On Locational Privacy in the Absence of Anonymous Payments

In this paper we deal with the situation in which vendors in certain contexts have no incentive to implement anonymous payments, or in which existing regulation prevents complete customer anonymity. While the paper also discusses the problem in general terms, we use the recharging of electric vehicles at public charging infrastructure as a working example. Here, customers leave rather detailed movement trails, as they authenticate in order to charge and the whole process is post-paid, i.e., customers are billed after consumption. In an attempt to enforce transparency and give customers the information necessary to dispute a bill they deem inaccurate, Germany and other European countries require the ID of the energy meter used in each charging process to be retained. Similar information is also retained in other applications where Point of Sale terminals are used. While this happens in the customers' best interest, the meter ID is a location-bound token that compromises customers' locational privacy and thus allows for the creation of rather detailed movement profiles. We adapt a carefully chosen group signature scheme to match these legal requirements and show how modern cryptographic methods can reunite the requirements of transparency on the one hand and locational privacy on the other, which conflict in this case. In our solution, the user's identity is explicitly known during a transaction, yet the user's location is concealed, effectively hindering the creation of a movement profile based on financial transactions.
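The following Python example is added here to illustrate the problem the abstract describes and the shape of its solution; it is not the paper's construction. The paper adapts a group signature scheme, whereas this stand-in uses a plain hash commitment, so it demonstrates only the split between a retained token that reveals nothing about the meter and an opening the customer can present in a dispute; it does not provide the group signature's proof that the signer is a legitimately certified meter. All meter IDs, sites, customer IDs and billing rows are constructed for the example.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample data (not from the paper): which energy meter sits at which
# public charging site. This mapping is essentially public, since meters are
# installed at fixed, known locations.
METER_LOCATIONS = {
    "METER-0001": "Berlin, Alexanderplatz",
    "METER-0002": "Leipzig, Hauptbahnhof",
    "METER-0003": "Munich, Marienplatz",
}

# Constructed post-paid billing records of the form a regulator might require
# to be retained: (customer id, timestamp, meter id, kWh consumed).
BILLING_RECORDS = [
    ("cust-42", "2013-05-01T08:10", "METER-0001", 12.5),
    ("cust-42", "2013-05-01T17:45", "METER-0002", 30.0),
    ("cust-42", "2013-05-02T09:00", "METER-0003", 20.2),
    ("cust-77", "2013-05-01T12:00", "METER-0001", 8.0),
]


def movement_profile(records, meter_locations):
    """Join the retained meter IDs against the meter->site table. Because the
    meter ID is a location-bound token, the billing log becomes a per-customer
    movement trail ordered by time. This is the risk the abstract describes."""
    profile = defaultdict(list)
    for customer, ts, meter_id, _kwh in sorted(records, key=lambda r: r[1]):
        profile[customer].append((ts, meter_locations[meter_id]))
    return dict(profile)


def commit_meter(meter_id, nonce):
    """Hiding, binding commitment to the meter ID (assumption: SHA-256 over a
    random nonce and the ID). Stand-in for the paper's group signature."""
    return hashlib.sha256(nonce + meter_id.encode()).hexdigest()


def verify_opening(commitment, meter_id, nonce):
    """What a customer does in a dispute: reveal (meter_id, nonce) and let the
    vendor or regulator check that it matches the retained commitment."""
    return commit_meter(meter_id, nonce) == commitment


def privacy_preserving_records(records, fresh_nonce=True):
    """Split each transaction into what the vendor retains (no meter ID, only a
    commitment) and what the customer keeps (the opening). With fresh_nonce=False
    the commitment degrades to a stable pseudonym per meter, which is still a
    location-bound token and therefore still linkable across transactions."""
    retained = []
    openings = {}
    for customer, ts, meter_id, kwh in records:
        nonce = secrets.token_bytes(16) if fresh_nonce else b""
        retained.append((customer, ts, commit_meter(meter_id, nonce), kwh))
        openings[(customer, ts)] = (meter_id, nonce)
    return retained, openings


def movement_profile_from_commitments(retained, meter_locations):
    """The same join attempted on the privacy-preserving records: no retained
    token equals a meter ID, so no site and hence no movement trail is recovered."""
    profile = defaultdict(list)
    for customer, ts, token, _kwh in retained:
        if token in meter_locations:
            profile[customer].append((ts, meter_locations[token]))
    return dict(profile)


def distinct_tokens(retained):
    """Linkability check: with fresh nonces every transaction carries a unique
    token; with a fixed nonce the token count collapses to the number of meters."""
    return len({token for _c, _ts, token, _kwh in retained})


if __name__ == "__main__":
    print("profile from raw meter IDs:", movement_profile(BILLING_RECORDS, METER_LOCATIONS))
    retained, openings = privacy_preserving_records(BILLING_RECORDS)
    print("profile from commitments:", movement_profile_from_commitments(retained, METER_LOCATIONS))
    meter_id, nonce = openings[("cust-42", "2013-05-01T17:45")]
    commitment = next(r[2] for r in retained if r[:2] == ("cust-42", "2013-05-01T17:45"))
    print("dispute opening verifies:", verify_opening(commitment, meter_id, nonce))
```

The `distinct_tokens` check is the part worth keeping in mind when reviewing any such design: replacing the meter ID by a deterministic pseudonym (the `fresh_nonce=False` case) hides the site name but leaves every transaction at the same meter linkable, so the movement profile survives in pseudonymised form. Only a token that is unlinkable across transactions, which the paper obtains from the group signature's anonymity property, removes the location-bound token from the retained data while keeping it openable for a dispute.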
