efficient location privacy-aware forwarding in opportunistic mobile networks

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 63, NO. 2, FEBRUARY 2014 893

Efficient Location Privacy-Aware Forwarding inOpportunistic Mobile Networks

Sameh Zakhary, Milena Radenkovic, and Abderrahim Benslimane, Senior Member, IEEE

Abstract—This paper proposes a novel fully distributed andcollaborative k-anonymity protocol (LPAF) to protect users’ lo-cation information and ensure better privacy while forwardingqueries/replies to/from untrusted location-based service (LBS)over opportunistic mobile networks (OppMNets). We utilize alightweight multihop Markov-based stochastic model for locationprediction to guide queries toward the LBS’s location and toreduce required resources in terms of retransmission overheads.We develop a formal analytical model and present theoreticalanalysis and simulation of the proposed protocol performance. Wefurther validate our results by performing extensive simulationexperiments over a pseudorealistic city map using map-basedmobility models and using real-world data trace to compare LPAFto existing location privacy and benchmark protocols. We showthat LPAF manages to keep higher privacy levels in terms ofk-anonymity and quality of service in terms of success ratio anddelay, as compared with other protocols, while maintaining loweroverheads. Simulation results show that LPAF achieves up to an11% improvement in success ratio for pseudorealistic scenarios,whereas real-world data trace experiments show up to a 24%improvement with a slight increase in the average delay.

Index Terms—Anonymity, distributed computing, location pri-vacy, mobile ad hoc network.

I. INTRODUCTION

INCORPORATING location information in mobile networkshas sparked many innovative applications, such as [1]

and [2]. However, privacy-conscious users are more awareof the potential risks of such widely accessible informationand tracking capability [3]. Ensuring users’ location privacywhile accessing location-based services (LBSs) in Opportunis-tic Mobile Networks (OppMNets) is a challenging problem dueto sharing of users’ location information to receive tailoredservices. Users cannot typically rely on a trusted third party(TTP) to anonymize or obfuscate their location informationdue to the frequent disconnections from the infrastructure.Communication in OppMNets relies on multihop store-carry-forward transfer between mobile devices when they are in thecommunication area of each other (i.e., when an encounteroccurs).

Manuscript received December 22, 2012; revised May 13, 2013 and July 23,2013; accepted July 24, 2013. Date of publication August 26, 2013; date ofcurrent version February 12, 2014. The review of this paper was coordinatedby Prof. Y. Zhang.

S. Zakhary and M. Radenkovic are with the School of Computer Sci-ence, The University of Nottingham, Nottingham NG8 1BB, U.K. (e-mail:[email protected]; [email protected]).

A. Benslimane is in secondment from the University of Avignon, Avignon,France, currently, within French Ministry of European and Foreign Affairs, theFrench University in Egypt (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2013.2279671

This paper is concerned with the source k-anonymity lo-cation privacy when contacting an LBS in OppMNet throughobfuscation [4]. We focus on a class of LBSs that does notrequire user identity to provide the service. Other anonymityand security aspects in OppMNet are outside the scope of thispaper. We utilize a stochastic model for location predicationand propose a lightweight Markov model to drive the privacy-preserving protocol. We recognize two possibilities based onwhether the nodes are capable of knowing their exact location(such as GPS coordinates). For the first case where the nodesare able to detect their exact location coordinates, inspired by[5], we propose a path prediction maintained locally at theindividual nodes using Markov model proximity. As for thesecond case where the nodes are unable to determine theirexact location coordinates, we use the recorded IDs for thesighting of fixed infrastructure points (either access points orGlobal System for Mobile Communications cell IDs) as thelocation identifier. Unlike [5], our proposed model utilizesmultihop prediction. Nodes exchange their local predictionsand that of their own friends when they meet each other, duringopportunistic encounters, to help obtain more accurate/updatedprediction estimate through shared knowledge exchanged in adistributed way.

Due to OppMNet challenges, users need to utilize eachencounter and leverage the social relationships efficiently withother nodes. Intelligent location predication is needed to betterenable queries to reach their final destination (LBS) duringthe obfuscation phase and, hence, increase efficiency (i.e., byincreasing overall network success ratio and decreasing numberof retransmissions and query delays). In this paper, we presenta forwarding protocol that aims to balance between the fol-lowing: 1) increasing users’ location privacy (k-anonymity);2) maintaining high quality of service (success ratio and delay);and 3) using limited resources (retransmission overhead). Weassume that users trust their friends in their social group withproviding location obfuscation when an encounter happens.During obfuscation, a node that carries a number of queriesto obfuscate searches for the best neighbors to forward thesequeries to increase the source privacy by keeping the querywithin the social group.

The three major contributions of this paper can be summa-rized as follows.

1) We present LPAF, i.e., a k-anonymity-based protocol,offering protection to the users’ location information andbetter privacy while forwarding queries/replies to/fromuntrusted LBS in OppMNet.

2) We develop a lightweight multihop Markov-basedlocation prediction model to adaptively inform the

0018-9545 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

894 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 63, NO. 2, FEBRUARY 2014

obfuscation protocol to achieve higher privacy throughmobile node limited/temporal neighborhood knowledge.

3) We present a formal mathematical model to analyticallyevaluate and simulate the proposed location-privacy pro-tocol in OppMNet.

The rest of this paper is organized as follows. Section IIpresents protocol design and underlying metrics. Section IIIpresents analytical analysis, including the model and its evalua-tion. In Section IV, we show performance evaluation comparingthe proposed protocol to other benchmark and contemporarylocation-privacy protocols in pseudorealistic simulation andusing real-world data traces. Section V presents related work,whereas Section VI concludes this paper.

II. ACHIEVING k-ANONYMITY WITH

LOCATION PRIVACY-AWARE FORWARDING

IN OPPORTUNISTIC MOBILE NETWORKS

Many LBSs are being delivered over OppMNet for threereasons.

1) As infrastructure coverage is not always available inurban congested areas and in most rural developing areas,LBS discovery and delivery over opportunistic networkshas gained considerable focus [6].

2) Users interested in location-specific information (e.g.,query social events [7] or location-based news [8]) wouldnormally be within a specific geographical location areafor the LBS reply to reach them, and in other cases, thereply delay does not affect the validity for query result.

3) Using OppMNet provides a free-of-charge way to accessservices and promote digital inclusion [9] of societymembers to bring equality between poor/deprived peopleand those from richer backgrounds.

Some LBS queries can have high sensitivity to delays, suchas real-time navigation for a fast-moving vehicle. However, thisis not the scope of this paper. In this paper, we focus on othertypes of queries that are less delay sensitive (e.g., a touristwho sends a query from a historical castle “which kings livedhere?”). For LBSs, delay sensitivity will largely depend on thetype of the query asked, the geographical scale for which thequery is relevant (e.g., city wide, natural reserves, or touristsattractions), and the urgency of that request.

Here, we present LPAF algorithm and introduce the differentcollaborative measures that are collected, calculated, and sharedlocally between nodes to provide obfuscation service to theirsocial group.

A. LPAF Algorithm

A user, who wishes to send a query to an LBS, searchesfor nearby friends Phigh and forwards a copy of her queryto one of the available friends. This friend then forwards thequery intrasocial group using social forwarding for a definednumber of hops k all within the user’s social group. Afterthe first k hops, the query can be forwarded using any delay-tolerant network (DTN) forwarding protocol [Spray and Wait(SnW) in this case]. This allows the source not to reveal herlocation by directly contacting the LBS but rely on the socialforwarding protocol to form an obfuscation path to the LBS.

If any intermediary node was unable to find a set of sociallymatching neighbors, then it attempts to use other more sociallydistant neighbors if they meet a lower privacy threshold Plow,and they are more likely to deliver the query to its finaldestination as predicted by their reported “multihop Markovproximity” (MMP ).

We propose two Privacy Qualities: “High Privacy” and “Besteffort Privacy.” The protocol adaptively tries to achieve one ofthese depending on the network topology (i.e., how often usersmeet their friends) and whether intermediaries have enough so-cially related neighbors to perform location obfuscation. “HighPrivacy” (Phigh = 1) refers to the source’s k-anonymity whenher query has been forwarded over at least k obfuscation hops,and all intermediate users belong to the source’s social group.“Best effort Privacy” (Plow < 1), on the other hand, refers tothe source’s k-anonymity when any of the intermediate nodesdoes not belong to the source’s social group (e.g., obfuscationcarried by friends of friends). An intermediate node aims tomaintain the source’s “High Privacy” quality while forwardinga query. It searches through the current neighbors for friendsof the source of that query and forwards the obfuscated queryto one of them. If none of the current neighbors is a friendof the source, it tries to offer “Best effort Privacy” quality byforwarding the query to one of its own friends to obfuscate,and so on. In which case, the intermediate node matches theneighbors against a lower privacy threshold and uses nodesthat pass this test. The detailed algorithm to be followed bythe source or intermediary nodes participating in obfuscationis shown in Algorithm 1 and can be explained as follows.

Algorithm 1: SENDING PRIVATE LBS QUERY USINGLPAF.

1: User of node Nr set the anonymity requirement of theLBS application Appr running on the node Nr in termsof (Plow/Phigh, k, Pc) that communicate with LBSsrvr

at different locations lr.2: Mobf ← φ, Generate node pseudoid3: for all m such that (m ∈ M) do4: if hr(m) > 0 then5: Mobf ← Mobf ∪ {m}6: else7: remove realid, path from m8: M ← M ∪ {m}9: end if

10: end for11: if Mobf = φ then go to line 37 end if12: for all Ni such that (Ni ∈ NghsCurr) do13: for all m such that (m ∈ Mobf) do14: if (path(m) ∩ {Ni}) �= φ then go to line 12 end if15: Calculate social distance sdci, multihop Markov

proximity MMPid

16: if sdci(Pc) > Phigh then17: OUTn ← OUTn ∪ {Ni,m, sdci,MMPid}18: Mobf ← Mobf \ {m}19: else if sdci(Pc) > Plow and MMPid > MMPcd

then

ZAKHARY et al.: EFFICIENT LOCATION PRIVACY-AWARE FORWARDING IN OPPORTUNISTIC MOBILE NETWORKS 895

20: OUTn ← OUTn ∪ {Ni,m, sdci,MMPid}21: Mobf ← Mobf \ {m}22: end if23: end for24: end for25: Sort OUTn by message priority, sdci, MMPid

26: for all Ti such that (Ti ∈ OUTn) do27: path(mi) ← path(mi) ∪ {Ni}28: Forward mi to Ni using DTN protocol29: Update reverse_addrtable ← reverse_addrtable ∪

{〈mi, pseudoid, realid, time〉}30: end for31: for all m such that (m ∈ Mobf) do32: if delay(mi) > delay_threshold then33: print Appr cannot send the query and maintain the

user preset location privacy requirements.34: Drop message (mi)35: end if36: end for37: for all m such that (m ∈ M) do38: Forward m using DTN forwarding39: end for40: LBSsrvr receives the LBS-query which has a location

query in (pseudoid, lr)41: LBSsrvr generates and forwards the LBS-reply through

social forwarding and send reply (pseudoid, reply)

Line 1–Line 11 is where user privacy requirements arespecified and initial preparation is carried. Line 3 goes over allincoming messages to extract queries that require obfuscation.Each query is checked for any remaining obfuscation hops. Ifmore obfuscation hops are needed, then they are added to Mobf .Else, the message has been fully obfuscated and the sourcerealid and the full path information are removed in preparationfor forwarding outside the social group. If no queries requireobfuscation, the algorithm exits.

Line 12–Line 24 is where nodes filter their neighbors anddecide on the best one to perform obfuscation. Each nodesearches for all existing neighbors and matches them withavailable queries to obfuscate Mobf . If a neighbor has alreadyobfuscated a query before, then it is not further consideredfor this query. If the current neighbor social distance meetsPhigh (i.e., “High Privacy”), then the query is scheduled forforwarding. If not, the social distance is checked against Plow,and the query is scheduled for forwarding if passed (i.e., “Besteffort Privacy”).

Line 25–Line 30 is the part of the code where obfuscationis carried out. The outgoing messages are sorted by priorityand privacy measures. For each outgoing message, the messageobfuscation path is updated, and the query is sent to that nexthop. To forward the reply back to the requester, we proposethat each node in the social group, which has been on theobfuscation path, maintains a mapping table that maintainsinformation about the obfuscated query and its source, whichis used to speed up LBS reply addressing. Each of theseentries is associated with a timeout value to keep the table sizemanageable and minimize lookup overhead.

Line 31–Line 41 are for maintenance. All expired obfus-cation messages are reported to the LBS application Apprand dropped. All remaining outgoing queries are sent usingDTN forwarding protocol. Intermediary nodes follow the sameprocess in algorithm 1 k − 1 times.

Because the LBS only knows the pseudoid of the incomingquery, it replies to pseudoid. Only the nodes on the requestobfuscation path know the realid of the requester. Forwardingof reply will use the mapping between pseudoid and realidto forward the reply back to the requester. Due to the asyn-chronous operation of forwarding in OppMNet, it is possiblethat the LBS reply never reaches any of the nodes k − 1 onthe original obfuscation path. In this case, we use a similarscheme as in [10] and [11], utilizing group labels in an attemptto reach the source of the query. The outbound node of the set ofintermediate nodes, i.e., last node number k on the obfuscationpath, removes the identity of the query source Nr and replacesit with a social group label before forwarding the query freelyto any neighboring nodes.

B. Distributed and Collaborative Measurements

Using k-anonymity attempts reducing the quality of the loca-tion information either in space (spatial) or in time (temporal),hence preventing meaningful use by various LBSs, particularlywith low user density scenarios [5]. Our idea of utilizing thesocial graph as an overlay is to provide the basis for a trustmodel between OppMNet users, where friends in a social net-work trust each other to obfuscate their location. Users build acollaborative obfuscation path over asynchronous social-basedk hop intermediate nodes. Hence, a temporal location-privacyobfuscation path is formed between the source and the LBSwhere intermediaries are the users’ own social acquaintances.As shown in algorithm 1, nodes require social awareness toselect the next hop (see Section II-B1) and location awareness(see Section II-B2) to forward queries toward the destinationLBS while building the obfuscation path.

1) Social Awareness: We utilize social links (i.e., friendshiprelations) to maintain the users’ location privacy. Here, weconsider the general case where social relations [12] are definedin terms of users’ social profile similarity [13]. The source ofthe query, or an intermediary node obfuscating it, calculatesthe social distance between the profiles of itself as i and thepossible next hop as j, under criterion Pc(sdij), which isdefined as the weighted number of matching profile attributesbetween the profiles of the two nodes (pi and pj), and it iscalculated as

sdij(Pc) =M(pi, pj , Pc)

C(pi)(1)

where function M() searches for the matching degree betweenthe two given social profiles using criterion Pc (as definedin Table I). C() returns the number of attributes in the givenprofile. pn represents the social profile of a node n. Matchingdegree reflects both the number of matched profile attributesand the weight each of these attributes in the social profile.


TABLE INOTATION REFERENCE TABLE

2) Location Awareness—Markov Proximity: We representthe location visits using first-order Markov chains as a directedweighted graph between map regions. Each map is denoted asa region R+ that is split into smaller regions with a total ofn×m squares. Each time a node moves from one region a toanother region b, the weight of the edge connecting the twovertices (a, b ∈ R+) on the graph is denoted by Eab. Theweight of each directed edge reflects the probability that thenode is going to move from the source vertex representinglocation lx(∀lx, x ∈ a) to the destination vertex representinglocation ly(∀ly, y ∈ b). Probability generation function is usinga first-order Markov model, in which the probability P (b|a) thatthe node will move to region b given that it is currently at re-gion a is

Pj(b|a) =Eab∑

l∈R+ Eal. (2)

Then, a node j is able to calculate its “Markov proximity”(MP ) as the probability of moving from the current location lcto the next location ln as the value Pj(n|c).

Assume that two socially related nodes i and j meet atlocation lj and i has a message that it wishes to obfuscatedto reach node d (the untrusted LBS). Then, node i will senda query to j asking for the estimate MPjd. Note that atthe time of encounter, the two nodes are within a Bluetoothcommunication area of about 10 m in radius; hence, we assumethat the current location is the same. MPjd query can be piggypacked on the normal transmitted data messages or inside thehello message as its size is negligible compared to the payloadsize. MPjd is calculated using (3) and is locally tracked byeach node and only shared with each node social group. Nodesonly respond and calculate MPjd for their current location toprevent external exposure of location information

MPjd =

{0, for vjd ∈ ∅Pj(ld|lj), otherwise

(3)

where vjd represents the directed edge connecting the twovertices corresponding to locations lj and ld, and the directionof movement is from lj to ld.

3) Distributed Multihop Location Obfuscation Prediction:We now consider the multilevel prediction problem, wheretwo meeting nodes wish to calculate the prediction, not onlyconsidering the probability of the other node visiting the LBSslocation directly but also using the combined probability ofall their respective contacts. For example, node A meets twonodes B and C, where A is interested in location obfuscationservice toward LBS. A asks both nodes B and C to providetheir probability to visit the LBS considering all their contacts.If node B rarely visits LBS location directly but its contacts dowith higher probability than that of node C, then node A willchose node B as the next hop and not C. More formally, let theset of nodes that B encounters over time be called Nb; then, wedefine MMP as

MMPjd(A,B) =

{0, Nb ∈ ∅α×MPjd + β ×RMP, otherwise

RMP =

∑i∈Nb

MPlid ×MPjli

Nb(4)

where α and β are weighting factors. The values of bothwill be adaptively determined depending on the stage of theobfuscation phase. Let k be the privacy requirements indicatingthe obfuscation path length and hr be the remaining numberof obfuscation hops to achieve this privacy requirement. Thisallows intermediate nodes to use multihop prediction usinglocalized view of their next hops about their various contacts,instead of relying on greedy and naive single-node prediction.During the obfuscation phase, α and β are defined as follows:

α =k − hr

k, β = 1 − α, hr < k, k �= 0

α = 1, β = 0, hr = 0. (5)

In (5), it is shown that the values of both α and β aredependent on k and hr. The value of α is increasing withincreasing k, and it decreases with fewer remaining obfuscationhops (i.e., hr). The value of β is the complement of α to one,which allows nodes to give more weight to the first term in (4)as queries are about to achieve their anonymity requirementof k hops. Meanwhile, at the start of the obfuscation process,the protocol gives more weight to using intermediate nodesto reach the LBS, which subsequently offers better privacy.When a query has passed k obfuscation hops (i.e., hr = 0),intermediate nodes give all the weight to their next hops’ directMP prediction (or α = 1 and β = 0) in (4).

C. Security Discussion

We assume a trusted-community security model and consideronly an external attacker capable of eavesdropping on limitedtraffic in the network. By trusted community, we refer to themutual trust between users who belong to the same social group(as defined in Section I), which includes only known friendsthat the user entrusts to perform location obfuscation.


TABLE IIANALYTICAL MODEL: LIST OF PARAMETERS AND THEIR MEANING

Traffic analysis attacks can be harmful to k-anonymity pro-tocols, including LPAF. Using traffic analysis, the attacker col-lects information about who is communicating with whom andwhen. We only consider an attacker with limited presence, i.e.,able to eavesdrop over all the traffic along the obfuscation path,but only a subset of forwarded queries over the obfuscationpath. In the case where the attacker is omnipresent (i.e., theattacker can monitor all traffic in the network), privacy attackscan be easily launched to identify a certain query source.

The proposed privacy protocol relies on the user social net-work; subsequently, the movement pattern of users in this groupcan greatly affect the user privacy. Considering real-life humanmovements, similarity between the users’ visited locations isbeing observed [12], but it is shared among the whole socialgroup, which subsequently provides a larger anonymity set andplausible deniability [14].

III. LPAF ANALYTICAL ANALYSIS

A. Analytical Model

Here, we model our protocol using a probabilistic analyticalmodel. A number of models have been proposed to modelopportunistic communication in ad hoc networks [15]–[17]. Forthe purpose of this paper, we focus on driving a model that isnot only temporal with respect to timing of event but also spatial(incorporating location knowledge). We use a spatial Poissonprocess [18], which is also known as spatial point process, withan associated rate of events λ. The spatial Poisson process isuseful for modeling ad hoc wireless networks [19] in generaland particularly location-dependent protocol. Using the spatialdimension, we can calculate the probability of a node being ina certain location once the system has reached a steady stateand the probability of nodes being neighbors. Let N be the setof nodes moving within a region on the map denoted as R+,where R+ is an L× L square area. Table II shows a list ofmodel parameters along with their interpretation.

Communication can occur only between two nodes thatare within the communication area of each other. Assume

that all nodes have the same communication area R and thatcommunication can take place without interference either fromphysical obstacles or on the wireless channel. Let two nodesa, b ∈ N , and let the location of the two nodes at time t bela,t, lb,t ∈ R+. The two nodes can communicate directly ifand only if [[l1, l2]] ≤ r. Let P (#(R(v))) be the probabilitythat i nodes exist within the communication area R(v) ⊂ R+.P (#(R(v)) = i) is formally defined as follows:

P (# (R(v)) = i) =e−λπr2(λπr2)i

i!, λ =

|N |L2

. (6)

Subsequently, we define the probability that a node v has atmost i nodes within the communication area R(v) ⊂ R+ asfollows:

P (# (R(v)) ≤ i) =

i∑x=0

P (# (R(v)) = x) . (7)

Let P 1(#(R(v))) be the probability that a node v has atleast one neighbor, i.e., the two nodes are able to communicatewith each other. According to Poisson’s theory, the interarrivaldistance between events is an independent and identically dis-tributed (i.i.d.) random variable, and the process is memoryless.This leads to the number of arrival events at any location in R+

occurring after time t to be independent from the number ofevents occurring before time t

P 1 (# (R(v))) = P (# (R(v)) ≥ 1) . (8)

From the probability theory,∑

i≥0 P (#(R(v)) = i) = 1,which can be rewritten as P (#(R(v)) ≥ 1) + P (#(R(v)) =0) = 1. We can write (8) as follows:

P 1 (# (R(v))) = 1 − P (# (R(v)) = 0)

= 1 − e−λπr2 . (9)

For the purpose of developing the LPAF model, we needto focus on the obfuscation path rather than the immediateneighboring nodes. We are interested in modeling the multihopcommunication path used for obfuscation. Let P (|E(v) ≥ i) bethe probability of node v forming i multihop path of successiveencounters (i.e., using any available nodes) using epidemicprotocol. This is equal to the probability that each node fromthe set of the i intermediate nodes has at least one successfulencounter at its first hop (because the interarrival of events inthe Poisson process is i.i.d.). P (|E(v) ≥ i) can be formallydefined as follows:

P (|E(v)| ≥ i) =∏i

P (# (R(v)) ≥ i)

=(P 1 (# (R(v)))

)ifrom (9)

=(

1 − e−λπr2)i

. (10)

When the node’s communication area is very small comparedwith the dimensions of the network, i.e., R � L, [16] showsthat we can obtain an approximate rate of encounters (or


intermeeting time) for any node in the network p. This rate ofencounter can be obtained using the following formula:

p = cvrelr

L2, c : mobility constant (11)

where c is a mobility model-related constant. For the purposeof our analytical evaluation, we consider only the random di-rection model with c = 1 and epidemic packet forwarding. Formore complex real-life validation, we evaluate LPAF throughintensive simulation in different scenarios. In addition, vrelis the relative speed between nodes and can be calculatedassuming an average stable node speed in the network va.According to [15], we can obtain the number of nodes I(t)that has received a packet after time t assuming a single initialsource as follows:

I(t) =|N |

1 + e−p|N |t (|N | − 1)(12)

where p is the rate of encounters, as calculated in (11). There-fore, we can then calculate the ratio of nodes that has receiveda packet after time t as ϕe(t) for the epidemic protocol

ϕe(t) =I(t)

|N | =1

1 + e−p|N |t (|N | − 1). (13)

In the case of the proposed protocol LPAF, the probabilitythat a node communicates during the obfuscation phase islimited to only within its social community due to privacyconstraints. We develop a new probabilistic model to reflect thisbehavior. Consider two nodes a and b, where node a wants toobfuscate a query by sending it through node b. Let event Abe that node a has at least one neighbor b (i.e., at least a andb are within the communication area of each other), and letB be the event that one of these neighbors is from the socialgroup of a (i.e., b is a social friend of a). More formally, let A:[[la,t, lb,t]] ≤ r and B: b ∈ Sa. Let P (A|B) be the conditionalprobability that event A will occur given the knowledge thatevent B occurred. Note that since we are using a randomdirection model, the probability of encounter between sociallyconnected nodes is not affected, i.e., it is shown in the literaturethat human encounters are not random and that friends meeteach other more often than they would meet someone who is acomplete stranger [20], [21]. Taking this into consideration, weemphasize that the analytical study presents the worst case viewof LPAF performance due to the lack of this connection betweenthe social layer and nodes’ mobility. This can be expressed asfollows:

P (A|B) = P (A). (14)

Let Pf (i) denote the probability that a node v meets i suc-cessive disjoint friend nodes (i.e., different nodes belonging tonode v social group Sv). Probability Pf (i) can be expressed as

Pf (|E(v)| = i) =

i−1∏x=0

(|S| − 1 − x)

|N | , 0 < i < |S|

=(|S| − 1)!

|N |i × (|S| − i− 1)!, 0 < i < |S|.

(15)

Now, we would like to calculate the probability that a nodev will successfully communicate under a privacy requirementof one hop obfuscation. We use the set of intermediate disjointnodes from the multihop path E(v) from node v to the desti-nation and not the set of nodes within the transmission rangeof v because we are calculating the probability of forming amultihop path, rather than the nodes’ immediate neighborhood(i.e., one hop). To this end, we define two events A and B asfollows:A: {meeting at least one node};B: {the node is a friend}.Using probability theory and (14), we can find the probability

Ps(|(E(v))| = 1) that a node v will successfully communicateunder a privacy requirement of one hop obfuscation can beexpressed as follows:

Ps (|E(v)| = 1) =P (A ∩B)=P (A)× P (B). (16)

The first operand in (16) is the probability that a node vwill encounter at least one node. The second operand can becalculated using (15), as Pf when i = 1

Ps (|E(v)| = 1) =P (|E(v)| ≥ 1)× Pf (|E(v)| = 1)=P (# (R(v)) ≥ 1)× Pf (|E(v)| = 1)=P 1 (# (R(v)))× Pf (|E(v)| = 1) . (17)

Using definitions from (9) and (15)

Ps (|E(v)| = 1) =(

1 − e−λπr2)∗ (|S| − 1)

|N | . (18)

From the definition of LPAF, a node v needs to form an i hopobfuscation path using i disjoint nodes for the communicationwith an LBS to be successful (i.e., in LPAF case, the nodes aremore constrained by the privacy requirements and will not beable to forward packets as freely as when using epidemic). Letevents A, B denote the following:

A: {meeting at least one node for i successive hops};B: {i nodes belong to the source’s social group}.Furthermore, let Ps(|E(v)| ≥ i) be the probability that a

node v will successfully communicate over i hop obfuscationpath. Ps(|E(v)| ≥ i) is formally defined as follows:

Ps (|E(v)| ≥ i)= P (A ∩B) = P (A) ∗ P (B), 0 < i < |S|.

Let us focus only on event A; the probability of forming amultihop path using i nodes can be obtained using (10). Thesecond operand that represents the probability that event Boccurs can be obtained using (15)

Ps (|E(v)| ≥ i)= (P (|E(v)| ≥ i)) ∗ Pf (|E(v)|= i)

=(

1−e−λπr2)i

× (|S|−1)!|N |i ∗ (|S|−i−1)!

. (19)

From the definition of LPAF, it is important to note thatwe are interested in the events where i nodes will encountereach other following the DTN store-carry-forward paradigm.Hence, event A relates to the nodes’ ability to form an imultihop path to reach the destination. This event is quite


different from the event of having a neighborhood that has ineighbors. Substituting into (19), the probability that a node vwill successfully communicate over i hop obfuscation path canbe expressed as follows:

Ps (|E(v)| ≥ i) =

⎧⎪⎨⎪⎩

(1 − e−λπr2

)i

×∏i−1

x=0(|S|−x−1)

|N | , 0 < i < |S|0, otherwise.

(20)

Let γ be the ratio between the probability that a node v cansuccessfully communicate using LPAF over i hop obfuscationpath and the probability that a node can form i hop path usingany nodes, i.e., without obfuscation restrictions using epidemicrouting. We define γ as follows:

γ =Ps (|E(v)| ≥ i)

P (|E(v)| ≥ 1)i. (21)

Using (9) and (20), γ can be simplified as follows:

γ =(|S| − 1)!

|N |i ∗ (|S| − i− 1)!. (22)

For the proposed protocol LPAF, we can then calculate thenumber of nodes that received a query after time t assuming asingle initial source Is(t). We substitute γ into (12) taking intoconsideration the value calculated in (22)

Is(t) =|N |

1 + e−pγ|N |t (|N | − 1). (23)

Let ϕs be the ratio of nodes that has received a query aftertime t using LPAF. ϕs is defined as follows:

ϕs(t) =Is(t)

|N | =1

1 + e−pγ|N |t (|N | − 1). (24)

B. Analytical Model Evaluation

Here, we propose an analytical model that enables the studyof LPAF, in terms of logical and quantitative relationships, tosee how the model reacts to different parameters such as privacylevels k and social group sizes |S| and what impact each has onthe quality of service such as delivery ratio and delay.

Hence, we perform extensive simulations using the proposedanalytical model for LPAF to study the feasibility/limits ofconceiving obfuscation path for different privacy levels k andsocial group sizes |S|. We show that with using the proposedLPAF, an obfuscation path can be still constructed even at highprivacy levels k at the expense of lower quality of servicerepresented by lower delivery ratio and higher delays. It isworth mentioning that although we show that the protocol canwork in OppMNet at extreme situations (characterized by lowsocial groups sizes |S| ≤ 30% and high privacy level of k = 8),these situations are not likely to exist in real life and present aworst-case scenario for LPAF. This is because the analyticalmodel does not consider the network topology and how it isdynamically influenced by social ties.

To validate the proposed analytical model for LPAF, westart by comparing its performance to epidemic forwarding, asshown in Fig. 1. LPAF has a three-hop obfuscation path at social

Fig. 1. Percentage of nodes (y-axis) that receive a packet after time t (x-axis).ϕe(t) for epidemic and ϕs(t) for LPAF using (k = 3 and |S| = 50).

Fig. 2. Probability (y-axis) to form various obfuscation path lengths i (x-axis)under different numbers of social group size. Ps(|E(v)| ≥ i) is for LPAF, andP (|E(v)| ≥ i) is for epidemic.

group size of 50% of the total nodes in the network. We choosea moderate social group size using information obtained fromexperiments shown in Fig. 2. The number of obfuscation hops(k = 3) was chosen at the number of hops where the protocolachieves about 25% probability to reaching all nodes or at 50%of the protocol maximum achievable probability Ps. The resultsshown assume a single initial source sending one query. Wecan see that epidemic protocol is capable of disseminating thepacket quicker and that LPAF manages to follow with a slightdelay due to the higher location anonymity provided.

To understand the impact that the social group size |S| hason the probability of forming obfuscation path, we conduct theexperiments shown in Fig. 2. The figure shows the probabilityof forming obfuscation path of different lengths i for an increas-ing trend of the social group size |S|, and we compare them tothe probability using epidemic (which forms the same numberof hops i using any node even several times). The size of socialgroup ranged from 50 to 200 nodes or 25% to 100%. We can seea decreasing probability of forming a successful delivery withlonger obfuscation path (as i increases), which is due to the extrarestriction on finding socially related nodes (i.e., of course, not


Fig. 3. Percentage of nodes (y-axis) that receive a packet after time t (x-axis)with different values of |S|. ϕe(t) is for epidemic, and ϕs(t) is for LPAF.

yet used). Finding such friend nodes is affected primarily bythe social group size |S|, among other factors such as nodes’average speed and communication area R, and the total areaof R+. We can see that increasing |S| allows for an increasedprobability of reaching higher privacy. As |S| approaches |N |,i.e., theoretically, the whole network is one social group, theprobability falls as i increases, and this is because intermediatenodes are selected only once. This validates the privacy restric-tions developed through the analytical model for obfuscation-based communication using LPAF. Interestingly, this showsthat the probability of forming obfuscation path logarithmicallydrops with respect to the number of obfuscation hops i.

We can see the probability to form the same i multihop pathusing epidemic protocol in Fig. 2, as derived using (10). Itis considerably much higher compared with LPAF, and it isapproaching 0.99 for i < 15 hops. This is because epidemicprotocol can form any multihop path and reuse nodes previ-ously been on that path, i.e., nodes that have participated inquery forwarding before. Meanwhile, for LPAF, a node cannotreforward a query to a node that has obfuscated it beforebecause this does not increase the source’s privacy (i.e., theanonymity set does not increase).

We evaluate the LPAF performance convergence over timewith respect to social group size |S| (see Fig. 3) and location-privacy requirements k (see Fig. 4). Fig. 3 shows LPAF perfor-mance under different conditions of social group sizes rangingbetween 10% and 60% of the total number of nodes |N | undermoderate location privacy (k = 3). The graph shows that LPAFmanages to disseminate the packets to all nodes in the socialgroup. For example, about 40% of the social group nodesreceive packets in less than 1600 s, for an average social groupsize (|S| ≥ 50%). We can see that as the social group sizegrows, the percentage of nodes receiving the packet sharplyincreases, i.e., the time required to reach the group gets shorteras more friends participate in forwarding. This is because theprobability of meeting socially related nodes becomes higher,which allows the packet to be forwarded faster and to morenodes than in scenarios with small social group size.

To choose the best suitable protocol configuration parametersin a given environment, we need to combine the main param-

Fig. 4. Percentage of nodes (y-axis) that receive a packet for various socialgroup sizes (x-axis). ϕe(t) is for epidemic, and ϕs(t) is for LPAF. k rangesbetween two and eight hops.

eters to show their impact on the protocol performance (e.g.,percentage of nodes receiving a packet ϕs(t)). Taking both timeand |S| as the protocol two degrees of freedoms is shown inFig. 3, whereas |S| and k are shown in Fig. 4. Fig. 4 showsLPAF theoretical performance under various location-privacyrequirements. Function ϕs(t) is sampled at t = ts to compareperformance, where (ts = 200[s]) is chosen because it is thetime when the protocols are in transition with respect to |S|, asshown in Fig. 3. We can see that ϕs(t) generally increases as |S|increases, and this validates the same impact shown in Fig. 3.The figure also shows that as k increases, the slope of the curvebecomes steeper (i.e., the social group size has less impact onthe protocol performance as k increases). Moreover, for thesame value of |S|, we see that as k increases, the performancedrops (i.e., the curve gets lower). For example, at k = 2 andk = 4, we see that when the social group size is about 85%of the total number of nodes in the network (|S| = 85%), thepercentage of reached social nodes is in the range of 30% and10% at t = ts, respectively.

Fig. 5 shows a 3-D performance comparison of two differentlocation privacy levels from low to high (k = 2 and 8). Thefigure clearly shows the impact of the privacy level and socialgroup size on the delay and percentage of nodes receiving thequery. On the x-axis, we show social group size |S|, the timet on the y-axis, and the result achieved ϕs(t). We can see thatthe achieved level of packet penetration to other nodes at somesocial group size can be easily obtained.

Using Fig. 5, we can draw a plane perpendicular to thex-axis at a point equal to a given social group size |S| inthe network, and we obtain a 2-D plane showing the variousexpected performances over time. In the figure, we observe ageneral increase in the percentage of reached nodes as we moveto a bigger group size, which is consistent with both Figs. 2and 3. We can see faster convergence (less time) to reach morenodes as k decreases (less privacy). This figure can be used toguide the user selection of the level of location privacy k underspecific network conditions by determining the expected ϕs(t)as the average required user data utility and user tolerated levelof delay.


Fig. 5. LPAF performance comparing the percentage of nodes receiving aquery ϕs(t). |S| on the x-axis, time on the y-axis, and ϕs(t) on the z-axisat k = 2 and 8.

Fig. 6. Maximum number of obfuscation hops k (y-axis) for various socialgroup sizes |S| (x-axis) for k between 1 and 25 hops.

For example, for a network with a known social group size|S| equal to 50% and a user data utility requirement to reach40% of the nodes within 500 s, the user will be able to achievethis combination under privacy level k = 2 but not at a higherprivacy level of k = 8. On the other hand, if the number ofsocial group size can be controlled, then the previous graphcan be used to show the required percentage of social nodes toachieve a certain privacy level. For example, if a user wishes tomaintain privacy level of k = 2 and a data utility requirementto reach 50% of the nodes within 1000 s, then the requiredpercentage of social group nodes must be more than 60%.

Fig. 6 shows LPAF achievable privacy level at various socialgroup sizes in the network for three different probabilities tosuccessfully encounter k friends Pf . Pf , as defined in (15),directly affects the probability that a user will have successfulcommunication with the LBS. The figure shows the tradeoffbetween privacy levels k for different social group sizes |S| inthe networks, i.e., the user has higher probability of successfulobfuscation for higher k as |S| increases. For example, a userwho belongs to a social group of size 120 has 50% probability

of successful communication for k range below two hops whileonly 10% probability in case of higher k (from four to fiveobfuscation hops).

IV. PERFORMANCE EVALUATION

We compare LPAF performance against No_Privacy, Oracle-based k-anonymity [22] (OBK), social-only [22] (SLPD), andAntiLocalization Anonymous Routing (ALAR) [23] protocols.We implement all privacy-preserving protocols as extensions tothe Opportunistic Network Environment (ONE) simulator [24].We track the performance across three dimensions: 1) qualityof service expressed as success ratio SR and end-to-end delay;2) quality of anonymization reflected in the achieved numberof obfuscation hops k; and 3) energy efficiency tracked throughthe retransmission overhead.

In addition to using an urban scenario, we perform evaluationusing real-world data trace of Bluetooth and Wi-Fi collectedat the University of Illinois at Urbana-Champaign (UIUC).For ALAR, we set the number of the alternative disjoint path(k = 2) and the number of splits (S = 2), which is similar tothe settings used in [23]. The remaining simulation parametersare as in [4]. Using these evaluation results, we confirm theanalytical model results in Section III-B for an increasingprivacy level k. Although we study performance for differentsocial group sizes |S|, we include only the results for thechallenging low social scenario and omit other results due tolack of space.

A. Pseudosimulation in Urban Scenario inHelsinki City Center

For the purpose of initial evaluation, we experimented with awell-known benchmark urban scenario for Helsinki city center.We combine the ONE simulator [24] probabilistic map-basedmovement models with a Helsinki map to generate a semirealis-tic urban scenario in Helsinki city center. The objective of thisset of experiments is to study the proposed privacy-preservingprotocol in pseudorealistic city-center scenario and measure itseffectiveness.

Without loss of generality, we develop LPAF over a quota-based DTN forwarding protocol, i.e., SnW [25]. We evaluate thesocial-based protocols (i.e., SLPD and LPAF) across varyingsocial matching thresholds, i.e., users can select different valuesfor Plow/Phigh (as defined in Table I). Users who desire moreprivacy set both Phigh and Plow to a value closer to 1 and viceversa. Plow is configurable and was set to 0.5 (50IGNORE)for all experiments. Location queries are sent every 20 s froma number of nodes belonging to a pool of 40 tourists scatteredwalking and querying locations around the city. Each memberof this group has a defined social profile, and it is used tomeasure the social distance to other nodes (as explained inSection II-B1). We assume that all scenarios have one movingLBS, with nodes reporting and sharing latest location of the LBS.

1) Network Model: We consider a network that has a set ofN nodes that are actively relaying messages in the OppMNetswhen requested. Consideration of selfish or other maliciousbehaviors that would cause nodes to not participate in theforwarding process are out of the scope of this paper.


This paper is not concerned with vehicular technology andfocuses only on social opportunistic network. We utilize a setof heterogeneous mobile nodes (pedestrians, cars, and trams)positioned on top of the Helsinki city map, where cars and tramsare used to ferry data between pedestrians when the possibilityoccurs. Communication between pedestrians is performed overOppMNet using Bluetooth, whereas communication betweentrams and cars is over Wi-Fi. The different nodes exhibitdifferent characteristics. People-carried mobile devices havesmaller buffers compared with other mobile nodes. The city-center scenario consists of 80 pedestrians, 40 cars, six trams,and 10 access points. Pedestrians communicate between themthrough Bluetooth and receive information from cars, trams,and access points if within communication range using Wi-Fi.

We assume, as in a typical city scenario, that these tramshave contact with access points when in communication rangeor otherwise be disconnected. Trams are expected to executeLPAF protocol and that users trust the trams’ operator tohandle their queries and perform obfuscation operations. If anode encounters a tram, it includes a profile-matching criterionand the required privacy level for the query to obfuscate andforwards this information over to the tram. Tram extracts theprivacy-related information and searches for other nodes usingthe profile-matching criterion to obfuscate this query.

2) Simulation Results in the City Center: We evaluate LPAFunder varying privacy-level requirements k, varying number ofsource nodes accessing the LBS (senders), and different socialgroup sizes |S|. All experiments were conducted at high socialmatching threshold (P = 1) for both SLPD and LPAF. Eachpoint on the graphs is the average of 50 runs, and in eachrun, nodes were initially positioned randomly over the map.The senders are selected from a pool of highly social nodes(central nodes or hubs), starting with one sender or 3% of thepool size, then five (or 13% of the pool size), 10, 15, etc.,until we get to 40 senders (or 100%). Increasing the numberof senders increases the offered load to the network, henceshowing protocols’ stability. Experiments examining the effectof the social group size were conducted using only one singlesender selected at random at each run.

Fig. 7(a) shows the normalized success ratio for LPAFcompared with No_Privacy and the other privacy protocols. Forboth SLPD at k > 3 and LPAF at k > 6, results are 0%; thus,they are not shown on any of the graphs. The graph shows thatLPAF is able to deliver queries in a privacy-preserving way fork = 3 higher than the other location-privacy protocols (namely,SLPD and ALAR). The figure shows that ALAR has a steadybut low success ratio, and it is considerably lower than otherprotocols (≈ 5%). LPAF has a rising success ratio as the numberof senders increases, whereas SLPD is constantly below by anaverage of 11%. LPAF is able to achieve a maximum of ≈50%,which is higher than both SLPD and ALAR, because nodescollaborate and share predictions to achieve the privacy leveland move toward the LBS. LPAF is approaching the theoreticalmaximum success ratio maintained by OBK that uses an Oracle.

Fig. 7(b) shows the average delay in seconds for each ofthe protocols. No_Privacy and OBK opportunistic forwardinghave the lowest delay as they deliver queries with no ob-fuscation or using an Oracle. We include both protocols as

Fig. 7. (a) Comparing LBS query success ratio for different protocols usingvarious senders’ ratio. (b) Comparing LBS query average delay for differentprotocols using various senders’ ratio. (c) Retransmissions overhead for differ-ent protocols using various senders’ ratio.

benchmark for comparison, where OBK is not suitable forreal-world OppMNets scenario because it uses a centralizedserver and assumes future knowledge of network events.

In both Fig. 7(a) and (b), it is shown that ALAR has lowsuccess ratio and high delay; this is because nodes wait fork distinctive neighbors for each of the S splits belonging tothe same query. This means that each query requires (S × k)distinctive neighbors for all splits to be forwarded out of asource, or a total of four unique neighbors in our case, butin two sets, we have one for each split (S = 2). Moreover,ALAR excludes neighbors from being the possible next hop fora particular query rapidly, as soon as neighbors have receivedone split, and this causes additional fragmentation to an alreadyfragmented network topology in OppMNets.


Fig. 8. Weighted MMP relative to number of messages at each hop fordifferent k.

Fig. 7(c) shows the normalized average retransmission over-head, i.e., relative to the maximum number of relayed queries.We observe that LPAF retransmission overhead is linearlyincreasing with the number of senders and below No_Privacyforwarding. LPAF overhead is generally greater than OBK. ForALAR, it reaches a steady overhead level when senders aregreater than 25% to reach around 22%, which is due to the lowsuccess ratio (≈ 7%). No_Privacy has higher overhead becauseit utilizes a greedier approach to maximize delivery [25]. Thisis because location-privacy requirements act as a leash thatcontrols and selectively forwards queries hence less retransmis-sions overhead. LPAF is efficient because other protocols sendmany replicas of a query (or its splits) that never reach the desti-nation and get dropped, but LPAF aims to use each replica withprediction to better direct them toward the destination LBS.

Fig. 8 shows MMP , which is a weighted measure of MMPwith respect to the number of queries successfully reachingeach hop. Using MMP has the effect of normalizing theMMP measurement across the different values of k whilemaintaining per-hop distinctive results. The figure shows thatmessages have better MMP as they are forwarded over eachsuccessive hop toward the LBS. The figure shows that theweighted MMP drops as k increases. This is because lessqueries successfully pass through the whole obfuscation path,which leads to a drop in the weighted Markov proximityobtained through multiple-hop prediction; thus, LPAF (k = 4)has lower weighted proximity compared with LPAF (k = 3).

As expected from the analytical model evaluation (seeSection III-B), we notice in Fig. 9(a) that LPAF success ratioincreases as we increase the social group size |S|, whichvalidates Figs. 2 and 3 in the evaluation of the analytical model,and decreases with increased value of k validating results inFig. 4. |S| is increased by selecting more nodes from the pool of40 nodes (around 30% of the total network nodes). We cansee that as the social group size increases, the success ratioincreases because LPAF is able to find more socially relatednodes. This is shown as a higher probability of forming k ob-fuscation path shown in the analytical model in Fig. 2. LPAF’sability to utilize these extra social-related nodes enhances theoverall success ratio as more encounters are being utilized forobfuscation and to achieve the targeted k. Fig. 9(b) shows theassociated overall average message delay; we notice that as kincreases, we experience greater delay as message gets buffered

Fig. 9. Comparison of LPAF performance at different ratios of social groupsizes |S| and for various privacy levels k. (a) Success ratio. (b) Delay.

longer awaiting suitable encounters. On the other hand, wecan see that as social group size increases, the delay drops tominutes. This drop in delay with higher |S| is consistent withthe time delay presented in the x-axis in Fig. 5 with differentvalues of |S| in the analytical model evaluation. As shown,ϕs(t) rising faster in time (less delay) |S| increases.

B. Real-World Data Trace Simulation Using UIUC Data Set

1) Network Model: The UIUC [26] data set is a real-worlddata trace collected at the UIUC. It contains the media accesscontrol (MAC) addresses of 28 Bluetooth devices and multipleWi-Fi access points collected over a three-week period duringMarch 2010. Despite the lack of nodes’ exact location infor-mation (e.g., GPS) at the time of recording events, this dataset is particularly useful in evaluating location privacy as itcontains the MAC addresses of stationary Wi-Fi access pointsencountered by the mobile devices.

To build the social relationship between users, we performanalysis on the regularity of users existing at the same locationsimilar to [12] and [27]. We statistically study the frequencyof devices encountering each other and encountering similarWi-Fi access points, which indicates that users carrying thesedevices exist at the same location regularly. We then generatea user-to-user (pairwise) total encounter frequency. As partic-ipants in this data set are faculty, staff, and students, moresocially connected nodes meet inside and outside the universitycampus. We experimented with two distinct social networkscenarios (i.e., low and moderate social networks |S|) to com-pare performance obtained with that from the analytical model


in Figs. 3 and 5. In low |S|, two users are considered friends iftheir encounter frequency falls within the upper quartile (the top25%) of the distribution of all node pairs’ encounter frequency.The resulting social network has an average |S| equal to 5 anda standard deviation of 4 (i.e., |S| ≈ 18%). In moderate |S|,two users are socially connected if their encounter frequencyis greater than the average encounter frequency of all users’pairs. The resulting social network has an average |S| equalto 10 friends and a standard deviation of 5 (i.e., |S| ≈ 50%).We observed generally better results for the moderate socialscenarios compared with low social scenarios, but we omitdetails due to space limitations.

The data set duration is split into three equal simulationduration periods of one week each (seven days). All MACaddresses for external devices were discarded, i.e., only the28 participants were sending/receiving/relaying message duringthe simulations. We repeat the simulation three times, andthe results were averaged. A socially well-connected node ischosen to be the untrusted LBS, and the remaining 27 nodes actas query sources (senders). LBS queries were sent at randomintervals with a constant rate of one query every 6 h.

2) Simulation Results in UIUC: Here, the success ratio anddelay comparing protocols that offer location privacy in theOppMNet are shown. We examine the performance of LPAFunder two social scenarios (i.e., low and moderate social net-works). This is to validate the impact of the social group size,with results obtained from the analytical model evaluation inSection III-B.

Fig. 10 shows a set of experiments comparing location-privacy protocols’ performance using UIUC real-world datatrace. The social network between nodes is a low social networkscenario (|S| ≈ 18%). Fig. 10(a) shows that LPAF manages tobe slightly higher, i.e., better, in mean success ratio than theother two protocols and that LPAF performance drops (lowerboxplot) to become very close to SLPD and ALAR. This isdue to the restriction imposed by the limited number of friendsto obfuscate queries and the drop in probability of forming kobfuscation path shown in the analytical model Fig. 2. LPAFdrop in success ratio validates the analytical model performanceshown in Fig. 3, where we see lower percentage of nodesreceiving packets as |S| decreases.

Fig. 10(b) shows the delays incurred by the different proto-cols. First, we can see that LPAF and SLPD have both sufferedadditional delays higher than ALAR. This is due to the twoprotocols’ reliance on the social network size |S|; hence, moretime is spent searching for friends in a low social network.This relation validates the earlier finding in the analytical modelin Fig. 3, which shows a slower rise and higher delay as |S|decreases.

V. RELATED WORK

There has been little attention given to location privacythreats in OppMNets, with insufficient user-centric analysis andsolutions. Most existing research studies rely on an online TTP,such as mobile phone operators [28] or online centralized server[29], which is generally not applicable to OppMNets.

One way to provide higher location privacy is to limit accessto location information through access control mechanisms

Fig. 10. Low social: Using real-world data trace for LPAF performancecomparison. (a) Relative success ratio. (b) Relative delay.

[7], [29]. PShare [29] is a secure location sharing protocol.It distributes location data across multiple location servers toincrease robustness against attack and ensure imprecise userposition in case a server is compromised. [7] presents a solutionwhere Location Servers (LS) are treated as un-trusted data-stores, and LBSs are offered by friends in the network. Alllocation information sent to the LS is encrypted, and only au-thorized users or applications are granted access. Both schemesassume an online LS, and access control is applied usingpublic–private keys or multisecret sharing.

Another approach to providing higher location privacy is toobfuscate the location information by generating false locationupdate events that cause diluted users movement traces atLBSs’ side. CacheCloak [5] is an anonymization system forcommunication in Vehicular Ad hoc NETworks (VANETs).SPRING [30], where road-side units (RSUs) are positioned athighly social intersects, is used to temporarily store the for-warded packets and hence prevent an adversary from trackingits source. The two approaches rely on pretrusted and controllednodes (e.g., anonymizing server or RSUs) to offer obfuscation.

Our proposed protocol is based on k-anonymity [31], whichis a widely used approach to anonymity in many fields such as


communication networks and databases. One popular way ofoffering location k-anonymity is through cloaking. Cloaking isthe technique by which the geospatial dimension is divided intoareas called cloaks, and the user is k-anonymized if the formedcloaking region is occupied by at least k − 1 other users; hence,the user’s location is hidden among k anonymity set. Spatialand temporal cloaking techniques such as [32] use a centralizedlocation broker service that is used to form the cloaking region.Cloaking techniques are not suitable for OppMNets because oflimited communication area and diverse nodes’ mobility.

On the other hand, mixing offers location privacy by ensuringthat user’s identity is kept private, and it is based on untraceableemail communication proposed by Chaum [33]. A number ofmixing techniques have been proposed [34]. During the mixingprocess, a trusted entity performs shuffling of users’ identitiesinside a specially constructed mix zone so that old and newuser identities are not linkable. This process requires that nodesphysically move into and stay inside the mix zone throughoutthe mixing process to prevent eavesdropping by an attacker.Mixing is not suitable for OppMNets as it requires that aspecified number of nodes coexist inside the mix zone for thewhole duration this operation.

Reference [35] proposes anonymization for users of LBSsin mobile environments using a TTP entity, which hides thelocation and profile attributes of the query from untrustedservice. Source Unobservability by Network Coding (SUNC)[36] is a privacy-preserving scheme that maintains the sourceunobservability in multihop wireless networks. SUNC utilizesnetwork coding and specifically designed dummy messagesto ensure packet unlinkability and source anonymity. SUNCassumes a multihop wireless network and does not consider thelong delays, mobility, and disruption impact typically expectedin DTNs. SpotME [37] is a technique to preserve users’ loca-tion privacy through reporting of fake locations. The approachuses randomized response algorithm and is addressing specifictargeted applications.

SLPD [22] is a location-privacy protocol that obfuscatesqueries using the social relationship between nodes. SLPD isnot adaptive to the topology or individual nodes’ connectivitypatterns. The authors compare their work with OBK: a bench-mark k-anonymity location-privacy protocol which requires anOracle with complete future knowledge of the network. OBKrelies on centralized and trusted matchmaker server and isnot practically applicable to OppMNets scenario. ALAR [23]enables a source to send messages without revealing its physicallocation while opportunistically communicating over DTNs.The source splits each message into multiple S segments (eachis called split), and each split is transmitted through an alter-native disjoint path k. ALAR nodes only forward a split whenthey have k neighbors that have not been observed for any ofthe previously sent splits of the same message.

VI. CONCLUSION AND FUTURE WORK

We have proposed new privacy-preserving protocol LPAFthat offers adaptive, fully distributed, and socially drivenlocation-privacy forwarding. LPAF employs a distributedlightweight Markov-based location prediction model to guide

the obfuscation phase of message propagation to the LBSs.LPAF utilizes social links between nodes to form an obfuscationpath between the source and the LBS to offer best effort k-anonymity location privacy. We evaluate the proposed protocolusing analytical model simulation and extensive experiments inboth city-center map-based heterogeneous mobility scenariosand using real-world data trace. Results show that by adaptingthe privacy within tolerance to nodes’ own connectivity andincorporating location prediction, LPAF performs better thanexisting location-privacy protocols in terms of success ratiowith small overhead. LPAF is able to maintain around 10%success ratio at high user privacy-level requirement when otherprotocols fail by adaptively lowering the achievable locationprivacy to the network conditions.

As future work, we plan to extend the protocol to handlesituations in which the exact location of the nodes is not knownand examine additional movement models and rural scenarios.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers fortheir constructive and detailed review of this paper.

REFERENCES

[1] S. Siersdorfer and S. Sizov, “Social recommender systems forweb 2.0 folksonomies,” in Proc. ACM Hypertext Hypermedia, 2009,pp. 261–270.

[2] Y. Zheng and X. Xie, “Learning travel recommendations from user-generated GPS traces,” ACM TIST , vol. 2, no. 1, pp. 2:1–2:29, Jan. 2011.

[3] J. Krumm, “A survey of computational location privacy,” Pers. UbiquitousComput., vol. 13, no. 6, pp. 391–399, Aug. 2009.

[4] S. Zakhary, M. Radenkovic, and A. Benslimane, “The quest for location-privacy in opportunistic mobile social networks,” in Proc. IWCMC, 2013,pp. 667–673.

[5] J. Meyerowitz and R. Roy Choudhury, “Hiding stars with fireworks: Loca-tion privacy through camouflage,” in Proc. MobiCom, 2009, pp. 345–356.

[6] K. Abrougui, A. Boukerche, and R. W. N. Pazzi, “Design and evaluationof context-aware and location-based service discovery protocols for vehic-ular networks,” IEEE Trans. Intell. Transp. Syst., vol. 12, no. 3, pp. 717–735, Sep. 2011.

[7] K. P. N. Puttaswamy and B. Y. Zhao, “Preserving privacy in location-based mobile social applications,” in Proc. HotMobile, 2010, pp. 1–6.

[8] W. Xu, C.-Y. Chow, M. L. Yiu, Q. Li, and C. K. Poon, “MobiFeed: Alocation-aware news feed system for mobile users,” in Proc. 20th Int.Conf. Adv. Geographic Inf. Syst., 2012, pp. 538–541.

[9] A. Sathiaseelan and J. Crowcroft, “Internet on the move: challenges andsolutions,” ACM SIGCOMM Comput. Commun. Rev., vol. 43, no. 1,pp. 51–55, 2012.

[10] P. Hui and J. Crowcroft, “How small labels create big improvements,” inProc. IEEE PerCom, 2007, pp. 65–70.

[11] M. Musolesi, P. Hui, C. Mascolo, and J. Crowcroft, “Writing on the cleanslate: Implementing a socially-aware protocol in haggle,” in Proc. IEEEWoWMoM, 2008, pp. 1–6.

[12] G. S. Thakur, A. Helmy, and W.-J. Hsu, “Similarity analysis andmodeling in mobile societies: The missing link,” in Proc. CHANTS, 2010,pp. 13–20.

[13] H. Wei-jen, D. Dutta, and A. Helmy, “Profile-cast: Behavior-aware mobilenetworking,” in Proc. IEEE WCNC, 2008, pp. 3033–3038.

[14] S. K. Belle and M. Waldvogel, Consistent Deniable Lying: Privacy in Mo-bile Social Networks. Konstanz, Germany: Bibliothek Univ. Konstanz,2008.

[15] T. Small and Z. J. Haas, “The shared wireless infostation model: A newad hoc networking paradigm (or where there is a whale, there is a way),”in Proc. MobiHoc, 2003, pp. 233–244.

[16] R. Groenevelt, “Stochastic models in mobile ad hoc networks,” Ph.D.dissertation, Univ. Nice Sophia Antipolis, Nice, France, 2005.

[17] A. Chaintreau, P. Hui, J. Crowcroft, C. Diot, R. Gass, and J. Scott, “Impactof human mobility on the design of opportunistic forwarding algorithms,”in Proc. IEEE INFOCOM, 2006, pp. 1–13.


[18] A. Kottas and B. Sansó, “Bayesian mixture modeling for spatial Poissonprocess intensities, with applications to extreme value analysis,” J. Statist.Planning Inference, vol. 137, no. 10, pp. 3151–3163, Oct. 2007.

[19] J. G. Andrews, R. K. Ganti, M. Haenggi, N. Jindal, and S. Weber, “Aprimer on spatial modeling and analysis in wireless networks,” Proc.IEEE Commun. Mag., vol. 48, no. 11, pp. 156–163, Nov. 2010.

[20] P. Hui, K. Xu, V. O. K. Li, J. Crowcroft, V. Latora, and P. Lio, “Selfishness,altruism and message spreading in mobile social networks,” in Proc. IEEEINFOCOM, 2009, pp. 1–6.

[21] G. Zyba, G. M. Voelker, S. Ioannidis, and C. Diot, “Dissemination inopportunistic mobile ad-hoc networks: The power of the crowd,” in Proc.IEEE INFOCOM, 2011, pp. 1179–1187.

[22] S. Zakhary and M. Radenkovic, “Utilizing social links for location pri-vacy in opportunistic delay-tolerant networks,” in Proc. IEEE ICC, 2012,pp. 1059–1063.

[23] X. Lu, P. Huib, D. Towsleyc, J. Pua, and Z. Xionga, “Anti-localizationanonymous routing for delay tolerant network,” Comput. Netw., vol. 54,no. 11, pp. 1899–1910, Aug. 2010.

[24] A. Keränen, J. Ott, and T. Kärkkäinen, “The ONE simulator for DTNprotocol evaluation,” in Proc. SIMUTools. ICST , 2009, pp. 55:1–55:10.

[25] T. Spyropoulos, K. Psounis, and C. S. Raghavendra, “Spray and wait: Anefficient routing scheme for intermittently connected mobile networks,”in Proc. SIGCOMM Workshop DTN, 2005, pp. 252–259.

[26] L. Vu, K. Nahrstedt, S. Retika, and I. Gupta, “Joint Bluetooth/Wifi scan-ning framework for characterizing and leveraging people movement inuniversity campus,” in Proc. MSWIM, 2010, pp. 257–265.

[27] I. Parris and T. Henderson, “Privacy-enhanced social-network routing,”Comput. Commun., vol. 35, no. 11, pp. 62–74, Jan. 2012.

[28] J. G. Khuong Vu and R. Zheng, “Efficient algorithms for k-anonymouslocation privacy in participatory sensing,” in Proc. IEEE INFOCOM,2012, pp. 2399–2407.

[29] M. Wernke, F. Dürr, and K. Rothermel, “PShare: Position sharing forlocation privacy based on multi-secret sharing,” in Proc. IEEE PerCom,2012, pp. 153–161.

[30] L. Rongxing, L. Xiaodong, and S. Xuemin, “SPRING: A social-basedprivacy-preserving packet forwarding protocol for vehicular delay tolerantnetworks,” in Proc. IEEE INFOCOM, 2010, pp. 1–9.

[31] L. Sweeney, “k-anonymity: A model for protecting privacy,” Int. J.Uncertain. Fuzziness Knowl.-Based Syst., vol. 10, no. 5, pp. 557–570,Oct. 2002.

[32] M. Gruteser and D. Grunwald, “Anonymous usage of location-based ser-vices through spatial and temporal cloaking,” in Proc. MobiSys, 2003,pp. 31–42.

[33] D. L. Chaum, “Untraceable electronic mail, return addresses, and digitalpseudonyms,” Commun. ACM, vol. 24, no. 2, pp. 84–90, Feb. 1981.

[34] A. R. Beresford and F. Stajano, “Location privacy in pervasive comput-ing,” IEEE Pervasive Comput., vol. 2, no. 1, pp. 46–55, Jan.–Mar. 2003.

[35] M. Mano and Y. Ishikawa, “Anonymizing user location and profileinformation for privacy-aware mobile services,” in Proc. LBSN, 2010,pp. 68–75.

[36] F. Yanfei, J. Chen, X. Lin, and X. Shen, “Preventing traffic explosion andachieving source unobservability in multi-hop wireless networks usingnetwork coding,” in Proc. IEEE GLOBECOM, 2010, pp. 1–5.

[37] D. Quercia, I. Leontiadis, L. McNamara, C. Mascolo, and J. Crowcroft,“SpotME if you can: Randomized responses for location obfuscation onmobile phones,” in Proc. IEEE ICDCS, 2011, pp. 363–372.

Sameh Zakhary received the B.Eng. degree in 2000from Cairo University, Giza, Egypt; the M.B.A.degree in 2009 from The American University inCairo (AUC), Cairo, Egypt; and the M.S. degree incomputer science in 2009 from The University ofNottingham (UoN), Nottingham, U.K., where he iscurrently working toward the Ph.D. degree.

Prior to starting the Ph.D. degree, he was a Tech-nology and Business Consultant for public sectorand international organizations. He has publishedwork in venues, such as the Association for Com-

puting Machinery Annual International Conference on Mobile Computing andNetworking, the IEEE Annual Conference on Wireless On-demand NetworkSystems and Services, the IEEE International Wireless Communications andMobile Computing Conference, and the IEEE International Conference onCommunications. His research interests include privacy and security, delay-tolerant and mobile ad hoc networks, and peer-to-peer and distributed systems.

Mr. Zakhary received the Jameel Fellowship from AUC in 2007 and theBest ITI M.S. Dissertation Award and the International Research Excellencescholarship from UoN in 2009 and 2010, respectively.

Milena Radenkovic received the Dipl.Ing. degreefrom the University of Niš, Niš, Serbia, and thePh.D. degree from The University of Nottingham,Nottingham, U.K.

She is currently with the School of ComputerScience, University of Nottingham. She has been anInvestigator of four Engineering and Physical Sci-ences Research Council grants. Her research spansthe areas of mobile and delay-tolerant networking,energy efficiency, and security and privacy, as wellas their applications to pervasive gaming, social net-

working, and environmental monitoring.Dr. Radenkovic has organized and chaired multiple conferences, served on

many program committees and editorial boards, and published in premiumvenues, including Elsevier Ad Hoc, the IEEE International Conference onCommunications, the IEEE International Wireless Communications and Mo-bile Computing Conference, the IEEE WiMob, the Association for ComputingMachinery (ACM) Mobile Computing and Communications Review, the IEEEAnnual Conference on Wireless On-demand Network Systems and Services,IEEE Multimedia, the Massachusetts Institute of Technology Press Presence,the ACM Multimedia Conference, IEEE Multimedia, the ACM Symposiumon Virtual Reality Software and Technology, and the ACM InternationalSymposium on Cluster, Cloud, and Grid Computing.

Abderrahim Benslimane (SM’08) received the B.S.degree from the University of Nancy, Nancy, France,in 1987 and the D.E.A., M.S., and Ph.D. degreesfrom the Université de Franche-Comté, Besançon,France, in 1989 and 1993, respectively, all in com-puter science. He received the HDR degree (the titleto supervise research) from the University of Cergy-Pontoise, Cergy-Pontoise, France, in 2000.

He was a Technical International Expert with theFrench Ministry of Foreign and European Affairsas the Coordinator of the Faculty of Engineering,

French University of Egypt, El Shorouk, Egypt, where he was also the Headof the Informatics Research Center. He was an Associate Professor with theUniversity of Technology with Belfort-Montbéliard, Belfort, France, from 1994to 2001. He has been a Professor of computer science with the University ofAvignon, Avignon, France, since 2001, from which he is now in secondment.Currently,he is a Technical International Expert with the French Ministry ofForeign and European Affairs as the Coordinator of the Faculty of Engineering,French University of Egypt, El Shorouk, Egypt, where he is also the Head ofthe Informatics Research Center. He has several international collaborationsfor funded research projects and is a supervisor of Ph.D. students. He has morethan 130 refereed international publications. His current research and teachinginterests are in wireless and mobile networks.

Prof. Benslimane has been a Board Committee Member and the Vice-Chair of Student Activities of IEEE France section/Region 8 since 2008and was the Publication Vice-Chair of the Communications and InformationSecurity Technical Committee of Communication and Information Security in2009–2011. He participates in steering and program committees of many IEEEinternational conferences. He has been serving as the General Chair of the IEEEWiMob since 2008 and as the General Chair of the International Conferenceon Smart Homes and Health Telematics and the International Conference onSelected Topics in Mobile and Wireless Networking since 2011. He has servedas a Symposium Co-chair/Leader at many IEEE international conferences, suchas the International Conference on Communications, the Global Communi-cations Conference, the International Conference on Advanced InformationNetworking and Applications, and the Vehicular Technology Conference. Heis a member of several editorial boards of international journals, includingthe IEEE Wireless Communication Magazine, Wiley Wireless Communicationsand Mobile Computing, SAP Community Network, the International Journalof Communication Systems, Elsevier Ad Hoc, and the Journal of Network andComputer Applications. He has been a Guest Editor of many special issues.He received the French Award of Scientific Excellence (2011–2014).

efficient location privacy-aware forwarding in opportunistic mobile networks

Documents