Context and Semantic Aware Location Privacy

With ever-increasing computational power, and improved sensing and communication capabilities, smart devices have altered and enhanced the way we process, perceive and interact with information. Personal and contextual data is tracked and stored extensively on these devices and, oftentimes, ubiquitously sent to online service providers. This routine is proving to be quite privacy-invasive, since these service providers mine the data they collect in order to infer more and more personal information about users. Protecting privacy in the rise of mobile applications is a critical challenge. The continuous tracking of users with location- and time-stamps expose their private lives at an alarming level. Location traces can be used to infer intimate aspects of users' lives such as interests, political orientation, religious beliefs, and even more. Traditional approaches to protecting privacy fail to meet users' expectations due to simplistic adversary models and the lack of a multi-dimensional awareness. In this thesis, the development of privacy-protection approaches is pushed further by (i) adapting to concrete adversary capabilities and (ii) investigating the threat of strong adversaries that exploit location semantics. We first study user mobility and spatio-temporal correlations in continuous disclosure scenarios (e.g., sensing applications), where the more frequently a user discloses her location, the more difficult it becomes to protect. To counter this threat, we develop adversary- and mobility-aware privacy protection mechanisms that aim to minimize an adversary's exploitation of user mobility. We demonstrate that a privacy protection mechanism must actively evaluate privacy risks in order to adapt its protection parameters. We further develop an Android library that provides on-device location privacy evaluation and enables any location-based application to support privacy-preserving services. We also implement an adversary-aware protection mechanism in this library with semantic-based privacy settings. Furthermore, we study the effects of an adversary that exploits location semantics in order to strengthen his attacks on user traces. Such extensive information is available to an adversary via maps of points of interest, but also from users themselves. Typically, users of online social networks want to announce their whereabouts to their circles. They do so mostly, if not always, by sharing the type of their location along with the geographical coordinates. We formalize this setting and by using Bayesian inference show that if location semantics of traces is disclosed, users' privacy levels drop considerably. Moreover, we study the time-of-day information and its relation to location semantics. We reveal that an adversary can breach privacy further by exploiting time-dependency of semantics. We implement and evaluate a sensitivity-aware protection mechanism in this setting as well. The battle for privacy requires social awareness and will to win. However, the slow progress on the front of law and regulations pushes the need for technological solutions. This thesis concludes that we have a long way to cover in order to establish privacy-enhancing technologies in our age of information. Our findings opens up new venues for a more expeditious understanding of privacy risks and thus their prevention

User-side adaptive protection of location privacy in participatory sensing

The participatory sensing paradigm, through the growing availability of cheap sensors in mobile devices, enables applications of great social and business interest, e.g., electrosmog exposure measurement and early earthquake detection. However, users' privacy concerns regarding their activity traces need to be adequately addressed as well. The existing static privacy-enabling approaches, which hide or obfuscate data, offer some protection at the expense of data value. These approaches do not offer privacy guarantees and heterogeneous user privacy requirements cannot be met by them. In this paper, we propose a user-side privacy-protection scheme; it adaptively adjusts its parameters, in order to meet personalized location-privacy protection requirements against adversaries in a measurable manner. As proved by simulation experiments with artificial- and real-data traces, when feasible, our approach not only always satisfies personal location-privacy concerns, but also maximizes data utility (in terms of error, data availability, area coverage), as compared to static privacy-protection schemes

Location Data: Perils, Profits, Promise

Most of the modern online economy is based on websites offering free services and content in exchange for advertising access and user data. Web companies collect vast troves of data about their users in order to better target their advertisements. An important subset of this harvested data is the locations visited by users. Location data is valuable as it is a ``real world" signal compared to online behaviors: a visit to a store is a stronger signal than a visit to a website, and location data can reveal user attributes that are interesting to advertisers. The collection of this data, however, raises many concerns. Location data can reveal important attributes that users may not wish to disclose: ZIP codes can reveal income and race, visits to places of worship may allow discrimination, and insurers may want to know about trips to hospitals. The risks exist at both an individual level, with location tied to physical safety, and at a collective level, with inference about group membership a necessary step towards discrimination. In this thesis, I examine issues of privacy and fairness in the use of location data. In the first portion, I empirically demonstrate new attacks on the anonymity and privacy of users, including a theoretical basis for user identification. In the second portion, I propose and analyze new solutions for dealing with privacy, anonymity, and fairness in the collection and use of location data. In contrast to previous work which presents privacy in abstract ways or ignores the power of data aggregators, the work presented here focuses on concretely informing users and incorporates the economic incentives driving privacy and fairness concerns

Machine learning techniques for identification using mobile and social media data

Networked access and mobile devices provide near constant data generation and collection. Users, environments, applications, each generate different types of data; from the voluntarily provided data posted in social networks to data collected by sensors on mobile devices, it is becoming trivial to access big data caches. Processing sufficiently large amounts of data results in inferences that can be characterized as privacy invasive. In order to address privacy risks we must understand the limits of the data exploring relationships between variables and how the user is reflected in them. In this dissertation we look at data collected from social networks and sensors to identify some aspect of the user or their surroundings. In particular, we find that from social media metadata we identify individual user accounts and from the magnetic field readings we identify both the (unique) cellphone device owned by the user and their course-grained location. In each project we collect real-world datasets and apply supervised learning techniques, particularly multi-class classification algorithms to test our hypotheses. We use both leave-one-out cross validation as well as k-fold cross validation to reduce any bias in the results. Throughout the dissertation we find that unprotected data reveals sensitive information about users. Each chapter also contains a discussion about possible obfuscation techniques or countermeasures and their effectiveness with regards to the conclusions we present. Overall our results show that deriving information about users is attainable and, with each of these results, users would have limited if any indication that any type of analysis was taking place

When Whereabouts is No Longer Thereabouts:Location Privacy in Wireless Networks

Modern mobile devices are fast, programmable and feature localization and wireless capabilities. These technological advances notably facilitate mobile access to Internet, development of mobile applications and sharing of personal information, such as location information. Cell phone users can for example share their whereabouts with friends on online social networks. Following this trend, the field of ubiquitous computing foresees communication networks composed of increasingly inter-connected wireless devices offering new ways to collect and share information in the future. It also becomes harder to control the spread of personal information. Privacy is a critical challenge of ubiquitous computing as sharing personal information exposes users' private lives. Traditional techniques to protect privacy in wired networks may be inadequate in mobile networks because users are mobile, have short-lived encounters and their communications can be easily eavesdropped upon. These characteristics introduce new privacy threats related to location information: a malicious entity can track users' whereabouts and learn aspects of users' private lives that may not be apparent at first. In this dissertation, we focus on three important aspects of location privacy: location privacy threats, location-privacy preserving mechanisms, and privacy-preservation in pervasive social networks. Considering the recent surge of mobile applications, we begin by investigating location privacy threats of location-based services. We push further the understanding of the privacy risk by identifying the type and quantity of location information that statistically reveals users' identities and points of interest to third parties. Our results indicate that users are at risk even if they access location-based services episodically. This highlights the need to design privacy into location-based services. In the second part of this thesis, we delve into the subject of privacy-preserving mechanisms for mobile ad hoc networks. First, we evaluate a privacy architecture that relies on the concept of mix zones to engineer anonymity sets. Second, we identify the need for protocols to coordinate the establishment of mix zones and design centralized and distributed approaches. Because individuals may have different privacy requirements, we craft a game-theoretic model of location privacy to analyze distributed protocols. This model predicts strategic behavior of rational devices that protects their privacy at a minimum cost. This prediction leads to the design of efficient privacy-preserving protocols. Finally, we develop a dynamic model of interactions between mobile devices in order to analytically evaluate the level of privacy provided by mix zones. Our results indicate the feasibility and limitations of privacy protection based on mix zones. In the third part, we extend the communication model of mobile ad hoc networks to explore social aspects: users form groups called "communities" based on interests, proximity, or social relations and rely on these communities to communicate and discover their context. We analyze using challenge-response methodology the privacy implications of this new communication primitive. Our results indicate that, although repeated interactions between members of the same community leak community memberships, it is possible to design efficient schemes to preserve privacy in this setting. This work is part of the recent trend of designing privacy protocols to protect individuals. In this context, the author hopes that the results obtained, with both their limitations and their promises, will inspire future work on the preservation of privacy

Privacy-preserving spatiotemporal multicast for mobile information services

Mobile devices have become essential for accessing information services anywhere at any time. While the so-called geographic multicast (geocast) has been considered in detail in existing research, it only focuses on delivering messages to all mobile devices that are currently residing within a certain geographic area. This thesis extends this notion by introducing a Spatiotemporal Multicast (STM), which can informally be described as a "geocast into the past". Instead of addressing users based on their current locations, this concept relates to the challenge of sending a message to all devices that have resided within a geographic area at a certain time in the past. While a wide variety of applications can be envisioned for this concept, it presents several challenges to be solved. In order to deliver messages to all past visitors of a certain location, an STM service would have to fully track all user movements at all times. However, collecting this kind of information is not desirable considering the underlying privacy implications, i.e., users may not wish to be identified by the sender of a message as this can disclose sensitive personal information. Consequently, this thesis aims to provide a privacy-preserving notion of STM. In order to realize such a service, this work first presents a detailed overview of possible applications. Based on those, functional, non-functional, as well as security and privacy objectives are proposed. These objectives provide the foundation for an in-depth literature review of potential mechanisms for realizing an STM service. Among the suggested options, the most promising relies on Rendezvous Points (RPs) for datagram delivery. In simple terms, RPs represent "anonymous mailboxes" that are responsible for certain spatiotemporal regions. Messages are deposited at RPs so that users can retrieve them later on. Protecting the privacy of users then translates to obfuscating the responsibilities of RPs for specific spatiotemporal regions. This work proposes two realizations: CSTM, which relies on cryptographic hashing, and OSTM, which considers the use of order-preserving encryption in a CAN overlay. Both approaches are evaluated and compared in detail with respect to the given objectives. While OSTM yields superior performance-related properties, CSTM provides an increased ability of protecting the privacy of users.Mobilgeräte bilden heute die Grundlage allgegenwärtiger Informationsdienste. Während der sogenannte geografische Multicast (Geocast) hier bereits ausführlich erforscht worden ist, so bezieht sich dieser nur auf Geräte, welche sich aktuell innerhalb einer geografischen Zielregion befinden. Diese Arbeit erweitert dieses Konzept durch einen räumlich-zeitlichen Multicast, welcher sich informell als "Geocast in die Vergangenheit" beschreiben lässt. Dabei wird die Zustellung einer Nachricht an alle Nutzer betrachtet, die sich in der Vergangenheit an einem bestimmten Ort aufgehalten haben. Während eine Vielzahl von Anwendungen für dieses Konzept denkbar ist, so ergeben sich hier mehrere Herausforderungen. Um Nachrichten an ehemalige Besucher eines Ortes senden zu können, müsste ein räumlich-zeitlicher Multicast-Dienst die Bewegungen aller Nutzer vollständig erfassen. Aus Gründen des Datenschutzes ist das zentralisierte Sammeln solch sensibler personenbezogener Daten jedoch nicht wünschenswert. Diese Arbeit befasst sich daher insbesondere mit dem Schutz der Privatsphäre von Nutzern eines solchen Dienstes. Zur Entwicklung eines räumlich-zeitlichen Multicast-Dienstes erörtert diese Arbeit zunächst mögliche Anwendungen. Darauf aufbauend werden funktionale, nicht-funktionale, sowie Sicherheits- und Privatsphäre-relevante Anforderungen definiert. Diese bilden die Grundlage einer umfangreichen Literaturrecherche relevanter Realisierungstechniken. Der vielversprechendste Ansatz basiert hierbei auf der Hinterlegung von Nachrichten in sogenannten Rendezvous Points. Vereinfacht betrachtet stellen diese "anonyme Briefkästen" für bestimmte räumlich-zeitliche Regionen dar. Nachrichten werden in diesen so hinterlegt, dass legitime Empfänger sie dort später abholen können. Der Schutz der Nutzer-Privatsphäre entspricht dann der Verschleierung der Zuständigkeiten von Rendezvous Points für verschiedene räumlich-zeitliche Regionen. Diese Arbeit schlägt zwei Ansätze vor: CSTM, welches kryptografische Hashfunktionen nutzt, sowie OSTM, welches ordnungserhaltende Verschlüsselung in einem CAN Overlay einsetzt. Beide Optionen werden detailliert analytisch sowie empirisch bezüglich ihrer Diensteigenschaften untersucht und verglichen. Dabei zeigt sich, dass OSTM vorteilhaftere Leistungseigenschaften besitzt, während CSTM einen besseren Schutz der Nutzer-Privatsphäre bietet

A new location-based service architecture with efficient transmission method using control channels

Location-based services (LBS) are services that are provided to users according to their location; these services can either be provided to the user when requested (pulled), for example, when the user asks, “Where is the nearest hospital?” or sent automatically (pushed) when the user’s location changes, such as in commercial advertising. The main components of the LBS needed to secure an end to end service are: mobile terminal, positioning system, communications network, and service and data provider. In general, the communication network used to transfer the data between the user and the data and service provider is the Internet. Therefore, if the user is offline because of the Internet connection is unavailable or damaged, the LBS cannot be completed, and the mobile operator cannot exchange data with the data and service provider. There are some qualities of service that are essential to achieve a good service in LBS like security, privacy, response time, coverage and many others. In a standard architecture, the data and service provider are an external third-party company, but this raises some concerns regarding response time and user privacy, as the user information could be shared. To solve the problem regarding disconnection, a solution is proposed to use the spare extension of the random access channel (RACH), which is carried by the physical random access channel (PRACH) for the uplink to send the user request to the core network. Then, the spare extension of the forward access channel (FACH) will be used, which is carried by secondary common physical control channel (S-CCPCH) for the downlink to send the location information from the core network to the user. Moreover, to solve the privacy and response time issues, a database is attached to the gateway mobile location centre (GMLC) in the core network of mobile operator to act as a data and service provider. Thus, there is no need for the request and the information to be sent to a third-party company anymore. One of the main contributions of this research is the end to end connection between the user and the service provider being always available, even if the Internet is unavailable. Also, the user obtains the information faster in a secure and confidential way as this information are not being shared with other parties. Matlab is used as a simulation tool in this research. The results show that the connection between the user and the data provider is used successfully; the request and the data are sent using the RACH and FACH; the response time has been reduced; and the user privacy is enhanced

Internet of Things From Hype to Reality

The Internet of Things (IoT) has gained significant mindshare, let alone attention, in academia and the industry especially over the past few years. The reasons behind this interest are the potential capabilities that IoT promises to offer. On the personal level, it paints a picture of a future world where all the things in our ambient environment are connected to the Internet and seamlessly communicate with each other to operate intelligently. The ultimate goal is to enable objects around us to efficiently sense our surroundings, inexpensively communicate, and ultimately create a better environment for us: one where everyday objects act based on what we need and like without explicit instructions