MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks
Wei Wei, Fengyuan Xu, Qun Li, The College of William and Mary
In INFOCOM, IEEE, 2012
A.C. Chen @ ADL

Slide 2: INTRODUCTION
Mobile Online Social Networks (mOSNs)

Slide 3: Mobile Online Social Networks (mOSNs)
• Many existing OSNs have created content and access mechanisms tailored to mobile users

Slide 4: New mOSNs
• Some mOSNs are designed specifically to be accessed from mobile devices, such as Foursquare and Gowalla

Slide 5: Privacy Concerns
• While location-based features make mOSNs more popular, they also raise significant privacy concerns
  – because users' physical locations are now correlated with their profiles
• All current mOSNs are under centralized control
  – users' location privacy is compromised if the location data collected by the mOSN is abused, inadvertently leaked, or falls under the control of attackers

Slide 6: Related Work
• SmokeScreen [ACM MobiSys, 2007]
  – flexibly shares presence with both friends and strangers while preserving user privacy
• In [HotMobile, 2010] and [Privacy Enhancing Technologies, 2007], locations are shared only between established relations in a privacy-preserving way
  – this rules out a large class of mobile social applications

Slide 7: The Main Idea of This Paper
• In a mOSN, users should be able to control how their own location information is accessed by others
• The system should work in such a way that an adversary controlling the mOSN cannot obtain users' location information

Slide 8: MOBISHARE
(figure: the four parties of MobiShare: User, Cellular Tower, Location Server, Social Network Server)

Slide 9: MobiShare Architecture
(architecture figure)

Slide 10: Trust and Threat Model
• Assumption
  – Either the social network server or the location server can be compromised, but the adversary cannot control both entities
• Threat model
  – Some users may also be malicious and seek to obtain others' location information
  – The social network server or the location server may collude with these malicious users

Slide 11: The Cellular Towers are Trusted
• The cellular carrier generally knows the owner's name and address for each subscribed cell phone
  – The FCC's wireless Enhanced 9-1-1 rules [E9-1-1] require that cellular carriers be able to locate subscribed cell phones to an accuracy of 50 to 300 meters
• MobiShare therefore makes no attempt to conceal devices' locations from the cellular network

Slide 12: Social Network Server and User
• The social network server manages users' identity-related information (profiles, friend lists, ...)
  – It can be the server of any existing OSN that wants to offer the location-sharing service
• Each user has a unique identifier at the social network server, a public/private key pair, and a symmetric session key
  – the session key is shared with all of the user's social network friends

Slide 13: Location Server and Cellular Tower
• The location server is an untrusted third-party server storing anonymized location updates of the users
  – A company may run the location server to profit from the OSNs or the users
  – It shares a symmetric secret key with each cellular tower
• Each cellular tower has a unique identifier and generates its own symmetric secret key
  – It shares this secret key with the location server

Slide 14: SYSTEM DESIGN
Service registration, authentication, location updates, querying location

Slide 15: MobiShare System
• Registration
  – Before using the location-sharing service, each user registers for the service at the social network server
• Authentication
  – Establishes an authenticated and secure communication link between the user and the cellular tower
• Location updates
• Querying location
  – Friends' case
  – Strangers' case

Slide 16: Service Registration
• User A shares his public key PubKeyA with the social network server
• User A defines the access control settings dfA and dsA
  – the threshold distances for sharing with friends and with strangers, respectively
• After registration, the social network server stores an entry <IDA, PubKeyA, dfA, dsA> in its subscriber table

Slide 17: Authentication (message flow from the figure)
1. User A → cellular tower: request(IDA, ts, SigA(IDA, ts))
2. Cellular tower → social network server: forward(IDA, ts, SigA(IDA, ts))
3. Social network server: verification (the signature is checked against PubKeyA), then it replies with (IDA, dfA, dsA)
4. Cellular tower → user A: forward(IDA, dfA, dsA)
5. User A: verification, then it replies OK
• On reception of the OK message, the cellular tower stores an entry <IDA, dfA, dsA> in its `user info` table

Slide 18: Location Updates
• The cellular tower performs anonymization when a user uploads a location update to the location server
  – Pseudonyms + dummy location updates
  – Each cellular tower periodically generates fake IDs and saves them in a fake ID pool
    • the fake IDs can be generated efficiently with a cryptographic hash function, e.g. fake IDi = SHA(fake IDi−1 ⊕ salt)

Slide 19: Location Updates – Anonymization (message flow from the figure)
1. User A → cellular tower: (IDA, (x, y), SessA(x, y))
2. Cellular tower: updates `user info`, picks k fake IDs from the pool and chooses one of them as FIDA, stores FIDA in `user info`
3. Cellular tower → social network server: mapping (IDA, FIDA, FID1, ..., FIDk−1)
4. Social network server: updates its `fake ID` table
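The tower-side logic of slides 18 and 19, plus the batch the tower emits on the next slide, as an added example in Python (not the paper's Java client). It implements the fake-ID hash chain fake IDi = SHA(fake IDi−1 ⊕ salt) and the k-anonymous batch of one real update plus k−1 dummies, shuffled and given exponentially distributed send delays. Assumptions made here and not in the slides: SHA-256 is the hash, the cell is a rectangle with dummy positions uniform inside it, dummy thresholds are copied from registered users, and SessA(x, y) (AES-128 in the paper) is replaced by an HMAC tag so the block runs with the standard library alone.

```python
# Added example: cellular-tower side of MobiShare location updates (slides 18-20).
# Not the paper's code. SHA-256, rectangular cell, uniform dummies and an HMAC
# stand-in for SessA(x,y) are assumptions of this example.
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field

DIGEST_LEN = 32  # SHA-256 digest size; seed and salt are the same length


def next_fake_id(prev: bytes, salt: bytes) -> bytes:
    """fake ID_i = SHA(fake ID_{i-1} XOR salt), the chain step on slide 18."""
    if len(prev) != DIGEST_LEN or len(salt) != DIGEST_LEN:
        raise ValueError("prev and salt must be %d bytes" % DIGEST_LEN)
    mixed = bytes(a ^ b for a, b in zip(prev, salt))
    return hashlib.sha256(mixed).digest()


def build_fake_id_pool(seed: bytes, salt: bytes, n: int) -> list:
    """Pre-generate n fake IDs as a hash chain from seed (hex strings)."""
    pool, cur = [], seed
    for _ in range(n):
        cur = next_fake_id(cur, salt)
        pool.append(cur.hex())
    return pool


@dataclass
class Tower:
    cid: str
    coverage: tuple            # (xmin, ymin, xmax, ymax); rectangular cell assumed
    k: int                     # anonymity level (the paper's experiments use k = 5)
    pool: list                 # fake ID pool, consumed from the end
    user_info: dict = field(default_factory=dict)   # IDA -> {"df", "ds", "fid"}
    rng: random.Random = field(default_factory=random.Random)

    def on_auth_ok(self, uid: str, df: float, ds: float) -> None:
        """Slide 17: store <IDA, dfA, dsA> once the user's OK arrives."""
        self.user_info[uid] = {"df": df, "ds": ds, "fid": None}

    def dummy_location(self) -> tuple:
        """A dummy position inside the cell (uniform here; the realistic movement
        of Kido et al.'s dummies is not reproduced in this example)."""
        xmin, ymin, xmax, ymax = self.coverage
        return (round(self.rng.uniform(xmin, xmax), 5),
                round(self.rng.uniform(ymin, ymax), 5))

    def anonymize_update(self, uid: str, loc: tuple, sess_key: bytes, rate: float = 1.0):
        """Slides 19-20: one real update from uid becomes k location-server updates.

        Returns (mapping, sends): mapping = (IDA, FIDA, [FID1..FIDk-1]) goes to the
        social network server; sends is a list of (delay_seconds, update) in the
        order the tower would transmit them to the location server.
        """
        info = self.user_info[uid]
        if len(self.pool) < self.k:
            raise RuntimeError("fake ID pool exhausted; regenerate the chain")
        fids = [self.pool.pop() for _ in range(self.k)]
        fid_a = self.rng.choice(fids)
        info["fid"] = fid_a
        x, y = loc
        # SessA(x,y): an HMAC tag under A's session key stands in for AES-128 here;
        # it is 64 hex chars, the same length as the dummies' random string below.
        sess_blob = hmac.new(sess_key, f"{x},{y}".encode(), hashlib.sha256).hexdigest()
        updates = [{"fid": fid_a, "loc": loc, "blob": sess_blob,
                    "df": info["df"], "ds": info["ds"]}]
        # dummies copy thresholds from registered users so their df/ds look real
        thresholds = [(u["df"], u["ds"]) for u in self.user_info.values()]
        for fid in fids:
            if fid == fid_a:
                continue
            df, ds = self.rng.choice(thresholds)
            updates.append({"fid": fid, "loc": self.dummy_location(),
                            "blob": secrets.token_hex(32), "df": df, "ds": ds})
        self.rng.shuffle(updates)                                # random order ...
        delays = [self.rng.expovariate(rate) for _ in updates]  # ... exponential gaps
        mapping = (uid, fid_a, [f for f in fids if f != fid_a])
        return mapping, list(zip(delays, updates))


if __name__ == "__main__":
    tower = Tower("C1", (0.0, 0.0, 2.0, 2.0), k=5,
                  pool=build_fake_id_pool(b"\x00" * 32, secrets.token_bytes(32), 100))
    tower.on_auth_ok("alice", df=1.0, ds=0.5)
    mapping, sends = tower.anonymize_update("alice", (0.7, 1.2), b"alice-session-key")
    print("to social network server:", mapping)
    for delay, upd in sends:
        print(f"+{delay:.2f}s to location server:", upd)
```

The point to notice is what each party can see: the location server receives k records that are identical in shape, with the real one's ciphertext field the same length as the dummies' random strings, while only the social network server learns which k fake IDs belong to A and only the tower knows which of them is FIDA.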
Slide 20: Location Updates – Anonymization (cont.)
• Cellular tower → location server:
  – 1 real update: (FIDA, (x, y), SessA(x, y), dfA, dsA)
  – k−1 dummy updates: (FIDi, (xi, yi), stri, dfi, dsi), where stri occupies the field that holds SessA(x, y) in the real update
• The location server updates `regionA` and each `regioni`
• The cellular tower sends the k location updates to the location server in random order, with random time intervals following an exponential distribution

Slide 21: Dummies Must Behave Like True Users
• The cellular tower follows the method of [Kido et al. 2005] to generate the k−1 dummy locations within its coverage area
  – an anonymous communication technique using false position data (dummies) mixed with true position data

Slide 22: Table View – location
(figure: the location server's table of updates)

Slide 23: Querying Friends' Locations (message flow from the figure)
1. User A → cellular tower: query(IDA, 'f', '1mi')
2. Cellular tower → social network server: forward(IDA, 'f', '1mi', SecKeyLoc(CIDC, seq))
3. Social network server: creates `FIDlist` by looking up the `fake ID` table; FIDlist consists of the fake IDs (real and dummy) of all of A's friends
4. Social network server → location server: query(FIDA, 'f', FIDlist, '1mi', SecKeyLoc(CIDC, seq))
5. Location server: access control, then it replies with SecKeyc((FIDi, Sessi(xi, yi)), ..., seq)
6. Social network server → cellular tower: (SecKeyc((FIDi, Sessi(xi, yi)), ..., seq), mapping entries), each mapping entry of the form (FIDj, IDj)
7. Cellular tower: decrypts the location entries
8. Cellular tower → user A: ((IDi, Sessi(xi, yi)), (IDj, Sessj(xj, yj)), ...)
• User A holds his friends' session keys (slide 12), so he can decrypt each Sessi(xi, yi)

Slide 24: Querying Strangers' Locations (message flow from the figure)
1. User A → cellular tower: query(IDA, 's', '1mi')
2. Cellular tower → social network server: forward('s', '1mi', SecKeyLoc(FIDA, CIDC, seq))
3. Social network server → location server: forward
4. Location server: looks up `region`; the n nearby fake IDs are mixed with (k−1)n fake IDs picked at random from the location update database, so FIDlist consists of the n nearby fake IDs mixed with the (k−1)n randomly selected fake IDs
5. Location server → social network server: (SecKeyc((FIDi, (xi, yi)), (FIDj, (xj, yj)), ..., seq), FIDlist)
6. Social network server → cellular tower: (SecKeyc((FIDi, (xi, yi)), (FIDj, (xj, yj)), ..., seq), mapping entries), each mapping entry of the form (FIDj, IDj, dsj)
7. Cellular tower: decrypts the location entries and double checks them
8. Cellular tower → user A: ((IDi, (xi, yi)), (IDj, (xj, yj)), ...)

Slide 25: EVALUATION
Experiment and Evaluation

Slide 26: Experimental Setup
• Cellular tower: emulated by a laptop
  – the smartphone communicates with the laptop through Verizon's 3G data service
• Social network server: deployed on the third-party cloud hosting service JoyentCloud
• Location server: deployed on the third-party cloud hosting service Linode

Slide 27: Experimental Setup (cont.)
• Client: implemented in Java on a MOTOROLA DROID 2 Global smartphone
  – the executable is 252KB
  – memory footprint of 12MB when running
• A data set of 48,014 users and the social network topology among them is used as the social network sample

Slide 28: Client Interface
(screenshot)

Slide 29: Experiment
• The anonymity level k is set to 5
• 128-bit AES is used for symmetric-key encryption and decryption
• The client updates its location every 30 seconds and queries the locations of friends or nearby strangers every minute

Slide 30: Experiment Results
• Low overhead on the client
  – a client consumes only 1.5% of the battery, with an average CPU utilization of 0.3%
• Low overhead incurred by the scheme on the cellular towers
  – with 1000 connected users, the cellular tower service uses only 4.1% of the CPU and 91MB of memory

Slide 31: Conclusion
• MobiShare supports the location-sharing features of real-world mOSNs:
  – querying locations within a certain range
  – user-defined access control
  – no change to existing OSNs' architectures
• The adversary cannot link a precise location to an identified user
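The access-control and mixing steps of the query protocols on slides 23 and 24, as an added example in Python (not the paper's code). A small location server stores the k-anonymized records of slide 20 and answers query(FIDA, kind, FIDlist, range): an entry is returned only if it lies within the requested range of FIDA's stored location and within its owner's own threshold (df for a friends query, ds for a strangers query). For the strangers' case it also builds the FIDlist of n truly nearby fake IDs mixed with (k−1)n random ones. The tower's "double check" on slide 24 is modelled as dropping entries whose fake ID is not the real FID the tower assigned to that user (dummies) and re-checking dsj; that reading, flat Euclidean distances in miles, and the sample data are assumptions of this example.

```python
# Added example: location-server access control and stranger-query mixing
# (slides 23-24) plus the tower's double check. Not the paper's code; the
# flat-plane distance, the reading of "double check" and the sample data
# below are assumptions of this example.
import math
import random

RANGES = {"0.5mi": 0.5, "1mi": 1.0, "2mi": 2.0}   # range strings as on the slides


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


class LocationServer:
    def __init__(self):
        self.db = {}   # FID -> {"loc": (x, y), "blob": Sess(x, y) or stri, "df", "ds"}

    def update(self, fid, loc, blob, df, ds):
        """Slide 20: real and dummy updates look identical to the server."""
        self.db[fid] = {"loc": loc, "blob": blob, "df": df, "ds": ds}

    def query(self, fid_a, kind, fidlist, rng_str):
        """Access control. kind is 'f' (friends) or 's' (strangers).
        Friends get the owner's Sess(x, y) ciphertext, strangers the plain (x, y)."""
        r = RANGES[rng_str]
        me = self.db[fid_a]["loc"]
        out = []
        for fid in fidlist:
            e = self.db.get(fid)
            if e is None or fid == fid_a:
                continue
            d = dist(me, e["loc"])
            owner_threshold = e["df"] if kind == "f" else e["ds"]
            if d <= r and d <= owner_threshold:
                out.append((fid, e["blob"] if kind == "f" else e["loc"]))
        return out

    def stranger_fidlist(self, fid_a, rng_str, k, rng=random):
        """Slide 24: n nearby fake IDs mixed with (k-1)n random ones and shuffled,
        so the social network server cannot tell which FIDs were actually near."""
        r = RANGES[rng_str]
        me = self.db[fid_a]["loc"]
        nearby = [f for f, e in self.db.items() if f != fid_a and dist(me, e["loc"]) <= r]
        others = [f for f in self.db if f != fid_a and f not in nearby]
        decoys = rng.sample(others, min((k - 1) * len(nearby), len(others)))
        fidlist = nearby + decoys
        rng.shuffle(fidlist)
        return fidlist


def tower_double_check(results, mapping, user_info, my_loc):
    """Tower side of slide 24 (assumed reading of "double check").
    results: [(FIDj, (xj, yj))]; mapping: FIDj -> (IDj, dsj) from the social
    network server; user_info: the tower's table with each user's real FID.
    A dummy maps to a real user's ID but carries a FID the tower never assigned
    as that user's real one, so it is dropped; dsj is re-checked as well."""
    out = []
    for fid, loc in results:
        if fid not in mapping:
            continue
        uid, ds = mapping[fid]
        if user_info.get(uid, {}).get("fid") != fid:   # a dummy of uid
            continue
        if dist(my_loc, loc) > ds:
            continue
        out.append((uid, loc))
    return out


def demo():
    """Constructed sample data: A at the origin, three other users, one dummy of B."""
    ls = LocationServer()
    ls.update("fidA", (0.0, 0.0), "SessA(0,0)", df=1.0, ds=0.5)
    ls.update("fidB", (0.5, 0.0), "SessB(.5,0)", df=1.0, ds=1.0)    # in range, allowed
    ls.update("fidC", (0.5, 0.3), "SessC(.5,.3)", df=0.2, ds=0.2)   # in range, owner too strict
    ls.update("fidD", (3.0, 0.0), "SessD(3,0)", df=5.0, ds=5.0)     # outside the 1mi range
    ls.update("fidB2", (0.8, 0.1), "r4nd0m", df=1.0, ds=1.0)        # dummy of B
    friends = ls.query("fidA", "f", ["fidB", "fidC", "fidD"], "1mi")
    fidlist = ls.stranger_fidlist("fidA", "1mi", k=3)
    strangers = ls.query("fidA", "s", fidlist, "1mi")
    mapping = {"fidB": ("bob", 1.0), "fidC": ("carol", 0.2),
               "fidB2": ("bob", 1.0), "fidD": ("dave", 5.0)}
    user_info = {"bob": {"fid": "fidB"}, "carol": {"fid": "fidC"}, "dave": {"fid": "fidD"}}
    checked = tower_double_check(strangers, mapping, user_info, (0.0, 0.0))
    return friends, fidlist, strangers, checked


if __name__ == "__main__":
    for name, value in zip(("friends", "FIDlist", "strangers", "checked"), demo()):
        print(name, value)
```

Two things the sample makes visible: the location server enforces the owner's threshold but cannot tell fidB2 from a real user, so the dummy survives the strangers query and is only removed by the tower, which alone knows B's real FID; and the friends query never hands the location server a plaintext position to return, only Sess(x, y), which A decrypts with the friend's session key.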