1
(ECE 256: Wireless Networking and Mobile Computing)
Location Privacy in Mobile Computing
Topics: Pseudonyms, CliqueCloak, Path Confusion, CacheCloak …
2
Context
Better localization technology
+ Pervasive wireless connectivity
= Location-based pervasive applications
3
Location-Based Apps
For example:
GeoLife shows grocery list on phone when near WalMart
Micro-Blog allows querying people at a desired region
Location-based ad: Phone gets coupon at Starbucks …
Location expresses context of user, facilitating content delivery
It's as if location is the IP address for content
4
Double-Edged Sword
While location drives this new class of applications, it also violates the user’s privacy
Sharper the location, richer the app, deeper the violation
5
The Location Based Service Workflow
Client → Server → LBS Database (Location Based Service)
Request: Retrieve all available services in client’s location
Forward to local service: Retrieve all available services in location
Reply (LBS Database → Server), Reply (Server → Client)
6
The Location Anonymity Problem
Client → Server → LBS Database (Location Based Service)
Request: Retrieve all bus lines from location to address
Privacy Violated
7
Double-Edged Sword
Moreover, a range of apps are PUSH based: they require continuous location information
Phone detected at Starbucks, PUSH a coffee coupon
Phone located on highway, query traffic congestion
8
Location Privacy
Problem: Continuous location exposure is a serious threat to privacy
Research: Preserve privacy without sacrificing the quality of continuous location-based apps
9
Just Call Yourself “Freddy”
Pseudonyms: effective only when location exposure is infrequent
Else, spatio-temporal patterns are enough to deanonymize
… think breadcrumbs
(Figure: Romit’s Office, with pseudonymous users John, Leslie, Jack, Susan, Alex)
10
A Customizable k-Anonymity Model for Protecting Location Privacy
Paper by: B. Gedik, L. Liu (Georgia Tech)
Slides adopted from: Tal Shoseyov
11
Location Anonymity
“A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.”
12
k-Anonymity
“A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”
13
Implementation of Location Anonymity
1. Client sends plain request to the server
2. Server transforms the message by “anonymizing” the location data in the message
3. Server sends “anonymized” message to the database
4. Database executes request according to the received anonymous data
5. Database replies to server with compiled data
6. Server forwards data to client
14
Implementation of Location k-Anonymity
Spatial Cloaking – Setting a range of space to be a single box, where all clients located within the range are said to be in the “same location”.
Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message at the “same time”.
15
Implementation of Location k-Anonymity
Spatial-Temporal Cloaking – Setting a range of space and a time interval, so that all messages sent by clients inside the range during that time interval are treated as sent from the “same location” at the “same time”. This spatial and temporal area is called a “cloaking box”.
16
Previous solutions
M. Gruteser, D. Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 other clients, and monitors that area over time until such k-1 clients are found.
Drawback:
Fixed anonymity value for all clients (service dependent)
17
The CliqueCloak Approach
Definitions:
Constraint Area: For a message m, a constraint area is a spatial-temporal area that contains the sending client’s location. A client sends his message along with a constraint area to prevent the database from sending the client useless information on locations outside the constraint area.
(Figure: message m with k=3 and its constraint area in the x–y plane)
18
The CliqueCloak Approach
Definitions:
Cloaking Box: A spatial and temporal area assigned to a transformed message. A valid cloaking box must comply with the following conditions:
1. The client that sent the message m is located in the cloaking box
2. The number of different clients inside the cloaking box must be at least m.k (the anonymity level of the message).
3. The cloaking box must be included inside the message’s constraint area.
(Figure: messages m1 (k=2), m2 (k=3), m4 (k=3) with their constraint areas in the x–y plane)
19
The CliqueCloak Approach
Definitions:
Constraint Graph: Each mobile node is a vertex in the graph, and 2 nodes are connected iff each of them is inside the other node’s constraint area.
(Figure: messages m1 (k=2), m2 (k=3), m3 (k=2), m4 (k=3) and their constraint-graph edges in the x–y plane)
Approach: An l-clique in that graph such that l ≥ mi.k for each i is mapped by the algorithm to a spatial cloaking box, where all messages in the clique will be transformed using the cloaking box, making each of the messages’ senders indistinguishable from one another.
20
The CliqueCloak Algorithm
The Idea:
• For each plain message, along with its constraints and anonymity level k, we try to find a k-clique in the constraint graph and convert the clique into a spatial cloaking box.
• Each of the messages inside the cloaking box will be converted into transformed messages, replacing their location values with the cloaking box.
• We try finding a cloaking box for a message until it is expired (exceeds its temporal constraints).
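The CliqueCloak steps on slides 17–20, as an added example written for this page (not the Gedik/Liu implementation): it builds the constraint graph, searches for the smallest clique containing a pending message whose size satisfies every member's anonymity level, and returns the members' bounding box as the cloaking box. The messages, coordinates, k values and constraint areas are constructed sample data, and the temporal dimension is left out, so every message is assumed to be pending at the same time.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Added example (not the paper's code). Coordinates, anonymity levels and
# constraint areas below are constructed sample data. The temporal dimension
# is dropped for brevity: every message is assumed to be pending at once.


@dataclass(frozen=True)
class Rect:
    """Axis-aligned rectangle; used both as constraint area and as cloaking box."""
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, x: float, y: float) -> bool:
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1


@dataclass(frozen=True)
class Message:
    mid: str
    x: float
    y: float
    k: int        # anonymity level m.k requested by the client
    area: Rect    # constraint area sent along with the message


def constraint_graph(msgs: List[Message]) -> Dict[str, Set[str]]:
    """Edge between two messages iff each lies inside the other's constraint area."""
    adj: Dict[str, Set[str]] = {m.mid: set() for m in msgs}
    for a, b in combinations(msgs, 2):
        if a.area.contains(b.x, b.y) and b.area.contains(a.x, a.y):
            adj[a.mid].add(b.mid)
            adj[b.mid].add(a.mid)
    return adj


def is_clique(ids: Tuple[str, ...], adj: Dict[str, Set[str]]) -> bool:
    return all(b in adj[a] for a, b in combinations(ids, 2))


def find_cloaking_box(target: Message, msgs: List[Message]) -> Optional[Tuple[List[str], Rect]]:
    """Smallest clique containing `target` whose size l satisfies l >= m.k for
    every member, returned with the cloaking box (bounding box of the members).
    None means the message keeps waiting (until its temporal constraint expires)."""
    by_id = {m.mid: m for m in msgs}
    adj = constraint_graph(msgs)
    nbrs = sorted(adj[target.mid])
    # Smallest cliques first: a smaller box means better quality of location.
    for size in range(target.k, len(nbrs) + 2):
        for others in combinations(nbrs, size - 1):
            ids = (target.mid,) + others
            if not is_clique(ids, adj):
                continue
            members = [by_id[i] for i in ids]
            if any(size < m.k for m in members):
                continue  # condition 2: box must hold at least m.k distinct clients
            xs = [m.x for m in members]
            ys = [m.y for m in members]
            box = Rect(min(xs), min(ys), max(xs), max(ys))
            # Conditions 1 and 3 hold by construction: every member is inside its
            # own bounding box, and the box lies inside each member's constraint
            # area because the areas are convex and contain every member point.
            return sorted(ids), box
    return None


# Constructed sample: m1..m3 are mutually inside each other's constraint areas,
# m4 is far away and has no neighbour in the constraint graph.
SAMPLE = [
    Message("m1", 2, 2, k=2, area=Rect(0, 0, 6, 6)),
    Message("m2", 3, 4, k=3, area=Rect(1, 1, 7, 7)),
    Message("m3", 5, 3, k=2, area=Rect(2, 0, 8, 6)),
    Message("m4", 20, 20, k=3, area=Rect(18, 18, 22, 22)),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.mid, find_cloaking_box(m, SAMPLE))
```

With this sample, m1 (k=2) is cloaked together with m3 in the box (2,2)–(5,3); m2 (k=3) needs all three of m1, m2, m3 and gets the larger box (2,2)–(5,4); m4 has no clique and stays pending, which is exactly the sparse-region weakness the later slides raise. The brute-force clique search is fine for a handful of neighbours but is exponential in general, which is why the paper bounds the search by the constraint areas and message expiry.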
21
Does CliqueCloak solve the location privacy problem?
Any further concerns? Doubts?
22
Add Noise
K-anonymity and CliqueCloak:
Convert location to a space-time bounding box
Ensure K users in the box
Location apps reply to the boxed region
Issues:
Poor quality of location
Degrades in sparse regions
Not real-time
(Figure: you inside a bounding box with K=4)
23
Confuse Via Mixing
Path intersections are an opportunity for privacy: if users intersect in space-time, one cannot say who is who
Issues:
Users may not be collocated in space and time
Mixing still possible at the expense of delay
24
Existing solutions seem to suggest:
Privacy and Quality of Localization (QoL) is a zero sum game
Need to sacrifice one to gain the other
25
Ideal Solution Should
Break away from this tradeoff
Target: Spatial accuracy, Real-time updates, Privacy guarantees
Even in sparse populations
Another Idea: CacheCloak
26
CacheCloak Intuition
Exploit mobility prediction to create future path intersections
User’s paths are like crossroads of breadcrumbs
App knows precise locations, but doesn’t know the user
27
CacheCloak
Assume trusted privacy provider
Reveal location to CacheCloak
CacheCloak exposes anonymized location to Loc. App
(Figure: CacheCloak sitting between the user and Loc. App1 … Loc. App4)
28
CacheCloak Design
User A drives down path P1; P1 is a sequence of locations; CacheCloak has a cached response for each location
User A takes a new turn (no cached response): CacheCloak predicts mobility, deliberately intersects the predicted path with another path P2, and exposes the predicted path to the application
Application replies to queries for the entire path
CacheCloak always knows the user’s current location and forwards cached responses for that precise location
29
CacheCloak Design
Adversary confused: new path intersects paths P1 and P2 (crossroads); not clear where the user came from or turned onto
Example …
30
Example
31
Benefits
Real-time: Response ready when user arrives at predicted location
High QoL: Responses can be specific to location; overhead on the wired backbone (caching helps)
Entropy guarantees: Entropy increases at traffic intersections; in low-entropy regions, desired entropy possible via false branching
Sparse population: Can be handled with dummy users
32
Quantifying Privacy
City converted into grid of small squares (pixels)
Users are located at a pixel at a given time
Each pixel associated with an 8x8 matrix: element (x, y) = probability that user enters via x and exits via y
Probabilities diffuse: at intersections, over time
Privacy = entropy
$E_{user} = -\sum_{i \in pixels} p_i \log p_i$
33
Diffusion
Probability of user’s presence diffuses
Diffusion gradient computed based on history, i.e., what fraction of users take a right turn at this intersection
(Figure: road intersection at times t1, t2, t3)
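Slides 32 and 33 (entropy as the privacy metric, and diffusion of the user's presence probability along the road graph), as an added example written for this page rather than CacheCloak's own code. The road map and the historical turn fractions are constructed, and the per-pixel 8x8 entry/exit matrix of the paper is simplified to one successor distribution per pixel; that distribution plays the role of the diffusion gradient.

```python
import math
from typing import Dict, List

# Added example, not CacheCloak's implementation. Road graph and turn fractions
# are constructed. Each pixel keeps one successor distribution estimated from
# history (what fraction of users took each branch) instead of the paper's
# 8x8 entry/exit matrix; this is the diffusion gradient.

# pixel -> {next pixel: historical fraction of users taking that branch}
TURNS: Dict[str, Dict[str, float]] = {
    "a": {"b": 1.0},              # straight road: no uncertainty added
    "b": {"c": 0.7, "d": 0.3},    # intersection: 70% straight, 30% turn
    "c": {"e": 1.0},
    "d": {"f": 0.5, "g": 0.5},    # second intersection on the turn branch
    # e, f, g are dead ends in this toy map: probability mass stays there
}


def diffuse(dist: Dict[str, float]) -> Dict[str, float]:
    """One time step: move the user's probability mass along the road graph."""
    nxt: Dict[str, float] = {}
    for pixel, mass in dist.items():
        branches = TURNS.get(pixel)
        if not branches:                      # no outgoing road: stay put
            nxt[pixel] = nxt.get(pixel, 0.0) + mass
            continue
        for succ, frac in branches.items():
            nxt[succ] = nxt.get(succ, 0.0) + mass * frac
    return nxt


def entropy_bits(dist: Dict[str, float]) -> float:
    """E_user = -sum_i p_i log2 p_i over pixels with non-zero probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def entropy_over_time(start: str, steps: int) -> List[float]:
    """Entropy of the adversary's belief about the user's pixel after each step."""
    dist = {start: 1.0}
    hist = [entropy_bits(dist)]
    for _ in range(steps):
        dist = diffuse(dist)
        hist.append(entropy_bits(dist))
    return hist


if __name__ == "__main__":
    for t, h in enumerate(entropy_over_time("a", 3)):
        print(f"t={t}: entropy = {h:.3f} bits")
```

Starting at pixel a, the entropy stays at 0 bits while the user is on the straight segment, jumps to about 0.88 bits after the first intersection and to about 1.18 bits after the second. That is the behaviour the slides describe: entropy only grows where paths branch, which is why CacheCloak has to create intersections (false branching) on stretches of road where none occur naturally.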
34
Evaluation
Trace based simulation: VanetMobiSim + US Census Bureau trace data; Durham map with traffic lights, speed limits, etc.
Vehicles follow Google map paths; performs collision avoidance
6km x 6km area, 10m x 10m pixels, 1000 cars
35
Results
High average entropy
Quite insensitive to user density (good for sparse regions)
Minimum entropy reasonably high
36
Results
Per-user entropy increases quickly over time
No user starves of location privacy
37
Issues and Limitations
CacheCloak overhead: Application replies to lots of queries; however, the overhead is on the wired infrastructure, and caching reduces this overhead significantly
CacheCloak assumes the same, indistinguishable query: Different queries can deanonymize; need more work
Per-user privacy guarantee not yet supported: Adaptive branching & dummy users
38
Closing Thoughts
Two nodes may intersect in space but not in time: mixing not possible without sacrificing timeliness
Mobility prediction creates space-time intersections: enables virtual mixing in the future
39
Closing Thoughts
CacheCloak implements the prediction and caching function
Significant entropy attained even under sparse population
Spatio-temporal accuracy remains uncompromised
40
Final Take Away
Chasing a car is easier on highways … much harder in Manhattan crossroads
CacheCloak tries to turn a highway into a virtual Manhattan
… Well, sort of …
41
Questions?
42
Emerging trends in content distribution
Content delivered to a location / context, as opposed to a destination address
Thus, “location” is a key driver of content delivery
IP address : Internet = Location : CDN
New wave of applications
44
Example
45
Location Privacy
Problem: Continuous location exposure deprives the user of her privacy.
46
Location Frequency
Some location apps are reactive / infrequent. E.g., List Greek restaurants around me now (PULL)
But, many emerging apps are proactive. E.g., Phone detected at Starbucks, PUSH a coffee coupon
47
Location Frequency
Proactive apps require continuous location
Opportunity for Big Bro to track you over space and time
48
Categorizing Apps
Some location apps are reactive: you ask, App answers. E.g., Pull all Greek restaurants around your location
But, many emerging apps are proactive. E.g., Phone detected at Starbucks, PUSH a coffee coupon
49
Categorizing Apps
Proactive apps require continuous location