Privacy and accountability for location-based aggregate statistics

A significant and growing class of location-based mobile applications aggregate position data from individual devices at a server and compute aggregate statistics over these position streams. Because these devices can be linked to the movement of individuals, there is significant danger that the aggregate computation will violate the location privacy of individuals. This paper develops and evaluates PrivStats, a system for computing aggregate statistics over location data that simultaneously achieves two properties: first, provable guarantees on location privacy even in the face of any side information about users known to the server, and second, privacy-preserving accountability (i.e., protection against abusive clients uploading large amounts of spurious data). PrivStats achieves these properties using a new protocol for uploading and aggregating data anonymously as well as an efficient zero-knowledge proof of knowledge protocol we developed from scratch for accountability. We implemented our system on Nexus One smartphones and commodity servers. Our experimental results demonstrate that PrivStats is a practical system: computing a common aggregate (e.g., count) over the data of 10,000 clients takes less than 0.46 s at the server and the protocol has modest latency (0.6 s) to upload data from a Nexus phone. We also validated our protocols on real driver traces from the CarTel project.
