Location Privacy.

Presentation transcript:

Location Privacy

Context: Better localization technology + Pervasive wireless connectivity = Location-based applications

Location-Based Apps. For example: GeoLife shows a grocery list near WalMart; Micro-Blog allows location-scoped querying; a location-based ad delivers a coffee coupon at Starbucks … Location expresses the context of the user and facilitates content delivery. It is as if location is the IP address for content.

Double-Edged Sword. While location drives this new class of applications, it also violates the user's privacy: the sharper the location, the richer the app, and the deeper the violation.

The Location-Based Service Workflow (diagram: Client, Server, LBS Database). Request from client to server: retrieve all available services in the client's location. The server forwards it to the local service: retrieve all available services in that location. The LBS database replies to the server, and the server relays the reply to the client.

The Location Anonymity Problem (same diagram). Request: retrieve all bus lines from [location] to [address]. Privacy violated: the request hands the LBS database the client's identity together with its current location and its destination.

Double-Edged Sword. Moreover, a range of apps are PUSH based and require continuous location information: phone detected at Starbucks, PUSH a coffee coupon; phone located on a highway, query traffic congestion.

Location Privacy. Problem: continuous location exposure is a serious threat to privacy. Research goal: preserve privacy without sacrificing the quality of continuous location-based apps.

Just Call Yourself ``Freddy''. Pseudonyms [Gruteser04] are effective only when location exposure is infrequent. Otherwise, spatio-temporal patterns are enough to deanonymize … think breadcrumbs. (Figure: pseudonymous trails of John, Leslie, Jack, Susan and Alex ending at Romit's office.)

A Customizable k-Anonymity Model for Protecting Location Privacy. Paper by: B. Gedik, L. Liu (Georgia Tech). Slides adapted from: Tal Shoseyov.

Location Anonymity. “A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.”

k-Anonymity. “A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”

Implementation of Location Anonymity. (1) The client sends a plain request to the server. (2) The server transforms the message by “anonymizing” the location data in it. (3) The server sends the “anonymized” message to the database. (4) The database executes the request according to the received anonymous data. (5) The database replies to the server with the compiled data. (6) The server forwards the data to the client.

Implementation of Location k-Anonymity. Temporal cloaking: set a time interval, so that all clients at a specific location who send a message within that interval are said to have sent it at the “same time”. Spatial cloaking: set a range of space to be a single box, so that all clients located within the range are said to be at the “same location”. (Figure: axes x, y, t.)

Spatial-temporal cloaking: set both a range of space and a time interval, so that all messages sent by clients inside the range during that interval are treated as coming from the same place at the same time. This spatial and temporal area is called a “cloaking box”. (Figure: axes x, y, t.)

Previous solutions. M. Gruteser, D. Grunwald (2003): for a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 other clients, and monitors that area over time until such k-1 clients are found. Drawback: a fixed anonymity value for all clients (service dependent), so a client cannot choose its own k.

Add Noise: K-anonymity [Gedik05]. Convert the location to a space-time bounding box, ensure K users are in the box, and have location apps reply to the boxed region. Issues: poor quality of location; degrades in sparse regions (the box must grow until it holds K users); not real-time. (Figure: bounding box around “You”, K=4.)
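The cloaking steps above, as an added example in Python (not code from the Gedik/Liu paper or from the slides): a quadtree descent in the style of the Gruteser/Grunwald approach finds the smallest cell around the requesting client that still holds k users, and the timestamp is widened to a window. The 1024 m area, the client positions and the window length are constructed inputs; the half-open cell boundaries and the minimum cell side are implementation choices of this example. Running it with the clustered and the scattered clients shows the sparse-region degradation: the cell around the isolated client grows to the whole area.

```python
# Added example (not from the slides or the cited papers): quadtree-style spatial
# cloaking plus temporal cloaking for location k-anonymity.
import math
from typing import Dict, Optional, Tuple

Point = Tuple[float, float]
Box = Tuple[float, float, float, float]      # (x0, y0, x1, y1); half-open on x1 and y1


def inside(p: Point, box: Box) -> bool:
    x0, y0, x1, y1 = box
    return x0 <= p[0] < x1 and y0 <= p[1] < y1   # half-open: a point lies in exactly one quadrant


def quadrants(box: Box):
    x0, y0, x1, y1 = box
    mx, my = (x0 + x1) / 2, (y0 + y1) / 2
    return [(x0, y0, mx, my), (mx, y0, x1, my), (x0, my, mx, y1), (mx, my, x1, y1)]


def spatial_cloak(users: Dict[str, Point], who: str, k: int, area: Box,
                  min_side: float = 1.0) -> Optional[Box]:
    """Smallest quadtree cell around `who` that holds at least k users (`who` included).

    Descends from the whole area into the quadrant containing `who` while that quadrant
    still holds k or more users; stops one level above the first quadrant that would not.
    Returns None when even the whole area has fewer than k users (cannot be cloaked).
    """
    if not inside(users[who], area):
        raise ValueError(f"{who} is outside the service area")
    count = lambda b: sum(1 for p in users.values() if inside(p, b))
    box = area
    if count(box) < k:
        return None
    while box[2] - box[0] > min_side:
        child = next(q for q in quadrants(box) if inside(users[who], q))
        if count(child) < k:
            break
        box = child
    return box


def temporal_cloak(t: float, window: float) -> Tuple[float, float]:
    """Replace an exact timestamp by the window of length `window` that contains it."""
    start = math.floor(t / window) * window
    return (start, start + window)


def anonymize(users: Dict[str, Point], who: str, k: int, area: Box, t: float, window: float):
    """What the trusted server forwards instead of (who, x, y, t): a cloaking box and an interval."""
    box = spatial_cloak(users, who, k, area)
    if box is None:
        return None
    return {"box": box, "interval": temporal_cloak(t, window)}


# Constructed snapshot of client positions (metres) in a 1024 m x 1024 m area:
# four clients clustered bottom-left, three scattered elsewhere.
AREA: Box = (0, 0, 1024, 1024)
USERS: Dict[str, Point] = {
    "alice": (100, 100), "bob": (110, 105), "carol": (120, 115), "dave": (130, 120),
    "erin": (900, 900), "frank": (600, 300), "grace": (300, 800),
}

if __name__ == "__main__":
    for who, k in [("alice", 2), ("alice", 4), ("erin", 4), ("alice", 8)]:
        print(who, k, anonymize(USERS, who, k, AREA, t=125.0, window=60))
```

With k=4 the clustered client gets a 256 m cell, while the isolated client gets the full 1024 m area for the same k, which is the quality loss in sparse regions the slide lists; with k=8 no box exists at all and the request has to be held back.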

Confuse Via Mixing. Path intersections are an opportunity for privacy: if users intersect in space-time, one cannot say who is who afterwards. Unfortunately, users may not intersect in both space and time. (Figure: Hospital and Airport with two paths that do not meet.)
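The breadcrumb attack on pseudonyms and the mixing escape from it, as an added example in Python (not from the slides or any cited paper). It assumes the simplest tracking rule an attacker could use: link each pseudonymous report to the nearest report in the next epoch within a plausible step distance, assigning greedily by distance, and count the links where two candidates were equally close. The two traces are constructed: in one the users never meet, in the other they share a pixel in the same epoch.

```python
# Added example (not from the slides): nearest-neighbour linking of per-epoch pseudonyms,
# and the ambiguity a space-time intersection introduces. Linking rule is an assumption.
import math
from typing import Dict, List, Tuple

Report = Tuple[str, float, float]            # (pseudonym, x, y); pseudonym is fresh every epoch


def link_tracks(epochs: List[List[Report]], max_step: float, eps: float = 1e-9):
    """Chain per-epoch pseudonyms into tracks by nearest-neighbour continuity.

    Returns (tracks, ambiguous): tracks is a list of pseudonym chains; ambiguous counts the
    links where the best and second-best candidates were equidistant, i.e. where the
    attacker had to guess. Pseudonyms are assumed unique across the whole trace.
    """
    tracks: Dict[str, List[str]] = {p: [p] for p, _, _ in epochs[0]}   # keyed by latest pseudonym
    ambiguous = 0
    for cur, nxt in zip(epochs, epochs[1:]):
        pairs = []
        for p, x, y in cur:
            cands = sorted((math.dist((x, y), (qx, qy)), q) for q, qx, qy in nxt)
            cands = [(d, q) for d, q in cands if d <= max_step]
            if len(cands) > 1 and cands[1][0] - cands[0][0] <= eps:
                ambiguous += 1
            pairs.extend((d, p, q) for d, q in cands)
        used_p, used_q = set(), set()
        for d, p, q in sorted(pairs):                  # greedy: shortest plausible hop first
            if p in used_p or q in used_q:
                continue
            used_p.add(p)
            used_q.add(q)
            tracks[q] = tracks.pop(p) + [q]
        for q, _, _ in nxt:                            # unlinked reports start fresh tracks
            if q not in used_q:
                tracks[q] = [q]
    return list(tracks.values()), ambiguous


def reports_from_paths(paths: Dict[str, List[Tuple[float, float]]]) -> List[List[Report]]:
    """Constructed input: one report per user per epoch. The pseudonym embeds the true user
    only so the result can be checked; the attacker is assumed to see an opaque label."""
    n = len(next(iter(paths.values())))
    return [[(f"{u}-{t}", *paths[u][t]) for u in sorted(paths)] for t in range(n)]


# alice drives east, bob drives north. In SEPARATE they never meet; in CROSSING both are at
# pixel (2, 2) in the same epoch, a space-time intersection.
SEPARATE = {"alice": [(0, 0), (1, 0), (2, 0), (3, 0)],
            "bob": [(5, 5), (5, 6), (5, 7), (5, 8)]}
CROSSING = {"alice": [(0, 2), (1, 2), (2, 2), (3, 2), (4, 2)],
            "bob": [(2, 0), (2, 1), (2, 2), (2, 3), (2, 4)]}


def attack(paths: Dict[str, List[Tuple[float, float]]], max_step: float = 1.5):
    """Run the linking attack on a trace; returns (sorted tracks, number of ambiguous links)."""
    tracks, ambiguous = link_tracks(reports_from_paths(paths), max_step)
    return sorted(tracks), ambiguous


if __name__ == "__main__":
    print("separate:", attack(SEPARATE))
    print("crossing:", attack(CROSSING))
```

On the separate trace every hop has a single plausible successor, so fresh pseudonyms buy nothing: the two chains are reconstructed exactly. On the crossing trace the hop into and the hop out of (2, 2) are equidistant for both users, so four links are guesses and the attacker cannot tell which chain went to the hospital and which to the airport after the intersection.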

Hiding Until Mixed. Partially hide locations until users have mixed [Gruteser07]; expose after a delay. But delays are unacceptable to real-time apps. (Figure: Hospital and Airport.)

Existing solutions seem to suggest that privacy and Quality of Localization (QoL) form a zero-sum game: one must be sacrificed to gain the other.

Hiding Stars with Fireworks: Location Privacy through Camouflage (Joseph Meyerowitz and Romit Roy Choudhury, Duke University)

Goal. New proposal: CacheCloak, which breaks away from this tradeoff. Targets: spatial accuracy, real-time updates, and privacy guarantees, even in sparse populations.

The Intuition (figure: Hospital and Airport with two paths). Predict until the paths intersect. Expose the predicted intersection to the application, and cache the information returned for each predicted location.

CacheCloak: System Design and Evaluation

Architecture. Assume a trusted privacy provider: the user reveals its location to CacheCloak, and CacheCloak exposes only anonymized locations to the location apps (Loc. App1 … Loc. App4).

Walkthrough (figure sequence, with the Location Based Application on one side and CacheCloak on the other). In steady state, the user's true location goes only to CacheCloak. Prediction: CacheCloak extends the user's current position with forward and backward prediction. Predicted intersection: prediction continues until the predicted path meets a path that has already been exposed. Query: CacheCloak queries the Location Based Application for every location on the predicted path, not for the user's actual position. LBA responds: the application returns an array of responses, one per predicted location. Cached: CacheCloak stores these cached responses. As the user actually reaches each predicted location, the cached response is handed over as the location-based information, with no new query to the application.
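The predict, query, cache and serve loop from the walkthrough, as an added example in Python; it is not the authors' CacheCloak implementation. Mobility prediction is reduced to a straight ray along the reported heading, the location-based application is a stub that answers per pixel, and the grid, users and movements are constructed. The count of LBA queries per report shows where the wired-side cost lands and why arriving at an already-predicted pixel costs nothing.

```python
# Added example (not the authors' CacheCloak code): a toy predict/query/cache/serve loop
# on a pixel grid. Assumptions: straight-line prediction along the reported heading,
# a stub LBA that answers per pixel, no real road map.
from typing import Callable, Dict, List, Tuple

Pixel = Tuple[int, int]
Heading = Tuple[int, int]


class CacheCloak:
    def __init__(self, lba: Callable[[Pixel], str], width: int, height: int):
        self.lba = lba                        # location-based application: pixel -> response
        self.w, self.h = width, height
        self.cache: Dict[Pixel, str] = {}     # pixels already exposed to the LBA, with responses
        self.lba_queries = 0

    def _ray(self, pos: Pixel, step: Heading) -> List[Pixel]:
        """Predicted pixels in one direction, until the ray leaves the map or reaches a
        pixel that is already cached (a predicted intersection with an exposed path)."""
        path, (x, y) = [], pos
        while True:
            x, y = x + step[0], y + step[1]
            if not (0 <= x < self.w and 0 <= y < self.h):
                return path
            path.append((x, y))
            if (x, y) in self.cache:
                return path

    def update(self, pos: Pixel, heading: Heading) -> str:
        """The user reports its true position; CacheCloak returns the location-based response.

        A cached position costs nothing. Otherwise the position plus a forward and a backward
        prediction are exposed in one batch, so the LBA sees a path rather than a point, and
        the answers are cached for the user to pick up on arrival."""
        if pos not in self.cache:
            back = self._ray(pos, (-heading[0], -heading[1]))
            for p in [pos] + self._ray(pos, heading) + back:
                if p not in self.cache:
                    self.cache[p] = self.lba(p)
                    self.lba_queries += 1
        return self.cache[pos]


def run_demo():
    """Constructed scenario on a 10x10 grid: alice drives east along row 5, bob north along
    column 5; their paths cross at (5, 5). Returns total LBA queries, a per-report log of
    (user, position, response, queries caused) and the pixels the LBA saw, in order."""
    seen: List[Pixel] = []

    def lba(p: Pixel) -> str:
        seen.append(p)                        # the LBA sees pixels only, never a user identity
        return f"info@{p[0]},{p[1]}"

    cc = CacheCloak(lba, 10, 10)
    moves = [("alice", (0, 5), (1, 0)), ("alice", (1, 5), (1, 0)), ("bob", (5, 0), (0, 1)),
             ("alice", (2, 5), (1, 0)), ("bob", (5, 1), (0, 1)), ("bob", (5, 5), (0, 1)),
             ("bob", (5, 6), (0, 1))]
    log = []
    for user, pos, heading in moves:
        before = cc.lba_queries
        resp = cc.update(pos, heading)
        log.append((user, pos, resp, cc.lba_queries - before))
    return cc.lba_queries, log, seen


if __name__ == "__main__":
    total, log, seen = run_demo()
    for entry in log:
        print(entry)
    print("total LBA queries:", total)
```

Alice's first report exposes her whole row in one burst of ten queries and every later report on that row is served from the cache. Bob's first report stops predicting at (5, 5), the pixel alice's path already covers, so the LBA only sees a new spur joining an existing path; when he continues past the intersection a fresh prediction starts from there, and from the LBA's side either of the two users could be the one who left it.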

Benefits. Real-time: the response is ready when the user arrives at the predicted location. High QoL: responses can be specific to the exact location; the overhead falls on the wired backbone, and caching helps. Entropy guarantees: entropy increases at traffic intersections. Sparse population: can be handled with dummy users and false branching. (Figure: predicted path.)

Quantifying Privacy. The city is converted into a grid of small squares (pixels); a user is located at one pixel at a given time. Each pixel is associated with an 8x8 matrix whose element (x, y) is the probability that a user entering the pixel from neighbour x exits towards neighbour y. The probabilities diffuse at intersections and over time. Privacy = entropy of the resulting location distribution. (Figure: pixel with entry x and exit y.)

Diffusion. The probability of the user's presence diffuses; the diffusion gradient is computed from history, i.e., what fraction of users take a right turn at this intersection. (Figure: road intersection at times t1, t2, t3.)

Evaluation. Trace-based simulation: VanetMobiSim + US Census Bureau trace data; Durham map with traffic lights, speed limits, etc.; vehicles follow Google Maps paths and perform collision avoidance; 6 km x 6 km area, 10 m x 10 m pixels, 1000 cars.

Results. High average entropy; quite insensitive to user density (good for sparse regions); minimum entropy reasonably high. (Plots: max., mean and min. entropy in bits vs. time in minutes and vs. number of users N.)

Results: Peak Counting. Number of places where the attacker's confidence is above a threshold. (Plots: mean number of peaks vs. time in seconds, and vs. number of users N.)
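The Quantifying Privacy, Diffusion and Peak Counting slides, as one added example in Python (not the paper's simulator): an 8x8 turn matrix per intersection, diffusion of the attacker's probability mass over a pixel grid, the entropy of the resulting pixel distribution, and a peak count above a confidence threshold. The road layout and the turn fractions (half straight, a quarter each way, standing in for the historical fractions the slides mention) are constructed; real values would come from traffic history.

```python
# Added example (not the paper's code): per-pixel 8x8 turn matrices, probability diffusion,
# entropy and peak counting on a constructed road grid. Turn fractions are assumed.
import math
from typing import Dict, List, Set, Tuple

Pixel = Tuple[int, int]
# The 8 neighbours of a pixel, indexed counter-clockwise from east; a heading is an index.
DIRS = [(1, 0), (1, 1), (0, 1), (-1, 1), (-1, 0), (-1, -1), (0, -1), (1, -1)]


def turn_matrix(straight: float, left: float, right: float) -> List[List[float]]:
    """8x8 matrix M[i][j] = P(exit towards neighbour j | entered with heading i)."""
    m = [[0.0] * 8 for _ in range(8)]
    for i in range(8):
        m[i][i] += straight
        m[i][(i + 2) % 8] += left        # left turn: 90 degrees counter-clockwise
        m[i][(i - 2) % 8] += right
    return m


class Diffuser:
    """Attacker's belief over (pixel, heading), advanced one pixel per time step."""

    def __init__(self, road: Set[Pixel], intersections: Dict[Pixel, List[List[float]]]):
        self.road = road
        self.matrices = intersections                 # per-intersection matrices (from history)
        self.straight = turn_matrix(1.0, 0.0, 0.0)    # plain road pixel: keep going
        self.state: Dict[Tuple[Pixel, int], float] = {}

    def start(self, pixel: Pixel, heading: int) -> None:
        self.state = {(pixel, heading): 1.0}          # last exact observation

    def step(self) -> None:
        nxt: Dict[Tuple[Pixel, int], float] = {}
        for (p, h), mass in self.state.items():
            for j, prob in enumerate(self.matrices.get(p, self.straight)[h]):
                if prob == 0.0:
                    continue
                q = (p[0] + DIRS[j][0], p[1] + DIRS[j][1])
                key = (q, j) if q in self.road else (p, h)   # no road that way: mass stays put
                nxt[key] = nxt.get(key, 0.0) + mass * prob
        self.state = nxt

    def pixel_distribution(self) -> Dict[Pixel, float]:
        dist: Dict[Pixel, float] = {}
        for (p, _), mass in self.state.items():
            dist[p] = dist.get(p, 0.0) + mass
        return dist

    def entropy_bits(self) -> float:
        return -sum(m * math.log2(m) for m in self.pixel_distribution().values() if m > 0)

    def peaks(self, threshold: float) -> int:
        """Pixels where the attacker's confidence exceeds the threshold."""
        return sum(1 for m in self.pixel_distribution().values() if m > threshold)


def demo_city() -> Diffuser:
    """Constructed map: an east-west road (y = 5) crossed by north-south roads at x = 3 and x = 7."""
    road = {(x, 5) for x in range(11)} | {(3, y) for y in range(11)} | {(7, y) for y in range(11)}
    history = turn_matrix(0.5, 0.25, 0.25)   # assumed: half go straight, a quarter turn each way
    return Diffuser(road, {(3, 5): history, (7, 5): history})


def trace(steps: int, threshold: float = 0.2) -> List[Tuple[float, int]]:
    """(entropy in bits, peak count) after each step for a user last seen at (0, 5) heading east."""
    d = demo_city()
    d.start((0, 5), 0)
    out = []
    for _ in range(steps):
        d.step()
        out.append((round(d.entropy_bits(), 3), d.peaks(threshold)))
    return out


if __name__ == "__main__":
    for t, (h, peaks) in enumerate(trace(8), start=1):
        print(f"t={t}: entropy={h} bits, peaks={peaks}")
```

Between intersections the belief stays a single point and the entropy is zero; the first intersection splits it three ways (1.5 bits), the second splits the straight-on share again (2.25 bits). The peak count depends on the threshold the attacker is willing to act on, which is why the slides report it separately from entropy.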

Limitations, Discussions … CacheCloak overhead: the application replies to a lot of queries; however, the overhead is on the wired infrastructure, and caching reduces it significantly. CacheCloak assumes the same, indistinguishable query from every user; different queries can deanonymize, possibly through query combination … future work. A per-user privacy guarantee is not yet supported (adaptive branching and dummy users). CacheCloak is a central trusted entity; a distributed version is proposed in the paper.

Closing Thoughts. Two nodes may intersect in space but not in time, so mixing is not possible without sacrificing timeliness. Mobility prediction creates space-time intersections, enabling virtual mixing in the future.

Closing Thoughts. CacheCloak implements the prediction and caching function; high entropy is possible even under sparse population; spatio-temporal accuracy remains uncompromised.

Thank You. For more related work, visit: http://synrg.ee.duke.edu