SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Location Privacy Preserving Mechanisms

Friederike Groschupp

April 21, 2017

SLIDE 2

Contents

  • Introduction
  • Basic Concepts
  • Approaches
      • Cloaking
      • Mix zones
      • Dummy queries
      • Private Information Retrieval
  • Conclusion

Friederike Groschupp – Location Privacy Preserving Mechanisms 2

SLIDE 4

Location-Based Service (LBS)

Application that uses geographical information in order to provide a service. Use cases:

  • Navigation
  • Finding POIs
  • Pervasive computing
  • Receiving location-specific service

SLIDE 6

Location Privacy

The capability of precluding other parties from learning the user’s current or former location [2].

  • No single location information may identify the user
  • Several disclosed locations may not identify or profile the user

SLIDE 7

Assumptions

  • User provides the location information in service request
  • No other information than location information can reveal identity
  • Applications are able to work with (short term) pseudonyms
  • Adversary: Location-based service

SLIDE 11

k-anonymity [1]

A set is k-anonymous if it includes the user and at least k − 1 other users that are identical to it with regard to the attributes considered.

Figure: distribution of users, with the anonymity sets for k = 3 and k = 6.

SLIDE 12

Location Server (LS)

Trusted third party operating between the user and the LBS.

  • Receives the service request containing location information from the user
  • Computes the anonymized request according to the approach
  • Forwards the request with the processed information to the LBS
  • Filters the response and forwards it to the user

SLIDE 15

Cloaking [6]

Goal: construct area as small as possible that is still k-anonymous.

  • Relies on a Location Server
  • Spatial cloaking: based on a quadtree algorithm
  • Temporal cloaking: delay the request in exchange for more accurate location information

SLIDE 16

Cloaking - Spatial Cloaking [6]

Goal: construct area as small as possible that is still 3-anonymous

SLIDE 22

Cloaking - Spatial Cloaking [6]

Area computed is unnecessarily large!
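
As an added example that is not part of the slides, the quadtree descent of spatial cloaking [6] in Python, as a Location Server would run it on constructed positions; `cloak` and `tight_box` are my own names, and the clustered-users case shows how the fixed quadrant borders inflate the returned area.

```python
# Added example (not part of the slides): spatial cloaking by quadtree descent
# as described in [6], as a Location Server would run it. Positions are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Box:
    x0: float; y0: float
    x1: float; y1: float

    def contains(self, p):
        return self.x0 <= p[0] < self.x1 and self.y0 <= p[1] < self.y1

    def quadrants(self):
        mx, my = (self.x0 + self.x1) / 2, (self.y0 + self.y1) / 2
        return [Box(self.x0, self.y0, mx, my), Box(mx, self.y0, self.x1, my),
                Box(self.x0, my, mx, self.y1), Box(mx, my, self.x1, self.y1)]

    def area(self):
        return (self.x1 - self.x0) * (self.y1 - self.y0)

def count_in(box, points):
    return sum(1 for p in points if box.contains(p))

def cloak(user, others, k, root, max_depth=16):
    """Descend from `root` into the quadrant holding the user as long as that
    quadrant still holds at least k users; return the last k-anonymous quadrant,
    or None if even the whole area holds fewer than k users."""
    everyone = [user, *others]
    if count_in(root, everyone) < k:
        return None
    box = root
    for _ in range(max_depth):
        child = next(q for q in box.quadrants() if q.contains(user))
        if count_in(child, everyone) < k:      # one level deeper breaks k-anonymity
            return box
        box = child
    return box

def tight_box(user, others, k):
    """For comparison: bounding box of the user and the k-1 nearest others, i.e. a
    k-anonymous region that ignores the fixed quadrant borders."""
    near = sorted(others, key=lambda p: (p[0] - user[0]) ** 2 + (p[1] - user[1]) ** 2)[:k - 1]
    pts = [user, *near]
    return Box(min(p[0] for p in pts), min(p[1] for p in pts),
               max(p[0] for p in pts), max(p[1] for p in pts))

ROOT = Box(0, 0, 1024, 1024)                       # constructed service area
# Three users within 20 units of each other but in different root quadrants:
# the descent stops at once and the cloaked area is the whole map.
CLUSTER_USER, CLUSTER_OTHERS = (510, 510), [(515, 520), (520, 505)]
```

For the three clustered users the descent cannot leave the root, so the cloaked area is the entire 1024×1024 map although a 10×15 box already holds all three.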

SLIDE 24

Cloaking - Temporal Cloaking [6]

Wait until at least k − 1 other users have resided in a predefined area.

SLIDE 25

Mix zones [2]

  • Use of a Location Server
  • Use of short-term pseudonyms
  • Predefined areas: mix zones and application zones
  • Application zone: users send location updates in order to receive a service
  • Mix zone: area where no user sends location updates; identities are mixed

SLIDE 26

Mix zones - Security Analysis [2]

The size of the anonymity set is determined by the number of users present. In reality, user movement is mostly not equiprobable:

Figure: a mix zone with the surrounding positions labelled A, B, C and D.
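
The security analysis above, carried through as an added example that is not part of the slides: an exact computation of the anonymity a user gets from a mix zone [2] when the adversary has a movement model, with constructed gates, users and probabilities (`egress_posterior`, `anonymity_bits`, `UNIFORM` and `STRAIGHT` are my own names).

```python
# Added example (not part of the slides): how much a mix zone [2] hides when
# movement through it is not equiprobable. The adversary (the LBS) sees k old
# pseudonyms enter through gates and k new ones leave, and knows a movement
# model MODEL[gate_in][gate_out]. Gates, users and probabilities are constructed.
from itertools import permutations
from math import log2

def egress_posterior(entries, exits, model):
    """entries[i]: gate through which old pseudonym i entered.
    exits[j]: gate through which new pseudonym j left.
    model[g_in][g_out]: P(leave via g_out | entered via g_in).
    Returns post[i][j] = P(old pseudonym i is new pseudonym j), computed exactly
    by weighting every one-to-one matching (fine for the small k of one zone)."""
    k = len(entries)
    post = [[0.0] * k for _ in range(k)]
    total = 0.0
    for perm in permutations(range(k)):        # perm[i] = new pseudonym of old i
        w = 1.0
        for i, j in enumerate(perm):
            w *= model[entries[i]][exits[j]]
        total += w
        for i, j in enumerate(perm):
            post[i][j] += w
    return [[p / total for p in row] for row in post]

def anonymity_bits(post_row):
    """Entropy (bits) of where one old pseudonym went; 2**bits is its effective
    anonymity set. It equals log2(k) only when every matching is equally likely."""
    return -sum(p * log2(p) for p in post_row if p > 0)

ENTRIES = ["N", "S", "W"]        # old pseudonyms A, B, C entered via these gates
EXITS = ["S", "E", "N"]          # new pseudonyms X, Y, Z left via these gates

# Equiprobable movement: from any gate, every gate is an equally likely exit.
UNIFORM = {g: {h: 0.25 for h in "NSEW"} for g in "NSEW"}
# Road-like movement: 80% go straight through and nobody turns back.
STRAIGHT = {"N": {"N": 0.0, "S": 0.8, "E": 0.1, "W": 0.1},
            "S": {"N": 0.8, "S": 0.0, "E": 0.1, "W": 0.1},
            "E": {"N": 0.1, "S": 0.1, "E": 0.0, "W": 0.8},
            "W": {"N": 0.1, "S": 0.1, "E": 0.8, "W": 0.0}}

def anonymity_of(model, user=0):
    """Bits of anonymity pseudonym `user` gets from this zone under `model`."""
    return anonymity_bits(egress_posterior(ENTRIES, EXITS, model)[user])
```

With the uniform model each user gets log2(3) ≈ 1.58 bits, the full anonymity set of three; with the road-like model the first user keeps about 0.11 bits, an effective set size of barely more than one.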

SLIDE 28

Dummy queries [3]

User generates data for k − 1 synthetic users and sends the requests to the LBS. Dummies created have to be realistic!

SLIDE 29

Dummy queries - SybilQuery [7]

  • Considers users traveling along predefined routes
  • No Location Server required
  • Dummy routes have similar characteristics to real route
  • Dummy requests are sent while travelling along the route

SLIDE 30

Peer-to-peer systems - MobiHide [5]

  • Registered users self-organize, e.g., in a Chord structure

Figure: Chord structure. Source: tutorials.jenkov.com/p2p/peer-routing-table.html, last accessed 14-4-17

Figure: Hilbert curve. Source: antonantonov.wordpress.com/2012/01/16/205/, last accessed 14-4-17

SLIDE 35

Private Information Retrieval (PIR) [4]

Retrieving data from the database without the database knowing which entry was queried.

  • Strong anonymity based on cryptographic assumptions
  • Large overhead: O(n) at the server, O(√n) for client-server communication
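
As an added example that is not part of the slides, a computational PIR scheme of the Kushilevitz–Ostrovsky type, based on the quadratic residuosity assumption, which is the kind of cryptographic PIR [4] builds on; the primes and the 4×4 bit database are constructed toys, and all function names are mine.

```python
# Added example (not part of the slides): computational PIR of the Kushilevitz-
# Ostrovsky type, based on the quadratic residuosity assumption. The n bits form an
# s x t matrix: the client sends t numbers and gets s back, O(sqrt(n)) communication
# for s = t = sqrt(n), while the server touches every bit (O(n) work).
import math
import random
from functools import reduce

P, Q = 1019, 1031   # constructed toy primes (real schemes use ~1024-bit primes)
N = P * Q           # public modulus; the factors P and Q stay with the client

def is_qr_mod_prime(y, p):
    return pow(y % p, (p - 1) // 2, p) == 1    # Euler's criterion

def is_qr_mod_n(y):
    """Client-only test: y is a QR mod N iff it is a QR mod both P and Q."""
    return is_qr_mod_prime(y, P) and is_qr_mod_prime(y, Q)

def random_qr():
    while True:
        r = random.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r * r % N

def random_qnr():
    """Non-residue mod both primes, so its Jacobi symbol is +1: without the
    factors the server cannot tell it apart from the QRs around it."""
    while True:
        y = random.randrange(2, N)
        if math.gcd(y, N) == 1 and not is_qr_mod_prime(y, P) and not is_qr_mod_prime(y, Q):
            return y

def client_query(col, t):
    """One number per column: QRs everywhere, a QNR only at the wanted column."""
    return [random_qnr() if j == col else random_qr() for j in range(t)]

def server_answer(matrix, query):
    """Row r: product mod N of y_j over columns j with M[r][j] = 1; reads every bit."""
    return [reduce(lambda z, y: z * y % N, (y for bit, y in zip(row, query) if bit), 1)
            for row in matrix]

def client_decode(answers, row):
    """z_row is a QR iff the wanted bit is 0: a single QNR factor flips it."""
    return 0 if is_qr_mod_n(answers[row]) else 1

def retrieve(matrix, row, col):
    return client_decode(server_answer(matrix, client_query(col, len(matrix[0]))), row)

DB = [[1, 0, 1, 1], [0, 0, 1, 0], [1, 1, 0, 0], [0, 1, 1, 1]]   # constructed 16-bit database
```

Every element of the query has Jacobi symbol +1, so the server learns nothing about the column from it, and the row index never leaves the client at all.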

SLIDE 37

Conclusion

  • No single location privacy-preserving mechanism exists for all use cases
  • Cloaking: option of temporal cloaking
  • Mix zones: predefined areas
  • Dummy queries: no dependency on others, data required
  • P2P: decentralized real-life data without a TTP
  • PIR: strongest anonymity with the highest overhead

Raise the user’s attention towards location privacy, make solutions easy to deploy and use.

SLIDE 38

Do you have any questions?

SLIDE 39

References I

[1] M. H. Au and K.-K. R. Choo. Mobile Security and Privacy: Advances, Challenges and Future Research Directions. Syngress, Boston, 1st edition, 2017.

[2] A. R. Beresford and F. Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing, 2(1):46–55, 2003.

[3] C. Bettini, S. Jajodia, and P. Samarati. Privacy in Location-Based Applications: Research Issues and Emerging Trends, volume 5599 of Lecture Notes in Computer Science. Springer, Berlin Heidelberg, 2009.

[4] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan. Private queries in location based services. In J. Wang, editor, SIGMOD-PODS ’08, page 121, New York, NY, 2009. ACM.

[5] G. Ghinita, P. Kalnis, and S. Skiadopoulos. MobiHide: A mobile peer-to-peer system for anonymous location-based queries. In D. Papadias, D. Zhang, and G. Kollios, editors, Advances in Spatial and Temporal Databases, volume 4605 of Lecture Notes in Computer Science, pages 221–238. Springer, Berlin, 2007.

[6] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In D. Siewiorek, M. Baker, and R. T. Morris, editors, Proceedings of the 1st International Conference on Mobile Systems, Applications and Services - MobiSys ’03, pages 31–42, New York, NY, USA, 2003. ACM Press.

SLIDE 40

References II

[7] P. Shankar, V. Ganapathy, and L. Iftode. Privately querying location-based services with SybilQuery. In A. A. Helal, editor, UbiComp ’09, page 31, New York, NY, 2009. Association for Computing Machinery.

SLIDE 41

Cloaking - Security Analysis [6]

Attack: spoofing a large number of false user requests. Threat: simultaneous user requests:

Figure: grid of simultaneous user requests, labelled with the numbers 1 to 4.

SLIDE 42

Dummy queries - SybilQuery [7]

Figure: SybilQuery architecture. Inputs: Source, Destination, Maps, Traffic statistics. The Endpoint Generator produces k (synthetic) endpoints; the Path Generator produces k (synthetic) paths; the Query Generator produces k queries that are sent to the LBS, which returns the Response.
