Visualization of Location Cloaking Process for Supporting Anonymous Location Based Queries in Mobile Environments

Balaji Palanisamy and Saurabh Taneja (balaji@cc.gatech.edu, saurabhtaneja@gatech.edu)

Abstract

PrivacyGrid is a framework for supporting anonymous location-based queries in mobile information delivery systems. In PrivacyGrid, mobile users explicitly define their preferred location privacy requirements in terms of location hiding measures (e.g., location k-anonymity and location l-diversity) and location service quality measures (e.g., maximum spatial resolution and maximum temporal resolution). The framework supports dynamic bottom-up and top-down grid cloaking algorithms that achieve a high anonymization success rate and efficiency in terms of both time complexity and maintenance cost. This project incorporates a visualization tool for the PrivacyGrid framework to visualize the spatial cloaking process of PrivacyGrid. The tool also visualizes the mobility of the users along the road segments of geographical maps. The tool is intended to help naïve mobile users understand, and to demonstrate, the working of the location perturbation process.

1. Motivation

Increasing use of mobile devices and rapid advancements in sensing and location devices suggest that location-based services (LBSs) will be a popular feature of the next generation of mobile devices. As LBSs depend heavily on the location data of mobile users, they pose new challenges to the location privacy of those users. Location privacy is defined as the ability to prevent unauthorized parties from learning one's current or past location. In general, it refers to the ability of a person to hide his location information from others; in the context of using a mobile device, it refers to the ability of mobile users to hide their location information while using the device.
An LBS-enabled mobile device supports location-based queries that depend heavily on location data to retrieve precise results. For instance, an LBS query to find the nearest hospital to a user's current location requires the location information of that user. As there could be a large number of untrusted location-based service providers in the system, users may not feel comfortable sharing their location information with them. Location privacy is thus a major concern when using location-based services. As these services gain popularity, mobile users will soon need to be aware of location privacy threats and of the various location privacy metrics such as k-anonymity and l-diversity. To help naïve users appreciate the location privacy metrics and the location perturbation process in a mobile environment, in this project we develop a visualization tool that shows the mobility of users on road segments and the location cloaking regions that correspond to their anonymity requirements as they move along those segments. Such a visualization helps users understand the location cloaking process and set appropriate location privacy requirements.

2. PrivacyGrid

The PrivacyGrid framework supports three cloaking algorithms: top-down cloaking, bottom-up cloaking and a hybrid approach. Before we describe each of these, we briefly explain the anonymization parameters and the associated performance metrics. PrivacyGrid uses a personalized location privacy model. A user registered with the anonymization server specifies her location privacy requirements in terms of her desired user anonymity level k, desired location diversity level l, maximum spatial resolution {dx, dy} and maximum temporal resolution dt.
We describe each of these parameters below.

Anonymity level k: A location-based query is k-anonymous if the location of the message is indistinguishable from that of k other users in the system. A user sets a desired k-anonymity level in order to achieve the desired level of privacy.

Maximum tolerable spatial tolerance: This is the maximum area that the user is willing to tolerate for the cloaking box. A small region yields an efficient cloaking box; however, it is hard to satisfy the requested privacy guarantees within a small region.

We briefly explain the metrics used to evaluate the effectiveness and efficiency of the PrivacyGrid location cloaking algorithms.

Anonymization Success Rate (ASR): The fraction of messages cloaked successfully by an algorithm with respect to the set of received anonymization requests.

Relative Anonymity Level (RAL): The ratio of the anonymity achieved by the cloaking algorithm to the user-specified k-anonymity level, i.e., k′/k.

Relative Spatial Resolution (RSR): This metric measures the ability of a cloaking algorithm to provide the smallest cloaking area that meets the k-anonymity and l-diversity requirements. Given a message ms and its perturbed version mt, we measure the RSR using the minimum spatial cloaking area calculated by the cloaking algorithm. A higher relative spatial resolution implies that the cloaked spatial region is smaller relative to the user-specified maximum spatial resolution area, and hence that the cloaking algorithm is more effective.

Anonymization Time: The average time the cloaking algorithm takes to perturb a given message for a given privacy profile. The smaller the anonymization time, the more efficient the cloaking algorithm.

2.1 Spatial Cloaking Algorithms

In this section, we present an overview of the dynamic spatial cloaking algorithms of PrivacyGrid.
The following sub-sections explain how they work and discuss their appropriateness for various scenarios.

2.1.1 Bottom-Up Grid Spatial Cloaking

The bottom-up grid cloaking approach starts the cloaking process by taking the base cell containing the mobile object from which the cloaking request originated as the candidate cloaking area. First, a check is made to determine whether the current cell meets the user-specified maximum spatial resolution and k-anonymity constraints. If the check succeeds, the candidate cloaking area is chosen as the cloaking region. If not, the algorithm starts the cell expansion process to enlarge the candidate cloaking area into neighboring cells. The cell expansion process stops when both the k-anonymity and l-diversity requirements for the cloaked message are met. Dynamic cell expansion takes an opportunistic approach, expanding the candidate cloaking region into any of the four neighboring sets of cells. The decision on which of the four to choose first is based on object counts: the neighboring cell(s) with the highest object count are chosen for expansion, generating the new candidate cloaking box. Upon meeting both the privacy and the QoS requirements, the algorithm uses the selected rows and columns to determine the grid cells forming the final cloaking area.

Figure: Bottom-Up Cloaking

2.1.2 Top-Down Grid Spatial Cloaking

In PrivacyGrid, the top-down dynamic grid cloaking algorithm starts with the largest grid cell region within the user-specified maximum spatial resolution area, and encodes this candidate cloaking area by a set of selectedRows and selectedCols. If the largest possible candidate cloaking box fails to meet the desired privacy requirements, the message cannot be cloaked under the user-defined privacy and QoS requirements and the algorithm terminates.
Otherwise, the top-down cloaking approach searches for the smallest possible cloaking box that meets the k-anonymity and l-diversity requirements by iteratively removing the outermost row or column with the lowest object count from the candidate cloaking area. This iterative process shrinks the candidate cloaking box along one of the four directions and terminates when removing another row or column would make the object count in the candidate cloaking area fall below the privacy requirement. In some scenarios, the top-down cloaking process outperforms the bottom-up approach in terms of cloaking time. For example, a high k-anonymity level combined with a low maximum spatial resolution may let the system quickly locate an appropriate cloaking area using top-down dynamic reduction.

Figure: Top-Down Cloaking

2.1.3 Hybrid Spatial Cloaking

The hybrid approach takes advantage of the strengths of both approaches described above and runs faster than either of them. There are several ways to combine the bottom-up and top-down methods; the ability of the hybrid approach to decide whether to proceed bottom-up or top-down upon receiving a cloaking request is crucial to its effectiveness. The first prototype of PrivacyGrid adopts a straightforward rule: for a lower k-anonymity level and higher maximum spatial resolution values, the algorithm benefits from proceeding bottom-up; for a higher k-anonymity level and lower maximum spatial resolution values, it adopts the top-down approach, which then finds the ideal cloaking box faster than the bottom-up approach.

3. Implementation and Methodology

We use the PrivacyGrid framework as the underlying location privacy scheme. We use the simulator from [4] to generate a trace of cars moving on a real-world road network, obtained from maps available at the National Mapping Division of the USGS [6]. We generate requests based on the position information in the trace.
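The following Python sketch is an added example, not PrivacyGrid's own code (the paper reproduces none, and the tool itself is written in Java/Swing). It implements the bottom-up expansion, top-down reduction and hybrid selection rule described in the three cloaking sub-sections above on a constructed grid of per-cell object counts, and computes the RAL, RSR and anonymization success rate metrics defined earlier in Section 2 over the results. The grid values, the 100 m cell size, the hybrid switch thresholds, the placement of the initial top-down box around the user's cell, and the RSR formula (maximum spatial resolution area divided by cloaked area, the simplest ratio consistent with the description) are all assumptions; l-diversity is not modelled.

```python
# Added example, not PrivacyGrid's own code: bottom-up, top-down and hybrid
# grid cloaking on a constructed 8x8 grid of object counts, plus the RAL,
# RSR and success-rate metrics.  Assumptions: 100 m base cells, the grid
# values below, the hybrid thresholds, RSR = (dx*dy) / cloaked area.
# l-diversity is not modelled.

CELL = 100  # metres per base cell (assumption)
GRID = [    # constructed object counts, GRID[row][col]
    [0, 1, 0, 2, 1, 0, 0, 1],
    [1, 3, 2, 1, 0, 1, 2, 0],
    [0, 2, 5, 4, 1, 0, 1, 1],
    [2, 1, 3, 6, 2, 1, 0, 0],
    [0, 0, 1, 2, 1, 3, 2, 1],
    [1, 0, 0, 1, 0, 2, 4, 2],
    [0, 1, 1, 0, 1, 1, 3, 1],
    [1, 0, 0, 1, 0, 0, 1, 0],
]
ROWS, COLS = len(GRID), len(GRID[0])

# A candidate cloaking box is (r0, r1, c0, c1) with inclusive bounds.
def box_count(box):
    r0, r1, c0, c1 = box
    return sum(GRID[r][c] for r in range(r0, r1 + 1) for c in range(c0, c1 + 1))

def box_area(box):
    r0, r1, c0, c1 = box
    return (r1 - r0 + 1) * CELL * (c1 - c0 + 1) * CELL

def fits(box, dx, dy):
    """True if the box lies within the maximum spatial resolution {dx, dy}."""
    r0, r1, c0, c1 = box
    return (c1 - c0 + 1) * CELL <= dx and (r1 - r0 + 1) * CELL <= dy

def bottom_up(row, col, k, dx, dy):
    """Dynamic expansion: grow from the base cell towards the neighbouring
    row/column strip with the highest object count until k objects are inside."""
    box = (row, row, col, col)
    if not fits(box, dx, dy):
        return None
    while box_count(box) < k:
        r0, r1, c0, c1 = box
        best = None
        for cand in ((r0 - 1, r1, c0, c1), (r0, r1 + 1, c0, c1),
                     (r0, r1, c0 - 1, c1), (r0, r1, c0, c1 + 1)):
            if cand[0] < 0 or cand[1] >= ROWS or cand[2] < 0 or cand[3] >= COLS:
                continue
            if not fits(cand, dx, dy):
                continue
            gain = box_count(cand) - box_count(box)
            if best is None or gain > best[0]:
                best = (gain, cand)
        if best is None:          # no legal expansion left: cannot cloak
            return None
        box = best[1]
    return box

def top_down(row, col, k, dx, dy):
    """Dynamic reduction: start from the largest box inside {dx, dy} around
    the base cell, then peel off the outermost strip with the lowest count
    for as long as the box still holds at least k objects and the user's cell."""
    w, h = max(1, dx // CELL), max(1, dy // CELL)
    c0 = max(0, col - (w - 1) // 2); c1 = min(COLS - 1, c0 + w - 1); c0 = max(0, c1 - w + 1)
    r0 = max(0, row - (h - 1) // 2); r1 = min(ROWS - 1, r0 + h - 1); r0 = max(0, r1 - h + 1)
    box = (r0, r1, c0, c1)
    if box_count(box) < k:        # even the largest box fails: give up
        return None
    while True:
        r0, r1, c0, c1 = box
        strips = []               # (count of outermost strip, box without it)
        if r0 < row: strips.append((box_count((r0, r0, c0, c1)), (r0 + 1, r1, c0, c1)))
        if r1 > row: strips.append((box_count((r1, r1, c0, c1)), (r0, r1 - 1, c0, c1)))
        if c0 < col: strips.append((box_count((r0, r1, c0, c0)), (r0, r1, c0 + 1, c1)))
        if c1 > col: strips.append((box_count((r0, r1, c1, c1)), (r0, r1, c0, c1 - 1)))
        if not strips:
            return box
        removed, smaller = min(strips, key=lambda s: s[0])
        if box_count(box) - removed < k:   # next removal would break k-anonymity
            return box
        box = smaller

def hybrid(row, col, k, dx, dy, k_switch=20, area_switch=250_000):
    """Low k with a large tolerable area goes bottom-up, otherwise top-down.
    The switch thresholds are assumptions, not PrivacyGrid's values."""
    if k <= k_switch and dx * dy >= area_switch:
        return "bottom-up", bottom_up(row, col, k, dx, dy)
    return "top-down", top_down(row, col, k, dx, dy)

def metrics(box, k, dx, dy):
    """RAL = k'/k; RSR taken here as max-resolution area over cloaked area."""
    return {"RAL": box_count(box) / k, "RSR": (dx * dy) / box_area(box)}

def success_rate(requests, algorithm):
    """Anonymization success rate over (row, col, k, dx, dy) requests."""
    cloaked = sum(1 for req in requests if algorithm(*req) is not None)
    return cloaked / len(requests)

REQUESTS = [(3, 3, 15, 300, 300), (0, 0, 10, 200, 200),   # constructed
            (7, 7, 5, 200, 200), (3, 3, 80, 800, 800)]

if __name__ == "__main__":
    for name, algo in (("bottom-up", bottom_up), ("top-down", top_down)):
        box = algo(3, 3, 15, 300, 300)
        print(name, box, box_count(box), metrics(box, 15, 300, 300),
              "ASR=%.2f" % success_rate(REQUESTS, algo))
```

On this grid both algorithms settle on the same 2x2 region for the request at cell (3, 3) with k = 15 and a 300 m tolerance, giving RAL 1.2 and RSR 2.25; the request with k = 80 exceeds the total object count and fails under both, which is what the ASR metric counts.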
We simulate the movements of the mobile nodes in the visualization using the trace information provided by the trace generator. The trace generator also extracts the road network based on three types of roads, expressway, arterial and collector roads, and we highlight them with different colors. The underlying location cloaking is performed by the dynamic spatial cloaking algorithms of PrivacyGrid. For each request generated, the perturbed location of the mobile user is displayed visually. For the GUI part of our application we used Sun's JFC/Swing; this choice is motivated by its platform-independent and configurable properties. The input interface accepts all the simulation and visualization parameters. We also implement the zoom-in feature of the tool using Sun's JFC/Swing. When the client wants to zoom in on a particular mobile node, the area surrounding the mobile node is continuously stored in a BufferedImage object, replacing the existing image object (the present image) stored there. Thus the zoomed image, which is a sub-image of the previous image, is rendered at the same size as the original image.

4. PrivacyGrid – GUI

Figure 1 shows the basic GUI of our application. The map of the Chamblee region is on the left side, and on the right are all the controls for our application.

Figure 1

4.1 User's Location Privacy Preference Profile

The user has the option of setting up a personal privacy profile. The application allows the user to select the K-anonymity level, the Spatial Tolerance and the Grid-cell size. After setting up the privacy preference parameters the user can enter the Object ID to be tracked and use any of the preferred cloaking algorithms.

4.2 Cloaking Algorithms

After setting up the privacy preference profile the user can select a cloaking algorithm.
The application allows the user to choose any one of the three cloaking algorithms: Top-Down Cloaking, Bottom-Up Cloaking or Hybrid Cloaking. Figure 1 above shows the result of a simulation where the user has selected a K-anonymity level of 100-150, a Spatial tolerance of 1000-1200 m, a Grid-cell size of 32x32 and the Top-Down Cloaking algorithm. The blue dot in the output represents the actual position of the user who sent a query, and the red box is the cloaking region created by the Top-Down Cloaking algorithm for that user, keeping the User's Location Privacy Preference Profile in mind.

4.3 Dual Cloaking Mode

The application also provides an option called Dual Cloaking mode. Figure 2 below exemplifies the use of this option. After setting up the Location Privacy Preference Profile, the user can select this option to compare the results of the Top-Down and Bottom-Up Cloaking algorithms. The red box in the figure shows the output of the Top-Down Cloaking algorithm and the green box shows the output of the Bottom-Up Cloaking algorithm.

Figure 2

4.4 All Queries Mode

The application also provides an option called All Queries. Figure 3 below exemplifies the use of this option.

Figure 3

After setting up the Location Privacy Preference Profile, the user can select this option to view all the positions at which the user with the specified Object ID asked queries. The output represents the journey of the user with Object ID 2000 from a point A to a point B, where the blue dots represent the exact positions of the queries and the red boxes the cloaking regions for those queries over a specified interval of time.

4.5 Move Mode

The application also provides an option called MOVE. This option gives the user a dynamic view of the process of the user asking a query and the application providing the cloaking box.
It dynamically shows a user with a specified Object ID moving from one point to another and asking queries, with the cloaking algorithms providing a suitable cloaking box for each of those queries.

Figure 4

Figure 5

Figure 6

Figures 4, 5 and 6 depict the move mode of our application. It can be clearly seen how the object traverses its path and asks queries, and how the system responds with the cloaked regions.

4.6 Zoom

Figure 7

Figure 7 demonstrates the Zoom feature of our application. After choosing the privacy preference parameters and running the cloaking algorithms, the user can analyze the result more closely with the help of the zoom feature, as shown in the figure.

4.7 Next and Previous Mode

The application also provides options for manually scrolling through and analyzing the queries asked by a specific Object ID over a certain interval of time.

4.8 Statistics

Figure 8

As shown in Figure 8, the application also provides an option called Statistics, which reports the following parameters for the simulation and the cloaking algorithms:

1. Current Object ID
2. Current K-anonymity level
3. Current Spatial Tolerance
4. Grid-cell size
5. Relative Anonymity Level
6. Relative Spatial Resolution
7. Anonymization Time
8. Cloaking mode used
9. Number of queries for that simulation
10. Success rate of cloaking

5. Future Work

In future, we would be implementing the following features in the proposed visualization tool:

1. Visualization of the geographic map from map sources such as Google Maps and Yahoo Maps corresponding to the simulation area, embedding the grid on top of the geographic map based on the user-defined grid cell size.

2. Visualization of the movement of the mobile users on the road segments based on the user-specified velocity range.

3. A close visualization of the dynamic expansion and reduction algorithms of the PrivacyGrid framework, namely Bottom-Up Dynamic Expansion and Top-Down Dynamic Reduction.
In addition to the city-wide visualization of the location perturbation process, we also develop a single-instance visualization of the dynamic expansion and reduction process of the PrivacyGrid cloaking algorithms.

4. We would incorporate mouse gestures in our application to let the user zoom in on a mobile node by clicking on it or by dragging an area around it. We use the iGesture and Smardec's Mouse Gesture software libraries to incorporate the mouse gestures.

We also plan to create a mashup of our application's user interface with JXMapViewer using Swing to enable map movements in our visualization.

References

[1] B. Bamba, L. Liu, P. Pesti and T. Wang. Supporting Anonymous Location Queries in Mobile Environments using PrivacyGrid. In WWW, 2008.
[2] M. Mokbel, C. Chow, and W. Aref. The New Casper: Query Processing for Location Services without Compromising Privacy. In VLDB, 2006.
[3] M. F. Mokbel, C.-Y. Chow and W. G. Aref. The New Casper: A Privacy-Aware Location-Based Database Server. In Proceedings of the International Conference on Data Engineering (IEEE ICDE 2007), Istanbul, Turkey, pp. 1499-1500, Apr. 2007.
[4] B. Gedik and L. Liu. Location Privacy in Mobile Systems: A Personalized Anonymization Model. In ICDCS, 2005.
[5] G. Ghinita, P. Kalnis, and S. Skiadopoulos. PRIVE: Anonymous Location-Based Queries in Distributed Mobile Systems. In WWW, 2007.
[6] U.S. Geological Survey. http://www.usgs.gov.