Quantifying Location Privacy: The Case of Sporadic Location Exposure

Reza ShokriGeorge TheodorakopoulosGeorge DanezisJean-Pierre HubauxJean-Yves Le Boudec

The 11th Privacy Enhancing Technologies Symposium (PETS), July 2011

2

Actual Trajectory

Mobility

Observation

Distorted Trajectory

Protection

Exposed Trajectory

Application

Attack

Reconstructed Trajectory

Metric

● Assume time and location are discrete…

Location-based Services

• Sporadic vs. Continuous Location Exposure

• Application Model

3

Mobility Model

Actual Location of user ‘u’ at time ‘t’

Is the location exposed?

0/1

4

Protection Mechanisms

1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

Actual Location

● Consider a given user at a given time instant

obfuscate

anonymize

1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

Observed Location

exposed

Application

hide

fake

Protection Mechanism

ui

Actual Trajectory

5

Protection Mechanisms

• Model

● User pseudonyms stay unchanged over time…

user to pseudonym assignment

Observed location of pseudonymous user u’ at time t

6

Adversary

• Background Knowledge

– Stronger: Users’ transition probability between locations• Markov Chain transition probability matrix

– Weaker: Users’ location distribution over space• Stationary distribution of the ‘transition probability matrix’

● Adversary also knows the PDFs associated to the ‘application’ and the ‘protection mechanism’

7

Adversary

• Localization Attack– What is the probability that Alice is at a given location at a

specific time instant? (given the observation and adversary’s background knowledge)

– Bayesian Inference relying on Hidden Markov Model • Forward-Backward algorithm, Maximum weight assignment

● Find the details of the attack in the paper

8

Location Privacy Metric

• Anonymity?– How successfully can the adversary link the user

pseudonyms to their identities?– Metric: The percentage of correct assignments

• Location Privacy?– How correctly can the adversary localize the users?– Metric: Expected Estimation Error (Distortion)

● Justification: R. Shokri, G. Theodorakopoulos, J-Y. Le Boudec, J-P. Hubaux. ‘Quantifying Location Privacy’. IEEE S&P 2011

9

Evaluation

• Location-Privacy Meter– Input: Actual Traces

• Vehicular traces in SF, 20 mobile users moving in 40 regions

– Output: ‘Anonymity’ and ‘Location Privacy’ of users over time

– Modules: Associated PDFs of ‘Location-based Application’ and ‘Location-Privacy Preserving Mechanisms’

● More information here: http://lca.epfl.ch/projects/quantifyingprivacy

10

Evaluation• Location-based Applications

– once-in-a-while APP(o, Θ)

– local search APP(s, Θ)

• Location-Privacy Preserving Mechanisms

– fake-location injection (with rate φ)• (u) Uniform selection• (g) Selection according to the average mobility profile

– location obfuscation (with parameter ρ)• ρ: The number of removed low-order bits from the location identifier

LPPM(φ, ρ, {u,g})

11

Resu

lts -

Anon

ymity

12

Resu

lts –

Loca

tion

Priv

acy

φ: the fake-location injection rate

00.00.0

20.00.0

40.00.0

00.30.0

00.50.0

00.00.3

00.00.5

More Results – Location Privacy

obfuscationfake injectionhiding

uniform selection

14

Conclusions & Future Work• The effectiveness of ‘Location-Privacy Preserving Mechanisms’ cannot be

evaluated independently of the ‘Location-based Application’ used by the users

• Fake-location injection technique is very effective for ‘sporadic location exposure’ applications– Advantage: no loss of quality of service– Drawback: more traffic exchange

• The ‘Location-Privacy Meter’ tool is enhanced in order to model the applications and also new protection mechanisms, notably fake-location injection

• Changing pseudonyms over time: to be added to our probabilistic framework

15

Location-Privacy Meter (LPM):A Tool to Quantify Location Privacy

http://lca.epfl.ch/projects/quantifyingprivacy

16