FeelingCloaking - Department of Computer Science

CLOAKING AND MODELING TECHNIQUES FOR LOCATION PRIVACY PROTECTION
Ying Cai
Department of Computer Science, Iowa State University, Ames, IA 50011
LOCATION-BASED SERVICES
RISKS ASSOCIATED WITH LBS
- Exposure of service uses
- Location privacy
  (Figure: examples labelled Hospital, Political Party, Nightclub, Stalking ...)
CHALLENGE
- Restricted space identification
  - Simply using a pseudonym is not sufficient because anonymous location data may be correlated with restricted spaces such as home and office for subject re-identification
  (Figure; label: identified)
LOCATION DEPERSONALIZATION
- Basic idea: reducing location resolution
  - Report a cloaking region, instead of the actual location
  (Figure: users send "Location & Request" through the cellular infrastructure (base station) to an anonymity server; the anonymity server sends "Cloaked region & Request" over the Internet to the LBS server, and the answer is relayed back along the same path.)
KEY ISSUE
- Each cloaking area must provide a desired level of depersonalization, and be as small as possible
EXISTING SOLUTION
- Ensuring each cloaking area contains a certain number of users [MobiSys'03, ICDCS'05, VLDB'07]
  (Figure: service users grouped into cloaking areas of K=4, K=5 and K=6 users.)
PROBLEMS (1)
- The anonymity server needs frequent location updates from all users
  - Practicality
  - Scalability
  - Difficult to support continuous LBS
- Simply ensuring each cloaking region contains K users does not provide K-anonymity protection
  (Figure; label: Service User)
PROBLEMS (2)
- Guarantees only anonymous use of services, but not location privacy
  - An adversary may not know who requests the service, but knows that the K users are all there at the time when the service is requested
  - Where you are and whom you are with are closely related to what you are doing ...
THE ROOT OF THE PROBLEMS
- These techniques cloak a user's position based on his current neighbors
  (Figure: the same K=4, K=5 and K=6 cloaking areas of service users.)
OBSERVATION
- Public areas are naturally depersonalized
  - A large number of visits by different people
  - More footprints, more popular
  (Figure: examples labelled Park and Highway.)
PROPOSED SOLUTION [INFOCOM'08]
- Using footprints for location cloaking
  - A footprint is a historical location sample
  - Each cloaking region contains at least K different footprints
- Location privacy protection: footprints vs. neighboring users
  - An adversary may be able to identify all these users, but will not know who was there at what time
FOOTPRINT DATABASE
- Source of footprints
  - From wireless service carriers, which provide the communication infrastructure
  - From the users of LBSs, who need to report location for cloaking
- Trajectory indexing for efficient retrieval
  - Partition the network domain into cells
  - Maintain a cell table for each cell
  (Figure: the database domain partitioned into cells c1, c2, ..., cn; each cell table has the columns uid and tlink, linking the users who visited the cell to their trajectories.)
CLOAKING TECHNIQUES
- Sporadic LBS
  - Each cloaking region needs to 1) be as small as possible, 2) contain footprints from at least K different users
- Continuous LBS
  - Each trajectory disclosed must be a K-anonymity trajectory (KAT)
  (Figure: "additive trajectory", with cells c1, c2, c3, c4 and boxes B1, B2, B3, B4.)
PRIVACY REQUIREMENT MODELING
- K-anonymity model
  - To request a desired level of protection, a user needs to specify a value of K
  - Problem: choosing an appropriate K is difficult
    - Privacy is about feeling, and it is difficult to scale one's feeling using a number
    - A user can always choose a large K, but this will reduce location resolution unnecessarily
PROPOSED SOLUTION [CCS09]
- A feeling-based approach
  - A user specifies a public region
    - A spatial region in which she would feel comfortable having it reported as her location, should she request a service inside it
    - The public region becomes her privacy requirement
  - All locations reported on her behalf will be at least as popular as the public region she identifies
CHALLENGE
- How to measure the popularity of a spatial region?
  - More visitors → higher popularity
  - More even distribution → higher popularity
- Given a spatial region R, we define
  - Entropy E(R) =
  - Popularity P(R) = 2^E(R)
CLOAKING TECHNIQUES
- Sporadic LBS
  - Each cloaking region needs to 1) be as small as possible, 2) have a popularity no less than P(R)
- Continuous LBS
  - A sequence of location updates which form a trajectory
  - The strategy for sporadic LBSs may not work
    - An adversary may identify the common set of visitors
CLOAKING TECHNIQUES
- Sporadic LBS
  - Each disclosed cloaking region must be as small as possible and have a popularity no less than P(R)
- Continuous LBS
  - The time-series sequence of location samples must form a P-Populous Trajectory (PPT)
    - A trajectory is a PPT if its popularity is no less than P
    - The popularity of each cloaking region in the trajectory must be computed w.r.t. a common set of users
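The three cloaking rules on the slides above (footprints from at least K different users for a sporadic request, popularity no less than that of the user's public region, and the common-visitor rule for a P-populous trajectory), as an added Python example; it is not code from the slides or from the authors' prototype. The footprints are constructed sample data. The entropy formula, which this page does not reproduce, is assumed here to be the base-2 Shannon entropy of each visitor's share of the footprints in the region, so that P(R) = 2^E(R) equals the number of visitors when their footprints are evenly spread; the square-growing search, the region tuples and all function names are likewise this example's own assumptions.

```python
import math
from collections import Counter

# Constructed sample footprints (user id, x, y) on a 0..1000 square domain;
# the values are made up for this example, not data from the slides.
FOOTPRINTS = [
    ("a", 100, 100), ("a", 110, 105), ("a", 120, 110), ("a", 500, 500),
    ("b", 105, 100), ("b", 600, 600),
    ("c", 115, 115), ("c", 700, 700),
    ("d", 130, 130), ("d", 800, 800),
]


def footprints_in(region, users=None, footprints=FOOTPRINTS):
    """Footprints inside the closed rectangle (x0, y0, x1, y1), optionally
    restricted to the given set of user ids."""
    x0, y0, x1, y1 = region
    return [(u, x, y) for (u, x, y) in footprints
            if x0 <= x <= x1 and y0 <= y <= y1 and (users is None or u in users)]


def visitors(fps):
    """Distinct users with a footprint in the list."""
    return {u for (u, _, _) in fps}


def entropy(fps):
    """E(R), assumed here to be the base-2 Shannon entropy of each visitor's
    share of the footprints in the region: more visitors and a more even
    spread of footprints among them both raise it."""
    counts = Counter(u for (u, _, _) in fps)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def popularity(fps):
    """P(R) = 2^E(R): 1.0 for a single visitor, n for n evenly represented ones."""
    return 2 ** entropy(fps)


def cloak(x, y, accept, step=10, limit=1000):
    """Grow a square centred on (x, y) by `step` until accept(footprints)
    holds; the first accepted region is the smallest one on this scale."""
    r = step
    while r <= limit:
        region = (x - r, y - r, x + r, y + r)
        if accept(footprints_in(region)):
            return region
        r += step
    return None


def cloak_k_footprints(x, y, k):
    """Footprint rule for sporadic LBS: footprints from at least K different users."""
    return cloak(x, y, lambda fps: len(visitors(fps)) >= k)


def cloak_by_popularity(x, y, public_region):
    """Feeling-based rule: at least as popular as the user's own public region."""
    p_min = popularity(footprints_in(public_region))
    return cloak(x, y, lambda fps: popularity(fps) >= p_min)


def trajectory_popularity(regions):
    """Popularity of a disclosed trajectory: each region's popularity is
    computed over the common set of users who appear in all of them, so
    intersecting the visitor sets of the regions gains an adversary nothing,
    and the trajectory is only as popular as its weakest region."""
    common = set.intersection(*(visitors(footprints_in(r)) for r in regions))
    if not common:
        return 0.0
    return min(popularity(footprints_in(r, users=common)) for r in regions)


def is_ppt(regions, p):
    """A trajectory is P-populous (a PPT) if its popularity is no less than P."""
    return trajectory_popularity(regions) >= p


if __name__ == "__main__":
    print(cloak_k_footprints(100, 100, 3))                    # (80, 80, 120, 120)
    print(cloak_by_popularity(115, 115, (80, 80, 120, 120)))  # (95, 95, 135, 135)
    path = [(80, 80, 120, 120), (490, 490, 610, 610)]
    print(round(trajectory_popularity(path), 3), is_ppt(path, 1.5))  # 1.755 True
```

The trajectory check is the part worth studying: it restricts every region to the common visitors before computing popularity. Without that restriction, two regions that each look populous on their own can be intersected down to a single user, which is the failure of the sporadic strategy that the slide warns about for continuous LBS.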
FINDING A CLOAKING SET
- A simple solution is to find the set of users who have footprints closest to the service user
  - Resolution becomes worse: there may exist another cloaking set which leads to a finer average resolution
PROPOSED SOLUTION
- Using populous users for cloaking
  - Popular users have more footprints, spanning larger regions
- Pyramid footprint indexing
  - A user is l-popular if she has footprints in all cells at level l
  - Sort users by the level l, and choose the most popular ones as the cloaking set
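The pyramid footprint index and the popularity-level ranking just described, together with the cell-table idea from the footprint database slide (a table per cell recording which users have footprints there), as an added Python example that is not code from the slides or from the authors' system. It assumes a 2^l x 2^l grid at level l over a square domain, a constructed set of footprints, and "highest level at which the user is l-popular" as the ranking key; the function names are this example's own.

```python
from collections import defaultdict

DOMAIN = 1000  # side of the square service domain (constructed)
MAX_LEVEL = 3  # pyramid levels 0..3, i.e. grids of 1, 4, 16 and 64 cells

# Constructed footprints (user id, x, y): "q" covers all 16 level-2 cells,
# "p" covers all 4 level-1 cells, "r" and "s" stay inside one quadrant.
FOOTPRINTS = (
    [("q", 125 + 250 * i, 125 + 250 * j) for i in range(4) for j in range(4)]
    + [("p", 100, 100), ("p", 900, 100), ("p", 100, 900), ("p", 900, 900)]
    + [("r", 300, 300), ("s", 350, 320), ("s", 360, 330)]
)


def cell_at(x, y, level):
    """(row, col) of the cell containing (x, y) in the 2^level x 2^level grid."""
    n = 2 ** level
    size = DOMAIN / n
    return (min(int(y // size), n - 1), min(int(x // size), n - 1))


def build_pyramid(footprints, max_level=MAX_LEVEL):
    """Cell tables for every level: pyramid[level][(row, col)] is the set of
    user ids with at least one footprint in that cell."""
    pyramid = [defaultdict(set) for _ in range(max_level + 1)]
    for (u, x, y) in footprints:
        for level in range(max_level + 1):
            pyramid[level][cell_at(x, y, level)].add(u)
    return pyramid


def popularity_level(pyramid, uid):
    """Highest l for which uid is l-popular (footprints in all 4^l cells of
    level l); -1 if the user has no footprints at all.  Being (l+1)-popular
    implies being l-popular, so the scan stops at the first level that fails."""
    best = -1
    for level, cells in enumerate(pyramid):
        if sum(1 for users in cells.values() if uid in users) == 4 ** level:
            best = level
        else:
            break
    return best


def choose_cloaking_set(pyramid, size):
    """Rank users by popularity level (ties broken by id) and take the top `size`."""
    users = set().union(*pyramid[0].values())
    ranked = sorted(users, key=lambda u: (-popularity_level(pyramid, u), u))
    return ranked[:size]


PYRAMID = build_pyramid(FOOTPRINTS)

if __name__ == "__main__":
    for u in sorted(set().union(*PYRAMID[0].values())):
        print(u, popularity_level(PYRAMID, u))  # q 2, p 1, r 0, s 0
    print(choose_cloaking_set(PYRAMID, 2))       # ['q', 'p']
```

Ranking by level rather than by distance to the service user's start position is what separates this from the "closest footprints" strategy: a cloaking set drawn from widely spread users keeps offering nearby footprints as the service user moves, so later regions in a trajectory stay small instead of growing as the initially closest users are left behind.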
SIMULATION
- We implement two other strategies for comparison
  - Naive cloaks each location independently
  - Plain selects the cloaking set by finding the footprints closest to the service user's start position
- Performance metrics
  - Cloaking area
  - Protection level
EXPERIMENT
- A Location Privacy Aware Gateway (LPAG)
- ePost-It: a spatial messaging system [MobiSys'08]
CONCLUDING REMARKS
- Exploring historical location samples for location cloaking
- A feeling-based approach for users to express their location privacy requirement
  - The K-anonymity model was the only choice
- A suite of location cloaking algorithms
  - To date, this is the only solution that can prevent anonymous location data from being correlated with restricted spaces to derive who's where at what time
  - Satisfies a required level of protection while resulting in good location resolution
- A location privacy-aware gateway prototype has been implemented