C LOAKING AND M ODELING T ECHNIQUES FOR LOCATION P RIVACY PROTECTION Ying Cai Department of Computer Science Iowa State University Ames, IA 50011

L OCATION - BASED S ERVICES

R ISKS A SSOCIATED WITH LBS Exposure of service uses Location privacy HospitalPolitical Party Nightclub Stalking….

C HALLENGE Restricted space identification Simply using a pseudonym is not sufficient because anonymous location data may be correlated with restricted spaces such as home and office for subject re-identification …… … identified

L OCATION D EPERSONALIZATION Basic idea: reducing location resolution Report a cloaking region, instead of actual location

L OCATION D EPERSONALIZATION Basic idea: reducing location resolution Report a cloaking region, instead of actual location Key Issue Each cloaking area must provide a desired level of depersonalization, and be as small as possible

E XISTING S OLUTION Ensuring each cloaking area contains a certain number of users [MobiSys’03, ICDCS’05, VLDB’07]

P ROBLEMS (1) The anonymity server needs frequent location update from all users Practicality Scalability Difficult to support continuous LBS Simply ensuring each cloaking region contains K users does not support K-anonymity protection

P ROBLEMS (2) Guarantee only anonymous uses of services, but not location privacy An adversary may not know who requests the service, but knows that the K users are all there at the time when the service is requested Where you are and whom you are with are closely related with what you are doing …

T HE ROOT OF THE PROBLEMS These techniques cloak a user’s position based on his current neighbors

O BSERVATION Public areas are naturally depersonalized A large number of visits by different people More footprints, more popular Park Highway

P ROPOSED SOLUTION [I NFOCOM ’08] Using footprints for location cloaking A footprint is a historical location sample Each cloaking region contains at least K different footprints Location privacy protection An adversary may be able to identify all these users, but will not know who was there at what time

F OOTPRINT DATABASE Source of footprints From wireless service carriers, which provide the communication infrastructure From the users of LBSs, who need to report location for cloaking

F OOTPRINT DATABASE Source of footprints From wireless service carriers, which provide the communication infrastructure From the users of LBSs, who need to report location for cloaking Trajectory indexing for efficient retrieval Partition network domain into cells Maintain a cell table for each cell

C LOAKING T ECHNIQUES Sporadic LBS Each a cloaking region needs to 1) be as small as possible, 2) contain footprints from at least K different users Continuous LBS Each trajectory disclosed must be a K- anonymity trajectory (KAT)

P RIVACY R EQUIREMENT M ODELING K -anonymity model To request a desired level of protection, a user needs to specify a value of K Problem: choosing an appropriate K is difficult Privacy is about feeling, and it is difficult to scale one’s feeling using a number A user can always choose a large K, but this will reduce location resolution unnecessarily

A feeling -based approach A user specifies a public region A spatial region which she feels comfortable that it is reported as her location should she request a service inside it The public region becomes her privacy requirement All location reported on her behalf will be at least as popular as the public region she identifies P ROPOSED S OLUTION [CCS09]

C HALLENGE How to measure the popularity of a spatial region? More visitors  higher popularity More even distribution  higher popularity Given a spatial region R, we define Entropy E(R) = Popularity P(R) = 2 E(R)

C LOAKING T ECHNIQUES Sporadic LBS Each cloaking region needs to 1) be as small as possible, 2) have a popularity no less than P(R) Continuous LBS A sequence of location updates which form a trajectory The strategy for sporadic LBSs may not work Adversary may identify the common set of visitors

C LOAKING T ECHNIQUES Sporadic LBS Each disclosed cloaking region must be as small as possible and have a popularity no less than P(R) Continuous LBS The time-series sequence of location samples must form a P-Populous Trajectory (PPT) A trajectory is a PPT if its popularity is no less than P The popularity of each cloaking region in the trajectory must be computed w.r.t. a common set of users

F INDING A CLOAKING SET A simple solution is to find the set of users who have footprints closest to the service-user Resolution becomes worse There may exist another cloaking set which leads to a finer average resolution

P ROPOSED SOLUTION Using populous users for cloaking Popular users have more footprints spanning in a larger regions Pyramid footprint indexing A user is l -popular if she has footprints in all cells at level l Sort users by the level l, and choose the most popular ones as the cloaking set

S IMULATION We implement two other strategies for comparison Naive cloaks each location independently Plain selects cloaking set by finding footprints closest to service user’s start position Performance metrics Cloaking area Protection level

E XPERIMENT A Location Privacy Aware Gateway (LPAG) ePost-It: a spatial messaging system [MobiSys’08]

C ONCLUDING R EMARKS Exploring historical location samples for location cloaking Up to date, this is the only solution that can prevent anonymous location data from being correlated with restricted spaces to derive who’s where at what time A feeling-based approach for users to express their location privacy requirement K-anonymity model was the only choice A suite of location cloaking algorithms Satisfy a required level of protection while resulting in good location resolution A location privacy-aware gateway prototype has been implemented