Enforcing privacy for location based services

Abstract

The ubiquity of mobile devices has led to the deployment of many mobile applications for providing different types of services, like internet access, route recommendation, cab finder, nearby friends, etc. Some of these services are categorized as location-based services (LBS), which require access to users’ personal information including identity, location, and personal preferences to provide highly personalized service. Although such private information may be essential for providing a service, it may be used for unintended or even malicious purpose by someone privy to that information, including the service provider. In fact, instances of malevolent actions of this kind have been reported numerous times in the past. This concern has given rise to the area of privacy-preserving location-based services. Many different techniques have been proposed to ensure the privacy of the user’s personal information. Some of the popular techniques include: Information Obfuscation that meaningfully obfuscates the sensitive information in a service query, Differential Privacy that adds Gaussian noise to the sensitive information ensuring provable guarantee to achieve desired privacy level, and Information Encryption that encrypts the sensitive parameter(s) before sending it to a service provider. An objective of this thesis is to analyze obfuscation based privacy preserving mechanisms.

Further, based on the type of interaction between the user and the service provider, such as one-time or multiple-times, we may characterize LBS as snapshot-LBS or continuous-LBS. The privacy-preserving mechanisms for the two types of services are not the same. Over the last decade, many obfuscation based privacy-preserving techniques for snapshot-LBS have been proposed. They differ in their robustness against additional information available to the malevolent entity (aka. adversary). In general, there is no limit to the external knowledge an adversary can possess. Such information can be a publicly available knowledge like home address, office address, preferred outdoor activities performed by the user, map of a region like restricted area, lake, statistical information associated with the map like user’s density in different areas, and many more. Thus, an important ingredient in obfuscation techniques is a model for the knowledge possessed by an adversary.

There are additional challenges for a continuous-LBS query scenario. Apart from using external context information, an adversary can also breach the privacy by correlating the multiple queries of the same user. The disclosures so happened are named as tracking attacks. In this thesis, our focus is on an analysis of obfuscation based techniques for protecting private information in continuous-LBSs against tracking attacks, while ensuring the utility of the data. In brief, we aim to build frameworks for a continuous-LBS scenario that can quantify privacy, measure user’s privacy level, and therefore, can detect privacy breaches (if any). It should provide assistance to the user in making an informed decision and thus enable building applications that can efficiently preserve privacy to a customizable extent. We observe that most of the privacy-preserving techniques in literature have been designed to enforce a certain privacy notion, but the other important goal of data-utility is either overlooked completely or not considered practically. Driven by this, we explore the usability of obfuscated data for legitimate purposes such as enhancing the quality of the services.

The significant contributions of this thesis are the following:

• It is certain that even the best possible obfuscation mechanism may fall short of user expectation due to an external context information an adversary may possess. Therefore, while a good obfuscation mechanism is essential, it is equally essential to be able to detect an occurrence of a privacy breach, and its extent. Motivated by this argument, in Chapter 4, we proposed a theoretical framework to analyze the location privacy breaches in an obfuscation based mechanism for continuous-LBS. We formally showed that obfuscation alone cannot prevent the location privacy breaches in a continuous setting. However, based on the user’s privacy need, assistance can be provided to make an informed decision.

• We identified disclosures and analyzed the properties of the disclosure for a fixed grid-based obfuscation mechanism. Using this, we aim to derive an additional strategy together with obfuscation that can provide complete location privacy for a continuous-LBS. Location privacy is complete if none of the user locations can be disclosed below a user-defined privacy threshold. In Chapter 5, we showed that by introducing an additional strategy ‘delay in querying at some of the locations’ such an objective can be achieved, with a provable guarantee.

• As the next problem, we tried to achieve query privacy together with location privacy for a moving user. In Chapter 6, we consider an activity trajectory of a moving user that is a sequence of locations annotated with the activities performed at those locations. The user may consider some of the locations and the activities along her disclosed trajectory as sensitive information. We proposed an algorithm to find an anonymized trajectory for a given user’s trajectory that (a) satisfies user-specified privacy constraints i.e. k-anonymity, l-diversity, and m-invariance, and (b) try to have a low compromise in quality of service (QoS). To achieve reasonable QoS, information about the past trajectories of other users (historical data) is used to predict close-by user trajectories. We defined a distance function to measure the closeness of spatio-textual trajectories and proposed an indexing structure to efficiently retrieve nearby trajectories from the historical database.

• The current trend of anonymization to avoid privacy breach makes it difficult to identify any correlation in the data, thus making it harder, if not impossible, to look for actual trajectory-patterns. Having identified this difficulty, we proposed in Chapter 7, the problem of mining important trajectory-patterns over anonymized trajectory data. We developed a theoretical framework to define the relevance of trajectory-patterns in anonymized data. Further, we designed an efficient pattern-growth algorithm to mine trajectory-patterns with high relevance value by ensuring controlled exploration of an ordered search tree. For pattern mining, choosing a minimum-relevance threshold is always challenging. A too low value may give so many patterns whereas too high value may give no pattern. To workaround this, we have developed a top-k variant of the proposed technique that efficiently initializes threshold value and wisely updates it during the execution. We have also used a couple of pruning strategies for the early termination of our top-k approach.