On Non-Cooperative Location Privacy: A Game-Theoretic Analysis

Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux

David C. Parkes

CCS 2009


Page 2: Pervasive Wireless Networks

• Human sensors
• Vehicular networks
• Mobile social networks
• Personal WiFi bubble

Page 3: Peer-to-Peer Communications

[Figure: nodes 1 and 2, WiFi/Bluetooth enabled, exchange packets of the form Identifier, Message, Signature || Certificate]

Page 4: Location Privacy Problem

Passive adversary monitors identifiers used in peer-to-peer communications

[Figure: trace of node 1. 10h00: Millennium Park; 11h00: Art Institute; 13h00: Lunch]

Page 5: Previous Work

• Pseudonymity is not enough for location privacy [1, 2]

• Removing pseudonyms is not enough either [3]

Spatio-temporal correlation of traces

[Figure: packet formats "Identifier, Message" and "Pseudonym, Message"]

[1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009
[2] B. Hoh et al. Enhancing Security & Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006
[3] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. SECURECOMM, 2005

Page 6: Location Privacy with Mix Zones

Mix zone

• Temporal decorrelation: Change pseudonym

• Spatial decorrelation: Remain silent

Why should a node participate?

[Figure: nodes 1 and 2 in a mix zone, exiting as x and y?]

[1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. Percom, 2004

Page 7: Mix Zone Privacy Gain

$A_i(T) = -\sum_{d=1}^{n(t)} p_{d|b} \log_2(p_{d|b})$

$n(t)$: Number of nodes in mix zone

[Figure: mix zone with nodes 1 and 2 and exits x and y; labels B, D and "t- t=T"]

Page 8: Cost caused by Mix Zones

• Turn off transceiver

• Routing is difficult

• Load authenticated pseudonyms

Page 9: Problem

Tension between cost and benefit of mix zones

When should nodes change pseudonym?

Page 10: Method

• Game theory
– Evaluate strategies
– Predict evolution of security/privacy

• Example
– Cryptography
– Revocation
– Privacy mechanisms

Rational Behavior
Selfish optimization

Security protocols
Multi-party computations

Page 11: Outline

1. User-centric Model

2. Pseudonym Change Game

3. Results

Page 12: Mix Zone Establishment

• In pre-determined regions [1]

• Dynamically [2]
– Distributed protocol

[1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. PercomW, 2004
[2] M. Li et al. Swing and Swap: User-centric approaches towards maximizing location privacy. WPES, 2006

Page 13: User-Centric Location Privacy Model

Privacy = Ai(T) – PrivacyLoss

[Figure: Privacy plotted against t, with times t1 and t2, levels Ai(T1) and Ai(T2), and the level marked Traceable]

Page 14: Pros/Cons of user-centric Model

• Pro
– Control when/where to protect your privacy

• Con
– Misaligned incentives

Page 15: Outline

1. User-centric Model

2. Pseudonym Change Game

3. Results

Page 16: Assumptions

Pseudonym Change game
– Simultaneous decision
– Players want to maximize their payoff
– Consider privacy upper bound Ai(T) = log2(n(t))

Page 17: Game Model

• Players
– Mobile nodes in transmission range
– There is a game iff $n(t) > 1$

• Strategy
– Cooperate (C): Change pseudonym
– Defect (D): Do not change pseudonym

Page 18: Pseudonym Change Game

[Figure: nodes 1, 2 and 3 on a time axis t; strategies C, D, C; silent period at t1]

Page 19: Payoff Function

$u_i$ = privacy - cost

If C & Not alone, then $u_i = A_i(T) - \gamma$

If C & Alone, then $u_i = u_i^- - \gamma$

If D, then $u_i = u_i^-$

Page 20: Sequence of Pseudonym Change Games

[Figure: nodes 1 to 9 in events E1, E2, E3 at times t1, t2, t3; plot of ui against t with levels Ai(T1) - γ and Ai(T2) - γ; labels C3 and γ]

Page 21: Outline

1. User-centric Model

2. Pseudonym Change Game

3. Results

Page 22: C-Game

Complete information

Each player knows the payoff of its opponents

Page 23: 2-Player C-Game

Two pure-strategy Nash Equilibria (NE): (C,C) & (D,D)

One mixed-strategy NE

Page 24: Best Response Correspondence

2 pure-strategy NE

1 mixed-strategy NE

Page 25: n-Player C-Game

• All Defection is always a NE

• A NE with cooperation exists iff there is a group of k users with $\log_2(k) - \gamma > u_i^-$, $\forall i$ in the group of k nodes

Theorem: The static n-player pseudonym change C-game has at least 1 and at most 2 pure strategy Nash equilibria.
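The 2-player and n-player C-game slides can be explored numerically. The Python sketch below is an added example, not code from the slides or the paper: it enumerates pure-strategy Nash equilibria by brute force using the payoffs of the Payoff Function slide and computes the 2-player mixed equilibrium. It assumes Ai(T) takes the upper bound log2 of the number of nodes changing pseudonym together and applies the max(0, ·) floor shown on the backup slide; the function names and sample values are constructed.

```python
import math
from itertools import product

def payoff(i, profile, u_prev, gamma):
    """Payoff of node i; 'C' = change pseudonym, 'D' = keep it."""
    if profile[i] == "D":
        return max(0.0, u_prev[i])           # keep current privacy, pay nothing
    k = profile.count("C")                   # nodes changing together, i included
    if k > 1:
        return math.log2(k) - gamma          # assumed upper bound A_i(T) = log2(k)
    return max(0.0, u_prev[i] - gamma)       # changed alone: cost without gain

def pure_nash_equilibria(u_prev, gamma):
    """Brute-force all 2^n profiles; keep those with no profitable unilateral flip."""
    found = []
    for profile in product("CD", repeat=len(u_prev)):
        stable = True
        for i in range(len(u_prev)):
            flipped = list(profile)
            flipped[i] = "D" if profile[i] == "C" else "C"
            gain = payoff(i, flipped, u_prev, gamma) - payoff(i, profile, u_prev, gamma)
            if gain > 1e-12:
                stable = False
                break
        if stable:
            found.append("".join(profile))
    return found

def mixed_equilibrium_2p(u_prev, gamma):
    """2-player mixed NE as (x0, x1) cooperation probabilities, or None."""
    x = [None, None]
    for me, other in ((0, 1), (1, 0)):
        both = math.log2(2) - gamma                  # payoff of (C, C)
        alone = max(0.0, u_prev[me] - gamma)         # payoff of C against D
        stay = max(0.0, u_prev[me])                  # payoff of D
        if both <= alone:
            return None
        q = (stay - alone) / (both - alone)          # 'other' makes 'me' indifferent
        if not 0.0 < q < 1.0:
            return None
        x[other] = q
    return tuple(x)

if __name__ == "__main__":
    # Constructed sample values: current privacy u_i^- per node and cost gamma.
    print(pure_nash_equilibria([0.2, 0.5], 0.3))       # 2-player game
    print(mixed_equilibrium_2p([0.2, 0.5], 0.3))
    print(pure_nash_equilibria([0.2, 0.2, 5.0], 0.3))  # third node already has high privacy
```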

Page 26: C-Game Results

Result 1: high coordination among nodes at NE

• Change pseudonyms only when necessary

• Otherwise defect

Page 27: I-Game

Incomplete information

Players don’t know the payoff of their opponents

Page 28: Bayesian Game Theory

Define type of player $\theta_i = u_i^-$

Predict action of opponents based on pdf over type, $f(\theta_i)$

Page 29: Environment

• Low privacy
• Middle privacy
• High privacy

Page 30: Threshold Strategy

• A threshold determines players’ action

• Probability of cooperation is

$F(\tilde{\theta}_i) = \Pr(\theta_i \le \tilde{\theta}_i) = \int_0^{\tilde{\theta}_i} f(\theta_i)\, d\theta_i$

[Figure: axis θi with threshold θ̃i separating C and D]

Page 31: 2-Player I-Game Bayesian NE

Find threshold $\tilde{\theta}_i^*$ such that

Average utility of cooperation = Average utility of defection

Page 32

Result 2: Large cost increases cooperation probability.

Page 33

Result 3: Strategies adapt to your environment.

Page 34

Result 4: A large number of nodes n provides incentive not to cooperate

Page 35: Conclusion

Rational behavior in location privacy protocol
– Propose a user-centric model of location privacy
– Introduce Pseudonym Change game
– Derive existence of equilibrium strategies
– Evaluate effect of non-cooperative behavior

Outcome: Protocol for distributed pseudonym changes among rational nodes

Future: Evaluate performance of protocol

Page 36

lca.epfl.ch/privacy

Page 37: BACKUP SLIDES

Page 38: Payoff Function

( ) ( , ) ( , )i i i i i i iu A T t T t T

If , then( ) ( ( ) 0)i C is C n s

:( , , , ) : ( )

i

i i i i i

T tu t T C s A T

If , then( ) ( ( ) 0)i C is C n s

( , , , ) : max(0, )i i i iu t T C s u

If , then( )is D( , , , ) : max(0, )i i i iu t T D s u

where the payoff function at the time immediately prior to tthe strategy of the opponents of iis

(s )C in the number of cooperating nodes besides i

C

D

Page 39: Best Response Correspondence

2 pure-strategy NE

1 mixed-strategy NE

Page 40: Type

• Incomplete information => imperfect information [1]

• Type captures the private information of players

• Assume type is distributed with probability known to all players

• Each player can predict the behavior of its opponents with

i i i iA

)( if

)( if

Bayesian Game Theory

[1] J. Harsanyi. Games with Incomplete Information Played by Bayesian Players. Management Science, 1967

Page 41

Result 3: Strategies adapt to environment.

Page 42: PseudoGame Protocol