Visualization of Location Cloaking process for Supporting Anonymous
Location Based Queries in Mobile Environments
Balaji Palanisamy and Saurabh Taneja
(balaji@cc.gatech.edu, saurabhtaneja@gatech.edu)
Abstract
PrivacyGrid is a framework for supporting anonymous location-based queries in mobile information
delivery systems. In PrivacyGrid, mobile users explicitly define their preferred location privacy
requirements in terms of location hiding measures (e.g., location k-anonymity and location l-diversity)
and location service quality measures (e.g., maximum spatial resolution and maximum temporal
resolution). The framework supports dynamic bottom-up and top-down grid cloaking algorithms that
achieve high anonymization success rate and efficiency in terms of both time complexity and
maintenance cost. This project incorporates a visualization tool for the PrivacyGrid framework to
visualize the spatial cloaking process of PrivacyGrid. The tool also visualizes the mobility of the users
along the road segments of the geographical maps. The tool would be handy to understand and
demonstrate the working of the location perturbation process to naïve mobile users.
1. Motivation
The increasing use of mobile devices and rapid advances in sensing and positioning hardware suggest that
location-based services (LBSs) will be a popular feature of the next generation of mobile devices. Because
LBSs depend heavily on the location data of mobile users, they pose new challenges to the location
privacy of those users. Location privacy is defined as the ability to prevent unauthorized parties from
learning one's current or past location; in the context of a mobile device, it refers to the ability of
the user to hide his location information while using the device. An LBS-enabled mobile device supports
location-based queries that need precise location data to return precise results. For instance, an LBS
query to find the nearest hospital from a user's current location requires the location of that user.
Since there may be a large number of untrusted location-based service providers in the system, users
may not be comfortable sharing their location information with these providers. Location privacy is
therefore a major concern when using location-based services.
As location-based services gain popularity, mobile users will soon need to be aware of location privacy
threats and of location privacy metrics such as k-anonymity and l-diversity. To help naive users
appreciate these metrics and the location perturbation process in a mobile environment, in this project
we develop a visualization tool that shows the mobility of users along road segments and the location
cloaking regions that correspond to their anonymity requirements as they move. Such a visualization
helps users understand the location cloaking process and set appropriate location privacy requirements.
2. PrivacyGrid
The PrivacyGrid framework supports three cloaking algorithms: top-down cloaking, bottom-up cloaking
and a hybrid approach. Before we describe each of these, we briefly explain the anonymization
parameters and the associated performance metrics.
PrivacyGrid uses a personalized location privacy model. A user registered with the anonymization
server specifies her location privacy requirements in terms of her desired user anonymity level k,
desired location diversity level l, maximum spatial resolution {dx, dy} and maximum temporal
resolution dt. We describe each of these parameters below:
Anonymity Level k: A location-based query is k-anonymous if the location of the message is
indistinguishable from k other users in the system. A user sets a desired k-anonymity level in order to
achieve his desired level of privacy.
Maximum spatial resolution (spatial tolerance): This is the largest area that the user is willing to
tolerate for the cloaking box. A smaller region yields a tighter, more useful cloaking box; however, it is
harder to find the requested level of privacy guarantees in a small region.
We briefly explain the metrics used to evaluate the effectiveness and efficiency of PrivacyGrid location
cloaking algorithms:
Anonymization Success Rate (ASR): Anonymization success rate is defined as the fraction of
messages cloaked successfully by an algorithm with respect to the set of received anonymization
requests.
Relative Anonymity Level (RAL): This metric measures the ratio of the anonymity achieved by the
cloaking algorithm to the user-specified k-anonymity level, i.e., k′/k.
Relative Spatial Resolution (RSR): This metric measures the ability of a cloaking algorithm to
provide the smallest cloaking area that meets the k-anonymity and l-diversity requirements. Given a
message ms and its perturbed version mt, we can measure the RSR by using the minimum spatial
cloaking area as calculated by the cloaking algorithm. Higher relative spatial resolution measure
implies that the cloaked spatial region is smaller relative to the user-specified maximum spatial
resolution area and the cloaking algorithm is more effective.
Anonymization Time: Anonymization time refers to the average time the cloaking algorithm takes to
perturb the given message for the given privacy profile. The smaller the anonymization time, the more
efficient is the cloaking algorithm.
2.1 Spatial Cloaking Algorithms
In this section, we present an overview of the dynamic spatial cloaking algorithms of PrivacyGrid. The
following sub-sections explain how each of them works and discuss their appropriateness for various
scenarios.
2.1.1 Bottom-Up Grid Spatial Cloaking
The bottom-up grid cloaking approach starts the cloaking process by taking the base cell containing the
mobile object from which the cloaking request has originated as the candidate cloaking area. First, a
check is made to determine if the current cell meets the user-specified maximum spatial resolution and
k-anonymity constraints. If the check is successful, the candidate cloaking area will be chosen as the
cloaking region. If not, the algorithm starts the cell expansion process to enlarge the candidate cloaking
area to neighboring cells. The cell expansion process stops when both k-anonymity and l-diversity
requirements for the cloaked message are met. Dynamic cell expansion takes an opportunistic approach
to expand the candidate cloaking region to any of the four neighboring set of cells. The decision on
which of the four cells to choose first is based on the object counts; the neighboring cell(s) with the
highest object count will be chosen for expansion, generating the new candidate cloaking box. Upon
meeting both the privacy and the QoS requirements, the algorithm uses the selected rows and columns
to determine the grid cells forming the final cloaking area.
Figure: Bottom Up Cloaking
2.1.2 Top-Down Grid Spatial Cloaking
In PrivacyGrid, the top-down dynamic grid cloaking algorithm starts with the largest grid cell region
within the user-specified maximum spatial resolution area, and encodes this candidate cloaking area by
a set of selectedRows and selectedCols. If the largest possible candidate cloaking box fails to meet the
desired privacy requirements, the message cannot be cloaked using user-defined privacy and QoS
requirements and the algorithm terminates. Otherwise, the top-down cloaking approach starts searching
for the smallest possible cloaking box that meets the k-anonymity and l-diversity requirements by
iteratively removing either an outermost row or column with the lowest object count from the candidate
cloaking area. This iterative process shrinks the candidate cloaking box along one of the four directions
and terminates when object counts in candidate cloaking area fall below the privacy requirement. In
some scenarios, the top-down cloaking process outperforms the bottom-up approach in terms of
cloaking time. For example, high k-anonymity and low maximum spatial resolution constraints may
help the system quickly locate appropriate cloaking areas by using a top-down dynamic reduction
approach.
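To make the two grid cloaking strategies described above concrete, the following is an added example (it is not PrivacyGrid's own code) that runs the bottom-up expansion and the top-down reduction over the same constructed grid of per-cell object counts. It assumes that the maximum spatial resolution is expressed as a limit of max_rows x max_cols grid cells, that the top-down start box is centred on the base cell, and that only k-anonymity is checked (l-diversity is not modelled); a result of None means the request cannot be cloaked under the given profile.

```python
# Added example, not PrivacyGrid's own code: bottom-up and top-down grid cloaking over
# per-cell object counts grid[row][col]. Assumptions: max spatial resolution is a box
# limit of max_rows x max_cols cells, the top-down start box is centred on the base
# cell, and only k-anonymity is checked (l-diversity is not modelled).

def box_count(grid, r0, r1, c0, c1):
    """Objects inside the inclusive cell box rows r0..r1, cols c0..c1."""
    return sum(grid[r][c] for r in range(r0, r1 + 1) for c in range(c0, c1 + 1))

def bottom_up(grid, row, col, k, max_rows, max_cols):
    """Grow from the base cell by the neighbouring row/column with the highest
    object count until >= k objects; None if the box would exceed the limit."""
    nrows, ncols = len(grid), len(grid[0])
    r0, r1, c0, c1 = row, row, col, col
    while box_count(grid, r0, r1, c0, c1) < k:
        cands = []  # (objects gained, resulting box); in-grid neighbours only
        if r0 > 0: cands.append((box_count(grid, r0 - 1, r0 - 1, c0, c1), (r0 - 1, r1, c0, c1)))
        if r1 < nrows - 1: cands.append((box_count(grid, r1 + 1, r1 + 1, c0, c1), (r0, r1 + 1, c0, c1)))
        if c0 > 0: cands.append((box_count(grid, r0, r1, c0 - 1, c0 - 1), (r0, r1, c0 - 1, c1)))
        if c1 < ncols - 1: cands.append((box_count(grid, r0, r1, c1 + 1, c1 + 1), (r0, r1, c0, c1 + 1)))
        if not cands:
            return None  # whole grid covered and still fewer than k objects
        _, (r0, r1, c0, c1) = max(cands, key=lambda x: x[0])
        if r1 - r0 + 1 > max_rows or c1 - c0 + 1 > max_cols:
            return None  # exceeded the user's maximum spatial resolution
    return (r0, r1, c0, c1)

def top_down(grid, row, col, k, max_rows, max_cols):
    """Start with the largest allowed box; fail if it holds < k objects, else drop
    the outermost row/column with the lowest count while >= k objects remain."""
    nrows, ncols = len(grid), len(grid[0])
    r0 = max(0, row - max_rows // 2); r1 = min(nrows - 1, r0 + max_rows - 1)
    c0 = max(0, col - max_cols // 2); c1 = min(ncols - 1, c0 + max_cols - 1)
    if box_count(grid, r0, r1, c0, c1) < k:
        return None  # cannot be cloaked under this privacy/QoS profile
    while True:
        cands = []  # (objects removed, resulting box); the base cell always stays inside
        if r0 < row: cands.append((box_count(grid, r0, r0, c0, c1), (r0 + 1, r1, c0, c1)))
        if r1 > row: cands.append((box_count(grid, r1, r1, c0, c1), (r0, r1 - 1, c0, c1)))
        if c0 < col: cands.append((box_count(grid, r0, r1, c0, c0), (r0, r1, c0 + 1, c1)))
        if c1 > col: cands.append((box_count(grid, r0, r1, c1, c1), (r0, r1, c0, c1 - 1)))
        if not cands:
            return (r0, r1, c0, c1)  # shrunk down to the base cell itself
        _, nb = min(cands, key=lambda x: x[0])
        if box_count(grid, *nb) < k:
            return (r0, r1, c0, c1)  # one more removal would break k-anonymity
        r0, r1, c0, c1 = nb

GRID = [[1, 2, 0, 1, 3], [0, 4, 1, 2, 1], [2, 1, 5, 0, 2], [1, 3, 2, 1, 0], [0, 1, 1, 4, 2]]  # constructed counts
print(bottom_up(GRID, 2, 2, 10, 3, 3), top_down(GRID, 2, 2, 10, 3, 3))  # both (2, 3, 1, 2)
```

On this grid both strategies reach the same 2x2 box holding 11 objects for k = 10, so the relative anonymity level k′/k is 1.1; raising k to 30 with the same 3x3 limit makes both return None, which is what the page's Anonymization Success Rate counts as a failed request.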
Figure: Top Down Cloaking
2.1.3 Hybrid Spatial Cloaking
The hybrid approach takes advantage of the strengths of both the above described approaches for
spatial cloaking and runs faster than either of them. There are several ways to combine the bottom-up
and top-down methods. The ability of the hybrid approach to identify whether it should proceed in a
bottom-up or top-down manner upon receiving a cloaking request is crucial to its effectiveness. The
first prototype of PrivacyGrid adopts a straightforward approach where for lower k-anonymity level
and higher maximum spatial resolution values, the algorithm benefits by proceeding in a bottom-up
manner. On the other hand, for higher k-anonymity level and lower maximum spatial resolution
values, the algorithm adopts a top-down approach that runs faster than the bottom-up approach for
finding the ideal cloaking box.
3. Implementation and Methodology
We use the PrivacyGrid framework as the underlying location privacy scheme. We use the simulator
from [4] to generate a trace of cars moving on a real-world road network, obtained from maps available
at the National Mapping Division of the USGS [6]. We generate requests based on the position
information in the trace and simulate the movements of the mobile nodes in the visualization from the
same trace. The trace generator also extracts the road network as three types of roads (expressway,
arterial and collector roads), which we highlight in different colors.
The underlying location cloaking is performed by the dynamic spatial cloaking algorithms of
PrivacyGrid. For each request generated, the perturbed location of the mobile user is visually
displayed.
For the GUI part of our application we used Sun's JFC/Swing; this choice is motivated by its
platform-independent and configurable properties. The input interface accepts all the simulation and
visualization parameters.
We also implement the zoom-in feature of the tool with Sun's JFC/Swing. When the client wants to zoom
in on a particular mobile node, the area surrounding that node is continuously captured into a
'BufferedImage' object, which replaces the existing 'BufferedImage' (the present image). The new image
is thus a sub-image of the previous one, rendered at the same size as the original.
4. PrivacyGrid GUI
Figure 1 shows the basic GUI of our application. We have the map of the Chamblee region on the left
side, and on the right we have all the controls for our application.
Figure 1
4.1. User’s Location Privacy Preference Profile
The user has the option of setting up a personal privacy profile. The application allows the user to
select the K-anonymity level, the Spatial Tolerance and the Grid-cell size.
After setting up the privacy preference parameters the user can enter the Object ID to be tracked and
use any of the preferred cloaking algorithms.
4.2. Cloaking Algorithms
After setting up the privacy preference profile the user can select a cloaking algorithm. The
application allows the user to choose any one of the three cloaking algorithms: Top-Down Cloaking,
Bottom-Up Cloaking or Hybrid Cloaking. Figure 1 above shows the result of a simulation where the user
has selected a K-anonymity level of 100-150, a Spatial tolerance of 1000-1200 m, a Grid-cell size of
32x32 and the Top-Down Cloaking algorithm.
The blue dot in the output represents the actual position of the user who has sent a query and the red
box is the cloaking region which has been created by the Top-Down Cloaking algorithm for the user
keeping the User’s Location Privacy Preference Profile in mind.
4.3. Dual Cloaking Mode
The application also provides an option called Dual Cloaking mode. Figure 2 shown below
exemplifies the use of this option.
After setting up the Location Privacy Preference Profile, the user can select this option to compare the
results of the Top-Down and Bottom-Up Cloaking algorithms. The red box in the figure shows the
output of the Top-Down Cloaking algorithm and the green box shows the output of the Bottom-Up
Cloaking algorithm.
Figure 2
4.4. All Queries Mode
The application also provides an option called All Queries. Figure 3 shown below exemplifies the
use of this option.
Figure 3
After setting up the Location Privacy Preference Profile, the user can select this option to view all the
positions at which the user with the specified object ID issued queries. The output represents the
journey of the user with Object ID 2000 from a point A to a point B, where the blue dots represent the
exact positions of the queries and the red boxes the cloaking regions for those queries over a specified
interval of time.
4.5 Move mode
The application also provides an option called Move. This option gives the user a dynamic view of the
process of a user issuing queries and the application providing the cloaking box for each of them.
It dynamically shows a user with a specified Object ID moving from one point to another and issuing
queries, and the cloaking algorithm providing a suitable cloaking box for each of those queries.
Figure 4
Figure 5
Figure 6
Figures 4, 5 and 6 depict the Move mode of our application. They show how the object traverses its
path and issues queries, and how the system responds with the cloaked regions.
4.6 Zoom
Figure 7
Figure 7 demonstrates the Zoom feature of our application. After choosing the privacy preference
parameters and running the cloaking algorithms, the user can analyze the result more closely with the
help of the zoom feature, as shown in the figure.
4.7. Next and Previous mode
The application also provides options for manually stepping through and analyzing the queries issued
by a specific Object ID over a certain interval of time.
4.8. Statistics
Figure 8
As shown in Figure 8 above, the application also provides an option called Statistics, which reports
the following parameters of the simulation and the cloaking algorithm:
1. Current Object ID
2. Current K Anonymity Level
3. Current Spatial Tolerance
4. Grid-cell size
5. Relative Anonymity Level
6. Relative Spatial Resolution
7. Anonymization Time
8. Cloaking Mode used
9. Number of Queries for that simulation
10. Success Rate of Cloaking
5. Future Work:
In the future, we plan to implement the following features in the proposed visualization tool:
1. Visualization of the geographic map from map sources such as Google maps and Yahoo maps
corresponding to the simulation area, embedding the grid on top of the geographic map based on the
user-defined grid cell size.
2. Visualization of the movement of the mobile users on the road segments based on the user specified
velocity range.
3. A close visualization of the dynamic expansion and reduction algorithms of the PrivacyGrid
framework, namely Bottom-up Dynamic Expansion and Top-down Dynamic Reduction. In addition to
the city-wide visualization of the location perturbation process, we plan to develop a single-instance
visualization of the dynamic expansion and reduction process of the PrivacyGrid cloaking algorithms.
4. We plan to incorporate mouse gestures in our application to let the user zoom in on a mobile node by
clicking on it or by dragging an area around it, using the iGesture and Smardec's Mouse Gesture
software libraries. We also plan to create a mashup of our application's user interface with
JXMapViewer using Swing to enable map movements in our visualization.
References:
[1] B. Bamba, L. Liu, P. Pesti and T. Wang. Supporting Anonymous Location Queries in Mobile
Environments using PrivacyGrid. In WWW, 2008.
[2] M. Mokbel, C. Chow and W. Aref. The New Casper: Query Processing for Location Services
without Compromising Privacy. In VLDB, 2006.
[3] M. F. Mokbel, C.-Y. Chow and W. G. Aref. The New Casper: A Privacy-Aware Location-Based
Database Server. In Proceedings of the International Conference on Data Engineering (IEEE ICDE
2007), Istanbul, Turkey, pp. 1499-1500, Apr. 2007.
[4] B. Gedik and L. Liu. Location Privacy in Mobile Systems: A Personalized Anonymization Model.
In ICDCS, 2005.
[5] G. Ghinita, P. Kalnis and S. Skiadopoulos. PRIVE: Anonymous Location-Based Queries in
Distributed Mobile Systems. In WWW, 2007.
[6] U.S. Geological Survey. http://www.usgs.gov.