Preserving User Location Privacy in Mobile Data Management Infrastructures

1
Preserving User Location Privacy in Mobile Data
Management Infrastructures
The 6th Workshop on Privacy Enhancing
Technologies (2006)

• Reynold Cheng (csckcheng_at_comp.polyu.edu.hk)
• The Hong Kong Polytechnic University

A joint work with Yu Zhang, Elisa Bertino, and
Sunil Prabhakar Purdue University
2
Location-Based Services
Find a friend within 50m of my location.
Where is my nearest gas station?
Service Provider
3
The Location Privacy Problem

• Beresford et al. BG03 Location privacy is the
  ability to prevent other parties from learning
  ones current or past location
• Need to prevent
• Tracking of the users whereabouts
• Discovery of the users personal habits

4
Location Cloaking BS03,GG03
Actual Location
y
x
time
Uncertainty region seen by service provider
5
Privacy, Cloaking, and Quality
Location Cloaking
More uncertainty, More privacy
More uncertainty, Poorer service
Better service, lower privacy?
Location Privacy
Service Quality
6
Location Cloaking Framework CP04
Imprecise Location Service Request
Precise Location Service Request
Location Cloaking Engine
Service Provider
User
Service quality report
7
Our Contributions

• A framework that trades off location privacy and
  service quality
• An efficient algorithm for processing an
  important query class
• Definition of query quality
• Experimental simulations
• Privacy threats and solutions

8
Cloaked Location Model
Uniform distribution
Evaluated by imprecise queries to produce answers
with probabilistic confidence
9
The Cloaking Agent
10
The Policy Translator

• Possible privacy preferences
• k-anonymity BG03, GG03 at least k users in the
  cloaking region
• Privacy minimum uncertainty region size
• Accuracy maximum uncertainty region size
• Locations cloaking required when being near to a
  certain object (physical or logical)
• Other users/service providers presence
  known/hidden to them?

11
Service Translator and Service Provider

• Evaluate cloaked data, provide probabilistic
  answer, compute quality
• Example Range query (e.g., who is within 50m
  from me)

12
Result Translator

• Provide query result and quality reports
• Convert probabilistic answers to interpretable
  results
• Example Map probability ranges
  (0,0.2,(0.2,0.8,(0.8,1 to LOW, MEDIUM and HIGH

13
Precise Location-based Range Query
Example Who is within 100 metres from me?
Only S4 is the answer.
14
Imprecise Location-based Range Query
Overall probability (S2,0.1),, (S3,0.7),
(S4,0.9)
Q2 (S3,0.9), (S4,1)
Q1 (S2,0.2),, (S3,0.6), (S4,0.7)
15
Query Evaluation (1)

• Transformation decomposes imprecise queries into
  sub-queries
• Evaluation computes the probabilistic answers
  for each precise sub-queries
• Aggregation summarizes the final result from all
  sub-queries

16
Query Evaluation (2)

• Probability pj(u,v) of user Sj satisfying the
  range query issued at point (u,v) ? U

Can be Expensive!

• Probability pj of user Sj satisfying the range
  query issued by U

17
Efficient Query Evaluation

• Pruning removes all objects that do not have any
  chance of satisfying the query
• Transformation decomposes imprecise queries into
  sub-queries
• Evaluation computes the probabilistic answers
  for each precise sub-queries
• Aggregation summarizes the final result from all
  sub-queries

18
Pruning Cloaked Locations

• The Minkowski Sum can be evaluated with
  computational geometry techniques BK00

19
Quality of Imprecise Queries

• Query quality metric measures the effect of
  cloaking on service quality
• Query quality is affected by
• Uncertainty of query issuers location
• Uncertainty of data being queried

20
Quality of Imprecise Queries

• The larger the query issuers uncertainty, the
  more likely that different sub-query answers are
  generated
• Low quality when
• There are many different answer sets
• The members of different answer sets differ from
  each other significantly

21
Query Quality An Illustration
22
Query Quality Metric

• Precision of Rk with respect to R
• Probability that S gets the answer Rk
• Query Score

23
Experiment Model

• Based on the City Simulator 2.0 developed at IBM
  KMJ01
• 71 buildings, 48 roads, 6 road intersections and
  1 park
• 10,000 people moving in a city

24
Quality and Privacy
25
Privacy and Performance
26
Quality and Query Size
27
Implementation Issues

• Systems that dont track locations regularly
• Example GPS, RFID
• GPS receiver in user obtains info from satellites
• Cloaking agent controls when to report location
• Systems that track locations regularly
• Example GSM, PCS
• Cloaking agent reports cloaked locations in terms
  of neighboring cells regularly WL00

28
References

• BK00 M. Berg, M. Kreveld, M. Overmars and O.
  Schwarzkopf. Computational Geometry Algorithms
  and Applications. 2nd ed., Springer Verlag
  (2000).
• BS03 A. Beresford and F. Stajano. Location
  Privacy in Pervasive Computing. IEEE Pervasive
  Computing, 2(1)46-55, 2003.
• CKP03 R. Cheng, D. Kalashnikov and S.
  Prabhakar. Evaluating Probabilistic Queries over
  Imprecise Data. In Proc. of ACM SIGMOD, June
  2003.
• CKP04 R. Cheng, D. Kalashnikov and S.
  Prabhakar. Querying Imprecise Data in Moving
  Object Environments. . In Transactions of
  Knowledge and Data Engineering, 2004.
• CP04 R. Cheng and S. Prabhakar. Using
  uncertainty to provide privacy-preserving and
  high-quality location-based services. In Workshop
  on Location Systems Privacy and Control,
  MobileHCI 2004.
• GG03 M. Gruteser and D. Grunwald. Anonymous
  Usage of Location-based Services through Spatial
  and Temporal Cloaking. In Proc. of the 1st Intl.
  Conf. on Mobile Systems, Applications and
  Services, May 2003.
• GL05 B. Gedik and L. Liu. Location Privacy in
  Mobile Systems A Personalized Anonymization
  Model. ICDCS, 2005.
• KMJ01 J. Kaufman, J. Myllymaki and J. Jackson.
  IBM City Simulator Spatial Data Generator 2.0,
  2001.
• VL2000 V. Wong and V. Leung. Location
  management for next-generation personal
  communications network. IEEE Network (2000).

29
Conclusions and Future Work

• A framework for capturing uncertainty, location
  privacy, service quality
• Evaluation and quality metrics for imprecise
  range queries
• Future work
• Large-scale data indexing
• Other query types
• Possible privacy threats
• System prototype development

Contact Reynold Cheng (csckcheng_at_comp.polyu.edu.hk
) for more details http//www.comp.polyu.edu.hk/c
sckcheng
30
Related Work Cloaking

• Adaptive-Interval Cloaking Algorithm GG03
  partition the area into quadrants of equal area
  until the user and other k-1 users are included
• Clique-cloak algorithm GL05 each user has her
  own k-anonymity requirement
• These work did not provide probability
  computation and precise measurements over service
  quality

31
Related Work Uncertainty Management

• Probabilistic queries CKP03, CKP04 manage
  uncertain data in location and sensor databases
• Evaluation of answers with probabilities
• Metrics for query ambiguity
• Assume queries are precise (i.e., no uncertainty
  about the query issuer)

32
Privacy of Cloaking

• Size of uncertainty region
• Coverage of sensitive region

33
Privacy Threats
34
Possible Solutions to Privacy Threats
35
Uncertainty vs. Velocity
36
Quality vs. Privacy
37
Response Time vs. Velocity
38
Query Pruning

• Called the Minkowski Sum, which can be computed
  with computational geometric techniques BK00