Unraveling an old cloak: k-anonymity for location privacy

Slides:

Advertisements

Similar presentations

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Advertisements

Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,

M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.

Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.

1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.

Mohamed F. Mokbel University of Minnesota

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

Introduction The concept of “SQL Injection”

1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

Privacy Preserving Publication of Moving Object Data Joey Lei CS295 Francesco Bonchi Yahoo! Research Avinguda Diagonal 177, Barcelona, Spain 6/10/20151CS295.

1 Dr. Xiao Qin Auburn University Spring, 2011 COMP 7370 Advanced Computer and Network Security Generalizing.

Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.

Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Attacks against K-anonymity

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Data Privacy.

April 13, 2010 Towards Publishing Recommendation Data With Predictive Anonymization Chih-Cheng Chang †, Brian Thompson †, Hui Wang ‡, Danfeng Yao † †‡

Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.

A Customizable k-Anonymity Model for Protecting Location Privacy Written by: B. Gedik, L.Liu Presented by: Tal Shoseyov.

PRIVACY CRITERIA. Roadmap Privacy in Data mining Mobile privacy (k-e) – anonymity (c-k) – safety Privacy skyline.

Preserving Privacy in Clickstreams Isabelle Stanton.

C LOAKING AND M ODELING T ECHNIQUES FOR LOCATION P RIVACY PROTECTION Ying Cai Department of Computer Science Iowa State University Ames, IA

Preserving Privacy in Location-Based Services using Sudoku Structures A Presentation for ICISS-2014 IDRBT, Hyderabad Authors : Sumitra Biswal, Goutam Paul.

F EELING - BASED L OCATION P RIVACY P ROTECTION FOR L OCATION - BASED S ERVICES CS587x Lecture Department of Computer Science Iowa State University Ames,

Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.

Quantifying Location Privacy Reza Shokri George Theodorakopoulos Jean-Yves Le Boudec Jean-Pierre Hubaux May 2011.

Introduction to: 1.  Goal[DEN83]:  Provide frequency, average, other statistics of persons  Challenge:  Preserving privacy[DEN83]  Interaction between.

Thwarting Passive Privacy Attacks in Collaborative Filtering Rui Chen Min Xie Laks V.S. Lakshmanan HKBU, Hong Kong UBC, Canada UBC, Canada Introduction.

Background Knowledge Attack for Generalization based Privacy- Preserving Data Mining.

Refined privacy models

Hiding in the Mobile Crowd: Location Privacy through Collaboration.

Accuracy-Constrained Privacy-Preserving Access Control Mechanism for Relational Data.

Survey on Privacy-Related Technologies Presented by Richard Lin Zhou.

On the Age of Pseudonyms in Mobile Ad Hoc Networks Julien Freudiger, Mohammad Hossein Manshaei, Jean-Yves Le Boudec and Jean-Pierre Hubaux Infocom 2010.

ACOMP 2011 A Novel Framework for LBS Privacy Preservation in Dynamic Context Environment.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.

Data Anonymization – Introduction and k-anonymity Li Xiong CS573 Data Privacy and Security.

How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux PETS.

Preserving Privacy in GPS Traces via Uncertainty- Aware Path Cloaking Baik Hoh, Marco Gruteser, Hui Xiong, Ansaf Alrabady Presented by Joseph T. Meyerowitz.

GameSec 2010 November 22, Berlin Mathias Humbert, Mohammad Hossein Manshaei, Julien Freudiger and Jean-Pierre Hubaux EPFL - Laboratory for Computer communications.

Privacy vs. Utility Xintao Wu University of North Carolina at Charlotte Nov 10, 2008.

Geo-Indistinguishability: Differential Privacy for Location Based Services Miguel Andres, Nicolas Bordenabe, Konstantinos Chatzikokolakis, Catuscia Palamidessi.

Differential Privacy Some contents are borrowed from Adam Smith’s slides.

Privacy-preserving data publishing

CSCI 347, Data Mining Data Anonymization.

Anonymizing Data with Quasi-Sensitive Attribute Values Pu Shi 1, Li Xiong 1, Benjamin C. M. Fung 2 1 Departmen of Mathematics and Computer Science, Emory.

Location Privacy Protection for Location-based Services CS587x Lecture Department of Computer Science Iowa State University.

Probabilistic km-anonymity (Efficient Anonymization of Large Set-valued Datasets) Gergely Acs (INRIA) Jagdish Achara (INRIA)

Differential Privacy (1). Outline  Background  Definition.

Differential Privacy Xintao Wu Oct 31, Sanitization approaches Input perturbation –Add noise to data –Generalize data Summary statistics –Means,

Reconciling Confidentiality Risk Measures from Statistics and Computer Science Jerry Reiter Department of Statistical Science Duke University.

A hospital has a database of patient records, each record containing a binary value indicating whether or not the patient has cancer. -suppose.

 A Two-level Protocol to Answer Private Location-based Queries Roopa Vishwanathan Yan Huang [RoopaVishwanathan, Computer Science and.

ACHIEVING k-ANONYMITY PRIVACY PROTECTION USING GENERALIZATION AND SUPPRESSION International Journal on Uncertainty, Fuzziness and Knowledge-based Systems,

Side-Channel Attack on Encrypted Traffic

Feeling-based location privacy protection for LBS

SocialMix: Supporting Privacy-aware Trusted Social Networking Services

Privacy-preserving Release of Statistics: Differential Privacy

Towards Measuring Anonymity

Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management – A Consolidated Proposal for Terminology Authors: Andreas.

By (Group 17) Mahesha Yelluru Rao Surabhee Sinha Deep Vakharia

Joins and other advanced Queries

TELE3119: Trusted Networks Week 4

Refined privacy models

Differential Privacy (1)

Presentation transcript:

Unraveling an old cloak: k-anonymity for location privacy unravel: disentangle Reza Shokri1, Carmela Troncoso2, Claudia Diaz2, Julien Freudiger1, and Jean-Pierre Hubaux1 1 EPFL 2 K.U.Leuven

Location-Based Services query, user, location, time local info, POIs, … LBS Provider Alice Problems of revealing location to LBS provider Sensitive information can be inferred from location Example: being at the hospital, lawyer, church… Profiling: daily routines, deviation from them, etc. Stalking Please rob me … manual queries separated in time (every hour, rather than every few seconds)

Some location privacy techniques Mix zones [BS04] Location / time perturbation [HG07] Add dummy queries [CG09] Solutions based on k-anonymity Anonymous usage of location-based services through spatial and temporal cloaking [Gruteser and Grunwald, 2003] 650 citations in Google Scholar Dozens of variants of the basic scheme have been proposed in the last years BS: Berestford, Stajano HG: Hoh, Gruteser CG: Chow, Golle Mix zones: Users change pseudonyms when traversing a mix zone. Unlink pieces of trajectories so that the full trajectory of a user is not revealed

k-anonymity in databases [SS98] Objective: ensure that an “anonymized” database record cannot be linked back to the data subject Adversary has access to background info (e.g., census) Removing explicit identifiers (SSN, name, …) not enough Quasi-identifiers: subsets of attributes that indirectly identify an individual (e.g., gender, DoB, zip code) k-anonymity: use generalization and suppression to ensure that each record could correspond to at least k individuals

Example Release Table External Data Source Name Birth Gender ZIP Race Andre 1964 m 02135 White Beth f 55410 Black Carol 90210 Dan 1967 02174 Ellen 1968 02237 Problems k-anonymity: Diversity, etc.

k-anonymity for “location privacy” Concept: Consider LBS query as an entry in the database Consider location/time as a (quasi-)identifier Generalize location/time so that it could correspond to k users CAS: Central Anonymity Server

Privacy properties Query anonymity: not being able to identify the person who sent a query; i.e.: not possible to link query to the user identity Location privacy: not being able to locate a user; i.e.: not possible to link (location,time) to the user identity What do these k-anonymity techniques actually achieve??

Is k related to location privacy? First look at the consistency of the k-anonymity metric Ability to accurately locate the user related to the size of the region R, rather than to k

Adversary with access to user location in real time Query anonymity: This adversary model and property are equivalent to what is achieved with k-anonymity in databases Adversary uses background knowledge on the location of users to try to link users to their queries k users are present in the region: queries are k-anonymous Location privacy: Huh? BY DEFINITION: Adversary knows the location of users! what happens when we specify the adversary model?

Adversary with no background information Adversary only sees <q,R> Query anonymity: ANY user of the system could be the issuer of the query Location privacy: ANY user of the system could be in region R This has nothing to do with k, or R With this adversary model, we do not need to construct any regions R: just send <q,l,t> to the LBS and the same privacy is achieved.

Adversary with some (statistical) background information “user i likely to be in location l at time t” Query <q,R> is probably coming from one of the users likely to be in R (at the time the query is made) This is the adversary’s guess independently of how many users are actually in R when the query is sent! Adversary cannot see who is actually there, so her guess is only based on <q,R> and the background information Whether there is actually 1 user or 3 users in R, the query would be 3- anonymous towards the adversary Constructing R based on who is actually in the region does not add anything

In both cases, the query is 4-anonymous likely (expected) region: A,B,C,D at home actual computed region In both cases, the query is 4-anonymous This technique actually enables the adversary to learn information she did not know! Adversary “expects” R (from background info), but instead receives R’ Learns: A,B,E,F at home; C and D probably not at home

Conclusions No clear distinction in a large body of literature between “query anonymity” and “location privacy” These are different properties! k-anonymity techniques provide “query anonymity”, but not necessarily “location privacy” (as it is claimed) Location privacy does not seem to depend on k Constructing cloaking regions based on the actual location of k users leaks information to an adversary relying on statistical background info “Adapting” techniques from one type of systems (e.g., databases) to another (e.g., LBSs) is not straightforward Need to carefully define privacy goals and adversarial knowledge and strategy This may sound obvious, but apparently it is not