Multidimensional User Privacy in Context-Aware Mobile Networks

Transcription

1 EDIC RESEARCH PROPOSAL 1 Multidimensional User Privacy in Context-Aware Mobile Networks Igor Bilogrevic Laboratory for Computer communications and Applications I&C - LCA1, EPFL Abstract Modern hand-held devices are far more than just mobile phones. Their powerful processing units and embedded physical sensors are continuously polled by applications, in order to enhance the user experience. These applications use personal data (such as location, speed, preferences and activities) in order to provide their services, which raises concerns about the consequences of the exposure of private information to thirdparties. In this paper, we present research directions to address and protect user privacy by considering the multifaceted and dynamic user information acquired over time. Our intent is to study the relationships among privacy, quality of service and efficiency in context-aware applications by exploring nondeterministic models for privacy and using multidimensional (space, time, activity) accumulated data. Index Terms Wireless, Privacy, Context. I. INTRODUCTION Information is not knowledge is a famous quote by Albert Einstein. However, information originates knowledge when it is processed by reasoning or association [16]. The current trend of revealing personal information to third-parties Proposal submitted to committee: June 29th, 2010; Candidacy exam date: July 7th, 2010; Candidacy exam committee: Prof. Karl Aberer, Prof. Jean-Pierre Hubaux, Prof. Patrick Thiran. This research plan has been approved: Date: Doctoral candidate: (name and signature) Thesis director: (name and signature) Thesis co-director: (if applicable) (name and signature) Doct. prog. director: (R. Urbanke) (signature) EDIC-ru/ is fostered by the availability of attractive services, such as finding the closest restaurant, the shortest path or the socially most similar friend, which are based on such information. Yet, providers of such services need to extrapolate knowledge out of mere information to build truthful user profiles and suggest relevant recommendations. Usually, the more information is gathered about a user, the better the recommendations for the user are. Today, technological advances have brought to the consumer market devices equipped with an increasing number and variety of physical sensors, such as GPS, accelerometer, compass, light, temperature and noise. These instruments are constantly sensing the environment and acquiring contextual (physical, activity and preference) data in order to provide the most accurate representation of the current situation of the user to third-party service providers. Even though personal information is usually protected from unauthorized access, both by laws and computational techniques, the risk of leaking sensitive private data is still high. Privacy of user data is paramount for the success of contextbased services, as the potential abuses of private information can have severe consequences both for private citizens and businesses. More than 80 million private records concerning financial, medical and military service have been leaked in [10], with an average cost per affected customer of $ 204 [41]. Location traces gathered from mobile devices, coupled with activity schedules and preferences, not only have the potential to expose user identities and home/work positions, but also to predict their movements, their modes of transportation, their political inclinations, their age and drinking habits [43], [39]. Google Location History [26] is a very recent example of such profiling feature that is used to infer users current and future locations. Several techniques to protect location privacy in mobile networks have been studied in the past. Adding noise to the actual location, transmitting fake location reports and not transmitting at certain times are the most relevant means that have been explored by the research community. However, as people are using more and more their mobile devices to store personal data (such as schedules, activities and favorites web sites) [48], new opportunities arise for misbehaving entities to infer even more personal information about users. Our goal is to present research directions that address user privacy, by taking into account accumulated information from several sources (such as physical sensors, personal schedules and preferences) in order to provide more accurate measures

2 EDIC RESEARCH PROPOSAL 2 and better protection of user privacy. Moreover, in addition to the deterministic approaches studied so far, we intend to explore efficient strategies based on non-deterministic models to study the relationships between privacy, quality of service and efficiency in mobile networks. By considering existing network architectures (infrastructure-based and hybrid infrastructure/ad hoc) and novel context-based applications (Google Latitude [34], CitySense [9], Subway Friend Finder [1]), our intent is to foster the adoption of privacy techniques within such applications. The remainder of this paper is organized as follows. In Section II we review the main concepts about location privacy through a recent survey of the research field. In Section III we present an initial attempt to model and use past location traces to improve the quality of service in mobile networks, while preserving location privacy. We devote Section IV to the efficient use of dynamic location data acquired over time in order to provide an accurate measure of location privacy. Finally, we outline our research proposal in Section V. II. A SURVEY OF COMPUTATIONAL LOCATION PRIVACY In this section, we review the state of the art in location privacy through a recent survey article written by J. Krumm [33]. In his work, the author describes three relevant aspects in order to understand the use of location information and the necessity for its protection vis-à-vis third-parties. First, the article outlines people s inclinations towards revealing location data and their concerns about the misuse of such information. Second, the evolution over time of threats to location and context privacy are studied, by delineating the information about users, which can be inferred from such geographic data. Third, computational countermeasures that mitigate the risk of misuse of personal location data are presented and discussed with respect to their shortcomings. A. Sharing Location Data As pointed out in [33], there would not be concerns with the privacy of users locations if such information did not have to be sent to third-parties. But people are often required to learn or to provide their geographic position to a thirdparty in order to obtain services that they need, such as emergency calls, navigation or recommendation systems. The author describes two types of location measurement systems: those that do not require any involvement from a third-party, such as GPS, and the others that need an external entity to perform the measurement, such as information from a nearby cell-tower used by Google My Location [35]. By determining the positions of the users, Google knows their locations and is therefore in a better position to exploit this information to its own advantage. Existing applications that take advantage of user provided locations can be found in the traffic optimization and pricing domains, as well as in social networking services. TomTom [47] and Dash [15] are navigation system providers that use such information in order to reduce the waiting times for their customers, whereas Flickr [21], Facebook [19] and GoWalla [22] are social networking applications enabling users to geotag their pictures, show them on a map and share their locations with friends. The willingness of users to share their locations with friends or third-parties indicates their unawareness of the privacy risks that this may conceal. In fact, a substantial number of user studies suggests that people s attitudes towards location privacy are rather soft ([11], [14], [30]), with an increased concern only if the information is to be used commercially [13] or by specific people [14]. According to Krumm [33], the reason for such insensitivity about location privacy might reside in the relatively scarce mediatization of the negative consequences of location data leaks. B. Location Privacy Threats In contrast to the limited awareness of people about the consequences of location data leaks, privacy researchers have investigated and developed a number of automated methods to analyze the movements of people, ranging from mere pattern analysis to sophisticated context inferring algorithms. For instance, early works such as [37], [38] consider places where the GPS signal was weak or lost to be important for the user, whereas [25] is entirely based on cell-tower and WiFi radio signals. These initial studies aim at identifying important places for people, without considering the privacy risks or consequences for users. Research efforts that explicitly considered the negative consequences of location data leaks were carried by several authors ([2], [24]), who showed the inference potential of algorithms that analyzed both anonymized and genuine location traces. Beresford et al. [2] successfully determined the identity of people by examining where and for how long they were staying at a particular desk in an office building. Hoh et al. [28] obtained a similar result by observing the GPS traces of taxi drivers, thus managing to disclose the home and work locations of about 85% of them. An even more astonishing achievement, albeit on a smaller set of users, was made by Gruteser et al. [24]: they re-identified location traces of three different users, even though the traces were anonymized with multiple unlinkable IDs, by successfully clustering traces using multi-target tracking algorithms [7]. Where GPS coordinates were not available, Wilson et al. [49] developed probabilistic algorithms that used presence sensors inside a house to correctly associate 85% of the time the person who triggered each sensor. In addition to identifying important places and identities, the most sophisticated location inference algorithms are able to determine information such as trip destinations [18], mode of transportation and route [43], significant events [40] or even people s habits (such as smoking, drinking, age, work role) by only using location information. Therefore, Krumm [33] points out that, even without a name associated with the location data, much private information can be automatically inferred by aggregating information from public sources, such as the Internet, and thus effective privacy-preserving mechanisms need to be studied. In the following subsection, we summarize some of the most relevant ones.

3 EDIC RESEARCH PROPOSAL 3 C. Countermeasures for Location Privacy The survey [33] presented refers to four general categories of privacy protection mechanisms, that encompass legal aspects as well as computational mechanisms. However, only the latter are further discussed, which are based on the anonymity and obfuscation techniques. The first technique, anonymity, is based on the replacement of genuine names and IDs with untraceable IDs or pseudonyms. An even better method to use pseudonyms is to frequently reassign them, instead of using a single pseudonym for each user, in areas called mix zones. The mix zones are safe places, where attackers are not present, in which users change their pseudonyms simultaneously, i.e., they mix, such that it is difficult for an attacker outside the mix zone to link the previous with the new pseudonym for each user inside the mix zone. This technique was first proposed by Beresford et al. [2] in order to reduce the chances of an attacker of reidentifying a user based on accumulated anonymized location traces. Another concept, k-anonymity for location privacy, is analyzed in [23], where users report a region (instead of a precise point) that contains at least other k 1 users that are likely to have generated the same request. The effect on privacy is that, from the attacker s perspective, any user in that region is indistinguishable from the other k 1 users, and therefore the re-identification is ambiguous. However, both techniques, i.e., frequently changing pseudonyms and k-anonymity, are vulnerable to privacy attacks. In [2], the authors agree that their solution would not work well if user preferences were stored on a central server, as the attacker would then be able to link all pseudonyms used to obtain a particular user s data and therefore compromise his privacy. Likewise, past location traces could be successfully used in order to re-identify users even if they are k-anonymous [3], and therefore further efforts need to be made to improve these schemes. One other technique that has been proposed is to generate false location reports together with the genuine ones, but concerns about the usefulness and efficiency of this scheme remain [31], as it is often difficult to generate meaningful false locations and be efficient with respect to the message transmissions. The second method to protect location privacy is based on spatial and temporal degradation of the location messages. Works such as ([17], [32]) investigate the area and study the effectiveness of the scheme with respect to the quality of service. Krumm [32] concluded that a surprisingly high amount of spatial degradation (additive Gaussian noise) was needed for a significant reduction of the chance of a successful attack. Time degradation, consisting in increasing the delay between location reports, is proven to reduce the chance of a successful re-identification attack in [28], [29]. Specialized queries, containing location information that is as detailed as required by the specific applications, represent ways of dealing with privacy requirements while still enabling location-based applications to deliver their services. Although weather forecasts usually require only the ZIP code, navigation systems are much more demanding in terms of spatial resolution, and therefore the level of detail does not need to be the same for both applications. Collaborative filtering and privacy-preserving aggregation techniques are also ways of obtaining services while relying on other users for the recommendations and generic data statistics [44], such as the average temperature or the neighbor density. D. Open Questions Although it is still unclear whether one can define which privacy preserving technique is the best, the author [33] states that a good compromise might reside in the aggregated use of several mechanisms, depending on the users needs in a particular situation. It has been observed that people tend to simplify privacy-related decisions by grouping other individuals based on privacy preferences and information access policies [12], [42]. These could then be used to determine a person s privacy profile, which could be refined afterwards for location-based applications, uniquely for each individual. The last point that is raised in the article is that of a standard measure for location privacy. In general, the higher is the ambiguity in determining a user s location, the greater his privacy level is, but there is still no standard metric for quantifying location privacy. The most popular metrics include the distance between the attacker s guess and the true location of the user [27], k-anonymity [23] and behavioral entropybased measures [2]. In addition to metrics, in most studies there is a clear tradeoff between quality of service and privacy. We discuss the k- anonymity and entropy-based privacy metrics in the following sections. III. EXPLORING HISTORICAL LOCATION DATA FOR ANONYMITY PRESERVATION IN LOCATION-BASED SERVICES In this section, we review the work by Xu et al. [50] on k-anonymity for location privacy. This work is one of the first to explore the use of accumulated past information about users locations, in order to improve the quality of service and reduce the communication and computational overhead. With regard to this thesis, the paper constitutes an initial step towards efficiently using the time dimension in addition to the space dimension for analyzing user privacy. A. The Problem Xu et al. [50] are concerned with the protection of user location privacy in location-based services (LBS). In particular, they focus on protecting not only the current location but also the time-ordered set of future locations (trajectories) that users are going to visit. The most suited scenario for such a scheme is a system in which users continuously request LBSs, and untrusted third-party providers satisfy such requests while trying to learn as much as possible about users locations. For instance, users of applications that continuously monitor people, goods [46] or live traffic probes [45] could benefit the most from such a privacy protection mechanism.

4 EDIC RESEARCH PROPOSAL 4 Additive trajectories Base trajectory c 1 c 2 c 3 c 4 C 1 C 2 C 3 C4 KAT into a better KAT. The concern is that an exhaustive search for the best KAT would involve intensive computations, as the number of possible combinations of trajectories and orderings is important. Therefore, the authors [50] propose two methods for selecting potential candidates for trajectory cloaking based on heuristics. The first algorithm has a linear running time with respect to the number of trajectories, whereas the second has quadratic one. Fig. 1. K-anonymity trajectory cloaking, where K = 3 and n = 4. [Adapted from [50]]. B. Solutions and Results Xu et al. [50] propose a novel approach for k-anonymity protection for location privacy. The main component of k- anonymity in location privacy is the cloaking region, which is a geographic area containing k users, such that any of the k users has the same chance of having generated any LBS requests for that area. Clearly, the more dense the user population is, the smaller is the cloaking region. In their paper, instead of protecting a user s location by reporting a region currently containing this and other k 1 users, the authors propose a scheme that relies on the past locations of other users (or footprints) in order to protect the current and future locations of a user (or trajectory). In other words, for each location that a user is going to visit, the system looks for other users that have visited these same locations some time in the past, and generates an accordingly sized cloaking region that is then sent to the LBS provider. The system model that the authors describe is composed of mobile devices that receive continuous LBSs through a trusted anonymity server, controlled by a mobile network operator, which is the only entity that knows precisely the positions and identities of all users in the system. After an initial location sampling phase, the anonymity server knows the past locations (footprints) of each user and is therefore able to create cloaking regions for each LBS request. The goal of the adversary, the LBS provider, is to link the LBS requests to individuals. When a user wants to receive continuous LBS, he should first communicate to the anonymity server a base trajectory T 0 = {c 1, c 2,..., c n } that he will take, where c i is a location sample along this trajectory. Then, based on the anonymity level K and the base trajectory T 0, the server selects from the footprint database K 1 other users trajectories (each with at least n footprints), and computes a K-anonymity trajectory (KAT) T = {C 1, C 2,..., C n }, where C i is a region containing the user s location sample c i and footprints from other K 1 different users. The trajectories of the other users are called additive trajectories. Figure 1 shows an example of a KAT. A trajectory T is a KAT if and only if (i) for each cloaking region C i in T, at least K location samples from different trajectories are covered and (ii) the time-order of the n footprints in each additive trajectory needs to be the same as it appears in the base trajectory T 0 that the server wants to protect. The quality of a KAT is measured by the average size of the cloaking circles C i, where a smaller average size translates The first, linear complexity algorithm works as follows. For each additive trajectory T i, it computes the cloaking trajectory T i. If T i has a better quality than T j, j i, then T i is closer to T 0 than T j. All cloaking trajectories are then sorted based on their distance to T 0, and at the end only the first K 1 (the closest to T 0 ) are selected as final additive trajectories. The second algorithm, with quadratic running time, operates on a similar basis but instead of only comparing the distance between additive trajectories and base trajectory, it also considers the distance among additive trajectories. At the end of each iteration, the quadratic algorithm selects only the best (closest) trajectory as the additive trajectory, as opposed to already selecting K 1 of them, and builds a KAT. During the successive iteration, the algorithm compares the distance between the previously defined KAT and the remaining trajectories that have not yet been used, and chooses only the best one of these as the next additive trajectory before continuing with the successive iterations. For a complete description of the algorithms, we refer the reader to the actual paper [50]. Xu et al. [50] provide a performance comparison of their two algorithms with respect to the baseline algorithm, which only looks at the current K 1 neighbors, on synthetic data. The metric used is the average size of the cloaking circles in the KAT. Usually, a smaller radius would guarantee a lower computational and communication complexity while retrieving data from the LBS provider and is therefore better than a larger radius. Three parameters (the anonymity level required K, the length n of the base trajectory T 0 and the number of historical trajectories in the footprint database) are analyzed with respect to their effect on the performance metric. First, the results show that the two proposed algorithms consistently generate cloaking circles that have 10 times smaller radiuses than the baseline case, and that the type of road (highway, secondary) also affects the radius due to the different number of trajectories that populate these roads. Second, the length n of the base trajectory T 0 highly affects the cloaking range of the baseline algorithm, as opposed to the proposed algorithms that perform much better (5-10 times lower radius) as n increases from 30 to 80. Third, increasing the number of trajectories in the footprint database does not affect the baseline algorithm, as this does not consider past trajectories. However, the impact on the two proposed schemes is, unsurprisingly, rather significant, as more trajectories can be searched for the best ones in order to cloak the base trajectory. Between the two proposed algorithms (linear and quadratic), the quadratic consistently achieves 10% better results than the linear for all parameters.

5 EDIC RESEARCH PROPOSAL 5 C. Shortcomings and Discussion The idea of using past location traces in order to protect location privacy was, at the time of the writing (2008), rather novel. Xu et al. [50] successfully integrated past information, which increased the quality of service for continuous LBSs and demonstrated through simulations that the results are consistent on a wide array of parameters. However, there are some points upon which improvements could be envisaged. First, the authors themselves identify some limitations, such as the choice of trajectories with significantly different speeds and on-the-fly route changes, which need further research. Using location samples of people with significantly different speeds might hinder the success of the cloaking mechanisms, whereas a predefined and fixed route is a quite unusual assumption. People often adapt their route to the traffic conditions or unexpected events and therefore their route might deviate from the predefined one. In addition to the previous points, we feel that there are two other limitations with the model proposed by Xu et al. [50]. First, k-anonymity might not be the best metric for location privacy in cases where some locations are more likely to be populated than others, such as highly dense roads, shorelines or public places. In these scenarios, the actual cloaking region might not faithfully represent the real level of ambiguity that users are experiencing. The second shortcoming we identified resides in the unspecified validity time of the past location samples of other users, which are used to compute the KAT. The trade-off between longer validity and higher anonymity is an aspect that the authors do not elaborate on, and it might severely affect the quality of the cloaking as the adversary (LBS provider) might efficiently distinguish between recent traces, that are good for anonymity, and old traces that might be very uncorrelated with the actual places people might have visited afterwards. IV. MEASURING LOCATION PRIVACY IN V2X COMMUNICATION SYSTEMS WITH ACCUMULATED INFORMATION In this section, we present the work by Ma et al. [36] on location privacy in vehicular networks. The authors develop a location privacy metric and compare two approaches that use location information accumulated over time in order to measure users location privacy. In relation to this thesis, the study [36] provides recent insights into non-deterministic approaches for location privacy, and also a comparison of the effectiveness of several approaches with respect to accumulated information. A. The Problem The question that Ma et al. try to answer is how to define a location privacy metric for vehicular networks, which is able to represent in a rigorous way the level of privacy of the moving users while exploiting information accumulated over time (days, weeks). The authors argue that current metrics, by using only the information contained in one time instant (or snapshot), do not take well into account the evolution of location data over time, and are therefore too simplistic in their assumption. The adversaries will try to accumulate p mm p c i s p 11 p 12 p 2m.. p 1m p 22 p 21 Fig. 2. Hub-and-spoke diagram for user i s, with m possible locations as trip origin and destination. The values p j,k express the probabilities that user i s makes the trip o j d k [Adapted from [36]]. as much location data over time as possible, in order to decrease their uncertainties in linking such data with users identities. Therefore, efficient methods to process and utilize this dynamic data should be studied, in order to assess in a rigorous way the level of location privacy as it evolves over time. B. Solutions and Results Ma et al. [36] propose methods to model and process accumulated information about users locations, in order to measure the level of privacy in a more rigorous manner than current metrics do. The authors analyze two approaches that learn from accumulated information, and compare their performance in measuring location privacy with an entropybased metric. The first approach is based only on how often a trip has been observed for a particular user in the past, whereas the second approach is also based on the probability of each past trip being linked with that user. Both techniques are used in order to measure the probability of successfully linking a particular user to a given trip (source, destination) by an attacker. The system model considered in the work is that of a vehicular network, where vehicles communicate both directly with each other, in a peer-to-peer fashion, and with a centrally managed infrastructure. The latter is assumed to deploy roadside communication equipment (antennas, controllers) that are operated by a central authority. Moreover, a vehicle in the system periodically broadcasts a message containing its trip information, which includes the origin and destination of the trip, as well as the unlinkable ID of the vehicle (or pseudonym). The goal of the attacker, who is listening to the broadcast messages, is then to link the true identity of the vehicle owner to the trip information, which is captured in arbitrary defined areas and time instances. The authors refer to such observations as snapshots of the dynamic vehicular system. In each snapshot, each user makes at most one trip. The information acquired in each snapshot is modeled as a weighted tripartite graph with three distinct sets of vertices: the true identities of the n users (I = {i 1,..., i n }), the m origins (O = {o 1,..., o m }) and destinations (D = {d 1,..., d m }) of

6 EDIC RESEARCH PROPOSAL 6 the trips. The adversarial knowledge about the linkability of an identity with origin-source pairs is expressed with probability distributions over the links among these sets of vertices, which are p(i s, o j ), p(o j, d k ) and p(d k, i s ) respectively. A cycle starting from the vertex i s and passing through o j and d k represents the probability of user i s, s {1,..., n}, making the trip o j d k, where j, k {1,..., m}. These probabilities are represented as a hub-and-spoke structure (Figure 2), where p j,k denotes the probability of user i s making the trip o j d k. p c is the probability of the user not making a trip at all. The normalized probabilities in the diagram are computed as ˆp jk = m j=1 p(i s, o j )p(o j, d k )p(d k, i s ) m k=1 p(i s, o j )p(o j, d k )p(d k, i s ) + ˆp c where ˆp c = 1 m j=1 p(i s, o j ). The level of location privacy for each user is then expressed as the uncertainty of the adversary about the user s trip and is computed as the entropy [8] m m H(i s ) = ( ˆp jk log(ˆp jk ) + ˆp c log(ˆp c )) j=1 k=1 where the base of the logarithm is 2. The entropy (and thus location privacy) is maximum if all trips are equally likely. Given the previous statements, Ma et al. [36] evaluate two approaches that use and learn from accumulated information, based on several snapshots obtained over time (days or weeks). The first approach only considers the frequency of observing each trip while accumulating snapshots and is defined as Ŝ ω t = {(T k, αp k ω t k), k = 1,..., n t } where Ŝω t is the set of trips T k with their corresponding probabilities p k, n t is the total number of trips in the snapshot at time t, α = 1/ k p kwk t is a normalization constant calculated by requiring that all probabilities in Ŝω t sum to 1, ωk t = i pi k /f k t, i = 1,..., t, is the average probability of the trip T k and fk t = {S i S i S, i = 1,..., t, (T k, p K ) S i } is a counter of how often trip T k has been linked to user i over all snapshots S i up to time t. The second approach takes also into account the probability of each trip within a snapshot (Bayesian approach), which updates the trip probabilities according to Bayes theorem P (h k E) = P (E h k)p (h k ) k P (E h k)p (h k ) where P (h k E) is the conditional probability of the hypothesis h k given the evidence E, P (h k ) is the prior probability of h k and P (E h k ) is the probability of observing the evidence if the hypothesis h k is true. In our settings, h k represents the hypothesis of the trip k being the one that has been taken by the user, whereas E represents the information about the trip probabilities contained in the current snapshot S. In order to update the trip probabilities with new information, Bayes expression is used repeatedly by updating, before each iteration, the current prior probabilities with the corresponding past posterior ones. More details about the update process can be found in [36]. In other words, the frequency-based approach processes accumulated information by only checking how often the same trip has already been observed in past snapshots and updating the probabilities of future trips accordingly. The Bayesian approach considers the probability of each trip within each snapshot, in addition to observing whether trips have been observed or not, in order to update the future trip probabilities. Without loss of generality, the performance of the two approaches is evaluated by examining the snapshots for only one user i, and trying to determine his trips. The parameters of the simulations that are expected to have a major impact on the entropy-based privacy metric are the number of trips in each snapshot (one trip per day), their probabilities and the number of snapshots. The evaluation criteria are that (i) for irregular trips (with quite different origins and destinations in each snapshot) the accumulated information should give no (or little) extra information, whereas (ii) for regular trips the accumulated data should give extra information that would enable the attacker to detect the user s trip patterns and significantly reduce the uncertainty. The results show that, as expected, in the first case (irregular trips), none of the two approaches provides additional information about the trip patterns. In the second case (regular trips), we distinguish between one regular trip (with fixed probability) and three regular trips (with fixed probabilities) among 100 total trips. With one regular trip, the Bayesian approach is significantly better than the frequency-based approach, because it manages to lower the uncertainty from 6.3 to 0.79 bits as the number of observed snapshots increases. With three regular trips, the same scenario in which the Bayesian approach reduces (although slower) the entropy is observed. However, as the Sunday trip is random, the entropy sharply increases on the Sunday snapshot and then decreases again with the subsequent observations. Overall, the Bayesian approach is better than the frequency approach as it uses the accumulated information more efficiently. C. Shortcomings and Discussion Even though the proposed metric and methods are compliant with the evaluation criteria, the authors acknowledge they only work for regular trips and for fixed trip constellations, i.e., when the same origins and destinations are present in each snapshot. For privacy protection, this might be an advantage, as users could devise mechanisms to generate false trip messages in order to maximize the uncertainty of the adversary. However, it is unclear why vehicles are expected to transmit trip information containing the [origin, destination] pair, as we feel that a user has no advantage in revealing the origin of the trip. In order to optimize the route to the destination, a user at most needs to send only its destination and current position to other users or the infrastructure, and it would be more difficult for adversaries to link trips with users if they use pseudonyms efficiently. Additionally, Ma et al. [36] justify the trip information assumption by claiming that information on current locations and tracks is less likely to be useful in identifying users and their activities, compared to the information about trips. However, past efforts ([2], [24], [28]) have proven that not only this is possible, but with high precision as well.

7 EDIC RESEARCH PROPOSAL 7 V. RESEARCH PROPOSAL User privacy (and location privacy in particular) is an interesting research area that has been explored only recently, and some of the major results in terms of computational techniques have only been developed in the last seven years. Unsurprisingly, that time was also the beginning of the era of large-scale availability and accessibility of mobile devices equipped with physical sensors, such as GPS. Nowadays, GPS is just another means of capturing information about the users context, and many more sensors (accelerometer, compass, gyroscope [20], temperature, noise) are starting to populate our everyday digital companions. Moreover, the storage of other personal information on the devices, such as agendas, notes and to-do lists, is even more compelling thanks to the growing, always-on mobile internet connectivity. In the previous sections, we have provided the context and the research directions that this thesis will likely pursue. These articles present the state of the art in using location information over time to infer users information such as work/home, preferences, affiliations and habits. Moreover, the availability of different types of users private information (in addition to location) to third-parties is going to push the latter to use it even more effectively, in order to increase their benefits or to succeed in their goals. The users might sometimes not immediately realize what the risks of a prolonged exposure of such information are, and therefore their private life and habits should be protected from undesired scrutiny. The present thesis will be developed along four major axes (Figure 3), with the goal of preserving users privacy while enabling them to obtain the context-based services they might need. The first axis, multidimensional user-privacy, concerns the efficient and effective characterization about which user information can potentially reveal sensitive details about users. The second axis, augmented knowledge, analyzes the evolution of such data and threat level while it is being combined and accumulated over time, space, and over people. The third axis, applications and services, represents the realistic system model for which our solutions are going to be designed and evaluated. Finally, the fourth axis, non-deterministic models, shows some of the theoretical models and tools that will be explored in order to formalize our intuitions and define the mechanisms upon which our solutions will be optimized. We believe that users often negotiate privacy with utility and adapt their sensitivity to privacy depending on the situation, and therefore they could greatly benefit from non-deterministic approaches towards privacy related decisions. Our intuition is that in order to better reflect the incertitude about other users intents and knowledge, people might be more interested in having a privacy interval rather than a fixed value. With regards to the aforementioned research directions, we began investigating the domain of applications and services, and how to enable misbehavior traceability in the network in order to ensure correct operation. In our recent work [6], central authorities and users have the possibility to evict misbehaving devices through an efficient, reputation-based multiparty decision mechanism. Mobile devices take part in revocations of public-key certificates of misbehaving nodes, Augmented (and incomplete) knowledge Past events, places, trips, activities Adversarial strength Improve quality of service, adoption, usability Fig. 3. Multidimensional user privacy Location + activity + environment + social relationships User Privacy Server client, semi honest 3 rd party, P2P + server client Applications and services Data aggregation, Cryptographic techniques Non deterministic Models Processing efficiency Time series, Markov decision process, Bayesian inference, Game theory Existing network architectures, new applications, traceability Four major research axes that are going to be studied in the thesis. establishing in a distributed manner the unique outcome that is optimal with respect to the record of past behavior of each node involved in the local revocation process. We also investigate the way user location privacy is managed in real cellular networks, such as UMTS and LTE [4]. We show how malicious users are able to track other users movements by exploiting novel, low-cost and low-power base stations (femtocells) and how these threats could be mitigated by allowing mobile devices to dynamically re-assign pseudonyms based on their context. Currently, we are working on privacy-preserving mechanisms for existing application scenarios [5] such as activity scheduling, where users want to determine in an efficient way common availabilities while not revealing any additional information to other users or to the scheduling server. This is yet another example where personal data, such as individual schedules stored on mobile devices, are combined in order to automate a repetitive manual action in a privacy-preserving way. REFERENCES [1] N. Belloni, L. E. Holmquist, and J. Tholander. See you on the subway: exploring mobile social software. In CHI 09: Proceedings of the 27th international conference extended abstracts on Human factors in computing systems, pages , New York, NY, USA, ACM. [2] A.R. Beresford and F. Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing, pages 46 55, [3] C. Bettini, X. Wang, and S. Jajodia. Protecting privacy against locationbased personal identification. Secure Data Management, pages , [4] I. Bilogrevic, M. Jadliwala, and J.-P. Hubaux. Security Issues in Next Generation Mobile Networks: LTE and Femtocells. 2nd International Femtocell Workshop, Luton, UK, June [5] I. Bilogrevic, M. Jadliwala, J.-P. Hubaux, I. Aad, and V. Niemi. Privacypreserving scheduling: Practical approaches. (under submission). [6] I. Bilogrevic, MH. Manshaei, M. Raya, and J.-P. Hubaux. Optimal Revocations in Ephemeral Networks: A Game-Theoretic Framework. In Proceedings of the 8th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt 2010), pages , [7] SS Blackman. Multiple-target tracking with radar applications

8 EDIC RESEARCH PROPOSAL 8 [8] Shannon C E and W. Weaver. A mathematical theory of communication. Bell Syst. Tech. J, 27: , [9] Sense Networks CitySense. Retrieved on [10] Privacy Rights Clearinghouse. chrondatabreaches.htm. Retrieved on [11] M. Colbert. A diary study of rendezvousing: implications for positionaware computing and communications for the general public. In Proceedings of the 2001 International ACM SIGGROUP Conference on Supporting Group Work, page 23. ACM, [12] J. Cornwell, I. Fette, G. Hsieh, M. Prabaker, J. Rao, K. Tang, K. Vaniea, L. Bauer, L. Cranor, J. Hong, et al. User-controllable security and privacy for pervasive computing. In Eighth IEEE Workshop on Mobile Computing Systems and Applications, HotMobile 2007, pages 14 19, [13] D. Cvrcek, M. Kumpost, V. Matyas, and G. Danezis. A study on the value of location privacy. In Proceedings of the 5th ACM workshop on Privacy in electronic society, page 118. ACM, [14] G. Danezis, S. Lewis, and R. Anderson. How much is location privacy worth. In Fourth Workshop on the Economics of Information Security. Citeseer, [15] now Research In Motion Dash Navigation. Retrieved on [16] Merriam-Webster dictionary. Retrieved on [17] M. Duckham and L. Kulik. A formal model of obfuscation and negotiation for location privacy. Pervasive Computing, pages , [18] M. Duckham, L. Kulik, and A. Birtley. A spatiotemporal model of strategies and counter strategies for location privacy protection. Geographic, Information Science, pages 47 64, [19] Facebook. Retrieved on [20] Apple Iphone 4 features. [21] Flickr. Retrieved on [22] GoWalla. Retrieved on [23] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In Proceedings of the 1st international conference on Mobile systems, applications and services, page 42. ACM, [24] M. Gruteser and B. Hoh. On the anonymity of periodic location samples. Security in Pervasive Computing, pages , [25] J. Hightower, S. Consolvo, A. LaMarca, I. Smith, and J. Hughes. Learning and recognizing the places we go. UbiComp 2005: Ubiquitous Computing, pages , [26] Google Location History. Retrieved on [27] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. In Security and Privacy for Emerging Areas in Communications Networks, SecureComm First International Conference on, pages , [28] B. Hoh, M. Gruteser, H. Xiong, and A. Alrabady. Enhancing security and privacy in traffic-monitoring systems. IEEE Pervasive Computing, 5(4):38 46, [29] B. Hoh, M. Gruteser, H. Xiong, and A. Alrabady. Preserving privacy in gps traces via uncertainty-aware path cloaking. In Proceedings of the 14th ACM conference on Computer and communications security, page 171. ACM, [30] G. Iachello, I. Smith, S. Consolvo, G.D. Abowd, J. Hughes, J. Howard, F. Potter, J. Scott, T. Sohn, J. Hightower, et al. Control, deception, and communication: Evaluating the deployment of a location-enhanced messaging service. UbiComp 2005: Ubiquitous Computing, pages , [31] H. Kido, Y. Yanagisawa, and T. Satoh. An anonymous communication technique using dummies for location-based services. In Pervasive Services, ICPS 05. Proceedings. International Conference on, pages 88 97, [32] J. Krumm. Inference attacks on location tracks. Pervasive Computing, pages , [33] J. Krumm. A survey of computational location privacy. Personal and Ubiquitous Computing, 13(6): , [34] Google Latitude. us/mobile/latitude/. Retrieved on [35] Google My Location. mylocation/index.html. Retrieved on [36] Z. Ma, F. Kargl, and M. Weber. Measuring location privacy in v2x communication systems with accumulated information. In The Sixth IEEE International Conference on Mobile Ad-hoc and Sensor Systems (IEEE MASS09), Macau SAR, China, [37] N. Marmasse. Providing lightweight telepresence in mobile communication to enhance collaborative living. PhD thesis, Citeseer, [38] N. Marmasse and C. Schmandt. Location-aware information delivery with commotion. In Handheld and Ubiquitous Computing, pages Springer, [39] Y. Matsuo, N. Okazaki, K. Izumi, Y. Nakamura, T. Nishimura, and K. Hasida. Inferring Long-term User Property based on Users. In Location History, in 20th International Joint Conference on Artificial Intelligence (IJCAI). Citeseer, [40] W.M. Newman, M.A. Eldridge, and M.G. Lamming. PEPYS: Generating autobiographies by automatic tracking. In Proceedings of the second conference on European Conference on Computer-Supported Cooperative Work, page 188. Kluwer Academic Publishers, [41] Fourth Annual U.S. Cost of Data Breach study (Ponemon Institute. January 2009), [42] J.S. Olson, J. Grudin, and E. Horvitz. A study of preferences for sharing and privacy. In CHI 05 extended abstracts on Human factors in computing systems, page ACM, [43] D. Patterson, L. Liao, D. Fox, and H. Kautz. Inferring high-level behavior from low-level sensors. In UbiComp 2003: Ubiquitous Computing, pages Springer, [44] N. Ravi, M. Gruteser, and L. Iftode. Non-inference: An information flow control model for location-based services. In Mobile and Ubiquitous Systems-Workshops, rd Annual International Conference on, pages 1 10, [45] TomTom Live Services. service.php?id=14. Retrieved on [46] General Motors OnStar System. Retrieved on [47] TomTom. Retrieved on [48] CHI Labs PDA use study. nberg/chilabs/pda.htm. Retrieved on [49] DH Wilson and C. Atkeson. Simultaneous tracking and activity recognition (STAR) using many anonymous, binary sensors. Pervasive Computing, pages 62 79, [50] T. Xu and Y. Cai. Exploring historical location data for anonymity preservation in location-based services. In IEEE INFOCOM The 27th Conference on Computer Communications, pages , 2008.