1 / 54

Location Privacy

Explore the double-edged sword of location-based apps, which provide personalized services but also violate user privacy. Discover solutions like pseudonyms, k-anonymity, and CacheCloak that aim to protect location privacy while maintaining app quality.

wloeffler
Download Presentation

Location Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Location Privacy

  2. Context Better localization technology + Pervasive wireless connectivity = Location-based applications

  3. Location-Based Apps • For Example: • GeoLife shows grocery list near WalMart • Micro-Blog allows location scoped querying • Location-based ad: Coffee coupon at Starbucks • … • Location expresses context of user • Facilitating content delivery Its as if Location is the IP address for content

  4. Double-Edged Sword While location drives this new class of applications, it also violates user’s privacy Sharper the location, richer the app, deeper the violation

  5. Forward to local service: Retrieve all available services in location Request: Retrieve all available services in client’s location Reply: Reply: The Location Based Service Workflow Client LBS Database (Location Based Service) Server

  6. Request: Retrieve all bus lines from location to address = = The Location Anonymity Problem Privacy Violated Client LBS Database (Location Based Service) Server

  7. Double-Edged Sword Moreover, range of apps are PUSH based. Require continuous location information Phone detected at Starbucks, PUSH a coffee coupon Phone located on highway, query traffic congestion

  8. Location Privacy • Problem: • Research: Continuous location exposure a serious threat to privacy Preserve privacy without sacrificing the quality of continuous loc. based apps

  9. Just Call Yourself ``Freddy” • Pseudonymns [Gruteser04] • Effective only when infrequent location exposure • Else, spatio-temporal patterns enough to deanonymize … think breadcrumbs Leslie Jack John Susan Alex Romit’s Office

  10. A Customizable k-Anonymity Model for Protecting Location Privacy Paper by: B. Gedik, L.Liu (Georgia Tech) Slides adopted from: Tal Shoseyov

  11. Location Anonymity “A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.” Database

  12. k-Anonymity “A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”

  13. Implementation of Location Anonymity Server transforms the message by “anonymizing” the location data in the message Database executes request according to the received anonymous data Server forwards data to client Server sends “anonymized” message Database replies to server with compiled data Client sends plain request to the server

  14. y x t Implementation of Location k-Anonymity Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message in the “same time”. Spatial Cloaking – Setting a range of space to be a single box, where all clients located within the range are said to be in the “same location”.

  15. t y x Implementation of Location k-Anonymity Spatial-Temporal Cloaking – Setting a range of space and a time interval, where all the messages sent by client inside the range in that time interval. This spatial and temporal area is called a “cloaking box”.

  16. Previous solutions M. Gruteser, D Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 different otherclients, and monitoring that area over time until suchk-1 clients are found. Drawback: Fixed anonymity value for all clients (service dependent)

  17. Basically, Add Noise • K-anonymity[Gedic05] • Convert location to a space-time bounding box • Ensure K users in the box • Location Apps reply to boxed region • Issues • Poor quality of location • Degrades in sparse regions • Not real-time Bounding Box You K=4

  18. Confuse Via Mixing • Path intersections is an opportunity for privacy • If users intersect in space-time, cannot say who is who later

  19. ? ? Unfortunately, users may not intersect in both space and time Confuse Via Mixing • Path intersections is an opportunity for privacy • If users intersect in space-time, cannot say who is who later Hospital Airport

  20. Hiding Until Mixed • Partially hide locations until users mixed [Gruteser07] • Expose after a delay Hospital Airport

  21. Hiding Until Mixed • Partially hide locations until users mixed [Gruteser07] • Expose after a delay Hospital Airport But delays unacceptable to real-time apps

  22. Existing solutions seem to suggest: Privacy and Quality of Localization (QoL) is a zero sum game Need to sacrifice one to gain the other

  23. Hiding Stars with Fireworks:Location Privacy through Camouflage

  24. Goal Break away from this tradeoff Target: Spatial accuracy Real-time updates Privacy guarantees Even in sparse populations New Proposal: CacheCloak

  25. The Intuition • Predict until paths intersect Hospital Airport

  26. The Intuition • Predict until paths intersect Hospital Predict Airport Predict

  27. The Intuition • Predict until paths intersect • Expose predicted intersection to application Hospital Predict Airport Predict Cache the information on each predicted location

  28. CacheCloak System Design and Evaluation

  29. Architecture • Assume trusted privacy provider • Reveal location to CacheCloak • CacheCloak exposes anonymized location to Loc. App Loc. App1 Loc. App2 Loc. App3 Loc. App4 CacheCloak

  30. In Steady State … Location Based Application CacheCloak

  31. Prediction Location Based Application Backward prediction Forward prediction CacheCloak

  32. Prediction Location Based Application CacheCloak

  33. Predicted Intersection Location Based Application Predicted Path CacheCloak

  34. Query Location Based Application Predicted Path CacheCloak

  35. Query Location Based Application ? ? ? ? CacheCloak

  36. LBA Responds Location Based Application Array of responses CacheCloak

  37. Cached Location Based Application Cached Responses CacheCloak Location based Information

  38. Cached Response Location Based Application Cached Responses CacheCloak Location based Information

  39. Cached Response Location Based Application Cached Responses CacheCloak Location based Information

  40. Cached Response Location Based Application Cached Responses CacheCloak

  41. Cached Response Location Based Application Predicted Path CacheCloak

  42. Predicted Path Benefits • Real-time • Response ready when user arrives at predicted location • High QoL • Responses can be specific to location • Overhead on the wired backbone (caching helps) • Entropy guarantees • Entropy increases at traffic intersections • Sparse population • Can be handled with dummy users, false branching

  43. Quantifying Privacy • City converted into grid of small sqaures (pixels) • Users are located at a pixel at a given time • Each pixel associated with 8x8 matrix • Element (x, y) = probability that user enters x and exits y • Probabilities diffuse • At intersections • Over time • Privacy = entropy y x pixel

  44. Diffusion • Probability of user’s presence diffuses • Diffusion gradient computed based on history • i.e., what fraction of users take right turn at this intersection Time t1 Time t2 Time t3 Road Intersection

  45. Evaluation • Trace based simulation • VanetMobiSim + US Census Bureau trace data • Durham map with traffic lights, speed limits, etc. • Vehicles follow Google map paths • Performs collision avoidance 6km x 6km 10m x 10m pixel 1000 cars

  46. Results • High average entropy • Quite insensitive to user density (good for sparse regions) • Minimum entropy reasonably high Max. Bits of Mean Entropy Min. Time (Minutes) Number of Users (N)

  47. Results • Peak Counting • # of places where attacker’s confidence is > Threshold Mean # of Peaks Time (Seconds) Time (Seconds)

  48. Results • Peak Counting • # of places where attacker’s confidence is > Threshold Mean # of Peaks Number of Users (N)

  49. Limitations, Discussions … • CacheCloak overhead • Application replies to lot of queries • However, overhead on wired infrastructure • Caching reduces this overhead significantly • CacheCloak assumes same, indistinguishable query • Different queries can deanonymize • Possible through query combination … future work • Per-user privacy guarantee not yet supported • Adaptive branching & dummy users • CacheCloak - a central trusted entity • Distributed version proposed in the paper

  50. Closing Thoughts Two nodes may intersect in space but not in time Mixing not possible, without sacrificing timeliness Mobility prediction creates space-time intersections Enables virtual mixing in future

More Related