Privacy Protection through Anonymity in Location-based Services - PowerPoint PPT Presentation


SLIDE 1

Introduction A model for privacy in LBS The static case The dynamic case The multiple-issuer case Conclusions and Future Work

Privacy Protection through Anonymity in Location-based Services

Claudio Bettini

Data, Knowledge, and Web Engineering Lab. - Dip. di Informatica e Comunicazione, Università di Milano, Italy

Bolzano 2007

  • C. Bettini

Privacy in LBS

SLIDE 2

Location Based Service (LBS)

Location-based service: an Internet service that provides information based on the issuer's location. Example: "Give me the closest vegetarian restaurant".

SLIDE 3

Commercial impact of LBS

Currently: car navigation is the most popular LBS.
Future: more than 300 million users in 2011 (ABI Research).
The intuitive reason: the technologies on which LBSs are based will become less expensive and more reliable:
• mobile devices
• wireless communication
• positioning systems (e.g., dead reckoning, GPS)

SLIDE 4

Legal recognition of privacy

Privacy is recognized as a human right: European Convention on Human Rights, Article 8: "Everyone has the right to respect for his private and family life".
National legislations provide directives for privacy protection. In Italy: legge 675/1996.
Privacy in LBS is explicitly identified as a particular kind of privacy. In the USA: "Location Privacy Protection Act of 2001".
Directives on how to manage sensitive data: the HIPAA specifications.

SLIDE 5

Users’ view of privacy

Social studies report that users: are becoming more aware of their privacy; perceive location information as particularly sensitive. Will privacy concerns limit the diffusion of LBSs?

SLIDE 6

Objective

Ultimate objective of this research field: allow each user to enjoy LBSs while protecting his/her privacy.

SLIDE 7

Current research efforts

One basic idea: obfuscate the data in the request through a generalization algorithm that ensures a user-specified level of privacy and an acceptable quality of service.
• centralized anonymizer: Gruteser et al. [Mobisys-03], Gedik and Liu [ICDCS-05], Mokbel et al. [VLDB-06], Kalnis et al. [TR-06]
• distributed anonymizer: Ghinita et al. [WWW-07]

SLIDE 8

Current research efforts (2)

Other techniques/ideas:
• generate fake requests (Kido et al. [ICDE-05])
• mix-zones (Beresford et al. [PC-03])
Problems: informal description of attacks; unclear properties of the proposed defense algorithms.

SLIDE 9

Our Project goals

We aim at providing:
• a unifying formal framework for context-aware privacy in LBS;
• a new methodology to design generalization algorithms;
• a classification of existing solutions based on formal results;
• new generalization algorithms, proved correct through the framework;
• performance evaluation through extensive experiments.
Partners and sponsors: joint project with CSIS-GMU and CS-UVM, funded by NSF for the next three years. Mobility funded by the MiUR Interlink project.

SLIDE 10

Impact on other areas

This research topic can also have an impact in the following areas: release of database tables; privacy-preserving data mining.

SLIDE 11

General privacy threat in LBS

[Diagram: several users issue requests; each user has an identity and has private information (the sensitive association between the two); by combining the requests with external knowledge, the attacker can infer that association.]

SLIDE 12

Private information

Examples of private information: political affiliations, health status, religious beliefs, sexual orientations, sensitive locations . . .

Private information can be:
• part of the service parameters, e.g.: "where is the closest religious building of religion X?";
• part of the user's location, e.g.: a user issuing a request while being in the red light district;
• inferred from parameters and/or location.

SLIDE 13

User’s identity

The user's identity can be: explicitly specified in the request; or inferred from: the service parameters; the user's location; a pattern involving one or both of the above.

SLIDE 14

Static, single-issuer case

[Diagram: a user issues a request; from the request and external knowledge, the attacker can infer the user's identity and the user's private information, i.e., the sensitive association between them.]

SLIDE 15

Static, single-issuer case

[Diagram: as in the previous slide, with the label "Prevent" on the attacker's inference.]

SLIDE 16

Dynamic, single-issuer case

[Diagram: over time the user issues several requests; the attacker can link them into a request trace and, with external knowledge, infer the user's identity and private information (the sensitive association).]

SLIDE 18

The static, multiple-issuer case

[Diagram: several users issue requests; with external knowledge, the attacker can infer the user identity and the private information (the sensitive association) behind each request.]

SLIDE 19

Example, the static case

SLIDE 23

Problem statement

How is it possible to guarantee that an attacker is not able to re-identify the issuer?

SLIDE 24

k-anonymity extended to LBS: example

SLIDE 25

Example (cont. )

Solution: generalize the user's location to a region with k users. Alice's request: "the vegetarian restaurant closest to gl". The attacker cannot identify the issuer within a group of 3 users.

SLIDE 26

Example (cont. 2)

The response contains the set of vegetarian restaurants that are the closest to each point of gl. If gl is small, the result is similar to what would be obtained by providing the exact location. If gl is too coarse, the set of items in the result may be large:
• network overhead;
• if results are filtered on the client, this implies computational overheads;
• if results are not filtered, the user may be provided with many useless results.

Objective: produce a small gl.

SLIDE 27

Scenario

SLIDE 28

Explicit assumptions about attacker’s knowledge

A context specifies the assumptions about the attacker's knowledge and reasoning abilities. Idea: the context must be explicit if the correctness of the generalization algorithm is to be proved.

SLIDE 29

Problems arising when context is not explicit

Beresford [PhDThesis-2005] showed a counterexample to Gruteser's defense, called "the outlier problem". The problem: previous papers implicitly assumed that the attacker knows the users' locations; Beresford's counterexample assumed that the attacker also knows the generalization function.

SLIDE 30

The attack

An attack AttC(r′, i) is the likelihood, in the attacker's view, that user i issued the request r′; the context C specifies which knowledge and reasoning abilities the attacker has. Since the attack is a probability distribution over the set of users I:

$\sum_{i \in I} \mathrm{Att}_C(r', i) = 1$

SLIDE 31

The defense

A request r′ is safe against an attack AttC with threshold h if the attack cannot recognize the correct issuer of r′ with likelihood greater than h:

$\mathrm{Att}_C(r', \mathrm{issuer}(r')) \le h$

A function that transforms every input request into a safe request is a defense function. An algorithm that computes a defense function is a defense algorithm.

SLIDE 32

The static case

In the static case the attacker is not able to understand that a set of requests is issued by the same (anonymous) user.

Example: a service in which no pseudo-identification is required and in which requests are sporadic.

SLIDE 33

Specification of context Cst

Many papers (implicitly) considered context Cst: the attacker knows the exact location of each user at each time instant. Why Cst: the attacker may know the identity of the users that are in some locations, AND the LTS does not know where the attacker can identify the users, AND we want a conservative approach; THEREFORE we assume that the attacker knows the identity of each user in each location.

SLIDE 34

Our contribution in context Cst

We prove, in terms of our framework, the correctness of the existing generalization algorithms: a k-anonymous request is safe against AttCst with threshold 1/k. We designed the "optimal" algorithm, which computes the generalization having the smallest generalized area; it is not practically applicable, but useful as a benchmark in the experiments. We implemented the algorithms and obtained experimental results.

SLIDE 35

Specification of context Cst+g

In the “outlier problem” it is implicitly assumed that the attacker knows the generalization function. In context Cst+g the attacker knows: the exact location of each user at each time instant; the procedure used by the LTS to compute the generalization.

SLIDE 36

Our contribution in context Cst+g

We prove that the only generalization algorithm proposed in the literature that does not suffer from the "outlier problem" is a defense algorithm against AttCst+g. We propose two defense algorithms and prove their correctness. We implemented the algorithms and obtained experimental results.
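The attack and defense definitions of slides 30 and 31, the k-anonymity result for context Cst (slide 34) and the extra knowledge granted in context Cst+g (slides 35 and 36) can be checked on a toy population. The following Python is an added example, not code from the slides or from the authors' project: the population and its coordinates are constructed, the nearest-neighbour cloaking used as `generalize` is a hypothetical stand-in (the slides do not specify which generalization algorithm is meant), and the two attack functions model only the knowledge their respective contexts grant the attacker.

```python
from math import dist

# Constructed sample population (not from the slides): user id -> (x, y).
# User D is an outlier, far away from the cluster formed by A, B and C.
USERS = {"A": (0.0, 0.0), "B": (1.0, 0.0), "C": (2.0, 1.0), "D": (10.0, 3.0)}


def bbox(points):
    """Axis-aligned bounding box (min_x, min_y, max_x, max_y) of some points."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def contains(region, p):
    x0, y0, x1, y1 = region
    return x0 <= p[0] <= x1 and y0 <= p[1] <= y1


def generalize(users, issuer, k):
    """Hypothetical nearest-neighbour cloaking: gl is the bounding box of the
    issuer and its k-1 nearest users, so gl always contains at least k users
    (a k-anonymous request in the sense of slide 34)."""
    origin = users[issuer]
    others = sorted((u for u in users if u != issuer),
                    key=lambda u: (dist(users[u], origin), u))
    return bbox([users[u] for u in [issuer] + others[:k - 1]])


def uniform_over(users, candidates):
    """Att_C(r', i) as a probability distribution over I: it sums to 1."""
    return {u: (1.0 / len(candidates) if u in candidates else 0.0) for u in users}


def att_cst(users, gl):
    """Context Cst: the attacker knows every user's exact location, so the only
    candidate issuers are the users inside gl, all equally likely."""
    return uniform_over(users, [u for u, p in users.items() if contains(gl, p)])


def att_cst_g(users, gl, k):
    """Context Cst+g: the attacker also knows the generalization procedure, so it
    discards every candidate whose own generalization would not have produced
    gl (the reasoning behind Beresford's outlier problem)."""
    return uniform_over(users, [u for u, p in users.items()
                                if contains(gl, p) and generalize(users, u, k) == gl])


def is_safe(attack, issuer, h):
    """Defense condition of slide 31: Att_C(r', issuer(r')) <= h."""
    return attack[issuer] <= h


def analyse(users, issuer, k):
    """Generalize the issuer's request with threshold h = 1/k and test the
    generalized request against both attacks."""
    gl = generalize(users, issuer, k)
    h = 1.0 / k
    return {"gl": gl,
            "safe_cst": is_safe(att_cst(users, gl), issuer, h),
            "safe_cst_g": is_safe(att_cst_g(users, gl, k), issuer, h)}


if __name__ == "__main__":
    for issuer in ("B", "D"):
        print(issuer, analyse(USERS, issuer, 2))
```

For the outlier D the request is 2-anonymous: AttCst assigns 1/2 to D and the request is safe with h = 1/2. An attacker who also knows the generalization procedure, however, notices that C's own generalization would not have produced gl, discards C and re-identifies D with likelihood 1. This is exactly why the context has to be stated explicitly before a generalization algorithm can be called correct.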

SLIDE 37

The Grid algorithm

[Figure: three iterations of the Grid algorithm in the x-y plane around the issuer i; (a) first iteration, with blocks 0, 1, 2; (b) second iteration, with blocks 2, 1, 0; (c) third iteration.]

SLIDE 38

Experimental settings

Total area: 100 km²; number of users: 500,000; average density: 5,000 users/km²; average values obtained over 1,000 tests. Users' locations generated using a moving object generator [Brinkhoff-GeoInformatica2002]. Users move on the road network of the city of San Francisco.

SLIDE 39

Comparison of defense algorithms against AttCst

[Plot: average generalized area (m²), from 2000 to 8000, against k, from 4 to 20, for the intervalCloaking, casper, nnASR and optimal algorithms.]
SLIDE 40

Comparison of defense algorithms against AttCst+g

[Plot: average generalized area (m²), from 10000 to 40000, against k, from 20 to 100, for the hilbASR and grid algorithms.]

SLIDE 41

The dynamic case

Users make multiple requests to the same SP. The attacker can obtain multiple requests and understand that they are issued by the same anonymous user (e.g., by comparing the pseudo-ids used for accounting/personalization).
Linked requests: two or more requests are said to be linked if the attacker can associate them to the same issuer.

SLIDE 42

Specification of contexts Cst+pid and Cst+g+pid

Contexts Cst+pid and Cst+g+pid are the extensions to the dynamic case of contexts Cst and Cst+g, respectively: the attacker can obtain and link the requests issued with the same pseudo-identifier. Intuition: more extensive generalization is needed, since it is necessary to find a set of users that are "moving together" with the issuer.

SLIDE 43

Example of attack under Cst+pid

The generalization of each request with a defense algorithm against AttCst is not a defense against AttCst+pid [BettiniEtAl-SDM05].

[Diagram: at t=1 the generalized region contains users i1, i2, i3; at t=2 the generalized region contains i1, i5, i4, while i2 and i3 are elsewhere.]

If the attacker can link the two requests, the second one is unsafe.

SLIDE 44

Example of attack under Cst+pid

The same users that are in the generalized region of the first request have to be in the generalized region of the second request.

[Diagram: as in the previous slide; at t=2 the generalized region must be enlarged so that it contains i1, i2, i3 as well.]
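The linking attack of slides 43 and 44 and the "moving together" intuition of slide 42, as an added Python example that is not part of the slides or of the authors' project. The locations and the two per-request regions are constructed to mirror the figure (i1, i2, i3 inside the first region; i1, i4, i5 inside the second); `defend_trace` is a hypothetical defense that applies the condition stated on slide 44 by generalizing each later request to the bounding box of the first anonymity set's current positions, and is not one of the two defense algorithms the talk mentions.

```python
# Constructed sample data (not from the slides): time instant -> {user: (x, y)}.
# In context Cst+pid the attacker knows all of these positions.
LOCATIONS = {
    1: {"i1": (0, 0), "i2": (1, 0), "i3": (0, 1), "i4": (5, 5), "i5": (6, 5)},
    2: {"i1": (4, 4), "i2": (9, 9), "i3": (10, 9), "i4": (5, 5), "i5": (6, 4)},
}
# Two requests issued by i1 under the same pseudo-id, each generalized on its own
# by a static k=3 algorithm. Regions are (min_x, min_y, max_x, max_y); they are
# constructed so that the first contains i1, i2, i3 and the second i1, i4, i5.
TRACE_STATIC = [(1, (0, 0, 1, 1)), (2, (4, 4, 6, 5))]


def contains(region, p):
    x0, y0, x1, y1 = region
    return x0 <= p[0] <= x1 and y0 <= p[1] <= y1


def bbox(points):
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def area(region):
    """Quality-of-service cost of a generalized region (larger = worse)."""
    x0, y0, x1, y1 = region
    return (x1 - x0) * (y1 - y0)


def candidates(locs, region):
    """Users whose known location at that instant lies inside the region."""
    return {u for u, p in locs.items() if contains(region, p)}


def att_cst_pid(locations, trace):
    """Attack under Cst+pid: the issuer must lie inside every linked region at
    the corresponding instant, so the candidate set is the intersection of the
    per-request candidate sets; with no further knowledge the likelihood is
    uniform over the survivors."""
    cands = None
    for t, region in trace:
        c = candidates(locations[t], region)
        cands = c if cands is None else cands & c
    users = set(locations[trace[0][0]])
    return {u: (1.0 / len(cands) if u in cands else 0.0) for u in users}


def is_trace_safe(locations, trace, issuer, h):
    """Defense condition Att_C(r', issuer) <= h applied to the whole linked trace."""
    return att_cst_pid(locations, trace)[issuer] <= h


def defend_trace(locations, first_region, times):
    """Hypothetical defense following slide 44: the users inside the first
    generalized region form the anonymity set, and every later request is
    generalized to the bounding box of their current positions, so the same
    users stay inside all linked regions."""
    aset = candidates(locations[times[0]], first_region)
    trace = [(times[0], first_region)]
    for t in times[1:]:
        trace.append((t, bbox([locations[t][u] for u in aset])))
    return trace


if __name__ == "__main__":
    print("static per-request generalization:", att_cst_pid(LOCATIONS, TRACE_STATIC))
    defended = defend_trace(LOCATIONS, TRACE_STATIC[0][1], [1, 2])
    print("defended trace:", defended, att_cst_pid(LOCATIONS, defended))
```

With the two regions generalized independently, the intersection of the candidate sets is {i1} and the second request is unsafe even though each request is 3-anonymous on its own. Keeping i1, i2, i3 together makes the trace safe with h = 1/3, but the second region grows from area 2 to area 30, which is the cost the "more extensive generalization" of slide 42 refers to.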

SLIDE 45

Experimental settings

The generation of users' locations is similar to the static case. In addition, the movements of users are divided into two classes: car: moves up to 100 km/h; pedestrian: moves up to 4 km/h. Each user issues a request every minute.

SLIDE 46

Experimental results: Average length of traces

The value of h is fixed to 1/10

SLIDE 47

The static, multiple-issuer case

[Diagram: several users issue requests; with external knowledge, the attacker can infer the user identity and the private information (the sensitive association) behind each request.]

SLIDE 48

Anonymity and Diversity

Aset = the collection of users indistinguishable from the actual issuer.
DRset = the collection of requests issued by the users in the same Aset.

The requests in the DRset can be grouped according to the value of private information (PI) contained in the requests.

SLIDE 50

Anonymity and Diversity (2)

Homogeneity attack: each user in the Aset issues a request AND there is no diversity among the private information in the DRset. l-diversity with l ≥ 2 is necessary for providing privacy.
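The Aset/DRset grouping of slide 48 and the homogeneity attack and l-diversity condition of slide 50, as an added Python example not taken from the slides or from the authors' project. The users, the anonymity set and the PI values are constructed; `max_pi_share` (the share of DRset requests carrying the most common PI value) is an extra metric added here, not a quantity the slides define.

```python
from collections import Counter

# Constructed sample data (not from the slides): (issuer id, PI value carried by
# the request). Every user of the anonymity set issued one request.
REQUESTS_HOMOGENEOUS = [
    ("u1", "religious building of religion X"),
    ("u2", "religious building of religion X"),
    ("u3", "religious building of religion X"),
]
REQUESTS_DIVERSE = [
    ("u1", "religious building of religion X"),
    ("u2", "vegetarian restaurant"),
    ("u3", "pharmacy"),
]


def drset(aset, requests):
    """DRset: the requests issued by users belonging to the anonymity set Aset."""
    return [(u, pi) for u, pi in requests if u in aset]


def group_by_pi(drs):
    """Group the DRset by PI value: {pi_value: number of requests}."""
    return Counter(pi for _, pi in drs)


def diversity_report(aset, requests, l=2):
    """Check the slide-50 conditions for one anonymity set:
    - the homogeneity attack applies when every Aset member issued a request
      and the DRset contains a single PI value;
    - the DRset is l-diverse when it contains at least l distinct PI values."""
    drs = drset(aset, requests)
    groups = group_by_pi(drs)
    everyone_issued = {u for u, _ in drs} == set(aset)
    distinct_pi = len(groups)
    return {
        "aset_size": len(aset),
        "drset_size": len(drs),
        "pi_groups": dict(groups),
        "l": distinct_pi,
        "l_diverse": distinct_pi >= l,
        "homogeneity_attack": everyone_issued and distinct_pi == 1,
        # Added metric: 1.0 means the attacker learns the issuer's PI whoever
        # the issuer is, even without re-identifying them.
        "max_pi_share": (max(groups.values()) / len(drs)) if drs else 0.0,
    }


if __name__ == "__main__":
    aset = {"u1", "u2", "u3"}
    print(diversity_report(aset, REQUESTS_HOMOGENEOUS))
    print(diversity_report(aset, REQUESTS_DIVERSE))
```

Anonymity alone does not help in the first case: the attacker cannot tell which of u1, u2, u3 issued a given request, but every request in the DRset reveals the same PI, so the sensitive association follows for the issuer regardless of who it is. The second DRset has l = 3 and the inference fails.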

SLIDE 52

Conclusions

There are several aspects to privacy in LBS and a lot of confusion in the current preliminary approaches. The multiple-issuer and the dynamic cases have not yet received the necessary attention. A formal framework is needed to evaluate the safety of solutions with respect to specific attacks. Solutions should also be empirically validated in terms of performance and quality of service. A big effort is required to obtain realistic simulations or useful real data.
SLIDE 53

Future Work

Dealing with the general case: dynamic, multiple issuers. Extending techniques for LBS to general context-aware services. Exporting results to the (recurrent) publication of data from DBs.

SLIDE 54

References

Bettini, Mascetti, Wang. Privacy Protection through Anonymity in Location-based Services. In Digital Privacy: Theory, Technologies, and Practices, Taylor and Francis, 2007.
Bettini, Mascetti, Wang. Privacy Issues in Location-based Services. In Encyclopedia of Geographical Information Science, Springer, 2007.
Sergio Mascetti. Privacy Protection through Anonymity in Location-based Services. PhD Dissertation, DICo, Università di Milano, 2007.
Technical papers in conference proceedings (SDM-2005, MDM-2007, PALMS-2007, PERCOM-2007).

SLIDE 55

End

Thank you for your attention.
