Cloaking locations for anonymous location based services: a hybrid approach

An important privacy issue in Location Based Services is to hide a user’s identity while still provide quality location based services. Previous work has addressed the problem of locational $\mathcal{K}$-anonymity either based on centralized or decentralized schemes. However, a centralized scheme relies on an anonymizing server (AS) for location cloaking, which may become the performance bottleneck when there are large number of clients. More importantly, holding information in a centralized place is more vulnerable to malicious attacks. A decentralized scheme depends on peer communication to cloak locations and is more scalable. However, it may pose too much computation and communication overhead to the clients. The service fulfillment rate may also be unsatisfied especially when there are not enough peers nearby. This paper proposes a new hybrid framework called HiSC that balances the load between the AS and mobile clients. HiSC partitions the space into base cells and a mobile client claims a surrounding area consisting of base cells. The number of mobile clients in the surrounding cells is kept and updated at both client and AS sides. A mobile client can either request cloaking service from the centralized AS or use a peer-to-peer approach for spatial cloaking based on personalized privacy, response time, and service quality requirements. HiSC can elegantly distribute the work load between the AS and the mobile clients by tuning one system parameter base cell size and two client parameters - surrounding cell size and tolerance count. By integrating salient features of two schemes, HiSC successfully preserves query anonymity and provides more scalable and consistent service. Both the AS and the clients can enjoy much less work load. Additionally, we propose a simple yet effective random range shifting algorithm to prevent possible privacy leakage that would exist in the original P2P approach. Our experiments show that HiSC can elegantly balance the work load based on privacy requirements and client distribution. HiSC provides close to optimal service quality. Meanwhile, it reduces the response time by more than an order of magnitude from both the P2P scheme and the centralized scheme when anonymity level(value of $\mathcal{K}$) or number of clients is large. It also reduces the update message cost of the AS by nearly 6 times and the peer searching message cost of the clients by more than an order of magnitude.

[1]  Setsuo Ohsuga,et al.  INTERNATIONAL CONFERENCE ON VERY LARGE DATA BASES , 1977 .

[2]  Einar Snekkenes,et al.  Concepts for personal location privacy policies , 2001, EC '01.

[3]  Marc Langheinrich,et al.  Privacy by Design - Principles of Privacy-Aware Ubiquitous Systems , 2001, UbiComp.

[4]  Latanya Sweeney,et al.  k-Anonymity: A Model for Protecting Privacy , 2002, Int. J. Uncertain. Fuzziness Knowl. Based Syst..

[5]  Marco Gruteser,et al.  Framework for security and privacy in automotive telematics , 2002, WMC '02.

[6]  Thomas Brinkhoff,et al.  A Framework for Generating Network-Based Moving Objects , 2002, GeoInformatica.

[7]  Latanya Sweeney,et al.  Achieving k-Anonymity Privacy Protection Using Generalization and Suppression , 2002, Int. J. Uncertain. Fuzziness Knowl. Based Syst..

[8]  Marco Gruteser,et al.  USENIX Association , 1992 .

[9]  William G. Griswold,et al.  Challenge: ubiquitous location-aware computing and the "place lab" initiative , 2003, WMASH '03.

[10]  Frank Stajano,et al.  Mix zones: user privacy in location-aware services , 2004, IEEE Annual Conference on Pervasive Computing and Communications Workshops, 2004. Proceedings of the Second.

[11]  Ling Liu,et al.  Location Privacy in Mobile Systems: A Personalized Anonymization Model , 2005, 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05).

[12]  Lars Kulik,et al.  A Formal Model of Obfuscation and Negotiation for Location Privacy , 2005, Pervasive.

[13]  Marco Gruteser,et al.  Protecting Location Privacy Through Path Confusion , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[14]  Tetsuji Satoh,et al.  An anonymous communication technique using dummies for location-based services , 2005, ICPS '05. Proceedings. International Conference on Pervasive Services, 2005..

[15]  Roberto J. Bayardo,et al.  Data privacy through optimal k-anonymization , 2005, 21st International Conference on Data Engineering (ICDE'05).

[16]  David J. DeWitt,et al.  Incognito: efficient full-domain K-anonymity , 2005, SIGMOD '05.

[17]  David J. DeWitt,et al.  Mondrian Multidimensional K-Anonymity , 2006, 22nd International Conference on Data Engineering (ICDE'06).

[18]  Chi-Yin Chow,et al.  A peer-to-peer spatial cloaking algorithm for anonymous location-based service , 2006, GIS '06.

[19]  Ernesto Damiani,et al.  Supporting location-based conditions in access control policies , 2006, ASIACCS '06.

[20]  Yu Zhang,et al.  Preserving User Location Privacy in Mobile Data Management Infrastructures , 2006, Privacy Enhancing Technologies.

[21]  Panos Kalnis,et al.  PRIVE: anonymous location-based queries in distributed mobile systems , 2007, WWW '07.

[22]  Panos Kalnis,et al.  MobiHide: A Mobilea Peer-to-Peer System for Anonymous Location-Based Queries , 2007, SSTD.

[23]  X. S. Wang,et al.  Preserving Anonymity in Location-based Services When Requests from the Same Issuer May Be Correlated , 2007 .

[24]  Walid G. Aref,et al.  Casper*: Query processing for location services without compromising privacy , 2006, TODS.

[25]  Panos Kalnis,et al.  Providing K-Anonymity in location based services , 2010, SKDD.