MobiHide: A Mobile Peer-to-Peer System
for Anonymous Location-Based Queries
Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos
National University of Singapore
and
University of Peloponnese, Greece
Location-Based Services
• LBS users
  – Mobile devices with GPS capabilities
• Location server is NOT trusted
• NN and Range Queries
  – “Find closest hospital to my present location”
  – Google Maps, Mapquest, Microsoft Live, etc.
• Privacy? Anonymity?
Problem Statement
• Hide IP address and username
• But user location may disclose identity
  – Triangulation of device signal
  – Publicly available databases
  – Physical surveillance
• How to preserve query source anonymity?
  – Even when exact user locations are known
K-Anonymity [Swe02]
Quasi-identifier: Age, ZipCode

(a) Microdata
Age  ZipCode  Disease
42   25000    Flu
46   35000    AIDS
50   20000    Cancer
54   40000    Gastritis
48   50000    Dyspepsia
56   55000    Bronchitis

(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000

[Swe02] L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
K-Anonymity (cont.)

(a) 2-anonymous microdata
Age    ZipCode      Disease
42-46  25000-35000  Flu
42-46  25000-35000  AIDS
50-54  20000-40000  Cancer
50-54  20000-40000  Gastritis
48-56  50000-55000  Dyspepsia
48-56  50000-55000  Bronchitis

(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000
Anonymizing Spatial Region
• Identification probability ≤ 1/K
Centralized Anonymizer
• Intermediate tier between users and LBS
• Bottleneck and single point of attack/failure
MobiHide – Fully Distributed
Existing Work: CloakP2P [Chow06]
• Find K-1 NN of query source
  – Source likely to be closest to ASR center
• Vulnerable to “center-of-ASR” attack
• NOT SECURE !!!
(Figure: query source uq inside its 5-ASR)
[Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
Existing Work: PRIVE [GKS07]
Aq has the reciprocity property iff
  i.  |AS| ≥ K
  ii. ∀ ui, uj ∈ AS, ui ∈ ASj ∧ uj ∈ ASi
[GKS07] Ghinita G., Kalnis P., Skiadopoulos S., PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW ’07
PRIVE (cont.)
• Based on Hilbert space-filling curve
  – index users by Hilbert value of location
  – partition Hilbert sequence into “K-buckets”
PRIVÉ Hierarchical Architecture
• But requires “global knowledge”
  – Global rank of query source required
  – PRIVÉ employs an annotated tree index
Motivation
(Figure: security versus speed trade-off. PRIVE sits at the “more secure” end, CloakP2P at the “faster” end, and MobiHide between the two.)
MobiHide
• Uses Hilbert transformation
• Key Idea
  – Remove the need for global knowledge
  – Allow random group formation
• Scalable DHT infrastructure employed
  – Chord DHT
MobiHide: Group Formation
(Figure: formation of a group of K users on the Hilbert sequence)
MobiHide: Example
MobiHide: Privacy
• MobiHide is not reciprocal
• Privacy guarantee for uniform query distribution only
• But offers strong privacy features in practice, even for skewed distribution
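An added illustration, not code from the MobiHide or PRIVÉ authors: it orders constructed users by Hilbert value, builds PRIVÉ’s fixed K-buckets and MobiHide’s random K-window around the query source, and checks the reciprocity property stated on the PRIVÉ slide against both. The 8x8 grid, the user positions, the leftover-bucket rule and the modelling of MobiHide’s group as a K-window with the source at a random offset are assumptions made for this example.

```python
def hilbert_index(n, x, y):
    """Hilbert value of cell (x, y) on an n x n grid, n a power of two (xy2d)."""
    d, s = 0, n // 2
    while s > 0:
        rx, ry = int((x & s) > 0), int((y & s) > 0)
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                      # rotate/flip the sub-quadrant
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

def hilbert_sequence(users, n):
    """Users sorted by the Hilbert value of their (x, y) location."""
    return sorted(users, key=lambda u: hilbert_index(n, *users[u]))

def prive_as(seq, source, K):
    """PRIVÉ: fixed K-buckets over the Hilbert sequence (assumed: the last bucket
    absorbs leftover users). Needs the source's global rank: 'global knowledge'."""
    rank, nb = seq.index(source), len(seq) // K
    b = min(rank // K, nb - 1)
    end = len(seq) if b == nb - 1 else (b + 1) * K
    return set(seq[b * K:end])

def mobihide_as(seq, source, K, offset):
    """MobiHide (as assumed here): a K-window of the circular Hilbert sequence
    holding the source at a random position offset in [0, K); no global rank needed."""
    rank, N = seq.index(source), len(seq)
    return {seq[(rank - offset + i) % N] for i in range(K)}

def is_reciprocal(as_of, users, K):
    """Reciprocity as on the PRIVÉ slide: |AS| >= K and, for all ui, uj in AS(q),
    ui in AS(uj) and uj in AS(ui): every member would form the same group."""
    for q in users:
        AS = as_of(q)
        if len(AS) < K or any(ui not in as_of(uj) for ui in AS for uj in AS):
            return False
    return True

# constructed sample: ten users on an 8x8 grid, anonymity degree K = 4
USERS = {"U1": (0, 0), "U2": (1, 1), "U3": (0, 3), "U4": (2, 2), "U5": (3, 0),
         "U6": (6, 1), "U7": (7, 3), "U8": (5, 5), "U9": (2, 6), "U10": (0, 7)}
SEQ, K = hilbert_sequence(USERS, 8), 4

def prive_reciprocal():
    return is_reciprocal(lambda q: prive_as(SEQ, q, K), USERS, K)

def mobihide_reciprocal(offsets):   # offsets: the position each user picked
    return is_reciprocal(lambda q: mobihide_as(SEQ, q, K, offsets[q]), USERS, K)
```

PRIVÉ’s buckets partition the sequence, so every member of a bucket computes the same anonymity set; MobiHide’s windows overlap, so two users can each appear in the other’s set without the sets being equal, which is the non-reciprocity the slide refers to.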
Correlation Attack (K = 4)
(Figure: users placed on the Hilbert sequence with their Hilbert values: U1(3) U2(5) U3(10) U4(15) U5(18) U6(27) U7(33) U8(43) U9(56) U10(58))
• 4-anonymity not achieved
• However: Difficult attack in practice
MobiHide Implementation
• Two-layer Chord DHT
• Each Chord node is a cluster of users
• Bounded cluster size [α, 3α)
User Join/Cluster Split
Load Balancing & Fault Tolerance
• Load Balancing
  – Cluster head rotation mechanism
• Fault Tolerance
  – Chord Periodic Stabilization Protocol
  – Leader election protocol, in case of cluster head failure
Experimental Setup
• San Francisco Bay Area road network
• Network-based Generator of Moving Objects*
  – Up to 10000 users
  – Velocities from 18 to 68 km/h
  – Uniform and skewed query distribution
* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.
“Center-of-ASR” Attack
(Figure: experimental results)

Correlation Attack
(Figure: experimental results)

ASR Formation Latency
(Figure: response time in seconds)
Points to Remember
• LBS Privacy an important concern
  – Existing solutions are either not secure …
  – … or not scalable
• MobiHide
  – Privacy guarantee for uniform query workload
  – Good best-effort privacy for skewed workload
  – Excellent scalability inherited from Chord DHT
Bibliography on LBS Privacy
http://anonym.comp.nus.edu.sg
Bibliography
[Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
[Gru03] Gruteser et al., Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[GKS07] Ghinita G., Kalnis P., Skiadopoulos S., PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW 2007
[Mok06] Mokbel et al., The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006