Achieving Perfect Location Privacy in Wireless Devices Using Anonymization

The popularity of mobile devices and location-based services (LBS) have created great concerns regarding the location privacy of the users of such devices and services. Anonymization is a common technique that is often being used to protect the location privacy of LBS users. This technique assigns a random pseudonym to each user and these pseudonyms can change over time. Here, we provide a general information theoretic definition for perfect location privacy and prove that perfect location privacy is achievable for mobile devices when using the anonymization technique appropriately. First, we assume that the user’s current location is independent from her past locations. Using this i.i.d model, we show that if the pseudonym of the user is changed before O(n2/(r−1)) number of anonymized observations is made by the adversary for that user, then she has perfect location privacy, where n is the number of users in the network and r is the number of all possible locations that the user might occupy. Then, we model each user’s movement by a Markov chain so that a user’s current location depends on his previous locations, which is a more realistic model when approximating real world data. We show that perfect location privacy is achievable in this model if the pseudonym of the user is changed before O(n2/(|E|−r)) anonymized observations is collected by the adversary for that user where |E| is the number of edges in the user’s Markov model

ReverseCloak: A Reversible Multi-level Location Privacy Protection System

With the fast popularization of mobile devices and wireless networks, along with advances in sensing and positioning technology, we are witnessing a huge proliferation of Location-based Services (LBSs). Location anonymization refers to the process of perturbing the exact location of LBS users as a cloaking region such that a user's location becomes indistinguishable from the location of a set of other users. However, existing location anonymization techniques focus primarily on single level unidirectional anonymization, which fails to control the access to the cloaking data to let data requesters with different privileges get information with varying degrees of anonymity. In this demonstration, we present a toolkit for ReverseCloak, a location perturbation system to protect location privacy over road networks in a multi-level reversible manner, consisting of an 'Anonymizer' GUI to adjust the anonymization settings and visualize the multilevel cloaking regions over road network for location data owners and a 'De-anonymizer' GUI to de-anonymize the cloaking region and display the reduced region over road network for location data requesters. With the toolkit, we demonstrate the practicality and effectiveness of the ReverseCloak approach

De-anonymizable location cloaking for privacy-controlled mobile systems

The rapid technology upgrades of mobile devices and the popularity of wireless networks significantly drive the emergence and development of Location-based Services (LBSs), thus greatly expanding the business of online services and enriching the user experience. However, the personal location data shared with the service providers also leave hidden risks on location privacy. Location anonymization techniques transform the exact location of a user into a cloaking area by including the locations of multiple users in the exposed area such that the exposed location is indistinguishable from that of the other users. However in such schemes, location information once perturbed cannot be recovered from the cloaking region and as a result, users of the location cannot obtain fine granular information even when they have access to it. In this paper, we propose Dynamic Reversible Cloaking (DRC) a new de-anonymziable location cloaking mechanism that allows to restore the actual location from the perturbed information through the use of an anonymization key. Extensive experiments using realistic road network traces show that the proposed scheme is efficient, effective and scalable

Exploring the effectiveness of geomasking techniques for protecting the geoprivacy of Twitter users

With the ubiquitous use of location-based services, large-scale individual-level location data has been widely collected through location-awareness devices. Geoprivacy concerns arise on the issues of user identity de-anonymization and location exposure. In this work, we investigate the effectiveness of geomasking techniques for protecting the geoprivacy of active Twitter users who frequently share geotagged tweets in their home and work locations. By analyzing over 38,000 geotagged tweets of 93 active Twitter users in three U.S. cities, the two-dimensional Gaussian masking technique with proper standard deviation settings is found to be more effective to protect user\u27s location privacy while sacrificing geospatial analytical resolution than the random perturbation masking method and the aggregation on traffic analysis zones. Furthermore, a three-dimensional theoretical framework considering privacy, analytics, and uncertainty factors simultaneously is proposed to assess geomasking techniques. Our research offers insights into geoprivacy concerns of social media users\u27 georeferenced data sharing for future development of location-based applications and services

Reversible Spatio-temporal Perturbation for Protecting Location Privacy

Ubiquitous deployment of low-cost mobile positioning devices and the widespread use of high-speed wireless networks has resulted in a huge proliferation of location-based services and location-based data in the big data era. However, the exposure of location information poses significant privacy risks that can invade the location privacy of the users. Location anonymization refers to the process of perturbing the exact location of users as a spatially and temporally cloaked region such that a user's location becomes indistinguishable from the location of a set of other users. A fundamental limitation of existing location perturbation techniques is that location information once perturbed to provide a certain anonymity level cannot be reversed to reduce anonymity or the degree of perturbation. Conventional location anonymization techniques are developed as unidirectional and irreversible techniques which fail to support multi-level access control to location data when data users have different access privileges to the exposed location information. In this paper, we present ReverseCloak, a new class of reversible spatial and spatio-temporal cloaking mechanisms that effectively provides multi-level location privacy protection, allowing selective de-anonymization of the cloaking region when suitable access credentials are provided. Extensive experiments on real road networks show that our techniques are efficient, scalable and demonstrate strong attack resilience against adversarial attacks

Bounded Privacy: Formalising the Trade-Off Between Privacy and Quality of Service

Many services and applications require users to provide a certain amount of information about themselves in order to receive an acceptable quality of service (QoS). Exemplary areas of use are location based services like route planning or the reporting of security incidents for critical infrastructure. Users putting emphasis on their privacy, for example through anonymization, therefore usually suffer from a loss of QoS. Some services however, may not even be feasible above a certain threshold of anonymization, resulting in unacceptable service quality. Hence, there need to be restrictions on the applied level of anonymization. To prevent the QoS from dropping below an unacceptable threshold, we introduce the concept of Bounded Privacy, a generic model to describe situations in which the achievable level of privacy is bounded by its relation to the service quality. We furthermore propose an approach to derive the optimal level of privacy for both discrete and continuous data

Leveraging Client Processing for Location Privacy in Mobile Local Search

Usage of mobile services is growing rapidly. Most Internet-based services targeted for PC based browsers now have mobile counterparts. These mobile counterparts often are enhanced when they use user\u27s location as one of the inputs. Even some PC-based services such as point of interest Search, Mapping, Airline tickets, and software download mirrors now use user\u27s location in order to enhance their services. Location-based services are exactly these, that take the user\u27s location as an input and enhance the experience based on that. With increased use of these services comes the increased risk to location privacy. The location is considered an attribute that user\u27s hold as important to their privacy. Compromise of one\u27s location, in other words, loss of location privacy can have several detrimental effects on the user ranging from trivial annoyance to unreasonable persecution. More and more companies in the Internet economy rely exclusively on the huge data sets they collect about users. The more detailed and accurate the data a company has about its users, the more valuable the company is considered. No wonder that these companies are often the same companies that offer these services for free. This gives them an opportunity to collect more accurate location information. Research community in the location privacy protection area had to reciprocate by modeling an adversary that could be the service provider itself. To further drive this point, we show that a well-equipped service provider can infer user\u27s location even if the location information is not directly available by using other information he collects about the user. There is no dearth of proposals of several protocols and algorithms that protect location privacy. A lot of these earlier proposals require a trusted third party to play as an intermediary between the service provider and the user. These protocols use anonymization and/or obfuscation techniques to protect user\u27s identity and/or location. This requirement of trusted third parties comes with its own complications and risks and makes these proposals impractical in real life scenarios. Thus it is preferable that protocols do not require a trusted third party. We look at existing proposals in the area of private information retrieval. We present a brief survey of several proposals in the literature and implement two representative algorithms. We run experiments using different sizes of databases to ascertain their practicability and performance features. We show that private information retrieval based protocols still have long ways to go before they become practical enough for local search applications. We propose location privacy preserving mechanisms that take advantage of the processing power of modern mobile devices and provide configurable levels of location privacy. We propose these techniques both in the single query scenario and multiple query scenario. In single query scenario, the user issues a query to the server and obtains the answer. In the multiple query scenario, the user keeps sending queries as she moves about in the area of interest. We show that the multiple query scenario increases the accuracy of adversary\u27s determination of user\u27s location, and hence improvements are needed to cope with this situation. So, we propose an extension of the single query scenario that addresses this riskier multiple query scenario, still maintaining the practicability and acceptable performance when implemented on a modern mobile device. Later we propose a technique based on differential privacy that is inspired by differential privacy in statistical databases. All three mechanisms proposed by us are implemented in realistic hardware or simulators, run against simulated but real life data and their characteristics ascertained to show that they are practical and ready for adaptation. This dissertation study the privacy issues for location-based services in mobile environment and proposes a set of new techniques that eliminate the need for a trusted third party by implementing efficient algorithms on modern mobile hardware

Towards trajectory anonymization: A generalization-based approach

Trajectory datasets are becoming,popular,due,to the massive,usage,of GPS and,location- based services. In this paper, we address privacy issues regarding the identification of individuals in static trajectory datasets. We first adopt the notion of k-anonymity,to trajectories and propose,a novel generalization-based approach,for anonymization,of trajectories. We further show,that releasing anonymized,trajectories may,still have,some,privacy,leaks. Therefore we propose,a randomization based,reconstruction,algorithm,for releasing anonymized,trajectory data and,also present how,the underlying,techniques,can be adapted,to other anonymity,standards. The experimental,results on real and,synthetic trajectory datasets show,the effectiveness of the proposed,techniques