CLOAKING AND MODELING TECHNIQUES FOR LOCATION PRIVACY PROTECTION Ying Cai Department of Computer Science Iowa State University Ames, IA 50011

Page 1: Cloaking and Modeling Techniques for location Privacy protection

CLOAKING AND MODELING TECHNIQUES FOR LOCATION PRIVACY PROTECTION

Ying Cai
Department of Computer Science
Iowa State University
Ames, IA 50011

Page 2: Cloaking and Modeling Techniques for location Privacy protection

LOCATION-BASED SERVICES

Page 3: Cloaking and Modeling Techniques for location Privacy protection

RISKS ASSOCIATED WITH LBS

Exposure of service uses
Location privacy

[Figure: places a user may not want exposed: Hospital, Political Party, Nightclub; Stalking….]

Page 4: Cloaking and Modeling Techniques for location Privacy protection

CHALLENGE

Restricted space identification
Simply using a pseudonym is not sufficient because anonymous location data may be correlated with restricted spaces such as home and office for subject re-identification

[Figure: a pseudonymous location trace passing through a restricted space, ending with the subject identified]

Page 5: Cloaking and Modeling Techniques for location Privacy protection

LOCATION DEPERSONALIZATION

Basic idea: reducing location resolution
Report a cloaking region, instead of actual location

[Figure: system architecture. Users send "Location & Request" through a base station (cellular infrastructure) to the anonymity server, which forwards "Cloaked region & Request" over the Internet to the LBS servers; answers flow back along the same path.]

Page 6: Cloaking and Modeling Techniques for location Privacy protection

LOCATION DEPERSONALIZATION

Basic idea: reducing location resolution
Report a cloaking region, instead of actual location

[Figure: same architecture as Page 5: users, base station (cellular infrastructure), anonymity server, Internet, LBS servers; "Location & Request" in, "Cloaked region & Request" out, answers back.]

Key Issue
Each cloaking area must provide a desired level of depersonalization, and be as small as possible

Page 7: Cloaking and Modeling Techniques for location Privacy protection

EXISTING SOLUTION

Ensuring each cloaking area contains a certain number of users [MobiSys’03, ICDCS’05, VLDB’07]

[Figure: service users and their cloaking regions, each containing K = 4, K = 5 or K = 6 users]

Page 8: Cloaking and Modeling Techniques for location Privacy protection

PROBLEMS (1)

The anonymity server needs frequent location update from all users
Practicality
Scalability
Difficult to support continuous LBS
Simply ensuring each cloaking region contains K users does not support K-anonymity protection

[Figure: a service user]

Page 9: Cloaking and Modeling Techniques for location Privacy protection

PROBLEMS (2)

Guarantee only anonymous uses of services, but not location privacy
An adversary may not know who requests the service, but knows that the K users are all there at the time when the service is requested
Where you are and whom you are with are closely related with what you are doing …

Page 10: Cloaking and Modeling Techniques for location Privacy protection

THE ROOT OF THE PROBLEMS

These techniques cloak a user’s position based on his current neighbors

[Figure: the cloaking regions of Page 7, built from K = 4, K = 5 and K = 6 neighboring service users]

Page 11: Cloaking and Modeling Techniques for location Privacy protection

OBSERVATION

Public areas are naturally depersonalized
A large number of visits by different people
More footprints, more popular

[Figure: examples of public areas: Park, Highway]

Page 12: Cloaking and Modeling Techniques for location Privacy protection

PROPOSED SOLUTION [INFOCOM’08]

Using footprints for location cloaking
A footprint is a historical location sample
Each cloaking region contains at least K different footprints

Neighboring users vs. Footprints

Location privacy protection: An adversary may be able to identify all these users, but will not know who was there at what time

Page 13: Cloaking and Modeling Techniques for location Privacy protection

FOOTPRINT DATABASE

Source of footprints
From wireless service carriers, which provide the communication infrastructure
From the users of LBSs, who need to report location for cloaking

Page 14: Cloaking and Modeling Techniques for location Privacy protection

FOOTPRINT DATABASE

Source of footprints
From wireless service carriers, which provide the communication infrastructure
From the users of LBSs, who need to report location for cloaking
Trajectory indexing for efficient retrieval
Partition network domain into cells
Maintain a cell table for each cell

[Figure: footprint database layout, labelled: domain, cell table (uid, tlink), trajectories (c1, c2, …, cn)]

Page 15: Cloaking and Modeling Techniques for location Privacy protection

CLOAKING TECHNIQUES

Sporadic LBS
Each cloaking region needs to 1) be as small as possible, 2) contain footprints from at least K different users
Continuous LBS
Each trajectory disclosed must be a K-anonymity trajectory (KAT)

[Figure: a trajectory through cells c1, c2, c3, c4 with cloaking boxes B1, B2, B3, B4, labelled "additive trajectory"]

Page 16: Cloaking and Modeling Techniques for location Privacy protection

PRIVACY REQUIREMENT MODELING

K-anonymity model
To request a desired level of protection, a user needs to specify a value of K
Problem: choosing an appropriate K is difficult
Privacy is about feeling, and it is difficult to scale one’s feeling using a number
A user can always choose a large K, but this will reduce location resolution unnecessarily

Page 17: Cloaking and Modeling Techniques for location Privacy protection

PROPOSED SOLUTION [CCS09]

A feeling-based approach
A user specifies a public region
A spatial region which she feels comfortable that it is reported as her location should she request a service inside it
The public region becomes her privacy requirement
All locations reported on her behalf will be at least as popular as the public region she identifies

Page 18: Cloaking and Modeling Techniques for location Privacy protection

CHALLENGE

How to measure the popularity of a spatial region?
More visitors, higher popularity
More even distribution, higher popularity

Given a spatial region R, we define
Entropy E(R) =
Popularity P(R) = 2^E(R)

Page 19: Cloaking and Modeling Techniques for location Privacy protection

CLOAKING TECHNIQUES

Sporadic LBS
Each cloaking region needs to 1) be as small as possible, 2) have a popularity no less than P(R)
Continuous LBS
A sequence of location updates which form a trajectory
The strategy for sporadic LBSs may not work
Adversary may identify the common set of visitors
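As an added example (not code from the talk or its papers), the following Python builds a small constructed footprint database and implements both sporadic cloaking requirements: the footprint K-anonymity rule of Page 15 and the popularity rule of Pages 17 to 19. It assumes E(R) is the base-2 Shannon entropy of each user's share of the footprints in R (the slide's entropy formula did not survive extraction), and it grows an axis-aligned rectangle of grid cells around the user's cell, which is a simplification of the talk's cloaking algorithms.

```python
import math
from collections import Counter

# Constructed 2x2-grid footprint database: cell -> Counter(user -> #samples). Sample data, not the talk's.
ROWS, COLS = 2, 2
FOOTPRINTS = {
    (0, 0): Counter({"u1": 8, "u2": 1}),           # many samples, almost all from one user
    (0, 1): Counter({"u1": 2, "u3": 2, "u4": 2}),  # fewer samples, evenly spread
    (1, 0): Counter({"u5": 1}),
    (1, 1): Counter({"u2": 3, "u3": 3, "u6": 3, "u7": 3}),
}

def footprints_in(region):
    """Per-user footprint counts aggregated over all cells of a region."""
    total = Counter()
    for cell in region:
        total.update(FOOTPRINTS.get(cell, {}))
    return total

def entropy(region):
    """E(R): base-2 Shannon entropy of each user's share of the footprints in R (assumed definition)."""
    counts = footprints_in(region)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def popularity(region):
    """P(R) = 2^E(R): the effective number of equally frequent visitors of R."""
    return 2 ** entropy(region)

def rectangles_containing(cell):
    """All axis-aligned rectangles of grid cells that contain the user's cell."""
    r0, c0 = cell
    for top in range(r0 + 1):
        for bottom in range(r0, ROWS):
            for left in range(c0 + 1):
                for right in range(c0, COLS):
                    yield frozenset((r, c) for r in range(top, bottom + 1) for c in range(left, right + 1))

def cloak(cell, accept):
    """Smallest rectangle containing `cell` that satisfies the predicate, or None if none does."""
    candidates = [reg for reg in rectangles_containing(cell) if accept(reg)]
    return min(candidates, key=len) if candidates else None

def cloak_k(cell, k):
    """Page 15 requirement: the region holds footprints from at least K different users."""
    return cloak(cell, lambda reg: len(footprints_in(reg)) >= k)

def cloak_feeling(cell, public_region):
    """Pages 17-19 requirement: popularity no less than that of the user's public region."""
    return cloak(cell, lambda reg: popularity(reg) >= popularity(public_region))
```

Cell (0, 0) holds more footprints than cell (0, 1) but is less popular, because almost all of its footprints belong to one user; that is the "more even distribution, higher popularity" point of Page 18.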

Page 20: Cloaking and Modeling Techniques for location Privacy protection

CLOAKING TECHNIQUES

Sporadic LBS
Each disclosed cloaking region must be as small as possible and have a popularity no less than P(R)
Continuous LBS
The time-series sequence of location samples must form a P-Populous Trajectory (PPT)
A trajectory is a PPT if its popularity is no less than P
The popularity of each cloaking region in the trajectory must be computed w.r.t. a common set of users

Page 21: Cloaking and Modeling Techniques for location Privacy protection

FINDING A CLOAKING SET

A simple solution is to find the set of users who have footprints closest to the service-user
Resolution becomes worse
There may exist another cloaking set which leads to a finer average resolution

Page 22: Cloaking and Modeling Techniques for location Privacy protection

PROPOSED SOLUTION

Using populous users for cloaking
Popular users have more footprints spanning larger regions
Pyramid footprint indexing
A user is l-popular if she has footprints in all cells at level l
Sort users by the level l, and choose the most popular ones as the cloaking set
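An added illustration (not the talk's code) of the pyramid indexing on Page 22: footprints are kept at the finest level of a quadtree-like pyramid in which level l has 2^l × 2^l cells, and a user's popularity level is the highest l at which she has a footprint in every cell. The grid size, user names and footprints are constructed for this example.

```python
# Constructed pyramid (not the talk's parameters): level l has 2^l x 2^l cells; footprints are
# stored as (row, col) cells at the finest level, FINEST_LEVEL (here a 4x4 grid).
FINEST_LEVEL = 2

# Constructed footprints per user, as sets of finest-level cells.
USER_CELLS = {
    "alice": {(0, 0), (0, 3), (3, 0), (3, 3)},             # one footprint per quadrant
    "bob": {(r, c) for r in range(4) for c in range(4)},  # a footprint in every finest cell
    "carol": {(1, 1), (1, 2)},                            # confined to the top-left quadrant
    "dave": set(),                                        # no footprints at all
}

def cell_at_level(cell, level):
    """Ancestor of a finest-level cell at a coarser pyramid level."""
    shift = FINEST_LEVEL - level
    return (cell[0] >> shift, cell[1] >> shift)

def popularity_level(cells):
    """Highest l such that the user has footprints in all 4^l cells of level l (she is l-popular).
    Coverage at level l implies coverage at l-1, so the scan stops at the first gap.
    Returns -1 for a user without any footprint."""
    best = -1
    for level in range(FINEST_LEVEL + 1):
        covered = {cell_at_level(c, level) for c in cells}
        if len(covered) != 4 ** level:
            break
        best = level
    return best

def rank_users(user_cells):
    """Users ordered from most to least popular (Page 22: sort users by their level l)."""
    return sorted(user_cells, key=lambda u: popularity_level(user_cells[u]), reverse=True)

def cloaking_set(user_cells, k):
    """The k most popular users, chosen as the cloaking set."""
    return rank_users(user_cells)[:k]
```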

Page 23: Cloaking and Modeling Techniques for location Privacy protection

SIMULATION

We implement two other strategies for comparison
Naive cloaks each location independently
Plain selects cloaking set by finding footprints closest to service user’s start position
Performance metrics
Cloaking area
Protection level

Page 24: Cloaking and Modeling Techniques for location Privacy protection

EXPERIMENT

A Location Privacy Aware Gateway (LPAG)
ePost-It: a spatial messaging system [MobiSys’08]

Page 25: Cloaking and Modeling Techniques for location Privacy protection

CONCLUDING REMARKS

Exploring historical location samples for location cloaking
To date, this is the only solution that can prevent anonymous location data from being correlated with restricted spaces to derive who’s where at what time
A feeling-based approach for users to express their location privacy requirement
K-anonymity model was the only choice
A suite of location cloaking algorithms
Satisfy a required level of protection while resulting in good location resolution
A location privacy-aware gateway prototype has been implemented