(ECE 256: Wireless Networking and Mobile Computing) Location Privacy in Mobile Computing. Topics: Pseudonyms, CliqueCloak, Path Confusion, CacheCloak …

Upload: damien-church

Post on 01-Apr-2015


Page 1

(ECE 256: Wireless Networking and Mobile Computing)

Location Privacy in Mobile Computing

Topics: Pseudonyms, CliqueCloak, Path Confusion, CacheCloak …

Page 2

Context

Better localization technology + pervasive wireless connectivity = location-based pervasive applications

Page 3

Location-Based Apps

For example:
• GeoLife shows a grocery list on the phone when near WalMart
• Micro-Blog allows querying people at a desired region
• Location-based ad: phone gets a coupon at Starbucks …

Location expresses the context of the user, facilitating content delivery

It’s as if location is the IP address for content

Page 4

Double-Edged Sword

While location drives this new class of applications, it also violates the user’s privacy

The sharper the location, the richer the app, the deeper the violation

Page 5

The Location Based Service Workflow

(Figure: Client → Server → LBS Database (Location Based Service))

• Request (client to server): Retrieve all available services in client’s location
• Forward to local service (server to LBS database): Retrieve all available services in location
• Reply (from the LBS database back through the server to the client)

Page 6

The Location Anonymity Problem

(Figure: Client → Server → LBS Database (Location Based Service))

Request: Retrieve all bus lines from location to address

Privacy violated: the request reveals the client’s precise location (and the address) to the service

Page 7

Double-Edged Sword

Moreover, a range of apps are PUSH based and require continuous location information
• Phone detected at Starbucks: PUSH a coffee coupon
• Phone located on highway: query traffic congestion

Page 8

Location Privacy

Problem: continuous location exposure is a serious threat to privacy

Research: preserve privacy without sacrificing the quality of continuous location-based apps

Page 9

Just Call Yourself “Freddy”

Pseudonyms
• Effective only when location exposure is infrequent
• Else, spatio-temporal patterns are enough to deanonymize
… think breadcrumbs

(Figure: Romit’s Office, with the breadcrumb trails of John, Leslie, Jack, Susan, Alex)

Page 10

A Customizable k-Anonymity Model for Protecting Location Privacy

Paper by: B. Gedik, L. Liu (Georgia Tech)

Slides adapted from: Tal Shoseyov

Page 11

Location Anonymity

“A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.”

(Figure: clients sending messages to the Database)

Page 12

k-Anonymity

“A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”

Page 13

Implementation of Location Anonymity

1. Client sends a plain request to the server
2. Server transforms the message by “anonymizing” the location data in the message
3. Server sends the “anonymized” message
4. Database executes the request according to the received anonymous data
5. Database replies to the server with compiled data
6. Server forwards the data to the client

Page 14

Implementation of Location k-Anonymity

Spatial Cloaking – Setting a range of space to be a single box, where all clients located within the range are said to be in the “same location”. (Figure: box in the x–y plane)

Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message at the “same time”. (Figure: interval on the t axis)

Page 15

Implementation of Location k-Anonymity

Spatial-Temporal Cloaking – Setting a range of space and a time interval that together cover all the messages sent by clients inside the range during that time interval. This spatial and temporal area is called a “cloaking box”. (Figure: box spanning the x, y and t axes)

Page 16

Previous solutions

M. Gruteser, D. Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 other clients, and monitors that area over time until such k-1 clients are found.

Drawback: fixed anonymity value for all clients (service dependent)

Page 17

The CliqueCloak Approach

Definitions:

Constraint Area: For a message m, a constraint area is a spatial-temporal area that contains the sending client’s location. A client sends his message along with a constraint area to prevent the database from sending the client useless information on locations outside the constraint area.

(Figure: x–y plane showing message m with k=3 and its constraint area)

Page 18

The CliqueCloak Approach

Definitions:

Cloaking Box: A spatial and temporal area assigned to a transformed message. A valid cloaking box must comply with the following conditions:

1. The client that sent the message m is located in the cloaking box.
2. The number of different clients inside the cloaking box must be at least m.k (the anonymity level of the message).
3. The cloaking box must be included inside the message’s constraint area.

(Figure: x–y plane with messages m1 (k=2), m2 (k=3) and m4 (k=3) and their constraint areas)

Page 19

The CliqueCloak Approach

Definitions:

Constraint Graph: Each mobile node is a vertex in the graph, and two nodes are connected iff each of them is inside the other node’s constraint area.

(Figure: x–y plane with messages m1 (k=2), m2 (k=3), m3 (k=2) and m4 (k=3))

Approach: An l-clique in that graph such that l ≥ mi.k for each i is mapped by the algorithm to a spatial cloaking box, where all messages in the clique will be transformed using the cloaking box, making each of the messages’ senders indistinguishable from one another.

Page 20

The CliqueCloak Algorithm

The Idea:

• For each plain message, along with its constraints and anonymity level k, we try to find a k-clique in the constraint graph and convert the clique into a spatial cloaking box.
• Each of the messages inside the cloaking box will be converted into transformed messages, replacing their location values with the cloaking box.
• We keep trying to find a cloaking box for a message until it expires (exceeds its temporal constraints).

(Figure: x, y and t axes)
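The definitions on the preceding slides (constraint area, cloaking box, constraint graph, clique to box) fit in a few dozen lines. The following is an added example written for these notes, not code from the Gedik and Liu paper or from the course: it builds the constraint graph, looks for a clique whose size satisfies every member's k, turns the clique into a space-time bounding box, and checks the three validity conditions. The four messages, their coordinates, constraint areas and the "largest k first" processing order are constructed assumptions of this example.

```python
from dataclasses import dataclass
from itertools import combinations

# An axis-aligned space-time box: (xmin, xmax, ymin, ymax, tmin, tmax)
Box = tuple


@dataclass(frozen=True)
class Message:
    mid: str     # message id
    x: float     # sender's location
    y: float
    t: float     # time the message was sent
    k: int       # anonymity level m.k requested by the sender
    area: Box    # constraint area attached to the message by the sender


def contains(box, x, y, t):
    xmin, xmax, ymin, ymax, tmin, tmax = box
    return xmin <= x <= xmax and ymin <= y <= ymax and tmin <= t <= tmax


def corners(box):
    xmin, xmax, ymin, ymax, tmin, tmax = box
    return [(x, y, t) for x in (xmin, xmax) for y in (ymin, ymax) for t in (tmin, tmax)]


def constraint_graph(msgs):
    """Vertices are messages; an edge joins two messages iff each sender
    lies inside the other's constraint area."""
    adj = {m.mid: set() for m in msgs}
    for a, b in combinations(msgs, 2):
        if contains(a.area, b.x, b.y, b.t) and contains(b.area, a.x, a.y, a.t):
            adj[a.mid].add(b.mid)
            adj[b.mid].add(a.mid)
    return adj


def bounding_box(clique):
    """Smallest space-time box that holds every sender in the clique."""
    return (min(m.x for m in clique), max(m.x for m in clique),
            min(m.y for m in clique), max(m.y for m in clique),
            min(m.t for m in clique), max(m.t for m in clique))


def valid_cloaking_box(box, clique):
    """The three conditions for a valid cloaking box, checked for every member:
    1. the sender is inside the box; 2. at least m.k distinct clients share it;
    3. the box lies inside the sender's constraint area (all 8 corners inside)."""
    return all(contains(box, m.x, m.y, m.t)
               and len(clique) >= m.k
               and all(contains(m.area, *c) for c in corners(box))
               for m in clique)


def find_clique(target, pool, adj):
    """Smallest clique containing `target`, drawn from `pool`, whose size l
    satisfies l >= m_i.k for every member m_i."""
    by_id = {m.mid: m for m in pool}
    nbrs = sorted(n for n in adj[target.mid] if n in by_id)
    for size in range(target.k, len(nbrs) + 2):
        for others in combinations(nbrs, size - 1):
            ids = (target.mid,) + others
            if all(b in adj[a] for a, b in combinations(ids, 2)) \
                    and all(by_id[i].k <= size for i in ids):
                return [by_id[i] for i in ids]
    return None


def cloak(msgs, now):
    """One pass at time `now`: messages whose temporal constraint has passed
    expire; the rest are cloaked when a suitable clique exists, otherwise they
    stay pending for a later pass. Returns (cloaked: mid -> box, pending, expired)."""
    expired = [m.mid for m in msgs if now > m.area[5]]
    live = [m for m in msgs if m.mid not in expired]
    adj = constraint_graph(live)
    cloaked = {}
    # Processing order is a choice of this toy, not the paper's: most demanding k first.
    for m in sorted(live, key=lambda msg: (-msg.k, msg.mid)):
        if m.mid in cloaked:
            continue
        pool = [c for c in live if c.mid not in cloaked]
        clique = find_clique(m, pool, adj)
        if clique is None:
            continue
        box = bounding_box(clique)
        assert valid_cloaking_box(box, clique)
        for c in clique:
            cloaked[c.mid] = box      # every member's location is replaced by the shared box
    pending = [m.mid for m in live if m.mid not in cloaked]
    return cloaked, pending, expired


# Constructed sample: m1..m3 lie in each other's wide constraint areas; m4 sits in a
# corner whose small constraint area contains none of the others.
WIDE = (0, 10, 0, 10, 0, 5)
SAMPLE = [
    Message("m1", 1, 1, 0, 2, WIDE),
    Message("m2", 2, 3, 1, 3, WIDE),
    Message("m3", 3, 2, 2, 2, WIDE),
    Message("m4", 8, 8, 1, 3, (5, 10, 5, 10, 0, 5)),
]

if __name__ == "__main__":
    print(cloak(SAMPLE, now=0))   # m1, m2, m3 share one box; m4 stays pending
    print(cloak(SAMPLE, now=6))   # everything has expired
```

Because every constraint area is an axis-aligned box, the bounding box of a clique is automatically inside each member's constraint area, which is why condition 3 holds whenever the graph edges do; the check is kept so that the three slide conditions are verified explicitly rather than assumed.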

Page 21

Does CliqueCloak solve the location privacy problem?

Any further concerns? Doubts?

Page 22

Add Noise

K-anonymity and CliqueCloak
• Convert location to a space-time bounding box
• Ensure K users in the box
• Location apps reply to the boxed region

Issues
• Poor quality of location
• Degrades in sparse regions
• Not real-time

(Figure: “You” inside a bounding box with K=4)

Page 23

Confuse Via Mixing

Path intersections are an opportunity for privacy: if users intersect in space-time, one cannot say who is who

Issues
• Users may not be collocated in space and time
• Mixing is still possible at the expense of delay

(Figure: two paths crossing, one user arriving later)

Page 24

Existing solutions seem to suggest: privacy and Quality of Localization (QoL) are a zero-sum game. Need to sacrifice one to gain the other.

Page 25

Ideal Solution Should

Break away from this tradeoff

Target: spatial accuracy, real-time updates and privacy guarantees, even in sparse populations

Another idea: CacheCloak

Page 26

CacheCloak Intuition

Exploit mobility prediction to create future path intersections

Users’ paths are like crossroads of breadcrumbs: the app knows precise locations, but doesn’t know the user

Page 27

CacheCloak

• Assume a trusted privacy provider
• Reveal location to CacheCloak
• CacheCloak exposes anonymized location to the location app

(Figure: CacheCloak sitting between the user and Loc. App1, Loc. App2, Loc. App3, Loc. App4)

Page 28

CacheCloak Design

• User A drives down path P1; P1 is a sequence of locations; CacheCloak has a cached response for each location
• User A takes a new turn (no cached response); CacheCloak predicts mobility and deliberately intersects the predicted path with another path P2
• CacheCloak exposes the predicted path to the application; the application replies to queries for the entire path
• CacheCloak always knows the user’s current location and forwards cached responses for that precise location

Page 29

CacheCloak Design

Adversary confused: the new path intersects paths P1 and P2 (crossroads), so it is not clear where the user came from or turned onto

Example …
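The design on the two slides above, as an added example written for these notes rather than the CacheCloak authors' implementation: a trusted CacheCloak proxy that learns each user's exact pixel, only ever sends whole predicted paths to the untrusted location app, and answers users from the resulting cache. The road map (a horizontal road crossing a vertical one), the straight-line mobility predictor and the two users' drives are constructed assumptions; the app's `exposed` log is what an adversary sitting at the app would see.

```python
# Constructed toy road map: a horizontal road (y = 0, x = 0..6) crossing a
# vertical road (x = 3, y = 0..4). Pixels are grid cells as on the
# "Quantifying Privacy" slide; the coordinates are invented for this example.
ROAD = {(x, 0) for x in range(7)} | {(3, y) for y in range(5)}


def predict_path(pixel, heading, horizon=10):
    """Toy mobility predictor (an assumption of this example, not the paper's
    model): keep going straight along the road until it ends or `horizon`
    steps have been predicted."""
    path = [pixel]
    for _ in range(horizon):
        nxt = (path[-1][0] + heading[0], path[-1][1] + heading[1])
        if nxt not in ROAD:
            break
        path.append(nxt)
    return path


class LocationApp:
    """The untrusted location app. It answers one query per pixel and logs
    what it was shown; no user identity ever reaches it."""

    def __init__(self):
        self.exposed = []          # every pixel ever queried, in order

    def query(self, pixels):
        self.exposed.extend(pixels)
        return {p: f"services near {p}" for p in pixels}


class CacheCloak:
    """Trusted privacy provider: knows precise locations, sends only predicted
    paths to the app, and serves each user the cached answer for its exact pixel."""

    def __init__(self, app):
        self.app = app
        self.cache = {}            # pixel -> cached app response
        self.current = {}          # user -> current pixel (stays inside CacheCloak)

    def locate(self, user, pixel, heading):
        self.current[user] = pixel
        if pixel not in self.cache:                # a new turn: nothing cached here
            path = predict_path(pixel, heading)
            # Pixels already exposed by an earlier path (an intersection) need no new query.
            fresh = [p for p in path if p not in self.cache]
            self.cache.update(self.app.query(fresh))
        return self.cache[pixel]


def run_scenario():
    """User A drives along P1, turns north at the crossroads, then user B later
    drives the cross street south. Returns the app and the number of new app
    queries each step caused."""
    app = LocationApp()
    cc = CacheCloak(app)
    queries = []

    def step(user, pixel, heading):
        before = len(app.exposed)
        cc.locate(user, pixel, heading)
        queries.append(len(app.exposed) - before)

    for x in range(4):                 # A: (0,0) -> (3,0) along P1
        step("A", (x, 0), (1, 0))
    for y in range(1, 5):              # A's new turn at (3,0): (3,1) -> (3,4)
        step("A", (3, y), (0, 1))
    for y in range(4, -1, -1):         # B later drives south: (3,4) -> (3,0)
        step("B", (3, y), (0, -1))
    return app, queries


if __name__ == "__main__":
    app, queries = run_scenario()
    print(queries)                     # bursts of 7 and 4 queries, then all cache hits
    print(sorted(app.exposed))         # the app saw two crossing paths, never a user
```

Only the first step on each new road causes a burst of queries for the whole predicted path; every later position, including user B's entire drive, is a cache hit that the app never observes, which is the "real-time, overhead on the wired backbone" benefit claimed on the slides.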

Page 30

Example (figure)

Page 31

Benefits

• Real-time: the response is ready when the user arrives at the predicted location
• High QoL: responses can be specific to the location; the overhead falls on the wired backbone (caching helps)
• Entropy guarantees: entropy increases at traffic intersections; in regions where it is low, the desired entropy is possible via false branching
• Sparse population: can be handled with dummy users

Page 32

Quantifying Privacy

• City converted into a grid of small squares (pixels); users are located at a pixel at a given time
• Each pixel is associated with an 8x8 matrix; element (x, y) = probability that the user enters via x and exits via y
• Probabilities diffuse at intersections and over time
• Privacy = entropy:

$E_{\text{user}} = -\sum_{i \in \text{pixels}} p_i \log p_i$

(Figure: a pixel with entry side x and exit side y)

Page 33

Diffusion

The probability of the user’s presence diffuses. The diffusion gradient is computed based on history, i.e., what fraction of users take a right turn at this intersection.

(Figure: a road intersection at time t1, time t2 and time t3)
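The entropy measure and the diffusion step from the two slides above, carried through numerically as an added example for these notes (not the paper's evaluation code). The road topology and the turn history are constructed; the per-pixel 8x8 enter/exit matrix of the slides is simplified here to a per-pixel distribution over exits learned from history, which is an assumption of this example.

```python
import math
from collections import Counter, defaultdict

# Constructed road topology: pixel -> pixels a user can move to next.
# "a" leads into intersection I1 with three exits; the north exit leads to a
# second intersection I2. Dead ends loop to themselves so probability mass stays put.
ROADS = {
    "a": ["I1"],
    "I1": ["n", "e", "w"],
    "n": ["I2"], "e": ["e_end"], "w": ["w_end"],
    "I2": ["n2", "e2"],
    "n2": ["n2"], "e2": ["e2"], "e_end": ["e_end"], "w_end": ["w_end"],
}

# Constructed mobility history: (intersection, exit taken) observations.
HISTORY = ([("I1", "n")] * 6 + [("I1", "e")] * 3 + [("I1", "w")] * 1
           + [("I2", "n2")] * 1 + [("I2", "e2")] * 1)


def transition_model(history, roads):
    """Turn fractions per pixel, i.e. the diffusion gradient: what fraction of
    users took each exit. Pixels with no observations split mass evenly."""
    counts = defaultdict(Counter)
    for pixel, exit_ in history:
        counts[pixel][exit_] += 1
    model = {}
    for pixel, exits in roads.items():
        total = sum(counts[pixel][e] for e in exits)
        model[pixel] = {e: (counts[pixel][e] / total if total else 1 / len(exits))
                        for e in exits}
    return model


def diffuse(dist, model):
    """One time step: every pixel's probability flows to its exits by the model."""
    nxt = defaultdict(float)
    for pixel, p in dist.items():
        for exit_, frac in model[pixel].items():
            nxt[exit_] += p * frac
    return dict(nxt)


def entropy(dist):
    """E_user = -sum_i p_i log2 p_i over pixels (log base 2: entropy in bits)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def entropy_over_time(start, steps, model):
    """Entropy of the adversary's belief about the user after each step, starting
    from certainty (a point mass at `start`)."""
    dist = {start: 1.0}
    history = [entropy(dist)]
    for _ in range(steps):
        dist = diffuse(dist, model)
        history.append(entropy(dist))
    return history


MODEL = transition_model(HISTORY, ROADS)

if __name__ == "__main__":
    for t, e in enumerate(entropy_over_time("a", 4, MODEL)):
        print(f"t{t}: {e:.3f} bits")   # 0, 0, then jumps at I1, flat, then jumps again at I2
```

Entropy stays at zero while the user is on a stretch of road with a single exit and jumps only when mass splits at an intersection, which is the "entropy increases at traffic intersections" observation of the Benefits slide; a skewed turn history (6:3:1) yields less than the log2(3) ≈ 1.58 bits an even split would give.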

Page 34

Evaluation

• Trace-based simulation: VanetMobiSim + US Census Bureau trace data; Durham map with traffic lights, speed limits, etc.
• Vehicles follow Google map paths and perform collision avoidance
• 6km x 6km area, 10m x 10m pixels, 1000 cars

Page 35

Results

• High average entropy
• Quite insensitive to user density (good for sparse regions)
• Minimum entropy reasonably high

Page 36

Results

• Per-user entropy increases quickly over time
• No user starves of location privacy

Page 37

Issues and Limitations

• CacheCloak overhead: the application replies to lots of queries; however, the overhead is on the wired infrastructure, and caching reduces it significantly
• CacheCloak assumes the same, indistinguishable query from every user; different queries can deanonymize; needs more work
• Per-user privacy guarantee not yet supported: adaptive branching & dummy users

Page 38

Closing Thoughts

Two nodes may intersect in space but not in time: mixing is not possible without sacrificing timeliness

Mobility prediction creates space-time intersections: it enables virtual mixing in the future

Page 39

Closing Thoughts

• CacheCloak implements the prediction and caching function
• Significant entropy attained even under sparse population
• Spatio-temporal accuracy remains uncompromised

Page 40

Final Take Away

Chasing a car is easier on highways … much harder in Manhattan crossroads

CacheCloak tries to turn a highway into a virtual Manhattan

… Well, sort of …

Page 41

Questions?

Page 42

Emerging trends in content distribution

Content delivered to a location / context, as opposed to a destination address

Thus, “location” is a key driver of content delivery

IP address : Internet = Location : CDN

New wave of applications


Page 44

Example (figure)

Page 45

Location Privacy

Problem: continuous location exposure deprives the user of her privacy.


Page 47

Location Frequency

• Some location apps are reactive / infrequent. E.g., list Greek restaurants around me now (PULL)
• But many emerging apps are proactive. E.g., phone detected at Starbucks, PUSH a coffee coupon

Proactive apps require continuous location

Opportunity for Big Bro to track you over space and time


Page 49

Categorizing Apps

• Some location apps are reactive: you ask, the app answers. E.g., pull all Greek restaurants around your location
• But many emerging apps are proactive. E.g., phone detected at Starbucks, PUSH a coffee coupon

Proactive apps require continuous location