231 research outputs found

    Location Privacy for Mobile Crowd Sensing through Population Mapping

    Opportunistic sensing allows applications to “task” mobile devices to measure context in a target region. For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street, or users' mobile phones to locate (Bluetooth-enabled) objects in their vicinity. In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk: even if identifying information has been removed from a report, the accompanying time and location can reveal sufficient information to de-anonymize the user whose device sent the report. We propose and evaluate a novel spatiotemporal blurring mechanism based on tessellation and clustering to protect users' privacy against the system while reporting context. Our technique employs a notion of probabilistic k-anonymity; it allows users to perform local blurring of reports efficiently, without an online anonymization server, before the data are sent to the system. The proposed scheme can control the degree of certainty in location privacy and the quality of reports through a system parameter. We outline the architecture and security properties of our approach and evaluate our tessellation and clustering algorithm against real mobility traces.

    Spatio-Temporal Techniques for User Identification by means of GPS Mobility Data

    One of the greatest concerns related to the popularity of GPS-enabled devices and applications is the increasing availability of the personal location information generated by them and shared with application and service providers. Moreover, people tend to have regular routines and to be characterized by a set of "significant places", thus making it possible to identify a user from his/her mobility data. In this paper we present a series of techniques for identifying individuals from their GPS movements. More specifically, we study the uniqueness of GPS information for three popular datasets, and we provide a detailed analysis of the discriminatory power of speed, direction and distance of travel. Most importantly, we present a simple yet effective technique for the identification of users from location information that is not included in the original dataset used for training, thus raising important privacy concerns for the management of location datasets.
    Comment: 11 pages, 8 figures

    Efficient Collaborations in Supply Chains


    Strangers Sets: Preserving Drones' Location Privacy while Avoiding Invasions of Critical Infrastructures

    Preserving the location privacy of drones while allowing Critical Infrastructures (CIs) to detect invasions represents a significant challenge. To allow for the detection of such invasions, the current standard by the Federal Aviation Administration mandates that drones disclose their location (in cleartext). However, such a strategy provides malicious entities with significant possibilities for tracking and profiling, thus jeopardizing drones' privacy. A recent proposal suggested using geo-indistinguishability to sanitize drones' locations while allowing CIs to detect invasions. However, due to the statistical nature of the approach, the risk of false invasion detection is inversely proportional to the privacy guarantees of drones. In this paper, we propose Privacy Preserving Invasion Detection (PPID), a novel approach based on a private set intersection algorithm to simultaneously protect drones' location privacy and allow CIs to detect invasions while avoiding the problem of false invasion detection. We propose two versions of the protocol: i) PPID, which uses an elliptic curve-based private set intersection to detect the co-presence of drone and CI in a given area, and ii) e-PPID, which extends the protocol with an approximation of the future location of the drone, to predict possible future invasions. To validate our proposal, we implemented our protocols and deployed them on a proof of concept involving resource-constrained devices. We measure performance in terms of security, execution time, communication cost, and memory overhead. Our results show that PPID and e-PPID provide accurate results about an invasion, requiring approx. 52 ms and 84 ms, respectively, in the worst-case scenario (i.e., the highest possible number of messages exchanged) and for a 256-bit security level.

    Spatial generalization and aggregation of massive movement data.

    Movement data (trajectories of moving agents) are hard to visualize: numerous intersections and overlaps between trajectories make the display heavily cluttered and illegible. It is necessary to use appropriate data abstraction methods. We suggest a method for spatial generalization and aggregation of movement data, which transforms trajectories into aggregate flows between areas. It is assumed that no predefined areas are given. We have devised a special method for partitioning the underlying territory into appropriate areas. The method is based on extracting significant points from the trajectories. The resulting abstraction conveys essential characteristics of the movement. The degree of abstraction can be controlled through the parameters of the method. We introduce local and global numeric measures of the quality of the generalization, and suggest an approach to improve the quality in selected parts of the territory where this is deemed necessary. The suggested method can be used in interactive visual exploration of movement data and for creating legible flow maps for presentation purposes.

    Spatio-temporal techniques for user identification by means of GPS mobility data

    One of the greatest concerns related to the popularity of GPS-enabled devices and applications is the increasing availability of the personal location information generated by them and shared with application and service providers. Moreover, people tend to have regular routines and to be characterized by a set of “significant places”, thus making it possible to identify a user from his/her mobility data. In this paper we present a series of techniques for identifying individuals from their GPS movements. More specifically, we study the uniqueness of GPS information for three popular datasets, and we provide a detailed analysis of the discriminatory power of speed, direction and distance of travel. Most importantly, we present a simple yet effective technique for the identification of users from location information that is not included in the original dataset used for training, thus raising important privacy concerns for the management of location datasets.

    Security in social networks: problems, trends and future challenges

    Proceedings of: VII Congreso Iberoamericano en Seguridad Informática (CIBSI), Panama, 29 to 31 October 2013. The overwhelming growth of Social Networks (SNs), together with their heavy use, stimulates their constant research and improvement. However, the use of SNs is not free of security problems and, in particular, of privacy problems. This is precisely where this work contributes. Based on recent research and trends, a total of ten problems associated with privacy in SNs are presented. In addition, each problem is accompanied by guidelines that are intended to serve as the basis for future research and development. Finally, the technical difficulty of addressing these problems, as well as their scope within SNs, is analyzed globally. Not published.

    An Approach for Ensuring Robust Support for Location Privacy and Identity Inference Protection

    The challenge of preserving a user's location privacy is more important now than ever before with the proliferation of handheld devices and the pervasive use of location based services. To protect location privacy, we must ensure k-anonymity so that the user remains indistinguishable among k-1 other users. There is no better way than to use a location anonymizer (LA) to achieve k-anonymity. However, its knowledge of each user's current location makes it susceptible to being a single point of failure. In this thesis, we propose a formal location privacy framework, termed SafeGrid, that can work with or without an LA. In SafeGrid, the LA is designed in such a way that it is no longer a single point of failure. In addition, it is resistant to known attacks and, most significantly, the cloaking algorithm it employs meets the reciprocity condition. Simulation results exhibit its better performance in query processing and cloaking region calculation compared with existing solutions. In this thesis, we also show that satisfying k-anonymity is not enough to preserve privacy. Especially in an environment where a group of colluding service providers collaborate with each other, a user's privacy can be compromised through identity inference attacks. We present a detailed analysis of such attacks on privacy and propose a novel and powerful privacy definition called s-proximity. In addition to building a formal definition for s-proximity, we show that it is practical and that it can be incorporated efficiently into existing systems to make them secure.

    Privacy by Design in Data Mining

    Privacy is an ever-growing concern in our society: the lack of reliable privacy safeguards in many current services and devices is the basis of a diffusion that is often more limited than expected. Moreover, people feel reluctant to provide true personal data unless it is absolutely necessary. Thus, privacy is becoming a fundamental aspect to take into account when one wants to use, publish and analyze data involving sensitive information. Many recent research works have focused on the study of privacy protection: some of these studies aim at individual privacy, i.e., the protection of sensitive individual data, while others aim at corporate privacy, i.e., the protection of strategic information at the organization level. Unfortunately, it is increasingly hard to transform the data in a way that protects sensitive information: we live in the era of big data, characterized by unprecedented opportunities to sense, store and analyze complex data which describes human activities in great detail and resolution. As a result, anonymization simply cannot be accomplished by de-identification. In the last few years, several techniques for creating anonymous or obfuscated versions of data sets have been proposed, which essentially aim to find an acceptable trade-off between data privacy on the one hand and data utility on the other. So far, the common result obtained is that no general method exists which is capable of both dealing with “generic personal data” and preserving “generic analytical results”. In this thesis we propose the design of technological frameworks to counter the threats of undesirable, unlawful effects of privacy violation, without obstructing the knowledge discovery opportunities of data mining technologies. Our main idea is to inscribe privacy protection into the knowledge discovery technology by design, so that the analysis incorporates the relevant privacy requirements from the start. Therefore, we propose the privacy-by-design paradigm, which sheds new light on the study of privacy protection: once specific assumptions are made about the sensitive data and the target mining queries that are to be answered with the data, it is conceivable to design a framework to: a) transform the source data into an anonymous version with a quantifiable privacy guarantee, and b) guarantee that the target mining queries can be answered correctly using the transformed data instead of the original ones. This thesis investigates two new research issues which arise in modern Data Mining and Data Privacy: individual privacy protection in data publishing while preserving specific data mining analysis, and corporate privacy protection in data mining outsourcing.

    Privacy protection in location based services

    This thesis takes a multidisciplinary approach to understanding the characteristics of Location Based Services (LBS) and the protection of location information in these transactions. This thesis reviews the state of the art and theoretical approaches in Regulations, Geographic Information Science, and Computer Science. Motivated by the importance of location privacy in the current age of mobile devices, this thesis argues that failure to ensure privacy protection in this context is a violation of human rights and poses a detriment to the freedom of users as individuals. Since location information has unique characteristics, existing methods for protecting other types of information are not suitable for geographical transactions. This thesis demonstrates methods that safeguard location information in location based services and that enable geospatial analysis. Through a taxonomy, the characteristics of LBS and privacy techniques are examined and contrasted. Moreover, mechanisms for privacy protection in LBS are presented and the resulting data is tested with different geospatial analysis tools to verify the possibility of conducting these analyses even with protected location information. By discussing the results and conclusions of these studies, this thesis provides an agenda for the understanding of obfuscated geospatial data usability and the feasibility of implementing the proposed mechanisms in privacy-concerned LBS, as well as for releasing crowdsourced geographic information to third parties.