GPS privacy: Enabling Proximity-basedServices while Keeping GPS Locations Private

Athindran Ramesh Kumar, Liang Heng, Grace X. GaoUniversity of Illinois at Urbana-Champaign

BIOGRAPHYAthindran Ramesh Kumar received his B.Tech degree inelectrical engineering from the Indian Institute of Technol-ogy, Madras in 2009. He is currently pursuing his M.Sin Electrical Engineering from the University of Illinois,Urbana-Champaign. His research interests are in signalsand systems, with particular focus on the Global Position-ing System (GPS).Liang Heng received the B.S. and M.S. degrees in electri-cal engineering from Tsinghua University, Beijing, Chinain 2006 and 2008. He received the PhD degree in electri-cal engineering from Stanford University under the direc-tion of Per Enge in 2012. He is currently a postdoctoralresearch associate in the Department of Aerospace Engi-neering, University of Illinois at Urbana-Champaign. Hisresearch interests are cooperative navigation and satellitenavigation. He is a member of the IEEE and the Instituteof Navigation (ION).Grace Xingxin Gao received the B.S. degree in mechani-cal engineering and the M.S. degree in electrical engineer-ing from Tsinghua University, Beijing, China in 2001 and2003. She received the PhD degree in electrical engineer-ing from Stanford University in 2008. From 2008 to 2012,she was a research associate at Stanford University. Since2012, she has been with University of Illinois at Urbana-Champaign, where she is presently an assistant professorin the Aerospace Engineering Department. Her researchinterests are systems, signals, control, and robotics. Sheis a member of the IEEE and the Institute of Navigation(ION).

ABSTRACTLocation-based services have revolutionized people’s ev-eryday lives. Proximity-based services in particular, arecommonly used to identify nearby friends and other land-marks. However, these services endanger the privacy ofusers as the location information is provided to the serviceprovider.In this work, we propose a privacy protection scheme whichleverages the low-level data used in GPS location estima-tion for privacy protection. The anonymous range vector ofa user to visible satellites is instead provided to the service

provider. The exact location of the user cannot be inferredfrom the anonymous range vector. An efficient algorithmfor proximity detection using the anonymous range vectoris presented. A proof of concept of the proximity detectionscheme is illustrated using experiments with u-blox LEA-6T receivers and Android phones.

1 INTRODUCTIONUbiquitous GPS-enabled mobile devices and ever-growinglocation-based services (LBSs) are becoming more and moreembedded in people’s everyday lives. The advancementsin low-power positioning technology (assisted GPS), LBSmiddleware technology and 3G mobile services led to theboom of location-based services. The evolution and thecommercialization of location-based services (LBS) afterthe initial failure is elaborated in detail in [1]. There areseveral types of location-based services. Some commonuses include navigation and geo-spatial crowdsourcing. Be-sides, there are also proximity detection services and loca-tion based services which allow users to search for friendsor other points around them [2]. Further in some servicessuch as WeChat, users can even find all nearby strangersby shaking his/her phone. However, the locations of usersare generally logged in a third party server. A maliciousattacker can collect this location information and infer thepersonal attributes of a user including his whereabouts, lifestyle, political and religious affiliations [3]. The high levelof intrusion and privacy threats associated has created a re-luctance among users to use location-based services [4].

There are two major forms of privacy associated withLBS [7], namely - Query privacy and Location privacy.Query privacy refers to users’ private information, such astheir identity and lifestyle that can be exposed by lookingat query attributes. Location privacy refers to users’ pri-vate information directly or indirectly exposed by their lo-cations. These two notions of privacy are intertwined andloss of one type of privacy often leads to the loss of theother. Several of the privacy protection schemes focus onpreserving query privacy. A class of these schemes de-grade or transform location data in such a way that an ad-versary cannot infer the actual locations from the dataset.Anonymization, obfuscation, and adding random perturba-

tions are three such techniques. Gruteser et al. [8] in-troduced “cloaking” for query privacy and expanded theidea of k-anonymity, which was more commonly used indatabase security. Every user must be indistinguishablefrom k − 1 other users to satisfy the k-anonymity met-ric. The path confusion [9] approach proposed by Hoh andGruteser focuses on protecting privacy in crowdsourcingapplications. In their approach, the paths of the users areperturbed in order to ensure that an intelligent attacker us-ing advanced tracking algorithms cannot track users. Onthe other hand, cryptographic schemes provide “perfect se-crecy” but depend on pre-shared secrets and can be compu-tationally expensive. Private information retrieval [11] is acryptographic approach directed towards protecting queryprivacy.

Besides, there have also been a lot of privacy-protectionschemes pertaining to our interest area of proximity detec-tion services. The first techniques to enable private proxim-ity detection used distance preserving transformations [12]to not reveal actual user locations. Most of the work in thisdomain assume the existence of pre-shared secrets or pri-vate shared functions. Secure computational geometry [13]used a more probabilistic approach. It introduced proto-cols to privately compute scalar products and test for vectordominance. These protocols could be extended to test forpoint-inclusion in a polygon. Zhong et al [14] discuss theshortcomings of this approach and introduce three proto-cols Louis, Lester and Pierre for private proximity testing.These were based on public key encryption schemes andevery pair of users have to establish a secure communica-tion channel in order to test for proximity. The number ofconnections can quickly escalate in a large scale geo-socialnetwork. More recently, Arvind Narayanan et al. [15] pro-pose the use of location tags for privacy protection. Lo-cation tags are unpredictable and reproducible signals thatcan be derived from the surrounding environment. SHARP[18] used location tags to establish proximity detection tostrangers. During an initial phase, users embed a key intheir location tag and send it to the server. Only users whoshare the same location tag can extract this key.

However, all of the above schemes treat GPS as ablack box. In this work, we open the black box and lever-age some of the “information” inside for privacy protection.We extract privacy-preserving location information directlyfrom an intermediate step in GPS location estimation. Weimplement private proximity detection using anonymizedpseudorange measurements. The anonymous range vectorsof each user can also be interpreted as the location hash ofan user. Further, we propose a simple, efficient and effec-tive algorithm to detect whether two users are close. Thisalgorithm is first validated using actual pseudorange mea-surements released by the IGS tracking network. Also, ex-periments using Android phones and u-blox LEA-6T re-ceivers were performed to show the proof of concept on asmaller scale.

The rest of the paper is organized as follows. In sec-tion 2, we define the concept of a location hash and formu-late a problem statement. Section 3 briefly describes thealgorithms used for matching and introduce some perfor-mance measures. In section 4, we present experiments tovalidate our algorithms. In section 5, we summarize ourwork and discuss about avenues for future research.

2 PROBLEM STATEMENTOur goal is to enable private proximity detection betweenusers. In this section, we specify the adversary model inour framework. We consider a centralized social networkwhere the proximity detection between all pairs of users isperformed by a centralized server. A centralized networksignificantly decreases the number of connections requiredwhen there are a huge number of users. Also, note thatthere will be no user adversaries in a centralized social net-work as the server can easily hide information from otherusers. However, the server can itself be malicious and cantry to infer the actual locations of the user from the infor-mation provided. Also, we assume that all communicationchannels are secure (via TLS, IPsec, etc.), i.e., there is noconcern about eavesdropping or interception.

In order to achieve our goal, we seek a location hashfunction h(xk ) of the location xk of a user k. The hashfunction should not be easily invertible in order to pre-vent an attacker from inferring the actual locations fromthe hash. More formally, it should be computationally in-tensive to find a solution to the equation h(x) = h(xk ).Besides, there could be multiple locations that map to thesame value of h(x), thus creating ambiguity about the ac-tual user location. Also, it should be feasible to test forproximity detection on the location hashes. Let t be thethreshold distance we intend to use for testing proximitybetween the users. There must exist a detection statisticT ( f (h(xi ),h(x j ), τ)) such that we can conclude that twousers are close with high probability whenever T exceedsan adjustable threshold τ. In this paper, we use the anony-mous range vector of an user as the location hash and derivethe detection statistic T using a matching algorithm.

3 PRIVATE PROXIMITY DETECTION USINGANONYMOUS RANGE MEASUREMENTS

In this work, we use a set of range measurements to GPSsatellites (without PRN designated) as the location hash ofthe user. Without the PRN’s designated to the range mea-surements, it is impractical for an adversary to compute theactual location of the user. We propose a scheme for prox-imity detection using anonymous range measurements. Letus denote the range vector of the ith user

ρi =[ρ(1)i , ρ(2)

i , . . . , ρ(Ki )i

]T, (1)

where Ki is the number of satellites visible to the user.The range measurements ρ(l )

i do not include the user clock

bias which is removed beforehand. Further the range vectorρi is sorted beforehand in ascending order.

Consider two users at locations xi and x j . Let therange vectors to the set of visible satellites of the two usersbe denoted by ρi and ρ j respectively. Suppose there isa satellite visible to both users with corresponding rangemeasurements ρi1 and ρ j1, with elevation and azimuth αand β. We know that

���ρi1 − ρ j1��� ≈

xi − x j 2

���cos (α) cos(β) ��� . (2)

Thus for any threshold distance t,

���ρi1 − ρ j1��� ≤

xi − x j 2≤ t . (3)

Thus, if two users at a distance t see a common satel-lite with ranges ρi1 and ρ j1, it is a necessary condition that���ρi1 − ρ j1

��� < t.However, in our scheme, the server has to do blind

matching of range measurements. In other words, the usersdo not designate PRN numbers to each range measurementin order to protect their privacy. We formulate this prob-lem of “blind matching” in an optimization framework andpropose an algorithm to do the same.

3.1 Blind matching of range vectorsLet ⊂ denote the subset relation between two sorted vec-tors. We write x ⊂ y if each element in x also belongsto y. Let card(x) denote the cardinality, i.e., number ofelements, of a vector (or a set) x. The proximity detectionproblem can be formulated as the following optimizationproblem:

maximize c,

subject to c = card(φ1) = card(φ2),φ1 ⊂ ρ1,

φ2 ⊂ ρ2,

‖φ1 − φ2‖∞ ≤ t,

(4)

where the infinity norm ‖[u1, . . . ,un]T ‖∞ = max{|u1 |, . . . ,|un |}. Further, we define the proximity detection statistic Tas the number of mismatches,

T = min{card(ρ1),card(ρ2)} − c.

Two users are said to be close if the proximity detectionstatistic T is less than a threshold τ. The decision thresholdτ is selected to adjust the false alarms and missed detec-tions that can occur.

The optimization problem in gather (4) is similar tothe longest common sub-sequence problem in the litera-ture. Let ρ[n] denote the nth element in the sorted vectorρ, and let ρ[n] denote the vector of the first n elements,i.e., ρ[n] = [ρ[1], ρ[2], . . . , ρ[n]]T . We have the following

recursive equation:

c(ρ1[k1],ρ2[k2]) =

0if k1 = 0 or k2 = 0;

c(ρ1[k1 − 1],ρ2[k2 − 1]) + 1if |ρ1[k1] − ρ2[k2]| ≤ t;

c(ρ1[k1 − 1],ρ2[k2])if ρ1[k1] > ρ2[k2] + t;

c(ρ1[k1],ρ2[k2 − 1])if ρ1[k1] < ρ2[k2] − t .

(5)

where we use c(., .) as a metric of matching between thetwo vectors. Assume that the vectors ρ1 and ρ2 are sorted.An efficient dynamic programming algorithm to find c ispresented below.Require: two sorted vectors ρi = [ρ(1)

i , ρ(2)i , . . . , ρ(Ki )

i ]T ,i ∈ {1,2}

Require: distance tolerance t > 0ki ← 1, i ∈ {1,2}c ← 0while k1 ≤ card(ρ1) and k2 ≤ card(ρ2) do

if |ρ(k1)1 − ρ(k2)

2 | < t thenc ← c + 1k1 ← k1 + 1k2 ← k2 + 1

else if ρ(k1)1 < ρ(k2)

2 thenk1 ← k1 + 1

elsek2 ← k2 + 1

end ifend whilereturn c

Since the lengths of the two range vectors ρ1 and ρ2 are fi-nite in practice, we can consider the time complexity of thealgorithm to be O(1). Therefore, our proximity detectionalgorithm is very efficient.

As a statistical hypothesis test, private proximity de-tection has a probability of making two types of errors:false alarm and missed detection. Suppose there are Nusers and let S denote the set of all pairs of users, card(S) =(N2

). Let X be the set of pairs of users who are within a

threshold distance t. Let Y be the set of pairs of users whoare detected to be close to each other. We define the fol-lowing performance measures:

• Probability of false alarm

PFA =card(Y \ X )card(S \ X )

. (6)

where the set difference Y \ X = {e ∈ Y |e < X }.

• Probability of missed detection

PMD =card(X \ Y )

card(X ). (7)

• Probability of detection error

PDE =card(Y \ X ) + card(X \ Y )

card(S). (8)

4 EVALUATION AND EXPERIMENTS4.1 Global EvaluationWe first evaluate our proposed private proximity detectionscheme in a global setting by using the IGS network. Wetreat the stations around the world as nodes to test for prox-imity using the scheme outlined in section. These stationsare usually very far apart so we need to choose our thresh-old distances for proximity appropriately. Further, the pseu-doranges recorded by these stations still have the user clockbias in them. The pseudorange measurement ρ̃(k) to thek th satellite at epoch t can be modeled as

ρ̃(k) (t) = r (k) + c[δtu − δt(k)]+

I (k) (t) + T (k) (t) + ε (k) (t) (9)

where r (k) is the actual distance to the satellite, δtu andδt (k ) are the user and satellite clock offsets respectively,I (k) and T (k) are the ionospheric and tropospheric prop-agation delays and ε (k) include the other sources of errorsuch as multipath and measurement noise. Most receiversuse a Newton-Raphson based technique to solve for theuser position and user clock bias, given the pseudorangesand the ephemeris. We use a similar such technique andextract the clock bias out of every station’s pseudorangemeasurements. We then find

ρ(k) (t) = ρ̃(k) (t) − c.δtu (10)

= r (k) − c.δt(k) + I (k) + T (k) (11)

and use ρ(k) (t) to form the range vector. Note thatthe range measurements will still have the errors due to at-mospheric terms. However, this is actually a benefit forprivacy protection. It is an additional source of random-ness that is correlated for nearby users.The algorithm was validated using the IGS data recordedon January 10, 2014. The pseudorange measurements re-leased by 1171 stations around the world at the start of theday at one time epoch was used to aggregate the statis-tics for validation. For each pair of stations, the numberof matches in the pseudorange vector and the proximitydetection statistic ζ was computed. Figure 1 shows thefrequency of the number of visible satellites from the IGSstations at the chosen time epoch. The number of visiblesatellites is around 9 on the average. In Figure 2, we plotthe proximity detection statistic as a function of distance fora threshold of t = 5000 m. We can clearly see that the num-ber of mismatches is higher for stations which are farther

Figure 1. Frequency of number of visible satellites as seen byIGS stations

Figure 2. Statistics of the proximity detection statistic T for theIGS reported pseudorange measurements. Note that thenumber of mismatches is consistently higher for sta-tions which are farther than the threshold distance of5000 m

than the threshold distance. Figure 3 shows the variationof PFA with the threshold distance. The variation is as ex-pected from the theoretical results. From figure 4, we seethat the missed detections go to 0 for τ ≥ 1. However, thefalse alarms ratio is obviously higher for higher values of τ.Thus, the experimental results clearly illustrate the viabil-ity of our scheme for efficient private proximity detection.

4.2 Local EvaluationWith the evaluation using the IGS tracking network, the"user" locations were fixed. Further, most pairs of stations

Figure 3. Probability of false alarm versus threshold distance tfor the IGS evaluation.

Figure 4. Probability of missed detection versus threshold dis-tance t for the IGS evaluation.

were very far apart and the locations of the stations in thetracking network do not model the distribution of mobile-phone users very well. Thus, we perform some local ex-periments to further validate the algorithm. An androidapp was written to continually log range data. Upon post-processing, we evaluate the utility of our scheme. However,working with the Android API presents a fresh set of chal-lenges. An additional evaluation using u-blox receivers ispresented to further strengthen the proof of concept.

4.2.1 Android application data

The goal of our scheme is to enable privacy protection inmobile devices. Thus, a prototypical android app was de-veloped to test the scheme with the GPS engine in Android.

Figure 5. Basic architecture of an android proximity detectionservice.

In an ideal scenario, an implementation of a proximity-based service using an android app would just have the an-droid app interacting with a friend-finder server as shownin figure 5. However, there were several challenges whileworking with the Android location API which is the onlymode of accessing the underlying GPS engine. We providea description of the challenges and the suitable modifica-tions required below.

• Pseudorange measurements not available from theAPI

An app developer can only access(x, y, z

)informa-

tion of an user. Thus, we had to set up an externalserver to continually download high rate ephemerisfrom nearby IGS stations. The high rate ephemerisfrom the stations NIST and GODS were downloadedand hosted on a server. The android app downloadedand updated the ephemeris from the server periodi-cally. Further, android provides a GPSSatellite classwhich reports the satellites currently in view alongwith the elevation and azimuth. Using the last knownlocation, the satellites in view and the downloadedephemeris, we find the range measurements and formthe anonymous range vector for proximity detection.In an ideal scenario, we would expect the chipsetto provide pseudorange measurements as well in theNMEA messages.

• Unknown clock bias and time sync issues

Another major issue is that the android API does notreport accurate GPS time. It only reports the UTCtime at fix and the clock error can be as large as afew minutes. In order to circumvent this problem, theapp was forced to compute the satellite positions andrange measurements at fixed time epochs. Initially,we manually configured each of the devices used fortesting to not have time lag more than 5-10 seconds.However, the range measurements vary rapidly as thesatellites are continually moving. In order to ensure

Figure 6. IGS stations used for downloading ephemeris (markedin red).

time sync between users, the app was forced to reportrange measurements at fixed time epochs, i.e, integermultiples of 20 seconds.

• Fluctuating satellite set

As stated earlier, the GPSSatellite class reports thesatellites currently in view along with the elevationand azimuth. However, the satellites in view werevery fluctuant and the 4-5 satellites reported changedvery rapidly ( on the order of seconds ). Thus, weaggregated the reports over 10 seconds to find all thesatellites in view.

• Synchronous vs Asynchronous implementation

In an asychronous implementation, the user notifiesthe LBS server when he/she is looking for friendsnearby. The LBS server can then notify the user’sfriends and obtain their location hash to test for prox-imity. In a synchronous implementation, the usersreport their location hashes periodically at fixed timeepochs. The former implementation is obviously bet-ter in terms of privacy because the users give awayless information. Also, there is the extra communi-cation overhead of continuously reporting data in thesynchronous implementation. However, we resort toa synchronous implementation in this work for sim-plicity. Further, we dont implement a friend-finderserver as we are simply recording data for researchpurposes. The android app just logs all the pseu-dorange data in a text file. We processed the filesfrom all users after the recording to evaluate our al-gorithms.

Figure 7 encapsulates the final structure of the android ap-plication to over come the challenges involved. Figure 8shows a screenshot of the android application with all thelogged data.The app was distributed to 6 graduate students who livedand worked in Urbana-Champaign, IL. They primarily workedindoors and were close to each other for most part of the

Figure 7. Final architecture of the app for logging data.

Figure 8. Android application for logging data.

data collection. We present the results from this data col-lection in figures 9,10 and 11. In figure 9, we plot the ratioof correct decisions , false alarms and missed detections.Unlike the IGS stations, most users in this experiment wereclose to each other for the most period. Hence, we seea relatively higher ratio of false alarms as the denomina-tor in equation (6) is considerable smaller. Figures 10 and11 shown an interesting comparison of the number of mis-matches between the anonymous range vectors of two usersusing two different threshold distance parameters t. We seethat the results are consistent with what we expect.

4.2.2 u-blox LEA-6T receiver

In the previous section, we elaborated on the challengesand our approach to android data collection. We had toconstruct our own range measurements from the satelliteephemeris and the last known position. We thus decided toperform another experiment with u-blox LEA-6T receivers.It is well known that these receivers give out RXM-RAWmessages with pseudorange measurements. Four graduatestudents from our lab took part in this experiment. Two ofthem drove in opposite directions from Urbana-Champaign,ILfor a few kilometers. Two others were walking around near

Figure 9. Performance of the proximity detection algorithm withthe data logged through Android phones

Figure 10. Variation of number of mismatches with distance fortwo users over a day with t = 250 m

Figure 11. Variation of number of mismatches with distance fortwo users over a day with t = 1500 m

Talbot lab in Urbana, IL. The paths of these users are pre-sented in figure 12. The results from these experiments arepresented in figures 13, 14 and 15 respectively. From figure13, we can see that there is a sharp jump in the number ofmismatches when the distance between the users increasesmore than the threshold of t = 5000m. This demonstrates

Figure 12. Paths of the four users during data collection

Figure 13. Variation of number of mismatches with distance forfirst pair of users over a day with t = 750 m

the robustness of the algorithm. For the same pair of users,we see in figure 14 that, a lesser threshold of t = 750mgives appropriate results in terms of the number of mis-matches. We further reiterate these ideas by comparing theproximity detection statistic T on a different pair of usersin figure 15.With the different experimental evaluations, we have cov-ered a wide range of test cases. In the IGS evaluation,the stations were very far apart. However, this evaluationhelped understand the statistics of the false alarms and misseddetections. The android app based evaluation was usefulin understanding the challenges that one might face whiletrying to implement proximity detection using anonymousrange measurements in the real world. The u-blox receiverevaluation clearly demonstrated the efficiency and robust-ness of this scheme for performing proximity detection.

5 CONCLUSION AND FUTURE WORKWith the widespread use of location-based services in mo-bile devices, efficient schemes for privacy protection are es-sential. Here, we introduced a scheme for private proxim-ity detection using pseudorange/range measurements asso-ciated with GPS satellites. We hide the PRN numbers asso-

Figure 14. Variation of number of mismatches with distance forfirst pair of users over a day with t = 5000 m

Figure 15. Variation of number of mismatches with distance forsecond pair of users over a day with t = 1000 m

ciated with the range measurements, and present a schemefor proximity detection using the range vectors. The proofof concept of this scheme was presented using experimentswith android phones and u-blox receivers.The implementation of the scheme with android phoneswas severely constrained by the limited information avail-able from the Android API. However, the results prove theviability of the scheme for use in mobile phones. The ex-periment with u-blox receivers gave very promising resultswith actual pseudorange measurements. Integrating thisscheme with those existing in the security literature canpossible strengthen privacy, thus opening up a new avenuefor GPS privacy research.

REFERENCES[1] Bellavista, P., Kupper, A., and Helal, S., Location-

Based Services: Back to the Future, Pervasive Com-puting, IEEE, 7(2), 85-89, 2008.

[2] Schiller, J., and Voisard, A., "Location BasedServices", Morgan Kaufmann Publishers,ISBN:1558609296, 2004.

[3] Minch, R.P., "Privacy Issues in Location-Aware Mo-bile Devices", Proceedings of the 37th Annual HawaiiInternational Conference on System Sciences, 2004.

[4] Zickuhr, K., and Smith, A., "4% of online Ameri-cans use location-based services", Pew Research Cen-ter, Tech. Rep., Nov. 2010.

[5] Siksnys, L., Thomsen, J. R., Saltenis, S., & Yiu, M. L.(2010, May). "Private and flexible proximity detectionin mobile social networks". In Mobile Data Manage-ment (MDM), 2010 Eleventh International Conferenceon (pp. 75-84). IEEE.

[6] Amir, A., Efrat, A., Myllymaki, J., Palaniappan, L., &Wampler, K. (2007). "Buddy tracking - efficient prox-imity detection among mobile friends". Pervasive andMobile Computing, 3(5), 489-511.

[7] Shin, K. G., Ju, X., Chen, Z., & Hu, X.. "Privacy pro-tection for users of location-based services". WirelessCommunications, IEEE, 19(1), 30-39, 2012.

[8] Gruteser, M., and Grunwald, D., "Anonymous usageof location-based services through spatial and tempo-ral cloaking." Proceedings of the 1st international con-ference on Mobile systems, applications and services.ACM, 2003.

[9] Hoh, B., and Gruteser, M., "Protecting location privacythrough path confusion" in Security and Privacy forEmerging Areas in Communications Networks, 2005.SecureComm 2005. First International Conference on,2005, pp. 194–205.

[10] Ghinita, G., "Privacy for Location-Based Services",Synthesis Lectures on Information Security, Privacy,and Trust. Morgan & Claypool Publishers, 2013.

[11] Ghinita, G., Kalnis, P., Khoshgozaran, A., Shahabi,C., & Tan, K. L., "Private queries in location basedservices: anonymizers are not necessary". In Proceed-ings of the ACM SIGMOD international conference onManagement of data (pp. 121-132), ACM, 2008.

[12] Ruppel, P., Treu, G., KÃijpper, A., Linnhoff-Popien,C., "Anonymous user tracking for location-based com-munity services". In Proceedings of the Second Inter-national Workshop on Location and Context Aware-ness, vol. LNCS 3987, pp. 116–133., Springer, 2006.

[13] Atallah, M.J., Du, W., "Secure Multi-party Computa-tional Geometry" . In Proceedings of 7th InternationalWorkshop on Algorithms and Data Structures, 2001.

[14] Zhong, G., Goldberg, I., Hengartner, U., Louis, L.,Pierre: "Three protocols for location privacy". In Pri-vacy Enhancing Technologies, vol. LNCS 4776, pp.62–76. Springer, 2007.

[15] Narayanan, A., Thiagarajan, N., Lakhani, M., Ham-burg, M., and Boneh, D., "Location privacy via privateproximity testing", In Network and Distributed SystemSecurity Symposium, Internet Society, Feb 2011.

[16] Mascetti, S., Freni, D., Bettini, C., Wang, X. S., &Jajodia, S., "Privacy in geo-social networks: proximitynotification with untrusted service providers and curi-ous buddies", The VLDB Journal—The InternationalJournal on Very Large Data Bases, 20(4), 541-566,2011.

[17] Lin, Z., Kune, D. F, & Hoppe, N., "Efficient privateproximity testing with GSM location sketches". In Pro-ceedings of 32nd International Cryptology Conference,2012.

[18] Zheng, Y., Li, M., Lou, W., & Hou, T., "SHARP: Pri-vate proximity test and secure handshake with cheat-proof location tags," in Proceedings of ESORICS,2012, pp. 361–378