A Unified Framework for Location Privacy

Reza……..ShokriJulien.....FreudigerJean-Pierre....Hubaux

http://lca.epfl.ch/privacy

2

Exposing Location Information

3

Location Privacy

“… a special type of information privacy which concerns the claim of individuals to determine for themselves when, how, and to what extent location information about them is communicated to others.”

Duckham, M. and L. Kulik, Location privacy and location-aware computing, 2006.

4

Research on Location PrivacyAchievements So Far

• Attracted researchers from various disciplines– Database, Network Anonymity, Ubiquitous

Computing, Cryptography• Variety of protection mechanisms proposed

– Highly influenced by methods that are not tailored for location privacy (e.g., K-anonymity)

• Different terminologies and models make the proposed methods difficult to compare

5

A Unified Framework

• Organizing and classifying location privacy fundamental components

• Providing a generic model and terminology

• Modeling and understanding existing efforts• Identifying missing elements• Designing new schemes

6

Components of the Framework

• Basic elements– Spatial Model– Events and Traces

• Threat Model

• Protection Mechanisms

• Measurement

7

Basic Elements

8

Spatial ModelLayer I - location instances e.g., <latitude, longitude>

Layer II - location sites e.g., hospital A at 45th St.

Layer III - location types e.g., bar, hospital

9

Events and TracesEvents

<who, when, where>

- Who: identifier- When: time-stamp- Where: location-stamp

Trace- Set of events

10

Threat Model

11

Threat Model

LBS Operator

Eavesdroppers

Adversary is an observer of users’ events

12

Adversary Statistical InformationStatistical information about users’ actual events.

e.g., users’ spatiotemporal distribution and mobility pattern

13

Adversary Knowledge

• Real-time location information– A set of events (observed by the adversary)

• Statistical information– Users’ population– Users’ mobility pattern– Users’ spatiotemporal distribution– …

14

?

AttacksTargeting individuals or communities

Tracking Identification

Bob’s Home

Bob’s Workplace

15

Consequences Presence Disclosure

– Layer I: Finding mobility traces/patterns

– Layer II: Disclosing visits to some places

– Layer III: Profiling the type of visited locations• Personal activities => My Hobbies/Interests

• Professional activities => Where I Work

• Social activities => My Social Network

16

Absence Disclosure

Consequences

17

Protection

18

Location Privacy Preservation

Actual Events

Obs

erva

tion

Observable Events

Modifying the set of events before they are

observable to the adversary

19

Location Privacy Preservation

Actual Events

Use

rs

Appl

icati

ons

Priv

acy

Tool

s

MethodsEntities

Observable Events

20

Location Privacy Preservation

Actual Events

Hiding Events

Use

rs

Appl

icati

ons

Priv

acy

Tool

s

MethodsEntities

Observable Events

21

Location Privacy Preservation

Actual Events

Hiding Events

Adding Dummy EventsU

sers

Appl

icati

ons

Priv

acy

Tool

s

MethodsEntities

Observable Events

22

Location Privacy Preservation

Actual Events

Obfuscation

Hiding Events

Adding Dummy EventsU

sers

Appl

icati

ons

Priv

acy

Tool

s

MethodsEntities

Observable Events

23

Location Privacy Preservation

Actual Events

Obfuscation

Hiding Events

Adding Dummy EventsU

sers

Appl

icati

ons

Priv

acy

Tool

s

MethodsEntities

Observable EventsAnonymization

24

Measurement

25

Location Privacy Measurement

• Notions of location privacy in two different scales:

• Microscopic Location Privacy– How far is the adversary’s estimation of a user’s location

by having a single event observed from the user?

• Macroscopic Location Privacy– How far is the adversary’s estimation of a user’s location

by observing a set of events from the users?

26

Microscopic Location Privacy with respect to a single observed event

<ID: abc, Location-stamp: Midtown Center Manhattan, Time-stamp: 1pm>

who is abc? Alice, Bob, …?

where is abc?

?

27

Macroscopic Location Privacy with respect to a set of observed events

what are the trajectories?

whom the trajectories belong to?

Bob’s House

Alice’s House

Eve’s House

28

Location Privacy Metrics

• Uncertainty-based Metrics

• K-anonymity, l-diversity, …

• Clustering-based Metrics

• Distortion-based Metrics

29

Distortion-based Metric

Darkness: the probability that a user is there. The darker, the more probable.

User’s actual locationHypothesized locations for the user

Obfuscated Area

Location Privacy=

Distortion in the user’s reconstructed location

by the adversary

Sumi (pi*di)

30

Location Privacy Measurement

• Existing schemes only focus on measuring location privacy in 1st layer of the spatial model

• What about other layers?

31

Location Privacy Measurement

Diversity matters

Layer II – Location Sites

Distance (to user’s location) matters

Suggestion: Distortion-based Metric

32

Location Privacy Measurement

bar

bar

bar

casino

Layer III – Location Types

Suggestion: Uncertainty-based or Distortion-based Metric

33

Conclusion

34

Conclusion

• Proposed a unified framework for location privacy– Helps to design, understand and compare location

privacy schemes

• Embedded existing schemes in our framework