1 SpaceTwist: A Flexible Approach for Hiding Query User Location Speaker: Man Lung Yiu Aalborg University Joint work with Christian S. Jensen, Xuegang.

Presentation transcript:

1 SpaceTwist: A Flexible Approach for Hiding Query User Location Speaker: Man Lung Yiu Aalborg University Joint work with Christian S. Jensen, Xuegang Huang, Hua Lu

2 Outline: Motivation; Related work; Our solution and its privacy analysis; Experimental results; Conclusions

3 Why location privacy? Queries in location-based services (LBS). POI: points of interest (e.g., cinema locations). Nearest neighbor (NN) query: find the closest POI to user location q. Client-server architecture: the client (user) sends the point q to the server (LBS server); the server reports the result (i.e., p1) back to the client. The server may not be trusted. What should I do? Want to find my result; don’t want to leak my location.

4 Related work: spatial cloaking. Extend the point q into a cloaked region Q’: K-anonymous region, trusted anonymizer [Mokbel et al., 2006]. Other types: dummy, obfuscation. Other architectures: peer communication, client itself. The server receives Q’ (instead of q), computes a candidate result set that contains the result of any possible query location in Q’ (example candidate set: {p1, p2, p3, p4, p5, p6}), and returns the candidate result set. Disadvantages: the server incurs high processing and communication cost; requires specialized query processing algorithms, not readily implemented in existing LBS servers. [Figure labels: Anonymizer, LBS server]

5 Related work: transformation-based matching. Evaluates the query in a transformed space. No guarantee for the exact result. Theoretical study [Indyk et al., 2006]: a protocol with asymptotic communication cost  N. Hilbert transformation [Khoshgozaran et al., 2007]: a key (H) for specifying the Hilbert ordering, known by the client and a trusted entity but not the server. Preprocessing: a trusted entity converts each point p (e.g., restaurant) to the value H(p) and uploads it to the server. Query time: the client sends H(q) to the server, which reports the closest Hilbert value to H(q); the client decodes the reported value into the result location. Double Hilbert curve: improves result accuracy. [Slide callout: drawbacks]

6 Features of our solution. Our solution (SpaceTwist) retrieves POIs from the server incrementally until the client is guaranteed to have accurate results. Fundamental differences from previous approaches: no cloaked region (unlike spatial cloaking); query evaluated in the original space (unlike transformation-based matching). Readily applicable on existing systems: simple client-server architecture (i.e., no trusted components, peers); simple server-side query processing (incremental nearest neighbor search). Granular search (optional server-side functionality): reduces communication cost but guarantees an accuracy bound on results. Spatial cloaking incurs high cost at the server. Transformation-based matching does not offer result accuracy guarantees.

7 SpaceTwist: overview. Anchor location (fake client location): defines an ordering of points in the space; the client fetches points from the server incrementally. Supply space: the space of objects retrieved from the server; known by both server and client; grows as more objects are retrieved. Demand space: the target space guaranteed to cover the actual result; known only by the client; shrinks when a “better” result is found. Termination: the supply space contains the demand space. [Figure: the two spaces at the beginning and at the end]

8 Transmission of points. Communication cost: number of packets received by the client. Points are sent from server to client through (TCP/IP) packets. It is inefficient to use one packet for one point, so multiple points are packed into a packet before transmission. Packet capacity  : number of points in a packet. Actual value of  ? Depends on the Maximum Transmission Unit (MTU). Our experiments: MTU=576 bytes, and  =67

9 SpaceTwist: example. Input: user location q, anchor location q’. The client asks the server to report points in ascending distance from anchor q’ iteratively [Hjaltason et al. 1999]. Note: the server only knows q’ and the reported points. Supply space radius , initially 0: distance of the current reported point from anchor q’. Demand space radius , initially : nearest neighbor distance to the user (found so far); update  to dist(q,p) when a point p closer to q is found. Stop when dist(q,q’) +  ≤ : the supply space covers the demand space, which guarantees that the exact nearest neighbor of q has been found. [Figure labels: 1st point, 2nd point, 3rd point]

10 Privacy analysis. What does the server (malicious attacker) know? The anchor location q’; the reported points (in reported order): p 1, p 2, …, p m ; the termination condition: dist(q,q’) +  ≤ . Possible query location q c: the client did not stop at the point p (m-1) , so dist(q c, q’) + min{ dist(q c, p i ) : i  [1,(m-1)  ] } > dist(q’, p (m-1)  ); the client stops at the point p m , so dist(q c, q’) + min{ dist(q c, p i ) : i  [1,m  ] } ≤ dist(q’, p m  ). Inferred privacy region  : the set of all possible q c. Quantification of privacy: privacy value  (q,  ) = average distance of the locations in  from q.
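The server-side inference on this slide, as an added Python example that is not part of the original talk: `consistent` applies the two inequalities to a candidate location, and the region and the privacy value are estimated by grid sampling. The function names, the sampling step and the four-point transcript are constructed for illustration.

```python
import math

def consistent(qc, anchor, reported, capacity):
    """Server-side test: would a client at qc have stopped exactly after the
    last packet? Applies the two inequalities of the privacy analysis."""
    m = math.ceil(len(reported) / capacity)        # packets sent so far
    earlier = reported[:(m - 1) * capacity]        # all but the last packet
    offset = math.dist(qc, anchor)

    def nn(pts):
        return min((math.dist(qc, p) for p in pts), default=math.inf)

    # Client did not stop after packet m-1 (trivially true when m == 1).
    kept_going = (not earlier or
                  offset + nn(earlier) > math.dist(anchor, earlier[-1]))
    # Client did stop after packet m.
    stopped = offset + nn(reported) <= math.dist(anchor, reported[-1])
    return kept_going and stopped

def inferred_region(anchor, reported, capacity, step):
    """Grid-sample the inferred privacy region (every consistent location)."""
    r = math.dist(anchor, reported[-1])   # the region lies within this radius
    n = int(r / step)
    grid = [(anchor[0] + i * step, anchor[1] + j * step)
            for i in range(-n, n + 1) for j in range(-n, n + 1)]
    return [c for c in grid if consistent(c, anchor, reported, capacity)]

def privacy_value(q, region):
    """Average distance from the true location q to the region's samples."""
    return sum(math.dist(q, c) for c in region) / len(region)

# Constructed transcript: anchor at the origin, 2 points per packet, 2 packets.
ANCHOR = (0.0, 0.0)
REPORTED = [(1.0, 0.0), (0.0, 2.0), (3.0, 0.0), (0.0, 4.0)]
Q = (2.0, 0.5)   # the client's real location, never sent to the server

if __name__ == "__main__":
    region = inferred_region(ANCHOR, REPORTED, capacity=2, step=0.25)
    print(len(region), "candidate samples; privacy value",
          round(privacy_value(Q, region), 2))
```

The anchor itself is excluded from the region because a client located there would already have stopped after the first packet.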

11 Visualization of  . Visualization with different types of points. Characteristics of  (i.e., possible locations q c ): a ring with center at q’; radius approx. dist(q,q’). What if the server considers searching on a small sample instead of the whole dataset? Low communication cost;  becomes large at low data density; but less accurate result. How can this be done? [Figure labels:  =4, coarser granularity]

12 Granular search requirement. Granular search: search POIs at coarser granularity. Advantages: reduce communication cost; enhance location privacy protection. Accuracy requirement: the user specifies an error bound  ; a point p  P is a relaxed NN of q if dist(q, p)   + min { dist(q, p’) : p’  P }, where the min term is the actual NN distance.

13 Granular search. Given an error bound , impose a grid in the space with cell length =  /  2. As in incremental search, the server still reports points in ascending distance from anchor q’. The server discards a data point p if it falls in the same cell as any reported point. With granular searching (anchor q’): the server reports p1, and the client updates its NN to p1; the server discards p2, p3; the server reports p4, and the client updates its NN to p4. The client receives fewer points and has a larger inferred privacy region  . [Figure label: regular grid]

14 Granular search implementation. Materialization of results is not feasible: the error bound  is only known at query time, and different users specify different values of  . Data points are indexed by a (disk-based) R-tree on the server. We extend the incremental NN search [Hjaltason et al. 1999]: use a cell list V to keep track of the cells of reported points; discard entries or points that are fully covered by cells in V; remove cells from V when they are no longer useful.
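The client loop from slide 9 together with the granular server of slides 13 and 14, as an added Python example (not code from the talk or its authors). A sorted list stands in for the R-tree incremental NN search, the cell side eps / sqrt(2) is an assumption chosen so that two points in one cell are at most eps apart, and all function names and the uniform test data are constructed for illustration.

```python
import math
import random
from itertools import islice

def server_stream(pois, anchor, eps=0.0):
    """Server: yield POIs in ascending distance from the anchor it was given.
    With eps > 0 (granular search), skip a POI whose grid cell already
    produced a reported point. Assumed cell side: eps / sqrt(2)."""
    side = eps / math.sqrt(2)
    used_cells = set()                       # plays the role of cell list V
    for p in sorted(pois, key=lambda p: math.dist(p, anchor)):
        if eps > 0:
            cell = (math.floor(p[0] / side), math.floor(p[1] / side))
            if cell in used_cells:
                continue
            used_cells.add(cell)
        yield p

def spacetwist(pois, q, anchor, capacity=67, eps=0.0):
    """Client: pull packets until the supply space covers the demand space.
    Returns (best POI, packets received); q is never passed to the server."""
    stream = server_stream(pois, anchor, eps)
    offset = math.dist(q, anchor)
    best, demand, supply, packets = None, math.inf, 0.0, 0
    while offset + demand > supply:
        packet = list(islice(stream, capacity))
        if not packet:                       # server has nothing left
            break
        packets += 1
        for p in packet:
            d = math.dist(q, p)
            if d < demand:                   # better candidate: demand shrinks
                best, demand = p, d
        supply = math.dist(anchor, packet[-1])   # supply grows
    return best, packets

def demo(seed=7, n=100_000, anchor_dist=200.0, eps=200.0):
    """Constructed workload: uniform POIs in [0,10000]^2, one query point."""
    rng = random.Random(seed)
    pois = [(rng.uniform(0, 10000), rng.uniform(0, 10000)) for _ in range(n)]
    q = (5000.0, 5000.0)
    angle = rng.uniform(0, 2 * math.pi)      # random anchor at anchor_dist
    anchor = (q[0] + anchor_dist * math.cos(angle),
              q[1] + anchor_dist * math.sin(angle))
    true_nn = min(math.dist(q, p) for p in pois)
    exact, cost = spacetwist(pois, q, anchor)
    relaxed, g_cost = spacetwist(pois, q, anchor, eps=eps)
    return {"exact_error": math.dist(q, exact) - true_nn, "packets": cost,
            "granular_error": math.dist(q, relaxed) - true_nn,
            "granular_packets": g_cost}

if __name__ == "__main__":
    print(demo())
```

The termination test runs once per packet, which is why the privacy analysis reasons about packet boundaries rather than individual points.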

15 Parameter selection guide. Appropriate parameter values for the user (client)? Error bound  : set  = v_max  t_max, based on t_max (maximum time delay acceptable by the user) and v_max (maximum travel speed: walking, cycling, driving). Anchor point q’: decide the anchor distance dist(q, q’) based on the privacy value, i.e., privacy value at least dist(q, q’), or based on an acceptable value of m (communication cost); set the anchor q’ to a random location at distance dist(q, q’) from q.

16 Experimental study. Our solution: GST (Granular SpaceTwist); client-side: SpaceTwist; server-side: granular search. Spatial datasets (domain: [0,10000]^2): two real datasets, SC ( pts) and TG ( pts); synthetic uniform random UI datasets. Performance metrics (workload size=100): communication cost (in number of packets); result error (result NN distance – actual NN distance); privacy value of the inferred privacy region  . Default parameter values: anchor distance dist(q,q’): 200; error bound  : 200; data size N (million): 0.5; packet capacity=67, derived from MTU.

17 Transformation-based matching vs. GST. Hilbert transformation [Khoshgozaran et al., 2007]: SHB, single Hilbert curve; DHB, two orthogonal Hilbert curves. GST computes the result with low error: very low error on real (skewed) data distributions; stable error across different data distributions. [Figure: result error]

18 Spatial cloaking vs. GST. Our problem setting: no trusted middleware. Competitor: client-side spatial cloaking (CLK); trusted third-party cloaking is not applicable to our problem! CLK: enlarge q into a square with side length 2*dist(q,q’), an extent comparable to the inferred privacy region  of GST. GST produces the result at low communication cost: low cost even at high privacy; cost independent of N. [Figures: communication cost (# of packets), varying dist(q,q’) and varying data size N]

19 Effect of error bound. [Figures: communication cost, result error, privacy value]

20 Effect of anchor distance. [Figures: result error, privacy value, communication cost]

21 Effect of data size (UI data only). [Figures: result error, privacy value, communication cost]

22 Conclusion. We develop a novel solution for protecting the location privacy of query users: SpaceTwist at the client, granular search at the server. Advantages: low communication cost (due to granular searching); low result error; sufficient privacy protection. Future work: extension to other location-based queries; road network application.

23 References. M. F. Mokbel, C.-Y. Chow, and W. G. Aref. The New Casper: Query Processing for Location Services without Compromising Privacy. In VLDB, 2006. P. Indyk and D. Woodruff. Polylogarithmic Private Approximations and Efficient Matching. In Theory of Cryptography Conference, 2006. A. Khoshgozaran and C. Shahabi. Blind Evaluation of Nearest Neighbor Queries Using Space Transformation to Preserve Location Privacy. In SSTD, 2007. G. R. Hjaltason and H. Samet. Distance Browsing in Spatial Databases. TODS, 24(2):265–318, 1999.