Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks Slides.

Presentation transcript:

Slide 1/37: Mobile Networks - Module H2: Privacy in Mobile Networks
Privacy notions and metrics; location privacy; privacy preserving routing in ad hoc networks.
Slides adapted from "Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection". (Illustration: The Lives of Others, 2006)

Security and Cooperation in Wireless Networks, Chapter 8: Privacy protection
Slide 2/37: Chapter outline
8.1 Important privacy related notions and metrics
8.2 Location privacy
8.3 Privacy preserving routing in ad-hoc networks

Slide 3/37: Privacy related notions (8.1 Important privacy related notions)
- Anonymity: hiding who performed a given action
- Untraceability: making it difficult for an adversary to identify that a given set of actions were performed by the same subject
- Unlinkability: a generalization of the two former notions: hiding information about the relationships between any items
- Unobservability: hiding the items themselves (e.g., hiding the fact that a message was sent)
- Pseudonymity: using a pseudonym instead of the real identity

Slide 4/37: Privacy metrics (1/3) (8.1 Important privacy related notions)
The adversary tries to de-anonymize an observed action.
- Anonymity set: the set of subjects that might have performed the action
  - a good measure only if all the members of the set are equally likely to have performed the observed action
- Entropy-based measure of anonymity: (formula shown on the slide, not reproduced in the transcript)

Slide 5/37: Privacy metrics (2/3) (8.1 Important privacy related notions)
The adversary tries to link elements.
- Entropy-based measure for unlinkability: (formula shown on the slide, not reproduced in the transcript)

Slide 6/37: Privacy metrics (3/3) (8.1 Important privacy related notions)
- How focused is the estimate on a value? Entropy
- How accurate is the estimate? Confidence intervals
- How close is the estimate to the true value? Expected error

Slide 7/37: Chapter outline
8.1 Important privacy related notions and metrics
8.2 Location privacy
8.3 Privacy preserving routing in ad hoc networks

Slide 8/37: Location privacy (8.2 Location privacy in vehicular networks)
A location trace is not only a set of positions on a map: the contextual information attached to a trace tells much about our habits, interests, activities, and relationships.

Slide 9/37: A first example: vehicular networks (8.2 Location privacy in vehicular networks)

Slide 10/37: Vehicle Communication (VC) (8.2 Location privacy in vehicular networks)
- VC promises safer roads,
- ... more efficient driving,
(Figure: vehicles, a roadside unit (RSU) and a TOC exchange messages such as "Warning: Accident at (x,y)!", "Traffic Update: Congestion at (x,y)!" and "Congestion Warning: At (x,y), use alt. route".)

Slide 11/37: Vehicle Communication (VC) (8.2 Location privacy in vehicular networks)
- ... more fun,
- ... and easier maintenance.
(Figure: an MP3 download and the text message "We'll stop at next roadhouse" delivered via the RSU; a software update and the message "Malfunction Notification: Arriving in 10 minutes, need ignition plug" exchanged with the car manufacturer.)

Slide 12/37: Security and Privacy (8.2 Location privacy in vehicular networks)
- More fun, but for whom?
- ... and a lot more ...
(Figure: position beacons sent by vehicles reach an RSU, which performs location tracking; an RSU pushes "Your new ignition-control-software" to a vehicle.)

Slide 13/37: The location privacy problem and a solution (8.2 Location privacy in vehicular networks)
- vehicles continuously broadcast heart beat messages containing their ID, position, speed, etc.
- tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel
- one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms

Slide 14/37: Adversary model (8.2 Location privacy in vehicular networks)
- changing pseudonyms is ineffective against a global eavesdropper
- hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range
(Figure: vehicles A and B each broadcast their GPS position, speed and direction; from these the adversary predicts each vehicle's position at the time of its next heart beat.)

Slide 15/37: The mix zone concept (8.2 Location privacy in vehicular networks)
- the unobserved zone functions as a mix zone where the vehicles change pseudonym and mix with each other
- vehicles do not know where the mix zone is (this depends on where the adversary installs observation spots)
- vehicles change pseudonyms frequently s.t. each vehicle changes pseudonym while in the mix zone

Slide 16/37: Example of mix zone (8.2 Location privacy in vehicular networks)
(Figure: four vehicles with pseudonyms X12, Y23, Z34 and W45 entering an unobserved mix zone.)

Slide 17/37: Model of the mix zone (8.2 Location privacy in vehicular networks)
- time is divided into discrete steps
- p_ij = Pr{ exiting at j | entering at i }
- D_ij is a random variable (delay) that represents the time that elapses between entering at i and exiting at j
- d_ij(t) = Pr{ D_ij = t }
- Pr{ exiting at j at time t | entering at i at time τ } = p_ij · d_ij(t - τ)
(Figure: plot of the delay distribution d_ij(t) against t.)

Slide 18/37: Observations (8.2 Location privacy in vehicular networks)
(Figure: enter events N_1, ..., N_k at gates n_1, ..., n_k and times τ_1, ..., τ_k, with τ_1 = 0; exit events X_1, ..., X_k at gates x_1, ..., x_k and times t_1, ..., t_k.)
- the adversary can observe the points (n_i, x_i) and the times (τ_i, t_i) of the enter and exit events (N_i, X_i)
- nodes change pseudonyms inside the mix zone
- there is no easy way to determine which exit event corresponds to which enter event
- each possible mapping between exit and enter events is represented by a permutation π of {1, 2, ..., k}: m_π = (N_1 ~ X_π[1], N_2 ~ X_π[2], ..., N_k ~ X_π[k]), where π[i] is the i-th element of the permutation
- we want to determine Pr{ m_π | N, X }

Slide 19/37: Computing the level of privacy (8.2 Location privacy in vehicular networks)
(Formula shown on the slide, not reproduced in the transcript.) Here m_π is the mapping described by the permutation π; p_ij is a cell of the matrix P of size n×n, where n is the number of gates of the mix zone; and d_ij(t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j.

Slide 20/37: Another privacy metric (8.2 Location privacy in vehicular networks)
- tracking game:
  - the adversary picks a vehicle v in the observed zone
  - she tracks v until it enters the mix zone at port s
  - then, she observes the exiting events until time T (where the probability that v leaves the mix zone by T is close to one)
  - for each exiting vehicle at port j and time t, the adversary computes q_jt = p_sj · d_sj(t)
  - the adversary decides for the exiting vehicle v' for which q_jt is maximal; this realizes a Bayesian decision (it minimizes the error probability of the decision)
  - the adversary wins if v' = v
- the level of privacy achieved is characterized by the success probability of the adversary
  - if the success probability is high, then the level of privacy is low
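The mix-zone model of slides 17 to 20, together with the entropy-based anonymity measure of slide 4, worked through as an added Python example (not code from the slides or the book): it enumerates the permutations π, weights each mapping m_π by the product of p_{n_i x_j} · d_{n_i x_j}(t_j - τ_i) over i with j = π[i], normalises to obtain Pr{ m_π | N, X }, takes the entropy of that distribution, and plays the tracking game with the q_jt decision rule. The gate matrix P and the delay distribution are constructed values, and the product form of the likelihood is this example's reading of slides 17 and 18.

```python
from itertools import permutations
from math import log2

# Constructed mix zone with 3 gates numbered 0..2 (values assumed, not from the slides).
# P[i][j] = p_ij = Pr{ exiting at j | entering at i }; a vehicle never leaves by its entry gate.
P = [[0.0, 0.4, 0.6],
     [0.3, 0.0, 0.7],
     [0.5, 0.5, 0.0]]
# d_ij(t) = Pr{ D_ij = t } in discrete time steps. For brevity every gate pair shares
# one crossing-delay distribution; a real model would hold one per (i, j).
DELAY = {2: 0.5, 3: 0.3, 4: 0.2}

def d(i, j, t):
    return DELAY.get(t, 0.0)

def mapping_weight(enters, exits, perm):
    """Likelihood of the observations under mapping m_pi (N_i ~ X_pi[i] for all i):
    the product over i of p_{n_i x_j} * d_{n_i x_j}(t_j - tau_i) with j = pi[i].
    enters[i] = (n_i, tau_i) and exits[j] = (x_j, t_j) are gate/time pairs."""
    w = 1.0
    for i, (n_i, tau_i) in enumerate(enters):
        x_j, t_j = exits[perm[i]]
        w *= P[n_i][x_j] * d(n_i, x_j, t_j - tau_i)
    return w

def mapping_posterior(enters, exits):
    """Pr{ m_pi | N, X } for every permutation pi: the weights normalised over all
    k! mappings (every mapping is equally likely a priori)."""
    perms = list(permutations(range(len(enters))))
    weights = {p: mapping_weight(enters, exits, p) for p in perms}
    total = sum(weights.values())
    return {p: w / total for p, w in weights.items()} if total > 0 else {}

def entropy_bits(post):
    """Entropy-based anonymity measure of the mapping distribution, in bits.
    log2(k!) bits means the adversary learnt nothing; 0 bits means a unique mapping."""
    return -sum(p * log2(p) for p in post.values() if p > 0)

def tracking_game(enters, exits, v):
    """The adversary tracked vehicle v (index of its enter event) to port s at time tau
    and picks the exit event maximising q_jt = p_sj * d_sj(t - tau).
    Returns (chosen exit index, probability that the choice is correct), the latter
    being the posterior mass of all mappings that send N_v to the chosen exit."""
    s, tau = enters[v]
    q = [P[s][x_j] * d(s, x_j, t_j - tau) for x_j, t_j in exits]
    choice = max(range(len(exits)), key=q.__getitem__)
    post = mapping_posterior(enters, exits)
    return choice, sum(p for perm, p in post.items() if perm[v] == choice)

if __name__ == "__main__":
    # Constructed observation: two vehicles enter at gates 0 and 1, both leave at gate 2.
    enters = [(0, 0), (1, 1)]
    exits = [(2, 3), (2, 4)]
    post = mapping_posterior(enters, exits)
    for perm, p in post.items():
        print(f"m_pi={perm}: Pr = {p:.3f}")
    print(f"entropy = {entropy_bits(post):.3f} bits (max {log2(len(post)):.3f})")
    print("tracking game, v=0: exit %d, success probability %.3f" % tracking_game(enters, exits, 0))
```

Because q_jt looks only at the tracked vehicle, the adversary's pick can contradict the joint posterior when the other vehicles' observations rule it out; comparing the two numbers on such an instance shows why slide 19 works with the full mapping distribution.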

Slide 21/37: Location-Based Services (8.2 Location privacy in location-based services)
- People share their location on-line
  - Social purposes
  - Contextual services

Slide 22/37: Quantifying location privacy (8.2 Location privacy in location-based services)
- The Framework (figure on the slide)

Slide 23/37: Protecting location privacy (8.2 Location privacy in location-based services)
- Anonymization
  - Pseudonyms
- Obfuscation
  - Deleting
  - Randomizing
  - Discretizing
  - Sub-sampling

Slide 24/37: Adversary Model (8.2 Location privacy in location-based services)
(Figure: the adversary's observation is the anonymized and obfuscated traces produced by the LPPM; her knowledge is the users' mobility profiles and the PDFs of the anonymization and obfuscation functions.)
Inference attack examples:
- Localization attack: "Where was Alice at 8pm?" What is the probability distribution over the locations for user 'Alice' at time '8pm'?
- Tracking attack: "Where did Alice go yesterday?" What is the most probable trace (trajectory) for user 'Alice' for the time period 'yesterday'?

Slide 25/37: Inference Attacks (8.2 Location privacy in location-based services)
Computationally infeasible: σ (the anonymization, a permutation) can take N! values (A_u is the actual trace of user u).
A practical solution: decoupling de-anonymization from de-obfuscation.

Slide 26/37: De-anonymization (8.2 Location privacy in location-based services)
1. Compute the likelihood of observing trace 'i' from user 'u', for all 'i' and 'u', using an HMP (Hidden Markov Process): Forward-Backward algorithm.
2. Compute the most likely assignment using a Maximum Weight Assignment algorithm (e.g., the Hungarian algorithm). O(N^4)
(Figure: bipartite assignment between users u_1, u_2, ..., u_N and pseudonyms 1, 2, ..., N.)

Slide 27/37: De-obfuscation (8.2 Location privacy in location-based services)
- Localization attack: given the most likely assignment σ*, the localization probability can be computed using a Hidden Markov Model: the Forward-Backward algorithm
- Tracking attack: given the most likely assignment σ*, the most likely trace for each user can be computed using the Viterbi algorithm

Slide 28/37: The game (8.2 Location privacy in location-based services)
(Figure: the user (leader) sends an LBS message; the adversary (follower) observes it; the outcome is the user's gain / the adversary's loss.)

Slide 29/37: Hands-on Exercises: Location privacy in location-based services
- Part A
  - Wireless traces
  - Analysis
  - De-anonymization
  - Countermeasures
  - Bonus: Track (multiple) users
- Part B
  - LPPM evaluation using LPM
  - E.g., sub-sampling: hoe3_lpm configFile s subsamplingProb
  - Bonus: Analyze and understand the privacy levels obtained

Slide 30/37: Chapter outline
8.1 Important privacy related notions and metrics
8.2 Location privacy in vehicular networks
8.3 Privacy preserving routing in ad hoc networks

Slide 31/37: Privacy preserving routing in ad hoc networks (8.3 Privacy preserving routing in ad hoc networks)
- Goal: unlinkability (make it very hard for a global observer to know who communicates with whom)
- Some nodes may be compromised ⇒ even the forwarding nodes should not know who the source and the destination are
- We also want to hide the identity of the forwarding nodes from each other (because this information would be useful for the attacker)

Slide 32/37: Effective but inefficient solution (8.3 Privacy preserving routing in ad hoc networks)
- Route establishment: flooding the network with a route request
- Source:
  - generates an asymmetric key pair (K, K^-1), a secret key k_0, and a nonce n_0
  - encrypts D, S, and K^-1 with the public key K_D of the destination
  - encrypts k_0 and n_0 with K
  - broadcasts the route request:

Slide 33/37: Effective but inefficient solution (8.3 Privacy preserving routing in ad hoc networks)
- F1 receives this route request
- It verifies whether it is the target of the request:
  - decrypts with its private key
- If F1 is not the target:
  - generates a secret key k_1 and a nonce n_1
  - concatenates them to the received request
  - encrypts the result with K
  - broadcasts
- General format of the route request message:

Slide 34/37: Effective but inefficient solution (8.3 Privacy preserving routing in ad hoc networks)
- D attempts to decrypt and it succeeds
- D broadcasts a dummy request:
- It decrypts and obtains the secret keys and the nonces of the forwarding nodes
- It generates a link key for each link and sends a route reply:

Slide 35/37: Effective but inefficient solution (8.3 Privacy preserving routing in ad hoc networks)
- F_i receives the route reply: decrypts it with k_i
- If k_i works: checks whether it received back its n_i
- If this is the case:
  - F_i peels the outer layer off the route reply
  - applies some padding to retain its original length
  - re-broadcasts
- Sending data:
  - the source encrypts the packet with k_0^out and broadcasts it
  - each node tries to decrypt it with its incoming link keys
  - if F_i succeeds in decrypting the packet with k_i^in, it re-encrypts it with k_i^out and re-broadcasts it
  - until the packet arrives at the destination

Slide 36/37: Improving efficiency (8.3 Privacy preserving routing in ad hoc networks)
- Much computation for the nodes:
  - Solution: replace the public key encryption with symmetric key encryption
- Source and destination share a secret key k_SD and a counter c_SD
- Source computes a one-time hint for the destination: h(k_SD, c_SD)
- Each node can pre-compute the hint of each possible source:
  - only a table lookup when processing route request messages

Slide 37/37: Improving efficiency (8.3 Privacy preserving routing in ad hoc networks)
- Modified route request:
- Modified route reply:
- Hint for F_i: hashing n_i with g
- When processing the route reply:
  - only a table lookup to determine which key should be used to decrypt the route reply
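The route-reply handling of slides 34, 35 and 37, as an added Python simulation (not code from the book or the slides): the destination D wraps one layer per node carrying that node's nonce and its two link keys, each node finds its key by a table lookup on the hint g(n_i), checks that its own n_i came back, peels the outer layer, pads the reply back to its original length and re-broadcasts it. The layer layout (nonce, incoming link key, outgoing link key, inner length, inner layer), the SHA-256 counter-mode stream cipher standing in for the symmetric encryption, and the truncated-hash hint g are assumptions of this example.

```python
import hashlib
import os

NONCE_LEN, KEY_LEN = 8, 16

def g(nonce: bytes) -> bytes:
    """Hint for a forwarder: a hash of its nonce n_i (truncated SHA-256, assumed)."""
    return hashlib.sha256(b"hint|" + nonce).digest()[:8]

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for the slides' symmetric
    encryption; decryption is the same operation. The slides detect a wrong key by the
    nonce check below; a deployment would use authenticated encryption instead."""
    stream = b"".join(hashlib.sha256(key + c.to_bytes(4, "big")).digest()
                      for c in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_route_reply(path):
    """D builds the layered route reply. path lists (k_i, n_i) for S (i = 0) and each
    forwarder F_1..F_m in route order; D learnt them from the route request.
    Layer for node i = g(n_i) || E_{k_i}(n_i || k_in || k_out || len(inner) || inner)."""
    link_keys = [os.urandom(KEY_LEN) for _ in path]          # links S-F1, F1-F2, ..., Fm-D
    inner = b""
    for i, (k_i, n_i) in enumerate(path):                    # innermost layer (for S) first
        k_in = link_keys[i - 1] if i > 0 else bytes(KEY_LEN)   # S has no incoming link
        body = n_i + k_in + link_keys[i] + len(inner).to_bytes(2, "big") + inner
        inner = g(n_i) + xor_stream(k_i, body)
    return inner, link_keys

def process_route_reply(hint_table, reply):
    """A node receiving a route reply: table lookup on the hint, decrypt with the matching
    k_i, verify its own n_i came back, peel the layer and pad to the original length.
    hint_table maps g(n_i) -> (k_i, n_i) for the nonces this node generated.
    Returns (k_in, k_out, padded reply to re-broadcast) or None if the reply is not for it."""
    entry = hint_table.get(reply[:8])
    if entry is None:
        return None
    k_i, n_i = entry
    plain = xor_stream(k_i, reply[8:])
    if plain[:NONCE_LEN] != n_i:                              # wrong key or damaged reply
        return None
    off = NONCE_LEN
    k_in, k_out = plain[off:off + KEY_LEN], plain[off + KEY_LEN:off + 2 * KEY_LEN]
    off += 2 * KEY_LEN
    inner_len = int.from_bytes(plain[off:off + 2], "big")
    inner = plain[off + 2:off + 2 + inner_len]
    return k_in, k_out, inner + os.urandom(len(reply) - len(inner))   # constant length

def simulate(num_forwarders=2):
    """Run S and F_1..F_m with random (k_i, n_i). Returns the link keys each node recovered,
    the keys D generated, and the reply length seen on the air at every hop."""
    path = [(os.urandom(KEY_LEN), os.urandom(NONCE_LEN)) for _ in range(num_forwarders + 1)]
    tables = [{g(n): (k, n)} for k, n in path]               # each node knows only its own hint
    reply, link_keys = build_route_reply(path)
    lengths, recovered = [len(reply)], {}
    for _ in range(num_forwarders + 1):                      # hops F_m -> ... -> F_1 -> S
        hits = [(j, process_route_reply(t, reply)) for j, t in enumerate(tables)]
        (j, out), = [(j, o) for j, o in hits if o is not None]   # exactly one node matches
        recovered[j] = (out[0], out[1])
        reply = out[2]
        lengths.append(len(reply))
    return recovered, link_keys, lengths

if __name__ == "__main__":
    rec, keys, lengths = simulate(3)
    print("link keys recovered correctly:", all(rec[j][1] == keys[j] for j in rec))
    print("reply length per hop:", lengths)
```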

Slide 38/37: Summary on Privacy Protection
- Location privacy in LBS services:
  - Adversary model: sporadic location exposure (with LPPM)
  - The level of location privacy can be quantified based on the result of the inference
  - Trade-off with utility
- Location privacy in vehicular networks:
  - Adversary model: monitored zones and unmonitored zones
  - The level of location privacy can be quantified using an entropy-based metric
- Privacy in ad hoc network routing protocols:
  - A routing protocol that makes it very hard for a global observer to know who communicates with whom

Our research projects on privacy protection:
- Privacy in mobile and pervasive networks
- Genome privacy
- Privacy and security mechanisms with selfish players
To probe further on some aspects presented in this lecture:
- R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying Location Privacy. In Proc. of the IEEE Symposium on Security and Privacy (S&P), Oakland, CA, USA, 2011.
- R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec. Protecting Location Privacy: Optimal Strategy against Localization Attacks. In Proc. of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA.