Protecting Location Privacy in Mobile Computing Systems: Architecture and Algorithms
Ling Liu, Georgia Tech, USA
With the rapid development of positioning technologies such as GPS, GSM, RFID, and WiFi (802.11) and the wide deployment of wireless local area networks (WLANs), many devices today are equipped with wireless communication capabilities and location awareness. These technologies have enabled a new class of applications known as Location-Based Services (LBSs). While LBSs hold the promise of new business opportunities and a wide range of life-enhancing services, the ability to locate users and mobile objects accurately also opens the door to a new threat: intrusion of location privacy. Location privacy threats refer to the risks that an adversary can obtain unauthorized access to raw location data, or to derived or computed location information, by locating a transmitting device, hijacking the location transmission channel, or identifying the subject (person) using the device.
Location privacy refers to the ability to prevent unauthorized parties from learning one's current or past location. In LBSs, there are conceivably two types of location privacy: personal subscriber-level privacy and corporate enterprise-level privacy. Deployment of location-based services without safeguards may endanger the location privacy of mobile users due to vulnerabilities for abuse. For example, location information can be used to spam users with unwanted advertisements or to learn about users' conditions, alternative lifestyles or unpopular political views; such inferences can be drawn from visits to clinics, doctor offices, entertainment districts, or political events. In extreme cases, public location information can lead to physical harm, for example in stalking.
Location privacy has attracted attention from the research community in the past couple of years. Most of the solutions proposed focus on location privacy protection under a uniform assumption (i.e., that all mobile users have similar location privacy needs). Very few have studied personalized privacy protection strategies or provided a qualitative and quantitative analysis of the inherent tradeoff between the utility that LBSs can offer and the location privacy users put at risk. This tradeoff is inherent: on one hand, the quality of an LBS depends on the accuracy of the location of mobile users; on the other hand, the more accurately the location information is disclosed, the higher the risk of location privacy being invaded. It is important to develop mechanisms that can help find an acceptable balance between the extremes of fully disclosed and completely withheld location data. In this tutorial we present an in-depth description of location privacy and privacy-aware location-based services in mobile information systems, with emphasis on concepts and techniques.
Tutorial Content (3 hours)
1. Motivation: Applications and Requirements (0.5 hours)
First, we motivate the need for location privacy in future mobile and ubiquitous computing environments and address different requirements for protecting location privacy. We also define the concept of location privacy, and discuss the tradeoffs between the utility of locations, the quality of service provided by the LBS, and the desired location privacy of the user, and how to reach such a tradeoff through location cloaking.
(1) Location Privacy and Location Service Quality
In mobile computing environments, location-based applications track people's movement so they can offer various location-dependent services. Users who do not want such services should be given the choice of refusing to be tracked and thus maintain their location privacy. Of course, if a user provides little location information to the service provider, the risk of her privacy being compromised will be significantly reduced. However, this may prevent an LBS from providing the best service to the user. Alternatively, before contacting the LBS provider, a user can have her location information filtered by reducing its precision/resolution in terms of time and space. An important question is how much privacy protection is necessary. Perfect privacy is clearly impossible as long as communication takes place. Moreover, different users may have varying privacy needs in different contexts. Therefore, it is important to develop customizable privacy protection mechanisms that can help users find a comfortable balance between the extremes of fully disclosed and completely withheld location data. This includes the qualitative and quantitative analysis of the inherent tradeoff between the quality of service provided by the LBS and the desired location privacy of the user, and how fuzzy the location information sent by a mobile user to the LBS can be in order to reach such a tradeoff.
(2) Location Privacy and Personalization
We argue that location privacy is context sensitive. Different users may require different levels of privacy at different times. A user's willingness to share location data may depend on a range of factors, including different contextual information about the user (such as environmental context, task context, social context, etc.). Thus, a "one size fits all" framework for location privacy does not work. We promote user-defined privacy rules combined with a personalized anonymization model, since this allows users to tailor the system-level privacy protection strategies to meet their personal privacy preferences.
2. Protecting Location Privacy: Policy-based Model vs. Location Anonymization (1 hour)
Several approaches have been proposed for protecting location privacy of a user. Most of them try to prevent disclosure of unnecessary information by techniques that explicitly or implicitly control what information is given to whom and when. These techniques can be classified into three categories:
- Location protection through user-defined or system-supplied privacy policies;
- Location protection through anonymous usage of information, such as location cloaking, by reducing temporal and spatial resolutions of location information; and
- Location protection through pseudonymity of user identities, which uses an internal pseudonym rather than the user's actual identity. Such pseudonyms should differ across services and change frequently to prevent applications from tracking them. More importantly, they should be generated in such a manner that linking an old pseudonym to a new one is very hard.
In this tutorial we will give an overview of two types of location privacy protection strategies: Policy-based models and anonymity-based models, describe different classes of location privacy threats, and provide an overview of the possible techniques and solutions for location privacy protection. We will describe the design and development of a secure and customizable architecture for privacy-aware location-based services, which provides a careful combination of policy-based location privacy mechanisms and location anonymization based privacy schemes. In the policy-based approach, mobile subscribers need to evaluate and choose privacy policies offered by the service provider. These policies serve as a contractual agreement about which data can be collected, for what purpose the data can be used, and how it can be distributed. Typically the mobile subscribers have to trust the service provider that private data is adequately protected. In contrast, the anonymity-based approach de-personalizes data before it is dispatched to service providers. Thus it can provide a high degree of privacy, save users from dealing with service providers’ privacy policies, and reduce the service providers’ requirements for safeguarding private information. However, guaranteeing anonymous usage of location services requires that the precise location information transmitted by a user cannot be easily used to re-identify the subject. One common way to anonymize location information is to provide location k-anonymity by location cloaking, which reduces temporal and spatial resolutions of location information.
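As an added illustration (my own code, not part of the tutorial or of any system its author describes), the following quadtree-style spatial cloaking with a temporal window shows location k-anonymity with the personalized, per-user k argued for above: a trusted anonymizer keeps halving the grid cell around the requester until going finer would leave fewer than k users reported within the time window, so a stricter k yields a coarser box and a larger utility loss, and a request whose k cannot be met is suppressed rather than sent with weaker anonymity. The grid size, window, positions, timestamps and k values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class User:
    uid: str
    x: float
    y: float
    t: int   # report timestamp, seconds
    k: int   # personal anonymity requirement: 1 = no cloaking, higher = more privacy

def in_box(u, box):
    xmin, ymin, xmax, ymax = box
    return xmin <= u.x < xmax and ymin <= u.y < ymax

def cloak(requester, users, area=(0.0, 0.0, 1024.0, 1024.0), time_window=60, min_cell=1.0):
    """Return (box, (t_lo, t_hi)) such that box holds at least requester.k users seen
    within time_window of the request, or None if no such box exists (suppress)."""
    # Temporal cloaking: only users reported inside the window count as peers.
    pool = [u for u in users if abs(u.t - requester.t) <= time_window]
    box = area
    if sum(in_box(u, box) for u in pool) < requester.k:
        return None
    while True:
        xmin, ymin, xmax, ymax = box
        w, h = (xmax - xmin) / 2, (ymax - ymin) / 2
        if w < min_cell:
            break                      # finest resolution the anonymizer ever releases
        # Quadrant of the current box that holds the requester (grid-aligned, so the
        # requester is not systematically at the centre of the released box).
        qx = xmin + w if requester.x >= xmin + w else xmin
        qy = ymin + h if requester.y >= ymin + h else ymin
        quadrant = (qx, qy, qx + w, qy + h)
        if sum(in_box(u, quadrant) for u in pool) < requester.k:
            break                      # finer resolution would break k-anonymity
        box = quadrant
    return box, (requester.t - time_window, requester.t + time_window)

def box_area(box):
    # Utility-loss proxy: the larger the released box, the poorer the LBS answer.
    return (box[2] - box[0]) * (box[3] - box[1])

# Constructed sample positions (metres on a 1024 x 1024 grid) and timestamps.
USERS = [
    User("alice", 100, 100, 1000, k=3),
    User("bob",   120,  90, 1010, k=2),
    User("carol", 130, 140, 1020, k=2),
    User("dave",  900, 900, 1000, k=1),
    User("erin",  600, 100, 1005, k=2),
    User("frank", 100, 600, 1500, k=1),   # reported 500 s later: outside alice's window
    User("grace", 110, 610, 1500, k=4),   # too few peers at that time: request suppressed
]
```

Running `cloak(u, USERS)` for each user shows alice (k=3) released at a 256 x 256 box, dave (k=1) at a single 1 x 1 cell, erin (k=2, isolated in her quadrant) at the whole grid, and grace suppressed.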
3. Location k-anonymity and Location Privacy (1 hour)
4. Privacy and Security of Location Information (0.5 hours)
Security and privacy are two dimensions of the safety problem in future mobile and ubiquitous computing systems. I will discuss the intrinsic relationships between location security and location privacy, in terms of requirements, potential risks and defense mechanisms, and how the solutions to these problems will impact the future mobile computing systems, services, and applications.
Audience and Prerequisite Knowledge
The tutorial presents the necessary concepts, architectures, techniques, and infrastructure to understand location privacy in mobile location-based services (LBSs). The tutorial is designed to be self-contained, and gives the essential background for anyone interested in learning about the concept of location privacy and the principles for design and development of a secure and customizable architecture for privacy-aware location-based services. This tutorial will guide researchers, graduate students, and practitioners by highlighting best practices in building scalable and privacy-aware distributed location-based services, including the location utility and location privacy trade-offs, the limitations of current approaches, the need for a careful combination of policy-based location privacy mechanisms and location anonymization based privacy schemes, as well as the set of safeguards for secure transmission, use and storage of location information, reducing the risks of unauthorized disclosure of location information. This tutorial is presented at a senior graduate student level and is accessible to data management administrators, advanced mobile location-based service developers, and graduate students who are interested in mobile information systems, pervasive computing, and data privacy.
Biography of Presenter
Dr. Ling Liu is an Associate Professor in the