
On Non-Cooperative Location Privacy: A Game-theoretic Analysis

On Non-Cooperative Location Privacy: A Game-theoretic Analysis. CCS 2009. Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux. David C. Parkes. Pervasive Wireless Networks. Vehicular networks. Mobile Social networks. Human sensors. Personal WiFi bubble.


Presentation Transcript


  1. On Non-Cooperative Location Privacy: A Game-theoretic Analysis. CCS 2009. Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux. David C. Parkes

  2. Pervasive Wireless Networks Vehicular networks Mobile Social networks Human sensors Personal WiFi bubble

  3. Peer-to-Peer Communications WiFi/Bluetooth enabled 1 2 Identifier Message Signature || Certificate

  4. Location Privacy Problem • Passive adversary monitors identifiers used in peer-to-peer communications • Figure labels: node 1; 13h00: Lunch; 11h00: Art Institute; 10h00: Millennium Park

  5. Previous Work Message Pseudonym • Pseudonymity is not enough for location privacy [1, 2] • Removing pseudonyms is not enough either [3] Spatio-Temporal correlation of traces Identifier Message [1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009 [2] B. Hoh et al. Enhancing Security & Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006 [3] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. SECURECOMM, 2005

  6. Location Privacy with Mix Zones • Spatial decorrelation: Remain silent • Temporal decorrelation: Change pseudonym • Figure labels: 1, 2, x, y, ?, Mix zone • Why should a node participate? [1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. Percom, 2004

  7. Mix Zone Privacy Gain • Figure labels: B, D, 1, x, 2, y; t-, t=T; Number of nodes in mix zone

  8. Cost caused by Mix Zones • Turn off transceiver • Routing is difficult • Load authenticated pseudonyms + + =

  9. Problem • Tension between cost and benefit of mix zones • When should nodes change pseudonym?

  10. Method Rational Behavior Selfish optimization Security protocols Multi-party computations • Game theory • Evaluate strategies • Predict evolution of security/privacy • Example • Cryptography • Revocation • Privacy mechanisms

  11. Outline • User-centric Model • Pseudonym Change Game • Results

  12. Mix Zone Establishment • In pre-determined regions [1] • Dynamically [2] • Distributed protocol [1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. PercomW, 2004 [2] M. Li et al. Swing and Swap: User-centric approaches towards maximizing location privacy. WPES, 2006

  13. User-Centric Location Privacy Model • Privacy = Ai(T) – PrivacyLoss • Figure labels: Privacy, Ai(T1), Ai(T2), t, Traceable

  14. Pros/Cons of user-centric Model • Pro • Control when/where to protect your privacy • Con • Misaligned incentives

  15. Outline • User-centric Model • Pseudonym Change Game • Results

  16. Assumptions: Pseudonym Change game • Simultaneous decision • Players want to maximize their payoff • Consider privacy upper bound Ai(T) = log2(n(t))

  17. Game Model • Players • Mobile nodes in transmission range • There is a game iff • Strategy • Cooperate (C): Change pseudonym • Defect (D): Do not change pseudonym

  18. Pseudonym Change Game • Figure labels: C, D, C; 3, 2, 1; t, t1; Silent period

  19. Payoff Function • ui = privacy − cost • If C & Not alone, then ui = Ai(T) − γ • If C & Alone, then ui = ui⁻ − γ • If D, then ui = ui⁻

  20. Sequence of Pseudonym Change Games • Figure labels: E1, E2, E3; nodes 1 to 9; ui; Ai(T1) − γ; Ai(T2) − γ; C3; γ

  21. Outline • User-centric Model • Pseudonym Change Game • Results

  22. C-Game Complete information Each player knows the payoff of its opponents

  23. 2-Player C-Game Two pure-strategy Nash Equilibria (NE): (C,C)&(D,D) One mixed-strategy NE

  24. Best Response Correspondence 1 mixed-strategy NE 2 pure-strategy NE

  25. n-Player C-Game • All Defection is always a NE • A NE with cooperation exists iff there is a group of k users with • Theorem: The static n-player pseudonym change C-game has at least 1 and at most 2 pure strategy Nash equilibria. in the group of k nodes

  26. C-Game Results Result 1: high coordination among nodes at NE • Change pseudonyms only when necessary • Otherwise defect

  27. I-Game Incomplete information Players don’t know the payoff of their opponents

  28. Bayesian Game Theory • Define type of player θi = ui⁻ • Predict action of opponents based on pdf over type

  29. Environment • Low privacy • Middle privacy • High privacy

  30. Threshold Strategy • A threshold determines players’ action • Probability of cooperation is θi D ~ θi C t

  31. 2-Player I-Game Bayesian NE • Find threshold θ̃i* such that Average utility of cooperation = Average utility of defection

  32. Result 2: Large cost increases cooperation probability.

  33. Result 3: Strategies adapt to your environment.

  34. Result 4: A large number of nodes n provides incentive not to cooperate

  35. Conclusion Rational behavior in location privacy protocol • Propose a user-centric model of location privacy • Introduce Pseudonym Change game • Derive existence of equilibrium strategies • Evaluate effect of non-cooperative behavior Outcome: Protocol for distributed pseudonym changes among rational nodes Future: Evaluate performance of protocol

  36. lca.epfl.ch/privacy

  37. Backup Slides

  38. Payoff Function If , then C If , then If , then D where the payoff function at the time immediately prior to the strategy of the opponents of i the number of cooperating nodes besides i

  39. Best Response Correspondence 1 mixed-strategy NE 2 pure-strategy NE

  40. Type • Incomplete information => imperfect information [1] • Type captures the private information of players • Assume type is distributed with probability known to all players • Each player can predict the behavior of its opponents with Bayesian Game Theory [1] J. Harsanyi. Games with Incomplete Information Played by Bayesian Players. Management Science, 1967

  41. Result 3: Strategies adapt to environment.

  42. PseudoGame Protocol
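The C-game of slides 19, 23 and 25 can be checked by brute force; the following is an added example, not code from the presentation or its authors. It assumes that n(t) in the slide 16 upper bound counts the nodes that change pseudonym together, takes the payoff immediately before the game (written ui- on slide 19) as input, and uses hypothetical function names and constructed sample values.

```python
from itertools import product
from math import log2

def payoff(i, profile, u_prev, gamma):
    """Slide 19 payoff of node i for a profile of 'C'/'D' choices."""
    if profile[i] == "D":
        return u_prev[i]              # defect: keep the current privacy level
    k = profile.count("C")            # cooperating nodes, node i included
    if k == 1:
        return u_prev[i] - gamma      # changed alone: pays the cost, gains nothing
    return log2(k) - gamma            # assumption: Ai(T) = log2(k) (slide 16 bound)

def pure_nash(u_prev, gamma):
    """All pure-strategy profiles in which no single node gains by switching."""
    n, found = len(u_prev), []
    for profile in product("CD", repeat=n):
        stable = True
        for i in range(n):
            flipped = list(profile)
            flipped[i] = "D" if profile[i] == "C" else "C"
            gain = payoff(i, flipped, u_prev, gamma) - payoff(i, profile, u_prev, gamma)
            if gain > 1e-12:          # unilateral deviation pays off: not a NE
                stable = False
                break
        if stable:
            found.append("".join(profile))
    return found

def mixed_nash_2p(u_prev, gamma):
    """2-player mixed NE: cooperation probabilities (p1, p2) that leave the
    opponent indifferent, from p_j*(1 - gamma) + (1 - p_j)*(u_i - gamma) = u_i."""
    a = log2(2)                       # privacy gained when both nodes change
    p2 = gamma / (a - u_prev[0])      # node 2's probability makes node 1 indifferent
    p1 = gamma / (a - u_prev[1])      # node 1's probability makes node 2 indifferent
    return p1, p2

if __name__ == "__main__":
    # Constructed sample values: payoffs before the game and cost gamma.
    print(pure_nash((0.2, 0.3), 0.3))        # 2-player game of slide 23
    print(mixed_nash_2p((0.2, 0.3), 0.3))
    print(pure_nash((0.2, 0.3, 1.5), 0.3))   # node 3 already has high privacy
    print(pure_nash((0.2, 0.3), 0.9))        # cost too high for cooperation
```

In the three-node case the node that already has high privacy defects while the other two still change pseudonyms together, and all-defection remains an equilibrium in every case, as slide 25 states.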
