Elsevier

Computer Networks

Volume 56, Issue 11, 31 July 2012, Pages 2551-2568
A context-aware scheme for privacy-preserving location-based services

https://doi.org/10.1016/j.comnet.2012.03.022

Abstract

We address issues related to privacy protection in location-based services (LBSs). Most existing privacy-preserving LBS techniques either require a trusted third-party (anonymizer) or use cryptographic protocols that are expensive in both computation and communication. Our design of privacy-preserving techniques is built on the principle of not requiring a trusted third-party while being highly efficient in terms of time and space complexities. The problem has two interesting and challenging characteristics: First, the degree of privacy protection and LBS accuracy depends on the context, such as population and road density, around a user’s location. Second, an adversary may violate a user’s location privacy in two ways: (i) based on the user’s location information contained in the LBS query payload and (ii) by inferring a user’s geographical location from the device’s IP address. To address these challenges, we introduce CAP, a context-aware privacy-preserving LBS system with integrated protection for both data privacy and communication anonymity. We have implemented CAP and integrated it with Google Maps, a popular LBS system. Theoretical analysis and experimental results validate CAP’s effectiveness on privacy protection, LBS accuracy, and communication QoS (Quality-of-Service).

Introduction

Location-based service (LBS) provides a user with contents customized by the user’s current location, such as the nearest restaurants/hotels/clinics, which are retrieved from a spatial database stored remotely in the LBS server. LBS not only serves individual mobile users, but also plays an important role in public safety, transportation, emergency response, and disaster management. With an increasing number of mobile devices featuring built-in Global Positioning System (GPS) technology, LBS has experienced rapid growth in the past few years. According to the ABI research report [1], the number of GPS-enabled LBS subscribers is projected to reach 315 million by 2013.

A request for LBS can be considered a query over the LBS server’s spatial database. For example, a query for the ten nearest four-star hotels can be expressed as the following SQL-like top-k query:

    SELECT TOP 10 FROM Hotel
    WHERE STARRATING = 4
    ORDER BY DISTANCE (Hotel.Location, userLoc) ASC;

where userLoc is the user’s location. Notice that the user’s location is specified as a constant in the ranking function and should be sent along with the query to the LBS server.

Despite the benefits provided by LBS, users may not be willing to provide their current location to the LBS server due to concerns about location privacy. Such concerns can be attributed to the seriousness of location disclosure and misuse: for example, an adversary may learn a user’s political and religious affiliations from the locations the user regularly visits. In recent years, there have been several reports on the abuse of LBS by individuals and companies to intrude on others’ privacy [32], [44].

The objective of a privacy-preserving LBS is to protect the privacy of a user’s location while maintaining a high level of LBS accuracy (e.g., the rank of a 4-star hotel in the above example). It has received growing attention from the research community. A k-anonymity based framework was proposed to protect location privacy by using a trusted third-party called the anonymizer [14], [18], [24], [30]. With this framework, a user sends her location to the centralized anonymizer, which subsequently generates a k-anonymized [45] cloaking region that covers not only this user, but also k − 1 other users. Then, the anonymizer transmits the cloaking region to the LBS server as the constant in the LBS query, and forwards the query answer to the user. This framework prevents the LBS server from distinguishing a user among at least k − 1 others.

Unfortunately, in real systems, it may be difficult, if not impossible, to find a trusted third-party anonymizer, especially one which has a large user base to shrink the cloaking region for better LBS privacy. To the best of our knowledge, the only existing work which removes the requirement of a trusted third-party is a private information retrieval (PIR)-based approach [15]. Nonetheless, this approach has two critical drawbacks. First, it can only be applied to LBS servers which support the PIR-based protocol. Second, as a common problem for PIR-based techniques, it may incur high computational and communication overhead unaffordable to mobile devices and the LBS server. Indeed, it was shown that PIR may incur even higher communication overhead than an oblivious transfer of the entire server-side database [42]. Such a cost may become prohibitive for the LBS server if it needs to process concurrently a large number of LBS queries.

In this paper, we investigate a privacy-preserving technique that is efficient in terms of both time and space complexities, does not require a trusted third-party, and is transparent to the LBS server so that it can be readily integrated into existing LBS systems. Such a technique may have to make a tradeoff between the privacy protection and LBS accuracy. Nonetheless, it should provide effective guarantees on both measures.

A straightforward method for efficient privacy protection is to randomly perturb a user’s location based on pre-determined noise distributions on longitude and latitude. This method is, in principle, similar to the randomization approach for privacy-preserving data mining [50]. Nonetheless, it is unlikely to suffice for LBS because, with a pre-determined noise distribution, the levels of privacy protection and LBS accuracy largely depend on the “context”, such as road and population density, around a user’s location. For example, intuition suggests that, to achieve the same level of privacy and LBS accuracy, a user should (or could) deviate more from her real location in a rural area than in a downtown area.

Thus, a critical challenge for privacy-preserving LBS is to achieve context-aware privacy protection. The existing k-anonymity framework does so by leveraging the anonymizer’s global knowledge of user distribution (so that the cloaking region is automatically larger in a rural area which has fewer users). Without a trusted third-party, we must acquire the context information from other sources. A simple solution is for each mobile device to store a complete topology map and retrieve it before perturbation to compute the adjacent area’s context. However, this may lead to computational and storage overhead unaffordable to mobile devices that are not dedicated GPS navigation systems.

In this paper, we introduce CAP, a Context-Aware Privacy-preserving LBS system. The main idea behind CAP is a dimension-reducing projection of every 2-d geographical location to a 1-d space, such that (i) every point in the 1-d space has homogeneous context (e.g., equal road/population density) and (ii) adjacent locations remain close after the projection. We refer to such a projection as a Various-grid-length Hilbert Curve (VHC)-mapping. With CAP, a user first projects her current location to the 1-d space based on VHC-mapping, and then randomly perturbs the 1-d value based on a pre-determined noise distribution. The perturbed value is then mapped back to the 2-d space according to an inverse VHC-mapping and transmitted as the user’s location to the LBS server.

VHC-mapping is designed to provide guarantees on both privacy protection and LBS accuracy, which are independent of the context of a user’s location. It is also very efficient in terms of both time and space complexities: The VHC-map itself is computed offline based on a real-world topology map, but requires only minimal storage space and retrieval cost. For example, a VHC-map of Texas, USA is about 1/2000 the size of a topology map, and only requires 4 KB to store. Furthermore, the use of a perturbation technique ensures transparency to the LBS server and enables CAP to be readily integrated into existing LBS systems.
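The VHC-mapping idea described above, as an added worked example; this is not the paper's own implementation. It builds a small variable-grid-length Hilbert map over a constructed 16×16 density grid, projects a location to the 1-d curve position, perturbs that position with pre-determined noise and maps it back. Everything beyond the page's description is an assumption of this example: the density grid itself, the quadtree split rule with a fixed mass cap per 1-d slot (`CELL_MASS_MAX`), uniform integer noise on the 1-d value, and the use of the cell centre as the inverse-mapped location.

```python
# Added example (not the paper's code): a toy VHC-style location perturbation.
# Assumptions: constructed 16x16 density grid, quadtree split with a mass cap
# per 1-d slot, uniform integer noise, leaf centre as the inverse-mapped point.
import random

N = 16                 # side of the constructed map grid (power of two)
CELL_MASS_MAX = 16.0   # assumed cap on "population mass" per 1-d slot


def build_density():
    """Constructed density map: countryside at mass 1.0 per cell, with a
    4x4 downtown block at mass 16.0 per cell in the middle."""
    grid = [[1.0] * N for _ in range(N)]
    for y in range(6, 10):
        for x in range(6, 10):
            grid[y][x] = 16.0
    return grid


def _rot(n, x, y, rx, ry):
    """Quadrant rotation step of the classic Hilbert-curve algorithm."""
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def hilbert_index(n, x, y):
    """Position of cell (x, y) along the Hilbert curve filling an n x n grid."""
    d, s = 0, n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        x, y = _rot(n, x, y, rx, ry)
        s //= 2
    return d


def build_vhc_map(density):
    """Split the map into variable-size squares until each holds at most
    CELL_MASS_MAX (homogeneous context), then order the squares along the
    Hilbert curve (adjacent squares stay close). Returns a list of
    (x0, y0, size) leaves; the list index is the 1-d value."""
    leaves = []

    def split(x0, y0, size):
        mass = sum(density[y][x]
                   for y in range(y0, y0 + size) for x in range(x0, x0 + size))
        if mass <= CELL_MASS_MAX or size == 1:
            leaves.append((x0, y0, size))
            return
        h = size // 2
        for dy in (0, h):
            for dx in (0, h):
                split(x0 + dx, y0 + dy, h)

    split(0, 0, N)

    def first_cell(leaf):
        # Every square occupies a contiguous Hilbert range; sort by its start.
        x0, y0, size = leaf
        return min(hilbert_index(N, x, y)
                   for y in range(y0, y0 + size) for x in range(x0, x0 + size))

    leaves.sort(key=first_cell)
    return leaves


def to_1d(vhc, x, y):
    """Forward VHC-mapping: 2-d cell -> index of the leaf containing it."""
    for slot, (x0, y0, size) in enumerate(vhc):
        if x0 <= x < x0 + size and y0 <= y < y0 + size:
            return slot
    raise ValueError("point outside the map")


def from_1d(vhc, slot):
    """Inverse VHC-mapping: leaf index -> centre cell of that leaf."""
    x0, y0, size = vhc[slot]
    return x0 + size // 2, y0 + size // 2


def perturb(vhc, x, y, radius, rng):
    """Project to 1-d, add uniform noise in [-radius, radius], clamp, map back.
    The same noise moves a rural user farther than a downtown user, because
    rural leaves cover more ground."""
    slot = to_1d(vhc, x, y)
    noisy = min(max(slot + rng.randint(-radius, radius), 0), len(vhc) - 1)
    return from_1d(vhc, noisy)


def mean_displacement(vhc, point, radius=2, trials=200, seed=1):
    """Average Manhattan distance (in cells) between a user's true cell and
    the location that would be sent to the LBS server."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        px, py = perturb(vhc, point[0], point[1], radius, rng)
        total += abs(px - point[0]) + abs(py - point[1])
    return total / trials


if __name__ == "__main__":
    vhc = build_vhc_map(build_density())
    print("1-d slots:", len(vhc))
    print("downtown (7,7) mean shift:", mean_displacement(vhc, (7, 7)))
    print("rural (1,13) mean shift:  ", mean_displacement(vhc, (1, 13)))
```

With this grid the dense block is cut into single cells while the countryside is left as 4×4 squares, so a noise radius of two slots moves the downtown user by at most two cells but carries the rural user several cells away, which is the context-dependent behaviour the paragraph describes; the client only needs the leaf list, not the topology map the density was derived from.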

In the design of CAP, we also investigate network anonymity as it bears on a user’s location privacy. The premise here is that a user’s location may be derived from her IP address based on public information about base stations’ locations and IP addresses, an example of which is the IP address locator at http://www.geobytes.com/. When 802.11b base stations are used, a user may be positioned within a small radius of 50 m. As a result, location privacy may be breached not only through an LBS query, but also through the traffic that carries the query. To tackle this problem, we use Tor [9], a popular anonymous communication network over the Internet, to hide a user’s IP address. Unfortunately, we found that Tor suffers from serious QoS (e.g., response time) degradation, which may be unbearable for mobile (e.g., driving) applications that require a short response time. To solve this problem, we introduce a set of new routing algorithms for Tor that reduce latency and maximize throughput. Additionally, we evaluate the tradeoff between communication QoS and anonymity for the proposed routing algorithms.

To the best of our knowledge, CAP is the first real privacy-preserving LBS system that provides an efficient and context-aware solution for both data privacy and communication anonymity without the presence of a trusted third-party. We have implemented CAP in both SUSE Linux 11.0 and Mac OS X Operating Systems, and are porting the system to Linux and OS X-based mobile devices. More information about the system implementation can be found at http://seas.gwu.edu/~nzhang10/cap.

The remainder of the paper is organized as follows. In Section 2, we formally specify the problem and present the architecture of CAP. Section 3 is devoted to the development of VHC-mapping. In Section 4, we report the experimental evaluation results of CAP. In Section 5, we present the front-end interface of a prototypical system of CAP and demonstrate some results using Google Maps. In Section 6, we review the related work. Finally, we conclude the paper in Section 7.

Section snippets

System overview of CAP

In this section, we present an overview of CAP, our context-aware privacy-preserving LBS system. The focus is on the system infrastructure of CAP and its performance measures.

Location perturbing based on VHC-mapping

We focus on the location perturbing component of CAP in this section. We begin with introducing our basic ideas, and then substantiating the ideas of VHC-mapping, our main technique for this component.

Experimental results

In this section, we present the implementation and experimental evaluation of CAP. We will first introduce the implementation and the experimental setup, and then present the results for the location perturbing and anonymous routing components, respectively.

CAP interface

The front-end interface for CAP is shown in Fig. 20. Firstly, users of CAP are provided with the following two options to obtain their current location: (i) they can opt to use a GPS receiver, or (ii) they can choose to input an address manually as shown in Fig. 20. Notice that CAP will use geocoding services to obtain the location.

Secondly, the front-end interface allows a user to search for all kinds of

Location privacy

There is a large body of research on location privacy and anonymity; in the following, we review the most closely related work. Existing schemes for preserving location privacy in LBS can be broadly classified into two categories: trusted third-party based and user based schemes.

Most research on trusted third-party based schemes adopts a k-anonymity based framework. In this framework, a trusted third-party called anonymizer is used to protect location privacy [14], [18], [19], [29], [48].

Conclusion

In this paper, we developed CAP to address two challenging issues in privacy-preserving LBS: protection of user location privacy from both (i) the location data and (ii) the network communication perspectives. CAP seamlessly integrates the location perturbation and anonymous routing components. We measure CAP in terms of location privacy, LBS query accuracy, and communication QoS of the entire system. Its effectiveness is demonstrated by theoretical analysis, simulations, and experiments with an

Acknowledgement

This work was supported in part by the National Science Foundation under Grants 1117297, 0915834, 0852673, 0852674, 1116644, 0942113, 0958477 and 0943479 and 1117175. Any opinions, findings, conclusions, and/or recommendations expressed in this material, either expressed or implied, are those of the authors and do not necessarily reflect the views of the sponsor listed above.

Aniket Pingley is a PhD student at the George Washington University in Washington DC. He received Bachelor’s and Master’s degrees in Computer Science from Nagpur University, India in 2005 and from the University of Texas at Arlington in 2008, respectively. His research interests are privacy and security in wireless networks.

References (50)

  • T. Asano et al., Space-filling curves and their use in the design of geometric data structures, Theoretical Computer Science (1997).
  • ABI Research, GPS-Enabled Location-Based Services (LBSs) Subscribers will Total 315 million in 5 years,...
  • B. Arai, G. Das, D. Gunopulos, N. Koudas, Anytime measures for top-k algorithms, in: VLDB,...
  • C.A. Ardagna, M. Cremonini, E. Damiani, S.D.C. di Vimercati, P. Samarati, Location privacy protection through...
  • P. Bahl, V.N. Padmanabhan, RADAR: An in-building RF-based user location and tracking system, in: Proceedings of IEEE...
  • J. Bentley, K-d trees for semidynamic point sets.
  • Boost Community, Boost C++ Library, 2008....
  • deluogps.com, SiRF Star III Based Mouse Type USB GPS Receiver for Laptop,...
  • R. Dingledine, N. Mathewson, Tor: An Anonymous Internet Communication System, 2006....
  • M. Duckham, L. Kulik, A formal model of obfuscation and negotiation for location privacy, in: Proceedings of the 3rd...
  • P. Enge et al., Special issue on global positioning system, Proceedings of the IEEE (1999).
  • C. Faloutsos et al., Fractals for secondary key retrieval.
  • J. Friedman et al., An algorithm for finding best matches in logarithmic expected time, ACM Transactions on Mathematical Software (TOMS) (1977).
  • B. Gedik, L. Liu, A customizable k-anonymity model for protecting location privacy, in: Proceedings of the IEEE...
  • G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, K.-L. Tan, Private queries in location based services:...
  • G. Gidofalvi, X. Huang, T.B. Pedersen, Privacy-Preserving Data Mining on Moving Object Trajectories, Technical Report...
  • D.R. Glover et al., The effect of population density on infrastructure: the case of road building, Economic Development and Cultural Change (1975).
  • M. Gruteser, D. Grunwald, Anonymous usage of location-based services through spatial and temporal cloaking, in:...
  • M. Gruteser et al., Protecting privacy in continuous location-tracking applications, IEEE Security and Privacy (2004).
  • A. Harter, A. Hopper, P. Steggles, A. Ward, P. Webster, The anatomy of a context-aware application, in: Proceedings of...
  • J.I. Hong, J.A. Landay, An architecture for privacy-sensitive ubiquitous computing, in: Proceedings of the 2nd...
  • Y.-C. Hu, H.J. Wang, Location privacy in wireless networks, in: Proceedings of the ACM SIGCOMM Asia Workshop,...
  • H. Jagadish et al., iDistance: an adaptive B+-tree based indexing method for nearest neighbor search, ACM Transactions on Database Systems (TODS) (2005).
  • P. Kalnis et al., Preventing location-based identity inference in anonymous spatial queries, IEEE Transactions on Knowledge and Data Engineering (2007).
  • E.F. Krause, Taxicab Geometry (1987).
Dr. Wei Yu is an assistant professor in the Department of Computer and Information Sciences, Towson University, Towson, MD 21252. Before that, he worked for Cisco Systems Inc. for almost nine years. He received the BS degree in Electrical Engineering from Nanjing University of Technology in 1992, the MS degree in Electrical Engineering from Tongji University in 1995, and the PhD degree in computer engineering from Texas A&M University in 2008. His research interests include cyber space security, computer networks, and distributed systems. Personal Web: www.towson.edu/~wyu.

Dr. Nan Zhang is an Assistant Professor of Computer Science at the George Washington University. He received the BS degree from Peking University in 2001 and the PhD degree from Texas A&M University in 2006, both in computer science. His current research interests include security and privacy issues in databases, data mining, and computer networks, in particular privacy and anonymity in data collection, publishing, and sharing, privacy-preserving data mining, and wireless network security and privacy. Personal Web: http://www.seas.gwu.edu/~nzhang10/.

Dr. Xinwen Fu is an assistant professor in the Department of Computer Science, University of Massachusetts Lowell. He received his BS (1995) and MS (1998) in Electrical Engineering from Xi’an Jiaotong University, China and University of Science and Technology of China respectively. He obtained his PhD (2005) in Computer Engineering from Texas A&M University. From 2005 to 2008, he was an assistant professor with the College of Business and Information Systems at Dakota State University. In summer 2008, he joined University of Massachusetts Lowell as a faculty member. Dr. Fu has been publishing papers in prestigious conferences such as S&P, INFOCOM and ICDCS, journals such as TPDS, and book chapters. His group won the best paper award at International Conference on Communications (ICC) 2008. His current research interests are in network security and privacy. Personal Web: http://www.cs.uml.edu/~xinwenfu/.

Dr. Wei Zhao is currently the Rector of the University of Macau. Before joining the University of Macau, he served as the Dean of the School of Science at Rensselaer Polytechnic Institute. Between 2005 and 2006, he served as the director for the Division of Computer and Network Systems in the US National Science Foundation when he was on leave from Texas A&M University, where he served as Senior Associate Vice President for Research and Professor of Computer Science. Dr. Zhao completed his undergraduate program in physics at Shaanxi Normal University, Xian, China, in 1977. He received the MS and PhD degrees in Computer and Information Sciences at the University of Massachusetts at Amherst in 1983 and 1986, respectively. Since then, he has served as a faculty member at Amherst College, the University of Adelaide, and Texas A&M University. As an elected IEEE fellow, Wei Zhao has made significant contributions in distributed computing, real-time systems, computer networks, and cyber space security. Personal Web: http://www.umac.mo/rectors_office/WeiZhao_biography.html.