Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unraveling an old cloak: k-anonymity for location privacy

Published byHilda Payne Modified over 8 years ago

Similar presentations

Presentation on theme: "Unraveling an old cloak: k-anonymity for location privacy"— Presentation transcript:

1 Unraveling an old cloak: k-anonymity for location privacy
unravel: disentangle Reza Shokri1, Carmela Troncoso2, Claudia Diaz2, Julien Freudiger1, and Jean-Pierre Hubaux1 1 EPFL 2 K.U.Leuven

2 Location-Based Services
query, user, location, time local info, POIs, … LBS Provider Alice Problems of revealing location to LBS provider Sensitive information can be inferred from location Example: being at the hospital, lawyer, church… Profiling: daily routines, deviation from them, etc. Stalking Please rob me manual queries separated in time (every hour, rather than every few seconds)

3 Some location privacy techniques
Mix zones [BS04] Location / time perturbation [HG07] Add dummy queries [CG09] Solutions based on k-anonymity Anonymous usage of location-based services through spatial and temporal cloaking [Gruteser and Grunwald, 2003] 650 citations in Google Scholar Dozens of variants of the basic scheme have been proposed in the last years BS: Berestford, Stajano HG: Hoh, Gruteser CG: Chow, Golle Mix zones: Users change pseudonyms when traversing a mix zone. Unlink pieces of trajectories so that the full trajectory of a user is not revealed

4 k-anonymity in databases [SS98]
Objective: ensure that an “anonymized” database record cannot be linked back to the data subject Adversary has access to background info (e.g., census) Removing explicit identifiers (SSN, name, …) not enough Quasi-identifiers: subsets of attributes that indirectly identify an individual (e.g., gender, DoB, zip code) k-anonymity: use generalization and suppression to ensure that each record could correspond to at least k individuals

5 Example Release Table External Data Source Name Birth Gender ZIP Race
Andre 1964 m 02135 White Beth f 55410 Black Carol 90210 Dan 1967 02174 Ellen 1968 02237 Problems k-anonymity: Diversity, etc.

6 k-anonymity for “location privacy”
Concept: Consider LBS query as an entry in the database Consider location/time as a (quasi-)identifier Generalize location/time so that it could correspond to k users CAS: Central Anonymity Server

7 Privacy properties Query anonymity: not being able to identify the person who sent a query; i.e.: not possible to link query to the user identity Location privacy: not being able to locate a user; i.e.: not possible to link (location,time) to the user identity What do these k-anonymity techniques actually achieve??

8 Is k related to location privacy?
First look at the consistency of the k-anonymity metric Ability to accurately locate the user related to the size of the region R, rather than to k

9 Adversary with access to user location in real time
Query anonymity: This adversary model and property are equivalent to what is achieved with k-anonymity in databases Adversary uses background knowledge on the location of users to try to link users to their queries k users are present in the region: queries are k-anonymous Location privacy: Huh? BY DEFINITION: Adversary knows the location of users! what happens when we specify the adversary model?

10 Adversary with no background information
Adversary only sees <q,R> Query anonymity: ANY user of the system could be the issuer of the query Location privacy: ANY user of the system could be in region R This has nothing to do with k, or R With this adversary model, we do not need to construct any regions R: just send <q,l,t> to the LBS and the same privacy is achieved.

11 Adversary with some (statistical) background information
“user i likely to be in location l at time t” Query <q,R> is probably coming from one of the users likely to be in R (at the time the query is made) This is the adversary’s guess independently of how many users are actually in R when the query is sent! Adversary cannot see who is actually there, so her guess is only based on <q,R> and the background information Whether there is actually 1 user or 3 users in R, the query would be 3- anonymous towards the adversary Constructing R based on who is actually in the region does not add anything

12 In both cases, the query is 4-anonymous
likely (expected) region: A,B,C,D at home actual computed region In both cases, the query is 4-anonymous This technique actually enables the adversary to learn information she did not know! Adversary “expects” R (from background info), but instead receives R’ Learns: A,B,E,F at home; C and D probably not at home

13 Conclusions No clear distinction in a large body of literature between “query anonymity” and “location privacy” These are different properties! k-anonymity techniques provide “query anonymity”, but not necessarily “location privacy” (as it is claimed) Location privacy does not seem to depend on k Constructing cloaking regions based on the actual location of k users leaks information to an adversary relying on statistical background info “Adapting” techniques from one type of systems (e.g., databases) to another (e.g., LBSs) is not straightforward Need to carefully define privacy goals and adversarial knowledge and strategy This may sound obvious, but apparently it is not

Download ppt "Unraveling an old cloak: k-anonymity for location privacy"

Similar presentations

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.
Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,

Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,
M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.

M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.
Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.

Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.

1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.
Mohamed F. Mokbel University of Minnesota

Mohamed F. Mokbel University of Minnesota
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.

1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.
Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Privacy Preserving Publication of Moving Object Data Joey Lei CS295 Francesco Bonchi Yahoo! Research Avinguda Diagonal 177, Barcelona, Spain 6/10/20151CS295.

Privacy Preserving Publication of Moving Object Data Joey Lei CS295 Francesco Bonchi Yahoo! Research Avinguda Diagonal 177, Barcelona, Spain 6/10/20151CS295.
1 Dr. Xiao Qin Auburn University Spring, 2011 COMP 7370 Advanced Computer and Network Security Generalizing.

1 Dr. Xiao Qin Auburn University Spring, 2011 COMP 7370 Advanced Computer and Network Security Generalizing.
Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.

Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.

C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.
Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.

Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Attacks against K-anonymity

Attacks against K-anonymity

Similar presentations

Ads by Google