F EELING - BASED L OCATION P RIVACY P ROTECTION FOR L OCATION - BASED S ERVICES CS587x Lecture Department of Computer Science Iowa State University Ames, IA 50011

L OCATION - BASED S ERVICES

D ILEMMA Users have to report their locations to LBS providers LBS providers may abuse the collected location data

L OCATION E XPOSURE P RESENTS S IGNIFICANT T HREATS Threat1: Anonymity of service use A user may not want to be identified as the subscriber E.g., where is the nearest Threat2: Location privacy A user may not want to reveal where she is E.g., a query is sent from

RESTRICTED SPACE IDENTIFICATION A user’s location can be correlated to her identity ……… E.g., a location belonging to a private property indicates the user is most likely the property owner A single location sample may not be linked to an individual, but a time-series sequence will do identified Once the user is identified All her visits may be disclosed

L OCATION D EPERSONALIZATION Protect anonymous use of service Cloak the service user with her neighbors Location privacy leak Protect location privacy Cloak the service user with nearby footprints Adversary cannot know who’s there when the service is requested

M OTIVATION Privacy modeling Users specify their desired privacy with a number K Privacy is about personal feeling, and it is difficult for users to choose a K value Robustness Just ensuring each cloaking region has been visited by K people may NOT provide protection at level K It has to do with footprints distribution

OUR SOLUTION Feeling-based modeling A user specifies a public region A spatial region which a user feels comfortable that it is reported as her location should she request a service inside it The public region becomes her privacy requirement All location reported on her behalf will be at least as popular as the public region she identifies

C HALLENGE How to measure the privacy level of a region? The privacy level is determined by Number of visitors Footprints distribution A good measure should involve both factors

E NTROPY We borrow the concept of entropy Entropy of R is computed using the number of footprints in R belonging to different users Entropy of R is E(R) = Its value denotes the amount of information needed for the adversary to identify the client

P OPULARITY Popularity of R is P(R) = 2 E(R) Its value denotes the actual number of users among which the client is indistinguishable Popularity is a good measure of privacy More visitors – higher popularity More evener distribution – higher popularity

L OCATION C LOAKING WITH O UR P RIVACY M ODEL Sporadic LBSs Each location update is independent Cloaking strategy: Ensuring each reported location is a region which has a popularity no less than P(R) Continuous LBSs A sequence of location updates which form a trajectory The strategy for sporadic LBSs may not work Adversary may identify the common set of visitors

P-P OPULOUS T RAJECTORY We should compute the popularity of cloaking boxes with respect to a common user set, called cloaking set Only the footprints of users in the cloaking set are considered in entropy computation Entropy w.r.t. cloaking set U is Popularity w.r.t. U is P U (R) = 2 Eu(R) P-Populous Trajectory (PPT) The popularity of each cloaking box in the trajectory w.r.t. a cloaking set is no less than P(R)

S YSTEM S TRUCTURE

F OOTPRINT I NDEXING Grid-based pyramid structure 4 i-1 cells at level i Cells at the bottom level keep the footprint index

T RAJECTORY C LOAKING To receive an LBS, a client needs to submit Public region R Travel bound B Location updates repeatedly during her travel In response, the server will Generate a cloaking box for each location update Ensure the sequence of cloaking boxes form a PPT

C HALLENGE How to find the cloaking set? Basic solution: Finding the users who have footprints closest to the service-user o Resolution becomes worse o There may exist another cloaking set which leads to a finer average resolution

SELECTING CLOAKING SET Observation Popular user: Who have footprints spanning the entire travel bound B Cloaking with popular users tends to have a fine cloaking resolution Easy to find their footprints close to the service user no matter where she moves Idea Use the most popular users as the cloaking set

FINDING MOST POPULAR USERS l -popular : the user has visited all cells at level l overlapping with B Larger l : more popular user u 1, u 2, u 3 : 2-popular u 2, u 3 : 3-popular u 3 : 4-popular E.g. Strategy: Sort users by the level l, and choose the most popular ones as the cloaking set

C LOAKING C LIENT ’ S L OCATION Let S be the cloaking set, p be the client’s location, we cloak p in three steps 1.Find closest footprints to p for each user in S 2.Compute the minimal bounding box of these footprints, say b 3.Calculate P S (b) If P S (b) < P(R), for each user find her closest footprint to p among her footprints outside b, and goto 2. If P S (b) ≥ P(R), b is reported as the client’s location

S IMULATION We implement two other strategies for comparison Naive cloaks each location independently Plain selects cloaking set by finding footprints closest to service user’s start position Performance metrics Cloaking area Protection level

E XPERIMENT Location privacy aware gateway (LPAG) A prototype which involves location privacy protection into a real LBS system Two software components LBS system: Spatial messaging

C ONCLUSION Feeling-based privacy modeling for location privacy protection in LBSs Public region instead of K value Trajectory cloaking Algorithm, simulation, experiment Future work Investigate attacks other than restricted space identification Observation implication attack