1 Quantifying Location Privacy — Reza Shokri, George Theodorakopoulos, Jean-Yves Le Boudec, Jean-Pierre Hubaux. May 2011

3 A location trace is not only a set of positions on a map. The contextual information attached to a trace tells much about our habits, interests, activities, and relationships.

4 envisioningdevelopment.net/map

6 Location-Privacy Protection: distort location information before exposing it to others.

7 Location-Privacy Protection (figure: original vs. low accuracy vs. low precision; pictures from Krumm 2007)
– Anonymization (pseudonymization): replacing the actual username with a random identity
– Location obfuscation: hiding the location, adding noise, reducing precision
How to evaluate/compare various protection mechanisms? Which metric to use? A common formal framework is MISSING.

8 Location Privacy: A Probabilistic Framework

9 Framework overview (diagram): the actual traces of users u_1 … u_N over the timeline 1 … T (vectors of actual events) pass through the location-privacy preserving mechanism (LPPM: obfuscation + anonymization) to produce the observed traces, indexed by pseudonyms 1 … N (vectors of observed events). On the adversary side, knowledge construction (KC) uses past traces (vectors of noisy/missing events) to build the users' mobility profiles as Markov-chain (MC) transition matrices P_ij over regions r_i, r_j; the attack then outputs reconstructed traces.

10 Location-Privacy Preserving Mechanism (LPPM) — Location-obfuscation function: a probabilistic mapping of a location to a set of locations (hiding, reducing precision, adding noise, location generalization, …).

11 Location-Privacy Preserving Mechanism (LPPM) — Anonymization function: replace real usernames (e.g., Alice, Bob, Charlie) with random pseudonyms (e.g., integers 1 … N), i.e., a random permutation of usernames.

12 Location-Privacy Preserving Mechanism — Spatiotemporal event: ⟨user, region, time⟩. The location-obfuscation function (for user u) maps the actual trace of user u (a vector of actual events) to an obfuscated trace; anonymization then replaces u with a pseudonym u′, yielding the observed trace of user u under pseudonym u′.
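As a rough illustration of these two functions, the following Python sketch implements one hiding/generalization obfuscation rule and a random pseudonym permutation. The event encoding ⟨user, region, time⟩, the region IDs, and all function names are assumptions made for illustration, not the paper's implementation.

```python
import random

REGIONS = list(range(1, 41))  # assumed region IDs 1..40

def obfuscate_event(event, p_hide=0.3):
    """Probabilistically map an actual event <user, region, time> to an
    obfuscated event whose location is a *set* of regions: either the empty
    set (location hidden) or the true region plus random neighbours."""
    user, region, t = event
    if random.random() < p_hide:
        obs_regions = set()                 # hide the location entirely
    else:
        noise = random.sample(REGIONS, 2)   # coarse location generalization
        obs_regions = {region, *noise}
    return (user, obs_regions, t)

def anonymize(traces):
    """Replace real usernames with a random permutation of pseudonyms 1..N."""
    users = list(traces.keys())
    pseudonyms = list(range(1, len(users) + 1))
    random.shuffle(pseudonyms)
    sigma = dict(zip(users, pseudonyms))
    return {sigma[u]: [(sigma[u], r, t) for (_, r, t) in trace]
            for u, trace in traces.items()}

# usage: obfuscate every event, then anonymize whole traces
actual = {"Alice": [("Alice", 11, 0), ("Alice", 6, 1), ("Alice", 14, 2)]}
obfuscated = {u: [obfuscate_event(e) for e in tr] for u, tr in actual.items()}
observed = anonymize(obfuscated)
```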

13 Adversary Model — Observation: the anonymized and obfuscated traces. Knowledge: the users' mobility profiles, the PDF of the anonymization function, and the PDF of the obfuscation function (i.e., the LPPM).

14 Learning Users' Mobility Profiles (adversary knowledge construction)
From prior knowledge (past traces: vectors of noisy/missing past events), the attacker creates a mobility profile for each user.
Mobility profile: a Markov chain (MC) on the set of locations, with transition matrix P_u.
Task: estimate the MC transition probabilities P_u.

15 Example – Simple Knowledge Construction
Prior knowledge for Alice (this example: 100 training traces), regions visited at 8am, 9am, 10am, 11am, …:
Day –100: 1, 2, 7, 14, 20, …
Day –99: 1, 3, 20, 19, 25, …
…
Day –1: 1, 2, 13, 12, 19, …
Mobility profile for Alice: a Markov chain over the regions (e.g., from region 12 the chain moves to each of regions 7, 13, and 19 with probability ⅓).
How to handle noisy/partial traces? e.g., knowing only the user's location in the morning (her workplace) and her location in the evening (her home).
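For complete training traces, the transition matrix can be estimated by simple counting of consecutive region pairs, as in this sketch (the 0-indexed region IDs and the uniform fallback for unseen rows are assumptions of the sketch, not the paper's procedure):

```python
import numpy as np

def estimate_transition_matrix(training_traces, num_regions):
    """Maximum-likelihood estimate of the Markov-chain transition
    probabilities P[i, j] = Pr(next region = j | current region = i),
    obtained by counting consecutive pairs in the training traces."""
    counts = np.zeros((num_regions, num_regions))
    for trace in training_traces:                 # each trace: list of region IDs
        for r_cur, r_next in zip(trace, trace[1:]):
            counts[r_cur, r_next] += 1
    row_sums = counts.sum(axis=1, keepdims=True)
    # rows never observed fall back to a uniform distribution
    P = np.where(row_sums > 0, counts / np.maximum(row_sums, 1), 1.0 / num_regions)
    return P

# e.g. three short morning traces for one user (regions indexed from 0)
traces = [[0, 1, 6, 13, 19], [0, 2, 19, 18, 24], [0, 1, 12, 11, 18]]
P_alice = estimate_transition_matrix(traces, num_regions=40)
```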

16 Learning Users' Mobility Profiles (adversary knowledge construction)
From prior knowledge, the attacker creates a mobility profile for each user.
Mobility profile: a Markov chain (MC) on the set of locations.
Task: estimate the MC transition probabilities P_u.
Our solution: a Monte-Carlo method (Gibbs sampling) to estimate the probability distribution over the users' mobility profiles.
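A minimal Gibbs-sampling sketch for noisy/partial training traces, under simplifying assumptions: Dirichlet priors on the transition rows, missing entries marked as None, and a uniform distribution at the first time instant. The paper's actual sampler is more general; this only illustrates the idea of alternating between completing the traces and resampling the profile.

```python
import numpy as np

def gibbs_profile(traces, R, iters=500, alpha=1.0, rng=np.random.default_rng(0)):
    """Alternate between (1) sampling missing locations given the current
    transition matrix and (2) sampling each transition row from its
    Dirichlet posterior given the completed traces."""
    P = np.full((R, R), 1.0 / R)
    filled = [[r if r is not None else int(rng.integers(R)) for r in tr] for tr in traces]
    samples = np.zeros((R, R))
    for it in range(iters):
        # (1) resample every originally-missing location
        for tr, obs in zip(filled, traces):
            for t, r_obs in enumerate(obs):
                if r_obs is not None:
                    continue
                w = np.ones(R)
                if t > 0:
                    w *= P[tr[t - 1], :]          # transition into time t
                if t < len(tr) - 1:
                    w *= P[:, tr[t + 1]]          # transition out of time t
                tr[t] = int(rng.choice(R, p=w / w.sum()))
        # (2) resample transition rows from Dirichlet(alpha + counts)
        counts = np.zeros((R, R))
        for tr in filled:
            for a, b in zip(tr, tr[1:]):
                counts[a, b] += 1
        P = np.array([rng.dirichlet(alpha + counts[i]) for i in range(R)])
        if it >= iters // 2:                      # average over the second half
            samples += P
    return samples / (iters - iters // 2)
```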

17 Adversary Model — Observation: the anonymized and obfuscated traces. Knowledge: the users' mobility profiles, the PDF of the anonymization function, and the PDF of the obfuscation function (the LPPM).
Inference attack examples (the last two are sketched below):
– Localization attack: "Where was Alice at 8pm?" What is the probability distribution over the locations for user 'Alice' at time '8pm'?
– Tracking attack: "Where did Alice go yesterday?" What is the most probable trace (trajectory) for user 'Alice' for the time period 'yesterday'?
– Meeting disclosure attack: "How many times did Alice and Bob meet?"
– Aggregate presence disclosure: "How many users were present at restaurant x, at 9pm?"
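Given per-user posterior distributions over regions at each time (the output of the localization attack), the meeting-disclosure and aggregate-presence questions reduce to sums of probabilities. A sketch, where the array shape (users, times, regions) and the conditional-independence assumption are mine, not the paper's:

```python
import numpy as np

# posterior[u, t, r] = Pr(user u is in region r at time t), from the localization attack
posterior = np.random.dirichlet(np.ones(40), size=(20, 96))   # toy stand-in data

def expected_presence(posterior, region, t):
    """Expected number of users present in `region` at time `t`."""
    return float(posterior[:, t, region].sum())

def expected_meetings(posterior, u, v):
    """Expected number of time instants at which users u and v are in the same
    region (assuming their locations are conditionally independent)."""
    return float((posterior[u] * posterior[v]).sum())
```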

18 Inference Attacks
Computationally infeasible to attack directly: the anonymization permutation σ can take N! values.
Our solution: decoupling de-anonymization from de-obfuscation.

19 De-anonymization (assigning users u_1 … u_N to pseudonyms 1 … N; step 2 is sketched below)
1 – Compute the likelihood of observing trace i from user u, for all i and u, using the hidden-Markov-model Forward–Backward algorithm. O(R²N²T)
2 – Compute the most likely assignment using a maximum-weight assignment algorithm (e.g., the Hungarian algorithm). O(N⁴)
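A sketch of step 2, assuming the per-(user, trace) log-likelihoods from step 1 are already available; `scipy.optimize.linear_sum_assignment` solves the maximum-weight assignment (Hungarian-style) by minimizing the negated log-likelihoods:

```python
import numpy as np
from scipy.optimize import linear_sum_assignment

def most_likely_assignment(log_likelihood):
    """log_likelihood[u, i] = log Pr(observed trace i | mobility profile of user u),
    as computed by the Forward-Backward algorithm.  Returns the maximum-likelihood
    user -> pseudonym assignment sigma*."""
    users, nyms = linear_sum_assignment(-log_likelihood)   # minimize negative log-lik
    return dict(zip(users, nyms))

# toy usage: 3 users, 3 observed traces
ll = np.log(np.array([[0.7, 0.2, 0.1],
                      [0.1, 0.1, 0.8],
                      [0.3, 0.6, 0.1]]))
sigma_star = most_likely_assignment(ll)   # {0: 0, 1: 2, 2: 1}
```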

20 De-obfuscation
Localization attack: given the most likely assignment σ*, the localization probability can be computed with the hidden-Markov-model Forward–Backward algorithm. O(R²T)
Tracking attack: given the most likely assignment σ*, the most likely trace for each user can be computed with the Viterbi algorithm. O(R²T)
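A minimal Viterbi sketch for the tracking attack, once σ* fixes which observed trace belongs to the user. Passing the emission term Pr(observed event at time t | actual region) as a precomputed matrix derived from the LPPM's obfuscation PDF is an assumption of this sketch:

```python
import numpy as np

def viterbi(P, pi, emission):
    """Most likely sequence of actual regions for one user.
    P[i, j]        : mobility-profile transition probabilities
    pi[i]          : initial distribution over regions
    emission[t, i] : Pr(observed event at time t | actual region i), from the LPPM."""
    T, R = emission.shape
    logP = np.log(P + 1e-12)
    delta = np.log(pi + 1e-12) + np.log(emission[0] + 1e-12)
    back = np.zeros((T, R), dtype=int)
    for t in range(1, T):
        scores = delta[:, None] + logP                    # scores[i, j]: best path ending i -> j
        back[t] = scores.argmax(axis=0)
        delta = scores.max(axis=0) + np.log(emission[t] + 1e-12)
    path = [int(delta.argmax())]
    for t in range(T - 1, 0, -1):                         # backtrack through the pointers
        path.append(int(back[t, path[-1]]))
    return path[::-1]
```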

21 Location-Privacy Metric

22 Assessment of Inference Attacks
In an inference attack, the adversary estimates the true value of some random variable X (e.g., the location of a user at a given time instant). Let x_c (unknown to the adversary) be the actual value of X.
Three properties of the estimation's performance:
– How focused is the estimate on a single value? The entropy of the estimated random variable.
– How accurate is the estimate? Confidence level and confidence interval.
– How close is the estimate to the true value (the real outcome x_c)?
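The first of these properties can be computed directly from the adversary's posterior distribution; a small sketch of the entropy measure (the array layout is assumed):

```python
import numpy as np

def entropy(posterior):
    """Shannon entropy (in bits) of the adversary's estimated distribution over
    regions -- high entropy means the estimate is spread over many values."""
    p = posterior[posterior > 0]
    return float(-(p * np.log2(p)).sum())

# a uniform estimate over 40 regions is maximally unfocused: ~5.32 bits
print(entropy(np.full(40, 1.0 / 40)))
```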

23 Location-Privacy Metric
The true outcome of a random variable is what users want to hide from the adversary. Hence, the incorrectness of the adversary's inference attack is the metric that defines the privacy of users.
Location privacy of user u at time t with respect to the localization attack = incorrectness of the adversary (the expected estimation error): the sum over regions r of Pr[r | observed traces] · d(r, r_c), where r_c is the user's actual region at time t and d(·,·) is a distance between regions.
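A sketch of this incorrectness metric: the posterior over regions, the actual region, and a distance function d give the expected estimation error. Using Euclidean distance between region centroids on a grid is an assumption of the sketch; any distortion function d could be substituted.

```python
import numpy as np

def expected_estimation_error(posterior, actual_region, centroids):
    """Location privacy of one user at one time instant w.r.t. the localization
    attack: sum_r Pr(r | observation) * d(r, actual_region)."""
    d = np.linalg.norm(centroids - centroids[actual_region], axis=1)
    return float((posterior * d).sum())

# toy usage: 40 regions laid out on an 8x5 grid, posterior from the localization attack
centroids = np.array([(i % 8, i // 8) for i in range(40)], dtype=float)
posterior = np.full(40, 1.0 / 40)
lp = expected_estimation_error(posterior, actual_region=12, centroids=centroids)
```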

24 Location-Privacy Meter: A Tool to Quantify Location Privacy — http://lca.epfl.ch/projects/quantifyingprivacy

25 Location-Privacy Meter (LPM)
You provide the tool with:
– some traces to learn the users' mobility profiles
– the PDF associated with the protection mechanism
– some traces to run the tool on
LPM provides you with:
– the location privacy of users with respect to various attacks: localization, tracking, meeting disclosure, aggregate presence disclosure, …

26 LPM: An Example
CRAWDAD dataset: N = 20 users, R = 40 regions, T = 96 time instants.
Protection mechanism:
– Anonymization
– Location obfuscation: hiding the location, or precision reduction (dropping low-order bits from the x, y coordinates of the location; see the sketch below)
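The precision-reduction obfuscation mentioned here can be sketched as masking the low-order bits of each coordinate; the number of dropped bits is the mechanism's parameter (integer grid coordinates are an assumption of the sketch):

```python
def reduce_precision(x, y, dropped_bits=2):
    """Obfuscate a location by dropping the `dropped_bits` low-order bits of
    each coordinate, i.e. snapping the point to a coarser grid cell."""
    mask = ~((1 << dropped_bits) - 1)
    return x & mask, y & mask

# e.g. (13, 7) with 2 dropped bits maps to the cell corner (12, 4)
print(reduce_precision(13, 7))
```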

27 LPM: Results – Localization Attack (plot; includes the no-obfuscation baseline)

28 Assessment of Other Metrics: Entropy and k-anonymity (plots)

29 Conclusion
– A unified formal framework to describe and evaluate a variety of location-privacy preserving mechanisms with respect to various inference attacks
– Modeling LPPM evaluation as an estimation problem: throw attacks at the LPPM
– The right metric: expected estimation error
– An object-oriented tool (Location-Privacy Meter) to evaluate/compare location-privacy preserving mechanisms
http://people.epfl.ch/reza.shokri

31 Hidden Markov Model (diagram, Alice): the observed events O_i are sets of regions, e.g. {11,12,13}, {6,7,8}, {14,15,16}, {18,19,20}, …; the hidden states are Alice's actual regions. The edge weights combine the mobility profile and the LPPM, e.g. P_Alice(11), P_Alice(11→6), P_Alice(6→14), and P_LPPM(6→{6,7,8}).

