Slide 1: Location Privacy
Slide 2: Context
Better localization technology + pervasive wireless connectivity = location-based applications
Slide 3: Location is the IP address
Location-based apps, for example: GeoLife shows a grocery list near WalMart; Micro-Blog allows location-scoped querying; a location-based ad: a coffee coupon at Starbucks; ... Location expresses the context of the user, facilitating content delivery. It is as if location is the IP address for content.
Slide 4: Double-Edged Sword
While location drives this new class of applications, it also violates the user's privacy. The sharper the location, the richer the app, and the deeper the violation.
Slide 5: The Location Based Service Workflow
(Diagram: Client, Server, LBS Database) Request from the client: retrieve all available services in the client's location. The server forwards it to the local service: retrieve all available services in the location. The reply travels back from the LBS database through the server to the client.
Slide 6: The Location Anonymity Problem
(Diagram: Client, Server, LBS Database) Request: retrieve all bus lines from the client's location to an address. Privacy violated: the request itself reveals where the client is.
Slide 7: Double-Edged Sword
Moreover, a range of apps are PUSH based and require continuous location information: phone detected at Starbucks, PUSH a coffee coupon; phone located on a highway, query traffic congestion.
Slide 8: Location Privacy
Problem: continuous location exposure is a serious threat to privacy. Research: preserve privacy without sacrificing the quality of continuous location-based apps.
Slide 9: Just Call Yourself "Freddy"
Pseudonyms [Gruteser04] are effective only when location exposure is infrequent; otherwise, spatio-temporal patterns are enough to deanonymize ... think breadcrumbs. (Figure: trails labelled John, Leslie, Jack, Susan, Alex leading to Romit's Office)
Slide 10: A Customizable k-Anonymity Model for Protecting Location Privacy
Paper by: B. Gedik, L. Liu (Georgia Tech). Slides adopted from: Tal Shoseyov
Slide 11: Location Anonymity
"A message from a client to a database is called location anonymous if the client's identity cannot be distinguished from other users based on the client's location information."
Slide 12: k-Anonymity
"A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client's location from other k-1 clients."
Slide 13: Implementation of Location Anonymity
(1) The client sends a plain request to the server. (2) The server transforms the message by "anonymizing" the location data in it. (3) The server sends the "anonymized" message to the database. (4) The database executes the request according to the received anonymous data. (5) The database replies to the server with the compiled data. (6) The server forwards the data to the client.
Slide 14: Implementation of Location k-Anonymity
Temporal cloaking: setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message at the "same time". Spatial cloaking: setting a range of space to be a single box, where all clients located within the range are said to be in the "same location". (Figure: axes x, y, t)
Slide 15: Implementation of Location k-Anonymity
Spatial-temporal cloaking: setting a range of space and a time interval, where all the messages sent by clients inside the range in that time interval are treated as sent from the same location at the same time. This spatial and temporal area is called a "cloaking box". (Figure: axes x, y, t)
Slide 16: Previous solutions
M. Gruteser, D. Grunwald (2003): for a fixed k value, the server finds the smallest area around the client's location that potentially contains k-1 other clients, and monitors that area over time until such k-1 clients are found. Drawback: a fixed anonymity value for all clients (service dependent).
Slide 17: Add Noise
K-anonymity [Gedik05]: convert the location to a space-time bounding box, ensure K users are in the box, and let the location apps reply to the boxed region. Issues: poor quality of location; degrades in sparse regions; not real-time. (Figure: bounding box around "You" with K=4)
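An added example, not code from the slides or from the Gedik/Liu or Gruteser/Grunwald papers: a quadtree-style spatial cloaking step that descends into the fixed quadrant holding the client only while that quadrant still covers k users, and that shows the box blowing up in a sparse region (the "degrades in sparse regions" issue above). The user positions, the 1024 m region and the 8 m minimum cell are constructed values.

```python
# Constructed sample positions (x, y) in metres; the first entry of each list
# is the client requesting the service. Not data from the paper.
DENSE = [(100, 100), (103, 104), (98, 105), (106, 99), (101, 97), (108, 108), (93, 102)]
SPARSE = [(100, 100), (400, -200), (-300, 50), (200, 450)]

def count_inside(users, box):
    """Number of users inside the half-open box [xmin, xmax) x [ymin, ymax)."""
    xmin, ymin, xmax, ymax = box
    return sum(1 for x, y in users if xmin <= x < xmax and ymin <= y < ymax)

def quadtree_cloak(users, client, k, region=(-512.0, -512.0, 512.0, 512.0), min_size=8.0):
    """Spatial cloaking for k-anonymity (an assumed variant of the quadtree idea
    in Gruteser/Grunwald 2003): start from a fixed region and descend into the
    fixed quadrant that holds the client as long as that quadrant still
    contains at least k users (the client counts). Quadrants are fixed rather
    than centred on the client, because a box centred on the client would
    reveal the exact location as its centre. Returns None when even the whole
    region holds fewer than k users, i.e. the request cannot be made k-anonymous."""
    if count_inside(users, region) < k:
        return None
    box = region
    while box[2] - box[0] > min_size:
        xmin, ymin, xmax, ymax = box
        half = (xmax - xmin) / 2
        qx = xmin if client[0] < xmin + half else xmin + half
        qy = ymin if client[1] < ymin + half else ymin + half
        candidate = (qx, qy, qx + half, qy + half)
        if count_inside(users, candidate) < k:
            break  # shrinking further would drop below k users
        box = candidate
    return box

def box_side(box):
    """Side length of a cloaking box; the quality-of-location cost of hiding."""
    return box[2] - box[0]

if __name__ == "__main__":
    for name, users in (("dense", DENSE), ("sparse", SPARSE)):
        box = quadtree_cloak(users, users[0], k=4)
        side = box_side(box) if box else None
        print(f"{name}: cloaking box {box}, side {side} m")
```

With the same k=4 the dense crowd is hidden in a 16 m cell while the sparse one needs the whole 1024 m region, which is the quality loss slide 17 describes.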
Slide 18: Confuse Via Mixing
Path intersections are an opportunity for privacy: if users intersect in space-time, an observer cannot say who is who afterwards.
Slide 19: Confuse Via Mixing
Path intersections are an opportunity for privacy: if users intersect in space-time, an observer cannot say who is who afterwards. Unfortunately, users may not intersect in both space and time. (Figure: paths between Hospital and Airport that never meet)
Slide 20: Hiding Until Mixed
Partially hide locations until users have mixed [Gruteser07], then expose them after a delay. (Figure: Hospital, Airport)
Slide 21: Hiding Until Mixed
Partially hide locations until users have mixed [Gruteser07], then expose them after a delay. But delays are unacceptable to real-time apps. (Figure: Hospital, Airport)
Slide 22: Existing solutions seem to suggest:
Privacy and Quality of Localization (QoL) is a zero-sum game; one must be sacrificed to gain the other.
Slide 23: Hiding Stars with Fireworks: Location Privacy through Camouflage
Slide 24: Goal
New proposal: CacheCloak, which breaks away from this tradeoff. Target: spatial accuracy, real-time updates, and privacy guarantees, even in sparse populations.
Slide 25: The Intuition
Predict until paths intersect. (Figure: Hospital, Airport)
Slide 26: The Intuition
Predict until paths intersect. (Figure: predicted paths from Hospital and Airport)
Slide 27: The Intuition
Predict until paths intersect, expose the predicted intersection to the application, and cache the information for each predicted location. (Figure: predicted paths from Hospital and Airport)
Slide 28: CacheCloak: System Design and Evaluation
Slide 29: Architecture
CacheCloak is assumed to be a trusted privacy provider. The user reveals the true location to CacheCloak; CacheCloak exposes an anonymized location to the location apps (Loc. App1, Loc. App2, Loc. App3, Loc. App4).
Slides 30-41: Location Based Application (animation of one exchange)
Slide 30: In steady state, CacheCloak sits between the user and the Location Based Application.
Slides 31-32: Prediction. CacheCloak performs backward prediction and forward prediction of the user's path.
Slide 33: Predicted intersection. The predicted path is extended until it meets another user's path.
Slides 34-35: Query. CacheCloak queries the Location Based Application for every location along the predicted path (shown as "?" marks).
Slide 36: LBA responds. The Location Based Application returns an array of responses, one per predicted location.
Slides 37-41: Cached responses. CacheCloak caches the array; as the user reaches each location along the predicted path, the cached response for that location is delivered as location-based information.
Slide 42: Benefits
Real-time: the response is ready when the user arrives at the predicted location. High QoL: responses can be specific to the location; the overhead falls on the wired backbone, where caching helps. Entropy guarantees: entropy increases at traffic intersections. Sparse population: can be handled with dummy users and false branching.
Slide 43: Quantifying Privacy
The city is converted into a grid of small squares (pixels). Users are located at a pixel at a given time. Each pixel is associated with an 8x8 matrix whose element (x, y) is the probability that a user enters from direction x and exits toward direction y. Probabilities diffuse at intersections and over time. Privacy = entropy. (Figure: pixel with entry x and exit y)
Slide 44: Diffusion
The probability of the user's presence diffuses. The diffusion gradient is computed from history, i.e., what fraction of users take a right turn at this intersection. (Figure: road intersection at times t1, t2, t3)
Slide 45: Evaluation
Trace-based simulation: VanetMobiSim + US Census Bureau trace data; a Durham map with traffic lights, speed limits, etc.; vehicles follow Google map paths and perform collision avoidance. Area 6 km x 6 km, 10 m x 10 m pixels, 1000 cars.
Slide 46: Results
High average entropy, quite insensitive to user density (good for sparse regions); the minimum entropy is reasonably high. (Plots: max, mean and min bits of entropy vs. time in minutes and vs. number of users N)
Slide 47: Results, Peak Counting
Number of places where the attacker's confidence is above a threshold. (Plot: mean number of peaks vs. time in seconds)
Slide 48: Results, Peak Counting
Number of places where the attacker's confidence is above a threshold. (Plot: mean number of peaks vs. number of users N)
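An added example, not from the paper or the slides, that serves slides 43-44 and 47-48: the presence probability of one user diffuses along a constructed road network according to the historical turn fractions at an intersection, and the attacker's view is scored with the two metrics the evaluation uses, entropy in bits and the number of peaks above a confidence threshold. It simplifies the paper's per-pixel 8x8 entry/exit matrix to a per-pixel successor table; the road layout, turn fractions and threshold are constructed.

```python
import math
from collections import defaultdict

# Constructed road network (not from the paper). Each pixel lists the pixels a
# vehicle can move to in the next time step, weighted by the historical turn
# fraction at that pixel. Straight segments have one successor; the
# intersection "x" splits the mass the way past traffic split there.
# Terminal pixels loop to themselves so the probability mass is conserved.
ROADS = {
    "a1": {"a2": 1.0},
    "a2": {"x": 1.0},
    "x":  {"n1": 0.5, "e1": 0.3, "w1": 0.2},  # straight / right / left
    "n1": {"n2": 1.0}, "n2": {"n2": 1.0},
    "e1": {"e2": 1.0}, "e2": {"e2": 1.0},
    "w1": {"w2": 1.0}, "w2": {"w2": 1.0},
}

def diffuse(dist, roads=ROADS):
    """One time step: push each pixel's probability mass to its successors."""
    nxt = defaultdict(float)
    for pixel, p in dist.items():
        for succ, frac in roads[pixel].items():
            nxt[succ] += p * frac
    return dict(nxt)

def entropy_bits(dist):
    """Privacy metric from the paper: Shannon entropy of the attacker's belief."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def count_peaks(dist, threshold):
    """Peak counting: pixels where the attacker's confidence exceeds threshold."""
    return sum(1 for p in dist.values() if p > threshold)

def simulate(start, steps, roads=ROADS, threshold=0.4):
    """Return (t, entropy, peaks) per step, starting with the user known to be
    at `start` (entropy 0, one peak); entropy jumps once the mass passes "x"."""
    dist = {start: 1.0}
    trace = []
    for t in range(steps + 1):
        trace.append((t, round(entropy_bits(dist), 3), count_peaks(dist, threshold)))
        dist = diffuse(dist, roads)
    return trace

if __name__ == "__main__":
    for row in simulate("a1", 5):
        print("t=%d entropy=%.3f bits peaks=%d" % row)
```

Entropy stays at 1.485 bits after the single intersection in this toy network; in the paper's city grid every further intersection adds more diffusion, which is why the mean entropy on slide 46 keeps rising over time.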
Slide 49: Limitations, Discussions ...
CacheCloak overhead: the application replies to a lot of queries; however, the overhead is on the wired infrastructure, and caching reduces it significantly. CacheCloak assumes the same, indistinguishable query; different queries can deanonymize, possibly through query combination ... future work. A per-user privacy guarantee is not yet supported (adaptive branching and dummy users). CacheCloak is a central trusted entity; a distributed version is proposed in the paper.
Slide 50: Closing Thoughts
Two nodes may intersect in space but not in time, so mixing is not possible without sacrificing timeliness. Mobility prediction creates space-time intersections, which enables virtual mixing in the future.
Slide 51: Closing Thoughts
CacheCloak implements the prediction and caching function; high entropy is possible even under sparse population; spatio-temporal accuracy remains uncompromised.
Slide 54: Thank You
For more related work, visit: