
    A Middleware Enforcing Location Privacy in Mobile Platforms

    Emerging indoor positioning and WiFi infrastructure enable building apps with numerous Location-based Services (LBS) that represent critical threats to smartphone users' location privacy, enabling continuous tracking, profiling and unauthorized identification. Currently, the app ecosystem relies on permission-based access control, which has proven ineffective at controlling how third-party apps and/or library developers use and share users' data. In this paper we present the design, deployment and evaluation of PL-Protector, a location privacy-enhancing middleware which, through a caching technique, minimises the interaction with, and data collection by, wireless access points, content distributors and location providers. PL-Protector also provides a new series of control settings and privacy rules over both the information and control flows between sources and sinks, to prevent user information disclosure during LBS queries. We implement PL-Protector on Android 6 and conduct experiments with real apps from five different categories of location-based services, such as instant messaging and navigation. Experiments demonstrate acceptable delay overheads (lower than 22 milliseconds), within practical limits; hence, our middleware is practical, secure and efficient for location-demanding apps.

    Linear and Range Counting under Metric-based Local Differential Privacy

    Local differential privacy (LDP) enables private data sharing and analytics without the need for a trusted data collector. Error-optimal primitives (for, e.g., estimating means and item frequencies) under LDP have been well studied. For analytical tasks such as range queries, however, the best known error bound depends on the domain size of the private data, which is potentially prohibitive. This deficiency is inherent, as LDP protects the same level of indistinguishability between any pair of private data values for each data owner. In this paper, we utilize an extension of ε-LDP called Metric-LDP or E-LDP, where a metric E defines heterogeneous privacy guarantees for different pairs of private data values and thus provides a more flexible knob than ε does to relax LDP and tune utility-privacy trade-offs. We show that, under such privacy relaxations, for analytical workloads such as linear counting, multi-dimensional range counting queries, and quantile queries, we can achieve significant gains in utility. In particular, for range queries under E-LDP where the metric E is the L1-distance function scaled by ε, we design mechanisms with errors independent of the domain sizes; instead, their errors depend on the metric E, which specifies at what granularity the private data is protected. We believe that the primitives we design for E-LDP will be useful in developing mechanisms for other analytical tasks, and encourage the adoption of LDP in practice.
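The E-LDP guarantee with E = ε·L1 can be checked exhaustively on a small integer domain. The block below is an added illustration, not code from the paper: it uses the two-sided geometric mechanism, a standard instance of metric privacy on integer data, rather than the paper's own range-query mechanisms, and the toy domain 0..10 is a constructed assumption. It shows that the geometric mechanism satisfies E-LDP with E(x, x') = ε·|x − x'| but not plain ε-LDP (distant values are distinguishable beyond ε), and that its per-report error depends only on ε, not on the domain size.

```python
"""Metric-LDP (E-LDP) with E = eps * L1, illustrated with the two-sided geometric
mechanism on integer-valued private data. Added example; the mechanism choice and
the toy domain are assumptions, not the paper's constructions."""
import math
import random
from typing import Callable, Iterable

# E(x, x') is the privacy budget available for distinguishing x from x'.
Metric = Callable[[int, int], float]


def l1_metric(eps: float) -> Metric:
    """E(x, x') = eps * |x - x'|: neighbouring values are nearly indistinguishable,
    distant values may be told apart more easily (the knob the abstract describes)."""
    return lambda x, xp: eps * abs(x - xp)


def constant_metric(eps: float) -> Metric:
    """Plain eps-LDP written as a metric: the same budget eps for every pair of values."""
    return lambda x, xp: eps


def geometric_pmf(eps: float, k: int) -> float:
    """Two-sided geometric noise, Pr[Z = k] = (1 - a)/(1 + a) * a^|k| with a = e^-eps."""
    a = math.exp(-eps)
    return (1.0 - a) / (1.0 + a) * a ** abs(k)


def mechanism_pmf(eps: float, x: int, y: int) -> float:
    """Pr[M(x) = y] for the perturbation M(x) = x + Z on integer data."""
    return geometric_pmf(eps, y - x)


def privacy_loss(eps: float, x: int, xp: int, outputs: Iterable[int]) -> float:
    """max over y of ln(Pr[M(x) = y] / Pr[M(x') = y]); E-LDP requires this <= E(x, x')."""
    return max(math.log(mechanism_pmf(eps, x, y) / mechanism_pmf(eps, xp, y))
               for y in outputs)


def satisfies_metric_ldp(eps: float, metric: Metric, domain: range, outputs: range) -> bool:
    """Exhaustively check Pr[M(x)=y] <= exp(E(x, x')) * Pr[M(x')=y] for all x != x' and y."""
    return all(privacy_loss(eps, x, xp, outputs) <= metric(x, xp) + 1e-9
               for x in domain for xp in domain if x != xp)


def expected_abs_noise(eps: float) -> float:
    """E|Z| = 2a / (1 - a^2): the per-report error is set by eps alone, not by the domain size."""
    a = math.exp(-eps)
    return 2.0 * a / (1.0 - a * a)


def sample_noise(eps: float, rng: random.Random) -> int:
    """Draw Z as the difference of two i.i.d. geometric variables with Pr[G = k] = (1 - a) a^k,
    which yields exactly the two-sided geometric distribution above."""
    a = math.exp(-eps)

    def geometric() -> int:
        k = 0
        while rng.random() < a:
            k += 1
        return k

    return geometric() - geometric()


def mean_abs_error(eps: float, n: int, seed: int = 0) -> float:
    """Monte Carlo estimate of E|Z|, to cross-check expected_abs_noise."""
    rng = random.Random(seed)
    return sum(abs(sample_noise(eps, rng)) for _ in range(n)) / n


if __name__ == "__main__":
    eps = 1.0
    domain, outputs = range(0, 11), range(-20, 31)  # constructed toy domain and output range
    print("E-LDP with E = eps*L1 holds:", satisfies_metric_ldp(eps, l1_metric(eps), domain, outputs))
    print("plain eps-LDP holds:       ", satisfies_metric_ldp(eps, constant_metric(eps), domain, outputs))
    print("privacy loss between 0 and 5:", privacy_loss(eps, 0, 5, outputs))
    print("E|Z| analytic vs empirical:", expected_abs_noise(eps), mean_abs_error(eps, 20000))
```

The privacy loss between values 0 and 5 comes out as 5ε: the mechanism spends more budget on distant pairs, which is exactly the relaxation that lets the error stop depending on the domain size.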

    Quantifying Location Privacy In Location-based Services

    Mobile devices (e.g., smart phones) are widely used in people's daily lives. When users rely on location-based services in mobile applications, plenty of location records are exposed to the service providers. This causes a severe location privacy threat. The location privacy problem for location-based services in mobile devices has drawn much attention. In 2011, Shokri et al. proposed a location privacy framework that consists of users' background knowledge, location privacy preserving mechanisms (LPPMs), inference attacks, and metrics. After that, many works designed their own location privacy frameworks based on this structure. One problem of the existing works is that most of them use cell-based location privacy frameworks to simplify the computation. This may result in performance results that differ from those of more realistic frameworks. Besides, while many existing works focus on designing new LPPMs, we do not know how much the location information an adversary can obtain differs when users use different LPPMs. Although some works propose new complementary privacy metrics (e.g., geo-indistinguishability, conditional entropy) to show that their LPPMs are better, we have no idea how these metrics relate to the location information an adversary can obtain. In addition, previous works usually assume either a strong adversary who has complete background knowledge to construct a user's mobility profile, or a weak adversary who has no background knowledge about a user. What the attack results would be like when an adversary has different amounts of background knowledge, and can also take semantic background knowledge into account, is unknown. To address these problems, we propose a more realistic location privacy framework, which considers location points instead of cells as inputs. Our framework contains both geographical background knowledge and semantic background knowledge, different LPPMs with or without the geo-indistinguishability property, different inference attacks, and both the average distance error and the success rate metrics. We design several experiments using a Twitter check-in dataset to quantify our location privacy framework from an adversary's point of view. Our experiments show that an adversary only needs to obtain 6% of the background knowledge to infer around 50% of the users' actual locations that he can infer when having full background knowledge; the prior probability distribution of an LPPM has much less impact than the background knowledge; an LPPM with the geo-indistinguishability property may not perform better against different attacks than LPPMs without this property; and the semantic information is not as useful as previous work shows. We believe our findings will help users and researchers gain a better understanding of our location privacy framework, and also help them choose the appropriate techniques in different cases.

    Privacy-Preserved Linkable Social-Physical Data Publication

    In this dissertation, we investigate privacy-preserved data publication problems for pervasively existing linkable social-physical contents. On the one hand, data publication has been considered a critical approach to facilitate numerous utilities for individuals, populations, platform owners, and all third-party service providers. On the other hand, the unprecedented adoption of mobile devices and the dramatic development of Internet-of-Things (IoT) systems have pushed the collection of surrounding physical information among populations to a totally novel stage. The collected contents can provide fine-grained access to both physical and social aspects of the crowds, which introduces a comprehensively linkable and potentially sensitive information domain. The linkage includes related indices such as privacy, utility, and efficiency for sophisticated applications, the inherent correlations among multiple data sources or information dimensions, and the connections among individuals. As the linkage leads to various novel challenges for privacy preservation, there should be a body of novel mechanisms for linkable social-physical data publication. As a result, this dissertation proposes a series of mechanisms for privacy-preserved linkable social-physical data publication. Firstly, we study the publication of physical data where the co-existing useful social profiles and the sensitive physical profiles of the data should be carefully maintained. Secondly, we investigate the data publication problem jointly considering privacy preservation, data utility, and resource efficiency for task completion in crowd-sensing systems. Thirdly, we investigate the publication of private contents used for recommendation, where the contents of a user contribute to the recommendation results for others. Fourthly, we study the publication of reviews in local business service systems, where users expect to conceal their frequently visited locations while cooperatively maintaining the utility of the whole system. Fifthly, we study the acquisition of privacy-preserved knowledge on cyber-physical social networks, where third-party service providers can derive the community structure without accessing the sensitive social links. We also provide detailed analysis and discussion of the proposed mechanisms, and extensively validate their performance via real-world datasets. The results demonstrate that the proposed mechanisms can properly preserve privacy while maintaining data utility. Finally, we also propose future research topics to complete the whole dissertation. The first topic focuses on privacy preservation towards correlations beneath multiple data sources. The second topic studies further privacy issues for the whole population during data publication, including both the novel threats to related communities and the disclosure of trends within crowds.

    Cyber Security

    This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security.

    Context and Semantic Aware Location Privacy

    With ever-increasing computational power, and improved sensing and communication capabilities, smart devices have altered and enhanced the way we process, perceive and interact with information. Personal and contextual data is tracked and stored extensively on these devices and, oftentimes, ubiquitously sent to online service providers. This routine is proving to be quite privacy-invasive, since these service providers mine the data they collect in order to infer more and more personal information about users. Protecting privacy in the rise of mobile applications is a critical challenge. The continuous tracking of users with location- and time-stamps exposes their private lives at an alarming level. Location traces can be used to infer intimate aspects of users' lives such as interests, political orientation, religious beliefs, and even more. Traditional approaches to protecting privacy fail to meet users' expectations due to simplistic adversary models and the lack of a multi-dimensional awareness. In this thesis, the development of privacy-protection approaches is pushed further by (i) adapting to concrete adversary capabilities and (ii) investigating the threat of strong adversaries that exploit location semantics. We first study user mobility and spatio-temporal correlations in continuous disclosure scenarios (e.g., sensing applications), where the more frequently a user discloses her location, the more difficult it becomes to protect. To counter this threat, we develop adversary- and mobility-aware privacy protection mechanisms that aim to minimize an adversary's exploitation of user mobility. We demonstrate that a privacy protection mechanism must actively evaluate privacy risks in order to adapt its protection parameters. We further develop an Android library that provides on-device location privacy evaluation and enables any location-based application to support privacy-preserving services. We also implement an adversary-aware protection mechanism in this library with semantic-based privacy settings. Furthermore, we study the effects of an adversary that exploits location semantics in order to strengthen his attacks on user traces. Such extensive information is available to an adversary via maps of points of interest, but also from users themselves. Typically, users of online social networks want to announce their whereabouts to their circles. They do so mostly, if not always, by sharing the type of their location along with the geographical coordinates. We formalize this setting and, using Bayesian inference, show that if the location semantics of traces is disclosed, users' privacy levels drop considerably. Moreover, we study time-of-day information and its relation to location semantics. We reveal that an adversary can breach privacy further by exploiting the time-dependency of semantics. We implement and evaluate a sensitivity-aware protection mechanism in this setting as well. The battle for privacy requires social awareness and the will to win. However, the slow progress on the front of law and regulations pushes the need for technological solutions. This thesis concludes that we have a long way to go in order to establish privacy-enhancing technologies in our age of information. Our findings open up new avenues for a more expeditious understanding of privacy risks and thus their prevention.

    Preserving Users’ Location Privacy in Mobile Platforms

    Mobile and interconnected devices have witnessed rapid advancements in computing and networking capabilities due to the emergence of Internet-of-Things, Connected Societies, Smart Cities and other similar paradigms. Compared to traditional personal computers, these devices represent moving gateways that offer possibilities to influence new businesses and, at the same time, have the potential to exchange users' sensitive data. As a result, this raises substantial threats to the security and privacy of users that must be considered. With the focus on location data, this thesis proposes an efficient and socially acceptable solution to preserve users' location privacy, maintaining the quality of service, and respecting usability by not relying on changes to the mobile app ecosystem. This thesis first analyses the current mobile app ecosystem so as to apply a privacy-by-design approach to location privacy, from the data computation to its visualisation. From our analysis, a 3-Layer Classification model is proposed that depicts the state of the art in three layers, providing a new perspective towards privacy-preserving location-based applications. Secondly, we propose a theoretically sound privacy-enhancing model, called LP-Cache, that forces the mobile app ecosystem to make location data usage patterns explicit and maintains the balance between location privacy and service utility. LP-Cache defines two location privacy preserving algorithms: on-device location calculation and personalised permissions. The former incorporates a caching technique to determine the location of client devices by means of wireless access points and achieve data minimisation in the current process. With the latter, users can manage each app and private place distinctly to mitigate fundamental location privacy threats, such as tracking, profiling, and identification. Finally, PL-Protector implements LP-Cache as a middleware on the Android platform. We evaluate PL-Protector in terms of performance, privacy, and security. Experimental results demonstrate acceptable delay and storage overheads, which are within practical limits. Hence, we claim that our approach is a practical, secure and efficient solution to preserve location privacy in the current mobile app ecosystem.
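The two ideas described above, on-device location calculation from cached access-point observations and per-app private-place rules, can be sketched as follows. This is an added illustration, not LP-Cache or PL-Protector code: the BSSID-overlap lookup, the grid coarsening, the policy format, the haversine distance check, and the sample BSSIDs and coordinates are all constructed assumptions. The point it makes is that a cache hit answers the query without contacting the location provider at all, and that the policy layer decides what an app sees, not whether the device knows where it is.

```python
"""On-device Wi-Fi location cache with per-app private-place rules, in the spirit of the
data-minimisation idea in the abstract above. Added example; the data model, the
overlap-based lookup, the coarsening and all sample data are assumptions."""
import math
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Set, Tuple

LatLon = Tuple[float, float]
Provider = Callable[[Set[str]], LatLon]  # remote BSSID-to-location lookup we want to avoid


@dataclass
class CacheEntry:
    bssids: FrozenSet[str]
    location: LatLon


@dataclass
class PrivatePlace:
    centre: LatLon
    radius_m: float


@dataclass
class AppPolicy:
    """Per-app rule: inside any private place the app only receives a grid-coarsened fix."""
    private_places: List[PrivatePlace] = field(default_factory=list)
    coarse_grid_m: float = 1000.0


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def coarsen(loc: LatLon, grid_m: float) -> LatLon:
    """Snap a fix to a grid of roughly grid_m metres (equirectangular approximation)."""
    lat, lon = loc
    lat_step = grid_m / 111_320.0
    lon_step = grid_m / (111_320.0 * math.cos(math.radians(lat)))
    return (round(lat / lat_step) * lat_step, round(lon / lon_step) * lon_step)


class LocationCache:
    """Resolve a Wi-Fi scan on-device; contact the provider only on a cache miss."""

    def __init__(self, min_overlap: int = 2) -> None:
        self.entries: List[CacheEntry] = []
        self.min_overlap = min_overlap
        self.provider_queries = 0  # how often the remote provider learned a scan

    def resolve(self, scan: Set[str], provider: Provider) -> LatLon:
        for entry in self.entries:
            if len(entry.bssids & scan) >= self.min_overlap:
                return entry.location  # hit: nothing leaves the device
        self.provider_queries += 1
        location = provider(scan)
        self.entries.append(CacheEntry(frozenset(scan), location))
        return location


def location_for_app(cache: LocationCache, scan: Set[str], provider: Provider,
                     policy: AppPolicy) -> LatLon:
    """Exact fix unless the device is inside one of the app's private places."""
    exact = cache.resolve(scan, provider)
    if any(haversine_m(exact, p.centre) <= p.radius_m for p in policy.private_places):
        return coarsen(exact, policy.coarse_grid_m)
    return exact


# Constructed sample data (not from the thesis): a fake provider that knows two sites.
HOME: LatLon = (51.5007, -0.1246)
OFFICE: LatLon = (51.5155, -0.0922)
SITES = {"aa:01": HOME, "aa:02": HOME, "aa:03": HOME,
         "bb:01": OFFICE, "bb:02": OFFICE, "bb:03": OFFICE}


def fake_provider(scan: Set[str]) -> LatLon:
    """Majority vote over the BSSIDs the provider recognises."""
    votes = [SITES[b] for b in scan if b in SITES]
    if not votes:
        raise LookupError("no known access point in scan")
    return max(set(votes), key=votes.count)


if __name__ == "__main__":
    cache = LocationCache()
    policy = AppPolicy(private_places=[PrivatePlace(HOME, 200.0)])
    print("at home, app sees:", location_for_app(cache, {"aa:01", "aa:02", "aa:03"}, fake_provider, policy))
    print("at home again (partial scan):", location_for_app(cache, {"aa:02", "aa:03", "aa:09"}, fake_provider, policy))
    print("at office, app sees:", location_for_app(cache, {"bb:01", "bb:02", "bb:03"}, fake_provider, policy))
    print("provider queries:", cache.provider_queries)
```

The second scan at home shares two BSSIDs with the cached entry and is answered locally, so the provider is queried once for home and once for the office; the app with a private place around home only ever sees the coarsened cell, while the office fix is passed through unchanged.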