HCMC University of Technology Information System Security Course Presenter: Nguyen Ba Anh 1. Location-based service concepts 2. Preserving Privacy in Location-based Mobile Social Applications 2.1. 2.2. 2.3. 2.4. 2.5. Introduction Motivating applications Goals, system and threat model Building blocks and their usage Privacy analysis and tradeoffs 3. Privacy-Preserving Techniques for Locationbased Services 3.1. Problems 3.2. Two main approach 3.3. PROBE (Privacy-preserving Obfuscation Environment) 3.4. Private information retrieval (PIR) techniques 3.5. Privacy in some kind of LBS 4. Conclusion A general class of computer programlevel services used to include specific controls for location and time data as control features in computer programs (Wikipedia) Users Usages ◦ Wide-spread adoption (tremendous penetration) ◦ Empower users with knowledge of their vicinity ◦ Numerous untrusted servers offering different services ◦ Proposed design: simple encrypted data store & move the application functionality to client smartphones. ◦ ◦ ◦ ◦ ◦ Collaborative Content Downloading Social Recommendations Local Businesses Locations-Based Reminders Friend Locator System model: ◦ iPhone 3G comes with a 412MHz processor and 512MB of RAM ◦ Smartphones decrypt and consume friends’ data, the server stores users’ data, backs them up, and serve data to users Threat model: ◦ third-party storage server is untrusted ◦ user privacy lost even when the data stored on the server is leaked to an attacker Friendship Proof: ◦ a cryptographic attestation A -> B using symmetric key ◦ Users stores all their proofs from their friends ◦ Communicate via a wireless interface and exchange using a cryptographically secure handshake Transaction Proof: ◦ cryptographically attests that a piece of information belongs to a user ◦ Include message for friends (current location, opinion, something helpful) ◦ message is application-dependent, encrypted with the user’s session key when it is stored on the storage server Interfaces Exposed by the Storage Server Server Interface Privacy and Tradeoffs ◦ Only the friend users with appropriate keys can decrypt the data ◦ improve the performance by tagging each proof stored via a putLocationInfo call with an Id (or public key) of the user that generated the proof ◦ achieve both performance and privacy in this call is to tag the proofs with an userId that changes periodically in a known pattern (known only to friends) Impact of Several Potential Attacks ◦ A compromised client can leak the location privacy of all her friends ◦ Compromised Third-party Storage Server (Stronger Threat Model) ◦ DoS Attacks on the Server Location information is critical for providing customized services, on the other hand, can lead to privacy breaches attacker may infer sensitive information about the individual by cross-referencing location information about an individual with other information and by exploiting domain knowledge Location obfuscation k-anonymization Based on key elements The 1st element: sensitive entities and unreachable entities The 2nd element: personal profile The 3rd element: probabilistic privacy model preferences are recorded in the individual personal profile does not require intermediate parties to generate cloaked regions nor the presence of other individuals to achieve anonymity may be quite expensive Privacy in Location-aware LBS Purpose specification Compliance User consent Limited collection Openness Privacy principles Accuracy and context preservation Limited use Limited retention Limited disclosure Privacy in Location-aware LBS Privacy in Real-time LBS Privacy and Location Anonymization in LBS LBS present an important parts in the development of human Customers, regulators and legislators all have an interest in privacy Privacy can and should be designed into systems by minimizing personal data collection, storage