
1 Location Privacy. 2 Context Better localization technology + Pervasive wireless connectivity =...

Date post: 20-Jan-2016
Upload: aron-chandler
Transcript
Page 1: 1 Location Privacy. 2 Context Better localization technology + Pervasive wireless connectivity = Location-based applications.

1

Location Privacy

2

Context

Better localization technology + Pervasive wireless connectivity = Location-based applications

3

Location-Based Apps

For example: GeoLife shows grocery list near WalMart; Micro-Blog allows location-scoped querying; location-based ad: coffee coupon at Starbucks; …

Location expresses context of user, facilitating content delivery

It's as if location is the IP address for content

4

Double-Edged Sword

While location drives this new class of applications, it also violates user’s privacy

Sharper the location, richer the app, deeper the violation

5

The Location Based Service Workflow

Client Server LBS Database

(Location Based Service)

Request: Retrieve all available services in client’s location

Forward to local service: Retrieve all available services in location

Reply:

Reply:

6

The Location Anonymity Problem

Client Server LBS Database

(Location Based Service)

Request: Retrieve all bus lines from location to address

Privacy Violated

7

Double-Edged Sword

Moreover, a range of apps are PUSH based.

Require continuous location information

Phone detected at Starbucks, PUSH a coffee coupon

Phone located on highway, query traffic congestion

8

Location Privacy

Problem: Continuous location exposure a serious threat to privacy

Research: Preserve privacy without sacrificing the quality of continuous loc. based apps

9

Just Call Yourself “Freddy”

Pseudonyms [Gruteser04]: effective only when location exposure is infrequent; else, spatio-temporal patterns are enough to deanonymize

… think breadcrumbs

[Figure labels: Romit’s Office; John, Leslie, Jack, Susan, Alex]

10

A Customizable k-Anonymity Model for Protecting Location Privacy

Paper by: B. Gedik, L. Liu (Georgia Tech)

Slides adopted from: Tal Shoseyov

11

Location Anonymity

“A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.”

12

k-Anonymity

“A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”

13

Implementation of Location Anonymity

Client sends plain request to the server

Server transforms the message by “anonymizing” the location data in the message

Server sends “anonymized” message

Database executes request according to the received anonymous data

Database replies to server with compiled data

Server forwards data to client

14

Implementation of Location k-Anonymity

Spatial Cloaking – Setting a range of space to be a single box, where all clients located within the range are said to be in the “same location”.

Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message at the “same time”.

15

Implementation of Location k-Anonymity

Spatial-Temporal Cloaking – Setting a range of space and a time interval, where all the messages sent by client inside the range in that time interval. This spatial and temporal area is called a “cloaking box”.

16

Previous solutions

M. Gruteser, D. Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 other distinct clients, and monitors that area over time until such k-1 clients are found.

Drawback: Fixed anonymity value for all clients (service dependent)

17

Add Noise

K-anonymity [Gedic05]: convert location to a space-time bounding box; ensure K users in the box; location apps reply to boxed region

Issues: poor quality of location; degrades in sparse regions; not real-time

[Figure labels: You, Bounding Box, K=4]
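
The spatial and temporal cloaking described on the preceding slides, as an added example (not code from the slides or from the cited papers): a grid-aligned cell is doubled until it holds k distinct users inside the time window, and no box is returned when a sparse region cannot reach k within tolerance. The `Report` type, the `cloak` function, its tolerance parameters and the sample reports are all constructed for illustration.

```python
import math
from collections import namedtuple

# Constructed type: one location report as seen by the anonymizing server.
Report = namedtuple("Report", "user x y t")  # metres, metres, seconds

def cloak(req, reports, k, max_side=1600.0, max_wait=60.0, min_side=100.0):
    """Return a cloaking box (x0, x1, y0, y1, t0, t1) holding req and at least
    k-1 other distinct users, or None if the tolerances cannot be met."""
    t0, t1 = req.t - max_wait, req.t          # temporal cloaking window
    side = min_side
    while side <= max_side:
        # Grid-aligned cell containing the requester, so the box is not
        # centred on (and does not leak) the exact position.
        x0 = math.floor(req.x / side) * side
        y0 = math.floor(req.y / side) * side
        users = {r.user for r in reports
                 if x0 <= r.x < x0 + side and y0 <= r.y < y0 + side
                 and t0 <= r.t <= t1}
        users.add(req.user)
        if len(users) >= k:
            return (x0, x0 + side, y0, y0 + side, t0, t1)
        side *= 2                             # spatial cloaking: coarsen the cell
    return None                               # sparse region: k not reachable

# Constructed sample: a downtown cluster and one isolated user.
REPORTS = [
    Report("a", 120, 130, 100), Report("b", 160, 110, 95),
    Report("c", 310, 250, 90), Report("d", 700, 650, 99),
    Report("e", 150, 140, 10),                # too old to count at t=100
    Report("z", 9000, 9000, 100),
]

def demo():
    me = Report("a", 120, 130, 100)
    small = cloak(me, REPORTS, k=2)           # per-request k, not one fixed value
    large = cloak(me, REPORTS, k=4)           # higher k costs location quality
    rural = cloak(Report("z", 9000, 9000, 100), REPORTS, k=2)
    return small, large, rural
```

The k=4 request gets an 800 m box where k=2 gets a 100 m one, which is the quality cost the "Issues" list names, and the isolated user gets no box at all.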

18

Confuse Via Mixing

Path intersections are an opportunity for privacy: if users intersect in space-time, cannot say who is who later

19

Confuse Via Mixing

Path intersections are an opportunity for privacy: if users intersect in space-time, cannot say who is who later

Unfortunately, users may not intersect in both space and time

[Figure labels: Hospital, Airport]

20

Hiding Until Mixed

Partially hide locations until users mixed [Gruteser07]; expose after a delay

[Figure labels: Hospital, Airport]

21

Hiding Until Mixed

Partially hide locations until users mixed [Gruteser07]; expose after a delay

But delays unacceptable to real-time apps

[Figure labels: Hospital, Airport]

22

Existing solutions seem to suggest:

Privacy and Quality of Localization (QoL) are a zero-sum game

Need to sacrifice one to gain the other

23

Hiding Stars with Fireworks: Location Privacy through Camouflage

24

Goal

Break away from this tradeoff

Target: spatial accuracy; real-time updates; privacy guarantees; even in sparse populations

New Proposal: CacheCloak

25

The Intuition

Predict until paths intersect

Hospital

Airport

26

The Intuition

Predict until paths intersect

Hospital

Airport

Predict

Predict

27

The Intuition

Predict until paths intersect; expose predicted intersection to application

Cache the information on each predicted location

[Figure labels: Hospital, Airport, Predict, Predict]

28

CacheCloak

System Design and Evaluation

29

Architecture

Assume trusted privacy provider: reveal location to CacheCloak; CacheCloak exposes anonymized location to Loc. App

[Figure labels: CacheCloak; Loc. App1, Loc. App2, Loc. App3, Loc. App4]

30

In Steady State …

[Figure labels: Location Based Application, CacheCloak]

31

Prediction

[Figure labels: Location Based Application, Backward prediction, Forward prediction, CacheCloak]

32

Prediction

[Figure labels: Location Based Application, CacheCloak]

33

Predicted Intersection

[Figure labels: Location Based Application, Predicted Path, CacheCloak]

34

Query

[Figure labels: Location Based Application, Predicted Path, CacheCloak]

35

Query

[Figure labels: Location Based Application, CacheCloak]

36

LBA Responds

[Figure labels: Location Based Application, Array of responses, CacheCloak]

37

Cached

[Figure labels: Location Based Application, Cached Responses, Location based Information, CacheCloak]

38

Cached Response

[Figure labels: Location Based Application, Cached Responses, Location based Information, CacheCloak]

39

Cached Response

[Figure labels: Location Based Application, Cached Responses, Location based Information, CacheCloak]

40

Cached Response

[Figure labels: Location Based Application, Cached Responses, CacheCloak]

41

Cached Response

[Figure labels: Location Based Application, Predicted Path, CacheCloak]
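
The predict, query and cache cycle walked through on slides 30 to 41, as an added example (not CacheCloak's own code): on a cache miss the path is extended forward and backward until each end meets an already-cached pixel, the application is queried for the whole path, and later updates on that path are answered from the cache. Straight-line extrapolation stands in for the mobility prediction, and `lbs_query`, `extend`, `on_update` and the seeded cache are constructed for illustration.

```python
def lbs_query(pixels, seen):
    """Stand-in for the untrusted location-based application."""
    seen.append(list(pixels))                  # everything the application learns
    return {p: f"info@{p}" for p in pixels}

def extend(pixel, step, cache, limit):
    """Predict from pixel along step until a cached pixel (another path) is hit.
    Assumption: if nothing is hit within limit pixels the path simply ends there."""
    path, cur = [], pixel
    for _ in range(limit):
        cur = (cur[0] + step[0], cur[1] + step[1])
        path.append(cur)
        if cur in cache:
            break
    return path

def on_update(pixel, heading, cache, seen, limit=20):
    """Handle one location update sent by a user to the trusted cloak."""
    if pixel in cache:                         # steady state: answer from cache,
        return cache[pixel]                    # the application sees nothing
    fwd = extend(pixel, heading, cache, limit)
    back = extend(pixel, (-heading[0], -heading[1]), cache, limit)
    path = back[::-1] + [pixel] + fwd
    new = [p for p in path if p not in cache]
    cache.update(lbs_query(new, seen))         # one query for the whole path
    return cache[pixel]

def demo():
    # Constructed state: two north-south roads already cached from earlier users.
    cache = {(x, y): f"info@{(x, y)}" for x in (0, 10) for y in range(11)}
    seen = []
    first = on_update((4, 5), (1, 0), cache, seen)   # appears mid-block, heading east
    later = [on_update((x, 5), (1, 0), cache, seen) for x in (5, 6, 7)]
    return first, later, seen
```

The application receives a single query spanning the segment between the two cached roads, so the user's entry pixel, direction and subsequent movement are not distinguishable within it.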

42

Benefits

Real-time: response ready when user arrives at predicted location

High QoL: responses can be specific to location; overhead on the wired backbone (caching helps)

Entropy guarantees: entropy increases at traffic intersections

Sparse population: can be handled with dummy users, false branching

[Figure label: Predicted Path]

43

Quantifying Privacy

City converted into grid of small squares (pixels); users are located at a pixel at a given time

Each pixel associated with 8x8 matrix: element (x, y) = probability that user enters x and exits y

Probabilities diffuse: at intersections; over time

Privacy = entropy

$E_{user} = -\sum_{i \in \text{pixels}} p_i \log p_i$

[Figure labels: pixel, x, y]

44

Diffusion

Probability of user’s presence diffuses

Diffusion gradient computed based on history, i.e., what fraction of users take right turn at this intersection

[Figure labels: Time t1, Time t2, Time t3, Road, Intersection]
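
The entropy measure and diffusion from the two slides above, as an added example (not code from the slides or the paper): an attacker's belief about one user is pushed along a small road graph, splitting at intersections by historical turn fractions, and entropy is computed at each step. It simplifies the 8x8 enter/exit matrix to one exit distribution per pixel, takes the logarithm base 2 to match the "bits" axis of the results, and also counts peaks as defined on the later results slides; the graph, fractions and function names are constructed.

```python
import math

# Constructed road graph: pixel -> {next pixel: fraction of past users who went there}.
TURNS = {
    "A": {"B": 1.0},
    "B": {"C": 1.0},
    "C": {"D": 0.5, "E": 0.5},        # intersection: half of past users turn
    "D": {"F": 1.0},
    "E": {"G": 0.8, "H": 0.2},        # second intersection, uneven split
    "F": {"F": 1.0}, "G": {"G": 1.0}, "H": {"H": 1.0},   # end of the map
}

def diffuse(p, turns):
    """Advance the belief {pixel: probability} by one time step."""
    nxt = {}
    for pixel, mass in p.items():
        for dest, frac in turns[pixel].items():
            nxt[dest] = nxt.get(dest, 0.0) + mass * frac
    return nxt

def entropy_bits(p):
    """E_user = -sum_i p_i log2 p_i over pixels with non-zero probability."""
    return sum(-m * math.log2(m) for m in p.values() if m > 0)

def peaks(p, threshold):
    """Number of pixels where the attacker's confidence exceeds threshold."""
    return sum(1 for m in p.values() if m > threshold)

def beliefs(start, turns, steps):
    """Belief at t = 0..steps for a user last seen with certainty at start."""
    out = [{start: 1.0}]
    for _ in range(steps):
        out.append(diffuse(out[-1], turns))
    return out

def demo():
    bs = beliefs("A", TURNS, 4)
    return [round(entropy_bits(b), 3) for b in bs], [peaks(b, 0.45) for b in bs]
```

Entropy stays at zero along the straight road and rises only at the two intersections, while the uneven second split adds less than one bit.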

45

Evaluation

Trace based simulation: VanetMobiSim + US Census Bureau trace data; Durham map with traffic lights, speed limits, etc.

Vehicles follow Google map paths; performs collision avoidance

6km x 6km; 10m x 10m pixel; 1000 cars

46

Results

High average entropy; quite insensitive to user density (good for sparse regions); minimum entropy reasonably high

[Figure: Bits of Mean Entropy (with Min. and Max.); x-axes: Number of Users (N), Time (Minutes)]

47

Results

Peak Counting: # of places where attacker’s confidence is > Threshold

[Figure: Mean # of Peaks vs. Time (Seconds)]

48

Results

Peak Counting: # of places where attacker’s confidence is > Threshold

[Figure: Mean # of Peaks vs. Number of Users (N)]

49

Limitations, Discussions …

CacheCloak overhead: application replies to a lot of queries; however, overhead is on wired infrastructure; caching reduces this overhead significantly

CacheCloak assumes same, indistinguishable query: different queries can deanonymize; possible through query combination … future work

Per-user privacy guarantee not yet supported: adaptive branching & dummy users

CacheCloak is a central trusted entity: distributed version proposed in the paper

50

Closing Thoughts

Two nodes may intersect in space but not in time

Mixing not possible, without sacrificing timeliness

Mobility prediction creates space-time intersections

Enables virtual mixing in future

51

Closing Thoughts

CacheCloak implements the prediction and caching function

High entropy possible even under sparse population

Spatio-temporal accuracy remains uncompromised

54

Thank You

For more related work, visit:

http://synrg.ee.duke.edu

