Journal ArticleDOI

Protecting Location Privacy with Personalized k-Anonymity: Architecture and Algorithms

01 Jan 2008 - IEEE Transactions on Mobile Computing (IEEE) - Vol. 7, Iss. 1, pp. 1-18
TL;DR: A scalable architecture for protecting the location privacy from various privacy threats resulting from uncontrolled usage of LBSs is described, including the development of a personalized location anonymization model and a suite of location perturbation algorithms.
Abstract: Continued advances in mobile networks and positioning technologies have created a strong market push for location-based applications. Examples include location-aware emergency response, location-based advertisement, and location-based entertainment. An important challenge in the wide deployment of location-based services (LBSs) is the privacy-aware management of location information, providing safeguards for location privacy of mobile clients against vulnerabilities for abuse. This paper describes a scalable architecture for protecting the location privacy from various privacy threats resulting from uncontrolled usage of LBSs. This architecture includes the development of a personalized location anonymization model and a suite of location perturbation algorithms. A unique characteristic of our location privacy architecture is the use of a flexible privacy personalization framework to support location k-anonymity for a wide range of mobile clients with context-sensitive privacy requirements. This framework enables each mobile client to specify the minimum level of anonymity that it desires and the maximum temporal and spatial tolerances that it is willing to accept when requesting k-anonymity-preserving LBSs. We devise an efficient message perturbation engine to implement the proposed location privacy framework. The prototype that we develop is designed to be run by the anonymity server on a trusted platform and performs location anonymization on LBS request messages of mobile clients such as identity removal and spatio-temporal cloaking of the location information. We study the effectiveness of our location cloaking algorithms under various conditions by using realistic location data that is synthetically generated from real road maps and traffic volume data. 
Our experiments show that the personalized location k-anonymity model, together with our location perturbation engine, can achieve high resilience to location privacy threats without introducing any significant performance penalty.
Citations
Proceedings ArticleDOI
01 Sep 2006
TL;DR: Zhang et al. as mentioned in this paper presented Casper, a new framework in which mobile and stationary users can entertain location-based services without revealing their location information, which consists of two main components, the location anonymizer and the privacy-aware query processor.
Abstract: This paper tackles a major privacy concern in current location-based services where users have to continuously report their locations to the database server in order to obtain the service. For example, a user asking about the nearest gas station has to report her exact location. With untrusted servers, reporting the location information may lead to several privacy threats. In this paper, we present Casper, a new framework in which mobile and stationary users can entertain location-based services without revealing their location information. Casper consists of two main components, the location anonymizer and the privacy-aware query processor. The location anonymizer blurs the users' exact location information into cloaked spatial regions based on user-specified privacy requirements. The privacy-aware query processor is embedded inside the location-based database server in order to deal with the cloaked spatial areas rather than the exact location information. Experimental results show that Casper achieves high quality location-based services while providing anonymity for both data and queries.

1,239 citations

BookDOI
01 Oct 2011
TL;DR: This book presents an overview on both fundamentals and the state-of-the-art research inspired by spatial trajectory data, as well as a special focus on trajectory pattern mining, spatio-temporal data mining and location-based social networks.
Abstract: Spatial trajectories have been bringing the unprecedented wealth to a variety of research communities. A spatial trajectory records the paths of a variety of moving objects, such as people who log their travel routes with GPS trajectories. The field of moving objects related research has become extremely active within the last few years, especially with all major database and data mining conferences and journals. Computing with Spatial Trajectories introduces the algorithms, technologies, and systems used to process, manage and understand existing spatial trajectories for different applications. This book also presents an overview on both fundamentals and the state-of-the-art research inspired by spatial trajectory data, as well as a special focus on trajectory pattern mining, spatio-temporal data mining and location-based social networks. Each chapter provides readers with a tutorial-style introduction to one important aspect of location trajectory computing, case studies and many valuable references to other relevant research work. Computing with Spatial Trajectories is designed as a reference or secondary text book for advanced-level students and researchers mainly focused on computer science and geography. Professionals working on spatial trajectory computing will also find this book very useful.

564 citations


Cites background or methods from "Protecting Location Privacy with Pe..."

  • ...tasks and thus can be extended for trajectory data reduction [19, 22, 20, 21]....


  • ...Spatial databases [19, 76, 130, 142], where the data items may have dimensionality and extent, but are (relatively) static over time; 2....


  • ...sliding window algorithm developed for time series data mining can be adapted for trajectory approximation [19, 24]....


  • ...One version of T-query is to discover common sub-trajectories [20, 19] and another version targets the problem...


  • ...Identifying these regions with R-query is important in trajectory clustering [19, 17]....


Proceedings ArticleDOI
08 Jul 2014
TL;DR: Evaluation results show that the proposed DLS algorithm can significantly improve the privacy level in terms of entropy, and an enhanced-DLS algorithm that can enlarge the cloaking region while keeping similar privacy level as the DLS algorithms.
Abstract: Location-Based Service (LBS) has become a vital part of our daily life. While enjoying the convenience provided by LBS, users may lose privacy since the untrusted LBS server has all the information about users in LBS and it may track them in various ways or release their personal data to third parties. To address the privacy issue, we propose a Dummy-Location Selection (DLS) algorithm to achieve k-anonymity for users in LBS. Different from existing approaches, the DLS algorithm carefully selects dummy locations considering that side information may be exploited by adversaries. We first choose these dummy locations based on the entropy metric, and then propose an enhanced-DLS algorithm, to make sure that the selected dummy locations are spread as far as possible. Evaluation results show that the proposed DLS algorithm can significantly improve the privacy level in terms of entropy. The enhanced-DLS algorithm can enlarge the cloaking region while keeping similar privacy level as the DLS algorithm.

I. INTRODUCTION
With the rapid development of mobile devices and social networks, Location-Based Service (LBS) has become a vital part in our daily activities in recent years. With smartphones or tablets, users can download location-based applications from Apple Store or Google Play Store. With the help of these

386 citations

Proceedings ArticleDOI
Yonghui Xiao, Li Xiong
12 Oct 2015
TL;DR: A new definition, "δ-location set" based differential privacy, is proposed, to account for the temporal correlations in location data and a planar isotropic mechanism (PIM) for location perturbation, which is the first mechanism achieving the lower bound of differential privacy.
Abstract: Concerns on location privacy frequently arise with the rapid development of GPS-enabled devices and location-based applications. While spatial transformation techniques such as location perturbation or generalization have been studied extensively, most techniques rely on syntactic privacy models without rigorous privacy guarantee. Many of them only consider static scenarios or perturb the location at single timestamps without considering temporal correlations of a moving user's locations, and hence are vulnerable to various inference attacks. While differential privacy has been accepted as a standard for privacy protection, applying differential privacy in location based applications presents new challenges, as the protection needs to be enforced on the fly for a single user and needs to incorporate temporal correlations between a user's locations. In this paper, we propose a systematic solution to preserve location privacy with rigorous privacy guarantee. First, we propose a new definition, "δ-location set" based differential privacy, to account for the temporal correlations in location data. Second, we show that the well-known l1-norm sensitivity fails to capture the geometric sensitivity in multidimensional space and propose a new notion, sensitivity hull, based on which the error of differential privacy is bounded. Third, to obtain the optimal utility we present a planar isotropic mechanism (PIM) for location perturbation, which is the first mechanism achieving the lower bound of differential privacy. Experiments on real-world datasets also demonstrate that PIM significantly outperforms baseline approaches in data utility.

322 citations

Journal ArticleDOI
TL;DR: Overall the proposed IT solution, which delivers a personalized service but avoids transmitting users' personal information to third parties, reduces users' perceptions that their information boundaries are being intruded upon, thus mitigating the personalization--privacy paradox and increasing both process and content gratification.
Abstract: Privacy has been an enduring concern associated with commercial information technology (IT) applications, in particular regarding the issue of personalization. IT-enabled personalization, while potentially making the user computing experience more gratifying, often relies heavily on the user's personal information to deliver individualized services, which raises the user's privacy concerns. We term the tension between personalization and privacy, which follows from marketers exploiting consumers' data to offer personalized product information, the personalization--privacy paradox. To better understand this paradox, we build on the theoretical lenses of uses and gratification theory and information boundary theory to conceptualize the extent to which privacy impacts the process and content gratifications derived from personalization, and how an IT solution can be designed to alleviate privacy concerns. Set in the context of personalized advertising applications for smartphones, we propose and prototype an IT solution, referred to as a personalized, privacy-safe application, that retains users' information locally on their smartphones while still providing them with personalized product messages. We validated this solution through a field experiment by benchmarking it against two more conventional applications: a base nonpersonalized application that broadcasts non-personalized product information to users, and a personalized, nonprivacy safe application that transmits user information to a central marketer's server. The results show that (compared to the non-personalized application), while personalized, privacy-safe or not increased application usage (reflecting process gratification), it was only when it was privacy-safe that users saved product messages (reflecting content gratification) more frequently. 
Follow-up surveys corroborated these nuanced findings and further revealed the users' psychological states, which explained our field experiment results. We found that saving advertisements for content gratification led to a perceived intrusion of information boundary that made users reluctant to do so. Overall our proposed IT solution, which delivers a personalized service but avoids transmitting users' personal information to third parties, reduces users' perceptions that their information boundaries are being intruded upon, thus mitigating the personalization--privacy paradox and increasing both process and content gratification.

318 citations


Cites background or methods from "Protecting Location Privacy with Pe..."

  • ...…a field experiment that provided users with our self-designed applications to assess their response in the actual commercial context, and corroborated our findings through surveys to gain more robust understandings that incorporate both the perceptual beliefs and the actual behaviors of users....


  • ...One such stream attempts to design security solutions, such as anonymizing techniques (e.g., Bulander et al. 2005; Gedik and Liu 2008) and peer-to-peer user agents (e.g., Brar and Kay 2004)—to ensure the transmission of user information over communication networks is properly handled, but these…...


  • ...…and that such a stream would be a good complement to the extant research focused on ensuring data transmission security (e.g., Brar and Kay 2004; Gedik and Liu 2008) and on providing users with the assurance that the information transmitted about them will not be abused (e.g., Andrade et al.…...


References
Journal ArticleDOI
TL;DR: The solution provided in this paper includes a formal protection model named k-anonymity and a set of accompanying policies for deployment and examines re-identification attacks that can be realized on releases that adhere to k-anonymity unless accompanying policies are respected.
Abstract: Consider a data holder, such as a hospital or a bank, that has a privately held collection of person-specific, field structured data. Suppose the data holder wants to share a version of the data with researchers. How can a data holder release a version of its private data with scientific guarantees that the individuals who are the subjects of the data cannot be re-identified while the data remain practically useful? The solution provided in this paper includes a formal protection model named k-anonymity and a set of accompanying policies for deployment. A release provides k-anonymity protection if the information for each person contained in the release cannot be distinguished from at least k-1 individuals whose information also appears in the release. This paper also examines re-identification attacks that can be realized on releases that adhere to k-anonymity unless accompanying policies are respected. The k-anonymity protection model is important because it forms the basis on which the real-world systems known as Datafly, µ-Argus and k-Similar provide guarantees of privacy protection.

7,925 citations


"Protecting Location Privacy with Pe..." refers background in this paper

  • ...…location with identity, such as person A lives in location L, and if it observes that all request messages within location L are from a single user, then it can infer that the identity of the user requesting the roadside information service is A....


Proceedings ArticleDOI
01 May 1990
TL;DR: The R*-tree is designed which incorporates a combined optimization of area, margin and overlap of each enclosing rectangle in the directory which clearly outperforms the existing R-tree variants.
Abstract: The R-tree, one of the most popular access methods for rectangles, is based on the heuristic optimization of the area of the enclosing rectangle in each inner node. By running numerous experiments in a standardized testbed under highly varying data, queries and operations, we were able to design the R*-tree which incorporates a combined optimization of area, margin and overlap of each enclosing rectangle in the directory. Using our standardized testbed in an exhaustive performance comparison, it turned out that the R*-tree clearly outperforms the existing R-tree variants: Guttman's linear and quadratic R-tree and Greene's variant of the R-tree. This superiority of the R*-tree holds for different types of queries and operations, such as map overlay, for both rectangles and multidimensional points in all experiments. From a practical point of view the R*-tree is very attractive because of the following two reasons: (1) it efficiently supports point and spatial data at the same time and (2) its implementation cost is only slightly higher than that of other R-trees.

4,686 citations

Journal ArticleDOI
TL;DR: A novel system for the location of people in an office environment is described, where members of staff wear badges that transmit signals providing information about their location to a centralized location service, through a network of sensors.
Abstract: A novel system for the location of people in an office environment is described. Members of staff wear badges that transmit signals providing information about their location to a centralized location service, through a network of sensors. The paper also examines alternative location techniques, system design issues and applications, particularly relating to telephone call routing. Location systems raise concerns about the privacy of an individual and these issues are also addressed.

4,315 citations


"Protecting Location Privacy with Pe..." refers methods in this paper

  • ...According to the report by the Computer Science and Telecommunications Board in IT Roadmap to a Geospatial Future [3], location-based services (LBSs) are expected to form an important part of the future computing environments that will be seamlessly and ubiquitously integrated into our lives....


Proceedings ArticleDOI
05 May 2003
TL;DR: A middleware architecture and algorithms that can be used by a centralized location broker service that adjusts the resolution of location information along spatial or temporal dimensions to meet specified anonymity constraints based on the entities who may be using location services within a given area.
Abstract: Advances in sensing and tracking technology enable location-based applications but they also create significant privacy risks. Anonymity can provide a high degree of privacy, save service users from dealing with service providers’ privacy policies, and reduce the service providers’ requirements for safeguarding private information. However, guaranteeing anonymous usage of location-based services requires that the precise location information transmitted by a user cannot be easily used to re-identify the subject. This paper presents a middleware architecture and algorithms that can be used by a centralized location broker service. The adaptive algorithms adjust the resolution of location information along spatial or temporal dimensions to meet specified anonymity constraints based on the entities who may be using location services within a given area. Using a model based on automotive traffic counts and cartographic material, we estimate the realistically expected spatial resolution for different anonymity constraints. The median resolution generated by our algorithms is 125 meters. Thus, anonymous location-based requests for urban areas would have the same accuracy currently needed for E-911 services; this would provide sufficient resolution for wayfinding, automated bus routing services and similar location-dependent services.

2,430 citations


"Protecting Location Privacy with Pe..." refers background in this paper

  • ...An adversary can utilize such location information to infer details about the private life of an individual such as their political affiliations, alternative lifestyles, or medical problems [8] or the private businesses of an organization such as new business initiatives and partnerships....


  • ...…data, the CyberGuide [5] project investigates context-aware location-based electronic guide assistants, and the Federal Communications Commission (FCC)’s Phase II E911 requires wireless carriers to provide precise location information within 125 m in most cases for emergency purposes [6]....


  • ...For instance, the NextBus [4] service provides location-based transportation data, the CyberGuide [5] project investigates context-aware location-based electronic guide assistants, and the Federal Communications Commission (FCC)’s Phase II E911 requires wireless carriers to provide precise location…...


  • ...By semihonest we mean that the third-party LBS providers are honest and can correctly process and respond to messages, but are curious in that they may attempt to determine the identity of a user based on what they “see,” which includes information in the physical world that can lead to…...


  • ...If a user submits her service request messages with raw position information, the privacy of the user can be compromised in several ways, assuming that the LBS providers are not trusted but semihonest....


Journal ArticleDOI
TL;DR: This paper addresses the problem of releasing microdata while safeguarding the anonymity of respondents to which the data refer and introduces the concept of minimal generalization that captures the property of the release process not distorting the data more than needed to achieve k-anonymity.
Abstract: Today's globally networked society places great demands on the dissemination and sharing of information. While in the past released information was mostly in tabular and statistical form, many situations call for the release of specific data (microdata). In order to protect the anonymity of the entities (called respondents) to which information refers, data holders often remove or encrypt explicit identifiers such as names, addresses, and phone numbers. Deidentifying data, however, provides no guarantee of anonymity. Released information often contains other data, such as race, birth date, sex, and ZIP code, that can be linked to publicly available information to reidentify respondents and inferring information that was not intended for disclosure. In this paper we address the problem of releasing microdata while safeguarding the anonymity of respondents to which the data refer. The approach is based on the definition of k-anonymity. A table provides k-anonymity if attempts to link explicitly identifying information to its content map the information to at least k entities. We illustrate how k-anonymity can be provided without compromising the integrity (or truthfulness) of the information released by using generalization and suppression techniques. We introduce the concept of minimal generalization that captures the property of the release process not distorting the data more than needed to achieve k-anonymity, and present an algorithm for the computation of such a generalization. We also discuss possible preference policies to choose among different minimal generalizations.

2,291 citations