Privacy-Preserving Distance Computation and Proximity Testing on Earth, Done Right

In recent years, the availability of GPS-enabled smartphones have made location-based services extremely popular. A multitude of applications rely on location information to provide a wide range of services. Location information is, however, extremely sensitive and can be easily abused. In this paper, we introduce the first protocols for secure computation of distance and for proximity testing over a sphere. Our secure distance protocols allow two parties, Alice and Bob, to determine their mutual distance without disclosing any additional information about their location. Through our secure proximity testing protocols, Alice only learns if Bob is in close proximity, i.e., within some arbitrary distance. Our techniques rely on three different representations of Earth, which provide different trade-os between accuracy and performance. We show, via experiments on a prototype implementation, that our protocols are practical on resource- constrained smartphone devices. Our distance computation protocols runs, in fact, in 54 to 78 ms on a commodity Android smartphone. Similarly, our proximity tests require between 1.2 s and 2.8 s on the same platform. The imprecision introduced by our protocols is very small, i.e., between 0.1% and 3% on average, depending on the distance

Server-Aided Privacy-Preserving Proximity Testing

Proximity testing is at the core of many Location-Based online Services (LBS) which we use in our daily lives to order taxis, find places of interest nearby, connect with people. Currently, most such services expect a user to submit his location to them and trust the LBS not to abuse this information, and use it only to provide the service. Existing cases of such information being misused (e.g., by the LBS employees or criminals who breached its security) motivates the search for better solutions that would ensure the privacy of user data, and give users control of how their data is being used.In this thesis, we address this problem using cryptographic techniques. We propose three cryptographic protocols that allow two users to perform proximity testing (check if they are close enough to each other) with the help of two servers.In the papers 1 and 2, the servers are introduced in order to allow users not to be online at the same time: one user may submit their location to the servers and go offline, the other user coming online later and finishing proximity testing. The drastically improves the practicality of such protocols, since the mobile devices that users usually run may not always be online. We stress that the servers in these protocols merely aid the users in performing the proximity testing, and none of the servers can independently extract the user data.In the paper 3, we use the servers to offload the users\u27 computation and communication to. The servers here pre-generate correlated random data and send it to users, who can use it to perform a secure proximity testing protocol faster. Paper 3, together with the paper 2, are highly practical: they provide strong security guarantees and are suitable to be executed on resource-constrained mobile devices. In fact, the work of clients in these protocols is close to negligible as most of the work is done by servers

Privacy-preserving proximity detection with secure multi-party computational geometry

Over the last years, Location-Based Services (LBSs) have become popular due to the global use of smartphones and improvement in Global Positioning System (GPS) and other positioning methods. Location-based services employ users' location to offer relevant information to users or provide them with useful recommendations. Meanwhile, with the development of social applications, location-based social networking services (LBSNS) have attracted millions of users because the geographic position of users can be used to enhance the services provided by those social applications. Proximity detection, as one type of location-based function, makes LBSNS more flexible and notifies mobile users when they are in proximity. Despite all the desirable features that such applications provide, disclosing the exact location of individuals to a centralized server and/or their social friends might put users at risk of falling their information in wrong hands, since locations may disclose sensitive information about people including political and religious affiliations, lifestyle, health status, etc. Consequently, users might be unwilling to participate in such applications. To this end, private proximity detection schemes enable two parties to check whether they are in close proximity while keeping their exact locations secret. In particular, running a private proximity detection protocol between two parties only results in a boolean value to the querier. Besides, it guarantees that no other information can be leaked to the participants regarding the other party's location. However, most proposed private proximity detection protocols enable users to choose only a simple geometric range on the map, such as a circle or a rectangle, in order to test for proximity. In this thesis, we take inspiration from the field of Computational Geometry and develop two privacy-preserving proximity detection protocols that allow a mobile user to specify an arbitrary complex polygon on the map and check whether his/her friends are located therein. We also analyzed the efficiency of our solutions in terms of computational and communication costs. Our evaluation shows that compared to the similar earlier work, the proposed solution increases the computational efficiency by up to 50%, and reduces the communication overhead by up to 90%. Therefore, we have achieved a significant reduction of computational and communication complexity

Faster Privacy-Preserving Location Proximity Schemes

Peer reviewe

Strangers Sets: Preserving Drones' Location Privacy while Avoiding Invasions of Critical Infrastructures

Preserving the location privacy of drones while allowing Critical Infrastructures (CIs) to detect invasions represents a significant challenge. To allow for the detection of such invasions, the current standard by the Federal Aviation Administration mandates drones to disclose their location (in cleartext). However, such a strategy provides malicious entities with significant possibilities for tracking and profiling, thus jeopardizing drones' privacy. A recent proposal suggested using geo-indistinguishability to sanitize drones’ locations while allowing CIs to detect invasions. However, due to the statistical nature of the approach, the risk of false invasion detection is inversely proportional to the privacy guarantees of drones. In this paper, we propose Privacy Preserving Invasion Detection (PPID), a novel approach based on a private set intersection algorithm to simultaneously protect drones' location privacy and allow CIs to detect invasions while avoiding the problem of false invasion detection. We propose two versions of the protocol: i) PPID, which uses an elliptic curve-based private set intersection to detect the co-presence of drone and CI in a given area, and ii) e-PPID, which extends the protocol with an approximation of the future location of the drone, to predict possible future invasions. To validate our proposal, we implement our protocols and deployed them on a proof of concept involving resource-constrained devices. We compute performance in terms of security, execution time, communication cost, and memory overhead. Our results show that PPID and e-PPID provide accurate results about an invasion requiring approx. 52ms and 84ms, respectively, in the worst-case scenario (i.e., the highest possible number of messages exchanged) and for a 256 bits security level.Preserving the location privacy of drones while allowing Critical Infrastructures (CIs) to detect invasions represents a significant challenge. To allow for the detection of such invasions, the current standard by the Federal Aviation Administration mandates drones to disclose their location (in cleartext). However, such a strategy provides malicious entities with significant possibilities for tracking and profiling, thus jeopardizing drones' privacy. A recent proposal suggested using geo-indistinguishability to sanitize drones’ locations while allowing CIs to detect invasions. However, due to the statistical nature of the approach, the risk of false invasion detection is inversely proportional to the privacy guarantees of drones. In this paper, we propose Privacy Preserving Invasion Detection (PPID), a novel approach based on a private set intersection algorithm to simultaneously protect drones' location privacy and allow CIs to detect invasions while avoiding the problem of false invasion detection. We propose two versions of the protocol: i) PPID, which uses an elliptic curve-based private set intersection to detect the co-presence of drone and CI in a given area, and ii) e-PPID, which extends the protocol with an approximation of the future location of the drone, to predict possible future invasions. To validate our proposal, we implement our protocols and deployed them on a proof of concept involving resource-constrained devices. We compute performance in terms of security, execution time, communication cost, and memory overhead. Our results show that PPID and e-PPID provide accurate results about an invasion requiring approx. 52ms and 84ms, respectively, in the worst-case scenario (i.e., the highest possible number of messages exchanged) and for a 256 bits security level

Security and Privacy for Ubiquitous Mobile Devices

We live in a world where mobile devices are already ubiquitous. It is estimated that in the United States approximately two thirds of adults own a smartphone, and that for many, these devices are their primary method of accessing the Internet. World wide, it is estimated that in May of 2014 there were 6.9 billion mobile cellular subscriptions, almost as much as the world population. of these 6.9 billion, approximately 1 billion are smart devices, which are concentrated in the developed world. In the developing world, users are moving from feature phones to smart devices as a result of lower prices and marketing efforts. Because smart mobile devices are ubiquitous, security and privacy are primary concerns. Threats such as mobile malware are already substantial, with over 2500 different types identified in 2010 alone. It is likely that, as the smart device market continues to grow, so to will concerns about privacy, security, and malicious software. This is especially true, because these mobile devices are relatively new. Our research focuses on increasing the security and privacy of user data on smart mobile devices. We propose three applications in this domain: (1) a service that provides private, mobile location sharing; (2) a secure, intuitive proximity networking solution; and (3) a potential attack vector in mobile devices, which utilizes novel covert channels. We also propose a first step defense mechanism against these covert channels. Our first project is the design and implementation of a service, which provides users with private and secure location sharing. This is useful for a variety of applications such as online dating, taxi cab services, and social networking. Our service allows users to share their location with one another with trust and location based access controls. We allow users to identify if they are within a certain distance of one another, without either party revealing their location to one another, or any third party. We design this service to be practical and efficient, requiring no changes to the cellular infrastructure and no explicit encryption key management for the users. For our second application, we build a modem, which enables users to share relatively small pieces of information with those that are near by, also known as proximity based networking. Currently there are several mediums which can be used to achieve proximity networking such as NFC, bluetooth, and WiFi direct. Unfortunately, these currently available schemes suffer from a variety of drawbacks including slow adoption by mobile device hardware manufactures, relatively poor usability, and wide range, omni-directional propagation. We propose a new scheme, which utilizes ultrasonic (high frequency) audio on typical smart mobile devices, as a method of communication between proximal devices. Because mobile devices already carry the necessary hardware for ultrasound, adoption is much easier. Additionally, ultrasound has a limited and highly intuitive propagation pattern because it is highly directional, and can be easily controlled using the volume controls on the devices. Our ultrasound modem is fast, achieving several thousand bits per second throughput, non-intrusive because it is inaudible, and secure, requiring attackers with normal hardware to be less than or equal to the distance between the sender and receiver (a few centimeters in our tests). Our third work exposes a novel attack vector utilizing physical media covert channels on smart devices, in conjunction with privilege escalation and confused deputy attacks. This ultimately results in information leakage attacks, which allow the attacker to gain access to sensitive information stored on a user\u27s smart mobile device such as their location, passwords, emails, SMS messages and more. Our attack uses our novel physical media covert channels to launder sensitive information, thereby circumventing state of the art, taint-tracking analysis based defenses and, at the same time, the current, widely deployed permission systems employed by mobile operating systems. We propose and implement a variety of physical media covert channels, which demonstrate different strengths such as high speed, low error rate, and stealth. By proposing several different channels, we make defense of such an attack much more difficult. Despite the challenging situation, in this work we also propose a novel defense technique as a first step towards research on more robust approaches. as a contribution to the field, we present these three systems, which together enrich the smart mobile experience, while providing mobile security and keeping privacy in mind. Our third approach specifically, presents a unique attack, which has not been seen in the wild , in an effort to keep ahead of malicious efforts

Applications of Internet of Things

This book introduces the Special Issue entitled “Applications of Internet of Things”, of ISPRS International Journal of Geo-Information. Topics covered in this issue include three main parts: (I) intelligent transportation systems (ITSs), (II) location-based services (LBSs), and (III) sensing techniques and applications. Three papers on ITSs are as follows: (1) “Vehicle positioning and speed estimation based on cellular network signals for urban roads,” by Lai and Kuo; (2) “A method for traffic congestion clustering judgment based on grey relational analysis,” by Zhang et al.; and (3) “Smartphone-based pedestrian’s avoidance behavior recognition towards opportunistic road anomaly detection,” by Ishikawa and Fujinami. Three papers on LBSs are as follows: (1) “A high-efficiency method of mobile positioning based on commercial vehicle operation data,” by Chen et al.; (2) “Efficient location privacy-preserving k-anonymity method based on the credible chain,” by Wang et al.; and (3) “Proximity-based asynchronous messaging platform for location-based Internet of things service,” by Gon Jo et al. Two papers on sensing techniques and applications are as follows: (1) “Detection of electronic anklet wearers’ groupings throughout telematics monitoring,” by Machado et al.; and (2) “Camera coverage estimation based on multistage grid subdivision,” by Wang et al

Learning in the Real World: Constraints on Cost, Space, and Privacy

The sheer demand for machine learning in fields as varied as: healthcare, web-search ranking, factory automation, collision prediction, spam filtering, and many others, frequently outpaces the intended use-case of machine learning models. In fact, a growing number of companies hire machine learning researchers to rectify this very problem: to tailor and/or design new state-of-the-art models to the setting at hand. However, we can generalize a large set of the machine learning problems encountered in practical settings into three categories: cost, space, and privacy. The first category (cost) considers problems that need to balance the accuracy of a machine learning model with the cost required to evaluate it. These include problems in web-search, where results need to be delivered to a user in under a second and be as accurate as possible. The second category (space) collects problems that require running machine learning algorithms on low-memory computing devices. For instance, in search-and-rescue operations we may opt to use many small unmanned aerial vehicles (UAVs) equipped with machine learning algorithms for object detection to find a desired search target. These algorithms should be small to fit within the physical memory limits of the UAV (and be energy efficient) while reliably detecting objects. The third category (privacy) considers problems where one wishes to run machine learning algorithms on sensitive data. It has been shown that seemingly innocuous analyses on such data can be exploited to reveal data individuals would prefer to keep private. Thus, nearly any algorithm that runs on patient or economic data falls under this set of problems. We devise solutions for each of these problem categories including (i) a fast tree-based model for explicitly trading off accuracy and model evaluation time, (ii) a compression method for the k-nearest neighbor classifier, and (iii) a private causal inference algorithm that protects sensitive data

Smittestopp − A Case Study on Digital Contact Tracing

This open access book describes Smittestopp, the first Norwegian system for digital contact tracing of Covid-19 infections, which was developed in March and early April 2020. The system was deployed after five weeks of development and was active for a little more than two months, when a drop in infection levels in Norway and privacy concerns led to shutting it down. The intention of this book is twofold. First, it reports on the design choices made in the development phase. Second, as one of the only systems in the world that collected population data into a central database and which was used for an entire population, we can share experience on how the design choices impacted the system's operation. By sharing lessons learned and the challenges faced during the development and deployment of the technology, we hope that this book can be a valuable guide for experts from different domains, such as big data collection and analysis, application development, and deployment in a national population, as well as digital tracing