1 Realtime Location Privacy Via Mobility Prediction Creating Confusion at Crossroads Joseph Meyerowitz Romit Roy Choudhury Undergraduate Senior,Asst. Professor

1

Realtime Location Privacy Via Mobility PredictionCreating Confusion at Crossroads

Joseph Meyerowitz Romit Roy ChoudhuryUndergraduate Senior, Asst. Professor ECE and Physics, Dept. of ECE and CSDuke University Duke University

2

Context

Better localization technology+

Pervasive wireless connectivity

=

Location-based pervasive applications

3

Location-Based Apps

For Example: GeoLife shows grocery list on phone when near WalMart Micro-Blog allows querying people at a desired region Location-based ad: Phone gets coupon at Starbucks …

Location expresses context of user Facilitating content delivery

Location is the IP addressLocation is the IP addressIts as if for content

4

Double-Edged Sword

While location drives this new class of applications,it also violates user’s privacy

Sharper the location, richer the app, deeper the violation

5

While location drives this new class of applications,it also violates user’s privacy

Sharper the location, richer the app, deeper the violation

Moreover, range of apps are PUSH based.Require continuous location information

Phone detected at Starbucks, PUSH a coffee coupon Phone located on highway, query traffic congestion

Double-Edged Sword

6

Location Privacy

Problem:

Research:

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.



Continuous location exposurea serious threat to privacy

Continuous location exposurea serious threat to privacy

Preserve privacy without sacrificing the quality of

continuous loc. based apps

Preserve privacy without sacrificing the quality of

continuous loc. based apps

7

Just Call Yourself ``Freddy”

Pseudonymns Effective only when infrequent location exposure Else, spatio-temporal patterns enough to deanonymize

… think breadcrumbs

Romit’s OfficeRomit’s Office

John Leslie Jack Susan

Alex

8

Add Noise

K-anonymity Convert location to a space-time bounding box Ensure K users in the box Location Apps reply to boxed region

Issues Poor quality of location Degrades in sparse regions Not real-time

YouBounding Box

K=4

9

Confuse Via Mixing

Path intersections is an opportunity for privacy If users intersect in space-time, cannot say who is who

later

Issues Users may not be collocated in space and time Mixing still possible at the expense of delay

10

Existing solutions seem to suggest:

Privacy and Quality of Localization (QoL) is a zero sum game

Need to sacrifice one to gain the other

11

Our Goal

Break away from this tradeoff

Target: Spatial accuracyReal-time updatesPrivacy guarantees

Even in sparse populations

We design: CacheCloakWe design: CacheCloak

12

CacheCloak Intuition

Exploit mobility prediction to create future path intersections

User’s paths are like crossroads of breadcrumbsApp knows precise locations, but doesn’t know the user

13

CacheCloak

Assume trusted privacy provider Reveal location to CacheCloak CacheCloak exposes anonymized location to Loc. App

CacheCloakCacheCloak

Loc. App1Loc. App1 Loc. App2Loc. App2 Loc. App3Loc. App3 Loc. App4Loc. App4

14

CacheCloak Design

User A drives down path P1 P1 is a sequence of locations CacheCloak has cached response for each location

User A takes a new turn (no cached response) CacheCloak predicts mobility Deliberately intersects predicted path with another path

P2 Exposes predicted path to application

Application replies to queries for entire path

CacheCloak always knows user’s current location Forwards cached responses for that precise location

15

CacheCloak Design

Adversary confused New path intersects paths P1 and P2 (crossroads) Not clear where the user came from or turned onto

Example …

16

Example

17

Benefits

Real-time Response ready when user

arrives at predicted location

High QoL Responses can be specific to location Overhead on the wired backbone (caching helps)

Entropy guarantees Entropy increases at traffic intersections In low regions, desired entropy possible via false

branching

Sparse population Can be handled with dummy users

18

Quantifying Privacy

City converted into grid of small sqaures (pixels) Users are located at a pixel at a given time

Each pixel associated with 8x8 matrix Element (x, y) = probability that user enters x and exits

y

Probabilities diffuse At intersections Over time

Privacy = entropy

x

y

€

Euser = − pipixels∑ log pi

pixel

19

Diffusion

Probability of user’s presence diffuses Diffusion gradient computed based on history i.e., what fraction of users take right turn at this

intersection

Time t1

Time t2

Time t3

Road Intersection

20

Evaluation

Trace based simulation VanetMobiSim + US Census Bureau trace data Durham map with traffic lights, speed limits, etc.

Vehicles follow Google map paths Performs collision avoidance

6km x 6km10m x 10m pixel

1000 cars

6km x 6km10m x 10m pixel

1000 cars

21

Results

High average entropy Quite insensitive to user density (good for sparse

regions) Minimum entropy reasonably high

22

Results

Per-user entropy Increases quickly over time No user starves of location privacy

23

Issues and Limitations

CacheCloak overhead Application replies to lots of queries However, overhead on wired infrastructure Caching reduces this overhead significantly

CacheCloak assumes same, indistinguishable query Different queries can deanonymize Need more work

Per-user privacy guarantee not yet supported Adaptive branching & dummy users

24

Closing Thoughts

Two nodes may intersect in space but not in timeMixing not possible, without sacrificing timeliness

Mobility prediction creates space-time intersectionsEnables virtual mixing in future

25

Closing Thoughts

CacheCloak Implements the prediction and caching function

Significant entropy attained even under sparse population

Spatio-temporal accuracy remains uncompromised

26

Final Take Away

Chasing a car is easier on highways …Much harder in Manhattan crossroads

CacheCloak tries to turn a highway intoa virtual Manhattan

… Well, sort of …

27

Thank You

For more related work, visit:http://synrg.ee.duke.edu

28

Emerging trends in content distribution

Content delivered to a location / context As opposed to a destination address

Thus, “location” is a key driver of content delivery

IP address : Internet = Location : CDN

New wave of applications

29

Emerging trends in content distribution

Content delivered to a location / context As opposed to a destination address

Thus, “location” is a key driver of content delivery

IP address : Internet = Location : CDN

New wave of applications

30

Example

31

Location Privacy

Problem:





Continuous location exposuredeprives user of her privacy.

Continuous location exposuredeprives user of her privacy.

32

Location Frequency

Some location apps are reactive / infrequent E.g., List Greek restaurants around me now (PULL)

But, many emerging apps are proactive E.g., Phone detected at Starbucks, PUSH a coffee coupon

33

Location Frequency

Some location apps are reactive / infrequent E.g., List Greek restaurants around me now (PULL)


Opportunity for Big Bro to track youover space and time

Proactive apps requirecontinuous location






34

Categorizing Apps

Some location apps are reactive You ask, App answers E.g., Pull all Greek restaurants around your location


35

Categorizing Apps

Some location apps are reactive You ask, App answers E.g., Pull all Greek restaurants around your location








Documents

1 Realtime Location Privacy Via Mobility Prediction Creating Confusion at Crossroads Joseph Meyerowitz Romit Roy Choudhury Undergraduate Senior,Asst. Professor