Security and Privacy for Location Based Services

Thibault Candebat, Cameron Ross Dunne and David Gray
School of Computing, Dublin City University, Dublin 9, Ireland
{candebat,cameron,dgray}@computing.dcu.ie
Abstract. In this paper we outline the security requirements for any infrastructure that facilitates secure location based services over the Internet. We describe an architecture that allows the provisioning of location based services, and consider security requirements for guaranteeing privacy to end users.
1. Introduction

1.1 Connected Mobility

There are many services that can be acquired using the Internet. Currently, the vast majority of these services are accessed from static desktop computers. In many cases users can be located anywhere in the world. With this model, the Internet requires no knowledge or concept of location. While static access to the Internet will continue to grow, it is very likely that the number of mobile Internet users will soon outstrip the number of static Internet users (Merrill Lynch 2000). Many users access the Internet from different locations and increasing numbers are using portable devices, such as mobile phones, laptop computers and Personal Digital Assistants (PDAs). With the deployment of 3rd Generation phone networks (3G) [1], it will become increasingly common for devices to maintain their connection to the Internet while they move.

1.2 Positioning Technologies

Another technology that has seen rapid development is the Global Positioning System (GPS) [2]. GPS can now accurately position devices to within 10 meters of their actual location. GPS units are becoming cheaper and more readily available, and will be integrated into many mobile devices. Mobile network operators are also deploying more advanced network infrastructures that allow mobile phones to be located. These typically work by triangulating the mobile phone signals with the three nearest base stations.

1.3 Location Based Services

Connected mobility, together with location awareness, creates enormous opportunities for new location based services. These services offer huge potential for operators to offer services that are useful to customers and which can generate substantial revenues. Examples of location based services include locating people/devices, fleet management or facilitating emergency services.
2. Security Risks

Significant privacy and security concerns are raised by location based services. While mobile users will be happy to let safety related location based services know their location details, they might be reluctant to provide personal information to other third party services. Indeed, potential misuse of location information raises some important issues. Real time location information may fall into the hands of someone with malicious intentions and place users in life threatening situations. In companies, user tracking may be useful in some situations. For example, fleet management is considered one of the main corporate applications of location based services (LBS). However, many employees will express concerns over their employer knowing their location at any given point in time. Privacy will therefore be a determining factor in LBS acceptance [3].
3. The Orient Platform

The few existing location based applications incorporate all the functionality needed to deal with location directly into their code, for example the GUIDE project [4]. Our goal is to separate this functionality from the location based application. This allows developers to focus on writing applications using a common approach to location based services. The technique of factoring out common functionality is widely used in computing (for example the Common Object Request Broker Architecture (CORBA), the World Wide Web and Public Key Infrastructures (PKIs)) and can help to establish new paradigms such as location based services. In order to achieve this goal, we have designed an infrastructure, known as The Orient Platform, that supports all the security requirements of mobile users, wireless network operators, and third party location based services. This infrastructure is built entirely upon open protocols.

3.1 Architecture

There are three main entities involved in any basic location based transaction. These are:

• The User: This entity represents the end user of the infrastructure. Typically, the user owns a mobile device that enables him to connect to a web site through the Internet. We assume that the user is registered with the mobile operator.

• The Location Based Service: The location based service is a third party that interacts with the middleware infrastructure and the user. The location based service is a web service that processes location information and creates suitable web content for the user.

• The Middleware Infrastructure: The Orient Platform is the middleware infrastructure that is responsible for receiving and processing location related requests from the location based service. It obtains user location information from the mobile operator. The middleware infrastructure is trusted by the user.

There are two main architectural approaches that are considered suitable for location based services. These are described below.
[Figure 1.a and Figure 1.b: the direct and proxy architectures described below]
Direct Approach: In this architecture the user communicates directly with the location based service. The location based service then communicates with the middleware infrastructure whenever it needs to obtain location information, or to supply charging details. An overview of this architecture is shown in figure 1.a. This approach is already very popular in similar infrastructures for location based services such as [5,6]. The fact that the location based service only contacts the infrastructure when needed means that this architecture is scalable, and the reliance on any one component is greatly reduced. The main disadvantage of this approach is that it is more difficult for the user to authenticate himself to the location based service. This approach also requires that the user's mobile device is more powerful and that it contains more customized software. This is a significant disadvantage in terms of achieving high levels of usage with current and future mobile phones.

Proxy Approach: The alternative architecture is to locate the middleware infrastructure between the user and the location based service, as shown in figure 1.b. In this scenario all transactions between the user and the location based service go through the infrastructure. The infrastructure is in fact acting as a proxy. A regular HTTP proxy simply passes requests and responses back and forth between the client and the server. However, the infrastructure is acting as an active proxy that monitors and modifies content as it passes through. This form of active proxy has been considered before for improving web browsing [7,8]. Indeed, Escudero and Maguire have already proposed an XML based proxy between the client and the location based service [9]. The main advantage of this approach is that because the middleware infrastructure is located between the user and the location based service it has the ability to monitor and modify all the content passing through it. This architecture also completely shields the user identity from the location based service, because the user is now only required to authenticate himself to the infrastructure. This is extremely important in the context of current and future mobile phones.
The main disadvantage of this approach is the high level of reliance on the middleware infrastructure. The middleware must be capable of handling a very high number of transactions. This is a potential bottleneck, and a significant single point of failure. However, the workload is no greater than the workload of a normal HTTP proxy server. Protecting users' privacy is one of our main concerns. By hiding their identity from third party services, the proxy architecture guarantees the non-disclosure of personal details to untrusted entities. Moreover, it facilitates the design of reliable billing mechanisms and helps to monitor location related queries. Therefore, we believe that the proxy approach is the most suitable architecture to preserve users' privacy.
4. Security Services

The fear of third parties building user profiles constitutes a rising threat to current Internet services. This is especially true in the context of location based services. Users must be able to trust the system not to misuse their location details. Users trust The Orient Platform. However, they may not be prepared to trust location based service providers. Therefore, sensitive data must be kept hidden from these location based services. Users must be authenticated to The Orient Platform for access control and billing purposes. They may have to authenticate themselves to service providers as well. Confidentiality, integrity, non-repudiation, authentication, and authorization involve the deployment of a PKI suitable for the lightweight devices used by mobile clients.

4.1 The PKI
The majority of current PKIs are based on X.509 [10]. While this technology is suitable for many existing applications, the limited processing power, storage, and network connectivity of mobile devices make full-blown X.509 unsuitable for most mobile applications. Traditionally, X.509 PKIs use Certificate Revocation Lists (CRLs) to inform users if a certificate has been revoked. A CRL is a signed document containing the serial numbers of revoked certificates issued by a Certificate Authority (CA). In many circumstances CRLs can be large. Therefore, downloading them and validating their signatures on a small mobile device with constrained bandwidth can be problematic [11]. Many alternatives are discussed in [12,13]. However, we believe that a solution based on our infrastructure design would be more suitable. By using server-aided cryptography [14], we remove the need for revocation lists and enable thin clients to communicate securely with location based services.

4.2 Our Approach

Identity based mediated RSA [15] is a new technique that combines identity based cryptography (the use of some public identifier as the public key) with threshold cryptography [16]. This approach enables a client to perform some cryptographic operations with the aid of an online trusted server. The main benefit of this system is that none of the parties involved can cheat: neither the server nor the client can produce a valid ciphertext or signature without the participation of the other party. Moreover, it supports fine-grained revocation because users only need to notify the online trusted server when they need to have their cryptographic capabilities revoked. Finally, given that the system is identity based, we no longer need to rely on public key certificates. All the burden of certificate retrieval and validation disappears. However, if the need arises, IBE-mRSA can still be used within existing PKIs when individual certificates are needed. This makes the solution quite convenient to deploy.

All these features are particularly suitable for our infrastructure. Since The Orient Platform is trusted, it will incorporate the online trusted server. Users' cryptographic capabilities will be managed through the infrastructure. This will enable our infrastructure to control transactions even though sensitive data will still be kept secret from it.
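The mediated signing flow described above, as an added toy example (not the paper's or the IB-mRSA authors' code): the public exponent is derived from the identity string, the private exponent is split between the user and the online trusted server (called the SEM here), and revocation is the server withholding its half. The primality test, the hash-to-prime mapping of identities and the unpadded textbook RSA are demo simplifications, not the published scheme.

```python
import hashlib, secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test (demo strength)."""
    if n < 4:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def identity_exponent(identity):
    """Identity-based public key: first probable prime at or above H(identity); no certificate needed."""
    e = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") | 1
    while not is_probable_prime(e):
        e += 2
    return e

def hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

class SEM:
    """Online trusted server; in the paper's design it sits inside The Orient Platform."""
    def __init__(self, bits=512):
        p, q = gen_prime(bits), gen_prime(bits)
        self.n, self._phi = p * q, (p - 1) * (q - 1)
        self._shares, self.revoked = {}, set()

    def enroll(self, identity):
        """Split d = d_u + d_sem (mod phi); only d_u leaves the server."""
        d = pow(identity_exponent(identity), -1, self._phi)
        d_u = secrets.randbelow(self._phi - 1) + 1
        self._shares[identity] = (d - d_u) % self._phi
        return d_u

    def partial_sign(self, identity, msg):
        """Fine-grained revocation: the server simply withholds its half."""
        if identity in self.revoked or identity not in self._shares:
            raise PermissionError(f"{identity} is revoked or not enrolled")
        return pow(hash_to_int(msg, self.n), self._shares[identity], self.n)

def user_partial_sign(d_u, n, msg):
    return pow(hash_to_int(msg, n), d_u, n)

def verify(identity, n, msg, sig):
    return pow(sig, identity_exponent(identity), n) == hash_to_int(msg, n)
```

A full signature is the product of the two partial signatures modulo n; a verifier needs only the identity string and the shared modulus.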
5. Location Privacy

In the previous section, we examined cryptographic methods for making private information more secure. In this section, we show how reducing information sensitivity can enhance user privacy. Providing accurate information about one's location has significant security implications. Currently, phone companies have such information: they know where landlines are located and they can determine which cell a mobile phone is using. However, providing such information to arbitrary location based services on the Internet is unlikely to be acceptable. There are many location based services that users would not consider using if they were forced to divulge their exact locations. However, they may consider using these same services if they have control over their location accuracy [17,18].

5.1 What is Location Blurring?

Location blurring is the process of taking a user's location as accurately as the locating technology allows, and then intentionally decreasing the accuracy. The extent of the blurring can be based on many different parameters, for example the user ID, service ID or target ID. It is possible to have a very wide range of different blurring amounts. However, in practice it is likely that a few well-chosen accuracies will be sufficient, for example within 10m, 100m, 200m, 500m, 1km, 5km, 10km, and 100km.
Location blurring is important because it reduces the amount of sensitive information that is provided to the location based services. This in turn increases user confidence and acceptance of location based services. Location blurring is successful because not all location based services require high levels of location accuracy. Consider a location based service that allows a user to locate a petrol station within the vicinity of his/her current location. Since petrol stations tend to occur fairly infrequently, and are normally well distributed, a search engine does not need to know the user's exact location. In this scenario, the user's location can be blurred by 5 kilometers without adversely affecting the usefulness of this location based service.

5.2 Assumptions

In order for location blurring to be effective the user must have a clear understanding of how it works, and how it should be used. This is because there are many real world events that reduce the effectiveness of location blurring. In particular, the user must specify his location blurring relative to his lifestyle. For example, a user might specify that his location accuracy must be reduced to 5km. This appears to be sufficient to keep his exact location private. Using the knowledge that most humans are in their beds at 4:00 in the morning, an attacker may try to locate the user's house. If the user lives in a built up area the attacker will not be successful. However, if the user lives in a rural area then there may not be any other houses within 5km of the user. Therefore, it would be trivial for the attacker to establish the user's house, and his location at that time. It is also important to note that the user can always be located to a certain extent. This is due to the nature of using a location based service: location information is being supplied to a location based service. The easiest method for preventing this is to use infinitely high blurring. However, that defeats the purpose of using a location based service.

5.3 Location Blurring Requirements

Location blurring works by taking accurate location details, and making them less accurate. If the user's location is not blurred enough then sufficient privacy will not be provided. If too much blurring is done then the location based service will not be able to offer a meaningful service to the user. Therefore, it is vital that the location blurring provides exactly the correct amount of blurring, and that it behaves in a consistent and secure manner. Consequently, we have identified the following conditions that the location blurring algorithm should adhere to:

• The location blurring algorithm will generate a region that contains the user, and a timestamp indicating when the user was located within that region. It is very important that this information is always truthful. If the location information is too sensitive the algorithm will either increase the size of the blurred region, or provide details of an older sighting of the user. The algorithm will never lie about the user's location.

• The algorithm will provide the maximum accuracy that is requested by the location based service, and that is allowed by the user. Nothing more, and nothing less!

• The algorithm will supply information such that the user could be located anywhere within the blurred area with equal probability. Otherwise, the location privacy offered to the user would be seriously compromised.
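One way to implement the three requirements above, as an added example (not the paper's own algorithm): positions are assumed to be in planar metres from a local projection, the accuracy steps are the ones listed in section 5.1, and the blurred region is the cell of a grid whose origin is a keyed secret fixed per user, service and level. That fixed origin matters: if the cell origin were re-randomised on every query, a service could intersect successive regions and narrow the user down, so the "equal probability anywhere in the region" property would not survive repeated queries.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass

# Accuracy steps quoted in the paper's example list (metres)
LEVELS_M = (10, 100, 200, 500, 1000, 5000, 10000, 100000)

@dataclass(frozen=True)
class Sighting:
    x_m: float      # planar easting in metres (assumed local projection)
    y_m: float      # planar northing in metres
    timestamp: int  # seconds since epoch when the user was located

@dataclass(frozen=True)
class BlurredRegion:
    x0_m: float
    y0_m: float
    size_m: int
    timestamp: int

    def contains(self, x, y):
        return (self.x0_m <= x < self.x0_m + self.size_m
                and self.y0_m <= y < self.y0_m + self.size_m)

def choose_level(service_requested_m, user_allowed_m):
    """Nothing more, nothing less: the finest step that is coarse enough
    for both the service's request and the user's policy."""
    wanted = max(service_requested_m, user_allowed_m)
    for level in LEVELS_M:
        if level >= wanted:
            return level
    raise ValueError("requested blurring coarser than any supported level")

def grid_offset(secret, user_id, service_id, size_m):
    """Secret grid origin, fixed per (user, service, level). The service cannot
    tell where the user sits inside the cell, and repeated queries from the same
    sighting always return the same cell rather than a fresh one to intersect."""
    tag = f"{user_id}|{service_id}|{size_m}".encode()
    mac = hmac.new(secret, tag, hashlib.sha256).digest()
    return (int.from_bytes(mac[:8], "big") % size_m,
            int.from_bytes(mac[8:16], "big") % size_m)

def blur(history, user_id, service_id, service_requested_m, user_allowed_m,
         min_age_s, now, secret):
    """history: Sightings, oldest first. Releases the newest sighting that is at
    least min_age_s old, snapped to its secret grid cell. Never lies: the region
    always contains the sighting and carries that sighting's timestamp."""
    usable = [s for s in history if now - s.timestamp >= min_age_s]
    if not usable:
        return None  # nothing old enough to release
    s = usable[-1]
    size = choose_level(service_requested_m, user_allowed_m)
    ox, oy = grid_offset(secret, user_id, service_id, size)
    x0 = math.floor((s.x_m - ox) / size) * size + ox
    y0 = math.floor((s.y_m - oy) / size) * size + oy
    return BlurredRegion(x0, y0, size, s.timestamp)
```

The petrol station case from section 5.1 corresponds to a service requesting 1km while the user allows 5km, which yields the 5km cell.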
6. Conclusion

In this paper we introduced the general area of location based services, and described the need for an infrastructure to facilitate offering these services over the Internet. We provided an overview of the infrastructure that we are developing, known as The Orient Platform. We illustrated the system architecture that our infrastructure operates within. We discussed some of the security requirements of our infrastructure. We then introduced and described several of the features that we are employing to guarantee user privacy and security. Most of the research presented in this paper is still a work in progress. We are currently implementing our infrastructure, and improving its functionality. To date our testing has been on a very small group of simulated users who behave in a very simple and consistent manner. In the near future we hope to assess the performance of our infrastructure on a very large group of users who are behaving in a very realistic manner. Finally, from our work to date we believe that successful security mechanisms can be developed that will provide users with confidence to use location based services over the Internet.
7. References

[1] 3rd Generation Partnership Project (3GPP). http://www.3gpp.org/.
[2] Parkinson, B. W., Spilker, J. Global Positioning System: Theory and Practice. Volumes I, II. Washington, DC: American Institute of Aeronautics and Astronautics, Inc., 1996.
[3] Fink, S. The Fine Line Between Location-Based Services & Privacy. Sun Microsystems. http://www.jlocationservices.com/.
[4] Cheverst, K., Davies, N., Mitchell, K., Friday, A. Developing a Context-aware Electronic Tourist Guide: Some Issues and Experiences. Proceedings of CHI'2000.
[5] Leonhardi, A., Rothermel, K. Architecture of a Large-scale Location Service. Technical Report TR-2001-01, University of Stuttgart, 2001.
[6] Myles, G., Friday, A., Davies, N. Preserving Privacy in Environments with Location-Based Applications. IEEE Pervasive Computing, pp. 56-64, January-March 2003.
[7] Brooks, C., Mazer, M. S., Meeks, S., Miller, J. Application-specific Proxy Servers as HTTP Stream Transducers. Proceedings of the 4th International World Wide Web Conference, pp. 539-548, Boston, MA, USA, 1995.
[8] Bharadvaj, H., Joshi, A., Auephanwiriyakul, S. An Active Transcoding Proxy to Support Mobile Web Access. Proceedings of SRDS, West Lafayette, IN, USA, 1998.
[9] Escudero, A., Maguire, G. Q. Role(s) of a proxy in location based services. PIMRC 2002, Lisbon, Portugal, 2002.
[10] ITU-T Recommendation X.509: The Directory Authentication Framework. Technical report X.509, ITU, 1997.
[11] Wohlmacher, P. Digital Certificates: A Survey of Revocation Methods. ACM Multimedia 2000.
[12] Russell, S. Fast Checking of Individual Certificate Revocation on Small Systems. Annual Computer Security Applications Conference, 1999.
[13] Naor, M., Nissim, K. Certificate Revocation and Certificate Update. Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, 1998.
[14] Ding, X., Mazzocchi, D., Tsudik, G. Experimenting with Server-Aided Signatures. Network and Distributed System Security Symposium, 2002.
[15] Ding, X., Tsudik, G. Simple Identity-based Encryption with Mediated RSA. RSA Conference 2003, Cryptographer's Track (CT-RSA'03), San Francisco, 2003.
[16] Gemmell, P. S. An Introduction to Threshold Cryptography. RSA Laboratories CryptoBytes, Volume 2, No. 3, 1997.
[17] Hengartner, U., Steenkiste, P. Protecting Access to People Location Information. First International Conference on Security in Pervasive Computing, Boppard, 2003.
[18] Gruteser, M., Grunwald, D. Anonymous Usage of Location-based Services through Spatial and Temporal Cloaking. International Conference on Mobile Systems, Applications, and Services (MobiSys), 2003.