Quantifying Location Privacy: The Case of Sporadic Location Exposure

Reza Shokri, George Theodorakopoulos, George Danezis, Jean-Pierre Hubaux, Jean-Yves Le Boudec

The 11th Privacy Enhancing Technologies Symposium (PETS), July 2011


[Figure: framework diagram. Labels: Actual Trajectory, Mobility, Observation, Distorted Trajectory, Protection, Exposed Trajectory, Application, Attack, Reconstructed Trajectory, Metric]

● Assume time and location are discrete…

Location-based Services

• Sporadic vs. Continuous Location Exposure

• Application Model


Mobility Model

Actual Location of user ‘u’ at time ‘t’

Is the location exposed?

0/1


Protection Mechanisms

● Consider a given user at a given time instant

[Figure: two 5×5 grids of regions numbered 1 to 25, labelled "Actual Location" and "Observed Location". Other labels: Actual Trajectory, ui, Application (exposed), Protection Mechanism (hide, fake, obfuscate, anonymize)]


Protection Mechanisms

• Model

● User pseudonyms stay unchanged over time…

user to pseudonym assignment

Observed location of pseudonymous user u’ at time t


Adversary

• Background Knowledge

  – Stronger: Users’ transition probability between locations
    • Markov Chain transition probability matrix

  – Weaker: Users’ location distribution over space
    • Stationary distribution of the ‘transition probability matrix’

● Adversary also knows the PDFs associated to the ‘application’ and the ‘protection mechanism’


Adversary

• Localization Attack
  – What is the probability that Alice is at a given location at a specific time instant? (given the observation and adversary’s background knowledge)
  – Bayesian Inference relying on Hidden Markov Model
    • Forward-Backward algorithm, Maximum weight assignment

● Find the details of the attack in the paper


Location Privacy Metric

• Anonymity?
  – How successfully can the adversary link the user pseudonyms to their identities?
  – Metric: The percentage of correct assignments

• Location Privacy?
  – How correctly can the adversary localize the users?
  – Metric: Expected Estimation Error (Distortion)

● Justification: R. Shokri, G. Theodorakopoulos, J-Y. Le Boudec, J-P. Hubaux. ‘Quantifying Location Privacy’. IEEE S&P 2011


Evaluation

• Location-Privacy Meter
  – Input: Actual Traces
    • Vehicular traces in SF, 20 mobile users moving in 40 regions
  – Output: ‘Anonymity’ and ‘Location Privacy’ of users over time
  – Modules: Associated PDFs of ‘Location-based Application’ and ‘Location-Privacy Preserving Mechanisms’

● More information here: http://lca.epfl.ch/projects/quantifyingprivacy


Evaluation

• Location-based Applications
  – once-in-a-while APP(o, Θ)
  – local search APP(s, Θ)

• Location-Privacy Preserving Mechanisms
  – fake-location injection (with rate φ)
    • (u) Uniform selection
    • (g) Selection according to the average mobility profile
  – location obfuscation (with parameter ρ)
    • ρ: The number of removed low-order bits from the location identifier

LPPM(φ, ρ, {u,g})
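
The measurement described on the adversary, metric and evaluation slides, as an added example (not code from the Location-Privacy Meter or the paper): one user's trace is exposed continuously or sporadically, obfuscated by dropping ρ low-order bits, localized with the forward-backward algorithm, and scored by expected estimation error. The 4-region transition matrix, the trace, the 0/1 distance and the assumption that non-exposure is independent of location are constructed for illustration; fake-location injection and pseudonyms are not modelled.

```python
# Added example, not Location-Privacy Meter code. One user, so no pseudonym step.
# Constructed 4-region chain; assumes non-exposure does not depend on location.
P = [[0.6, 0.2, 0.1, 0.1], [0.2, 0.5, 0.2, 0.1],
     [0.1, 0.2, 0.5, 0.2], [0.1, 0.1, 0.2, 0.6]]   # adversary's mobility profile
PI = [0.25] * 4                  # stationary distribution of P
ACTUAL = [0, 1, 3, 2, 2, 0]      # constructed actual trajectory
SPORADIC = [1, 0, 1, 0, 0, 1]    # application exposes only some instants

def observe(actual, exposed, rho):
    """Hide unexposed instants; drop rho low-order bits of the exposed ones."""
    return [a >> rho if x else None for a, x in zip(actual, exposed)]

def emission(obs, region, rho):
    """Pr(observation | actual region), up to a location-independent factor."""
    return 1.0 if obs is None or region >> rho == obs else 0.0

def localize(observed, rho, P=P, pi=PI):
    """Forward-backward: Pr(region at time t | whole observed trace)."""
    n, T = len(pi), len(observed)
    e = [[emission(o, r, rho) for r in range(n)] for o in observed]
    fwd = [[pi[r] * e[0][r] for r in range(n)]]
    for t in range(1, T):
        fwd.append([e[t][r] * sum(fwd[-1][q] * P[q][r] for q in range(n))
                    for r in range(n)])
    bwd = [[1.0] * n for _ in range(T)]
    for t in range(T - 2, -1, -1):
        bwd[t] = [sum(P[r][q] * e[t + 1][q] * bwd[t + 1][q] for q in range(n))
                  for r in range(n)]
    post = []
    for t in range(T):
        w = [fwd[t][r] * bwd[t][r] for r in range(n)]
        post.append([x / sum(w) for x in w])
    return post

def expected_error(post, actual, dist=lambda a, b: float(a != b)):
    """Expected estimation error (distortion), averaged over the trace."""
    return sum(p * dist(r, a) for row, a in zip(post, actual)
               for r, p in enumerate(row)) / len(actual)

def privacy(exposed, rho):
    """Location privacy of ACTUAL under one application/LPPM setting."""
    return expected_error(localize(observe(ACTUAL, exposed, rho), rho), ACTUAL)

if __name__ == "__main__":
    for label, exposed in (("continuous", [1] * 6), ("sporadic", SPORADIC)):
        for rho in (0, 1, 2):
            print(f"{label:10s} rho={rho}  error={privacy(exposed, rho):.3f}")
```

With ρ = 2 every one of the four region identifiers collapses to the same value, so the observation carries no information and the error equals that of guessing from the mobility profile alone.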


Results - Anonymity

[Figure: anonymity results plot]

Results – Location Privacy

[Figure: location-privacy results plot]

φ: the fake-location injection rate

More Results – Location Privacy

[Figure labels: obfuscation, fake injection, hiding; uniform selection]


Conclusions & Future Work

• The effectiveness of ‘Location-Privacy Preserving Mechanisms’ cannot be evaluated independently of the ‘Location-based Application’ used by the users

• Fake-location injection technique is very effective for ‘sporadic location exposure’ applications
  – Advantage: no loss of quality of service
  – Drawback: more traffic exchange

• The ‘Location-Privacy Meter’ tool is enhanced in order to model the applications and also new protection mechanisms, notably fake-location injection

• Changing pseudonyms over time: to be added to our probabilistic framework


Location-Privacy Meter (LPM): A Tool to Quantify Location Privacy

http://lca.epfl.ch/projects/quantifyingprivacy
