Privacy of Location Information in Vehicular Ad Hoc Networks

Walaa El-Din M. Moustafa
Smart Vehicles

An important evolution for the automotive industry is the one toward context awareness: a vehicle is aware of its neighborhood, including the presence and location of other vehicles.

Modern cars now possess a network of processors connected to a central computing platform that provides Ethernet, Bluetooth, and IEEE 802.11 interfaces.

Newer cars also have features such as:
- Event Data Recorder (EDR)
- GPS receiver
- Front and rear radar for detecting obstacles
VANET

Vehicles connected to each other through an ad hoc formation form a wireless network called a "Vehicular Ad Hoc Network" (VANET). Its properties:
- Decentralized
- Self-organizing
- Multi-hop routes
- Nodes move at high speeds
- The number of nodes is very large
Architecture

(Figure: VANET architecture with V2V and V2I communication, a Road Side Unit (RSU), a traffic-monitoring server and a Location Based Service server.)

Applications

(Figure only.)
Obstacles

A major hurdle in moving forward is that only a small subset of vehicles will be smart, while V2V applications require most of the vehicles to be equipped with these systems.

The feeling of being permanently monitored by some arbitrary authority will limit user acceptance of these schemes.
Privacy Threat Examples

1. The police use hello beacons to calculate driving behavior and issue speeding tickets.
2. An employer overhears the communications from cars in the company parking lot.
3. A private investigator easily follows a car without being noticed, by extracting position information from messages and hello beacons.
First Step to Privacy

In the first example, a pseudonym may be used. As long as there is no provable mapping between the pseudonym and the real-world identity, the police will have a hard time issuing a ticket.

In the second example this may not be enough: the employer can correlate real-world identities and pseudonyms. The car's identifiers therefore have to be changed from time to time.

In the third example, even these precautions would not be enough. To prevent being followed, the car's identifier would have to be changed while moving.
Basic Privacy Requirements

- Use pseudonyms as identifiers instead of real-world identities.
- Change these pseudonyms.
- The number of pseudonym changes depends on the application and its privacy threat model.
- In special situations, pseudonyms used during communication can be mapped back to real-world identities by a Trusted Authority.

Are we missing something?

Changing pseudonyms alone does not prevent linking. The figure shows two successive snapshots of the same four vehicles:

Snapshot 1 pseudonyms: 50c7eab4, d667a062, cc6946d2, 3b99e1f6
Snapshot 1 positions: (6, 6), (4, 4), (2, 1), (0, 1)

Snapshot 2 pseudonyms: c77b6e7a, c511c120, d6130970, 3e086548
Snapshot 2 positions: (-6, -6), (-4, -4), (2, 0), (0, 0)

Every pseudonym is new, yet an observer who sees both snapshots can still match old and new identifiers through the positions. The third figure therefore introduces a silent period for A and a silent period for B: a vehicle stops broadcasting for a while around its pseudonym change, so the old and new identifiers cannot be linked through adjacent broadcasts.
More Privacy – V2V

For V2V scenarios it is actually hard to achieve more privacy: the silent period is bound by the maximum time between broadcast messages.
More Privacy – V2I

For V2I applications:
- Vehicles in geographical proximity share redundant information such as road and traffic conditions.
- Not all vehicles need to send information.

Vehicles form a group:
- Vehicles are in a group if each group member can hear the broadcasts of every other group member.
- The group leader does the communication on behalf of the group.

As a result:
- The silent period of a group member vehicle is extended.
- Unnecessary redundancy is reduced.
- The number of pseudonym updates is reduced.
More Privacy – LBS

Pseudonyms are not enough:
- Most of the time, users access the LBS from an "identifiable area".
- E.g. "Find me the nearest Pizza Hut to 8100 Greenbelt Road" reveals that you are the resident of 8100 Greenbelt Road.

The request needs to be done through a proxy:
- It can be the group leader.
- It can be a Location Anonymizer.

A user needs to specify a cloaking region. It is used to hide the user among different others, so that she is indistinguishable.

A user can specify the cloaking region through:
- Its minimum area.
- The minimum number of users inside of it (this metric is called k-anonymity).
- The distribution of users across the area.
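An added example (not from the slides) of how a Location Anonymizer can build a cloaking region that satisfies both a minimum area and k-anonymity. The requester, the other users and the map bounds are constructed values; the grid-aligned cell growth is one possible strategy, chosen so that the region's centre does not reveal the requester's point.

```python
import math

# Constructed data (not from the slides): the requester and the other LBS users
# known to the anonymizer, as (x, y) in metres, on a 1024 m square map.
USER = (12, 8)
OTHER_USERS = [(20, 5), (-30, 10), (60, -40), (5, -90), (150, 120), (-200, 30)]
MAP_ORIGIN, MAP_SIZE = (-512.0, -512.0), 1024.0

def users_inside(box, points):
    """Users whose position lies inside the (xmin, ymin, xmax, ymax) box."""
    xmin, ymin, xmax, ymax = box
    return [p for p in points if xmin <= p[0] <= xmax and ymin <= p[1] <= ymax]

def cloaking_region(user, others, k, min_area, base_cell=64.0):
    """Pick the smallest grid-aligned square cell containing the requester that
    holds at least k users (requester plus k-1 others) and covers at least
    min_area. Cells are aligned to the map grid, not centred on the requester,
    so the region's centre does not give the requester's position away."""
    if k - 1 > len(others):
        raise ValueError("fewer than k users on the map; k-anonymity unreachable")
    size = base_cell
    while size <= MAP_SIZE:
        xmin = MAP_ORIGIN[0] + math.floor((user[0] - MAP_ORIGIN[0]) / size) * size
        ymin = MAP_ORIGIN[1] + math.floor((user[1] - MAP_ORIGIN[1]) / size) * size
        box = (xmin, ymin, xmin + size, ymin + size)
        if len(users_inside(box, others)) + 1 >= k and size * size >= min_area:
            return box
        size *= 2                       # grow to the parent cell and retry
    raise ValueError("cloaking requirements exceed the map")

def anonymized_request(user, others, k, min_area, query):
    """What the proxy forwards to the LBS: the query and a region, never the point."""
    return {"query": query, "region": cloaking_region(user, others, k, min_area)}

if __name__ == "__main__":
    print(anonymized_request(USER, OTHER_USERS, 3, 0, "nearest pizza place"))
    print(anonymized_request(USER, OTHER_USERS, 3, 100_000, "nearest pizza place"))
```

Raising min_area or k grows the cell, so the LBS answer gets less precise; that trade-off is exactly what the user tunes with the three parameters above.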
Tracking

Assume smin and smax are the minimum and maximum speed limits, respectively, and tmin and tmax are the minimum and maximum silent period values, respectively.

Given the current position, the next broadcast should take place inside the area Ar:
Privacy Measure

Size of the anonymity set: the number of users among which the target is indistinguishable.

The maximum tracking time: the maximum time that the anonymity set remains 1.

If v(Ar) is the number of vehicles inside Ar, the expected size of the anonymity set of a target is

  E{|SA|} = E{ v(Ar) | v(Ar) ≥ 1 }

The probability that the target can be uniquely identified at each transmission is

  ptrack = Pr{ v(Ar) = 1 | v(Ar) ≥ 1 }

The expected maximum tracking time is
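An added example (not from the slides) that evaluates the tracking area Ar and the two measures above over constructed position snapshots. It assumes Ar is the ring of distances between smin·tmin and smax·tmax around the last broadcast position; the speed limits, silent periods and vehicle tracks are constructed values.

```python
import math

# Constructed example values (not from the slides): speeds in m/s, silent periods in s.
S_MIN, S_MAX = 5.0, 30.0
T_MIN, T_MAX = 2.0, 4.0

# Constructed ground-truth positions (x, y) of four vehicles over three broadcast
# rounds; vehicle i is at SNAPSHOTS[k][i]. Used only to evaluate the measures.
SNAPSHOTS = [
    [(0, 0), (40, 0), (500, 0), (600, 0)],
    [(60, 0), (100, 0), (560, 0), (660, 0)],
    [(120, 0), (160, 0), (620, 0), (720, 0)],
]

def reachable_ring(s_min, s_max, t_min, t_max):
    """Assumed model of Ar: after staying silent for t in [t_min, t_max] at a speed
    in [s_min, s_max], a vehicle is between s_min*t_min and s_max*t_max metres
    from its last broadcast position, in any direction."""
    return s_min * t_min, s_max * t_max

def vehicles_in_ar(last_pos, next_positions, ring):
    """v(Ar): the broadcasts of the next round that fall inside Ar of last_pos."""
    r_in, r_out = ring
    return [p for p in next_positions if r_in <= math.dist(last_pos, p) <= r_out]

def privacy_measures(snapshots, ring):
    """Empirical E{|SA|} = E{v(Ar) | v(Ar) >= 1} and
    ptrack = Pr{v(Ar) = 1 | v(Ar) >= 1}, averaged over every vehicle and every
    consecutive pair of rounds."""
    sizes = []
    for before, after in zip(snapshots, snapshots[1:]):
        for pos in before:
            n = len(vehicles_in_ar(pos, after, ring))
            if n >= 1:                      # condition on v(Ar) >= 1
                sizes.append(n)
    if not sizes:
        raise ValueError("no transition with v(Ar) >= 1")
    e_sa = sum(sizes) / len(sizes)
    p_track = sum(1 for n in sizes if n == 1) / len(sizes)
    return e_sa, p_track

if __name__ == "__main__":
    for t_max in (T_MAX, 2 * T_MAX):        # longer silence, e.g. via a group leader
        ring = reachable_ring(S_MIN, S_MAX, T_MIN, t_max)
        e_sa, p_track = privacy_measures(SNAPSHOTS, ring)
        print(f"tmax={t_max:>4}: E{{|SA|}}={e_sa:.2f}  ptrack={p_track:.2f}")
```

Doubling tmax widens Ar so that the two isolated vehicles gain a second candidate, which is the effect the V2I group scheme relies on when it extends a member's silent period.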
Is privacy always good?

Traceability due to cross-layer influence:
- Changing the pseudonym on one communication layer does not make sense if protocols on other layers still use identifiers.

Security implications:
- With pseudonyms, misbehaving nodes can evade the network without being identified.

Problems with application protocols:
- There are applications that need a long-term communication relationship, e.g. file transfer or interactive chat sessions.

Impact on communication protocols:
- Negative effect on routing protocols due to invalid routing tables.
Thanks !!