Putting People in their Places - PowerPoint PPT Presentation

About This Presentation
Title:

Putting People in their Places

Slides: 60
Provided by: jamesf8
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

1
Putting People in their Places
  • An Anonymous and Privacy-Sensitive Approach to
    Collecting Sensed Data in Location-Based
    Applications

Karen P. Tang, Pedram Keyani, James Fogarty, Jason I. Hong
Human-Computer Interaction Institute, Carnegie Mellon University
2
Location-Aware Computing Is Here
  • In-car navigation systems
  • PDAs, phones, laptops (WiFi, GSM)

3
Types of Location-Aware Apps
  • Person-centric
    • What restaurants are near me?
    • Where are my friends?
    • What's happening around me?

4
Privacy treated as a tradeoff
  [Figure: a tradeoff slider with Anonymity / Privacy at one end and
  Disclosure / Fidelity at the other]
  • Specific location query: "Where are the closest restaurants
    near me?"
5
Privacy treated as a tradeoff
  [Figure: a tradeoff slider with Anonymity / Privacy at one end and
  Disclosure / Fidelity at the other]
  • Specific location query: "Where are the closest restaurants
    near me?"
  • More anonymous location query: "Where are all the restaurants
    in Montreal?"
6
Types of Location-Aware Apps
  • Person-centric
    • What restaurants are near me?
    • Where are my friends?
    • What's happening around me?
  • Location-centric
    • What's happening at the mall?
    • How busy is the restaurant?
    • What's happening on highway 5?

7
Zipdash: a Location-Centric App
  • Commercial (acquired by Google)
  • How it works
    • Runs on GPS-enabled phones
    • Continuously discloses GPS
    • Server infers traffic congestion
    • View traffic information on phone

8
Zipdash: How it works
  • Each car reports GPS data
  • Server collects all GPS reports

9
Zipdash: Privacy Threat
  • Each car reports GPS data
  • Server collects all GPS reports
  • Can you trust the server?
    • Data is leaked
    • Someone is eavesdropping

  Car A
    8:00 AM  45.587°N, 73.921°W
    8:05 AM  45.527°N, 73.822°W
    8:10 AM  45.594°N, 73.838°W
    8:15 AM  45.594°N, 73.871°W
10
Zipdash: Privacy Threat
  • Observation: consistent routes
    • Start/End is Work or Home

  Car A
    8:00 AM  45.587°N, 73.921°W
    8:05 AM  45.527°N, 73.822°W
    8:10 AM  45.594°N, 73.838°W
    8:15 AM  45.594°N, 73.871°W
11
Zipdash: Privacy Threat
  • Observation: consistent routes
    • Start/End is Work or Home
  • Malicious Server Threat
    • Hijack the GPS log for each car
    • Infer the start of the route as Home
    • Lookup via consumer database

  Car A
    8:00 AM  45.587°N, 73.921°W   (Home)
    8:05 AM  45.527°N, 73.822°W
    8:10 AM  45.594°N, 73.838°W
    8:15 AM  45.594°N, 73.871°W
12
Zipdash: Privacy Threat
  • Observation: consistent routes
    • Start/End is Work or Home
  • Malicious Server Threat
    • Hijack the GPS log for each car
    • Infer the start of the route as Home
    • Lookup via consumer database
  • Result: your home and your identity are revealed

  Car A
    8:00 AM  45.587°N, 73.921°W   (Home)
    8:05 AM  45.527°N, 73.822°W
    8:10 AM  45.594°N, 73.838°W
    8:15 AM  45.594°N, 73.871°W
13
Zipdash: Use the Fidelity Tradeoff?
  • Car calculates actual GPS
  • Car reports blurred GPS

  Car A, as reported (blurred)
    8:00 AM  in Montreal, QC
    8:05 AM  in Montreal, QC
    8:10 AM  in Montreal, QC
    8:15 AM  in Montreal, QC
  Car A, actual GPS
    8:00 AM  45.587°N, 73.921°W
    8:05 AM  45.527°N, 73.822°W
    8:10 AM  45.594°N, 73.838°W
    8:15 AM  45.594°N, 73.871°W
14
Zipdash: Use the Fidelity Tradeoff?
  • Car calculates actual GPS
  • Car reports blurred GPS
  • Application loses usefulness
    • Fidelity tradeoff lessens utility

  Car A, as reported (blurred)
    8:00 AM  in Montreal, QC
    8:05 AM  in Montreal, QC
    8:10 AM  in Montreal, QC
    8:15 AM  in Montreal, QC
  Car A, actual GPS
    8:00 AM  45.587°N, 73.921°W
    8:05 AM  45.527°N, 73.822°W
    8:10 AM  45.594°N, 73.838°W
    8:15 AM  45.594°N, 73.871°W
15
Limits of Fidelity Tradeoff
  • Fidelity tradeoff doesn't work for Zipdash

16
A New Approach to Privacy
  • Fidelity tradeoff doesn't work for Zipdash
  • Location-centric applications need a better way
    to protect users' privacy

Hitchhiking
17
Overview
  • Motivation: Limits of the Fidelity Tradeoff
  • Hitchhiking
  • Example Applications
  • Privacy Analysis: Hitchhiking principles
    • Client computation
    • Location of interest approval
    • Sensing physical identifiers
  • Conclusion

19
Hitchhiking Definition
  • Client-focused, software-based approach to
    privacy-sensitive, location-centric apps on
    commodity devices and networks
  • Key: location is the entity of interest
  • Ensure complete user anonymity: no new privacy
    threats, even with a malicious server

21
Hitchhiking Approach to Zipdash
  • Location of interest: the bridge
  • Only report GPS when on the bridge

22
Hitchhiking Approach to Zipdash
  • Location of interest: the bridge
  • Only report when on the bridge
  • Prevents the malicious server threat
    • No start/end pattern
    • Every report comes from the same area
    • No lookups are possible

  Reports received by the server
    8:05 AM  Car A  45.527°N, 73.822°W
    8:06 AM  Car B  45.633°N, 73.862°W
    8:07 AM  Car C  45.549°N, 73.792°W
  [Figure: cars A, B and C shown on the bridge]
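
The three reporting strategies from the Zipdash slides side by side, as an added example that is not code from the slides or from the Zipdash or Hitchhiking authors. It shows what a malicious server can pull out of full trails (home inference from the first fix of the day), why city-level blurring leaves nothing for the traffic application to work with, and how reporting only from inside the location of interest keeps the congestion count while removing the trail. The trails, car labels and the bridge bounding box (`BRIDGE`) are constructed sample data loosely modelled on the slides' Montreal coordinates.

```python
"""Added example, not code from the slides or from the Zipdash/Hitchhiking
authors. Trails, car labels and the bridge bounding box are constructed
sample data loosely modelled on the slides' Montreal figures."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    car: str       # car identifier, known only to the device itself
    minute: int    # minutes after 8:00 AM
    lat: float     # decimal degrees north
    lon: float     # decimal degrees east (negative = west)


# Constructed trails: each car starts at its own "home" and crosses the
# same bridge a few minutes later.
TRAILS = [
    Fix("A", 0, 45.587, -73.921), Fix("A", 5, 45.527, -73.822),
    Fix("A", 10, 45.594, -73.938), Fix("A", 15, 45.610, -73.960),
    Fix("B", 1, 45.700, -73.950), Fix("B", 6, 45.633, -73.862),
    Fix("B", 11, 45.560, -73.720),
    Fix("C", 2, 45.480, -73.700), Fix("C", 7, 45.549, -73.792),
    Fix("C", 12, 45.650, -73.850),
]

# The location of interest: an assumed bounding box around the bridge
# (lat_min, lat_max, lon_min, lon_max).
BRIDGE = (45.520, 45.640, -73.870, -73.790)


def on_bridge(fix):
    """Computed on the device; the raw fix never has to leave it."""
    lat_min, lat_max, lon_min, lon_max = BRIDGE
    return lat_min <= fix.lat <= lat_max and lon_min <= fix.lon <= lon_max


def infer_homes(fixes):
    """What a malicious server does with full trails (slide 11): the first
    fix of each car's day is taken as that car's home, ready for a lookup
    in a consumer database."""
    homes = {}
    for f in sorted(fixes, key=lambda f: f.minute):
        homes.setdefault(f.car, (f.lat, f.lon))
    return homes


def blur_to_city(fixes, city="Montreal, QC"):
    """Fidelity tradeoff (slide 13): coarsen every fix to the city. Nothing
    can be inferred about homes, but nothing can be said about the bridge
    either, so the traffic application loses its purpose."""
    return [(f.car, f.minute, city) for f in fixes]


def hitchhike(fixes):
    """Hitchhiking rule (slide 21): emit a report only while the device has
    decided, locally, that it is on the bridge, and strip the car identity.
    Every surviving report lies inside the same area, so there is no
    start/end pattern and nothing to look up."""
    return [(f.minute, f.lat, f.lon) for f in fixes if on_bridge(f)]


def congestion(reports, window=5):
    """Server side: reports per 5-minute window on the bridge. This is all
    the traffic application needs, and it works on the anonymous reports."""
    return Counter((minute // window) * window for minute, _, _ in reports)


if __name__ == "__main__":
    print("full trails -> homes:", infer_homes(TRAILS))
    print("blurred trail sample:", blur_to_city(TRAILS)[:2])
    reports = hitchhike(TRAILS)
    print("hitchhiking reports:", reports)
    print("bridge congestion per 5 min:", dict(congestion(reports)))
```

Running it shows the asymmetry the slides argue for: `infer_homes` recovers a home for every car from the full trails, while the same function has nothing to work on in the hitchhiking reports (no car field, and every point inside the bridge box), yet `congestion` still counts three cars on the bridge in the 8:05 window.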
23
Hitchhiking Example: Bus
  • Is my bus running late?
  • Detection of on/off the bus
    • Device senses location
    • Device models on/off bus
  • When on the bus
    • Device anonymously reports bus location to server
    • Server shares bus info

Location of interest: bus route
[Patterson, 2003]
24
Hitchhiking Example: Coffee shop
  • Is Starbucks busy now?
  • When in the coffee shop
    • Device senses WiFi location
    • Device senses other devices
    • Device anonymously reports device count and WiFi
      info
    • Server infers the shop's busyness

Location of interest: coffee shop
25
Hitchhiking Example: Meeting Room
  • Location of interest: meeting room
  • Can I use that room now?
  • When in the meeting room
    • Device senses WiFi location
    • Device anonymously reports WiFi data to server
    • Server infers room availability

26
Research Contribution
  • Hitchhiking is
    • a privacy-sensitive approach
    • applicable to location-centric apps
    • provides complete user anonymity while
      maintaining the application's full utility
  • By using Hitchhiking principles, we can build
    interesting sensor-based location applications
    without sacrificing the user's privacy

27
Overview
  • Motivation: Limits of the Fidelity Tradeoff
  • Hitchhiking
  • Example Applications
  • Privacy Analysis: Hitchhiking principles
    • Client computation
    • Location of interest approval
    • Sensing physical identifiers
  • Conclusion

29
Meeting Room Availability
  • Is that meeting room available right now?

30
Standard Approach: Always Track
  • Most common approach for current systems
  • Privacy Threat from Malicious Server
    • Most people spend the bulk of their time in an office
    • Correlate location trails to a specific person

31
Hitchhiking Solution
  • Define meeting rooms as locations of interest
  • Privacy defense: Client computation
    • Compute location on the device
    • Only report while at this location

  [Figure: floor plan with Offices 1-8, Meeting Room A and
  Meeting Room B]

33
Client location computation
  • Prior work: Place Lab [LaMarca et al., 2005;
    Schilit, 2003]
  • Client-based approach alone is not enough
  • Hitchhiking thoroughly investigates these other
    privacy threats and extends prior work to address
    them

34
Overview
  • Motivation: Limits of the Fidelity Tradeoff
  • Hitchhiking
  • Example Applications
  • Privacy Analysis: Hitchhiking principles
    • Client computation
    • Location of interest approval
    • Sensing physical identifiers
  • Conclusion

35
Threat: Location Spoofing
  • Privacy Threat from Malicious Server
    • Add fake locations of interest (e.g. your office)

  [Figure: floor plan with Offices 1-8, Meeting Room A and
  Meeting Room B]
36
Threat: Location Spoofing
  • Privacy Threat from Malicious Server
    • Add fake locations of interest (e.g. your office)
    • Mislabel a fake location of interest
    • Enables tracking of potentially private places

  [Figure: floor plan with Offices 1-8, Meeting Rooms A and B, and
  a fake "Meeting Room C" added over Office 4]
37
Hitchhiking Solution
  • Make the threat apparent to the user
  • Privacy defense: Location of interest approval
    • In Office 4: "You appear to be in a location that
      another user has indicated is Meeting Room C. Do
      you want to disclose your info?"

  [Figure: floor plan with Offices 1-8, Meeting Rooms A and B, and
  the fake "Meeting Room C" over Office 4]
38
Hitchhiking Solution
  • Make the threat apparent to the user
  • Privacy defense: Location of interest approval
    • In Office 4: "You appear to be in a location that
      another user has indicated is Meeting Room C. Do
      you want to disclose information from your
      current location?"

  [Figure: floor plan with Offices 1-8, Meeting Rooms A and B, and
  the fake "Meeting Room C" over Office 4]
39
Overview
  • Motivation: Limits of the Fidelity Tradeoff
  • Hitchhiking
  • Example Applications
  • Privacy Analysis: Hitchhiking principles
    • Client computation
    • Location of interest approval
    • Sensing physical identifiers
  • Conclusion

40
Threat: Link identifiers to a person
  • Privacy Threat from Malicious Server
    • Attach unique identifiers to locations of
      interest
    • Craft identifiers for each individual
    • People-specific reports for each location of
      interest

  [Figure: the malicious server hands out per-person identifiers for
  Meeting Room B ("B John", "B Mary")]
41
Hitchhiking Solution
  • Privacy defense: Sensed physical identifiers
    • Use the device to sense surrounding identifiers
    • Ensures every device sees the same identifiers
    • Anonymizes reports from devices

  [Figure: every device in Meeting Room B senses the same access
  point identifier 00-0C-F1-5C-04-A8 and reports it to the
  Hitchhiking server]
42
Hitchhiking: Putting it Together
  • Device reports after detecting Meeting Room B
    • If first time, device prompts for disclosure
      approval
    • Device anonymously reports sensed WiFi to server
  • Server only knows someone is in Meeting Room B
  • No person-specific location trail for any user

  [Figure: floor plan with Offices 1-8, Meeting Rooms A and B; the
  device in Meeting Room B senses access point 00-0C-F1-5C-04-A8]
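
The three client-side principles of the meeting-room walkthrough (client computation, location-of-interest approval, sensed physical identifiers) in one device-side client, as an added example that is not the Hitchhiking project's own code. The location definitions, the BSSIDs, the `MATCH_THRESHOLD` overlap rule and the WiFi scans are constructed; "Meeting Room C" is the spoofed entry from the location-spoofing slides, and the crafted per-person identifier in the usage note stands in for the "B John" threat.

```python
"""Added example, not the Hitchhiking project's own code. Everything here
runs on the device: it matches its own WiFi scan against the published
locations of interest, asks the user once before ever reporting from a new
location, and reports only identifiers its own radio sensed. Location
definitions, BSSIDs, threshold and scans are constructed sample data."""

# Locations of interest as pulled from the (possibly malicious) server:
# label -> access-point BSSIDs expected to be heard there. "Meeting Room C"
# is a spoofed entry: another user labelled Office 4's access points as a
# meeting room (location-spoofing slides).
LOCATIONS_OF_INTEREST = {
    "Meeting Room A": frozenset({"00-0c-f1-5c-04-a1", "00-0c-f1-5c-04-a2"}),
    "Meeting Room B": frozenset({"00-0c-f1-5c-04-a8", "00-0c-f1-5c-04-a9"}),
    "Meeting Room C": frozenset({"00-0c-f1-5c-04-b4", "00-0c-f1-5c-04-b5"}),
}

# Assumed matching rule: this fraction of a location's BSSIDs must be heard.
MATCH_THRESHOLD = 0.5


def locate(scan, locations=LOCATIONS_OF_INTEREST, threshold=MATCH_THRESHOLD):
    """Client computation: pick the location of interest whose expected
    BSSIDs best overlap the sensed scan, or None if nothing overlaps
    enough. The scan never leaves the device for this step."""
    sensed = frozenset(b.lower() for b in scan)
    best, best_score = None, 0.0
    for name, expected in locations.items():
        score = len(sensed & expected) / len(expected)
        if score >= threshold and score > best_score:
            best, best_score = name, score
    return best


class HitchhikingClient:
    def __init__(self, ask_user):
        # ask_user(name) -> bool is the location-of-interest approval prompt.
        self.ask_user = ask_user
        self.approvals = {}     # location name -> remembered user decision

    def build_report(self, scan):
        """Return the anonymous report to send, or None to stay silent."""
        name = locate(scan)
        if name is None:
            return None            # not at any location of interest
        if name not in self.approvals:
            # First time at this location: make the threat visible and let
            # the user decide; a spoofed "meeting room" over an office is
            # caught here because the prompt names the claimed location.
            self.approvals[name] = bool(self.ask_user(name))
        if not self.approvals[name]:
            return None            # user declined: nothing is disclosed
        # Sensed physical identifiers: the report carries only what the
        # radio heard, and no device or user identifier at all.
        return {"location": name, "sensed": sorted(b.lower() for b in scan)}


if __name__ == "__main__":
    def prompt(name):
        print(f"You appear to be in a location that another user has "
              f"indicated is {name}. Disclose your info?")
        return name != "Meeting Room C"   # constructed user decision

    client = HitchhikingClient(prompt)
    in_room_b = ["00-0C-F1-5C-04-A8", "00-0C-F1-5C-04-A9", "00-11-22-33-44-55"]
    in_office_4 = ["00-0C-F1-5C-04-B4", "00-0C-F1-5C-04-B5"]
    print(client.build_report(in_room_b))      # report, no identity inside
    print(client.build_report(in_office_4))    # None: user declined
```

The third principle is worth checking explicitly: if the server pads the definition of Meeting Room B with a crafted identifier meant for one person (say `02-4a-6f-00-00-01`, a constructed value), `locate` still matches the room on the identifiers that really are in the air, but the report's `sensed` list never contains the crafted one, because the device reports its scan rather than echoing the server's list. Every device in the room therefore produces the same report.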
43
Related issues
  • Other issues surrounding Hitchhiking
    • Query Anonymity
    • Live Reports vs. Offline Collection
    • Transport Layer Attack
    • Denial-of-Service Attack
    • Timing-Based Attack
  • Defenses for these threats exist

44
Overview
  • Motivation: Limits of the Fidelity Tradeoff
  • Hitchhiking
  • Example Applications
  • Privacy Analysis: Hitchhiking principles
    • Client computation
    • Location of interest approval
    • Sensing physical identifiers
  • Conclusion

45
Conclusion: Hitchhiking Highlights
  • It is a client-focused, software-based approach
    to privacy-sensitive location-centric apps
  • It works on existing devices and networks
  • It uses location constraints for anonymity

46
Conclusion: Hitchhiking Highlights
  • Hitchhiking is an extreme architecture
    • Assumes a system with minimum trust
    • Systems with implicit trust can relax the principles
  • Provides application developers a way to build
    useful location apps while avoiding well-known
    privacy risks

47
Thank you!
  • Questions and comments?
  • Karen P. Tang
    kptang@cs.cmu.edu
    Human-Computer Interaction Institute
    Carnegie Mellon University
  • Acknowledgements
    This is based upon work supported by the Defense
    Advanced Research Projects Agency (DARPA) under
    Contract No. NBCHD030010, by an AT&T Labs
    fellowship, and by the National Science
    Foundation under grants IIS-0121560 and
    IIS-032531. We also thank contributors to Place
    Lab, jpcap, libpcap, and JDesktop Integration
    Components, which were utilized in this work.

48
Potential Questions Slides
  • K-anonymity
  • Mixed Zones
  • Query Anonymity
  • Live Reports vs. Offline Collection
  • Transport Layer Attack
  • Denial-of-Service Attacks
  • Timing-based Attacks

49
K-Anonymity
  • Server obscures the client's location by including
    the client with k-1 others
  • However
    • Requires a trusted middleware server
    • Not applicable to the location-centric applications
      supported by Hitchhiking
    • The k-1 others may not be in the meeting room

50
Mixed Zones
  • Client gets a new ID when entering a location
  • However: Requires a trusted middleware server
    • Server keeps tabs on all used IDs
    • Server provides new IDs to clients

51
Query Anonymity
  • Hitchhiking anonymizes location reports
  • Doesn't anonymize queries about a location
  • Problem: What if you ask about a location?
    • If you've already been there before
      • Use sensed identifiers to ask the server

52
Query Anonymity
  • Hitchhiking anonymizes location reports
  • Doesn't anonymize queries about a location
  • Problem: What if you ask about a location?
    • If you haven't been there before
      • Mask queries
      • Cached, local model

53
Live Reports vs. Offline Collection
  • Live reports are not a Hitchhiking requirement
  • Hitchhiking doesn't assume connectivity
  • Alternative: local cache, upload later
  • However, the app might need to change
    • Real-time availability
    • Temporal models of availability

54
Transport Layer Attacks
  • Problem
    • Phone network providers know your location
    • WiFi network provider could log your MAC address
  • Reality: People trust their network providers

55
Transport Layer Attacks
  • Problem
    • Phone network providers know your location
    • WiFi network provider could log your MAC address
  • Reality: People trust their network providers
  • Hitchhiking
    • Gives app developers the same level of trust
    • Does not introduce any new privacy threats by
      allowing apps to collect sensed data

56
Denial-of-Service Attacks
  • What if the server is flooded with bad reports?
  • Standard approach
    • Give everyone a unique ID
    • Ban the ID that sends fraudulent data
    • Doesn't allow for anonymity

57
Denial-of-Service Attacks
  • What if the server is flooded with bad reports?
  • More anonymous approaches
    • Note the IP address which reports
      • Unlikely to report from many places in a short time
    • Seed the database with false data
      • Insert a non-existent MAC address in the identifier
        list
      • Ban reports that include the false identifiers
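
The two anonymous defenses on this slide as a server-side admission check over Hitchhiking reports, as an added example that is not the project's own code. It shows why the seeded false identifier works against report floods: a device that copies the published location list instead of sensing the air echoes the canary, whereas a device that reports only what its radio heard never can. The `CANARIES` values, the `ReportGate` thresholds, the source addresses and the reports are all constructed.

```python
"""Added example, not the Hitchhiking project's own code: server-side
admission check for anonymous reports. The server never learns who sent a
report; it (1) rejects reports containing a canary identifier it seeded
into the published location definitions but that no real radio can hear,
and (2) drops reports from a source address that claims more distinct
locations than is plausible in a short window. All values are constructed."""
from collections import defaultdict, deque

# Canary BSSIDs the server mixed into the published location lists. A
# device that copies the list instead of sensing the air will echo them.
# Locally administered addresses are used so they cannot collide with a
# vendor-assigned access point (assumed convention, constructed values).
CANARIES = {"02-00-5e-ca-00-01", "02-00-5e-ca-00-02"}


class ReportGate:
    def __init__(self, window_seconds=600, max_locations=2):
        self.window = window_seconds          # assumed plausibility window
        self.max_locations = max_locations    # assumed distinct-location cap
        self.recent = defaultdict(deque)      # src_ip -> deque of (ts, loc)
        self.banned = set()

    def accept(self, src_ip, ts, report):
        """Return (accepted, reason) for one report {"location", "sensed"}."""
        if src_ip in self.banned:
            return False, "banned"
        sensed = {b.lower() for b in report["sensed"]}
        if sensed & CANARIES:
            # The report includes an identifier that does not exist in the
            # air: it was fabricated from the published list. Ban the source.
            self.banned.add(src_ip)
            return False, "canary identifier present"
        q = self.recent[src_ip]
        q.append((ts, report["location"]))
        while q and q[0][0] < ts - self.window:
            q.popleft()
        distinct = {loc for _, loc in q}
        if len(distinct) > self.max_locations:
            # One source is unlikely to be in many places within minutes.
            # Drop the report rather than ban the address, because a shared
            # NAT address legitimately carries reports from several people.
            return False, "implausible movement"
        return True, "ok"


if __name__ == "__main__":
    gate = ReportGate()
    honest = {"location": "Meeting Room B", "sensed": ["00-0c-f1-5c-04-a8"]}
    copied = {"location": "Meeting Room B",
              "sensed": ["00-0c-f1-5c-04-a8", "02-00-5e-ca-00-01"]}
    print(gate.accept("198.51.100.7", 0, honest))       # (True, 'ok')
    print(gate.accept("203.0.113.9", 0, copied))        # canary: banned
    print(gate.accept("203.0.113.9", 5, honest))        # (False, 'banned')
```

The plausibility check is deliberately softer than the canary check: a canary in a report is proof of fabrication, while "many locations from one address" is only a heuristic, and banning on it would lock out everyone behind the same NAT. Dropping the individual report keeps the flood out without costing the legitimate reporters behind that address their service.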

58
Timing-Based Attacks
  • Hitchhiking: report content cannot lead to tracking
  • Can we infer from consecutive reports?
    • 2 reports received around the same time for the same
      location of interest
    • Use reports from 2 close locations of interest

59
Timing-Based Attacks
  • Hitchhiking: report content cannot lead to tracking
  • Can we infer from consecutive reports?
    • 2 reports received around the same time for the same
      location of interest
    • Use reports from 2 close locations of interest
  • Solution: limit the frequency of reports
    • Not just for an application but for all reports
    • E.g. report 1x/10 min for any app: sparse reports
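
The device-wide report limit from this slide, together with the timing correlation it is meant to defeat, as an added example that is not the Hitchhiking project's own code. One `ReportThrottle` is shared by every Hitchhiking application on the device, so at most one report leaves it per interval no matter how many apps ask. The 10-minute interval is the slide's; `linkable_pairs`, the app names, the timestamps and the location labels are constructed for the illustration.

```python
"""Added example, not the Hitchhiking project's own code: a device-wide
report throttle shared by all apps, plus the server-side timing view it
defeats. Interval follows the slide (1x/10 min); everything else is
constructed sample data."""


def linkable_pairs(reports, max_gap_seconds):
    """Adversary's view: pairs of anonymous reports for different locations
    of interest that arrive close together and could be stitched into one
    person's movement. Reports are (timestamp, location) with no sender."""
    ordered = sorted(reports)
    pairs = []
    for i, (t1, loc1) in enumerate(ordered):
        for t2, loc2 in ordered[i + 1:]:
            if t2 - t1 > max_gap_seconds:
                break                      # sorted, so later ones are farther
            if loc1 != loc2:
                pairs.append(((t1, loc1), (t2, loc2)))
    return pairs


class ReportThrottle:
    """Shared by all apps on one device. Reports inside the interval are
    dropped, not queued, so a later send never carries sensor data from a
    place the device has since left."""

    def __init__(self, interval_seconds=600):
        self.interval = interval_seconds
        self.last_sent = None
        self.sent = []          # (timestamp, app, report) actually transmitted

    def try_send(self, now, app, report):
        if self.last_sent is not None and now - self.last_sent < self.interval:
            return False
        self.last_sent = now
        self.sent.append((now, app, report))
        return True


def simulate(device_requests, throttle=None):
    """Feed (timestamp, app, location) requests from one device through a
    throttle and return the (timestamp, location) reports the server sees."""
    throttle = throttle or ReportThrottle()
    for ts, app, loc in device_requests:
        throttle.try_send(ts, app, loc)
    return [(ts, loc) for ts, _, loc in throttle.sent]


# Constructed: one person walks from the coffee shop to a nearby meeting
# room; two different apps on the same phone each want to report.
REQUESTS = [
    (0,   "coffee-app", "Coffee shop"),
    (240, "room-app",   "Meeting Room B"),
    (900, "room-app",   "Meeting Room B"),
]

if __name__ == "__main__":
    unthrottled = [(ts, loc) for ts, _, loc in REQUESTS]
    print("without throttle:", linkable_pairs(unthrottled, 300))
    print("with throttle:   ", linkable_pairs(simulate(REQUESTS), 300))
```

Without the throttle the coffee-shop report at 0 s and the meeting-room report at 240 s form a linkable pair even though neither carries an identity; with the shared throttle the second app's request is dropped and the next report goes out at 900 s, outside any short correlation window. A per-app limit would not do this, since the two apps would each have been within their own budget.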