theradius of the original location measurement Ai andd is the distance between the centers of Ai and Af ;

• radius rbp of an area with the same relevance Rf

associated with the obfuscated area Af . It representsthe breakpoint radius after which the adversaryproduces a de-obfuscated area of less relevance thanRf .

From Figure 10, it is easy to see that starting froman obfuscated area Af with radius rf , the adversarymay increase the relevance (thus decreasing the privacyof the users’ locations) by enlarging the radius of theobfuscated area from rf to rbp. The maximum relevanceis obtained for radius rmax, then the relevance decreases,while remaining greater than the relevance associatedwith the obfuscated area until radius rbp is reached.

10

(a) R

(b) SR (partial overlapping)

(c) SR (inclusion)

Fig. 10. Relevance variations in de-obfuscation attemptsagainst the R-family

Note that the adversary does not know the values ofradii rmax and rbp. Furthermore, the curve representingthe variation of the relevance (i.e., the adversary gain)depends on the specific obfuscation operator used forproducing Af , which is again an information that theadversary does not know. There are therefore three cases.First, if the obfuscated area was produced by operatorR, the equations that model the relevance variation (seeFigure 10(a)) are based on the quadratic function ofoperator R (Equation (5)), between rf and rmax, andon the quadratic function of operator E (Equation (3)),between rmax and rbp, because the relevance decreasesas in the case of an obfuscation produced by enlargingthe radius. Radius rmax coincides with radius ri of theoriginal location measurement, which is associated withmaximum relevance Rmax=Ri.

Second, if the obfuscated area was produced by oper-ator SR (partial overlapping), the equations that modelthe relevance variation (see Figure 10(b)) are based onthe partial overlapping produced by operator S (Equa-tion (7)), between rf and ri,d, and the quadratic functionof operator E (Equation (3)), between ri,d and rbp. In this

(a) (b)

Fig. 11. De-obfuscation attempt on area Af produced viaoperator SE (inclusion) (a) and operator ES (b)

case, the maximum relevance Rmax that an adversarycan achieve in correspondence with radius rmax is lessthan Ri, since to obtain relevance Ri, operator S usedin the SR process should be de-obfuscated too.

Third, if the obfuscated area was produced by operatorSR (inclusion), the only difference with the previouscase is that the initial slope of the curve representingthe relevance variation (see Figure 10(c)) follows thequadratic function of operator R (Equation (5)).

From this analysis, it follows that a radius enlargementis the strategy that the adversary must apply when anobfuscated area has been produced by an operator of theR-family. For this reason, the R-family exhibits a weakrobustness, because if the adversary is able to guessthe obfuscation family, she can apply a preferred de-obfuscation strategy based on the enlargement of radiusrf . However, since the adversary is not able to calculateor infer boundary rbp, she can exceed rbp, thus retrievingan area with relevance less than Rf .

6.2 E-family de-obfuscationAlthough it may seem that to de-obfuscate an areaproduced by an operator of the E-family the adversaryshould just reduce the radius of the obfuscated area,actually this is not always the case. In fact, to obtain ade-obfuscated area with relevance greater than relevanceRf , the adversary should try to increase the overlappingbetween Ai and Af . If Ai is included in Af , the adversaryshould reduce the radius of obfuscated area Af , while ifAi and Af are partially overlapped, the adversary shouldenlarge the radius. To better understand the rationale be-hind this observation, consider the examples reported inFigure 11, where Ai is the original location measurement,Af is the obfuscated area, and Ad is the de-obfuscatedarea produced by manipulating the radius of area Af .Figure 11(a) illustrates an area Af obtained throughoperator SE and such that Ai is included in Af . In thiscase, the adversary can actually recover an area havinga relevance better that the relevance associated with Af

by reducing the radius of the observed obfuscated area.Considering Equation (3), it follows that r2

i /r2d > r2

i /r2f ,

meaning that the relevance associated with area Ad isgreater than the relevance Rf associated with area Af ,and then the location privacy of the user decreases.

11

(a) E

(b) SE (inclusion)

(c) ES/SE (partial overlapping)

Fig. 12. Relevance variations in de-obfuscation attemptsagainst the E-family

Figure 11(b) illustrates instead an obfuscated area Af

obtained through operator ES and a de-obfuscated areaAd, with a relevance better that the relevance associatedwith Af , obtained by enlarging, rather than reducing, theradius of the obfuscated area. Considering Equation (7),we have that (Ai∩Ad)·(Ai∩Ad)

Ai·Ad>

(Ai∩Af )·(Ai∩Af )Ai·Af

, meaningthat the relevance associated with area Ad is greater thanthe relevance Rf associated with area Af , and again thelocation privacy of the user decreases.

Like for the R-family, Figure 12 illustrates, for alloperators of the E-family, how the relevance varies withrespect to a manipulation of the radius of the obfuscatedarea. Here, again we use radii rf , rmax, ri,d, and rbp to de-note the radius of the obfuscated area, the radius of thede-obfuscated area with maximal relevance, the radius ofthe de-obfuscated area including Ai and intersecting Ai

in a single point, and the breakpoint radius, respectively.We need to discuss two cases separately.Case 1: operators E and SE (inclusion) (Figure 12(a) andFigure 12(b)). When the obfuscated area is obtainedthrough operators E and SE (inclusion), the adversarymay increase the relevance (thus decreasing the privacyof the users’ locations) by reducing the radius of theobfuscated area from rf to rbp. The maximum relevance

is obtained for radius rmax, from which the relevancedecreases and falls below the relevance associated withthe obfuscated area when radius rbp is exceeded. Fig-ure 12(a) shows that for operator E the relevance vari-ation obtained by reducing the radius rf is modeledby the quadratic function of operator E (Equation (3)),between rmax and rf , and is modeled as an obfuscationproduced by reducing the radius (Equation (5)), betweenrbp and rmax. Radius rmax coincides with radius ri ofthe original location measurement, which is associatedwith maximum relevance Rmax=Ri. Figure 12(b) showsthat for operator SE the relevance variation obtained byreducing the radius rf is again modeled by the quadraticfunction of operator E (Equation (3)), between ri,d andrf , and is then modeled as a function of the overlappingof the areas (Equation (7)), between rbp and ri,d. Amaximum relevance Rmax <Ri can be achieved by theadversary with radius rmax.Case 2: operators ES and SE (partial overlapping)(Figure 12(c)). When the obfuscated area is obtainedthrough operators ES and SE (partial overlapping), theadversary may increase the relevance (thus decreasingthe privacy of the users’ locations) by enlarging theradius of the obfuscated area from rf to rbp. Themaximum relevance is still obtained for radius rmax

and radius rbp is the breakpoint. Figure 12(c) showsthat for these operators the relevance variation obtainedby enlarging the radius rf is modeled by the partialoverlapping produced by operator S (Equation (7)),between rf and ri,d, and by the quadratic function ofoperator E (Equation (3)), between ri,d and rbp.

From our analysis, we can conclude that for the E-family there is not a preferred de-obfuscation strategy.This implies that the adversary is forced to act blindly byrandomly choosing a reduction or an enlargement withno information about the outcome. Being the adversaryunable to assess the actual relevance gain or loss of thede-obfuscated area with respect to the obfuscated one,the E-family is said to be strongly robust.

6.3 *-family de-obfuscationThe adversary that cannot distinguish between the R-family or the E-family is forced to consider the whole setof available obfuscation operators. According to the pre-vious discussions, an obfuscated area produced throughobfuscation operators S, ES, SE (partial overlapping), R,and SR should be de-obfuscated by enlarging its radius,while an obfuscated area produced through obfuscationoperators SE (inclusion) and E should be de-obfuscatedby reducing its radius. The radius enlargement is thenthe most likely de-obfuscation strategy for the *-family,although a degree of uncertainty is due to those twooperators for which radius reduction would have beenthe right choice. For this reason, the *-family, in general,shows an intermediate robustness level between thestrong one of the E-family and the weak one of the R-family.

12

7 EXPERIMENTAL STUDY

We experimentally evaluated our obfuscation operatorson a dataset of obfuscated areas and by simulating theadversary behavior under different assumptions. Duringthe tests we have measured the robustness of our opera-tors, compared one with the others, and with the trivialsolution based on just an enlargement of the location.

7.1 Experimental setup

To build up the datasets of obfuscated locations weproduced 20,000 random location measurements, and20,000 random relevances Rf to simulate users privacypreferences. We associated each location measurementwith a relevance and applied our different obfuscationoperators. We produced three different datasets of 20,000obfuscated areas each produced by applying: 1) theoperators belonging to the R-family, randomly; 2) theoperators belonging to the E-family, randomly; and 3)operator E only to test the behavior of traditional solu-tions.

We developed a simulator of the adversary behavior,using MATLAB 2007a, which let us apply different de-obfuscation strategies. We considered two main adver-sary behaviors: i) no contextual awareness, when the ad-versary is not aware of any contextual information andis not able to infer the obfuscation family applied; ii)contextual awareness, when the adversary knows enoughcontextual information to infer the obfuscation familyapplied. The different assumptions regarding the con-textual awareness have consequences on the adversarybehaviour that has to be assumed during the evaluationof the R-family: i) the adversary with no contextual infor-mation does not know that an operator of the R-familyhas been applied, thus she cannot infer that enlargingthe obfuscated area is the best strategy. In this case,she will act randomly, either by reducing or enlargingthe obfuscated area; ii) the adversary that knows thatone operator of the R-family has been applied, will onlyenlarge the obfuscated area.

For the other two types of obfuscation, the whole E-family and operator E, the different adversary behaviorsresulting from the contextual awareness are less mean-ingful. For the E-family, as we illustrated previously,there is not a preferred strategy, and the adversary willalways de-obfuscate randomly by either reducing or en-larging the obfuscated areas, regardless to her contextualawareness. For operator E the adversary knows that shehas an advantage in reducing an obfuscated area.

Finally, we assume that de-obfuscation attempts con-sist in enlarging/reducing the radius of the obfuscatedarea by a de-obfuscation level of 10%, 30%, 50%, and70%. This is aimed to test different adversary behaviors,from the most conservative to the greediest. The hypoth-esis is that high de-obfuscation levels are associated withboth high gains in relevance and low success rates, whilelow de-obfuscation levels result in low gains and high

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

10 30 50 70

Suc

cess

pro

babi

lity

De-obfuscation level (%)

ER-family (context)

R-family (no context)E-family

Fig. 13. Rate of successful de-obfuscations attemptsbased on different degrees of manipulations

success rates. However, we will see that not all operatorsconfirm this hypothesis.

7.2 Experimental results

Quantitative evaluations and comparisons are pro-duced based on both the successful de-obfuscation rateachieved by the adversary and the relevance gain or lossthe adversary obtains as a result of a de-obfuscationattempt. Analyzing both aspects (i.e., the success rateand the amount of gain/loss) is relevant because in a realscenario the adversary is assumed to behave strategicallyby, implicitly or explicitly, maximizing them.

Success rate analysis. A success happens when the re-sulting de-obfuscated area has a relevance greater thanthe one associated with the obfuscated area. The datasetproduced by applying the operators of the R-family hasbeen tested twice for the two different adversary behav-iors depending on the presence or absence of contextualawareness.

Figure 13 shows how de-obfuscation success ratevaries (y-axis) with different levels of de-obfuscation (x-axis), based on the type of obfuscation and contextualawareness. Comparing the four cases, we observe that:

• de-obfuscation attacks against the E-family and theR-family with no contextual awareness never exceeda success rate of 50%, which confirms our theoreticalresult that at best (i.e., for very small radius manip-ulation) the adversary achieves the same probabilityof success or failure and she has neither a preferredattack strategy nor the possibility to guess whetherthe de-obfuscation succeeds;

• de-obfuscation attacks against operator E and theR-family with contextual awareness have a successrate ranging from more than 95% for very smallradius modification to 80% for a de-obfuscation of30%;

13

0

10

20

30

40

50

60

70

80

90

100

10 30 50 70De-obfuscation level (%)

% success% gain% loss

0

10

20

30

40

50

60

70

80

90

100



(a) E (b) R-family (context)

0

10

20

30

40

50

60

70

80

90

100



0

10

20

30

40

50

60

70

80

90

100



(c) R-family (no context) (d) E-family

Fig. 14. Adversary successes, gains, and losses

• in the R-family with contextual awareness, the ad-versary always succeeds except for very high de-obfuscation levels. This behavior is due to operatorS that, when used in the R-family, reduces the prob-ability of exceeding the breakpoint and, therefore, ofretrieving a resulting de-obfuscation relevance lessthan the initial one;

• operator E performs adequately only for high de-obfuscation levels (more than 50%), since, in aver-age, when the radius is considerably enlarged thede-obfuscation fails.

Analyzing just the success rates, we can conclude that:• the E-family is the most robust, since it exhibits the

lowest success rates among all operators;• the R-family obfuscation is highly sensitive to the

adversary’s contextual awareness: if the adversarycannot infer the type of obfuscation it providesstrong obfuscation; otherwise the resulting obfusca-tion is weak;

• operator E is robust against greedy adversaries only.Most conservative adversaries, which de-obfuscateup to 50%, mostly succeed.

Adversary gain analysis. We have tested how relevancegains and losses vary by increasing the levels of de-obfuscation. When the strategy adopted is suitable to de-

obfuscate the obfuscation operator under consideration,the risk for the adversary is to exceed in the radiusmodification and produce a de-obfuscated area with arelevance less than the one of the obfuscated area. Thisanalysis is useful because a rational adversary will lookfor that amount of radius manipulation that maximizesthe combination of the success rate and relevance gainachieved, while minimizing the relevance loss. Formally,we define the utility function for the adversary as U =W ·G− (1−W ) ·L, where W is the rate of success, G isthe mean gain, and L is the mean loss. U assumes valuesin [−1, 1] where positive values represent an incentive tode-obfuscate; negative values indicate a disincentive tode-obfuscate; and U = 0 represents neutrality.

For each adversary behaviour, Figure 14 illustratesthe success rate, and the mean relevance gain and loss.Mean gain and loss are obtained by calculating the valuereturned by each de-obfuscation attempt for every ob-fuscated area in our dataset, and then by computing themean for each de-obfuscation level. Figure 15 comparesthe utility function values (y-axis) for the different rateof radius modification (x-axis).Operator E. Figure 14(a) shows the results for operator E.The maximum mean gain is obtained for radius manipu-lations of 50%, corresponding to a relevance gain of 64%.The mean loss is lower than 20% up to 50% of radius

14

-0.6

-0.5

-0.4

-0.3

-0.2

-0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

10 30 50 70

Util

ity

De-obfuscation level (%)

ER-family (context)

R-family (no context)E-family

Fig. 15. Adversary’s utility function

manipulation and increases for larger de-obfuscationlevels. The adversary utility function, as shown in Figure15, is maximum (with a value of 0.5) in correspondenceof 30% of radius manipulation.R-family. For the R-family, we have to consider two sce-narios. Figure 14(b) shows the case of a contextual awareadversary. The maximum mean gain is 42%, achievedfor 50% of radius enlargement. The adversary utilityfunction (Figure 15) is maximum (with a value of 0.29)for 30% of radius manipulation. Figure 14(c) shows thecase of an adversary with no contextual information.Here, the maximum gain is 21%, achieved at both 50%and 70% of radius manipulation, and the utility functionreturns an increasingly negative value for every radiusmanipulation. A de-obfuscation level of 10% gives avalue of -0.002.E-family. Figure 14(d) shows the results produced whenthe E-family operators are de-obfuscated. The highestrelevance gain is 18% corresponding to a radius manip-ulation of 30%. The utility function has the same shapeas for the R-family with no contextual awareness and isalways negative. A de-obfuscation level of 10% gives avalue of -0.008.

Analyzing these results, we can conclude that:• only when a preferred strategy exists (i.e., operatorE only and the R-family with contextual awareness)the adversary has an incentive to de-obfuscate and30% of radius manipulation is the best choice;

• when the adversary acts randomly (i.e., the R-family without contextual awareness and the E-family) there is no incentive to de-obfuscate becausefor every radius manipulation the utility functionreturns negative values;

• operator E is the weakest obfuscation operatorbecause, regardless to any contextual informationknown by the adversary, it provides the highestutility function value among the families;

• the E-family is the strongest obfuscation familybecause, regardless to any contextual informationknown by the adversary, the success rate is always

less than 50% and the adversary’s utility function isalways negative;

• the robustness of the R-family depends on the adver-sary awareness. When the adversary knows that theR-family has been used for obfuscation, the R-familyis weak and exhibits a behavior similar to operatorE. Instead, when the adversary has no contextualinformation, the R-family is strong and similar tothe E-family.

8 A MOBILE SOCIAL NETWORK SCENARIO

A Mobile Social Network (MSN) represents a suitableapplication scenario for our obfuscation techniques sinceit can be easily enriched with location information. Forinstance, Loopt [26] is an available online service thatlocates friends through cell phones by georeferentiatingGPS coordinates on a map. Each Loopt user can decideto share or not the information about her physical po-sition on a friend-by-friend basis or for all friends atonce. Users of MSN cannot be anonymized, are ofteninvolved in large web of relation (friends, co-workers,relatives, or just acquaintances), and typically restrictinformation made available to others according to thetype of relationship or on a person-by-person basis.Location information could be managed in a similar wayby integrating our obfuscation-based solution into theMSN. A typical scenario may involve a user that requiresthe position of a person in her own web of relation orasks the MSN for users in her proximity. Such a locationinformation should be managed according to the privacypreferences of all users involved. A possible architecturecould include a trusted middleware, implementing ourtechniques, which receives location requests and privacypreferences from the MSN, retrieves actual locationsfrom a location service (e.g., a cell phone operator), andreturns them to the MSN, obfuscated according to theprivacy preferences of the users.

The adversary could be any user of the MSN who maywant to breach the location privacy required by a personin her web of relation. With our solution, a potentialadversary receives an obfuscated location and can justmanipulate it trying to achieve a more accurate area.

The MSN management system can be considered atrusted party since it manages users privacy preferences(i.e., different mobile services would manage their ownusers location privacy preferences). In a different setup,we could imagine that mobile services are untrusted,therefore the middleware should centralize and manageusers privacy preferences and apply them to all locationrequests. In either cases, the architecture does not affectthe application of our obfuscation operators.

9 RELATED WORK

Location-based information and its management havebeen considered in several works in the area of mobileapplications, including approaches aimed at protectingthe privacy of users. Some works are based on the

15

definition of privacy policies that define restrictions thatmust be enforced when the location information is usedby or released to external parties [17], [24].

The line of research closest to the work in this paperexploits obfuscation as the process of degrading theaccuracy of the location information to provide pri-vacy protection. Obfuscation-based techniques perturbthe location information while maintain a binding withthe users identities. Duckham and Kulik [14] present aframework that provides a mechanism for balancing theindividuals needs for high-quality information servicesand the location privacy. The authors propose to degradethe quality of the location information and to provideobfuscation features by adding n points at the sameprobability to the real user position. In general, all theseobfuscation solutions share some common drawbacks.First, they do not provide a quantitative estimation ofthe provided privacy level, making them difficult tointegrate into a full fledged location-based applicationscenario [1]. Second, such solutions implement a singleobfuscation technique based on the enlargement of thelocation area whose effect can be easily undid by theadversary. Our previous works [2], [3] address theseshortcomings by presenting some techniques aimed atpreserving location privacy by artificially perturbinglocation information. In this paper, we substantiallyimprove our previous proposals by first providing theprobabilistic fundamentals of our obfuscation operators,by showing how these operators can be composed, byevaluating the robustness of the operators against de-obfuscation attempts performed by adversaries, and byshowing some experiments that validate our solution.

Another important line of research exploits the con-cept of anonymity to provide techniques suitable whenthe identity of the users is not relevant for the provisionof a service. Beresford and Stajano [6], [7] introducea solution based on the concepts of application zones,representing similar application interests in specific ge-ographic areas, and mix zones, which are areas where auser cannot be tracked. Within each mix zone, the iden-tities of all users are mixed and become indiscernible,and users entering the mix zone are unlinkable fromother users leaving it. Bettini et al. [8] propose a frame-work for evaluating the risk of disseminating sensitivelocation-based information, and introduce a techniqueaimed at supporting k-anonymity [10], [30]. The authorsput forward the idea that the geo-localized history ofthe requests submitted by a user can be consideredas a quasi-identifier, that is, a set of attributes that canbe linked with external information, thus reducing theuncertainty over the identity of the user. The serviceprovider gathering both users requests and personalhistories of locations should be able to link a requestto at least k-1 users having a personal history of loca-tions compatible with the issued requests. Gruteser andGrunwald [19] propose a middleware architecture andan algorithm to adjust location information resolution,in spatial or temporal dimensions, to comply with a

specific k-anonymity requirement. Gedik and Liu [16]describe another k-anonymity model where each useris able to define the minimum level of anonymity andthe maximum acceptable temporal and spatial resolutionfor her location measurement. They define a messageperturbation engine responsible for providing locationanonymization of user’s requests through identity re-moval and spatio-temporal obfuscation of location infor-mation. Mokbel et al. [27] present a framework whereeach user defines her privacy preferences through aparameter k, which is the k-anonymity requirement ofthe user, and an area Amin that is the minimum ac-ceptable resolution of her location information. Thatframework includes a location anonymizer, for perturbingthe location information of users to achieve their privacypreferences, and a privacy-aware query processor, for themanagement of anonymous queries and cloaked spatialareas. Ghinita et al. [18] propose PRIVE, a decentralizedarchitecture for preserving query anonymization basedon the definition of k-anonymous areas. A commondrawback of all these anonymity-based techniques isthat their applicability and performances depend on thenumber of users physically located in a particular area.Another line of research, which is not directly related toour work, is aimed at protecting the path privacy of theusers [21], [22].

10 CONCLUSIONSWe presented different obfuscation operators that protectthe location privacy of users by changing their locationinformation. Our proposal takes into consideration boththe accuracy of location measurements and the usersneeds of privacy. We also provided an evaluation ofthe robustness of such operators. The analysis and theexperimental results prove that our operators providebetter protection than the simple enlargement usuallyapplied by current solutions.

The work presented in this paper leaves space forfurther work: the analysis of our solution assumingGaussian-like distributions and complex location mea-surement shapes; the introduction of map constraintsin the computation of obfuscated areas; the definitionof additional techniques for degrading the temporalaccuracy of location measurements; the extension of oursolution to protect the path privacy of the users; and theactual integration and extensive test of our solution in areal scenario.

ACKNOWLEDGMENTSThis work was supported in part by the EU, withinthe 7th Framework Programme (FP7/2007-2013) undergrant agreement no. 216483 “PrimeLife”.

REFERENCES[1] C.A. Ardagna, M. Cremonini, E. Damiani, S. De Capitani di

Vimercati, and P. Samarati. Supporting location-based conditionsin access control policies. In Proc. of ACM ASIACCS 2006, Taipei,Taiwan, March 2006.

16

[2] C.A. Ardagna, M. Cremonini, E. Damiani, S. De Capitani diVimercati, and P. Samarati. A middleware architecture for in-tegrating privacy preferences and location accuracy. In Proc. ofIFIP SEC 2007, Sandton, South Africa, May 2007.

[3] C.A. Ardagna, M. Cremonini, E. Damiani, S. De Capitani diVimercati, and S. Samarati. Location privacy protection throughobfuscation-based techniques. In Proc. of IFIP DBSEC 2007,Redondo Beach, CA, USA, July 2007.

[4] L. Barkhuus and A. Dey. Location-based services for mobiletelephony: A study of user’s privacy concerns. In Proc. of IFIPINTERACT 2003, Zurich, Switzerland, September 2003.

[5] P. Bellavista, A. Corradi, and C. Giannelli. Efficiently managinglocation information with privacy requirements in wi-fi networks:A middleware approach. In Proc. of ISWCS 2005, Siena, Italy,September 2005.

[6] A.R. Beresford and F. Stajano. Location privacy in pervasivecomputing. IEEE Pervasive Computing, 2(1):46–55, 2003.

[7] A.R. Beresford and F. Stajano. Mix zones: User privacy in location-aware services. In Proc. of IEEE PERCOMW 2004, Orlando, FL,USA, March 2004.

[8] C. Bettini, X.S. Wang, and S. Jajodia. Protecting privacy againstlocation-based personal identification. In Proc. of the 2nd VLDBWorkshop on Secure Data Management, Trondheim, Norway, 2005.

[9] Chicago Tribune. Rental firm uses GPS in speeding fine. July 2nd,p9. Associated Press: Chicago, IL, 2001.

[10] V. Ciriani, S. De Capitani di Vimercati, S. Foresti, and P. Samarati.k-Anonymity. In T. Yu and S. Jajodia, editors, Secure DataManagement in Decentralized Systems. Springer-Verlag, 2007.

[11] V. Ciriani, S. De Capitani di Vimercati, S. Foresti, and P. Samarati.Microdata protection. In T. Yu and S. Jajodia, editors, Secure DataManagement in Decentralized Systems. Springer-Verlag, 2007.

[12] E. Damiani, M. Anisetti, and V. Bellandi. Toward exploitinglocation-based and video information in negotiated access controlpolicies. In Proc. of ICISS 2005, Kolkata, India, December 2005.

[13] T. D’Roza and G. Bilchev. An overview of location-based services.BT Technology Journal, 21(1):20–27, January 2003.

[14] M. Duckham and L. Kulik. A formal model of obfuscation andnegotiation for location privacy. In Proc. of PERVASIVE 2005,Munich, Germany, May 2005.

[15] M. Duckham and L. Kulik. Dynamic & mobile GIS: Investigatingchange in space and time. In Location privacy and location-awarecomputing. Taylor & Francis, 2006.

[16] B. Gedik and L. Liu. Protecting location privacy with personalizedk-anonymity: Architecture and algorithms. IEEE Transactions onMobile Computing, 7(1):1–18, January 2008.

[17] Geographic Location/Privacy (geopriv), September 2006. http://www.ietf.org/html.charters/geopriv-charter.html.

[18] G. Ghinita, P. Kalnis, and S. Skiadopoulos. Prive: Anonymouslocation-based queries in distributed mobile systems. In Proc. ofWWW 2007, Banff, Canada, May 2007.

[19] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In Proc. ofMobiSys 2003, San Francisco, CA, USA, May 2003.

[20] F. Gustafsson and F. Gunnarsson. Mobile positioning using wire-less networks: Possibilities and fundamental limitations based onavailable wireless network measurements. IEEE Signal ProcessingMagazine, July 2005.

[21] B. Ho and M. Gruteser. Protecting location privacy through pathconfusion. In Proc. of IEEE/CreateNet SecureComm 2005, Athens,Greece, September 2005.

[22] B. Hoh, M. Gruteser, H. Xiong, and A. Alrabady. Preservingprivacy in GPS traces via density-aware path cloaking. In Proc.of ACM CCS 2007, Alexandria, VA, USA, October 2007.

[23] M. Langheinrich. Privacy by design-principles of privacy-awareubiquitous systems. In Proc. of UBICOMP 2001, Atlanta, Georgia,USA, September-October 2001.

[24] M. Langheinrich. A privacy awareness system for ubiquitouscomputing environments. In Proc. of UBICOMP 2002, Goteborg,Sweden, September-October 2002.

[25] J-W. Lee. Location-tracing sparks privacy concerns. Korea Times.http://times.hankooki.com, 16 November 2004. Accessed 22 De-cember 2006.

[26] Loopt. http://www.loopt.com/, December 2008.[27] M.F. Mokbel, C-Y. Chow, and W.G. Aref. The new casper: Query

processing for location services without compromising privacy.In Proc. of VLDB 2006, Seoul, Korea, September 2006.

[28] P. Olofsson. Probability, Statistics and Stochastic Processes. JohnWiley & Sons, Inc., 2005.

[29] Privacy Rights Clearinghouse/UCAN. A Chronology ofData Breaches, 2006. http://www.privacyrights.org/ar/ChronDataBreaches.htm.

[30] P. Samarati. Protecting respondents’ identities in microdata re-lease. IEEE TKDE, 13(6):1010–1027, November/December 2001.

[31] H. Shin, V. Atluri, and J. Vaidya. A profile anonymization modelfor privacy in a personalized location based service environment.In Proc. of MDM 2008, Beijing, China, April 2008.

[32] G. Sun, J. Chen, W. Guo, and K.J. Ray Liu. Signal processingtechniques in network-aided positioning: A survey of state-of-the-art positioning designs. IEEE Signal Processing Magazine, July2005.

[33] B. Thuraisingham. Dependable infrastructures and data managersfor sensor networks. In Proc. of IEEE WORDS 2003, Guadalajara,Mexico, October 2003.

[34] B. Thuraisingham. Directions for security and privacy for seman-tic e-business applications. Communications of the ACM (CACM),48(12):71–73, December 2005.

[35] B. Thuraisingham. Privacy constraint processing in a privacy-enhanced database management system. Data & Knowledge Engi-neering, 55(2):159–188, November 2005.

Claudio A. Ardagna is an assistant professor atthe Department of Information Technology, Uni-versita degli Studi di Milano, Italy. He receivedthe laurea and PhD degrees, both in computerscience, from the Universita degli Studi di Milanoin 2003 and 2008, respectively. His researchinterests are in the area of information security,privacy, access control, mobile networks, andopen source.http://www.dti.unimi.it/ardagna

Marco Cremonini is an assistant professor atthe Department of Information Technology of theUniversity of Milan, Italy. He previously workedas a Research Assistant at the Institute for Se-curity Technology Studies (ISTS) of the Dart-mouth College, NH, USA. His research activity isfocused on network security, economic aspectsof security technologies, privacy, and security inubiquitous computing.

Sabrina De Capitani di Vimercati is a professorat the Department of Information Technology,Universita degli Studi di Milano, Italy. Her re-search interests are in the area of informationsecurity, databases, and information systems.She has been an international fellow in theComputer Science Laboratory at SRI, CA (USA).She is co-recipient of the ACM-PODS’99 BestNewcomer Paper Award.http://www.dti.unimi.it/decapita

Pierangela Samarati is a professor at the De-partment of Information Technology, Universitadegli Studi di Milano, Italy. Her main researchinterests are in data protection, access controlmodels, and information privacy and security.She has published more than 150 papers ininternational journals and conferences. She hasbeen a computer scientist at SRI International,CA (USA) and a visiting researcher at Stan-ford University, CA (USA), and George MasonUniversity, VA (USA). She is the chair of the

Steering Committees of the ACM Workshop on Security and Privacy,and of the European Symposium on Research in Computer Security.She is a member of the steering committee of several conferences.She is the vice-chair of the ACM SIGSAC - Special Interest Group onSecurity, Audit, and Control.http://www.dti.unimi.it/samarati

an obfuscation-based approach for protecting location...

Documents