
A Distortion-based Metric for Location Privacy

Explore a framework for assessing location privacy, including distortion-based metric effectiveness against existing tools. A focus on location privacy mechanisms and adversary profiling strategies.





Presentation Transcript


  1. Reza Shokri, Julien Freudiger, Murtuza Jadliwala, Jean-Pierre Hubaux. A Distortion-based Metric for Location Privacy. http://lca.epfl.ch/privacy. Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009

  2. Privacy in Mobile Networks Location-based Services Pervasive Networks

  3. Privacy in Mobile Networks

  4. Location Privacy Protection • Several privacy preserving mechanisms • No common notation in previous work • Various metrics for location privacy • How to compare different mechanisms? • Which metric to use? • Is location privacy captured properly?

  5. Our Contributions • A generic framework for location privacy • Analysis of the effectiveness of existing location privacy metrics • A distortion-based metric that can capture location privacy more accurately

  6. Outline • A Framework for Location Privacy • Location Privacy Metrics • A Distortion-based Metric

  7. A Framework for Location Privacy • Mobile Users • Actual Identities, Pseudonyms • Events and Traces (Trajectories)

  8. Actual Events/Traces [figure: map of events; legend: Color: user identity, Number: time-stamp, Position in the map: location-stamp]

  9. A Framework for Location Privacy Mobile Users Actual Identities, Pseudonyms Events and Traces (Trajectories) Location Privacy Preserving Mechanisms

  10. A Framework for Location Privacy Location Privacy Preserving Mechanism Attack Elimination Observation Reconstruction Actual Events Observable Events Obfuscation Anonymization Transformation function

  11. Location Privacy Preserving Mechanisms [figure: map of the actual events]

  12. Location Privacy Preserving Mechanisms • Elimination [figure: map of events after elimination]

  13. Location Privacy Preserving Mechanisms • Elimination • Obfuscation [figure: map of events after elimination and obfuscation]

  14. Location Privacy Preserving Mechanisms • Elimination • Obfuscation • Anonymization [figure: map of events after elimination, obfuscation and anonymization]

  15. A Framework for Location Privacy Mobile Users Actual Identities, Pseudonyms Events and Traces (Trajectories) Location Privacy Preserving Mechanisms Adversary

  16. Adversary • Knows the privacy preserving mechanism • Knows how users tend to move • Profiles users' mobility • What is the probability of going from one location to another location in a given time period • What is the probability of being in a location at a time instance (density of users on the map) • Aims at reconstructing users' actual events

  17. A Framework for Location Privacy Mobile Users Actual Identities, Pseudonyms Events and Traces (Trajectories) Location Privacy Preserving Mechanisms Adversary Location Privacy Metrics

  18. Linkability Graph. Vertices: observed events. Directed edges: linking subsequent events of the same user. Weight of an edge: linkability probability. [figure: linkability graph over the observed events]

  19. Outline • A Framework for Location Privacy • Location Privacy Metrics: Description • A Distortion-based Metric

  20. Existing Location Privacy Metrics • Uncertainty-based • “Clustering Error”-based • K-anonymity

  21. Uncertainty-based Metrics. User privacy at the time of an observed event: adversary's uncertainty (i.e., entropy) in linking that event with its subsequent events. [figure: observed events with the candidate links from one event] References: C. Diaz, S. Seys, J. Claessens, and B. Preneel. Towards measuring anonymity. In PET, 2002. A. Serjantov and G. Danezis. Towards an information theoretic metric for anonymity. In PET, 2002. A. R. Beresford and F. Stajano. Mix zones: User privacy in location-aware services. IEEE PerCom Workshops, 2004.

  22. "Clustering Error"-based Metrics. System privacy: average distance of the adversary set partition and the actual set partition. [figure: observed events with legend: Actual set partition, Adversary set partition] References: B. Hoh and M. Gruteser. Protecting location privacy through path confusion. In SECURECOMM, 2005. L. Fischer, S. Katzenbeisser, and C. Eckert. Measuring unlinkability revisited. In ACM WPES, 2008.

  23. K-anonymity. At an observed event, a user is k-anonymous if there are at least k-1 other users that have the same observed events. [figure: observed events, several users sharing the same observed event] References: P. Samarati and L. Sweeney. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. In IEEE Symposium Research in Security and Privacy, 1998. L. Sweeney. k-anonymity: a model for protecting privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst., 10(5), 2002. M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In ACM MobiSys, 2003.

  24. Outline A Framework for Location Privacy Location Privacy Metrics: Evaluation A Distortion-based Metric

  25. Evaluation: Scenario 1. Drawback of uncertainty-based and k-anonymity metrics. [figure: two traces; labels: Adversary's probability of error, Adversary's tracking error]

  26. Evaluation: Scenario 2. Drawback of "clustering error"-based metrics. [figure: two traces with a single adversary mistake] The clustering error is high although both users are tracked most of the time.

  27. Outline • A Framework for Location Privacy • Location Privacy Metrics • A Distortion-based Metric

  28. A Distortion-based Metric (1). For each observed event for a given user, for each time instance, predict the subsequent events (based on the adversary knowledge) until the next observed event. Distortion at each time instance: the expected error (in space) in predicted events. [figure: one observed event, the actual next event, and two predicted events with probabilities p1, p2 at distances d1, d2 from the actual one] D = p1·d1 + p2·d2
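An added worked example (not from the paper or its authors) that computes the slide's distortion D = sum of p_i·d_i over the adversary's predicted events and, on a constructed grid scenario, contrasts it with the uncertainty-based (entropy) metric of slide 21 to reproduce the Scenario 1 point: the adversary's probability of error can be high while its tracking error stays small. Candidate locations, probabilities and the optional sensitivity weights are assumed values.

```python
import math


def entropy_bits(probs):
    """Uncertainty-based metric: entropy (bits) of the adversary's linkability distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def distortion(actual, candidates):
    """Distortion at one time instance: D = sum_i p_i * d_i, where p_i is the adversary's
    probability for predicted location i and d_i its Euclidean distance from the actual one."""
    return sum(p * math.dist(actual, loc) for loc, p in candidates)


def trace_distortion(steps, sensitivity=None):
    """Average distortion over the time instances between two observed events.
    steps: list of (actual_location, candidates). sensitivity: optional per-step
    weights in [0, 1] (slide 32); assumed here to be supplied by the user."""
    weights = sensitivity or [1.0] * len(steps)
    total = sum(w * distortion(a, c) for w, (a, c) in zip(weights, steps))
    return total / len(steps)


# Constructed scenario on a unit grid. In both cases the adversary cannot pick one
# link with certainty, but the candidates differ in how far they lie from the truth.
ACTUAL = (5.0, 5.0)
# Four equiprobable candidates, all within one cell of the actual location.
NEAR = [((5.0, 5.0), 0.25), ((6.0, 5.0), 0.25), ((5.0, 6.0), 0.25), ((6.0, 6.0), 0.25)]
# Two equiprobable candidates, one of them 20 cells away.
FAR = [((5.0, 5.0), 0.5), ((25.0, 5.0), 0.5)]


def compare():
    """Return (entropy, distortion) per scenario. Entropy ranks NEAR as more private
    (2 bits vs 1 bit); distortion ranks FAR as more private (10 vs about 0.85)."""
    return {
        "near": (entropy_bits([p for _, p in NEAR]), distortion(ACTUAL, NEAR)),
        "far": (entropy_bits([p for _, p in FAR]), distortion(ACTUAL, FAR)),
    }


if __name__ == "__main__":
    for name, (h, d) in compare().items():
        print(f"{name}: entropy={h:.2f} bits, distortion={d:.2f}")
```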

  29. A Distortion-based Metric (2) [figure: the actual trace (left) and the adversary's linkability graph over the observed events (right)]

  30. Evaluation: Scenario 1 [figure: two traces; labels: Adversary's probability of error, Adversary's tracking error]

  31. Evaluation: Scenario 2 [figure: two traces with a single adversary mistake]

  32. Sensitivity to Location/Time. Sensitivity of a user to a location at a specific time instance. [figure: map of events with labelled places: Home, Friend's Place, Work Place] We weight the distortion based on the sensitivity of a user to a location/time pair.

  33. http://lca.epfl.ch/privacy Conclusion and Future Work • A framework for location privacy • Modeling different metrics within our framework • A new distortion-metric for measuring location privacy that satisfies the expected criteria • Future: Modeling time obfuscation methods • Future: Using the metric in different scenarios
