TRANSCRIPT
Anonymizing User Location and Profile Information
for Privacy-aware Mobile Services
Masanori Mano, Yoshiharu Ishikawa
Nagoya University
11/2/2010
1
Outline
1. Background & Motivation
2. Related Work
3. System Framework
4. Matching Degree
5. Algorithm
6. Experimental Evaluation
7. Conclusions and Future work
BACKGROUND & MOTIVATION
Location-Based Services (LBSs)
[Figure: a mobile user asks "Where is the nearest café?"; location-based services build on positioning technologies, mobile communication and database technologies]
Profile-Based LBSs
• LBSs typically utilize user locations and map information
– Finding nearby restaurants
– Presenting a map around the user
– Computing the best route to the destination
• Use of user profiles (the user's properties) can improve the quality of service
– Property- and location-based services
– Application areas
• Mobile shopping
• Mobile advertisements
Example: Mobile Advertisements
• Provides local ads to mobile users
– Example: Announcement of time-limited sales of nearby shops
• Use of user profiles
– Properties: age, sex, address, marital status, etc.
– Send selected ads to the appropriate persons
• Example (Alice): {sex: F, age: 28, has_kids: yes}
– Cosmetics for women: good
– Computers: maybe
– Cosmetics for men: bad
– Toys for kids: good
Example: Mobile Advertisements (storyboard)
1. Alice came to a shopping mall. [Figure: Alice, Shopping Mall, Mobile Ads Provider]
2. Alice wanted ads. [Figure: Alice, Shopping Mall, Mobile Ads Provider]
3. The anonymizer constructs a cloaked region and sends Alice's properties to the Mobile Ads Provider. [Figure: Cloaked Region; request with (sex: F, age: 28, …)]
4. The ads provider returns selected ads for Alice. [Figure: Alice, Mobile Ads Provider]
5. But Alice is the only female within the cloaked region. [Figure: Cloaked Region, Security Camera, Mobile Ads Provider]
6. If an adversary obtains this information, he can identify the target user. [Figure: Adversary gets information from the Security Camera and the Mobile Ads Provider, then identifies the user]
7. In this anonymization, the adversary can't identify the user. [Figure: Security Camera, Adversary, Mobile Ads Provider; can't identify]
RELATED WORK
Related Work (1)
• Techniques for location anonymity are classified into two extreme types [Ling Liu, 2009]
– Anonymous location services: Only consider user locations
– Identity-driven location services: Also consider user identities
• Our method lies between the two extremes, but considers user properties
– Another dimension
[Figure: horizontal axis Anonymous – Partial Identity – Identity-driven; vertical axis No User Properties – Use of User Properties; Our Approach is placed at Partial Identity with Use of User Properties]
Related Work (2)
• k-anonymity is the most popular approach in the proposals for location anonymity
– The user's location is indistinguishable from the locations of at least k – 1 other users
• Our approach is also based on the concept of k-anonymity
– Extended by considering user properties
Related Work (3)
• Various approaches to anonymous location services
• Casper [Mokbel+06]: The anonymizer utilizes a grid-based pyramid data structure similar to a quad-tree
• PrivacyGrid [Bamba+08]: Computes the cloaked region by dynamic cell expansion
• XStar [Wang+09]: Intended for automobiles on road networks
SYSTEM FRAMEWORK
System Architecture (1)
• There is a service called Matchmaker between users and ads providers
• Roles of Matchmaker
– Maintains user & ad profiles
– Matchmaking: Recommend good ads for a given ads request
– Anonymization of locations and user properties
[Figure: several Users on one side, several Ads Providers (each holding Ads) on the other, with the Matchmaker in between]
System Architecture (2)
• Matchmaker is a trusted third-party server
• Given an ad request, Matchmaker sends an anonymized request to the ads providers
– Use of the user's profile/location and the ad profiles
– Even if some providers are untrusted, the user's privacy is protected
[Figure: User sends raw data to Matchmaker over a trusted route; Matchmaker sends anonymized data to the Ads provider]
User Profile
• Represents the user's properties
– k : minimum population
• A cloaked region should contain at least k users
– l : minimum length
• Minimum length of each side of a cloaked region (square)
– s : distance threshold
• The user wants ads within this distance
– Additional attributes (e.g., age and sex)
• Value ranges are specified

ID | k | l  | s  | age   | sex
u1 | 3 | 40 | 20 | 20-25 | M-M
u2 | 4 | 30 | 10 | 10-29 | F-*

[Figure: a square cloaked region of side l containing k users, and the distance threshold s around the user]
Advertisement Profile
• Represents the properties of each advertisement
• An advertisement that satisfies the following conditions should be sent
– The ad area overlaps with the user's requesting area
– Other properties (age and sex) match (overlap) the user's properties

ID | ad area              | age     | sex
a1 | (100, 200, 400, 500) | [20, 29] | M
a2 | (500, 500, 700, 700) | [60, ∞]  | *

[Figure: ad areas Ad1 and Ad2 and the user's requesting area of radius s]
MATCHING DEGREE
Motivation: Bad Anonymization
• The cloaked region contains aged and young, male and female users
– The properties of the region are vague
• The ads provider has a cosmetics ad for females
• The ads provider may ask: Is it valuable to send the ad?
[Figure: the ads provider sees a region with Age: young to aged, Sex: * (all) and wonders whether to send the ad]
Motivating Example: Good Anonymization
• Good anonymization would be that the users in the cloaked region have similar properties to the target user
– Matching degree is introduced as a similarity measure
[Figure: Bad Anonymization (different sex, different age) versus Good Anonymization (similar sex and age)]
Matching Degree
• A matching degree is computed as the overlapped area of attribute values
– Range: [0, 1]
– Treated as if it were a probability value
[Figure: attribute values of the target user and of the other user, with their overlapped area]
Matching Degree for Spatial Attributes
Matching Degree for Interval Attributes
Matching Degree
name  | age
Alice | 21-30
Bob   | 21-25
Dave  | 61-80

Target user is Bob, compared user is Alice: match = 1.0
Target user is Alice, compared user is Bob: match = 0.5
Target user is Dave, compared user is Alice: match = 0.0

$P_j = \dfrac{\text{length}(\text{overlap}(I_j, I'_j))}{\text{length}(I_j)}$

where $I_j$ is attribute $j$ of the target user and $I'_j$ is the same attribute of the compared user
ANONYMIZATION ALGORITHM
Anonymity Conditions
• The cloaked region contains the target user
• The region contains at least k – 1 other users
• The length of each side of the region is longer than l
• The matching degrees between the target user and the k – 1 users are more than a certain threshold value
[Figure: a square cloaked region of side l containing the target user and k – 1 other users]
Anonymization Process
1. Consider a rectangular region centered on the target user
2. Randomly select one user as a seed from the users within the region
3. Compute a rectangle around the seed
4. If the rectangle contains at least k users with good matching degrees, the anonymization is completed
[Figure: query user Q and nearby users A, B, C, D, E, F]
Anonymization Example
• Alice requires an ad
– k = 3
– Threshold for matching degree = 0.5
[Figure: Alice and the nearby users Joe, Kent, Dave, Mary, Mike]
• Matching degrees against Alice
– Alice is a young woman: match = 1.0
– Mary is also a young woman: match = 1.0
– Kent is a young man: match = 0.5
– Joe is an aged man: match = 0.0
– Dave and Mike are middle-aged men: match = 0.2
• A region centered on Alice contains Kent and Mike
• We assume that Kent is selected as the seed user
• Compute the region around Kent
• Check whether the anonymization is appropriate
• The cloaked region contains three users with good matching degrees
• We can't detect the target user: Alice, Kent and Mary are all young persons
• It is a good anonymization: all that can be learned is that the target user is a young person
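The matching degree and the four-step anonymization process above, as an added Python example that is not code from the original talk. It assumes attribute values are closed integer intervals counted inclusively (so 21-30 has length 10, reproducing the 0.5 for Alice versus Bob), that per-attribute degrees are averaged across attributes (an assumption chosen because it reproduces the 0.5 for Kent in the walkthrough), that both rectangles are squares of side l, and that a failed seed is retried with the next one; the users, positions and intervals are constructed.

```python
import random
from dataclasses import dataclass

@dataclass
class User:
    name: str
    x: float
    y: float
    attrs: dict        # attribute name -> (low, high), closed integer interval

def interval_length(iv):
    lo, hi = iv
    return max(0, hi - lo + 1)      # inclusive counting: (21, 30) has length 10

def attribute_match(target_iv, other_iv):
    """Overlap length divided by the target user's interval length (range [0, 1])."""
    overlap = (max(target_iv[0], other_iv[0]), min(target_iv[1], other_iv[1]))
    return interval_length(overlap) / interval_length(target_iv)

def matching_degree(target, other):
    """Assumption: per-attribute degrees are averaged over the attributes."""
    degrees = [attribute_match(target.attrs[a], other.attrs[a]) for a in target.attrs]
    return sum(degrees) / len(degrees)

def in_square(u, cx, cy, side):
    half = side / 2
    return abs(u.x - cx) <= half and abs(u.y - cy) <= half

def cloak(users, target, k, l, threshold, rng=random):
    """Steps 1-4 of the anonymization process; returns (cx, cy, side) or None."""
    candidates = [u for u in users if in_square(u, target.x, target.y, l)]   # step 1
    rng.shuffle(candidates)                                                  # step 2
    for seed in candidates:                  # assumption: retry with the next seed on failure
        inside = [u for u in users if in_square(u, seed.x, seed.y, l)]       # step 3
        if not any(u is target for u in inside):
            continue                         # the region must contain the target user
        good = [u for u in inside if matching_degree(target, u) >= threshold]
        if len(good) >= k:                   # step 4: target plus at least k-1 similar users
            return (seed.x, seed.y, l)
    return None

# Constructed users mirroring the walkthrough; sex is encoded as F = (0, 0), M = (1, 1)
ALICE = User("Alice", 0, 0, {"age": (21, 40), "sex": (0, 0)})
MARY = User("Mary", 8, 1, {"age": (21, 40), "sex": (0, 0)})
KENT = User("Kent", 4, 0, {"age": (21, 40), "sex": (1, 1)})
JOE = User("Joe", -9, -9, {"age": (61, 80), "sex": (1, 1)})
DAVE = User("Dave", 0, 9, {"age": (33, 40), "sex": (1, 1)})
MIKE = User("Mike", -3, 2, {"age": (33, 40), "sex": (1, 1)})
USERS = [ALICE, MARY, KENT, JOE, DAVE, MIKE]
```

With k = 3, l = 10 and threshold 0.5, only Kent succeeds as a seed: his square holds Alice, Kent and Mary, all with degree ≥ 0.5, while Alice's own square holds only two such users.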
EXPERIMENTAL EVALUATION
Experimental Evaluation
• CPU 2.8GHz
• RAM 512MB
• Linux
• Evaluation on synthetic data

Experimental Settings
Property                  | Value
Target area               | [(0.0, 0.0), (100.0, 100.0)]
No. of users              | 1000
k                         | [5, 10]
l                         | [2.0, 10.0]
s                         | [0.1, 5.0]
No. of profile attributes | 2
Attribute value           | [0, 1], [0, 2], [0, 3], [0, 4], [1, 2], [1, 3], [1, 4], [2, 3], [2, 4], [3, 4] (chosen randomly)
Threshold Values and Success Rates
• Matchmaker specifies a threshold value of the matching degree
– Find out an appropriate threshold
• Success rate is sensitive to population
– Need to change the threshold flexibly
• An anonymization is successful if the cloaked region contains at least k users with a good matching degree (i.e., ≧ threshold)
Computation Time
• We compare the computation times of two approaches
– Compute matching degrees
– Do not compute matching degrees: only consider the number of users
• Computing matching degrees takes more than twice the time
– We'll try to improve the algorithms for computing matching degrees
[Figure: Computation Time (ms) versus Number of Users (1000, 5000, 100000); series: Computed, Not Computed]
CONCLUSIONS & FUTURE WORK
Conclusions and Future work
Conclusions
– Proposed an approach to anonymization for LBSs
– Utilizing user profiles to specify users' properties and anonymization preferences
– Property-aware anonymization using matching degrees
Future work
– More experimental evaluation
– Improving the algorithm
Thank you