SpotME If You Can: Randomized Responses for Location Obfuscation on Mobile Phones

Transcription

1 SotME If You Can: Randomized Resonses for Location Obfuscation on Mobile Phones Daniele Quercia, Ilias Leontiadis, Liam McNamara, Cecilia Mascolo, Jon Crowcroft Comuter Laboratory, University of Cambridge, Cambridge, CB3 FD, UK. Abstract Nowadays comanies increasingly aggregate location data from different sources on the Internet to offer locationbased services such as estimating current road traffic conditions, and finding the best nightlife locations in a city. However, these services have also caused outcries over rivacy issues. As the volume of location data being aggregated exands, the comfort of sharing one s whereabouts with the ublic at large will unavoidably decrease. Existing ways of aggregating location data in the rivacy literature are largely centralized in that they rely on a trusted location-based service. Instead, we roose a iece of software (SotME) that can run on a mobile hone and is able to estimate the number of eole in geograhic locations in a rivacy-reserving way: accurate estimations are made ossible in the resence of rivacy-conscious users who reort, in addition to their actual locations, a very large number of erroneous locations. The erroneous locations are selected by a randomized resonse algorithm. We evaluate the accuracy of SotME in estimating the number of eole uon two very different realistic mobility traces: the mobility of vehicles in urban, suburban and rural areas, and the mobility of subway train assengers in Greater London. We find that erroneous locations have little effect on the estimations (in both traces, the error is below 8% for a situation in which more than 99% of the locations are erroneous), yet they guarantee that users cannot be localized with high robability. Also, the comutational and storage overheads for a mobile hone running SotME are negligible, and the communication overhead is limited. I. INTRODUCTION If location-based services are to succeed, they will have to alleviate growing rivacy concerns over collecting eole s whereabouts. Loot.com, a mobile social-networking service, has done so by instituting safeguards against abuse: it sends reminders to users that their location is being shared and allows them to ost erroneous locations if they would like to hide their current location. Researchers have taken this aroach one ste further. They have roosed the use of aggregate location data instead of location data about single individuals [2] in order to reserve user rivacy. Comanies have followed suit and roosed services based on analysis of aggregate location data. TomTom, the Dutch maker of navigation devices, has refined its ability to redict road traffic congestion by analyzing the aths of millions of Vodafone subscribers [5]. The comany SenseNetworks analyzes tens of millions of location estimates from mobile hones to hel eole find the best corner to catch a cab in New York City or get ersonalized recommendations of the best nightlife locations in the city [8]. The resulting situation is that data about an individual s whereabouts is shared with comanies that then romise to aggregate such data. One finds it difficult to believe that comanies will discard data about individuals and kee only aggregate versions of it, not least because comanies generate revenue from targeted advertising, which can be done only with data about individuals. Often comanies claim to be using only aggregate anonymous data and then gloss over it in their terms and conditions [4]. Only few months ago, The Centre for Democracy & Technology, a rivacy grou, argued that the rivacy olicies of comanies collecting location data are uneven at best and inadequate at worst []. We set out to exlore a way of aggregating location data that suits rivacy-conscious individuals and, at the same time, results in fully-working location services. As we shall see in Section II, existing aroaches trust a central server (e.g., the location-based service itself, a location broker) to erform data aggregation or carry out distributed tasks other than counting eole in geograhic locations (e.g., distributed management of ush/ull queries [6, 22]). The idea behind our work is to choose a romising data obfuscation technique, aly it to the design of a rivacy-reserving way of counting eole in geograhic locations, and study when and how it works uon real-data on a large-scale. Researchers have long been designing distributed techniques for reserving location rivacy [7], but the quantitative roof of how a given technique works on a large-scale has not always been available. Being based on quantitative and large-scale location data, this work adds a new dimension to the current scholarshi. More imortantly, our findings create an exerimental basis for emerging mobile social-networking services. Peole count is a simle task yet suorts a wide variety of services such as real-time traffic regulation, urban areas rofiling, rare events detection, and crowd analysis (which is interested in modeling the behavior of crowds for redicting the use of sace, lanning accessibility, and lanning emergency evacuations). More secifically, we make two main contributions:. We roose a mechanism for aggregating user locations in real-time. The idea is that users can disguise their real osition using a large number of additional erroneous locations (Section III). A randomized resonse algorithm selects these locations so that the combined resonses can be statistically analyzed to estimate, for examle, the actual number of eole in a given location. The result is that: i) users claim to be at

2 a number of erroneous location so large that a location service cannot determine their real osition, even after reeated attemts (Section III-D); and ii) the accuracy of the rocessed data will be only marginally affected. 2. We evaluate the extent to which the accuracy of counting eole would be affected by SotME uon two sets of real mobility traces (Section IV): i) traces of vehicles in urban, suburban, and rural areas; and ii) real traces of the journeys made by subway assengers of all the train lines in Greater London. The results suggest that one can accurately estimate the number of users in a geograhical location in the resence of a large number of erroneous locations - the error is as low as % for both traces (Section IV-A). The large number of erroneous locations makes it difficult to localize single individuals, even over reeated user queries (Section III-D). Furthermore, if u to 6% of car drivers maliciously inject false location information, the estimations are unaffected (Section IV-B). We also find that, if 35% of the ublic use SotME, we can still estimate the number of individuals of the whole ublic (those who use SotME and those who do not) in a given location. The communication, comutational, and storage overheads on mobile hones are negligible, even when the number of erroneous locations for each user is essimistically high (Section IV-C). We conclude in Section V by summarizing the key exerimental results. Nowadays mobile social-networking comanies may go bust because they find it difficult to collect data from a critical mass of users. One way of solving this roblem is to make it ossible for comanies to collectively share a ool of aggregate location data. We exect that SotME users may be willing to contribute to this common ool as they now have the ossibility to obfuscate their whereabouts directly on their mobile hones. II. EXISTING SOLUTIONS Users may well trust location-based services to handle their rivate data and, if they do so, they simly need to disclose their location from their mobile hones in a way that no unauthorized third arty can access it. One way for a mobile hone to do this is to use a connection to the Internet that erforms onion routing [], whereby an Internet acket is reeatedly encryted and forwarded from one onion router (network node) to another u to the destination. Each onion router removes a layer of encrytion to uncover routing instructions. The result is that no third-arty (including the onion routers) knows the origin, destination, and content of the acket. Once a service receives location data, it stores the data along with users rivacy settings. The settings are then translated into machine-readable olicies [4], and access control mechanisms interret those olicies to grant or deny access to location data. For examle, users may want to tune their settings in a way that only their closest social contacts can know their location outside working hours. However, to regulate access in a variety of real-life situations, one would require very comlex, and therefore, hard to use rivacy settings [2]. That is why algorithms that automatically redict rivacy references from a user s behavior have also been roosed [6]. More recently, researchers have been working on access control mechanisms that not only control the access to rivate data but make it ossible to claim the data back. Geambasu et al. [8] roosed a system that, by integrating crytograhic techniques with distributed hash tables (DHTs), is able to make all coies of certain data become unreadable after a user-secified time, even if one obtains a cached coy of the data. Access control mechanisms either grant or deny access to location data. However, one may want to go beyond the simle dichotomy access granted/denied by, for examle, being able to make aggregate location data ublicly available. One way to do so is data generalization [2, 2, 7]. The idea is that a user sends her location to the service, which then generalizes the location with a coarser-grained satial range. The goal is to guarantee the user s k-anonymity. The user is considered k-anonymous if her location is indistinguishable from the location of at least (k-) other mobile users []. More recently, Hoh et al. roosed a decentralized aroach of data generalization that relies on geograhic markers in a vehicular infrastructure [3]. In ush/ull mobile query systems, Kido et al. [6] and Shankar et al. [22] roosed to reserve k-anonymity by generating fake queries based on usual atterns extracted from user mobility, and Pingley et al. [9] and Gedik and Liu [9] designed a family of rinciled rivacy-reserving techniques for query erturbation. In a similar vein, Ganti et al. roosed to camouflage location obfuscation by adding noise in a way that would not change exected atterns (e.g., exected number of eole in a certain location at a given time). They built a system called PoolView with which mobile users directly add erturbation to their location and tested the system uon the mobility of 3 GPSenable mobile hone users [7]. The aroaches of onion routing, access control, and data generalization are effective rivacy tools but are meant to work in secific situations. Those aroaches often assume that the location-based service is trusted and that it adheres to the rivacy references secified by users, they imose considerable comutational and communication overheads on mobile hones, and they assume that users will regularly fiddle with their rivacy settings. Those assumtions are reasonable for a secific class of alications and users but are not the best ones for designing mobile alications working on aggregate location data. It thus seems that a new mechanism for collecting aggregate location data is needed. But what sort of mechanism should we use? Ideally, the mechanism should: i) conservatively distrust location-based services; ii) run seamlessly on mobile hones; and iii) require little user intervention.

3 III. OUR PROPOSAL: SPOTME We design a mechanism (called SotME) that allows users to obfuscate their real location while still allowing aggregation. Next, we will describe what SotME is (Section III-A), when it works (Section III-B), how it works (Section III-C), and study its vulnerability to attacks (Section III-D). A. What it is Problem Statement: How a service accurately estimates the number of eole in a geograhic location without individuals unequivocally revealing their true osition. Symbol l k m t m t r yes l,t no l,t total l,t w u v Descrition Probability of forced yes A location in a ma Number of locations in a osition ma Position ma at time t Exanded osition ma at time t Rate of udate for osition mas Number of devices that claim to be in l at time t Number of devices that claim not to be in l at time t Number of answers given for location l at time t Window size for the moving average Proortion of the ublic using SotME Proortion of malicious users TABLE I SYMBOLS AND TERMINOLOGY. By accurate estimations, we mean that the estimate of the number of eole in a geograhic location is close to the real number of eole. SotME alleviates mobile users rivacy concerns by allowing them to reort erroneous locations in addition to their actual one. We use a technique called randomized resonse [23] to generate this reort. This technique is used in structured survey interviews to increase the validity and reliability of self-reorted behavior on sensitive issues. It has been used to ask eole sensitive questions, e.g., whether they use drugs, whether they have been with a rostitute this month, or whether they have evaded aying taxes. To see how it works, let us assume that we are interested in tax evasion. We ask an individual whether he has evaded aying taxes, but before he answers, we ask him to secretly fli a coin. He will then always answer yes if the coin came u tails, but will otherwise be truthful. So if he answers yes, nobody but him knows why it could be because he got tails or because he did evade his taxes. When alied to a large oulation, with a fair coin, half of those who did evade taxes will claim they did not, due to the coin toss. To find the roortion of eole who actually aid taxes, we double number of the eole who said no, as half of them were forced to answer yes. For instance, if 4% answered no then actually 8% of the oulation did not evade taxes. More generally, let the robability of answering forced yes be (which is the robability of a biased coin coming u tails). The roortion Pno of claimed no answers from the survey is: Pno = Pno Pno, where Pno is the true roortion of no. In other words, the roortion Pno of no answers from the survey comes from the roortion of truthful no answers P no minus the roortion of actual no answers that were forced yes ( Pno). So, given a survey answer, the roortion of actual no answers can be estimated: Pno = Pno = Pyes Going back to our revious examle, if 4% answered no (i.e., Pno = 4%), then Pno =.5 4 = 8%. Likewise, if a biased coin was used with =.2, then Pno =.8 4 = 5%. Similarly, the roortion of yes answers from the survey comes from the roortion of truthful yes answers P yes lus () the roortion of actual no answers that were forced yes : Pyes = Pyes + Pno. By substituting () and solving for Pyes we obtain: Pyes = Pyes P yes = Pyes From exression (2), one can estimate the number of true yes answers from the number of claimed ones. In Section III-C, we will see that, similarly, SotME uses exression (2) to estimate the number of eole in a given area on inut: i) of the number of yes and no answers in the area; and ii) of a fixed. B. When it works SotME works under the assumtion that it is ossible to divide a geograhic area into a set of locations. A ortable device is able to comute its osition and is able to lace the oint into the corresonding location. Without loss of generality, in our evaluation (Section IV), locations are geograhic squares in the case of the vehicular traces and subway stations in the case of the subway traces and, in general, locations can be of any shae. We do not assume that SotME users are truthful. In our robustness analysis (Section IV-B), we will see that SotME is robust against a large fraction of malicious individuals who inject false location information. C. How it works SotME ensures that users create and send their osition mas to a location-based service (Ste ), and that the service is able to accurately comute the number and flow of users in a location from those mas (Ste 2): Ste : Users create and send their osition mas. A ortable device s osition ma is a set of k locations the device claims to be in. One of those locations is the user s true location, while the remaining locations are chosen at random. For each location l in the ma, a randomized resonse algorithm is used to let the user claim to be resent there or not as follows: Claims to be in location l with robability. (2)

4 Or says the truth (whether it is actually in l or not) with robability ( ). A ortable device sends a new osition ma either at a fixed rate (e.g., every minute) or whenever it moves from one location to another. By contrast, if the device is stationary, it does not disclose anything but an acknowledgment. The acknowledgment is used to counter a simle localization attack that will become clear at the end of Section III-D. It is also used to signal that the user is still art of the system and the user s latest osition ma should be considered valid. It is imortant to say that the device will not just send the yes answers. It will send k answers where some of them will be yes and some no, and both yes and no answers are used to estimate the number of eole in a location. Ste 2: A service infers number and flow of eole from the mas. The location-based service collects all the mas it receives and then rocesses them to infer, at each location l, the number of individuals in l. More secifically, for a location l, the service receives total l,t answers at time t: yes l,t of which are yes and no l,t of which are no. The roortion of given yes answers for location l is then: Pyes l,t = yes l,t total l,t (3) Given this sum of randomized answers, we are able to estimate the real number of users at location l at time t: estimated l,t = total l,t Pyes l,t By substituting (2) and (3): estimated l,t = total l,t Pyes l,t SotME uses equation (4) to estimate the real number of users in location l. Clearly, this number deends on the roortion of the yes / no answers given and on the robability. For examle, if we received total l,t = answers for a location l, and 8% of them claim to be in l, then, for =.5, the estimated number of actual users is: estimated l,t = = 6. In reality, estimations are done at discrete time stes, and short-term fluctuations may likely erturb such estimations due to the variance of the binomial distribution. The simlest way to smooth out short-term fluctuations and highlight longerterm trends is to comute the moving average of the estimations for a window w. So our estimated number of individuals in location l at time [t w, t] now becomes: redicted l,t,w = ti=(t w) estimated l,t In this exression, to make a rediction, we average the last w estimations. In our evaluation (Section IV), we find that even for very low values of w, the redictions can be effectively smoothed out and, for w > 2, the rediction error remains stable. Therefore we will use a window size w = 2. w (4) (5) SotME is not only able to estimate the number of users in one location but also to infer the number of eole entering/exiting the location (the oulation flow). It may do so by ignoring stationary users. Distinguishing between stationary and mobile users is in fact very simle - stationary users send acknowledgments and mobile ones send osition mas. Then, given a location l, by excluding stationary users, the locationbased service only counts recent arrivals at the location and, as such, the resulting estimated l,t,w (as er exression (5)) is the redicted number of individuals who have recently arrived in location l. D. SotME attack vulnerability Let us assume now that the service is a malicious attacker that wants to localize a SotME user. To see how it might do so, consider that the attacker collects three osition mas m, m 2, and m 3 that the user generates at three consecutive time stes (Figure ). The black locations are the locations in which the user claims to be. After receiving m, the attacker knows that the user is currently in one of the black locations. In the next time ste, if the user moves one location, then they will be in one s of m s grey or black locations. m is the exanded version of m (locations adjacent to the black ones are selected) and is created by the attacker to infer where the user is likely to be next. In the next time ste, the user claims to be in the black locations in m 2. The intersection of m and m 2 gives the attacker four ossible locations (the black locations in m 2 ). Subsequently, the intersection of m 3 and the exanded m 2 gives a single ossible osition in m 3. The user s true osition has been found. In reality, localizing the user is not as easy as we have just shown. To disguise true locations, one may select fake locations in a way that they do not affect the overall eole count and aear to be lausible (e.g., locations users are likely to be in). For examle, for ush/ull mobile query systems, Kido et al. [6] and Shankar et al. [22] roosed to generate fake queries based on usual atterns extracted from user mobility. One may also select fake locations in a random way: we will evaluate the extent to which it works to select fake locations in the osition ma at random without any geograhical constraint. Critics might rightly say that randomly-chosen fake locations would be geograhically sarse, while true locations would be clustered or relatively continuous. But that is true only if the value of is low, as it is in Figure in which is roughly. - the number of black squares er ma is 6 out of 64, so In our Evaluation (Section IV), we will see that, for =.5 (i.e., the user claims to be in half of the location in m ), it is very difficult to localize the user, yet the fidelity of the results from aggregate location data remains extremely high. Of course, if the user is stationary and were to eriodically send new osition mas, then the attacker would quickly localize the users. That is why, as mentioned in the revious subsection, a stationary user does not send any new osition ma but just an acknowledgment.

5 m 2 3 ' Fig.. A malicious service rovider infers the location of a victim from the victim s osition mas. (a) Urban area (b) Suburban area (c) Rural area Fig. 2. The mobility traces of drivers are generated for three tyes of area in Zurich. IV. EVALUATION The goal of SotME is to make it ossible for mobile users to reort erroneous locations in addition to their actual one, without comromising the recision of alications that rely on aggregate location data. To ascertain the effectiveness of our roosal at meeting this goal, our evaluation ought to answer three questions: How effectively is the service able to estimate the number of eole in a location from the osition mas sent by SotME users (Section IV-A)? To what extent would a malicious service be able to infer a user s location from the user s osition mas? To what extent would malicious users who inject false locations be able to comromise the estimations (Section IV-B)? What communication, storage, and comutational overhead does SotME imose on a mobile hone and on a location-based service that suorts it (Section IV-C)? To answer those questions, we set u exeriments using movement data of different tyes of individuals. The mobility traces we use are of two tyes:. Drivers of vehicles. We also use the mobility traces of drivers generated by the widely-used microscoic traffic simulator develoed at ETHZ [3]. We generate the vehicular traces uon three real mas of the Zurich areas. On inut of historical flows of vehicles in those areas, the traces are generated in a way that the behavior of vehicles is reroduced (e.g., stoing at traffic lights, vehicles queuing after each other, riority to the right). Since the mas reflect three tyes of area (urban, suburban, and rural), the resulting traces reflect scenarios with different total number of vehicles, density of vehicles, and vehicle seed: Urban area: The number of vehicles is high (on average there are 88 vehicles at the same time), and so is the density of streets (see Figure 2(a)). The average seed is 2km/h and the maximum is 6km/h. Suburban area: The number of vehicles is medium (on average there are 42 vehicles at the same time), and so is the density of the streets (see Figure 2(b)). The average seed is 25km/h and the maximum seed is 6km/h. Rural area: The number of vehicles is low (on average there are 2 vehicles at the same time), and so is the density of streets (see Figure 2(c)). The average seed is 32km/h and the maximum is 7km/h. 2. Subway assengers in London. We use the mobility traces of subway assengers of all the London subway s lines during rush hour of a weekday. For each assenger, the traces kee track of the stations the assenger enters and exits. This is ossible for the 22% of the London underground assengers (which include commuters, shoers, and tourists) who use RFID tickets to ay their fares. The number of subway stations considered is 426. The total number of assengers is 3,, and the average number in a station each minute is 37 eole with a eak of 72. We divide the three mas in m grid cells, and each cell is what we have called location. Instead, for the traces of the subway assengers, a location is a subway station. Validation Execution. For each time ste t and each location l, we comute the fraction of overestimated/underestimated individuals: f l,t = real l,t redicted l,t,w real l,t where real l,t is the actual number of individuals in location l at time t and redicted l,t,w is the number of individuals SotME redicts based on the statistical analysis that we described in the revious section. Of course, the error is only defined for areas where there are more than one users. We then comute the Root Mean Square (RMSE) for time t over all locations l: nl= f l,t 2 error t = n where n is the number of locations considered (the number of data oints). We reeat this on all locations for 6 time units (seconds) for the vehicular traces and for 2 time units (2 hours) for the subway traces and take the average error of the whole simulation. We use RMSE because, in our case,

6 Urban Suburban Rural Fig. 3. The error versus when each driver reorts to be in all ossible locations with robability for the vehicular traces k = 426 k = 2 k = Fig. 4. The error versus when each subway assenger reorts to be in k locations (k maximum is 426). large errors are articularly undesirable, and, since the errors for each location are squared before they are averaged, the RMSE gives a relatively high weight to large errors [5]. A. Effectiveness One would exect that the ability to estimate the number of eole in a location is affected by three arameters:. The robability of forced yes. We consider the worst case in which k is maximum - a situation in which a user can otentially claim to be in all locations of the entire geograhic area. That is, k = 9 for drivers and k = 426 for subway assengers. k maximum corresonds to the case of highest error. That is because the error increases with the number of individuals who claim to be in a location but are not there, and this number is maximum when everybody claims to be everywhere (k maximum). Figure 3 lots the error versus for k = 9 in the three areas of the vehicular traces. As one exects, the error increases with. However, for robability =.5 (users can claim to be in half of the geograhic area), the error is high in the urban area (error = 4%) but is surrisingly low in the rural area (error = %). The error will always be higher in dense areas (urban areas) since the average number of eole who claim to be in a given location without being necessarily in it increases with the oulation density. Interestingly, for = (users claim to be in their true location), there is a residual error of 6% for the rural area and of % for the urban and suburban areas. That is because the moving average smooths short-term traffic fluctuations and cannot reroduce them (hence the error). Short-term traffic fluctuations are frequent in the urban area where intersections and traffic lights roduce bursty vehicular traffic. However, at the rice of having the residual error, we obtain a significantly reduced error for >. If we were not to use the moving average, the error would roughly trile. For subway assengers, the error for k maximum (which in this case is 426) is reasonable and lower than that for vehicular drivers (Figure 4); u to =.6, the error is lower than 2%. That is because the number of assengers is more than three order of magnitude higher than the number of drivers and, consequently, k s imact is greatly reduced. 2. The number k of otential locations. Since the error is unreasonably high for k maximum (esecially for vehicular drivers), we exlore the whole range of k = [, 9]. We find that the error remains the same for k < 5 and becomes undesirably high for k > 5. Consequently, to ease exlanation on how k and affects the error, we grah the error for k = {5,, 2, 5}. Figure 5 shows the error versus in the three different areas of the vehicular traces. From the three grahs, we learn that: High values of error are registered in the urban area because of bursty traffic and oulation density, as we have already found. For the considered k s in all the three areas, the error is low and stable for <.4 and becomes undesirable for >.5. Based on the last oint, we might say that, for <.5, the error is low. The same alies for subway assengers; more secifically, the error is well below 8% for =.5% (Figure 4 for k = {85, 42}). As we shall see in Section IV-B on the attacker model, for those values of, localizing users becomes hard and, using a value of [.4,.5], one is able to strike the balance between low error and high undetectability. Consequently, the location-based service fixes the value of in the range [.4,.5], and users tune k deending on the level of rivacy they would like to attain. The roduct k is the number of locations in which each user claims to be on average and exresses the level of rivacy one can exect from the service. For examle, if =.5, a user claims to be, on average, in 5 locations at the same time, if she sets k = ; or in 25 locations, if she sets k = 5. Of course, to attain very low error, the service may well choose a low value of, say,.2; in that case, the users need to set a high value of k, say, at least The fraction u of individuals running SotME. The revious results tell us that, by tuning the values of and k, one is able to accurately estimate the number of SotME users in a given location. Now, we will see that one is also able

7 .8 k=5 k= k=2 k=5.8 k=5 k= k=2 k=5.8 k=5 k= k=2 k= (a) urban area (b) suburban area (c) rural area Fig. 5. The error versus when each vehicular driver claims to be in 5,, 2 locations at the same time with robability. The results are for the three areas in Zurich: (a) urban; (b) suburban; and (c) rural. to estimate the number of eole (including those not using SotME) in a given location. Let us call u (utake) the fraction of SotME users in the oulation. One way to estimate the number of eole eole l,t in location l at time t is to comute: eole l,t = redicted l,t,w u where redicted l,t,w is the number of SotME users redicted to be in l at time t. Exression (6) assumes that SotME users are distributed uniformly across locations (it assumes that u is the same for all locations). In reality, we might have different enetration rates for SotME in different areas. To test the extent to which this assumtion affects the estimation of the number of eole, we comute the error in the estimation versus u for the three areas and for the subway traces. In Figure 6, we see that, for u = 25% ( 4 of the oulation has installed SotME), one can still estimate the number of eole (non-sotme users) with an error of 35% in the vehicular urban area and 9% in the rural area. For subway assengers, we also find a low error (below 2%) for a enetration rate of 2% (Figure 7). Interestingly, since the number of subway assengers is high, for enetration rates higher than 35%, the error does not significantly decrease. This would suggest that if 35% of the subway assengers of our London subway s traces were to adot SotME, then the number of eole who are not necessarily using SotME in each subway station could be accurately redicted. Clearly, the estimation of the number of SotME s users is unaffected by the enetration rate, and the error is that we have discussed in the revious oint. B. Robustness against malicious roviders and malicious users In Section III-D, we described how a malicious service rovider (attacker) could deduce the osition of a victim and we claimed that the higher the victim s robability, the more difficult localizing the victim. To measure how imacts the attacker s ability to localize the victim, we set u a simulation in which, at each time ste, the attacker collects a new osition ma from the victim and then selects from the ma the locations in which the victim is likely to be. Being about a single osition ma, this simulation is not affected (6) u Urban Suburban Rural Fig. 6. The error versus SotME s enetration rate u among vehicular drivers u Subway Fig. 7. The error versus SotME s enetration rate u among subway assengers. by mobility, so we do not use any mobility traces now. The ercentage c of the selected locations (out of the total ma) is a measure of the attacker s ability to localize the victim. The lower c, the more refined the localization. Figure 8 lots c versus time, for values of = {.,.2,.3,.5,.7,.9}. We see that c tends to quickly stabilize over time. If the victim s robability of forced yes is., then the attacker is able to quickly identify the location in which the victim is. By contrast, if is.5, then the attacker redicts that the victim is in half of the locations and cannot refine its rediction over

8 Percentage of Cells (%) =.9 =.7 =.5 =.3 =.2 = Urban Suburban Rural Time (stes) Fig. 8. The ercentage of locations a mobile victim is believed to be in by a malicious attacker. As time asses by, the attacker receives a set of osition mas from the victim uon which it then makes its redictions. time. That is because the attacker guesses the victim s osition by exanding the victim s ma; for examle, by exanding m of Figure into m. If =.5, then the victim claims to be in half of the ossible locations (that is, half of the squares in the victim s ma m are black) and, to guess where the victim is, the attacker exands that ma and obtain a new ma m in which the victim is equally likely to be in any location of the ma; for =.5, the attacker is unable to localize the victim. In general, we might say that, for a given, a user can exect a fixed and known level of rivacy rotection. This level is the roduct ( k), which is the number of locations the user claims to be at the same time (on average). In addition to a malicious rovider, we might also have malicious users who try to subvert the system by injecting false osition mas. Those users follow all the stes of the SotME s algorithm exect for one: they do not reort their current true locations, that is, they reort locations at random. If many users do so, then the corresonding error in counting the number of the remaining (honest) users is exected to increase. To measure the extent to which the error increases, in our vehicular traces, we add a set of malicious users who inject random location mas and we measure the resulting error. Figure 9 lots the error versus the fraction v of vehicular drivers who are malicious. This fraction is the number of drivers who are malicious over the total number of (honest and malicious) drivers. Interestingly, u to 6% of malicious drivers, the error in estimating the number of the honest ones only slightly increases. Again, for subway assengers, the results are quantitatively similar. C. Overheads Storage Overhead. A device that runs SotME stores one osition ma and the list of visited locations. This size of this information is very small (e.g., in our vehicular exeriments it was 3KB), making such an aroach feasible to be used in ortable devices. Comutational Overhead. The comutational overhead comes from the generation of k random numbers every Fig. 9. The error in estimating the number of honest drivers versus the fraction v of injected malicious vehicular drivers. time a new osition ma is created. Generating 25 random numbers (worst case) on a mobile hone takes few milliseconds and, as such, SotME is exected to run seamlessly on any modern mobile hone. Communication Overhead. The communication overhead a mobile hone would see in using SotME largely deends on three arameters: i) the number k of otential locations a SotME user can reort to be in, ii) the frequency which the hone sends a osition ma and iii) the dimensions of a location. One exects that the communication overhead increases linearly with the dimension k of the user s osition ma. Figure (a) shows that this is the case in our vehicular traces for the three tyes of areas (urban, suburban, and rural) and also shows that the overhead is extremely low: for k = 5, a user has to only transmit.2 KB/sec (72 KB/hour). To further decrease the communication overhead, one may have users not udating their osition mas every time they change location but udating them at a fixed rate. Figure (b) lots the communication overhead for car drivers (KB/sec) versus the frequency of udates (seconds). By comaring the curves for dynamic udates (mas udated at every change of location) to the curve for fixed udate (mas udated at every given number of seconds), one concludes that having users udating their mas with a frequency greater than 6 seconds would result in a further decrease of communication overhead (which is already low). An additional factor exected to imact the communication overhead is the dimension of each location in our mas. No matter whether users udate their ma at every change of location (dynamic udate) or udate them every seconds (fixed udate), the larger each location, the lower the communication overhead. To see why, consider that: For dynamic udate: The larger a location in the ma, the more time eole send in it, the fewer the number of total changes of location overall, and the fewer the number of udates that need be sent. For fixed udate: The larger each location in the ma, the lower the number of total locations, the smaller each v

9 Comm. Overhead er Vehicle (KB/second) (a) k Urban Suburban Rural Comm. Overhead er Vehicle (KB/second) Fixed Dynamic - Urban Dynamic - Suburban Dynamic - Rural Frequency of Udates ( seconds) (b) Comm. Overhead er Vehicle (KB/seconds).... e-5 e-6 Dynamic Fixed second Fixed seconds Fixed 2 seconds Square Dimension (meters) (c) Fig.. The communication overhead as a function of: (a) the number k of otential locations each driver can reort to be in; (b) the frequency of udates of osition mas in the range [, 3]seconds; and (c) the dimension of each location in the three mas of the areas in Zurich. udate (osition ma). Figure (c) lots the communication overhead (KB/second) for car drivers versus the dimension of a location (meters). For both tyes of udate, the network overhead decreases as exected, and it does so according to a ower-law relationshi. However, if users udate at every change of location, the overhead decreases more raidly than having users udating at a fixed rate. This suggests that the fixed rate should be set in a way that the resulting udating is less frequent than udating at every change of location, and the choice of the rate will be alication-deendent. For the subway assengers, the overall communication overhead is even lower than that for vehicular drivers. That is because the number of otential locations k is lower (at worst, it is the number of subway stations) and so is the frequency of udates (subway assengers move slower than vehicles). V. CONCLUSION SotME makes it ossible for services that rely on aggregate location data to work in the resence of rivacy-conscious individuals who reort erroneous locations in addition to the actual ones. Using real mobility traces in very different settings, we have seen that erroneous locations have little imact on the estimation of number of eole in a geograhical area and allow users to obfuscate their location. Also, SotME scales (it entails reasonable communication overhead, and negligible comutational and storage overheads on a mobile hone); is robust against injection of false location information; and is easily deloyable largely because it does not require any additional infrastructure or any secialized hardware. We are currently exerimenting with different ways of choosing locations in a osition ma other than random selection, and we are also designing user studies to ascertain to which extent SotME and other aroaches would imact users ercetion of rivacy. Acknowledgments. We thank EPSRC for its financial suort. We also thank Mirco Musolesi, Anastasios Noulas and Salvatore Scellato for their constructive feedbacks. REFERENCES [] The rivacy imlication of commercial location-based services. Center for Democracy & Technology, February 2. [2] G. Andrienko, N. Andrienko, F. Giannotti, A. Monreale, and D. Pedreschi. Movement data anonymity through generalization. In Proc. of the 2 nd SIGSPATIAL ACM Worksho on Security and Privacy in GIS and LBS, 29. [3] R. Baumann, F. Legendre, and P. Sommer. Generic mobility simulation framework (GMSF). In Proc. of the st ACM SIGMOBILE Worksho on Mobility Models, 28. [4] J. Bonneau and S. Preibusch. The Privacy Jungle: On the Market for Data Protection in Social Networks. In The 8 th Worksho on the Economics of Information Security (WEIS), 29. [5] N. Cohn. Real-time traffic information and navigation: An oerational system. Intelligent Transortation Systems and VehicleHighway Automation, 29. [6] M. Duckham and L. Kulik. A formal model of obfuscation and negotiation for location rivacy. In Proc. of the 3 rd Pervasive Comuting Conference (PERVASIVE), 25. [7] R. K. Ganti, N. Pham, Y. Tsai, and T. Abdelzaher. PoolView: stream rivacy for grassroots articiatory sensing. In Proceedings of the 6 th ACM conference on Embedded Network Sensor Systems (SenSys), ages , 28. [8] R. Geambasu, T. Kohno, A. Levy, and H. M. Levy. Vanish: Increasing data rivacy with self-destructing data. In USENIX Security Symosium, 29. [9] B. Gedik and L. Liu. Protecting Location Privacy with Personalized k-anonymity: Architecture and Algorithms. IEEE Transactions on Mobile Comuting, 7, January. [] B. Gedik and L. Liu. Protecting Location Privacy with Personalized k-anonymity: Architecture and Algorithms. IEEE Transactions on Mobile Comuting, 28. [] D. Goldschlag, M. Reed, and P. Syverson. Onion routing. Communications ACM, 42(2):39 4, 999. [2] M. Gruteser and D. Grunwald. Anonymous Usage of Location-Based Services Through Satial and Temoral

10 Cloaking. In Proc. of the st ACM Conference on Mobile Systems, Alications and Services (MobiSys), 23. [3] Hoh et al. Virtual tri lines for distributed rivacyreserving traffic monitoring. In Proc. of the 6 th ACM Conference on Mobile Systems, Alications and Services (MobiSys), 28. [4] R. Hull, B. Kumar, D. Lieuwen, P. F. Patel-Schneider, A. Sahuguet, S. Varadarajan, and A. Vyas. Enabling Context-Aware and Privacy-Conscious User Data Sharing. In Proc. of the 5 th IEEE Conference on Mobile Data Management (MDM), 24. [5] R. Jain. The Art of Comuter Systems Performance Analysis: Techniques for Exerimental Design, Measurement, Simulation, and Modeling. Wiley- Interscience, 99. [6] H. Kido, Yutaka, Yanagisawa, and T. Satoh. An Anonymous Communication Technique using Dummies for Location-based Services. In Proc. of the 2 nd International Conference on Pervasive Services (ICPS), ages 88 97, 25. [7] L. Pareschi, D. Riboni, A. Agostini, and C. Bettini. Comosition and Generalization of Context Data for Privacy Preservation. In Proc. of the 6 th IEEE Conference on Pervasive Comuting and Communications (PerCom), 28. [8] A. Pentland, D. Lazer, D. Brewer, and T. Heibeck. Using reality mining to imrove ublic health and medicine. Studies in Health Technology and Informatics, 29. [9] A. Pingley, W. Yu, N. Zhang, X. Fu, and W. Zhao. CAP: A Context-Aware Privacy Protection System for Location-Based Services. In Proceedings of the 29 th IEEE International Conference on Distributed Comuting Systems, ages 49 57, 29. [2] D. Riboni, L. Pareschi, and C. Bettini. Privacy in Georeferenced Context-Aware Services: A Survey. 29. [2] A. Sevtsuk and C. Ratti. Does urban mobility have a daily routine? learning from the aggregate data of mobile networks. Journal of Urban Technology, 2. [22] P. Shankar, V. Ganaathy, and L. Iftode. Privately querying location-based services with SybilQuery. In Proc. of the th ACM Conference on Ubiquitous comuting (Ubicom), ages 3 4, 29. [23] D. Wenliang and Z. Zhan. Using randomized resonse techniques for rivacy-reserving data mining. In Proc. of the 9 th ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD), 23.