490 likes | 655 Views
(ECE 256: Wireless Networking and Mobile Computing) Location Privacy in Mobile Computing Topics: Pseudonymns, CliqueCloak, Path Confusion, CacheCloak …. Context. Better localization technology + Pervasive wireless connectivity = Location-based pervasive applications. Location-Based Apps.
E N D
(ECE 256: Wireless Networking and Mobile Computing)Location Privacy in Mobile ComputingTopics:Pseudonymns, CliqueCloak, Path Confusion, CacheCloak …
Context Better localization technology + Pervasive wireless connectivity = Location-based pervasive applications
Location-Based Apps • For Example: • GeoLife shows grocery list on phone when near WalMart • Micro-Blog allows querying people at a desired region • Location-based ad: Phone gets coupon at Starbucks • … • Location expresses context of user • Facilitating content delivery Location is the IP address Its as if for content
Double-Edged Sword While location drives this new class of applications, it also violates user’s privacy Sharper the location, richer the app, deeper the violation
Forward to local service: Retrieve all available services in location Request: Retrieve all available services in client’s location Reply: Reply: The Location Based Service Workflow Client LBS Database (Location Based Service) Server
Request: Retrieve all bus lines from location to address = = The Location Anonymity Problem Privacy Violated Client LBS Database (Location Based Service) Server
Double-Edged Sword Moreover, range of apps are PUSH based. Require continuous location information Phone detected at Starbucks, PUSH a coffee coupon Phone located on highway, query traffic congestion
Location Privacy • Problem: • Research: Continuous location exposure a serious threat to privacy Preserve privacy without sacrificing the quality of continuous loc. based apps
Just Call Yourself ``Freddy” • Pseudonymns • Effective only when infrequent location exposure • Else, spatio-temporal patterns enough to deanonymize … think breadcrumbs Leslie Jack John Susan Alex Romit’s Office
A Customizable k-Anonymity Model for Protecting Location Privacy Paper by: B. Gedik, L.Liu (Georgia Tech) Slides adopted from: Tal Shoseyov
Location Anonymity “A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.” Database
k-Anonymity “A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”
Implementation of Location Anonymity Server transforms the message by “anonymizing” the location data in the message Database executes request according to the received anonymous data Server forwards data to client Server sends “anonymized” message Database replies to server with compiled data Client sends plain request to the server
y x t Implementation of Location k-Anonymity Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message in the “same time”. Spatial Cloaking – Setting a range of space to be a single box, where all clients located within the range are said to be in the “same location”.
t y x Implementation of Location k-Anonymity Spatial-Temporal Cloaking – Setting a range of space and a time interval, where all the messages sent by client inside the range in that time interval. This spatial and temporal area is called a “cloaking box”.
Previous solutions M. Gruteser, D Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 different otherclients, and monitoring that area over time until suchk-1 clients are found. Drawback: Fixed anonymity value for all clients (service dependent)
y x The CliqueCloakApproach Definitions: Constraint Area: For a message m, a constraint area is a spatial-temporal area that contains the sending client’s location. A client sends his message along with a constraint area to prevent the database from sending the client useless information on locations outside the constraint area. m k=3
y x The CliqueCloakApproach Definitions: Cloaking Box: A spatial and temporal area assigned to a transformed message. A valid cloaking box must comply to the following conditions: 1. The client that sent the message m is located in the cloaking box 2. The number of different clients inside the cloaking box must be at least m.k (the anonymity level of the message). 3. The cloaking box must be included inside the message’s constraint area. m4 k=3 m2 k=3 m1 k=2
y x The CliqueCloakApproach Definitions: Approach: Constraint Graph: Each mobile node is a vertice in the graph, and 2 nodes are connected iff each of them is inside the other node’s constraint area. An l-clique in that graph such that l≥ mi.k for each i is mapped by the algorithm to a spatial cloaking box, where all messages in the clique will be transformed using the cloaking box, making each of the messages’ senders indistinguishable from one another. m3 k=2 m4 k=3 m2 k=3 m1 k=2
t y x The CliqueCloak Algorithm The Idea: • For each plain message, along with its constraints and anonymity level k, we try to find a k-clique in the constraint graph and convert the clique into a spatial cloaking box. • Each of the messages inside the cloaking box will be converted into transformed messages, replacing their location values with the cloaking box. • We try finding a cloaking box for a message until it is expired (exceeds its temporal constraints).
Does CliqueCloak solve the location privacy problem? Any further concerns? Doubts?
Add Noise • K-anonymity and CliqueCloak • Convert location to a space-time bounding box • Ensure K users in the box • Location Apps reply to boxed region • Issues • Poor quality of location • Degrades in sparse regions • Not real-time Bounding Box You K=4
Confuse Via Mixing • Path intersections is an opportunity for privacy • If users intersect in space-time, cannot say who is who later • Issues • Users may not be collocated in space and time • Mixing still possible at the expense of delay
Existing solutions seem to suggest: Privacy and Quality of Localization (QoL) is a zero sum game Need to sacrifice one to gain the other
Ideal Solution Should Break away from this tradeoff Target: Spatial accuracy Real-time updates Privacy guarantees Even in sparse populations Another Idea: CacheCloak
CacheCloak Intuition Exploit mobility prediction to create future path intersections User’s paths are like crossroads of breadcrumbs App knows precise locations, but doesn’t know the user
CacheCloak • Assume trusted privacy provider • Reveal location to CacheCloak • CacheCloak exposes anonymized location to Loc. App Loc. App1 Loc. App2 Loc. App3 Loc. App4 CacheCloak
CacheCloak Design • User A drives down path P1 • P1 is a sequence of locations • CacheCloak has cached response for each location • User A takes a new turn (no cached response) • CacheCloak predicts mobility • Deliberately intersects predicted path with another path P2 • Exposes predicted path to application • Application replies to queries for entire path • CacheCloak always knows user’s current location • Forwards cached responses for that precise location
CacheCloak Design • Adversary confused • New path intersects paths P1 and P2 (crossroads) • Not clear where the user came from or turned onto Example …
Benefits • Real-time • Response ready when user arrives at predicted location • High QoL • Responses can be specific to location • Overhead on the wired backbone (caching helps) • Entropy guarantees • Entropy increases at traffic intersections • In low regions, desired entropy possible via false branching • Sparse population • Can be handled with dummy users
Quantifying Privacy • City converted into grid of small sqaures (pixels) • Users are located at a pixel at a given time • Each pixel associated with 8x8 matrix • Element (x, y) = probability that user enters x and exits y • Probabilities diffuse • At intersections • Over time • Privacy = entropy y x pixel
Diffusion • Probability of user’s presence diffuses • Diffusion gradient computed based on history • i.e., what fraction of users take right turn at this intersection Time t1 Time t2 Time t3 Road Intersection
Evaluation • Trace based simulation • VanetMobiSim + US Census Bureau trace data • Durham map with traffic lights, speed limits, etc. • Vehicles follow Google map paths • Performs collision avoidance 6km x 6km 10m x 10m pixel 1000 cars
Results • High average entropy • Quite insensitive to user density (good for sparse regions) • Minimum entropy reasonably high
Results • Per-user entropy • Increases quickly over time • No user starves of location privacy
Issues and Limitations • CacheCloak overhead • Application replies to lots of queries • However, overhead on wired infrastructure • Caching reduces this overhead significantly • CacheCloak assumes same, indistinguishable query • Different queries can deanonymize • Need more work • Per-user privacy guarantee not yet supported • Adaptive branching & dummy users
Closing Thoughts Two nodes may intersect in space but not in time Mixing not possible, without sacrificing timeliness Mobility prediction creates space-time intersections Enables virtual mixing in future
Closing Thoughts CacheCloak Implements the prediction and caching function Significant entropy attained even under sparse population Spatio-temporal accuracy remains uncompromised
Final Take Away Chasing a car is easier on highways … Much harder in Manhattan crossroads CacheCloak tries to turn a highway into a virtual Manhattan … Well, sort of …
Emerging trends in content distribution • Content delivered to a location / context • As opposed to a destination address • Thus, “location” is a key driver of content delivery IP address : Internet = Location : CDN • New wave of applications
Emerging trends in content distribution • Content delivered to a location / context • As opposed to a destination address • Thus, “location” is a key driver of content delivery IP address : Internet = Location : CDN • New wave of applications
Location Privacy • Problem: Continuous location exposure deprives user of her privacy.
Location Frequency • Some location apps are reactive / infrequent • E.g., List Greek restaurants around me now (PULL) • But, many emerging apps are proactive • E.g., Phone detected at Starbucks, PUSH a coffee coupon
Location Frequency • Some location apps are reactive / infrequent • E.g., List Greek restaurants around me now (PULL) • But, many emerging apps are proactive • E.g., Phone detected at Starbucks, PUSH a coffee coupon Opportunity for Big Bro to track you over space and time Proactive apps require continuous location
Categorizing Apps • Some location apps are reactive • You ask, App answers • E.g., Pull all Greek restaurants around your location • But, many emerging apps are proactive • E.g., Phone detected at Starbucks, PUSH a coffee coupon
Categorizing Apps • Some location apps are reactive • You ask, App answers • E.g., Pull all Greek restaurants around your location • But, many emerging apps are proactive • E.g., Phone detected at Starbucks, PUSH a coffee coupon Proactive apps require continuous location