
  • 8/10/2019 Hiding in the Mobile Crowd Location.pdf


    Hiding in the Mobile Crowd: Location Privacy through Collaboration

    Reza Shokri, George Theodorakopoulos, Panos Papadimitratos, Ehsan Kazemi, and Jean-Pierre Hubaux, Fellow, IEEE

    Abstract: Location-aware smartphones support various location-based services (LBSs): users query the LBS server and learn on the fly about their surroundings. However, such queries give away private information, enabling the LBS to track users. We address this problem by proposing a user-collaborative privacy-preserving approach for LBSs. Our solution does not require changing the LBS server architecture and does not assume third party servers; yet, it significantly improves users' location privacy. The gain stems from the collaboration of mobile devices: they keep their context information in a buffer and pass it to others seeking such information. Thus, a user remains hidden from the server, unless all the collaborative peers in the vicinity lack the sought information. We evaluate our scheme against the Bayesian localization attacks that allow for strong adversaries who can incorporate prior knowledge in their attacks. We develop a novel epidemic model to capture the, possibly time-dependent, dynamics of information propagation among users. Used in the Bayesian inference framework, this model helps analyze the effects of various parameters, such as users' querying rates and the lifetime of context information, on users' location privacy. The results show that our scheme hides a high fraction of location-based queries, thus significantly enhancing users' location privacy. Our simulations with real mobility traces corroborate our model-based findings. Finally, our implementation on mobile platforms indicates that it is lightweight and the cost of collaboration is negligible.

    Index Terms: Mobile networks, location-based services, location privacy, Bayesian inference attacks, epidemic models

    1 INTRODUCTION

    Smartphones, among other increasingly powerful mobile computing devices, offer various methods of localization. Integrated GPS receivers, or positioning services based on nearby communication infrastructure (Wi-Fi access points or base stations of cellular networks), enable users to position themselves fairly accurately, which has led to a wide offering of Location-based Services (LBSs). Such services can be queried by users to provide real-time information related to the current position and surroundings of the device, e.g., contextual data about points of interest such as petrol stations, or more dynamic information such as traffic conditions. The value of LBSs is in their ability to obtain on the fly up-to-date information.

    Although LBSs are convenient, disclosing location information can be dangerous. Each time an LBS query is submitted, private information is revealed. Users can be linked to their locations, and multiple pieces of such information can be linked together. They can then be profiled, which leads to unsolicited targeted advertisements or price discrimination.

    Even worse, the habits, personal and private preferences, religious beliefs, and political affiliations, for example, can be inferred from a user's whereabouts. This could make her the target of blackmail or harassment. Finally, real-time location disclosure leaves a person vulnerable to absence disclosure attacks: learning that someone is away from home could enable someone to break into her house or blackmail her [1]. A stalker can also exploit the location information.

    All this information is collected by the LBS operators. So, they might be tempted to misuse their rich data by, e.g., selling it to advertisers or to private investigators. The mere existence of such valuable data is an invitation to attackers, who could break into the LBS servers and obtain logs of user queries, or governments that want to detect and suppress dissident behavior. The result in all cases is the same: user-sensitive data fall in the hands of untrusted parties.

    The difficulty of the problem lies in protecting privacy of users who also want to earn the benefits of LBSs. Therefore, solutions such as not using LBSs are not acceptable. For instance, a user could download a large volume of data and then search through it for specific context information as the need arises. But this would be cumbersome, if not impractical, and it would be inefficient for obtaining information that changes dynamically over time.

    The need to enhance privacy for LBS users is understood and several solutions have been proposed, falling roughly into two main categories: centralized and user-centric.

    Centralized approaches introduce a third party in the system, which protects users' privacy by operating between the user and the LBS. Such an intermediary proxy server could anonymize (and obfuscate) queries by removing any information that identifies the user or her device. Alternatively, it could blend a user's query with those of other users, so that the LBS server always sees a group of queries [2]. However, such approaches only shift the problem: the threat of an untrustworthy LBS server is addressed by the introduction of a new third-party server. Why would the new server be any more trustworthy? Additionally, new proxy servers become as attractive for attackers as centralized LBSs.

    R. Shokri is with the Department of Computer Science, ETH Zurich, Zurich 8092, Switzerland. E-mail: [email protected].

    G. Theodorakopoulos is with the School of Computer Science and Informatics, Cardiff University, Cardiff CF24 3AA, United Kingdom. E-mail: [email protected].

    P. Papadimitratos is with the School of Electrical Engineering, KTH, Stockholm, Sweden. E-mail: [email protected].

    E. Kazemi and J.-P. Hubaux are with EPFL, Switzerland. E-mail: {ehsan.kazemi, jean-pierre.hubaux}@epfl.ch.

    Manuscript received 31 July 2013; revised 17 Nov. 2013; accepted 1 Dec. 2013; date of publication 11 Dec. 2013; date of current version 14 May 2014. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. Digital Object Identifier no. 10.1109/TDSC.2013.57

    266 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 3, MAY-JUNE 2014

    1545-5971 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

    Other centralized approaches require the LBS to change its operation by, for example, mandating that it process modified queries (submitted in forms that are different from actual user queries, possibly encrypted using PIR [3]), or that it store data differently (e.g., encrypted or encoded, to allow private access [4]). Centralized interventions or substantial changes to the LBS operation would be hard to adopt, simply because the LBS providers would have little incentive to fundamentally change their operation. Indeed, if a revenue stream is to be lost by user data not being collected, then not many LBS providers can be expected to comply. Misaligned incentives have been identified as the root of many security problems [5].

    User-centric approaches operate on the device. Typically they aim to blur the location information by, for example, having the user's smartphone submit inaccurate, noisy GPS coordinates to the LBS server. However, obfuscation approaches that protect user location-privacy can degrade the user experience if users need high privacy, e.g., LBS responses would be inaccurate or untimely. Obfuscation also is not effective against absence disclosure [6].

    Our approach avoids the problems of these two extremes by having users collaborate with each other to jointly improve their privacy, without the need for a trusted third party (TTP). In effect, the mobile crowd acts as a TTP, and the protection mechanism becomes a distributed protocol among users. Mobile users concerned about their location privacy are indeed the most motivated to engage in protecting themselves. We require no change in the LBS server architecture and its normal operation, and we make no assumption on the trustworthiness of the LBS or any third-party server.

    The key idea of our scheme, called MobiCrowd, is that users only contact the LBS server if they cannot find the sought information among their peers, i.e., other nearby reachable user devices. Hence, users can minimize their location information leakage by hiding in the crowd. Clearly, MobiCrowd would be most effective when there are many peers gathered at the same location. Indeed, this clustering phenomenon has been observed in human mobility studies [7]. Moreover, the places where people gather are points of interest, where users are most likely to query an LBS. Thus, MobiCrowd would be used exactly where it is most effective.

    We evaluate MobiCrowd through both an epidemic-based differential equation model and a Bayesian framework for location inference attacks. The epidemic model is a novel approach to evaluating a distributed location-privacy protocol. It helps us analyze how the parameters of our scheme, combined with a time-dependent model of the users' mobility, could cause a high or low degree of privacy. We validate the model-based results (on the probability of hiding a user from the server) with simulations on real mobility traces. We find that our epidemic model is a very good approximation of the real protocol; it reflects the precise hiding probability of a user.

    Relying on hidden Markov models, the Bayesian inference framework quantifies the correctness with which an adversary can estimate the location of users over time. The error of the adversary in this estimation is exactly our privacy metric [8]. We evaluate MobiCrowd on a real location-trace data set and we show that it provides a high level of privacy for users with different mobility patterns, against an adversary with varying background knowledge.

    Note that this joint epidemic/Bayesian evaluation is necessary and, in fact, a significant component of our approach, as MobiCrowd is a distributed protocol running on multiple collaborating devices, so its performance depends on network characteristics (e.g., time-dependent mobility), not just on what an individual device does. The focus of the existing work in the literature is more on privacy-preserving functions (e.g., obfuscation functions run independently by each user [9], [10]). To the best of our knowledge, this is the first such evaluation, and it is significantly more realistic than our own previous work [11] that quantified privacy with just the fraction of queries hidden from the server.

    We implemented our scheme on Nokia N800, N810 and N900 mobile devices, and we demonstrated it with the Maemo Mapper (a geographical mapping software for points of interest) [12]. Our approach can be used in the upcoming technologies that enable mobile devices to directly communicate to each other via (more energy-efficient) Wi-Fi-based technologies [13], [14] that aim at constructing a mobile social network between mobile users.

    The rest of the paper is organized as follows. We survey the related work in Section 2. In Section 3, we describe our assumptions for the location-based service, for mobile users and the adversary, and we state our design objectives. We present MobiCrowd in Section 4, and then we develop an epidemic model of its operation in Section 5. We present our Bayesian localization attacks in Section 6. We evaluate the effectiveness of MobiCrowd in Section 7.

    2 RELATED WORK

    There are many collaborative schemes for mobile networks. Mobile users, for example, can collectively build a map of an area [15]. Collaboration is also needed when sharing content or resources (e.g., Internet access) with other mobile nodes [16].

    Various threats associated with sharing location information have been identified in the literature. For example, users can be identified even if they share their location sporadically [17]. Knowing the social relations between users can help an adversary to better de-anonymize their location traces [18]. Finally, location sharing of a user not only diminishes her own privacy, but also the privacy of others [19].

    Techniques proposed to protect location privacy in LBSs can be classified based on how they distort the users' queries before the queries reach the LBS server. The queries can be anonymized (by removing users' identities), pseudonymized (by replacing users' real names with temporal identifiers called pseudonyms), or obfuscated (by generalizing or perturbing the spatiotemporal information associated to the queries). Queries can also be camouflaged by adding some dummy queries, or be completely eliminated and hidden from the LBS [10]. Combinations of these methods have been employed in the existing (centralized or distributed) mechanisms. We now discuss these approaches in more detail.


    The mere anonymization of (especially the continuous) queries does not protect users' location privacy: the queries of a user are correlated in space and time; hence, the adversary can successfully link them to each other, by using target-tracking algorithms [20], or can successfully identify the real names of the users [21]. Changing user pseudonyms while the users pass through pre-defined spots, called mix zones [22], makes it difficult to track the users along their trajectories. However, users must remain silent inside the mix zones, which means that they cannot use the LBS. To mitigate this problem, the size of the mix zones is kept small, which in turn limits the unlinkability of users' queries. Even if the mix zones are optimally placed, the adversary's success is relatively high [23].

    Perturbing the query's spatiotemporal content, in addition to anonymization by a third party (central anonymity server), has been proposed for obtaining a higher level of privacy [2]. The main drawback is the reliance on a centralized third party, which limits the practicality of this proposal. The considerable degradation of the quality of service imposed by obfuscation methods is another deterrent for such solutions. In [24], for example, the need to construct the cloaking regions and to receive the responses from the server through other users can considerably degrade the service. Many obfuscation-based techniques are based on k-anonymity, which has been shown inadequate to protect privacy [8], [25]. Perturbation techniques with differential privacy guarantee, however, have been shown effective against an adversary with arbitrary background knowledge [26].

    Adding dummy queries to the users' queries might help to confuse the adversary about the real user location. But generating effective dummy queries that divert the adversary is a difficult task [27], as they need to look like actual queries over space and time. An optimum algorithm for generating dummy queries is an open problem.

    In all the above-mentioned mechanisms, there is always a trade-off between users' privacy and the quality of service they experience [28]. The tension is maximized when it comes to hiding queries from the LBS server. Hiding a query from the server minimizes the revealed user information and thus maximizes her privacy with respect to that query. Simply put, it is more effective than the other three privacy-protection methods, and it protects users against both presence and absence disclosure. This is what MobiCrowd provides: it hides users from the server, yet allows them to receive the query responses from other peers.

    There exist cryptographic approaches that redesign the LBS: the service operator does not learn much about the users' queries, though it can still reply to their queries [4] or can obtain imprecise information about user location [3]. The lack of incentives for LBS operators to change their business model and implement these solutions, and their high computational overhead, have made them impractical so far.

    A game-theoretic evaluation of our protocol run by rational users is presented in [29].

    3 PROBLEM STATEMENT

    3.1 Mobile Users and LBS

    We consider N users who move in an area split into M discrete regions/locations. The mobility of each user u is a discrete-time Markov chain on the set of regions: the probability that user u, currently in region $r_i$, will next visit region $r_j$ is denoted by $p^u(r_j \mid r_i)$. Let $p^u(r_i)$ be the probability that user u is in region $r_i$.

    Each user possesses a location-aware wireless device, capable of ad hoc device-to-device communication and of connecting to the wireless infrastructure (e.g., cellular and Wi-Fi networks). As users move between regions, they leverage the infrastructure to submit local-search queries to an LBS, at some frequency that we term LBS access frequency. The frequency at which users query the LBS varies depending on the type of requested information, on the dynamics of information update in the LBS database, or on the geographical region.

    The information that the LBS provides expires periodically, in the sense that it is no longer valid. Note that information expiration is not equivalent to the user accessing the LBS: a user accesses the LBS when her information has expired and she wishes to receive the most up-to-date version of it.

    In addition, the information the LBS provides is self-verifiable, i.e., users can verify the integrity and authenticity of the server responses. This can be done in different ways; in our system, the user device verifies a digital signature of the LBS on each reply by using the LBS provider's public key. As a result, a compromised access point or mobile device cannot degrade the experience of users by altering replies or disseminating expired information.

    3.2 Adversary Model and Privacy Metric

    LBS servers concentrate location information from all user queries. Thus, an untrusted service provider could act as a big brother, that is, it could monitor user whereabouts and activities over time. In such a setting, the adversary can be categorized as a passive global long-term observer [10]. We assume the adversary has some background knowledge about the users' mobility patterns. This background knowledge consists of each user's mobility model, expressed as a Markov chain, the user's LBS access frequency, and the information lifetime.

    The adversary aims to perform inference attacks against the locations of users. In other words, he uses his background knowledge to estimate the locations from which the users issue queries, but also the locations they visit between successive queries that are not directly disclosed to the LBS.

    We quantify the location privacy of users as the expected error of the adversary in estimating the actual location of each user at each time instant [30]. The more queries the adversary observes, the more successful he will be in reconstructing their actual trajectories; so privacy is proportional to the distortion of the reconstructed trajectories.

    We do not address the threat of local observers sniffing the wireless channel trying to infer users' private information, as such a threat could exist with or without MobiCrowd, and it can be alleviated by frequently changing device identifiers (e.g., changing MAC addresses for Wi-Fi networks [31] similar to changing TMSI for GSM networks [32]). More importantly, local observers, to be effective, would need to be physically present next to any given victim user, over long periods of time and across different locations. In contrast, a centralized LBS can by default observe all the queries of a user, which is why we focus on this much greater threat in this paper.

    Malicious users cannot mislead others into receiving fake information, because messages are digitally signed by the LBS (as assumed in the previous section).

    3.3 Design Objectives

    Overall, our goal is to design a practical and highly effective location-privacy preserving mechanism for LBSs: we want to protect privacy with a minimal compromise on LBS quality of service. The nature of existing threats and the structure of stakeholder incentives, outlined earlier, is the determining factor of our design objectives.

    Our first design objective is to not rely on architectural changes of the LBS; any such changes would be impractical and highly unlikely to be adopted. Relying on centralized trusted third parties (e.g., central anonymity servers) to provide privacy enhancing mechanisms can be as hard as having trusted LBS operators. This leads to our second design objective: no reliance on any third party server to provide privacy protection. In fact, we would like to place the privacy protection exactly where there is incentive and motivation, that is, with the users themselves.

    4 OUR SCHEME

    Based on the stated design objectives, we propose a novel location-privacy preserving mechanism for LBSs. To take advantage of the high effectiveness of hiding user queries from the server, which minimizes the exposed information about the user's location to the server, we propose a mechanism in which a user can hide in the mobile crowd while using the service.

    The rationale behind our scheme is that users who already have some location-specific information (originally given by the service provider) can pass it to other users who are seeking such information. They can do so in a wireless peer-to-peer manner. Simply put, information about a location can remain around the location it relates to and change hands several times before it expires. Our proposed collaborative scheme enables many users to get such location-specific information from each other without contacting the server, hence minimizing the disclosure of their location information to the adversary.

    4.1 Scheme Details

    We build a mobile transparent proxy in each device that maintains a buffer with location-specific information. This buffer keeps the replies the user obtains from the server or other peers. Each piece of information associated with a given region has an expiration time (which is attached to the information and protected with the digital signature), after which the information is no longer valid. Invalid information is removed from the buffer.

    Each user with valid information about a region is termed informed user for that region. Users interested in getting location-specific information about a region are called information seekers of that region. A seeker, essentially a user who does not have the sought information in her buffer, first broadcasts her query to her neighbors through the wireless ad hoc interface of the device. We term this a local query.

    Any of the receivers of such a local query might respond to it, by what we term a local reply, as long as it has the information its peer seeks. However, an informed device will not necessarily respond to any received query: this will happen if the device is not only informed, but also willing to collaborate. We design our system with this option for its users; the collaborative status can be set explicitly by the user or automatically recommended or set by the device. Simply put, having each user collaborate a limited number of times (a fraction of the times she receives a local query from her neighbors), or during a randomly selected fraction of time, balances the cost of collaboration with the benefit of helping other peers. In practice, this is equivalent to the case where only a fraction of users collaborate.

    By obtaining a local reply, the seeker is now informed while, more importantly, her query has remained hidden from the service provider. No privacy-sensitive information has been exposed to the server and the user has obtained the sought service. Of course, in case there is no informed user around the seeker willing to assist her, she has no choice but to contact the server directly. In essence, a subset of users in every region has to contact the LBS to get the updated information, and the rest of the users benefit from the peer-to-peer collaboration. Intuitively, the higher the proportion of hidden user queries, the higher her location privacy is.
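The proxy behaviour of Section 4.1 (signed, expiring buffer entries; local query and local reply with collaboration probability; server only as last resort), as an added toy model written for this page, not the authors' Maemo implementation. The LBS signature is stood in for by an HMAC under a key only the server holds (the paper assumes a public-key signature verified with the provider's public key); device ids, rates and lifetimes are constructed values.

```python
"""Toy MobiCrowd transparent proxy: buffer, local query/reply, server fallback."""
import hashlib
import hmac
import random
from dataclasses import dataclass

LBS_KEY = b"demo-signing-key"   # constructed; stands in for the LBS private key


def sign(region, payload, expires_at):
    """Server 'signature' over (region, payload, expiration); HMAC stands in for a real signature."""
    msg = f"{region}|{payload}|{expires_at}".encode()
    return hmac.new(LBS_KEY, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Reply:
    region: int
    payload: str
    expires_at: float       # expiration time is covered by the signature (Section 4.1)
    tag: bytes

    def verify(self):
        return hmac.compare_digest(self.tag, sign(self.region, self.payload, self.expires_at))


class LBSServer:
    """The untrusted server: answers every query and logs who asked (this log is the leak)."""
    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.log = []

    def query(self, device_id, region, now):
        self.log.append((now, device_id, region))
        payload, expires = f"poi-list-for-{region}", now + self.lifetime
        return Reply(region, payload, expires, sign(region, payload, expires))


class Device:
    def __init__(self, device_id, phi, rng=None):
        self.id, self.phi = device_id, phi       # phi: willingness to collaborate per local query
        self.rng = rng or random.Random(device_id)
        self.buffer = {}                         # region -> Reply
        self.hidden = self.exposed = 0           # queries answered by peers / by the server

    def valid(self, region, now):
        """Return the buffered reply for region if it is still valid, else purge it."""
        r = self.buffer.get(region)
        if r is None or r.expires_at <= now or not r.verify():
            self.buffer.pop(region, None)
            return None
        return r

    def handle_local_query(self, region, now):
        """Local reply: only if informed AND willing to collaborate this time."""
        r = self.valid(region, now)
        return r if r is not None and self.rng.random() < self.phi else None

    def seek(self, region, neighbours, server, now):
        if self.valid(region, now) is not None:
            return self.buffer[region]           # already informed: no query at all
        for peer in neighbours:                  # local query over the ad hoc interface
            r = peer.handle_local_query(region, now)
            if r is not None and r.region == region and r.verify() and r.expires_at > now:
                self.buffer[region] = r          # seeker checks signature and expiry itself
                self.hidden += 1
                return r
        r = server.query(self.id, region, now)   # no willing informed peer: expose the query
        self.buffer[region] = r
        self.exposed += 1
        return r


def simulate(n_devices, phi, query_rate, lifetime, steps, seed=1):
    """All devices in one region; returns the fraction of queries hidden from the LBS."""
    rng = random.Random(seed)
    server = LBSServer(lifetime)
    devices = [Device(i, phi, rng) for i in range(n_devices)]
    for now in range(steps):
        for d in devices:
            if rng.random() < query_rate:
                d.seek(0, [p for p in devices if p is not d], server, now)
    hidden = sum(d.hidden for d in devices)
    exposed = sum(d.exposed for d in devices)
    return hidden / (hidden + exposed) if hidden + exposed else 0.0


if __name__ == "__main__":
    for phi in (0.0, 0.25, 1.0):
        print(f"phi={phi:.2f}: hidden fraction = {simulate(10, phi, 0.5, 20, 50):.2f}")
```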

    5 EPIDEMIC MODEL FOR THE DYNAMICS OF MOBICROWD

    The performance of our system depends on various parameters, such as the rate of contacts and the level of collaboration between users, the rate of LBS query generation, etc. We now describe a model for MobiCrowd, with the help of which we can directly evaluate the effect of various parameters on users' location privacy. Observing the effect of the parameters also helps when designing a system and testing what-if scenarios. For example, we can immediately see the level of collaboration required to achieve a desired privacy level or how the privacy level will change if the users make queries more frequently or less frequently.

    We draw an analogy between our system and epidemic phenomena: location-context information spreads like an infection from one user to another, depending on the user state (seeking information, having valid information, etc.). For example, a seeker becomes infected when meeting an infected user, that is, a user with valid information.

    We want a model that describes transitions between, and keeps track of, the various states a user is in as time progresses. However, it is prohibitively complex to keep track of the state of each individual user. Therefore, we make use of the mean field approximation [33], which focuses on the fraction of users in each state; these fractions are collectively called the network state. The approximation applies when the number of users is large and each individual interaction contributes a vanishingly small change to the network state. The approximation requires a random contact pattern among users, rather than a spatially correlated pattern, and random contacts are not far from reality when users are clustered in the same region (recall that we partition the whole area into regions).

    The mean-field approximation tells us that the time evolution of the fraction of users in each state can be described with increasing accuracy, as the number of users grows, by a system of ordinary differential equations (ODEs). By studying the system of ODEs, we find the steady state(s) to which the network converges. Similar models have been used in human virus epidemics [34], in worm propagation in wireless networks [35], and in research on forwarding/gossiping protocols [36].

    To keep the presentation simple, we focus on one type of context information, hence we consider a single average information lifetime. No loss of generality results from this, because, to model a complete system with multiple types of information, we can merge multiple versions of this model, one for each type.

    5.1 Model States and System of ODEs

    As mentioned earlier, users move in an area partitioned into multiple regions. The state of context knowledge within a region intuitively corresponds to the disease status in an epidemic. In general, a user's knowledge state would be multi-dimensional, because a different piece of information is relevant for each region. Thus, for each region we would have an associated epidemic model, with the same structure but different parameters. However, the state of knowledge about a region is unrelated to the knowledge about other regions, so different regions can be analyzed separately. We present our model for a single region, with users entering and exiting it; and we describe the states and the dynamics of our epidemic model for that single region.

    The collective mobility of users with respect to a region is modeled using three parameters: $\beta$, the average number of times a user makes a proximity contact with other users per time unit within a region; $\mu$, the probability of an outsider user entering a region within a time unit; and $\lambda$, the probability of an insider user leaving a region within a time unit. We derive these parameters from the Markov mobility models of users, as follows. Let parameters $\lambda_i$ and $\mu_i$ be the probabilities of exiting and entering region $r_i$, respectively. They correspond to the expected number of users who exit/enter $r_i$ normalized by the expected number of users who are inside/outside of $r_i$,

    $$\lambda_i = \frac{\sum_{u,\, j \neq i} p^u(r_i)\, p^u(r_j \mid r_i)}{\sum_u p^u(r_i)}, \qquad (1)$$

    $$\mu_i = \frac{\sum_{u,\, j \neq i} p^u(r_j)\, p^u(r_i \mid r_j)}{\sum_u \left(1 - p^u(r_i)\right)}. \qquad (2)$$

    The contact rate $\beta_i$ between users in region $r_i$ corresponds to the expected number of contacts of a device within its communication range

    $$\beta_i = \sum_{k=0}^{n_i - 1} k \binom{n_i - 1}{k} q^k (1 - q)^{n_i - 1 - k}, \qquad (3)$$

    where $q$ is the fraction of the region's area that is within the user's communication range, and $n_i = \sum_u p^u(r_i)$ is the expected number of users in region $r_i$. Note that the mobility parameters ($\lambda$, $\mu$, and $\beta$) can also be computed directly from sample location traces. All parameters of the epidemic model are listed in Table 1.

    Seeker. Users who are interested in obtaining information (i.e., have requested the information but not yet received it) are in the Seeker state. Once they have it, they move into the Informed state. As long as a seeker user stays in the region that she seeks information about, she is called an insider seeker. These users can receive information from other Informed users in the region, or from the server, the ultimate source of information. A seeker who leaves the region after requesting information about that region is called an outsider seeker. An outsider seeker can only receive information from the server, as users need to be in the same region in order to be able to propagate information to each other.

    Informed. Users who have information about the region are in the Informed state. If they are inside the region (called insider informed), they accept to spread the information at each contact with a Seeker user with probability $\phi$. This is because the information spreading process imposes some communication cost on informed users, hence they might not always collaborate. If they are outside the region (called outsider informed), we assume they do not spread the information. The information that the Informed users have, whether they are inside or outside the region, expires with rate $\delta$ and the users become Removed.

    Removed. Users who do not have information and are not currently interested in obtaining information are in the Removed state. We distinguish between insider removed and outsider removed users. An insider removed user becomes a Seeker if the user becomes interested in obtaining information about the region. As LBS users usually query information about the region they are in, we assume that outsiders have to enter the region to become interested.

    We denote by $S^+(t)$, $S^-(t)$, $I^+(t)$, $I^-(t)$, $R^+(t)$, and $R^-(t)$, respectively, the fraction of seeker insider, seeker outsider, informed insider, informed outsider, removed insider, and removed outsider users of a given region at time $t$ (a superscript $+$ marks insiders and $-$ outsiders). The network state $y(t)$ is the vector of these values. The system of equations that models the evolution of the network state is

    $$S^+(t) + S^-(t) + I^+(t) + I^-(t) + R^+(t) + R^-(t) = 1, \qquad (4a)$$

    TABLE 1: List of the Symbols Used in the Epidemic Model


$$\frac{dS}{dt} = -(\lambda + \nu)\,S(t) - \beta f\, I(t)\, S(t) + \gamma\, R(t) + \mu\, \bar S(t), \qquad (4b)$$
$$\frac{d\bar S}{dt} = \lambda\, S(t) - (\mu + \nu)\, \bar S(t), \qquad (4c)$$
$$\frac{dI}{dt} = \nu\, S(t) + \beta f\, I(t)\, S(t) - (\delta + \lambda)\, I(t) + \mu\, \bar I(t), \qquad (4d)$$
$$\frac{d\bar I}{dt} = \nu\, \bar S(t) + \lambda\, I(t) - (\delta + \mu)\, \bar I(t), \qquad (4e)$$
$$\frac{dR}{dt} = \delta\, I(t) - (\gamma + \lambda)\, R(t) + \mu\, \bar R(t), \qquad (4f)$$
$$\frac{d\bar R}{dt} = \delta\, \bar I(t) + \lambda\, R(t) - \mu\, \bar R(t), \qquad (4g)$$
$$0 \le S(t), \bar S(t), I(t), \bar I(t), R(t), \bar R(t) \le 1. \qquad (4h)$$

The right-hand sides of (4b)-(4g) sum to zero, so (4a) is preserved by the dynamics.

5.1.1 Stationary Regime Analysis
We write system (4) succinctly as $\frac{d}{dt} y = F(y)$. We study the stationary regime of the system, i.e., the regime where, for $t \to \infty$, the network state does not change with time. In particular, we look for equilibrium points, i.e., network states at which $\frac{d}{dt} y = 0$.

Setting $F(y) = 0$ and solving for $y$, we reach the following system of nonlinear equations, in which every state is expressed through the insider seeker fraction $S$:

$$\bar S = i\,S, \qquad (5a)$$
$$I = \frac{a\,S}{b\,S + c}, \qquad (5b)$$
$$\bar I = \frac{\nu i\,S + \lambda\, I}{\delta + \mu}, \qquad (5c)$$
$$R = \frac{\delta}{\gamma}\,(I + \bar I), \qquad (5d)$$
$$\bar R = \frac{\delta\, \bar I + \lambda\, R}{\mu}, \qquad (5e)$$
$$j\,S^2 + k\,S - c = 0, \qquad (5f)$$

where

$$a = \nu\mu\,(\lambda + \mu + \nu + \delta) + \delta\nu^2, \qquad (6a)$$
$$b = -\beta f\,(\delta + \mu)(\mu + \nu), \qquad (6b)$$
$$c = \delta\,(\mu + \nu)(\lambda + \mu + \delta), \qquad (6c)$$
$$i = \lambda\,(\mu + \nu)^{-1}, \qquad (6d)$$
$$j = P_S\, b, \qquad k = P_S\, c + P_I\, a - b, \qquad (6e)$$

and $P_S$, $P_I$ are the coefficients of $S$ and $I$ obtained when (5a), (5c), (5d) and (5e) are substituted into the normalization (4a):

$$P_S = 1 + i + w\Big(K + \frac{\delta}{\mu}\Big), \qquad P_I = (1 + u)\,K + \frac{\delta u}{\mu}, \qquad u = \frac{\lambda}{\delta + \mu}, \quad w = \frac{\nu i}{\delta + \mu}, \quad K = 1 + \frac{\delta}{\gamma} + \frac{\delta\lambda}{\gamma\mu}. \qquad (6f)$$

Here (5a) is (4c) at rest, (5c) is (4e) at rest, (5b) follows by eliminating $\bar I$ from (4d), (5d) is the sum of (4f) and (4g) at rest, (5e) is (4g) at rest, and (5f) is $P_S\,S + P_I\,I = 1$ multiplied by $bS + c$.

Having expressed all variables in terms of $S$, we need to solve the quadratic equation (5f) for $S$, keeping in mind that any solution $S_0$ has to satisfy $0 \le S_0 \le 1$. The value of $S_0$ can be found from the quadratic formula:

$$S_0 = \frac{1}{2j}\left(-k \pm \sqrt{k^2 + 4\,j\,c}\right). \qquad (7)$$

Then, we substitute $S_0$ into (5a)-(5e) to find the other values $\bar S_0, I_0, \bar I_0, R_0, \bar R_0$.

So, we found the only admissible equilibrium point of the network. We now give a sufficient condition for this point to be locally asymptotically stable, that is, all system trajectories starting near enough to the equilibrium point will eventually converge to it without wandering too far away in the meantime. This condition is that the Jacobian matrix of the system, evaluated at the equilibrium point, has eigenvalues with strictly negative real parts. Note that, instead of using the differential equation for $\bar R$, we substitute $\bar R = 1 - S - \bar S - I - \bar I - R$ and compute the Jacobian of an equivalent system with only the 5 variables $S, \bar S, I, \bar I, R$. The Jacobian $J(S, I)$ is

$$J(S, I) = \begin{pmatrix}
-\beta f I - \nu - \lambda & \mu & -\beta f S & 0 & \gamma \\
\lambda & -\nu - \mu & 0 & 0 & 0 \\
\beta f I + \nu & 0 & \beta f S - \delta - \lambda & \mu & 0 \\
0 & \nu & \lambda & -\delta - \mu & 0 \\
-\mu & -\mu & \delta - \mu & -\mu & -\mu - \gamma - \lambda
\end{pmatrix} \qquad (8)$$

which, as we see, is only a function of $S$ and $I$. The eigenvalues of $J(S, I)$ evaluated at the equilibrium point can be found by solving the fifth order equation

$$\left| J(S_0, I_0) - x\, I_5 \right| = 0 \qquad (9)$$

for $x$, where $I_5$ is the $5 \times 5$ unit matrix. As we have mentioned, if all the solutions have a strictly negative real part, then the equilibrium point is locally asymptotically stable. Moreover, if all the solutions have a strictly negative real part, the equilibrium point persists under small perturbations of the system parameters. That is, if $v(y)$ is any smooth vector field on $\mathbb{R}^5$, then for a sufficiently small perturbation magnitude $\varepsilon$ the equation

$$\frac{d}{dt} y = F(y) + \varepsilon\, v(y) \qquad (10)$$

has an equilibrium point near the original one, and the equilibrium point of the perturbed system is also locally asymptotically stable.

In Section 7, we show that all the eigenvalues have a strictly negative real part for the range of system parameters we consider; hence, the equilibrium point is stable, and it persists under small perturbations of the system parameters. The stability analysis justifies using the equilibrium point to evaluate our system. If it were unstable, then either the system would not converge to it or the smallest disturbance would cause the system to leave it.

5.1.2 Time-Dependent Mobility
So far, we have assumed that user mobility, expressed through the parameters $\mu$, $\lambda$ and $\beta$, does not change with time. But mobility is usually time-dependent and periodic: users have different mobility patterns in the morning than in the afternoon, but these patterns repeat almost every day. To address the time-dependence of mobility, we can split time into periods and compute the mobility parameters for each period separately.

Making $\mu$, $\lambda$ and $\beta$ time-dependent in (4) means that there is no longer an equilibrium point, because the fraction of users in each state (seeker, informed, removed) continuously changes over time. We solve this system of nonlinear differential equations using numerical methods (as it is difficult to find closed-form solutions), which provide the fraction of users in each state at each time unit.

5.2 Baseline MobiCrowd: Buffer Only
To be able to isolate the effect of collaboration, we study the case where there is no collaboration among users and MobiCrowd relies only on its buffer to protect users' privacy: a user who becomes interested checks her buffer, and if the content is not there, she immediately contacts the server. Thus, there are no Seeker ($S$ and $\bar S$) users in the model for this case:

$$I(t) + \bar I(t) + R(t) + \bar R(t) = 1, \qquad (11a)$$
$$\frac{dI}{dt} = \gamma\, R(t) + \mu\, \bar I(t) - (\delta + \lambda)\, I(t), \qquad (11b)$$
$$\frac{d\bar I}{dt} = \lambda\, I(t) - (\mu + \delta)\, \bar I(t), \qquad (11c)$$
$$\frac{dR}{dt} = \delta\, I(t) + \mu\, \bar R(t) - (\gamma + \lambda)\, R(t), \qquad (11d)$$
$$\frac{d\bar R}{dt} = \delta\, \bar I(t) + \lambda\, R(t) - \mu\, \bar R(t), \qquad (11e)$$
$$0 \le I(t), \bar I(t), R(t), \bar R(t) \le 1. \qquad (11f)$$

For the stationary regime analysis, we compute the equilibrium point of the system, and study its stability as before:

$$\bar I = z\, I, \qquad (12a)$$
$$R = \frac{1}{\gamma}\,(\lambda - z\mu + \delta)\, I = \frac{\delta\,(1 + z)}{\gamma}\, I, \qquad (12b)$$
$$\bar R = 1 - I\left(1 + z + \frac{\lambda - z\mu + \delta}{\gamma}\right), \qquad (12c)$$
$$I = \frac{\mu\gamma}{\gamma\,(\delta z + \mu(1 + z)) + \delta\,(\lambda + \mu)(1 + z)}, \qquad (12d)$$

where $z = \lambda\,(\mu + \delta)^{-1}$; (12a) is (11c) at rest, (12b) is (11b) at rest, (12c) is (11a), and (12d) is (11e) at rest with the other three substituted. To study the stability of this point, we compute the Jacobian of the equivalent system that arises after substituting $\bar R = 1 - I - \bar I - R$. In this case the system is linear, so if the eigenvalues have negative real parts, the equilibrium point is globally asymptotically stable, that is, the system converges to it for any initial condition. The Jacobian is

$$J = \begin{pmatrix}
-\delta - \lambda & \mu & \gamma \\
\lambda & -\mu - \delta & 0 \\
\delta - \mu & -\mu & -\mu - \gamma - \lambda
\end{pmatrix}. \qquad (13)$$

The equation to solve for the eigenvalues is, as before, $|J - x\, I_3| = 0$. We will show the stability of the equilibrium point in the next section. For time-dependent mobility parameters, as before, we analyze the system numerically.


6 QUANTITATIVE ANALYSIS
The direct objective of MobiCrowd is to hide user queries from the server. We quantify this objective, as our first evaluation metric, through the hiding probability: the probability that a user's query is hidden from the server thanks to the MobiCrowd protocol. Under various user mobility and information spreading dynamics, we compute this metric using the results of the time-dependent epidemic model, and we compare it to the results of simulations on a data set of real mobility traces. In Section 7, we show that the simulation results corroborate our model-based findings about the hiding probability.

As our second evaluation metric, we quantify the location privacy that MobiCrowd offers to users against localization attacks. Specifically, we compute the expected error of an adversary who observes a user's trace and then forms a probabilistic estimate of her location. This probabilistic estimate is based on a Bayesian location inference approach [30] that enables us to incorporate both the background knowledge and the observations of the adversary and to precisely quantify the location privacy of users. We link this Bayesian inference to our epidemic model by computing the observation probability of the adversary from the hiding probability of MobiCrowd.

6.1 Probability of Hiding in the Mobile Crowd
The hiding probability in a given region is estimated as the fraction of queries per time unit that are not observed by the server. The higher this fraction, the lower the adversary's success in performing inference attacks on the observed queries. Hiding some of the users' locations from the adversary has two benefits: (1) users become less traceable over space and time, as the observed queries of a user are sparser, hence harder to correlate with each other and easier to confuse with the queries of other users [8], [20], [37]; and (2) the set of a user's observed queries becomes harder to link to the user's real name. The hiding probability thus shows the reduction in the amount of information the adversary obtains from the users' queries compared to the case where users directly contact the server for each query.

In the case of no collaboration among users, i.e., in buffer-only MobiCrowd, users can retrieve the information either from their buffer or from the server. Only the $I$ users have the information in their buffers, whereas the $R$ users are forced to contact the server when they become interested. The $I$ users issue queries at a total rate of $\gamma I$, and the $R$ users at a total rate of $\gamma R$. Therefore, the hiding probability in this case is

$$HP_0 = \frac{I}{I + R}, \qquad (14)$$

where $I$ and $R$ are computed from (11).

In the case of collaboration with probability $f > 0$ among users, queries can also be answered by peers. Only an insider user who is not already a seeker, i.e., an insider informed or insider removed user, can send a new query. So, we focus only on them and compute the hiding probability as the probability that the user's query, given that she is insider informed or insider removed, is answered by her buffer or by a peer.

The user is insider informed with probability $I/(I + R)$. By definition, the query of an insider informed user is immediately answered by the buffer, so her hiding probability is 1.

Turning to insider removed users, the probability of being insider removed is $R/(I + R)$. By definition, such a user (who, right after sending the query, becomes an insider seeker) needs to wait for an insider informed peer to collaborate with her. If she cannot find one before her waiting time expires, she has to expose her location to the server. Which of the two happens first can be modeled as a competition between two exponential random variables: $P$ with mean $1/(\beta f I)$, representing the time to get the response from peers, and $S$ with mean $1/\nu$, representing the time to get the response from the server. Then, the hiding probability is the probability that $P$ wins:

$$\Pr\{P < S\} = \int_0^{\infty} f_S(s) \int_0^{s} f_P(p)\, dp\, ds = \frac{\beta f I}{\beta f I + \nu}. \qquad (15)$$

So, finally, we compute the hiding probability as

$$HP_f = \frac{I}{I + R} + \frac{R}{I + R} \cdot \frac{\beta f I}{\beta f I + \nu}, \qquad (16)$$

where $I$ and $R$ are computed from (4). We can see that if we set the collaboration probability $f$ to zero, the hiding probability takes the form of (14).
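The epidemic model of Sections 5.1 and 5.2 and the hiding probability of Section 6.1, as an added example that is not code from the paper or from its implementation: it integrates system (4) and the buffer-only system (11) with a fixed-step Runge-Kutta scheme, runs them to the stationary regime of Section 5.1.1, checks the numerical equilibrium against the closed form (5)-(7), replaces the eigenvalue test of (9) by a perturbation test, accepts time-dependent mobility parameters as in Section 5.1.2, and evaluates (14) and (16). The parameter values in DEMO are constructed for illustration, not taken from the paper, and the exit rate is written lam.

```python
"""MobiCrowd epidemic model: collaborative system (4), buffer-only system (11)
and the hiding probability (14)/(16).  Added example, not the paper's code.
The exit rate, whose glyph was lost in extraction, is written lam (lambda).
Rates are per time unit; the values in DEMO are constructed, not the paper's."""
from math import sqrt

DEMO = dict(mu=0.2,     # rate at which outsiders enter the region
            lam=0.2,    # rate at which insiders leave it
            beta=2.0,   # contact rate between users inside the region
            f=0.5,      # collaboration probability of an informed insider
            delta=0.1,  # information expiration rate (lifetime 1/delta = 10)
            gamma=0.4,  # request rate of insider removed users
            nu=1.0)     # server answers a seeker at rate nu (mean wait 1/nu)

def rhs_collaborative(y, p):
    """Right-hand side of (4b)-(4g); y = (S, Sb, I, Ib, R, Rb), bars = outsiders."""
    S, Sb, I, Ib, R, Rb = y
    mu, lam, delta, gamma, nu = p["mu"], p["lam"], p["delta"], p["gamma"], p["nu"]
    peer = p["beta"] * p["f"] * I * S                      # seekers answered by informed peers
    return (-(lam + nu) * S - peer + gamma * R + mu * Sb,   # (4b)
            lam * S - (mu + nu) * Sb,                        # (4c)
            nu * S + peer - (delta + lam) * I + mu * Ib,     # (4d)
            nu * Sb + lam * I - (delta + mu) * Ib,           # (4e)
            delta * I - (gamma + lam) * R + mu * Rb,         # (4f)
            delta * Ib + lam * R - mu * Rb)                  # (4g)

def rhs_buffer_only(y, p):
    """Right-hand side of (11b)-(11e); y = (I, Ib, R, Rb), no seeker states."""
    I, Ib, R, Rb = y
    mu, lam, delta, gamma = p["mu"], p["lam"], p["delta"], p["gamma"]
    return (gamma * R + mu * Ib - (delta + lam) * I,        # (11b)
            lam * I - (mu + delta) * Ib,                     # (11c)
            delta * I + mu * Rb - (gamma + lam) * R,         # (11d)
            delta * Ib + lam * R - mu * Rb)                  # (11e)

def rk4_step(rhs, y, p, dt):
    k1 = rhs(y, p)
    k2 = rhs([a + dt / 2 * b for a, b in zip(y, k1)], p)
    k3 = rhs([a + dt / 2 * b for a, b in zip(y, k2)], p)
    k4 = rhs([a + dt * b for a, b in zip(y, k3)], p)
    return [a + dt / 6 * (b + 2 * c + 2 * d + e) for a, b, c, d, e in zip(y, k1, k2, k3, k4)]

def integrate(rhs, y0, params, t_end, dt=0.02):
    """params is a dict (constant mobility) or a callable t -> dict
    (time-dependent mobility of 5.1.2, which the paper also solves numerically)."""
    y, t = list(y0), 0.0
    while t < t_end - 1e-12:
        y = rk4_step(rhs, y, params(t) if callable(params) else params, dt)
        t += dt
    return y

def equilibrium(rhs, y0, p, tol=1e-9, dt=0.02, max_t=5000.0):
    """Stationary regime of 5.1.1: integrate until |dy/dt| drops below tol."""
    y, t = list(y0), 0.0
    while t < max_t and sqrt(sum(d * d for d in rhs(y, p))) >= tol:
        y = rk4_step(rhs, y, p, dt)
        t += dt
    return y

def equilibrium_closed_form(p):
    """Equilibrium of (4) via (5)-(7): every state is a function of S and the
    normalisation (4a) becomes the quadratic (5f) in S."""
    mu, lam, beta, f, delta, gamma, nu = (p[k] for k in ("mu", "lam", "beta", "f", "delta", "gamma", "nu"))
    i = lam / (mu + nu)                                       # Sb = i S              (5a)
    a = nu * mu * (lam + mu + nu + delta) + delta * nu ** 2   # I = a S / (b S + c)   (5b)
    b = -beta * f * (delta + mu) * (mu + nu)
    c = delta * (mu + nu) * (lam + mu + delta)
    u, w = lam / (delta + mu), nu * i / (delta + mu)          # Ib = w S + u I        (5c)
    K = 1 + delta / gamma + delta * lam / (gamma * mu)
    P_S = 1 + i + w * (K + delta / mu)                        # coefficient of S in (4a)
    P_I = (1 + u) * K + delta * u / mu                        # coefficient of I in (4a)
    j, k = P_S * b, P_S * c + P_I * a - b                     # j S^2 + k S - c = 0   (5f)
    if j == 0:                                                # f = 0: (5f) is linear in S
        S = c / k
    else:
        roots = ((-k + s * sqrt(k * k + 4 * j * c)) / (2 * j) for s in (1, -1))
        S = next(r for r in roots if 0 <= r <= 1)             # the admissible root   (7)
    I = a * S / (b * S + c)
    Ib = w * S + u * I
    R = delta * (I + Ib) / gamma                              # (5d)
    return [S, i * S, I, Ib, R, (delta * Ib + lam * R) / mu]  # last entry is (5e)

def hiding_probability_buffer_only(y):
    I, _, R, _ = y
    return I / (I + R)                                        # (14)

def hiding_probability(y, p):
    _, _, I, _, R, _ = y
    peer_first = p["beta"] * p["f"] * I / (p["beta"] * p["f"] * I + p["nu"])   # (15)
    return I / (I + R) + R / (I + R) * peer_first             # (16)

def is_locally_stable(rhs, y_eq, p, eps=1e-3, horizon=400.0):
    """Numerical stand-in for the eigenvalue test (9): a small zero-sum
    perturbation (so the state stays on the simplex) must be pulled back."""
    y = [v + eps * (-1) ** n for n, v in enumerate(y_eq)]
    d0 = sqrt(sum((a - b) ** 2 for a, b in zip(y, y_eq)))
    d1 = sqrt(sum((a - b) ** 2 for a, b in zip(integrate(rhs, y, p, horizon), y_eq)))
    return d1 < 0.05 * d0

def day_profile(t):
    """Constructed periodic mobility (5.1.2): entry and exit rates double in the afternoon."""
    speed = 2.0 if (t % 24.0) >= 12.0 else 1.0
    return dict(DEMO, mu=DEMO["mu"] * speed, lam=DEMO["lam"] * speed)

if __name__ == "__main__":
    y_eq = equilibrium(rhs_collaborative, [0, 0, 0, 0, 0.5, 0.5], DEMO)
    print("equilibrium", [round(v, 4) for v in y_eq], "stable:", is_locally_stable(rhs_collaborative, y_eq, DEMO))
    print("hiding probability with collaboration", round(hiding_probability(y_eq, DEMO), 3))
    yb = equilibrium(rhs_buffer_only, [0, 0, 0.5, 0.5], DEMO)
    print("hiding probability buffer only", round(hiding_probability_buffer_only(yb), 3))
    print("state after three days of periodic mobility", [round(v, 4) for v in integrate(rhs_collaborative, y_eq, day_profile, 72.0)])
```

The closed form and the integration are independent computations of the same fixed point, so a mismatch between `equilibrium` and `equilibrium_closed_form` would indicate a transcription error in either (4) or (5)-(7); the perturbation test is weaker than the eigenvalue condition of (9) but needs no linear-algebra library.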

6.2 Location Privacy versus Inference Attacks
In a localization attack the adversary targets a specific user at a specific time instant and computes the probability distribution over the regions where the user might be [38]. This distribution is computed given the observed traces from the user. Formally, the adversary computes $\Pr\{A_t^u = r \mid o_u\}$ for user $u$ at time instant $t$ and for all regions $r$, where $A_t^u$ is the random variable for the actual location of user $u$ at time $t$, and $o_u$ is the observed trace from user $u$. In the case of MobiCrowd users, the (server's) observation at a time $t$ is either null or the true location of the user. From the adversary's localization probability distribution, we quantify the location privacy of a user as the probability of error of the adversary in guessing the user's true location, averaged over all times $t$.

We use Bayes' rule to compute the localization probability for the adversary:

$$\Pr\{A_t^u = r \mid o_u\} = \frac{\Pr\{A_t^u = r,\ o_u\}}{\Pr\{o_u\}} = \frac{\Pr\{A_t^u = r,\ o_u^{1:t}\}\ \Pr\{o_u^{t+1:T} \mid A_t^u = r\}}{\Pr\{o_u\}}, \qquad (17)$$

where $T$ is the length of the observed trace; note also that we use the conditional independence of $o_u^{t+1:T}$ and $o_u^{1:t}$ given $A_t^u = r$. The two probabilities in the numerator can be computed recursively with the forward-backward algorithm of hidden Markov models (HMM). The normalizing factor $\Pr\{o_u\}$ can also be computed simply by summing the numerator over all regions $r$ [30].
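The localization attack of (17), as an added example that is not the paper's Location-Privacy Meter code: a forward-backward recursion over a trace whose observations are either null or the true region, evaluated for the observation-only and inference adversaries of Section 7.2. Everything concrete here is constructed for illustration: the four hypothetical regions, the first-order Markov mobility prior (PI0, TRANS) standing in for the adversary's background knowledge, the user's trace TRUE_TRACE, the exposed time steps, and the 0/1 distortion used for the adversary's error.

```python
"""Bayesian localization attack (17) with null observations.
Added example, not the paper's Location-Privacy Meter code.  All data below
are constructed: a 2x2 grid of regions, a Markov mobility prior as the
adversary's background knowledge, and one user's eight-step trace.  The
server observes the true region with probability 1 - h and nothing
otherwise, h being the hiding probability of Section 6.1.  Privacy is the
adversary's expected error under the 0/1 distortion, i.e.
1 - Pr{true region | observations}, averaged over all time instants."""

REGIONS = ["r0", "r1", "r2", "r3"]          # hypothetical grid: r0 r1 / r2 r3
PI0 = [0.4, 0.3, 0.2, 0.1]                  # Pr{A_1 = r}
TRANS = [[0.70, 0.15, 0.15, 0.00],          # Pr{A_{t+1} = col | A_t = row}:
         [0.15, 0.70, 0.00, 0.15],          # mostly stay, otherwise move to a
         [0.15, 0.00, 0.70, 0.15],          # grid neighbour (no diagonal moves)
         [0.00, 0.15, 0.15, 0.70]]

def emission(obs, r, h):
    """Pr{o_t | A_t = r}: null with probability h, else the true region."""
    if obs is None:
        return h
    return (1.0 - h) if obs == r else 0.0

def localize(obs, h, pi0=PI0, trans=TRANS):
    """Posterior Pr{A_t = r | o_{1:T}} for every t, by the forward-backward
    recursion behind (17): alpha is the first factor of the numerator,
    beta the second, and their sum over r is Pr{o_u}."""
    n, T = len(pi0), len(obs)
    alpha = [[0.0] * n for _ in range(T)]   # Pr{A_t = r, o_{1:t}}
    beta = [[1.0] * n for _ in range(T)]    # Pr{o_{t+1:T} | A_t = r}
    alpha[0] = [pi0[r] * emission(obs[0], r, h) for r in range(n)]
    for t in range(1, T):
        alpha[t] = [emission(obs[t], r, h) * sum(alpha[t - 1][q] * trans[q][r] for q in range(n))
                    for r in range(n)]
    for t in range(T - 2, -1, -1):
        beta[t] = [sum(trans[r][q] * emission(obs[t + 1], q, h) * beta[t + 1][q] for q in range(n))
                   for r in range(n)]
    post = []
    for t in range(T):
        joint = [alpha[t][r] * beta[t][r] for r in range(n)]   # numerator of (17)
        z = sum(joint)                                         # Pr{o_u}, the same for every t
        if z == 0.0:
            raise ValueError("observed trace is impossible under the mobility prior")
        post.append([v / z for v in joint])
    return post

def observe(true_trace, exposed):
    """Server-side view of a trace: the region at exposed steps, null elsewhere."""
    return [r if t in exposed else None for t, r in enumerate(true_trace)]

def privacy_observation(obs):
    """Observation adversary: his error is 1 exactly when nothing was exposed."""
    return sum(o is None for o in obs) / len(obs)

def privacy_inference(true_trace, obs, h):
    """Inference adversary: expected error of the posterior, averaged over t."""
    post = localize(obs, h)
    return sum(1.0 - post[t][r] for t, r in enumerate(true_trace)) / len(true_trace)

# Constructed trace of one user over eight time steps (every move is allowed by TRANS).
TRUE_TRACE = [0, 0, 1, 1, 3, 3, 2, 0]
NO_PROTECTION = observe(TRUE_TRACE, exposed={0, 2, 4, 6})   # a query every other step
MOBICROWD = observe(TRUE_TRACE, exposed={0, 4})             # half of them answered by peers

if __name__ == "__main__":
    for name, obs, h in (("no protection", NO_PROTECTION, 0.5), ("MobiCrowd", MOBICROWD, 0.75)):
        print(name, "observation:", round(privacy_observation(obs), 3),
              "inference:", round(privacy_inference(TRUE_TRACE, obs, h), 3))
    # Baseline of Section 7.2: the adversary ignores observations and uses the prior alone.
    print("baseline:", round(privacy_inference(TRUE_TRACE, [None] * len(TRUE_TRACE), 1.0), 3))
```

Because every term of (17) carries the same factor $h$ or $1-h$ for a given time step, the numerical value of the hiding probability cancels in the posterior; it determines which observations exist, not how they are weighed, which is exactly how Section 6 links the epidemic model to the attack.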


with a higher probability non-expired information, either from their own buffer or from their peers; hence, a higher fraction of their queries will be hidden from the LBS. Moreover, the hiding probability of each query for long lifetimes and low request rates (i.e., long intervals between requests) appears to be more or less the same as the hiding probability for short lifetimes and high request rates (i.e., short intervals between requests), as indicated by the vaulted shape of the contours. Also, adding collaboration to the buffering technique in MobiCrowd increases the fraction of hidden queries even for a collaboration factor of $f = 0.5$.

7.2 Evaluation of Privacy
We use the location-privacy meter tool [8] to quantify the location privacy of users as the expected error of the adversary in guessing their correct location, including at times when they do not issue a query, i.e., between two successive LBS queries. We are interested in analyzing the privacy effect of the following factors:

The adversary's background knowledge on user mobility, which can be
- the mobility model of each individual user (Individuals' Mobility Model), or
- the average mobility model of the whole user population (Average Mobility Model).

The adversary's method of attack, which can consist of
- just observing exposed locations, i.e., not trying to guess a user's locations between two queries (Observation adversary), or
- perpetrating Bayesian localization attacks to infer the whole location trace of each user (Inference adversary).

We compute privacy for multiple combinations of these factors, with and without our protection protocol. The concrete scenarios we study are
- Baseline: inference without observations.
- No Protection versus observation/inference.
- MobiCrowd versus observation/inference.

In the Baseline scenario, we compute privacy against the inference attack, assuming that the adversary ignores his LBS observations and relies only on his background knowledge. This scenario quantifies the extent to which the adversary's knowledge is by itself sufficient to predict the users' locations over time. It is a baseline scenario in the sense that no privacy mechanism can achieve better privacy than this.

In the No Protection scenario, users submit their queries directly and immediately to the server without using any protection mechanism. This scenario reflects the risk of unprotected use of LBSs. We compute privacy against the observation and against the inference adversaries.

In the MobiCrowd scenarios, we again compute privacy against the observation/inference adversaries. However, in this case, users make use of MobiCrowd, hence their observed traces contain fewer locations than in the No Protection scenario.

7.2.1 Average Location Privacy
To see how our system performs across a range of parameters, we compute, for all combinations of system parameters (request rate $\gamma$, information lifetime $1/\delta$, and collaboration probability $f$), the average location privacy of users against the localization attack, as explained in Section 6.2, for the MobiCrowd and No Protection scenarios.

Fig. 2 shows the location privacy of MobiCrowd users against the localization attack, as well as the percent-improvement of their privacy over having no protection (i.e., when they send all their queries to the server). Figs. 2a and 2b illustrate the results for the cases where the adversary's knowledge is the mobility model of each individual user and their average mobility model, respectively. Thus, the comparison between Figs. 2a and 2b shows the effect of the adversary's background knowledge on the users' location privacy.

MobiCrowd achieves the best percent-improvement in the high ($> 0.6$) request rate regime, especially if the information lifetime is not too low. If the request rate is low, few locations are exposed in the first place, so location privacy is already high even without protection. Privacy is in danger at high request rates, where MobiCrowd's improvement is significant: it ranges from $2\times$ (100 percent) up to $6.5\times$ (550 percent). This observation holds across all twelve cases in Fig. 2.

As expected, the adversary does considerably better when using each user's own mobility model in the attack, rather than the average mobility model for everyone. More precisely, the success probability of our Bayesian inference attack, in estimating a user's location between two successive observations, increases significantly if we provide the adversary with a more precise mobility model. However, here again MobiCrowd helps when it is most needed, and significantly improves (up to 550 percent) the users' location privacy when the adversary is very powerful due to his accurate background knowledge.

Finally, note that, although more collaboration is definitely better, full collaboration ($f = 1$) is not necessary to reap the benefits of MobiCrowd. Even at $f = 0.5$ there is a considerable privacy gain.

The only cases where MobiCrowd's improvement is below 100 percent are when privacy is already high, in which case a further increase does not really matter, or when information expires too fast, in which case the users are forced to contact the server for most of their queries.

7.2.2 Cumulative Distribution of Location Privacy
In order to better analyze the added value of the adversary's knowledge and his inference attack on the one hand, and the effectiveness of MobiCrowd on the other hand, we compute users' location privacy for all the scenarios enumerated in Section 7.2, but only for a single set of parameters ($\gamma = 0.4$, $\delta = 0.1$, and $f = 0.5$). We plot the results in Fig. 3, which shows the cumulative distributions of users' location privacy in the different scenarios. Plotting cumulative distributions allows us to observe MobiCrowd's improvements for all percentiles of users, instead of being limited to the previously computed averages over all users.

The baseline privacy in Figs. 3a and 3b shows how much information is embedded in the background knowledge of the adversary, i.e., how accurately he can predict users' locations relying only on their mobility models.

In each of the sub-figures, the Baseline (inference) and No Protection (inference) scenarios reflect the risk of using location-based services without any protection. Even an adversary with knowledge of only the average mobility can significantly decrease users' location privacy, hence the pressing need to employ privacy-enhancing protocols such as MobiCrowd.

The difference, approximately 35 percent, between location privacy in MobiCrowd (observation) and No Protection (observation) shows the added value of MobiCrowd with respect to an observer (e.g., a curious but not adversarial LBS operator). However, these privacy values do not constitute a lower bound on user privacy, as an inference adversary can estimate the actual location of users more accurately.

We can see the additional damage caused by an inference adversary, compared to an observer, by comparing corresponding (observation) and (inference) scenarios. There is a difference of about $3\times$ for the individuals' mobility model, and a much smaller one, 15-30 percent, for the average mobility model. This is to be expected, as the quality of the inference depends heavily on the quality of the background knowledge.

The added value of MobiCrowd against an inference adversary is about 50 percent when the adversary's knowledge is the individual mobility model, and a bit less than 50 percent when the knowledge is the average model.

Fig. 2. Average location privacy of MobiCrowd users against the Bayesian inference localization attack (top row of each sub-figure), and the percent-improvement that MobiCrowd achieves over no protection, i.e., when MobiCrowd is not in place (bottom row of each sub-figure). The adversary's background knowledge is the set of mobility models of all individual users in (a), and the average mobility model of all users in (b).

7.3 Implementation
We implement MobiCrowd on three different Nokia mobile devices (N800, N810, and N900) by building a mobile privacy proxy in each device. The proxy does not require any modification of the supported applications and is transparent to their operation. The prototype works with the Maemo Mapper LBS; MobiCrowd acts as a transparent HTTP proxy to which the client traffic is redirected. Note that knowing the format of the LBS queries and the data format of the server replies is enough to adapt MobiCrowd to new LBS applications. Our implementation in Python is 600 lines of code, including the proxy module, the ad-hoc networking module, and the server interface module. Memory utilization does not exceed 3 percent of the total device memory.

We perform measurements on a 5-device testbed to estimate the delay for obtaining a peer response. Three out of the five are randomly chosen to collaborate each time. Mobiles access the LBS server over a cellular link (e.g., GSM) and communicate with each other via the Wi-Fi interface. Averaged over 100 queries, the delay is 0.17 sec. We also note that cryptographic delays are (for a typical OpenSSL distribution) low: the weakest of the three devices, the N800, can verify more than 460 RSA signatures per second (1,024-bit modulus), or 130 signature verifications per second (2,048-bit modulus); this implies that digitally signed LBS responses can easily be handled by the devices to protect against malicious peers.

A popular technique that enhances privacy against local eavesdroppers is to change identifiers frequently. Cellular network operators make use of network-issued pseudonyms (TMSIs) to protect the location privacy of their users [32]. MobiCrowd-ready mobile devices can also mimic this defense (as has already been proposed for wireless networks, e.g., [31]). They can change their identifiers (e.g., the MAC addresses) as often as desired, even while in a single point-of-interest area. This would essentially root out any threat by a curious local observer. Even in the case of a stalker, it would not be possible to link together the successive identifiers of a device, as multiple users' identifiers will be mixed together. The only remaining option for the stalker is to maintain visual contact with the target user, but defending against this threat is clearly orthogonal to our problem.

8 CONCLUSION
We have proposed a novel approach to enhance the privacy of LBS users, to be used against service providers who could extract information from their LBS queries and misuse it. We have developed and evaluated MobiCrowd, a scheme that enables LBS users to hide in the crowd and to reduce their exposure while they continue to receive the location context information they need. MobiCrowd achieves this by relying on the collaboration between users, who have the incentive and the capability to safeguard their privacy. We have proposed a novel analytical framework to quantify the location privacy of our distributed protocol. Our epidemic model captures the hiding probability for user locations, i.e., the fraction of times when, due to MobiCrowd, the adversary does not observe user queries. By relying on this model, our Bayesian inference attack estimates the location of users when they hide. Our extensive joint epidemic/Bayesian analysis shows a significant improvement thanks to MobiCrowd, across both the individual and the average mobility prior knowledge scenarios for the adversary. We have demonstrated the resource efficiency of MobiCrowd by implementing it on portable devices.

Fig. 3. Cumulative fraction of users' location privacy in different protection/attack scenarios. The users' collaboration level is 0.5, the request rate is 0.4, and the information lifetime is 10. The graphs show what fraction of users (on the y-axis) have a privacy level up to a certain point (on the x-axis). Sub-figures (a) and (b) differ in the background knowledge of the adversary (used in the Bayesian inference attack). The Baseline (infr) graph shows users' location privacy against the Bayesian inference attack if the adversary relies only on his background knowledge. The No Protection (infr) graph shows users' location privacy against the Bayesian inference attack if they do not use any protection mechanism and submit their queries to the server. The No Protection (obs) graph shows users' location privacy in terms of the fraction of times their true location is not exposed to the server because they did not have any query. The MobiCrowd (infr) graph shows the location privacy of MobiCrowd users against the Bayesian inference attack. The MobiCrowd (obs) graph shows the location privacy of MobiCrowd users in terms of the fraction of times their true location is not exposed to the server, due to the protection or the lack of a query.

REFERENCES
[1] Pleaserobme, http://www.pleaserobme.com, 2014.
[2] J. Meyerowitz and R.R. Choudhury, "Hiding Stars with Fireworks: Location Privacy through Camouflage," Proc. MobiCom '09, 2009.
[3] F. Olumofin, P.K. Tysowski, I. Goldberg, and U. Hengartner, "Achieving Efficient Query Privacy for Location Based Services," Proc. 10th Int'l Conf. Privacy Enhancing Technologies, 2010.
[4] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan, "Private Queries in Location Based Services: Anonymizers are Not Necessary," Proc. ACM SIGMOD Int'l Conf. Management of Data, 2008.
[5] R. Anderson and T. Moore, "Information Security Economics and Beyond," Proc. 27th Ann. Int'l Cryptology Conf. Advances in Cryptology, 2007.
[6] R. Shokri, J. Freudiger, M. Jadliwala, and J.-P. Hubaux, "A Distortion-Based Metric for Location Privacy," Proc. Eighth ACM Workshop on Privacy in the Electronic Society (WPES '09), pp. 21-30, 2009.
[7] M. Piorkowski, N. Sarafijanovic-Djukic, and M. Grossglauser, "A Parsimonious Model of Mobile Partitioned Networks with Clustering," Proc. First Int'l Conf. Comm. Systems and Networks, 2009.
[8] R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux, "Quantifying Location Privacy," Proc. IEEE Symp. Security and Privacy, 2011.
[9] J. Krumm, "A Survey of Computational Location Privacy," Personal Ubiquitous Computing, vol. 13, no. 6, pp. 391-399, 2009.
[10] R. Shokri, J. Freudiger, and J.-P. Hubaux, "A Unified Framework for Location Privacy," Proc. Ninth Int'l Symp. Privacy Enhancing Technologies (HotPETs), 2010.
[11] R. Shokri, P. Papadimitratos, G. Theodorakopoulos, and J.-P. Hubaux, "Collaborative Location Privacy," Proc. IEEE Eighth Int'l Conf. Mobile Ad-Hoc and Sensor Systems, Oct. 2011.
[12] R. Shokri, P. Papadimitratos, and J.-P. Hubaux, "MobiCrowd: A Collaborative Location Privacy Preserving LBS Mobile Proxy (Demonstration)," Proc. Eighth ACM Int'l Conf. Mobile Systems, Applications, and Services (MobiSys), 2010.
[13] NIC: Nokia Instant Community, http://conversations.nokia.com/2010/05/25/nokia-instant-community-gets-you-social/.
[14] Wi-Fi Direct, http://www.wi-fi.org/wi-fi_direct.php, 2013.
[15] R.K. Ganti, N. Pham, H. Ahmadi, S. Nangia, and T.F. Abdelzaher, "GreenGPS: A Participatory Sensing Fuel-Efficient Maps Application," Proc. ACM Eighth Int'l Conf. Mobile Systems, Applications, and Services (MobiSys '10), 2010.
[16] Y. Liu, A. Rahmati, Y. Huang, H. Jang, L. Zhong, Y. Zhang, and S. Zhang, "xShare: Supporting Impromptu Sharing of Mobile Phones," Proc. Seventh Int'l Conf. Mobile Systems, Applications, and Services, 2009.
[17] J. Freudiger, R. Shokri, and J.-P. Hubaux, "Evaluating the Privacy Risk of Location-Based Services," Proc. Fifth Int'l Conf. Financial Cryptography and Data Security (FC '11), pp. 31-46, 2012.
[18] M. Srivatsa and M. Hicks, "Deanonymizing Mobility Traces: Using Social Network as a Side-Channel," Proc. ACM Conf. Computer and Comm. Security, pp. 628-637, 2012.
[19] N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux, "How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots," Proc. 13th Privacy Enhancing Technologies Symp. (PETS), 2013.
[20] B. Hoh and M. Gruteser, "Protecting Location Privacy through Path Confusion," Proc. First Int'l Conf. Security and Privacy for Emerging Areas in Comm. Networks, 2005.
[21] P. Golle and K. Partridge, "On the Anonymity of Home/Work Location Pairs," Proc. Seventh Int'l Conf. Pervasive Computing, 2009.
[22] A.R. Beresford and F. Stajano, "Mix Zones: User Privacy in Location-Aware Services," Proc. Second IEEE Ann. Conf. Pervasive Computing and Comm. Workshops (PERCOMW '04), p. 127, 2004.
[23] J. Freudiger, R. Shokri, and J.-P. Hubaux, "On the Optimal Placement of Mix Zones," Proc. Ninth Int'l Symp. Privacy Enhancing Technologies (PETS '09), pp. 216-234, 2009.
[24] C.-Y. Chow, M.F. Mokbel, and X. Liu, "A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-Based Service," Proc. 14th Ann. ACM Int'l Symp. Advances in Geographic Information Systems (GIS '06), 2006.
[25] R. Shokri, C. Troncoso, C. Diaz, J. Freudiger, and J.-P. Hubaux, "Unraveling an Old Cloak: K-Anonymity for Location Privacy," Proc. Ninth Ann. ACM Workshop on Privacy in the Electronic Soc., 2010.
[26] M.E. Andres, N.E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi, "Geo-Indistinguishability: Differential Privacy for Location-Based Systems," Proc. ACM SIGSAC Conf. Computer and Comm. Security, 2013.
[27] R. Chow and P. Golle, "Faking Contextual Data for Fun, Profit, and Privacy," Proc. Eighth ACM Workshop on Privacy in the Electronic Soc. (WPES '09), pp. 105-108, 2009.
[28] R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec, "Protecting Location Privacy: Optimal Strategy against Localization Attacks," Proc. ACM Conf. Computer and Comm. Security, 2012.
[29] F. Santos, M. Humbert, R. Shokri, and J.-P. Hubaux, "Collaborative Location Privacy with Rational Users," Proc. Decision and Game Theory for Security, pp. 163-181, 2011.
[30] R. Shokri, G. Theodorakopoulos, G. Danezis, J.-P. Hubaux, and J.-Y. Le Boudec, "Quantifying Location Privacy: The Case of Sporadic Location Exposure," Proc. 11th Int'l Conf. Privacy Enhancing Technologies, 2011.
[31] T. Jiang, H.J. Wang, and Y.-C. Hu, "Preserving Location Privacy in Wireless LANs," Proc. Fifth Int'l Conf. Mobile Systems, Applications and Services (MobiSys), pp. 246-257, 2007.
[32] 3rd Generation Partnership Project, 3GPP GSM R99, Technical Specification Group Services and System Aspects, 1999.
[33] T.G. Kurtz, Approximation of Population Processes. SIAM, 1981.
[34] W.O. Kermack and A.G. McKendrick, "A Contribution to the Mathematical Theory of Epidemics," Proc. Royal Soc. London A, vol. 115, pp. 700-721, 1927.
[35] G. Theodorakopoulos, J.-Y. Le Boudec, and J.S. Baras, "Selfish Response to Epidemic Propagation," IEEE Trans. Automatic Control, vol. 58, no. 2, pp. 363-376, Feb. 2013.
[36] X. Zhang, G. Neglia, J. Kurose, and D. Towsley, "Performance Modeling of Epidemic Routing," Computer Networks, vol. 51, pp. 2867-2891, July 2007.
[37] J. Krumm, "Inference Attacks on Location Tracks," Proc. Fifth Int'l Conf. Pervasive Computing (Pervasive '07), 2007.
[38] R. Shokri, "Quantifying and Protecting Location Privacy," PhD dissertation, École polytechnique fédérale de Lausanne, 2013.
[39] M. Piorkowski, N. Sarafijanovic-Djukic, and M. Grossglauser, CRAWDAD Data Set epfl/mobility (v. 2009-02-24), 2009.

Reza Shokri received the MSc degree in computer engineering from the University of Tehran, Iran, in 2007, and the PhD degree in communication science from EPFL, Switzerland, in 2013. His research focuses on quantitative privacy.


    George Theodorakopoulos received thediploma degree from the National Technical Uni-versity of Athens, Greece, in 2002, and the MSand PhD degrees from the University of Mary-land, College Park, MD in 2004 and 2007, all inelectrical and computer engineering. Hisresearch interests include privacy, security andtrust in networks.

    Panos Papadimitratos received the PhDdegree from Cornell University, Ithaca, NewYork, in 2005. He is currently an associate pro-fessor in the School of Electrical Engineering atKTH, Stockholm, Sweden, where he leads theNetworked Systems Security group.

Ehsan Kazemi received the BS and MS degrees in communication systems from Sharif University of Technology, Iran. He is currently working toward the PhD degree at LCA4, EPFL. His research is focused on complex networks, data analysis, and privacy.

    Jean-Pierre Hubaux is currently a professor inthe School of Computer and Communication Sci-ences of EPFL and has pioneered researchareas such as the security of mobile ad hoc net-works and of vehicular networks. He is currentlyworking on data protection in mobile communica-tion systems and healthcare systems. He is a fel-low of the IEEE and ACM.
