On Non-Cooperative Location Privacy: A Game-theoretic Analysis
CCS 2009
Julien Freudiger, Mohammad Hossein Manshaei, Jean-Pierre Hubaux and David C. Parkes
Pervasive Wireless Networks
- Vehicular networks
- Mobile social networks
- Human sensors
- Personal WiFi bubble
Many new devices are equipped with wireless interfaces, and many new applications build on them.
Peer-to-Peer Communications
- Peer-to-peer wireless network (WiFi, Bluetooth) between WiFi/Bluetooth-enabled nodes (figure: nodes 1 and 2)
- Location privacy problem: a third party can track the location of nodes by monitoring the identifiers they transmit and thereby obtain location traces
- Identifiers: MAC address, authentication credentials; a message carries an Identifier and a Signature || Certificate
Location Privacy Problem
- A passive adversary monitors the identifiers used in peer-to-peer communications
- Example trace of node 1 (figure): 10h00 Millennium Park, 11h00 Art Institute, 13h00 Lunch
- Easy mass surveillance of location: not by the network operator, but by anyone with a WiFi sniffer
Previous Work
- Replace the Identifier in each message by a Pseudonym
- Pseudonymity is not enough for location privacy [1, 2]
- Removing pseudonyms is not enough either [3]
- Spatio-temporal correlation of traces: linkability breaks anonymity
- Need spatial and temporal decorrelation of traces => filtering based on a tracking model
[1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009
[2] B. Hoh et al. Enhancing Security and Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006
[3] B. Hoh and M. Gruteser. Protecting Location Privacy through Path Confusion. SECURECOMM, 2005
Location Privacy with Mix Zones [1]
- Spatial decorrelation: remain silent
- Temporal decorrelation: change pseudonym (figure: nodes 1 and 2 enter the mix zone and leave as x and y)
- Notion of cooperation: why should a node participate?
[1] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. PerCom Workshops, 2004
Mix Zone Privacy Gain
- Figure: nodes 1 and 2 enter the mix zone at t⁻ and leave as x and y at t = T
- The privacy gain grows with the number of nodes in the mix zone
- Note: a node that does not change its pseudonym gains nothing => no free-riding
- Need for coordination here!
Cost Caused by Mix Zones
Cost = turning off the transceiver (routing becomes difficult) + loading authenticated pseudonyms + inconvenience
Problem
- Tension between the cost and the benefit of mix zones
- When should nodes change pseudonym?
- Game theory allows us to predict the behavior of nodes
(Speaker note: many discussions of "human nature" and evolution come down to game theory.)
Method
- Security protocols, multi-party computation, cryptography, revocation, privacy mechanisms: evaluate strategies under rational behavior (selfish optimization)
- Game theory: evaluate strategies and predict the evolution of security/privacy
(Speaker note: traditionally a global optimization derives the good moment to change pseudonym. Here we consider rational behavior, which allows us to predict the evolution: an equilibrium strategy is the best we can do without being exploited.)
Outline
- User-centric Model
- Pseudonym Change Game
- Results
Contributions
- Propose a user-centric model of location privacy
- Derive the strategies of rational nodes
- Evaluate the effect of rationality on location privacy
(Speaker note: user-centric does not mean users have to make any decisions; it means decisions depend on users' properties.)
Mix Zone Establishment
- In pre-determined regions [1]
- Dynamically, with a distributed protocol [2]: particularly appealing for MANETs because it needs neither infrastructure nor prior knowledge. We rely on their protocol.
[1] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. PerCom Workshops, 2004
[2] M. Li et al. Swing and Swap: User-centric Approaches towards Maximizing Location Privacy. WPES, 2006
User-Centric Location Privacy Model
- Privacy = A_i(T) − PrivacyLoss
- Figure: privacy jumps to A_i(T1) at a pseudonym change at T1 and then decays while the node is traceable; a later change at T2 resets it to A_i(T2)
- Not cumulative: the gain of a new change does not add to what remains of the previous one
- The node is traceable again for some time t
Pros/Cons of the User-centric Model
- Pro: control when and where to protect your privacy
- Con: misaligned incentives
Outline: User-centric Model / Pseudonym Change Game (next) / Results
Assumptions
- Pseudonym Change game with simultaneous decisions (figure: nodes 1 and 2)
- Players want to maximize their payoff
- Consider the privacy upper bound A_i(T) = log2(n(t)), with n(t) the number of nodes in the mix zone
Game Model
- Players: mobile nodes in transmission range; there is a game iff
- Strategy: Cooperate (C) = change pseudonym; Defect (D) = do not change pseudonym
Pseudonym Change Game (figure: nodes 1, 2 and 3 at time t1, each choosing C or D, followed by the silent period)
Payoff Function
u_i = privacy − cost
- If C and not alone: u_i = A_i(T) − γ
- If C and alone: u_i = u_i^- − γ
- If D: u_i = u_i^-
where u_i^- is the payoff immediately before the game (abstract time)
(Speaker note: α is a more subtle cost that models the fact that the more errors, the more unhappy we are.)
Sequence of Pseudonym Change Games
- Figure: games E1, E2, E3 along the time line (ticks 1 to 9); at E1 the payoff u_i jumps to A_i(T1) − γ, at E2 to A_i(T2) − γ, and decays in between
- Costs are γ and β
Outline: User-centric Model / Pseudonym Change Game / Results (next)
C-Game: Complete Information
- Each player knows the payoff of its opponents
2-Player C-Game
- Two pure-strategy Nash Equilibria (NE): (C,C) and (D,D)
- One mixed-strategy NE
- Privacy upper bound with two players: log2(2) = 1
- Coordination game: a situation in which all parties can realize mutual gains, but only by making mutually consistent decisions
(Speaker note: in the mixed strategy, each player's cooperation probability depends on the other player's utility.)
Best Response Correspondence (figure: the two players' best-response correspondences; their intersections are the 2 pure-strategy NE and the 1 mixed-strategy NE)
(Speaker note: explain the meaning of best response.)
n-Player C-Game
Theorem: the static n-player pseudonym change C-game has at least 1 and at most 2 pure-strategy Nash equilibria.
- All Defection is always a NE
- A NE with cooperation exists iff there is a group of k users with (condition given by the formula on the slide) in the group of k nodes
(Speaker note: a NE with cooperation does not always exist; it depends on the users and their private information. Payoffs are asymmetric.)
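Worked example, added here and not code from the talk or the paper: the payoff function of the Payoff Function slide, a brute-force search for the pure-strategy Nash equilibria of the n-player C-game, and the mixed-strategy NE of the 2-player game. Two assumptions are not on the slides: the privacy a node gains when it changes together with k−1 others is taken as the upper bound log2(k) (the slides give A_i(T) = log2(n(t)) for the mix zone), and the values of u_i^- and γ are constructed sample inputs.

```python
import math
from itertools import product

C, D = "C", "D"  # Cooperate = change pseudonym, Defect = keep it


def privacy_after_change(k):
    """Privacy upper bound when k nodes change pseudonym together: log2(k) bits.
    Assumption: the slides' A_i(T) = log2(n(t)) evaluated over the changing nodes."""
    return math.log2(k)


def payoff(i, profile, u_prev, gamma):
    """u_i = privacy - cost, following the three cases of the Payoff Function slide.
    profile: tuple of C/D per player; u_prev[i] is u_i^-, the privacy just before the game."""
    if profile[i] == D:                       # D: keep current privacy, pay nothing
        return u_prev[i]
    k = profile.count(C)
    if k == 1:                                # C alone: pay gamma, gain nothing
        return u_prev[i] - gamma
    return privacy_after_change(k) - gamma    # C with others: new privacy minus cost


def pure_nash_equilibria(u_prev, gamma):
    """Brute force over all 2^n profiles: a profile is a NE when no single player
    can raise its own payoff by switching its action while the others stay put."""
    n = len(u_prev)
    equilibria = []
    for profile in product((C, D), repeat=n):
        stable = True
        for i in range(n):
            deviation = list(profile)
            deviation[i] = D if profile[i] == C else C
            if payoff(i, tuple(deviation), u_prev, gamma) > payoff(i, profile, u_prev, gamma):
                stable = False
                break
        if stable:
            equilibria.append(profile)
    return equilibria


def mixed_nash_2player(u_prev, gamma):
    """Mixed-strategy NE of the 2-player C-game. Player i cooperates with probability
    p_i chosen so that the *other* player j is indifferent between C and D:
        p_i*(A - gamma) + (1 - p_i)*(u_j^- - gamma) = u_j^-   =>   p_i = gamma / (A - u_j^-)
    Returns None when a player's possible gain A - u_j^- does not exceed the cost,
    because then no cooperation probability in (0, 1) makes that player indifferent."""
    a = privacy_after_change(2)               # log2(2) = 1
    probs = []
    for j in (1, 0):                          # p_0 from player 1's indifference, p_1 from player 0's
        gain_j = a - u_prev[j]
        if gain_j <= gamma:
            return None
        probs.append(gamma / gain_j)
    return tuple(probs)


if __name__ == "__main__":
    # Constructed sample values: current privacy levels u_i^- and the pseudonym cost gamma.
    print(pure_nash_equilibria((0.2, 0.5), 0.3))        # [('C','C'), ('D','D')]
    print(mixed_nash_2player((0.2, 0.5), 0.3))          # (0.6, 0.375)
    # Node 3 already enjoys more privacy than a 3-node mix zone can give it, so it
    # defects and exactly two pure NE remain, as the theorem states.
    print(pure_nash_equilibria((0.1, 0.2, 1.5), 0.3))   # [('C','C','D'), ('D','D','D')]
```

The 3-player run shows why a NE with cooperation need not exist: the node with the highest current privacy loses by joining, and if every node is in that position only All Defection survives.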
C-Game Results
Result 1: high coordination among nodes at NE
- Change pseudonyms only when necessary, otherwise defect
(Speaker note: whenever the gain is sufficient, change pseudonym.)
I-Game: Incomplete Information
- Players don't know the payoff of their opponents
(Speaker note: explain why it makes more sense to consider incomplete information.)
Bayesian Game Theory
- Define the type of player i as θ_i = u_i^-
- Predict the actions of opponents from a probability distribution (pdf) over types
(Speaker note: if you cannot know, you guess. Private information is what the others don't know, and it determines the move, e.g. mixed strategies.)
Environment (figure: low privacy, middle privacy, high privacy)
Threshold Strategy
- A threshold θ̃_i determines a player's action: Cooperate (C) when the type θ_i is below θ̃_i, Defect (D) otherwise (figure)
- The probability of cooperation is the probability that θ_i falls below θ̃_i
(Speaker note: change pseudonym only when the expected gain is better than the current privacy level.)
2-Player I-Game
- Bayesian NE: find the threshold θ_i* such that the average utility of cooperation equals the average utility of defection
(Speaker note: this is a sufficient condition for the existence of a BNE, assuming threshold strategies.)
Result 2: a large cost increases the cooperation probability
- Solve numerically (MATLAB fsolve) with varying γ
- Symmetric equilibria; three equilibria
- The probability of cooperation increases with a higher cost of pseudonyms
- The intermediate equilibrium varies according to the distribution of types
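Worked example, added here and not the authors' MATLAB code: the indifference condition of the 2-Player I-Game slide solved for symmetric threshold equilibria, covering the Threshold Strategy, 2-Player I-Game and Result 2 slides. Assumptions not on the slides: the types θ_i = u_i^- are uniform on [0, A] with A = log2(2) = 1, and a grid scan with bisection replaces fsolve. The block returns every symmetric threshold equilibrium for a given γ, including the all-defect one at θ* = 0; which equilibrium's cooperation probability rises or falls with γ depends on the type distribution, so these numbers illustrate the method rather than reproduce the talk's curves.

```python
import math

A = math.log2(2)  # privacy upper bound A_i(T) for a 2-node mix zone


def cdf_uniform(theta):
    """Assumed type distribution: theta_i = u_i^- uniform on [0, A]. F(theta) = Pr[theta_i < theta]."""
    return min(max(theta / A, 0.0), 1.0)


def expected_utility_gap(theta, threshold, gamma, cdf=cdf_uniform):
    """E[u_i | C] - E[u_i | D] for a player of type theta whose opponent plays the
    threshold strategy 'cooperate iff own type < threshold'. Positive means C is better."""
    p = cdf(threshold)                                  # Pr[opponent cooperates]
    eu_cooperate = p * (A - gamma) + (1 - p) * (theta - gamma)   # not alone / alone cases
    eu_defect = theta                                   # D keeps the current privacy u_i^-
    return eu_cooperate - eu_defect


def fixed_point_residual(threshold, gamma, cdf=cdf_uniform):
    """A symmetric BNE threshold theta* is a zero of this residual: the type sitting
    exactly at the threshold is indifferent when the opponent uses the same threshold."""
    return expected_utility_gap(threshold, threshold, gamma, cdf)


def symmetric_threshold_equilibria(gamma, cdf=cdf_uniform, steps=2000, tol=1e-10):
    """Scan (0, A] for sign changes of the residual and refine each by bisection.
    theta* = 0 (nobody ever cooperates) is always an equilibrium: with p = 0 the gap is
    -gamma for every type, so it is appended explicitly."""
    roots = [0.0]
    grid = [A * k / steps for k in range(1, steps + 1)]
    prev_x, prev_f = grid[0], fixed_point_residual(grid[0], gamma, cdf)
    for x in grid[1:]:
        f = fixed_point_residual(x, gamma, cdf)
        if prev_f == 0.0:
            roots.append(prev_x)
        elif prev_f * f < 0:
            lo, hi, flo = prev_x, x, prev_f
            while hi - lo > tol:
                mid = (lo + hi) / 2
                fmid = fixed_point_residual(mid, gamma, cdf)
                if flo * fmid <= 0:
                    hi = mid
                else:
                    lo, flo = mid, fmid
            roots.append((lo + hi) / 2)
        prev_x, prev_f = x, f
    return roots


def cooperation_probabilities(gamma, cdf=cdf_uniform):
    """Pr[cooperate] at each symmetric equilibrium = Pr[theta_i < theta*] = F(theta*)."""
    return [cdf(t) for t in symmetric_threshold_equilibria(gamma, cdf)]


if __name__ == "__main__":
    for gamma in (0.1, 0.2, 0.3):   # constructed sample costs
        print(gamma, symmetric_threshold_equilibria(gamma), cooperation_probabilities(gamma))
```

Under the uniform assumption the residual is θ − θ²/A − γ, so the interior equilibria are θ* = (A ± sqrt(A² − 4γA))/2: three equilibria as on the slide while γ < A/4, with the intermediate threshold growing and the high one shrinking as γ rises, and only All Defection left once γ exceeds A/4. Swapping `cdf_uniform` for another distribution is how one checks the slide's remark that the intermediate equilibrium depends on the type distribution.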
Result 3: strategies adapt to your environment.
Result 4: a large number of nodes n provides an incentive not to cooperate
(Speaker note: surprising result: as n increases, the probability to cooperate at equilibrium (the ratio of θ* to the maximum θ) decreases => non-cooperative behavior becomes less important.)
Conclusion
- Rational behavior in location privacy protocols
- Propose a user-centric model of location privacy
- Introduce the Pseudonym Change game
- Derive the existence of equilibrium strategies
- Evaluate the effect of non-cooperative behavior
- Outcome: a protocol for distributed pseudonym changes among rational nodes
- Future: evaluate the performance of the protocol
lca.epfl.ch/privacy
Backup Slides
Payoff Function (formal, backup)
- Figure: the two actions C and D
- The three cases are those of the Payoff Function slide: C and not alone gives A_i(T) − γ, C and alone gives u_i^- − γ, D gives u_i^-
- Notation: u_i^- is the payoff at the time immediately prior to the game; the remaining symbols on the slide denote the strategy of the opponents of i and the number of cooperating nodes besides i (abstract time)
(Speaker note: α is a more subtle cost that models the fact that the more errors, the more unhappy we are.)
Type
- Incomplete information => imperfect information [1]
- The type captures the private information of the players
- Assume the type is distributed with a probability known to all players
- Each player can predict the behavior of its opponents with Bayesian game theory
(Speaker note: if you cannot know, you guess. Private information is what the others don't know, and it determines the move, e.g. mixed strategies.)
[1] J. Harsanyi. Games with Incomplete Information Played by "Bayesian" Players. Management Science, 1967
PseudoGame Protocol