Protecting Location Privacy in Mobile Computing Systems: Architecture and Algorithms
Ling Liu, Georgia Tech, USA
Introduction
With the rapid development of positioning technologies such as GPS, GSM, RFID, and WiFi (802.11) and the wide deployment of wireless local area networks (WLANs), many devices today are equipped with wireless communication capabilities and location awareness. These technologies have enabled a new class of applications known as Location-Based Services (LBSs). While LBSs hold the promise of new business opportunities and a wide range of life-enhancing services, the ability to locate users and mobile objects accurately also opens the door to a new threat: intrusion of location privacy. Location privacy threats are the risks that an adversary obtains unauthorized access to raw location data, or to information derived or computed from it, by locating a transmitting device, by hijacking the channel over which locations are transmitted, or by identifying the subject (person) using the device.
Location privacy refers to the ability to prevent unauthorized parties from learning one's current or past location. In LBSs there are conceivably two types of location privacy: personal, subscriber-level privacy and corporate, enterprise-level privacy. Extensive deployment of location-based services without safeguards may endanger the location privacy of mobile users, because location data is highly vulnerable to abuse. For example, location information can be used to spam users with unwanted advertisements or to learn about users' medical conditions, alternative lifestyles, or unpopular political views: inferences can be drawn from visits to clinics, doctors' offices, entertainment districts, or political events. In extreme cases, public location information can lead to physical harm, for example in stalking or domestic abuse scenarios.
Location privacy has attracted attention from the research community in recent years. Most of the solutions proposed so far deal with location privacy protection under a uniform assumption, namely that all mobile users have similar location privacy requirements. Very few have studied personalized privacy protection strategies or provided a qualitative and quantitative analysis of the inherent tradeoff between the utility that LBSs can offer and the location privacy users must give up to obtain it. That tradeoff is unavoidable: on one hand, the quality of an LBS depends on the accuracy of the mobile users' locations, and on the other hand, the more accurate the disclosed location information is, the higher the risk that location privacy is invaded. It is important to develop mechanisms that help find an acceptable balance between the extremes of fully disclosing and completely withholding location data. In this tutorial we present an in-depth description of location privacy and privacy-aware location-based services in mobile information systems, with emphasis on architectures, concepts, and techniques.
Tutorial Content (3 hours)
1. Motivation: Applications and Requirements (0.5 hours)
First, we motivate the need for location privacy in future mobile and ubiquitous computing environments and address the different requirements for protecting it. We also define the concept of location privacy, discuss the tradeoffs between the utility of locations, the quality of service provided by the LBS, and the location privacy desired by the user, and show how such a tradeoff can be reached through location cloaking mechanisms.
(1) Location Privacy and Location Service Quality
In mobile computing environments, location-based applications track people's movements so they can offer various location-dependent services. Users who do not want such services should be given the choice of refusing to be tracked and thus maintaining their location privacy. Of course, if a user provides little location information to the service provider, the risk of her privacy being compromised is significantly reduced, but this may prevent the LBS from providing the best service to her. Alternatively, before contacting the LBS provider, a user can have her location information filtered by reducing its precision (resolution) in time and space. An important question is how much privacy protection is necessary. Perfect privacy is clearly impossible as long as communication takes place. Moreover, different users may have varying privacy needs in different contexts. Therefore, it is important to develop customizable privacy protection mechanisms that help users find a comfortable balance between the extremes of fully disclosed and completely withheld location data. This includes a qualitative and quantitative analysis of the inherent tradeoff between the quality of service provided by the LBS and the location privacy desired by the user, and of how coarse the location information sent by a mobile user to the LBS can be while still reaching such a tradeoff.
(2) Location Privacy and Personalization
We argue that location privacy is context sensitive. Different users may require different levels of privacy at different times, and a user's willingness to share location data may depend on a range of factors, including contextual information about the user (environmental context, task context, social context, and so on). Thus a "one size fits all" framework for location privacy does not work. We promote user-defined privacy rules combined with a personalized anonymization model, since this allows users to tailor the system-level privacy protection strategies to their personal privacy preferences.
2. Protecting Location Privacy: Policy-based Model vs. Location Anonymization (1 hour)
Several approaches have been proposed for protecting location privacy of a user. Most of them try to prevent disclosure of unnecessary information by techniques that explicitly or implicitly control what information is given to whom and when. These techniques can be classified into three categories:
- Location protection through user-defined or system-supplied privacy policies;
- Location protection through anonymous usage of information, such as location cloaking, by reducing temporal and spatial resolutions of location information; and
- Location protection through pseudonymity of user identities, which uses an internal pseudonym rather than the user's actual identity. Such pseudonyms should differ between services and change frequently, to prevent applications from tracking the user; more importantly, they should be generated in such a way that linking an old pseudonym to the new one is very hard.
Some location-based services can operate completely anonymously, such as "when I pass a gas station, alert me with the unit price of the gas". Others cannot work without the user's identity, such as "when I am inside the office building, let my colleagues find out where I am". Between these two extremes are applications that cannot be accessed anonymously but do not require the user's true identity, such as "when I walk past a computer screen, let me teleport my desktop to it". Here the application must know whose desktop to teleport, but it can do so using an internal pseudonym rather than the user's true identity. For those LBSs that do require the user's true identity, strong security mechanisms, such as location authentication and authorization, have to be enforced in conjunction with the location privacy policy.
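The following is an added example, not code from the tutorial or its authors, of how a client can derive the per-service, frequently changing pseudonyms described above. A secret key held only by the user keys an HMAC-SHA256 over the service identifier and an epoch index, so the same user presents a different pseudonym to each service and a fresh one every epoch, while a service can still recognise the same pseudonym within an epoch (it knows whose desktop to teleport). Without the key, nobody can compute the next epoch's pseudonym from the current one, so the identifiers themselves do not link across epochs. The service names, the 15-minute epoch length and the sample keys are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed rotation interval: a new pseudonym every 15 minutes.
EPOCH_SECONDS = 15 * 60


def new_user_key() -> bytes:
    """Fresh 256-bit secret, generated and kept on the user's device."""
    return secrets.token_bytes(32)


def epoch_index(timestamp: int, epoch_seconds: int = EPOCH_SECONDS) -> int:
    """Index of the rotation epoch that contains `timestamp` (seconds)."""
    return timestamp // epoch_seconds


def pseudonym(user_key: bytes, service_id: str, timestamp: int,
              epoch_seconds: int = EPOCH_SECONDS) -> str:
    """Pseudonym the user presents to `service_id` during the epoch of `timestamp`.

    HMAC(key, service_id || epoch) is deterministic for the key holder, so the
    user re-derives the same value for the whole epoch, and unpredictable for
    anyone without the key, so a service cannot precompute the user's next
    pseudonym or the pseudonym she uses with another service.
    """
    msg = service_id.encode("utf-8") + b"|" + \
        epoch_index(timestamp, epoch_seconds).to_bytes(8, "big")
    tag = hmac.new(user_key, msg, hashlib.sha256).digest()
    return tag[:16].hex()  # 128-bit identifier, collision-safe for this purpose


def rotation_schedule(user_key: bytes, service_id: str, start: int, epochs: int) -> list:
    """Pseudonyms the user will present to one service over the next `epochs` epochs."""
    return [pseudonym(user_key, service_id, start + i * EPOCH_SECONDS)
            for i in range(epochs)]


if __name__ == "__main__":
    key = new_user_key()
    # Constructed scenario: one user, two services, two consecutive epochs.
    for service in ("gas-price-alerts", "desktop-teleport"):
        print(service, rotation_schedule(key, service, start=1000, epochs=2))
```

Rotating pseudonyms only removes the linkage carried by the identifier. Two consecutive pseudonyms that report adjacent positions at adjacent times can still be linked through the trajectory itself, which is why the anonymity-based approach in the next part also coarsens the location data.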
In this tutorial we will give an overview of two types of location privacy protection strategies, policy-based models and anonymity-based models, describe different classes of location privacy threats, and survey the possible techniques and solutions for location privacy protection. We will describe the design and development of a secure and customizable architecture for privacy-aware location-based services, which provides a careful combination of policy-based location privacy mechanisms and location anonymization based privacy schemes. In the policy-based approach, mobile subscribers need to evaluate and choose privacy policies offered by the service provider. These policies serve as a contractual agreement about which data can be collected, for what purpose the data can be used, and how it can be distributed. Typically the mobile subscribers have to trust the service provider that private data is adequately protected. In contrast, the anonymity-based approach de-personalizes data before it is dispatched to service providers. Thus it can provide a high degree of privacy, save users from dealing with service providers' privacy policies, and reduce the service providers' requirements for safeguarding private information. However, guaranteeing anonymous usage of location services requires that the precise location information transmitted by a user cannot be easily used to re-identify the subject. One common way to anonymize location information is to provide location k-anonymity by location cloaking, which reduces the temporal and spatial resolution of location information.
3. Location k-anonymity and Location Privacy (1 hour)
The concept of k-anonymity was originally introduced in relational data privacy research. In the context of LBSs and mobile users, location k-anonymity refers to k-anonymous usage of location information: a location is released in a form that is consistent with at least k users, so a larger k makes linking the location to a particular user harder. A user can specify the value of k in her location privacy policy as a parameter controlling her desired level of privacy. Location perturbation is an effective technique for implementing location k-anonymity. Two fundamental questions arise with location k-anonymity: (1) how large should the value of k be? and (2) should different k values be used for different users, or even for different service requests of the same user (context sensitivity)? We argue that there is a close synergy between location privacy and location k-anonymity: a larger k in location anonymity usually implies stronger guarantees of location privacy. We will present the design of several personalized anonymization models and location cloaking algorithms, and discuss issues such as safeguards for the secure transmission, use, and storage of location information that reduce the risk of unauthorized disclosure. We will also describe our study of the impact on system performance and quality of service of incorporating different location privacy protection strategies into the proposed distributed location service middleware architecture.
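As an added illustration of personalized location k-anonymity through cloaking (this is example code written for this page, not the tutorial's own anonymization algorithm), the block below implements a simple grid-based cloaking step as a trusted anonymizer would run it, covering both the spatial and the temporal resolution reduction mentioned in part 1. Each user carries her own k and the largest cloaking box she will tolerate. The anonymizer snaps the exact position to an origin-aligned grid cell and doubles the cell side until at least k users (the requester included) fall inside it; if the box would have to exceed the user's tolerance, the request is suppressed rather than forwarded with weaker privacy than she asked for. Timestamps are coarsened to a fixed window. The user records, coordinates (metres), grid base size and 300-second window are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

Box = Tuple[float, float, float, float]  # x0, y0, x1, y1 (half-open on x1, y1)


@dataclass(frozen=True)
class User:
    uid: str
    x: float
    y: float
    k: int            # anonymity set size required by the user's privacy policy
    max_side: float   # largest cloaking box side (metres) the user will accept


# Constructed snapshot of the current positions known to the anonymizer.
SNAPSHOT: List[User] = [
    User("alice", 12.0, 8.0,  k=3, max_side=64.0),
    User("bob",   14.0, 9.0,  k=2, max_side=16.0),
    User("carol", 30.0, 40.0, k=3, max_side=32.0),
    User("dave",  60.0, 12.0, k=2, max_side=8.0),
    User("erin",  18.0, 5.0,  k=2, max_side=32.0),
    User("frank", 2.0,  62.0, k=1, max_side=8.0),
]


def grid_cell(x: float, y: float, side: float) -> Box:
    """Cell of the origin-aligned grid with the given side that contains (x, y)."""
    x0 = math.floor(x / side) * side
    y0 = math.floor(y / side) * side
    return (x0, y0, x0 + side, y0 + side)


def users_in(box: Box, users: List[User]) -> List[User]:
    x0, y0, x1, y1 = box
    return [u for u in users if x0 <= u.x < x1 and y0 <= u.y < y1]


def cloak(user: User, users: List[User], base_side: float = 1.0) -> Optional[Tuple[Box, int]]:
    """Smallest grid cell around `user` that holds at least user.k users.

    The side doubles each round (halving the spatial resolution). Returns None
    when k cannot be met without exceeding the user's spatial tolerance.
    """
    side = base_side
    while side <= user.max_side:
        box = grid_cell(user.x, user.y, side)
        members = users_in(box, users)
        if len(members) >= user.k:
            return box, len(members)
        side *= 2
    return None


def time_window(t: int, window: int = 300) -> Tuple[int, int]:
    """Coarsen a timestamp to its enclosing fixed window (temporal cloaking)."""
    start = (t // window) * window
    return start, start + window


def anonymize_request(uid: str, t: int, users: List[User] = SNAPSHOT) -> dict:
    """What the anonymizer forwards to the LBS instead of (uid, x, y, t)."""
    user = next(u for u in users if u.uid == uid)
    result = cloak(user, users)
    if result is None:
        return {"status": "suppressed",
                "reason": f"k={user.k} not reachable within a {user.max_side} m box"}
    box, achieved = result
    return {"status": "cloaked", "box": box, "k_achieved": achieved,
            "time_window": time_window(t)}


if __name__ == "__main__":
    for u in SNAPSHOT:
        print(u.uid, anonymize_request(u.uid, 1000))
```

Running the block shows the tradeoff the text describes: alice (k=3) is released as a 32 m box shared with bob and erin, bob (k=2) gets a 4 m box, frank's k=1 collapses to the 1 m base cell and buys him essentially nothing, and dave and carol are suppressed because their k cannot be met inside the box size they tolerate, which is the quality-of-service cost of a strict personal policy in a sparse area.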
4. Privacy and Security of Location Information (0.5 hours)
Security and privacy are two dimensions of the safety problem in future mobile and ubiquitous computing systems. We will discuss the intrinsic relationships between location security and location privacy in terms of requirements, potential risks, and defense mechanisms, and how the solutions to these problems will shape future mobile computing systems, services, and applications.
Audience and Prerequisite Knowledge
The tutorial presents the concepts, architectures, techniques, and infrastructure needed to understand location privacy in mobile location-based services (LBSs). It is designed to be self-contained and gives the essential background for anyone interested in the concept of location privacy and in the principles for designing and developing a secure and customizable architecture for privacy-aware location-based services. It will guide researchers, graduate students, and practitioners by highlighting best practices in building scalable and privacy-aware distributed location-based services, including the location utility and location privacy tradeoffs, the limitations of current approaches, the need for a careful combination of policy-based location privacy mechanisms and location anonymization based privacy schemes, and the set of safeguards for the secure transmission, use, and storage of location information that reduce the risk of unauthorized disclosure. The tutorial is presented at a senior graduate student level and is accessible to data management administrators, advanced mobile location-based service developers, and graduate students interested in mobile information systems, pervasive computing, and data privacy.
Biography of Presenter
Dr. Ling Liu is an Associate Professor in the