Baik Hoh, Marco Gruteser
WINLAB / ECE Dept., Rutgers University
Ryan Herring, Jeff Bana, Dan Work, Juan-Carlos Herrera,
Alexandre Bayen
Civil Engineering Dept., UC Berkeley
Murali Annavaram, Quinn Jacobson
Nokia Research Center
Presentation By: Saurabh Hukerikar
30 th March 2009

 Geographic markers that indicate where vehicles should provide location updates
 Aggregating and cloaking several location updates based on trip line identifiers for privacy by preventing updates from VTL’s deemed private.
 Distributed architecture

 Eye witness reports
 Traffic cameras
 Loop detectors
 Cellular base station hand-off
 In-Vehicle Transponders (IVTs) and License Plate
Readers (LPRs) .

www.privacyrights.org
Preserving privacy in GPS traces via uncertainty-aware path cloaking
[B. Hoh, M. Gruteser, H. Xiong, and A. Alrabady]
 Spatio-temporal characteristics of the data allows tracking and reidentification of anonymous vehicles when user density is low.
 Consecutive location samples from a vehicle exhibit temporal and spatial correlation, paths of individual vehicles can be reconstructed from a mix of anonymous samples belonging to several vehicles
 Process can be formalized and automated through target tracking algorithms
 Algorithms generally predict the target position using the last known speed and heading information and then decide which next sample to link to the same vehicle through Maximum Likelihood
Detection

 Mean Time To Confusion (MTTC)
 Mean Distance To Confusion (MDTC)
 Tracking Uncertainity

Traffic Monitoring With Virtual Trip Lines
Virtual trip lines control disclosure of location by sampling in space
Handset
VTL generator
ID proxy server
Traffic monitoring service provider
Virtual trip line (VTL): [id; x1; y1; x2; y2; d]

VTL Placement: Minimum Spacing
Speed variation
Penetration & Speed – impact on
Minimum spacing

VTL Placement: Road Layout
If trip lines are placed immediately before or after intersections, an adversary may be able to follow vehicles paths based on speed differences

VTL Placement: Minimum Spacing – Speed consideration

Experimental Evaluation
RMS error of about 80 seconds
Travel time of each link is computed with the length of a link and the mean speed that is obtained by averaging out speed readings from probe vehicles during an aggregation interval.

Experimental Evaluation – Privacy v Accuracy Trade-Off
Distance-to-confusion with two different sets of anonymous flow updates from both o The evenly spaced VTLs (with exclusion area) and o The evenly spaced VTLs (without exclusion area) o 1 – 2 % penetration o 500 meters exclusion area o Sets of equidistant trip lines with minimum spacing varying from 333 ft (100 meters) to 1670 ft (500 meters) o Uncertainty threshold of 0.2

Privacy v Accuracy Trade-Off
 Two successive anonymous updates that are sampled longer than 800 feet apart experience high tracking uncertainty.
 Existence of the exclusion area
 The travel time estimation generally improves with an increasing number of VTLs

Experimental Evaluation
Source: http://www.calccit.org/projects/PDF-2008/Mobile%20Century%20Fact%20Sheet.pdf

 Energy requirements
- dash board charger
 Processing and Communication overhead on Client phone
 Real time?
- Distributed architecture
 Exclusion of VTLs
- Generic exclusion risks undercoverage
- Individualized exclusion processing overhead or configuration

“The TomTom devices with HD Traffic all use a built-in receiver including a
SIM-card. Does this mean that I can be traced?
TomTom takes privacy of personal information very seriously, and the information retreived is entirely anonymous. TomTom only uses information about the speed and direction travelled of TomTom device users. We don't know anything about the devices themselves, nor who owns them”
“Data generated from the mobile phones is completely anonymous. TomTom, and has information about user direction and speed only - not the type of device, nor the owner of the mobile phone.”
WEBLINK: TomTom High Definition
Source: http://www.tomtom.com/services

WEBLINK: