Mathematical Programming Algorithms for Spatial Cloaking

We consider a combinatorial optimization problem for spatial information cloaking. The problem requires computing one or several disjoint arborescences on a graph from a predetermined root or subset of candidate roots, so that the number of vertices in the arborescences is minimized but a given threshold on the overall weight associated with the vertices in each arborescence is reached. For a single arborescence case, we solve the problem to optimality by designing a branch-and-cut exact algorithm. Then we adapt this algorithm for the purpose of pricing out columns in an exact branch-and-price algorithm for the multiarborescence version. We also propose a branch-and-price-based heuristic algorithm, where branching and pricing, respectively, act as diversification and intensification mechanisms. The heuristic consistently finds optimal or near optimal solutions within a computing time, which can be three to four orders of magnitude smaller than that required for exact optimization. From an application point of view, our computational results are useful to calibrate the values of relevant parameters, determining the obfuscation level that is achieved

Query Processing In Location-based Services

With the advances in wireless communication technology and advanced positioning systems, a variety of Location-Based Services (LBS) become available to the public. Mobile users can issue location-based queries to probe their surrounding environments. One important type of query in LBS is moving monitoring queries over mobile objects. Due to the high frequency in location updates and the expensive cost of continuous query processing, server computation capacity and wireless communication bandwidth are the two limiting factors for large-scale deployment of moving object database systems. To address both of the scalability factors, distributed computing has been considered. These schemes enable moving objects to participate as a peer in query processing to substantially reduce the demand on server computation, and wireless communications associated with location updates. In the first part of this dissertation, we propose a distributed framework to process moving monitoring queries over moving objects in a spatial network environment. In the second part of this dissertation, in order to reduce the communication cost, we leverage both on-demand data access and periodic broadcast to design a new hybrid distributed solution for moving monitoring queries in an open space environment. Location-based services make our daily life more convenient. However, to receive the services, one has to reveal his/her location and query information when issuing locationbased queries. This could lead to privacy breach if these personal information are possessed by some untrusted parties. In the third part of this dissertation, we introduce a new privacy protection measure called query l-diversity, and provide two cloaking algorithms to achieve both location kanonymity and query l-diversity to better protect user privacy. In the fourth part of this dissertation, we design a hybrid three-tier architecture to help reduce privacy exposure. In the fifth part of this dissertation, we propose to use Road Network Embedding technique to process privacy protected queries

Third party geolocation services in LBS: privacy requirements and research issues

The advances in positioning technologies and the emergence of geolocation standards opens up to the development of innovative location-based services (LBS), e.g., web-based LBS. These services challenge existing privacy protection solutions. For example, the position information is provided by a third party, the location provider, and this party may be not fully trusted. In this paper, we analyze the web-based LBS model. Then we outline the privacy-aware geolocation strategy which minimizes the interaction with the untrusted location provider by caching the information that is useful to determine the position in proximity of the private positions, e.g., home, which have been already visited. The deployment of this strategy requires investigating several issues and novel tools. The objective of this paper is to discuss the technical challenges and suggest directions of research towards a comprehensive privacy-preserving framework. To our knowledge, this is the first work on privacy protection against untrusted location providers

Quantifying Location Privacy In Location-based Services

Mobile devices (e.g., smart phones) are widely used in people's daily lives. When users rely on location-based services in mobile applications, plenty of location records are exposed to the service providers. This causes a severe location privacy threat. The location privacy problem for location-based services in mobile devices has drawn much attention. In 2011, Shokri et al. proposed a location privacy framework that consists of users' background knowledge, location privacy preserving mechanisms (LPPMs), inference attacks, and metrics. After that, many works designed their own location privacy frameworks based on this structure. One problem of the existing works is that most of them use cell-based location privacy frameworks to simplify the computation. This may result in performance results that are different from those of more realistic frameworks. Besides, while many existing works focus on designing new LPPMs, we do not know how different the location information an adversary can obtain is, when users use different LPPMs. Although some works propose new complementary privacy metrics (e.g., geo-indistinguishability, conditional entropy) to show their LPPMs are better, we have no idea how these metrics are related to the location information an adversary can obtain. In addition, previous works usually assume a strong or weak adversary who has complete background knowledge to construct a user's mobility pro file, or who has no background knowledge about a user, respectively. What the attack results would be like when an adversary has different amounts of background knowledge, and can also take semantic background knowledge into account, is unknown. To address these problems, we propose a more realistic location privacy framework, which considers location points instead of cells as inputs. Our framework contains both geographical background knowledge and semantic background knowledge, different LPPMs with or without the geo-indistinguishability property, different inference attacks, and both the average distance error and the success rate metrics. We design several experiments using a Twitter check-in dataset to quantify our location privacy framework from an adversary's point of view. Our experiments show that an adversary only needs to obtain 6% of background knowledge to infer around 50% of users' actual locations that he can infer when having full background knowledge; the prior probability distribution of an LPPM has much less impact than the background knowledge; an LPPM with the geo-indistinguishability property may not have better performance against different attacks than LPPMs without this property; the semantic information is not as useful as previous work shows. We believe our findings will help users and researchers have a better understanding of our location privacy framework, and also help them choose the appropriate techniques in different cases

Privacy and Protection for Location Based Services

An LBS (location based service) provides services such as finding the nearest location, favourite entertainment areas etc, to the users based on either their residing area or based on the input the give. The services provided by a location based service are typically based on a point of interest database. Therefore retrieval of the data from the database server takes place. The work proposed is a novel protocol for location based queries that has major performance improvements, which is performed based on two stages- firstly, the user determining his/her location privately and secondly, the server protecting its data from unauthorized users for which they have not paid. This protocol enables security for the userrsquo;s details as well as protects the serverrsquo;s data. The user is protected because the server is unable to determine his/her location. In the same way, the serverrsquo;s data is protected as a Malicious user can only decrypt the part of data obtained to the user with the encryption key acquired in the previous phase, that is he/she cannot decrypt the remaining server data that they are not supposed to authorise. In other words, users can never get the data more than what they have paid for. A phase called oblivious transfer phase is present so as to ensure the privacy of the user and a phase called private information retrieval phase is carried out to protect serverrsquo;s data

Context and Semantic Aware Location Privacy

With ever-increasing computational power, and improved sensing and communication capabilities, smart devices have altered and enhanced the way we process, perceive and interact with information. Personal and contextual data is tracked and stored extensively on these devices and, oftentimes, ubiquitously sent to online service providers. This routine is proving to be quite privacy-invasive, since these service providers mine the data they collect in order to infer more and more personal information about users. Protecting privacy in the rise of mobile applications is a critical challenge. The continuous tracking of users with location- and time-stamps expose their private lives at an alarming level. Location traces can be used to infer intimate aspects of users' lives such as interests, political orientation, religious beliefs, and even more. Traditional approaches to protecting privacy fail to meet users' expectations due to simplistic adversary models and the lack of a multi-dimensional awareness. In this thesis, the development of privacy-protection approaches is pushed further by (i) adapting to concrete adversary capabilities and (ii) investigating the threat of strong adversaries that exploit location semantics. We first study user mobility and spatio-temporal correlations in continuous disclosure scenarios (e.g., sensing applications), where the more frequently a user discloses her location, the more difficult it becomes to protect. To counter this threat, we develop adversary- and mobility-aware privacy protection mechanisms that aim to minimize an adversary's exploitation of user mobility. We demonstrate that a privacy protection mechanism must actively evaluate privacy risks in order to adapt its protection parameters. We further develop an Android library that provides on-device location privacy evaluation and enables any location-based application to support privacy-preserving services. We also implement an adversary-aware protection mechanism in this library with semantic-based privacy settings. Furthermore, we study the effects of an adversary that exploits location semantics in order to strengthen his attacks on user traces. Such extensive information is available to an adversary via maps of points of interest, but also from users themselves. Typically, users of online social networks want to announce their whereabouts to their circles. They do so mostly, if not always, by sharing the type of their location along with the geographical coordinates. We formalize this setting and by using Bayesian inference show that if location semantics of traces is disclosed, users' privacy levels drop considerably. Moreover, we study the time-of-day information and its relation to location semantics. We reveal that an adversary can breach privacy further by exploiting time-dependency of semantics. We implement and evaluate a sensitivity-aware protection mechanism in this setting as well. The battle for privacy requires social awareness and will to win. However, the slow progress on the front of law and regulations pushes the need for technological solutions. This thesis concludes that we have a long way to cover in order to establish privacy-enhancing technologies in our age of information. Our findings opens up new venues for a more expeditious understanding of privacy risks and thus their prevention

A Predictive Model for User Motivation and Utility Implications of Privacy-Protection Mechanisms in Location Check-Ins

Location check-ins contain both geographical and semantic information about the visited venues. Semantic information is usually represented by means of tags (e.g., “restaurant”). Such data can reveal some personal information about users beyond what they actually expect to disclose, hence their privacy is threatened. To mitigate such threats, several privacy protection techniques based on location generalization have been proposed. Although the privacy implications of such techniques have been extensively studied, the utility implications are mostly unknown. In this paper, we propose a predictive model for quantifying the effect of a privacy-preserving technique (i.e., generalization) on the perceived utility of check-ins. We first study the users’ motivations behind their location check-ins, based on a study targeted at Foursquare users (N = 77). We propose a machine-learning method for determining the motivation behind each check-in, and we design a motivation-based predictive model for the utility implications of generalization. Based on the survey data, our results show that the model accurately predicts the fine-grained motivation behind a check-in in 43% of the cases and in 63% of the cases for the coarse-grained motivation. It also predicts, with a mean error of 0.52 (on a scale from 1 to 5), the loss of utility caused by semantic and geographical generalization. This model makes it possible to design of utility-aware, privacy-enhancing mechanisms in location-based online social networks. It also enables service providers to implement location-sharing mechanisms that preserve both the utility and privacy for their users