The SIGSPATIAL Special

Newsletter of the Association for Computing Machinery Special Interest Group on Spatial Information

Volume 1, Number 2, July 2009

The SIGSPATIAL Special

The SIGSPATIAL Special is the newsletter of the Association for Computing Machinery (ACM) Special Interest Group on Spatial Information (SIGSPATIAL). ACM SIGSPATIAL addresses issues related to the acquisition, management, and processing of spatially-related information with a focus on algorithmic, geometric, and visual considerations. The scope includes, but is not limited to, geographic information systems.

Current ACM SIGSPATIAL officers are:
• Chair, Hanan Samet, University of Maryland
• Vice-Chair, Walid G. Aref, Purdue University
• Secretary, Chang-Tien Lu, Virginia Tech
• Treasurer, Markus Schneider, University of Florida
• Newsletter Editor, Egemen Tanin, University of Melbourne

For more details and membership information for ACM SIGSPATIAL as well as for accessing the newsletters please visit http://www.sigspatial.org.

The SIGSPATIAL Special serves the community by publishing short contributions such as SIGSPATIAL conferences’ highlights, calls and announcements for conferences and journals that are of interest to the community, as well as short technical notes on current topics. The newsletter has three issues every year, i.e., March, July, and November. For more detailed information regarding the newsletter or suggestions please contact the editor via email at [email protected].

Notice to contributing authors to The SIGSPATIAL Special: By submitting your article for distribution in this publication, you hereby grant to ACM the following nonexclusive, perpetual, worldwide rights:
• to publish in print on condition of acceptance by the editor,
• to digitize and post your article in the electronic version of this publication,
• to include the article in the ACM Digital Library,
• to allow users to copy and distribute the article for noncommercial, educational or research purposes.

However, as a contributing author, you retain copyright to your article and ACM will make every effort to refer requests for commercial use directly to you.

Notice to the readers: Opinions expressed in articles and letters are those of the author(s) and do not necessarily express the opinions of the ACM, SIGSPATIAL or the newsletter.

The SIGSPATIAL Special (ISSN 1946-7729) Volume 1, Number 2, July 2009.

Table of Contents

Editorial ... 1

Letters on Privacy in Location-based Services

Privacy-Preserving Techniques for Location-based Services by Elisa Bertino ... 2

Privacy in Location-aware Systems by Johann-Christoph Freytag ... 4

Privacy for Real-time Location-based Services by Lars Kulik ... 9

Privacy and Location Anonymization in Location-based Services by Ling Liu ... 15

Privacy in Location-based Services: A System Architecture Perspective by Chi-Yin Chow and Mohamed F. Mokbel ... 23

Foot-Driven Computing: Our First Glimpse of Location Privacy Issues by Frank Stajano ... 28

Announcements

SIGSPATIAL & ACM Membership Information ... 33

Editorial

Dear Colleagues,

In the second issue of The SIGSPATIAL Special, we focus on the topic of privacy in Location-based Services (LBSs). Privacy and security in LBSs have become a popular topic of interest in spatial information research during the last few years. Mobile devices, with ever increasing availability, precision, and connectivity, have introduced the feeling of continuously monitoring and being monitored. Thus, in addition to the benefits of LBSs, users have started to consider the disadvantages. In this issue, we visit some of the related definitions, existing research results, as well as future research directions.

The July issue of the newsletter takes the form of letters. We have asked a few leading researchers in the area to write brief notes on the topic. The authors were kind enough to respond to our request in a very limited amount of time. The letters cover a large range of issues related to privacy in LBSs. These include privacy risks and classifications; privacy principles and definitions; privacy metrics; system architectures and privacy; the user’s context and privacy; continuous query processing and privacy. A common theme repeated by the authors is that there is quite a bit of work that still needs to be done in the area.

We hope that you find the July issue useful in your future research, implementations, teaching, and studies. Again, we invite you to contact us at [email protected] for any suggestions regarding the newsletter.

Egemen Tanin, Editor
Department of Computer Science and Software Engineering
University of Melbourne, Victoria 3010, Australia
Tel: +61 3 8344 1350
Fax: +61 3 9348 1184
Email: [email protected]

Privacy-Preserving Techniques for Location-based Services

Elisa Bertino
CS Department and CERIAS, Purdue University
[email protected]

Recent advances in positioning techniques, small devices, GIS-based services, and ubiquitous connectivity have enabled a large variety of location-based services able to tailor services according to the location of the individual requiring the service. Location information, however, while critical on one side for providing customized services, can on the other hand lead to privacy breaches if misused. By cross-referencing location information about an individual with other information and by exploiting domain knowledge, an attacker may infer sensitive information about the individual, such as healthcare or financial information.

To address such problems, different techniques have been proposed that are based on two main approaches: location cloaking, under which a suitably large region is returned to the service provider instead of the precise user location [1]; and location k-anonymization, under which the location of an individual is returned to the service provider only if it is indistinguishable with respect to the locations of other k-1 individuals [5, 6]. These techniques have, however, a major drawback in that they do not take into account domain knowledge, and are thus prone to location inference attacks [2]. Given a generalized location of an individual, obtained for example through location cloaking, such an attack exploits knowledge about the semantics of spatial entities to infer bounds on the location of the individual that are more precise than the generalized location. Another major drawback is that those approaches do not support personalized privacy preferences. We believe that supporting such preferences is crucial, in that different individuals have different preferences with respect to which locations are considered privacy-sensitive.

A recent system developed by Damiani et al. [2, 3] addresses such shortcomings. The system, referred to as PROBE (Privacy-preserving Obfuscation Environment), is based on a number of key elements. The first element is a classification of spatial entities into two categories: sensitive entities and unreachable entities. An entity is sensitive for an individual if the individual may wish to hide his/her presence in the location represented by the entity; examples of such entities are hospitals. An entity is unreachable if an individual is not able to enter the location represented by the entity; examples of such entities are military bases. The second key element of PROBE is the personal profile: each individual may specify both the types of entity, among a predefined set of spatial entity types, that are sensitive and unreachable for him/her, and privacy preference thresholds. Such preferences are recorded in the individual’s personal profile; different individuals may have different profiles. The third element is a probabilistic privacy model that, based on the personal profile of the individual and on additional spatial semantic knowledge about the reference space, computes the probability that an attacker may be able to obtain a tight bound on the actual location of the individual. Based on such a model and on the privacy preference thresholds specified by the individual, PROBE is able to generate a generalized location such that the probability that an attacker is able to determine the actual individual location is below the threshold. To efficiently generate such a location, PROBE adopts a strategy based on Hilbert space-filling curves [7]. Experimental results [2] show that such an approach is efficient and that the size of obfuscated maps is very small and thus suitable for storage on small devices.

A different approach, based on private information retrieval (PIR) techniques, has recently been proposed by Ghinita et al. [4]. The main innovation of this approach is that it requires neither intermediate parties to generate cloaked regions nor the presence of other individuals to achieve anonymity. The main drawback of this approach is that it may be quite expensive.

Despite initial promising solutions like PROBE and the PIR-based approach by Ghinita et al., more work is needed to address the many challenges of LBS privacy. The whole spectrum of possible attacks still needs to be identified; even though in the context of PROBE an inference attack has been identified and addressed, other attacks based on information such as the user’s speed may be possible. More detailed privacy preference models must be devised based on ontological definitions of spatial entities and relationships. Time is also relevant, in that whether an individual may wish to hide his/her presence in a given location may depend on time.
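The following is an added example, not code from PROBE or from the letter's authors, illustrating the two ideas the letter combines: a personal profile of sensitive and unreachable entity types, and a generalized region that is only released once a map-aware attacker's probability of placing the user inside a sensitive entity is at or below the profile's threshold. It assumes a constructed grid map with equal-area cells, an attacker who treats every cell not ruled out as equally likely, and square regions grown around the user's cell (PROBE itself uses Hilbert-curve based regions and a richer probabilistic model). The semantics-unaware estimate shows why ignoring unreachable entities understates the inference risk.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample map (not from the letter): a 6x6 grid of equal-area cells.
# H = hospital (a sensitive entity type), M = military base (an unreachable
# entity type), . = ordinary space.
SAMPLE_MAP = [
    "......",
    ".HH...",
    ".HH...",
    "...MM.",
    "...MM.",
    "......",
]
ENTITY_TYPES = {"H": "hospital", "M": "military_base", ".": "ordinary"}

Region = Tuple[int, int, int, int]  # (row0, col0, row1, col1), inclusive bounds


@dataclass(frozen=True)
class Profile:
    """Personal privacy profile (hypothetical schema): which entity types the
    user treats as sensitive or unreachable, and the maximum acceptable
    probability that an attacker assigns to the user being in a sensitive entity."""
    sensitive: frozenset
    unreachable: frozenset
    threshold: float


def _count(grid, profile: Profile, region: Region, semantic_aware: bool):
    """Count candidate cells and sensitive cells inside a region. With
    semantic_aware=True, unreachable cells are excluded from the candidates,
    exactly as an attacker who knows the map would exclude them."""
    r0, c0, r1, c1 = region
    candidates = sensitive = 0
    for r in range(r0, r1 + 1):
        for c in range(c0, c1 + 1):
            kind = ENTITY_TYPES[grid[r][c]]
            if semantic_aware and kind in profile.unreachable:
                continue
            candidates += 1
            if kind in profile.sensitive:
                sensitive += 1
    return candidates, sensitive


def sensitive_probability(grid, profile: Profile, region: Region,
                          semantic_aware: bool = True) -> float:
    """Probability that the user is inside a sensitive entity, under the
    simplifying assumption that every candidate cell is equally likely."""
    candidates, sensitive = _count(grid, profile, region, semantic_aware)
    return sensitive / candidates if candidates else 0.0


def generalize(grid, profile: Profile, row: int, col: int) -> Tuple[Optional[Region], float]:
    """Grow a square region around the user's cell until a map-aware attacker's
    probability of placing the user in a sensitive entity is at or below the
    profile threshold. Returns (None, p) if even the whole map cannot satisfy
    the threshold, in which case the location should not be released at all."""
    n_rows, n_cols = len(grid), len(grid[0])
    whole_map = (0, 0, n_rows - 1, n_cols - 1)
    radius = 0
    while True:
        region = (max(0, row - radius), max(0, col - radius),
                  min(n_rows - 1, row + radius), min(n_cols - 1, col + radius))
        p = sensitive_probability(grid, profile, region)
        if p <= profile.threshold:
            return region, p
        if region == whole_map:
            return None, p
        radius += 1


if __name__ == "__main__":
    profile = Profile(frozenset({"hospital"}), frozenset({"military_base"}), 0.25)
    region, p = generalize(SAMPLE_MAP, profile, 1, 1)  # user is inside the hospital
    naive = sensitive_probability(SAMPLE_MAP, profile, region, semantic_aware=False)
    print(f"released region {region}: map-aware attacker p={p:.3f}, "
          f"semantics-unaware estimate p={naive:.3f}")
```

On the sample map a user in the hospital at cell (1, 1) with threshold 0.25 is released as the region (0, 0, 4, 4). A scheme that counts the four military-base cells as possible positions would estimate the risk at 0.16, whereas an attacker who knows those cells are unreachable gets 4/21, about 0.19; with a threshold of 0.18 the semantics-unaware scheme would accept that region while the map-aware check correctly rejects it.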

References

[1] R. Cheng, Y. Zhang, E. Bertino, and S. Prabhakar. Preserving user location privacy in mobile data management infrastructures. In 6th Workshop on Privacy Enhancing Technologies, volume 4258 of LNCS, pages 393–412, 2006.
[2] M.L. Damiani, E. Bertino, and C. Silvestri. PROBE: an obfuscation system for the protection of sensitive location information in LBS. CERIAS Technical Report, 2008.
[3] G. Ghinita, M.L. Damiani, E. Bertino, and C. Silvestri. Interactive location cloaking with the PROBE obfuscator. In International Conference on Mobile Data Management (MDM 2009), Taipei (Taiwan), May 18-20, 2009.
[4] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan. Private queries in location based services: anonymizers are not necessary. In ACM SIGMOD Conference on Management of Data (SIGMOD 2008), Vancouver (Canada), June 10-12, 2008.
[5] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias. Preventing location-based identity inference in anonymous spatial queries. IEEE Transactions on Knowledge and Data Engineering, 19(12):1719–1733, 2007.
[6] M.F. Mokbel, C.-Y. Chow, and W. Aref. The New Casper: query processing for location services without compromising privacy. In 32nd International Conference on Very Large Databases (VLDB 2006), Seoul (Korea), September 12-15, 2006.
[7] H. Samet. Foundations of multidimensional and metric data structures. Morgan Kaufmann Publishers, 2006.

Privacy in Location-aware Systems¹

Johann-Christoph Freytag
Institut für Informatik, Humboldt-Universität zu Berlin
http://www.dbis.informatik.hu-berlin.de

¹ This article is an excerpt from the invited paper “Context Quality and Privacy – Friends or Rivals?” for the QALCON workshop in Stuttgart, Germany, June 25/26, 2009.

Abstract

As our world becomes more and more permeated by sensors and mobile devices - often connected by wireless networks - there is an urgent need to develop appropriate abstractions for application development and deployment. Those abstractions should shield applications from the physical properties of the devices, thereby allowing applications to focus on information processing based on global conceptual views (of the world) in the form of context models. This paper briefly elaborates on the concern for privacy in location-aware systems by providing a few examples that highlight the complexity of such concerns. We show that privacy needs well-founded bases for handling user requirements appropriately. Additionally, we argue that privacy aspects in context-model-based systems should include and embed privacy protection and control mechanisms as an integral part on all system levels, thereby increasing the usability of such systems from a user's point of view.

1. Introduction

The recent development of ubiquitous devices and applications that access, combine, and transform context information from different sources has led to the class of context-aware systems. Baldauf et al. [1] trace the term context-aware systems back to Schilit and Theimer, who describe context as “… location, identities of nearby people, objects, and changes to those objects” [2]. Dey et al. give a more general definition; they define context as “… any information that can be used to characterize the situation of entities (i.e. whether a person, place, or object) that are considered relevant to the interaction between a user and an application, including the user and the application themselves.” [3]. Using context information as an important source for configuring and driving the system behavior has led to the class of context-aware systems. If these context-aware systems are predominantly location oriented we call them location-aware systems.

Since location-based information reflects and describes properties of real-world scenarios and situations, it is important to develop context models that provide a general basis to interpret sensor-based information in a coherent, consistent and meaningful manner. The NEXUS project is one example project whose goal is “… to provide an infrastructure to support spatial-aware applications” [4] by developing “… methods and approaches for designing and implementing global and detailed (location-based) context models for mobile context-aware applications. Context models should include stationary as well as mobile objects of the real world. In addition, these objects should be complemented by virtual objects and services.” (translated into English from [5]).

When people use location-aware systems to support them in their tasks they usually take those systems around with them. Thus, these systems reveal location information about the user, since the location information created by a sensor is identical with the location information about the user of such a system. If, for example, the location of a device (and therefore of the user) is transmitted to another system (be it a mobile or stationary system), this information might be essential to perform a user-requested task such as helping two people to meet or generating a list of nearby restaurants. However, such information might also be used to the disadvantage of that user, either at the time of transmission – for example, to send unwanted advertisement – or at a later point in time – for example, to determine that the user violated the speed limit while driving a car. This paper therefore argues that location-aware systems should also be privacy-aware when personal data is involved.

The next section, Section 2, investigates the terms private information and privacy in general. Section 3 lists general privacy principles that - from our point of view - should guide the development of any location-aware system that uses personal data, to give the user freedom and control over the private data that (s)he shares with other systems. As an example of such a system we briefly introduce the EU-funded project PRECIOSA (PRivacy Enabled Capability In Co-Operative Systems and Safety Applications), i.e., a location-aware system, in Section 4, before Section 5 lists future challenges for privacy- and location-aware systems.

2. Private Data and Privacy

We first introduce and discuss the terms sensitive and private data, and the term privacy, since those are important to understand the technical challenges and threats that today's information technology poses to the individual's right to privacy in various areas and systems, in particular in location-aware systems. For the purpose of personal context-aware systems, personal (or private) data “… means any information about a living individual that includes personal data revealing racial or ethnic origin, criminal record information, political opinions, religious or philosophical beliefs, trade-union memberships, and the processing of data concerning health or sex life”. This definition resembles the definition of personal data as stated in the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Article 2, Subsection a [6].

The right to personal privacy has continuously been challenged and endangered, even before massive advances in IT technology provided the means for “automated” privacy breaches on a large scale. Already in his book Privacy and Freedom, published in 1967, Alan Westin was one of the first to define the concept of privacy in the context of modern communication infrastructures. For him privacy is “the claim (right) of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” [7]. The term privacy itself was coined much earlier in the American legal system by the article of Warren and Brandeis in 1890, when large-scale printing forced a clear standing of the law regarding individuals' rights [8].

3. Privacy Principles

The discussion on privacy-enabling solutions for location-aware systems poses the important and challenging question whether the solutions described are sufficient to satisfy the needs for privacy protection. We argue that there exist several more aspects to information privacy that must be taken into account for a comprehensive solution. More specifically, we are convinced that we need guidelines or principles that describe, in an implementation-independent manner, the different aspects of privacy to be supported and maintained by any system. That is, those guidelines should describe specific functional needs for system designers and system implementers when building systems that deal with personal data. We shall call systems that adhere to those principles privacy-aware systems. We argue that location-aware systems handle personal data and should therefore adhere to those principles.

For the purpose of this paper we use the principles of the paper Hippocratic Databases by Agrawal, Kiernan, Srikant, and Xu [9] as a source for designing those guiding principles for privacy- and location-aware systems. We adapt their principles slightly for the context of privacy- and location-aware systems. The principles clearly articulate, in an implementation-independent manner, what it means for location-aware systems to access and to manage private information under their control responsibly. Furthermore, the principles also express for users what they can (and should) expect from location-aware systems without being technically adept. The principles are as follows: purpose specification (i.e. for which purpose the personal data is used), explicit or implicit user consent (i.e. the user explicitly gives consent to how the data is used, possibly with restrictions), limited collection (i.e. keep storage and communication of data to the minimum necessary), limited use (i.e. any location-aware system shall execute only operations that are consistent with the purposes specified), limited disclosure (personal information will not be communicated outside the system), limited retention (i.e. keep information only as long as necessary), accuracy and context preservation (i.e. keep information accurate, up-to-date, and never decoupled from its context and purpose), security (protect personal information appropriately), openness (i.e. the user is able to access all information that is stored and related to him), and compliance (verification of compliance with the principles by the user). We refer the interested reader to the original paper for more detailed information and discussion [9].

4. Privacy Awareness Implemented in PRECIOSA

The principles presented in the previous section look like a “wish list”; it is not clear per se if and how they are reflected in any system design or system implementation. To demonstrate their feasibility, the author of this paper is involved in a two-year European project called PRECIOSA (PRivacy Enabled Capability In Co-Operative Systems and Safety Applications) [10] whose goal is to design and implement an example prototype system in the area of Intelligent Transportation Systems (ITSs), a specialized kind of location-aware system, that implements the above principles for protecting privacy in ITSs. In the following, we briefly describe the design of one special ITS system under consideration in PRECIOSA, which uses the future ability of cars to access the Internet on a continuous basis. Rather than describing a general approach, the project focuses on a car-based hotel reservation system that allows a driver or person in a car to make a hotel reservation by contacting a hotel reservation system (to make a reservation) and a credit card payment system (to secure the reservation), see Figure 1. The system uses a communication environment that consists of a client system (in the car), a road side unit (RSU) whose routing capabilities guarantee continuous connectivity with the Internet, and two server nodes for the two tasks, respectively.

Figure 1: Basic architecture for example application

Obviously, there is an exchange of private data between the different nodes, all of which might be sources of privacy breaches. To ensure better privacy protection we envisage that each node of our (distributed) system relies on a basic, privacy-aware infrastructure. That is, the overall privacy-aware architecture for this application consists of privacy-aware ITS nodes (also called privacy-aware ITS components) that control the communication and the access to data. Each node executes its (part of the) application using a (standardized) privacy-aware ITS component that adheres to the privacy principles previously introduced.

5. Analysis and Future Challenges

In the following we briefly describe three important challenges that need further discussion: the role of metadata, the timely enforcement of policies, and the concept of system privacy.

Data and Metadata. The principles for ITSs and location-aware systems in general, together with the above example, clearly show that when enforcing privacy, user data must be accompanied by additional data that go beyond determining possible domain values or structural properties. In the context of privacy-aware ITSs that kind of metadata must be extended to guarantee the proper access and dissemination of data within such a system.

Privacy Policy Enforcement. Enforcing privacy requirements in a privacy-aware ITS must be embedded in the overall life cycle of designing and building privacy-aware systems. Therefore, privacy policies must be enforced at different phases of the system development process: during the design and implementation phase, during the deployment phase of the system, and during the execution phase of ITS components.

System Privacy. Since privacy-aware ITSs are distributed systems consisting of several components and an underlying (communication) network, it becomes especially important to understand how such a system is built from basic components. Similar to building correct distributed systems from correct components (independently of the definition of correctness), we must understand and ensure how to build a privacy-aware ITS from individual components whose privacy properties are already known. That is, the composition of a privacy-aware ITS from different components must include a clear process that derives and guarantees a level of privacy for the privacy-aware ITS based on the privacy properties of the individual components. Only such a composition approach will guarantee that the overall system enjoys a verifiable level of privacy.
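As an added illustration of the principles listed in Section 3 and of the execution-phase enforcement and metadata discussed in this section, the code below shows purpose and retention metadata travelling with each location record and being checked on every access. It is example code, not part of PRECIOSA or of the Hippocratic Databases paper; the record schema, the purpose names and the sample rows for the hotel-reservation scenario are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class PrivacyMeta:
    """Metadata that travels with every personal record (hypothetical schema):
    the purposes the data subject consented to and how long the record may be kept."""
    purposes: FrozenSet[str]
    collected_at: datetime
    retention: timedelta

    def expired(self, now: datetime) -> bool:
        return now >= self.collected_at + self.retention


@dataclass(frozen=True)
class LocationRecord:
    subject: str
    lat: float
    lon: float
    meta: PrivacyMeta


class PrivacyAwareStore:
    """A minimal store applying four principles at execution time:
    purpose specification (nothing is stored without a purpose),
    limited use (a query must state a purpose the subject consented to),
    limited retention (expired rows are never served and can be purged),
    openness and compliance (a subject can list what is held, every access is logged)."""

    def __init__(self) -> None:
        self._rows: List[LocationRecord] = []
        self.access_log: List[Tuple[datetime, str, int]] = []

    def insert(self, row: LocationRecord) -> None:
        if not row.meta.purposes:
            raise ValueError("refusing to store data without a stated purpose")
        self._rows.append(row)

    def query(self, purpose: str, now: datetime) -> List[LocationRecord]:
        """Return only rows whose consented purposes include the stated purpose
        and whose retention period has not elapsed; log the access."""
        hits = [r for r in self._rows
                if purpose in r.meta.purposes and not r.meta.expired(now)]
        self.access_log.append((now, purpose, len(hits)))
        return hits

    def purge_expired(self, now: datetime) -> int:
        """Delete rows past their retention period; returns how many were removed."""
        before = len(self._rows)
        self._rows = [r for r in self._rows if not r.meta.expired(now)]
        return before - len(self._rows)

    def subject_access(self, subject: str) -> List[LocationRecord]:
        """Openness: everything currently stored about one data subject."""
        return [r for r in self._rows if r.subject == subject]


SAMPLE_T0 = datetime(2009, 6, 1, 12, 0)  # constructed reference time


def at(minutes: int) -> datetime:
    """Convenience: a point in time `minutes` after the sample reference time."""
    return SAMPLE_T0 + timedelta(minutes=minutes)


def build_sample_store() -> PrivacyAwareStore:
    """Constructed sample data: two position reports from one car. The first
    was consented only for the reservation and may be kept for one hour; the
    second also covers payment and may be kept for 30 days."""
    store = PrivacyAwareStore()
    store.insert(LocationRecord("car-42", 48.78, 9.18, PrivacyMeta(
        frozenset({"hotel_reservation"}), SAMPLE_T0, timedelta(hours=1))))
    store.insert(LocationRecord("car-42", 48.79, 9.19, PrivacyMeta(
        frozenset({"hotel_reservation", "payment"}), SAMPLE_T0, timedelta(days=30))))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(len(store.query("hotel_reservation", at(30))), "rows for the reservation server")
    print(len(store.query("advertising", at(30))), "rows for an unconsented purpose")
    print(store.purge_expired(at(120)), "expired row(s) purged")
    print(store.access_log)
```

Each server node in the Figure 1 architecture would hold its own such store, so the payment server never sees the row that was consented for the reservation only, and a row whose retention has elapsed disappears from every answer even before the next purge runs.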

Acknowledgement I would like to thank all members of the PRECIOSA team for a creative and stimulating project environment. In particular, I am grateful to Frank Kargl (University of Ulm), Antonio Kung (Trialog, Paris), and my assistants Martin Kost and Lukas Dölle for many fruitful discussions, creative ideas, and for being reliable project partners.

References

[1] M. Baldauf and S. Dustdar. A survey on context-aware systems. International Journal of Ad Hoc and Ubiquitous Computing, 263-27, 2004.
[2] B. Schilit and M. Theimer. Disseminating active map information to mobile hosts. IEEE Network, 8:22-32, 1994.
[3] G.D. Abowd, A.K. Dey, P.J. Brown, N. Davies, M. Smith, and P. Steggles. Towards a better understanding of context and context-awareness. In 1st International Symposium on Handheld and Ubiquitous Computing (HUC 1999), Karlsruhe (Germany), pages 304-307, 1999.
[4] F. Hohl, U. Kubach, A. Leonhardi, K. Rothermel, and M. Schwehm. Next century challenges: Nexus - an open global infrastructure for spatial-aware applications. In 5th annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom 1999), Seattle (Washington), pages 249-255, 1999.
[5] K. Rothermel, T. Ertl, D. Fritsch, P.J. Kühn, B. Mitschang, E. Westkämper, C. Becker, D. Dudkowski, A. Gutscher, C. Hauser, L. Jendoubi, D. Nicklas, S. Volz, and M. Wieland. SFB 627 - Umgebungsmodelle für mobile kontextbezogene Systeme. Informatik, Forschung und Entwicklung, 21(1-2):105-113, 2006.
[6] Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data, 1995, http://www.cdt.org/privacy/eudirective/EU_Directive_.html#HD_NM_28, accessed May 17, 2009.
[7] A. Westin. Privacy and freedom. New York: Atheneum, 1967, 487 pages, ISBN 0-37001325-5.
[8] L. Brandeis and S. Warren. The right to privacy. Harvard Law Review, 4(5):193-220, 1890.
[9] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Hippocratic databases. In 28th VLDB Conference, Hongkong (China), pages 143-154, 2002.
[10] EU project PRECIOSA, http://www.preciosa-project.org, 2009, accessed May 17, 2009.

Privacy for Real-time Location-based Services

Lars Kulik
Department of Computer Science and Engineering, University of Melbourne

Introduction

Location-Based Services (LBSs) are developing at an amazing pace. Whereas the first generation of LBSs required manual user input of location information via simple web-based interfaces, current GPS-enabled devices such as smartphones or in-car navigation systems can automatically initiate and negotiate LBSs based on their current position. The latest generation of LBSs combines high position accuracy with real-time position updates, which enables numerous applications including asset tracking, location-based advertising, location-sensitive billing, and street-level routing and positioning. Real-time LBSs continually sense a user’s location to provide and instantaneously update information services based on that location. Examples include a tourist who might query the closest Points Of Interest (POIs), such as the five closest restaurants, while walking in a city center, or a heart patient who might need constant updates about the closest hospital. Queries that require continuous access to a Location-based Service Provider (LSP) are called continuous queries.

Although continuous LBSs hold a tremendous potential and could change how and when we access services, they also incur privacy risks. Due to the high degree of spatial and temporal precision, an LSP who actively tracks an individual could generate a complete user profile and history that reveals which information has been accessed where and when. An individual’s location is sensitive information. For example, an individual might want to restrict others from inferring that she is suffering from a certain illness or that she is talking to a competing company about a new job. There are concerns [21] that a failure to address location privacy might significantly inhibit the growth and acceptance of future LBSs. Undesirable consequences include [13, 16, 22]: location-based spam, i.e., swamping individuals with unsolicited marketing information depending on their locations, and compromising personal safety and intrusive inferences, e.g., stalking or inferring personal information such as an individual’s health. As a result, location privacy has become an urgent research issue.

Main Issues

Most research addressing location privacy has focused on snapshot queries. In a snapshot query, a user sends a single service request to an LSP, for example asking for the closest Japanese restaurant, and the LSP returns the answer, i.e., the closest restaurant, possibly including driving directions. The service request is completed once the LSP returns the answer. In contrast, for a continuous query, a user sends a single request that requires continuous updates from the LSP. These updates could comprise a constantly updated list of closest POIs, recomputed driving directions, or real-time information about the traffic flow along a user’s route.

Concerns about privacy will be multiplied in the near future, as there are new real-time LBSs on the horizon that collect significant amounts of real-time information about individuals, including even those individuals who are not actively requesting any LBS. One key application area is systems that deliver real-time information about traffic conditions. These real-time services will not only provide real-time information about traffic flow but also rely on sensor-enabled cars to provide up-to-date information about road conditions, for example, to warn about oil spills or icy patches. In order to support accurate information, these systems have to continuously monitor the movements of a large number of individuals. The success of real-time LBSs will critically depend on the quality and type of the monitored data. A traffic monitoring system, for example, can only accurately estimate the current traffic flow if it has received a sufficient number of updates. Current systems aim to collect data with a high degree of spatial and temporal precision from as many road users as possible. Although such an approach appears to be an obvious choice, it is neither efficient nor highly scalable. The number of monitored drivers in a city is typically very large; it is multiplied by frequent time-stamped location updates for each driver, and in turn leads to vast amounts of data. More importantly, such an approach will severely impact the privacy of every road user.

In summary, real-time tracking of items and in particular of individuals will present one of the greatest challenges for the next generation of LBSs. On the one hand, they have an enormous potential due to their ability to deliver instantaneous services that require real-time observations, for example informing drivers in real time about traffic hazards such as traffic jams. On the other hand, they will greatly increase surveillance and tracking of individuals, and consequently significantly increase privacy concerns.

Approaches and Background

There are two recent surveys about location privacy. The first survey [7] gives a general introduction to location privacy, including regulatory strategies, privacy policies, anonymity-based approaches and obfuscation-based techniques; the second survey [19] focuses on computational approaches to location privacy, including computational threats. Two main geometric strategies have been proposed for privacy protection: k-anonymity and obfuscation. K-anonymity techniques (e.g., [12, 20]) make a user’s location indistinguishable from the locations of k − 1 other individuals. Obfuscation-based approaches [5] deliberately degrade the quality of information about an individual’s location, based on the assumption that the more imperfect the knowledge about an individual’s location, the greater the individual’s privacy.

Most research on location privacy has focused on snapshot location-based queries (e.g., [9, 14, 17, 20, 25]). Techniques based on k-anonymity or obfuscation were developed with snapshot queries in mind, which are evaluated only once. Although these techniques could be used for continuous LBSs, they cannot ensure privacy for continuous LBSs, because each request is treated as an independent event. Even if a user only reveals an imprecise part of his trajectory, for example as a rectangle, to the LSP for a continuous query, the disclosed regions have to overlap for consecutive queries. These overlaps enable an LSP to derive more precise locations of a user. Furthermore, if an LSP collects the query regions from the same user at different times and knows the user’s maximum velocity, then it is possible for continuous and even for static queries to refine a user’s approximated location from the overlap of the query regions and the maximum movement bound [2]. None of the current techniques has sufficiently addressed the threats of overlapping consecutive query regions or of the maximum movement bound. The first thorough experimental study of the effectiveness of approaches aiming to protect location data was presented in [18]. This work uses inference attacks on location tracks to disclose individuals’ home locations and applies a reverse lookup to reveal their identities.

Most approaches to protecting location privacy did not explicitly tailor their techniques to decentralized architectures. There are well-known disadvantages of centralized architectures, including a single point of failure, bottlenecks due to communication overheads between mobile agents and the LSP, and security threats since all information is stored in a single place. Access to location information always requires some level of trust, whether in the infrastructure provider, e.g., the mobile phone operator or the Internet service provider, or in a location anonymizer, which anonymizes requests before they are passed on to an LSP. As a result, a number of decentralized approaches have been proposed ([3, 11, 14]). In [14], the user who requires a location service, the query initiator [11], is distinguished from the user who actually requests this service, i.e., the query requestor. To anonymize a user’s location, they suggest the use of wireless personal area networks (WPANs) to randomly select a query requestor within the WPAN. A decentralized architecture also requires some level of trust, but it is distributed among all peers. The peers might wish to encrypt location data before transmitting it to other parties [10, 23].

Future and Open Research Problems

This section gives a survey of open questions and possible future research problems.

Aggregation. Systems collecting data for real-time LBSs typically do not take into account that most services do not require detailed data about individuals but often only need aggregated data. To compute the current traffic flow it is not necessary to track the position and velocity of each individual driver with a high degree of temporal resolution. For many traffic monitoring applications, it suffices to simply record the number and (average) velocity of cars at dedicated observation points such as intersections, highway tunnels, or ramps. Although aggregated data can be used to report the average speed, its potential is considerably larger. One work in this area [24] uses a spatial data structure called Distributed Euler Histogram (DEH) to determine the total number of entries into a query region, which would allow traffic authorities to redirect traffic once all parking spaces in a shopping area are already taken. The full potential of aggregated data structures is yet to be explored, but one likely future direction is to identify the types of queries that can be answered based on aggregation-based data collection and data structures.

Negative data surveys. A second important aggregation technique that is largely unexplored for privacy protection in LBSs is negative data surveys [8, 15]. These surveys aim to avoid the disclosure of sensitive or private data. In a positive survey, individuals reveal to which category they belong. In a negative survey, individuals indicate to which category they do not belong. The larger the number of categories, the more difficult it becomes for an adversary to infer to which category an individual belongs. Both aggregation techniques, histograms and negative surveys, are highly scalable and have a tremendous potential to protect an individual’s privacy.

Continuous attacks. There is little research on how to safeguard privacy for continuous queries, and there is currently no systematic approach to protecting other mobile individuals whose movements are monitored for the provision of real-time LBSs. As explained above, the current snapshot-based approaches to protecting users who access continuous LBSs would be ineffective in practice. A key question is how to overcome the attack on the user’s trajectory, which is possible from consecutive position updates while accessing a continuous LBS.

Quantification of location privacy. It is important to assess the efficacy of an approach that aims to protect location privacy. Without a measure, it is difficult to even compare two different approaches. Despite its importance, there is no universally accepted standard to measure or quantify location privacy. Most approaches have their own way of measuring location privacy. Examples include entropy [1], the number of locations in the obfuscation set [6], or, for a given location, the number of people indistinguishable from an individual issuing an LBS query [12] (cf. [19] for a more detailed discussion).

Importance of location privacy. There is no general consensus on how much people value location privacy. Some studies suggest that people do not value their location privacy highly [4, 19]. One possible explanation could be that people are not aware of the consequences of revealing their spatio-temporal profile with a high degree of precision. It is conceivable that for real-time tracking applications people’s opinion regarding location privacy might change. However, there is no systematic study that thoroughly investigates people’s opinions about the importance of location privacy.

Importance of decentralized architectures. Researchers have just begun to investigate decentralized architectures safeguarding location privacy. Forming cliques for individuals accessing continuous LBSs is more difficult than for snapshot queries. This might lead to more tailored approaches, for example one approach for road users and one for visitors of a shopping mall. Road users can achieve relatively high speeds but are more likely to be grouped together for longer periods of time (e.g., at traffic lights or on arterial roads), whereas pedestrians are relatively slow but their movement directions vary considerably more. A further crucial question is the number of hostile peers that are required until a decentralized system becomes compromised.

There are a number of further important research issues for continuous LBSs, which we omit due to space constraints. However, research into location privacy is a relatively young field, and many of the research issues outlined above are likely to be addressed in the near future.
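The negative data survey described under "Negative data surveys" above, as an added example (not code from the newsletter or from [8, 15]): each mobile reports one road segment it is not on, and the collector reconstructs the aggregate histogram from those negative reports alone. The segment names and counts are constructed.

```python
"""Negative data survey for collecting an aggregate location histogram.
Added example, not code from the newsletter or from [8, 15]. Each participant
reports one category (here a road segment) it is NOT in, chosen uniformly from
the other c - 1 categories; the collector reconstructs the positive counts
from these reports. All categories and counts below are constructed."""
import random
from typing import Dict, List, Sequence, Tuple


def negative_report(true_category: str, categories: Sequence[str],
                    rng: random.Random) -> str:
    """What one participant sends: a category it does not belong to."""
    others = [c for c in categories if c != true_category]
    return rng.choice(others)


def estimate_counts(reports: Sequence[str],
                    categories: Sequence[str]) -> Dict[str, int]:
    """Unbiased reconstruction of the positive histogram.

    With n reports and c categories, a participant in category i names each
    j != i with probability 1/(c-1), so E[n_j] = (n - t_j) / (c - 1) and
    therefore t_j = n - (c - 1) * E[n_j]. The estimates always sum to n."""
    n, c = len(reports), len(categories)
    negatives = {cat: 0 for cat in categories}
    for r in reports:
        negatives[r] += 1
    return {cat: n - (c - 1) * negatives[cat] for cat in categories}


def consistent_with(report: str, categories: Sequence[str]) -> List[str]:
    """What an observer learns about one participant from a single report:
    only that the other c - 1 categories remain possible."""
    return [c for c in categories if c != report]


def simulate(truth: Dict[str, int], seed: int = 7) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Run a survey over a constructed population and return
    (true counts, estimated counts)."""
    rng = random.Random(seed)
    categories = list(truth)
    reports = [negative_report(cat, categories, rng)
               for cat, count in truth.items() for _ in range(count)]
    rng.shuffle(reports)  # the collector sees reports in arbitrary order
    return truth, estimate_counts(reports, categories)


# Constructed ground truth: number of cars currently on each of four segments.
TRUE_COUNTS = {"Elm-N": 4000, "Oak-W": 3000, "Pine-S": 2000, "Main-E": 1000}

if __name__ == "__main__":
    truth, est = simulate(TRUE_COUNTS)
    for cat in truth:
        print(f"{cat:7s} true={truth[cat]:5d} estimated={est[cat]:5d}")
```

The per-category error of the estimator grows with the number of categories (the factor c - 1), which is the price paid for the stronger per-participant uncertainty the text mentions.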

References

[1] A. Beresford and F. Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing Magazine, 2(1):46–55, 2003.
[2] R. Cheng, Y. Zhang, E. Bertino, and S. Prabhakar. Preserving user location privacy in mobile data management infrastructures. In Privacy Enhancing Technologies 2006, pages 393–412, 2006.
[3] C.-Y. Chow, M. F. Mokbel, and X. Liu. A peer-to-peer spatial cloaking algorithm for anonymous location-based services. In ACM-GIS 2006, pages 171–178, 2006.
[4] D. Cvrcek, M. Kumpost, V. Matyas, and G. Danezis. A study on the value of location privacy. In WPES ’06: Proceedings of the 5th ACM Workshop on Privacy in Electronic Society, pages 109–118, 2006.
[5] M. Duckham and L. Kulik. A formal model of obfuscation and negotiation for location privacy. In PERVASIVE 2005, 3rd Int. Conf., pages 152–170, 2005.
[6] M. Duckham and L. Kulik. Simulation of obfuscation and negotiation for location privacy. In Spatial Information Theory, Int. Conf., COSIT 2005, pages 31–48. Springer, 2005.
[7] M. Duckham and L. Kulik. Location privacy and location-aware computing. In J. Drummond, R. Billen, E. João, and D. Forrest, editors, Dynamic & Mobile GIS: Investigating Change in Space and Time, pages 35–51. CRC Press, Boca Raton, FL, 2006.
[8] F. Esponda. Everything that’s not important. IEEE Computational Intelligence, 3(2):60–63, 2008.
[9] B. Gedik and L. Liu. Protecting location privacy with personalized k-anonymity: Architecture and algorithms. IEEE Transactions on Mobile Computing, 7(1):1–18, 2008.
[10] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan. Private queries in location based services: anonymizers are not necessary. In SIGMOD 2008, pages 121–132, 2008.
[11] G. Ghinita, P. Kalnis, and S. Skiadopoulos. PRIVE: Anonymous location-based queries in distributed mobile systems. In 16th Int. World Wide Web Conf., pages 371–389, 2007.
[12] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In MobiSys 2003, pages 31–42, 2003.
[13] M. Gruteser and D. Grunwald. A methodological assessment of location privacy risks in wireless hotspot networks. In First Int. Conf. on Security in Pervasive Computing, pages 10–24, 2004.
[14] T. Hashem and L. Kulik. Safeguarding location privacy in wireless ad-hoc networks. In UbiComp 2007, 9th Int. Conf., pages 372–390, 2007.
[15] J. Horey, M. M. Groat, S. Forrest, and F. Esponda. Anonymous data collection in sensor networks. In MobiQuitous 2007, pages 1–8, 2007.
[16] E. Kaasinen. User needs for location-aware mobile services. Personal and Ubiquitous Computing, 7(1):70–79, 2003.
[17] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias. Preventing location-based identity inference in anonymous spatial queries. IEEE TKDE, 19(12):1719–1733, 2007.
[18] J. Krumm. Inference attacks on location tracks. In PERVASIVE 2007, 5th Int. Conf., pages 127–143, 2007.
[19] J. Krumm. A survey of computational location privacy. Personal and Ubiquitous Computing, 2009.
[20] M. F. Mokbel, C.-Y. Chow, and W. G. Aref. The new Casper: query processing for location services without compromising privacy. In VLDB 2006, pages 763–774, 2006.
[21] R. R. Muntz, T. Barclay, J. Dozier, C. Faloutsos, A. MacEachren, J. L. Martin, C. Pancake, and M. Satyanarayanan. IT Roadmap to a Geospatial Future. The National Academies Press, 2003.
[22] B. Schilit, J. Hong, and M. Gruteser. Wireless location privacy protection. IEEE Computer, 36(12):135–137, 2003.
[23] A. Solanas and A. Martinez-Balleste. Privacy protection in location-based services through a public-key privacy homomorphism. In EuroPKI 2007, pages 362–368, 2007.
[24] H. Xie, E. Tanin, and L. Kulik. Distributed histograms for processing aggregate data from moving objects. In 8th Int. Conf. on Mobile Data Management (MDM 2007), pages 152–157. IEEE, 2007.
[25] M. L. Yiu, C. S. Jensen, X. Huang, and H. Lu. SpaceTwist: Managing the trade-offs among location privacy, query performance, and query accuracy in mobile services. In ICDE 2008, pages 366–375, 2008.


Privacy and Location Anonymization in Location-based Services

Ling Liu
Distributed Data Intensive Systems Lab (DiSL), School of Computing Science, College of Computing, Georgia Institute of Technology

Abstract

This article presents an overview of privacy problems and solutions to date in location based services, with the emphasis on understanding location privacy issues, alternative models, and architectures. It concludes with an outlook on location privacy research and its impact on the mobile Internet, pervasive computing, and geo-spatial data management.

Privacy Risks in Location Based Services

With the rapid advances in positioning technologies such as GPS, GSM, RFID, and WiFi (802.11) and the wide deployment of wireless local area networks (WLAN), many devices today are equipped with wireless communication capabilities and location-awareness. These new technologies have enabled a new class of applications, known as Location-Based Services (LBSs). Public disclosure of location information, on one hand, enables many useful location based information services, new business opportunities, and a wide array of new quality-of-life enhancing services. On the other hand, the ability to locate users and mobile objects accurately also opens the door to new threats: intrusion of location privacy [1,5,6].

In the real world, the location of a mobile user, and especially the location trace (time series of locations) of a mobile, is considered private information, even when such location information contains no individually identifiable values. This is because the association of private location information with any identifiable entity can lead to unauthorized disclosure of information about the entity. Inference and computation over a sequence of location updates may lead to exposure of individual or organizational privacy, even when identity information is removed from all LBSs. For instance, successive position updates can be linked together even if identifiers are removed from location updates. A known location-identity relationship, such as a location known to be owned by a particular person, can link a location update to an identity. External observation, if available, can be used to link a location update to an identity.

Location privacy can be broadly defined as the ability to prevent unauthorized parties from learning one's current or past location. From the privacy policy perspective, location privacy refers to the claim (right) of individuals, groups, and institutions to determine for themselves when, how and to what extent location information about them can be communicated to others. From the software system perspective, location privacy refers to the capability of a mobile node or a trusted location server to conceal the relation between the location information of a mobile and its personal (or organizational) identifiable information from third parties. In LBSs, there are conceivably two types of location privacy: (i) personal and individual level privacy and (ii) corporate organization level privacy. The former amounts to saying that individually identifiable information should not be exposed after performing any LBS. This is because the location trace of an individual (sequence of locations), when linked to external knowledge on personal identity (such as a public voter database, a real estate database, or social network sites), can uniquely identify an individual [16,21]. The latter intends to protect knowledge about a collection of entities, such as trade secrets and corporate plans, from unauthorized location-based inferences.

Location privacy threats refer to the risks that an adversary can obtain unauthorized access to raw location data, or to derived or computed location information, by locating a transmitting device, hijacking the location transmission channel, or identifying the subject (person) using the device. For example, a service provider can track the whereabouts of a mobile user and discover her personal habits, as inferences can be drawn from visits to clinics, doctors’ offices, entertainment districts, or political events. In addition to revealing users’ medical conditions, alternative lifestyles, or unpopular political views, public disclosure of location information can also be used to spam users with unwanted advertisements, or lead to physical harm, such as in stalking or domestic abuse scenarios [16].

Privacy Driven Classification of Location Based Services

Location based services can be categorized into three types based on their location privacy requirements [16]. The first type of LBSs refers to those location-based services that can operate completely anonymously, such as “when I pass a gas station, alert me with the unit price of the gas”. Neither user identity nor pseudonym is required for service provisioning. We call this type of LBSs anonymous location services. Many spatial alert and spatial reminder applications and location-dependent query services belong to the category of anonymous location services [4]. Location obfuscation techniques, which transform the exact location of a mobile at a given time to a cloaked spatial area with a cloaked temporal period, are typically used to guard the release of the user’s precise location information, such that the one-to-one association between a publicly identifiable entity and its private location information is removed upon the release of the location information of the entity. One common technique is location cloaking through reducing the temporal and spatial resolution of location information [3,7,8,11,18].

The second type of LBSs refers to location based services that cannot work without the user's identity, such as “when I am inside the office building, let my colleagues find out where I am”, “turn on the projector when I enter this conference room”, or “when I am outside my office, inform my friends on Facebook who are within a vicinity of 10 miles about my presence”. For those LBSs that require a user’s true identity, strong security mechanisms have to be enforced, such as location authentication and authorization, in conjunction with his or her location privacy policy. We call this type of LBSs identity-driven location services. Encryption based techniques are typically used for protecting both the user’s identity and the user’s private location information. Another interesting development is the use of Private Information Retrieval (PIR) techniques, which allow a user to issue a service request to a service provider without the service provider learning the content of the request [9,15].

Between these two extremes are those location based services that cannot be accessed anonymously but do not require the user's actual identity [1,2], such as “when I walk past a computer screen, let me teleport my desktop to it” or “when I enter a Starbucks coffee store, enable my WiFi connection”. Here, the application must know whose desktop to teleport or whose WiFi connection to turn on, but it could perform both services using an internal pseudonym rather than the user's actual identity. We call this third type of LBSs pseudonym driven location services. There are three important issues regarding location protection through pseudonymity of user identities. First, such pseudonyms should be different for different services. Second, pseudonyms should change frequently to prevent applications from tracking them. More importantly, such pseudonyms should be generated in such a manner that linking the old and the new pseudonym is very hard. The mix-zone approach [2], in conjunction with the user’s location privacy policy, is typically used to meet the privacy requirements of pseudonym driven location services.

Due to space constraints, we focus below on location privacy research in the context of anonymous location services, including the state of the art, the important research issues, and some future directions.

Privacy via Location Anonymization: Important Tradeoffs

I argue that there are two important tradeoffs in privacy enforcement for location based services: the tradeoff between privacy and quality of service (QoS) and the tradeoff between privacy and personalization.

Location Privacy vs. Location Service Quality. It is widely recognized that the quality of an LBS depends on the accuracy of the location of mobile users. However, the more accurately private location information is disclosed, the higher the risk that location privacy is invaded. There is an inherent tradeoff between the quality of service that LBSs can offer and the location privacy they afford to risk [7, 8]. A strong location privacy solution should present a better tradeoff between the level of location privacy protection and the level of quality of service preserved. Different types of service provision usually require different spatial and temporal resolutions of location information for a mobile. An important question is how much privacy protection is necessary. Perfect privacy is clearly impossible as long as communication takes place. Moreover, users may have varying privacy needs in different contexts. Therefore, it is important to develop customizable privacy protection mechanisms that can help users find a comfortable balance between the extreme of fully disclosed location data and the extreme of completely withheld location data. This includes the qualitative and quantitative analysis of the inherent tradeoff between the quality of service provided by an LBS and the desired level of privacy provided to the mobile user, and of the level of obfuscation required before sending the location information of a mobile user to the LBS.

Location Privacy vs. Personalization. In parallel to quality of service, we argue that privacy is also a highly personalized metric, for two reasons. First, different users may require different levels of privacy. Second, the level of privacy needed by a single user often changes from time to time and from service to service. In general, a user's willingness to share location data may depend on a range of factors, including different contextual information about the user (e.g., environmental context, task context, social context, etc.), the type of service that the user acquires (e.g., highly personal, highly corporate secrecy), and the location (and the time) where (and when) the services are requested.


Location Anonymization with Privacy Metrics

Location anonymization refers to a location information transformation process that perturbs the exact location of a mobile to a cloaked location box that meets the given location privacy metrics. There are three important metrics for measuring the level of location privacy guarantee one could provide: (i) location k-anonymity, (ii) location l-diversity, and (iii) road segment s-diversity. Each of these metrics represents an orthogonal perspective on the location privacy of mobiles in LBSs. All of them address the question of how a data holder can release a version of its private data with scientific guarantees that the individuals who are the subjects of the data cannot be re-identified while the data remain practically useful [7,8].

Location k-anonymity. Anonymity can be seen as “a state of being not identifiable within a set of subjects, the anonymity set” [1]. The concept of k-anonymity was originally introduced in the context of relational data privacy research [16,20]. Location k-anonymity refers to k-anonymous usage of location information. A subject is considered k-anonymous with respect to its location information if and only if the location information sent from a mobile user (the subject) to an LBS is indistinguishable from the location information of at least k-1 other subjects (e.g., k-1 different mobiles) [11]. A larger k indicates higher uncertainty in linking a location to a particular user. Similarly, in pseudonymous applications, a location value is associated with a fake user identity, called a pseudonym. When the user is observed to stay at a certain place for a long time, her identity can be easily revealed even though she is using a pseudonym. Several studies [1,2,3,7,8,11,13] have shown that location privacy can be protected through a trusted middleware that renames pseudonyms frequently, so that a user’s identity cannot be traced. Moreover, this renaming can be done on the fly whenever there are at least k users in the same zone during the same time period [2].

Location l-diversity. Location l-diversity is introduced in [3] as an extension of l-diversity in relational databases [17]. A location is l-diversified if there are at least l (> 1) different geographical (or postal) addresses associated with this location upon release. A location area that satisfies location k-anonymity but fails to observe location l-diversity may endanger the location privacy of a mobile: if all k users are associated with only one geographical address (such as an AIDS treatment center or a church), an adversary can infer with certainty that all k users are linked to that address.

Road Segment s-diversity. Road segment s-diversity was first introduced in [22]. A location is s-diversified if there are at least s (> 1) different road segments associated with this location upon release. Mobiles typically travel on road networks or walk paths. Thus, the location privacy of a mobile also depends on road segment s-diversity. This is because a location area that satisfies location k-anonymity but fails to observe road segment s-diversity may jeopardize the location privacy of a mobile. Concretely, when the cloaked area contains only one road segment, an adversary can infer with certainty that all k users are linked to that one road segment. This is particularly risky where some sensitive locations, such as an AIDS treatment center or a specific church, are associated uniquely with a particular road segment: then the release of the private location information in terms of the road segment will endanger the location privacy of the k mobile users, even though the cloaked location area meets the location k-anonymity metric.

Two fundamental questions are raised frequently with location anonymization, be it location k-anonymity, location l-diversity or road segment s-diversity: (i) how large should the value of k (or l, s) be? and (ii) should we use different k (or l, s) values for different users or even different service requests of the same user (context sensitivity)? Larger k, l, s in location anonymization usually imply higher guarantees for location privacy. Therefore, to ensure that a subject is k-anonymous, l-diversified or s-diversified, one can transform the exact location to a cloaked location box by reducing its spatial or temporal resolution. By reducing the spatial resolution, a spatial area that contains k-1 other users’ messages and l-diverse addresses or s-diverse segments will be released as the spatial location of the subject. By reducing the temporal resolution, the message will be delayed to some extent to include k-1 other users’ messages. The main challenge is to find a better trade-off between location resolution reduction and quality of service loss, in terms of both the lower resolution and the extra delay introduced through spatio-temporal cloaking of location information.
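The spatial-resolution reduction described above, as an added example (not code from the newsletter, nor from CliqueCloak [7,8] or PrivacyGrid [3]): a cloaking box of whole grid cells is grown around the subject until it holds at least k users, l distinct addresses and s distinct road segments, and the subject's maximum spatial resolution bounds how far it may grow. Coordinates are metres on a constructed 100 m grid, and the mobiles, addresses and segments are constructed.

```python
"""Grid-aligned spatial cloaking enforcing location k-anonymity, location
l-diversity and road segment s-diversity under a maximum spatial resolution.
Added example, not the newsletter's code nor that of CliqueCloak [7,8] or
PrivacyGrid [3]. The population below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Mobile:
    uid: str
    x: float
    y: float
    address: str   # geographical (postal) address the position maps to
    segment: str   # road segment the position lies on


@dataclass(frozen=True)
class CloakBox:
    x_min: float
    y_min: float
    x_max: float
    y_max: float

    def contains(self, m: Mobile) -> bool:
        return self.x_min <= m.x < self.x_max and self.y_min <= m.y < self.y_max


def achieved(box: CloakBox, mobiles: List[Mobile]) -> Tuple[int, int, int]:
    """(k, l, s) actually provided by a box: users inside it, distinct
    addresses and distinct road segments among those users."""
    inside = [m for m in mobiles if box.contains(m)]
    return (len(inside),
            len({m.address for m in inside}),
            len({m.segment for m in inside}))


def cloak(subject: Mobile, others: List[Mobile], k: int, l: int, s: int,
          cell: float, max_cells: int) -> Optional[CloakBox]:
    """Grow a box of whole grid cells around the subject one ring at a time
    until it holds at least k users, l addresses and s road segments.

    max_cells is the subject's maximum spatial resolution (widest box, in
    cells per side, it accepts). If the metrics cannot be met within it the
    function returns None: the request must then be delayed (temporal
    cloaking) or refused rather than released with weaker privacy. Because
    the box is aligned to the grid it does not reveal where inside it the
    subject is; a production cloaker would also vary the growth direction so
    the subject's cell is not always the central one."""
    ci, cj = int(subject.x // cell), int(subject.y // cell)
    i0 = i1 = ci
    j0 = j1 = cj
    while (i1 - i0 + 1) <= max_cells:
        box = CloakBox(i0 * cell, j0 * cell, (i1 + 1) * cell, (j1 + 1) * cell)
        got_k, got_l, got_s = achieved(box, [subject] + others)
        if got_k >= k and got_l >= l and got_s >= s:
            return box
        i0, i1, j0, j1 = i0 - 1, i1 + 1, j0 - 1, j1 + 1
    return None


# Constructed population on 100 m cells. The subject shares its address and
# road segment with u1 and u2, so l- and s-diversity must come from the rest.
SUBJECT = Mobile("subject", 250.0, 250.0, "12 Elm St", "Elm-N")
OTHERS = [
    Mobile("u1", 230.0, 270.0, "12 Elm St", "Elm-N"),
    Mobile("u2", 310.0, 240.0, "12 Elm St", "Elm-N"),
    Mobile("u3", 170.0, 330.0, "40 Oak Ave", "Oak-W"),
    Mobile("u4", 120.0, 120.0, "7 Pine Rd", "Pine-S"),
    Mobile("u5", 450.0, 260.0, "99 Main St", "Main-E"),
    Mobile("u6", 260.0, 480.0, "3 Birch Ln", "Birch-N"),
]

if __name__ == "__main__":
    box = cloak(SUBJECT, OTHERS, k=3, l=2, s=2, cell=100.0, max_cells=5)
    print(box, achieved(box, [SUBJECT] + OTHERS))
    # With only same-address neighbours, k-anonymity is reachable but
    # l-/s-diversity is not within the resolution limit: the request is withheld.
    same = [m for m in OTHERS if m.address == SUBJECT.address]
    print(cloak(SUBJECT, same, 3, 1, 1, 100.0, 5), cloak(SUBJECT, same, 3, 2, 2, 100.0, 5))
```

The second run is the failure mode the text warns about: a box that satisfies k = 3 but whose users all map to one address is never released, because the cloaker treats l and s as hard requirements rather than falling back to k-anonymity alone.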

Location Anonymization Models and Architectures

The state-of-the-art research in location privacy can be classified into two alternative models: the collaborative anonymization model and the non-collaborative anonymization model [16]. The collaborative anonymization model assumes certain trust establishment between mobiles and a third-party location anonymization server, or among a subset of mobiles. It can be implemented using either a centralized server with a trusted third party [1,3,7,8,11,13] or a decentralized peer-to-peer architecture [10]. The collaborative anonymization model is capable of supporting both location k-anonymity and location l-diversity or road segment s-diversity. It is interesting to note that the collaborative anonymization model was first proposed under uniform k for location k-anonymity [11]. The CliqueCloak anonymization method [7,8] is the first one introducing both personalized location k-anonymity, with variable k at the per-message level, and the tradeoff between privacy guarantee and quality of service through maximum spatio-temporal resolution constraints. The privacy and quality of service tradeoff as well as location privacy personalization have been embraced as the “gold standard” for location anonymization by many [7,11,13] since the CliqueCloak model [7]. The non-collaborative anonymization model is developed primarily under a client-centric architecture [23], under the assumption that mobiles do not trust anyone but themselves. Under the client-centric architecture, the location information of other mobiles is unavailable. Thus, location k-anonymity is not supported in the same manner as in the collaborative anonymization model. Instead, geometric transformation of the current location of a mobile is favored. SpaceTwist [23] is a representative approach that applies geometric transformation methods [16] from data privacy to the location privacy problem.

Challenges in Location Privacy Research

The first challenge in location privacy research is the increasing need for understanding various location privacy vulnerabilities through the development of privacy threat models and the corresponding defense methods. For example, it is important to distinguish public location data from private location data. The former refers to publicly known location objects accessible or visible from roads or walk paths, and postal addresses available in yellow-page and white-page directories, MapQuest, and Google Earth. The latter refers to private location data, including location updates of a mobile client and movement patterns or trajectory data of mobile clients. Today, location privacy research has been developing independent privacy protection methods for each of the three types of LBSs: (i) LBSs that require true identity (security policy, cryptographic encryption techniques), (ii) LBSs that require only pseudonyms (privacy policy, pseudonym maintenance protocols, mix-zone based location anonymization), and (iii) LBSs that require neither identity nor pseudonyms (privacy policy, customizable location anonymization).

The second challenge is to develop a unifying framework for supporting privacy in all types of LBSs in order to enable wide deployment of location privacy protection solutions and techniques. We have discussed the use of location k-anonymity to guarantee that for each location release there are at least k-1 other users’ messages with the same location information, which guarantees that the adversary can only associate location information with k participants instead of with a particular individual/group/institution through location inference attacks. We also introduced location l-diversity (and segment s-diversity) to ensure that, for each released location, in addition to location k-anonymity (k different users sharing the same location), there are at least l different geo-addresses (or s different road segments) associated with each of the k users. However, we have not studied the necessary constraint on the relationship between consecutive location cloaking boxes or between versions of released location datasets, which I consider to be an important research challenge. Other related open issues include how to best define k, l, and s to address the various privacy concerns of mobiles in present and future LBSs.

Acknowledgement

This research is partially supported by grants from the NSF CyberTrust program, grants from the Intel research council, an IBM faculty award, and an IBM SUR grant.


Privacy in Location-based Services: A System Architecture Perspective Chi-Yin Chow

Mohamed F. Mokbel

Department of Computer Science and Engineering University of Minnesota {cchow, mokbel}@cs.umn.edu

Introduction Location-based services (LBS, for short) are information and entertainment services that are conveniently accessible by mobile users through GPS-enabled portable devices and mobile networks (e.g., 2G/3G cellular telephone and Wi-Fi networks). Examples of LBS include resource finding (e.g., where is my nearest gas station), route finding (e.g., what is the shortest route from my current location to a shopping mall), social networking (e.g., where are my friends), and location-based gaming (e.g., GPS online games). LBS rely mainly on an implicit assumption that mobile users are willing to reveal their private locations. With untrustworthy LBS providers, the revealed private location information could be abused by adversaries. For example, an adversary may infer a user’s medical record by knowing that she regularly visits a specialized clinic. Several real-life incidents have already occurred in which personal GPS locations were abused, e.g., see [8, 27, 28]. Unfortunately, the traditional approach of pseudonymity, i.e., using a fake identity, cannot overcome such a privacy threat in LBS, because personal locations can themselves serve as identities. For example, asking about the nearest pizza restaurant to a personal house using a fake identity will immediately reveal the customer’s identity as a resident of the house. Recently, there has been huge interest in enabling privacy-preserving LBS in which users can enjoy high quality location-based services without compromising their privacy. In general, two main issues need to be considered: (a) anonymizing personal locations, and (b) obtaining high quality services on top of the anonymized locations. In this article, we briefly discuss these two main research issues with respect to five different system architectures for privacy-preserving LBS. Then, we discuss future research directions.

Client-Server Architecture This is a centralized architecture where mobile users directly communicate with the LBS provider. Existing work in this architecture can be classified into three main categories. (1) False dummies [22]. For every location update, a user sends n different locations to the server, only one of which is true while the rest are dummies. Thus, the server cannot know which of the reported locations is the actual one. The query processor finds an answer set that includes the answer for each location. After the user gets the answer set, she computes the exact answer. (2) False locations [17, 31]. The main idea is that users send false location(s) to the server. This approach can be as simple as sending the location of a nearby landmark or a significant object close to the user location, in which case the database gives the query answer with respect to the chosen landmark [17]. A much better, i.e., more accurate, approach is SpaceTwist [31], where a user sends a nearest-neighbor query along with a false location to a database server, and the database server keeps sending the user the objects nearest to the false location. The user caches the received objects and terminates the request once the answer derived from the cached objects satisfies the user’s privacy and accuracy requirements. (3) Space transformation [10, 21]. This approach converts the original location information of data and queries into another space through a third party. The space transformation maintains the spatial relationship among the data and query, in order to provide approximate query answers [21] or exact query answers [10] obtained through private information retrieval.

Trusted Third Party Architecture The main idea of this architecture is to employ a trusted third party, termed location anonymizer, to be placed between mobile users and the LBS provider. The location anonymizer is responsible for blurring user locations into cloaked areas that satisfy user’s personalized privacy requirements [1, 2, 7, 9, 13, 19, 23, 29, 30]. In this case, the user privacy requirements are mostly presented in terms of the K-anonymity model [25, 26], i.e., a cloaked area A contains at least K users making each user indistinguishable among at least K users. Other location anonymization techniques employ this architecture approach for avoiding location tracking for continuous location updates [14, 16] or continuous queries [2, 29, 30]. With the location anonymizer, the trusted third party architecture supports three new query types for privacy-preserving LBS [23], namely, private queries over public data (e.g., a person (private query) asks about nearest gas station (public data)), public queries over private data (e.g., an administrator (public query) asks about the number of mobile users (private data) within a certain area), and private queries over private data (e.g., a person (private query) asks about her nearest buddy (private data)). Since the query processor embedded inside the database server does not know the actual location information of the query and/or data, it can return only an answer set that includes the exact answer to the user regardless of the actual user’s location within the cloaked area. The existing privacy-aware query processing frameworks can deal with rectangular cloaked areas [6, 18, 23, 24] or circular cloaked areas [19] as the query and/or data location information.
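As an added illustration of the cloaked-area pipeline described here (and of the location k-anonymity and l-diversity requirements defined in the preceding article), the following example code is not from either article: a hypothetical location anonymizer builds a rectangle holding at least K users, l distinct geo-addresses and a minimum area, the server answers a nearest-neighbor query over the rectangle with a candidate answer set, and the client refines it to the exact answer. The user positions, addresses and points of interest are constructed, and the nearest-peers grouping heuristic is a simplification assumed for the example, not one of the cited algorithms.

```python
import math

# Constructed sample data (not from either article). User positions and their
# geo-addresses are known only to the location anonymizer; the gas stations are
# public data held by the LBS server.
USERS = {
    "u1": (2.0, 3.0), "u2": (2.5, 3.5), "u3": (1.5, 2.0),
    "u4": (8.0, 8.0), "u5": (3.0, 2.5), "u6": (9.0, 1.0),
}
ADDRESSES = {"u1": "A", "u2": "A", "u3": "B", "u4": "C", "u5": "D", "u6": "E"}
GAS_STATIONS = {
    "g1": (0.0, 0.0), "g2": (4.0, 4.0), "g3": (2.0, 6.0),
    "g4": (9.0, 9.0), "g5": (2.6, 3.1),
}


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def users_in_rect(rect, users):
    x1, y1, x2, y2 = rect
    return [u for u, (x, y) in users.items() if x1 <= x <= x2 and y1 <= y <= y2]


def cloak(user_id, users, addresses, k, l, min_area):
    """Location anonymizer step (hypothetical nearest-peers heuristic): grow a
    group around the user until it holds at least k users and l distinct
    geo-addresses, take its bounding box, then enlarge the box symmetrically
    until its area reaches min_area."""
    me = users[user_id]
    by_distance = sorted(users, key=lambda u: (dist(me, users[u]), u))  # user first
    group = []
    for u in by_distance:
        group.append(u)
        if len(group) >= k and len({addresses[g] for g in group}) >= l:
            break
    else:
        raise ValueError("population too small for the requested k/l")
    xs = [users[g][0] for g in group]
    ys = [users[g][1] for g in group]
    x1, x2, y1, y2 = min(xs), max(xs), min(ys), max(ys)
    w, h = x2 - x1, y2 - y1
    if w * h < min_area:
        # grow every side by d so that (w + 2d)(h + 2d) = min_area, i.e. the
        # positive root of 4d^2 + 2(w + h)d + (wh - min_area) = 0
        b, c = 2 * (w + h), w * h - min_area
        d = (-b + math.sqrt(b * b - 16 * c)) / 8
        x1, x2, y1, y2 = x1 - d, x2 + d, y1 - d, y2 + d
    return (x1, y1, x2, y2)


def min_dist_to_rect(p, rect):
    x1, y1, x2, y2 = rect
    return math.hypot(max(x1 - p[0], 0.0, p[0] - x2), max(y1 - p[1], 0.0, p[1] - y2))


def max_dist_to_rect(p, rect):
    x1, y1, x2, y2 = rect
    return math.hypot(max(abs(p[0] - x1), abs(p[0] - x2)),
                      max(abs(p[1] - y1), abs(p[1] - y2)))


def server_answer_set(rect, objects):
    """Privacy-aware NN processing on the LBS server. It sees only the cloaked
    rectangle, so it returns every object that can be the nearest neighbor of
    some point inside it: any object whose minimum distance to the rectangle
    does not exceed the smallest maximum distance over all objects."""
    bound = min(max_dist_to_rect(p, rect) for p in objects.values())
    return {o for o, p in objects.items() if min_dist_to_rect(p, rect) <= bound + 1e-9}


def client_exact_answer(true_loc, answer_set, objects):
    """Client-side refinement: the user picks the true NN out of the answer set."""
    return min(answer_set, key=lambda o: dist(true_loc, objects[o]))


def private_nn_query(user_id, users, addresses, objects, k, l, min_area):
    rect = cloak(user_id, users, addresses, k, l, min_area)
    cands = server_answer_set(rect, objects)
    return rect, cands, client_exact_answer(users[user_id], cands, objects)


def privacy_holds(rect, users, addresses, k, l, min_area):
    """Check a released rectangle against the k-anonymity, l-diversity and
    minimum-area requirements."""
    inside = users_in_rect(rect, users)
    x1, y1, x2, y2 = rect
    return (len(inside) >= k and len({addresses[u] for u in inside}) >= l
            and (x2 - x1) * (y2 - y1) >= min_area - 1e-9)


def all_answers_exact(users, addresses, objects, k, l, min_area):
    """Every user's privately obtained answer must equal the true nearest
    neighbor computed with full knowledge of her location."""
    for u in users:
        rect, cands, ans = private_nn_query(u, users, addresses, objects, k, l, min_area)
        truth = min(objects, key=lambda o: dist(users[u], objects[o]))
        if ans != truth or not privacy_holds(rect, users, addresses, k, l, min_area):
            return False
    return True


if __name__ == "__main__":
    rect, cands, ans = private_nn_query("u1", USERS, ADDRESSES, GAS_STATIONS, 3, 3, 4.0)
    print("cloaked area:", rect)
    print("server answer set:", sorted(cands))
    print("exact answer computed by the client:", ans)
```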

Distributed Architecture In this model, mobile users communicate with each other through a fixed communication infrastructure, e.g., base stations [11, 12]. The basic idea of the location anonymization techniques in this architecture is that users collaborate with other peers to maintain a distributed data structure where the stored location information is used by the users to blur their location information into K-anonymous cloaked areas. Then, the query processing could be similar to the one used in the trusted third party architecture where the user sends to the server its query along with a cloaked area that includes the user location.

Mobile Peer-to-Peer Architecture In mobile peer-to-peer networks, there is no fixed communication infrastructure or centralized/distributed servers. Instead, mobile users directly communicate with their peers through multi-hop routing to blur their locations into cloaked areas that satisfy their personalized K-anonymity and/or minimum area privacy requirements [5]. Similar to the distributed model, the proposed peer-to-peer location anonymization technique uses the privacy-preserving query processing framework designed for the trusted third party architecture. After a user finds a cloaked area as her location, she randomly selects a peer within the cloaked area as an agent. The user sends the query along with the cloaked area to the agent, and then the agent communicates with the database server on behalf of the user. When the agent gets an answer set from the database server, the agent forwards the answer set to the user. Finally, the user computes the exact answer from the answer set.

Wireless Sensor Networks Research in wireless sensor networks includes two main directions: (a) Dividing the system space into hierarchical levels based on physical units, e.g., sub-rooms, rooms, and floors [15]. If a unit contains at least K users, the algorithm cloaks the subject count by rounding the value to the nearest multiple of K. Otherwise, the algorithm cloaks the location of the physical unit by selecting a suitable space containing at least K users at a higher level. Then, the query processing is similar to the one used in the trusted third party architecture. (b) Providing an in-network location anonymization algorithm that is suitable for both indoor and outdoor environments regardless of the system’s physical structure [3]. The main idea is to let sensor nodes provide aggregate information about the monitored mobile objects. Then, the database server employs a spatio-temporal histogram that estimates the actual object distribution in the system based on the anonymized location information [3, 4]. The database server uses the estimated object distribution to answer range queries that are used to provide aggregate location monitoring services in wireless sensor networks.

Future Directions Although many research efforts have been focused on privacy-preserving LBS, there still exist many open research issues and challenges in this area, including: Users’ perspective. Existing privacy-preserving LBS frameworks are designed from the technology’s perspective. There is still a need to study the location privacy issue from the user’s perspective. For example, how can a casual user define privacy requirements? Is it possible to define privacy levels as low, medium, and strict, and then let users choose among them? How can a user achieve a trade-off between the privacy requirements and the quality of services? How can the user evaluate the privacy risk she incurs from using a certain LBS? Privacy measures and adversary attacks. There is a need to define formal privacy measures and adversary attacks on anonymized location information in different environment settings, e.g., the Euclidean space, road networks, and wireless sensor networks, and for different privacy-aware query types, e.g., static and continuous queries. Such measures and attacks can be used to evaluate the degree of privacy protection of existing and forthcoming location anonymization techniques in terms of the trade-off between privacy and system performance. Privacy-aware location-based query types. Existing privacy-preserving LBS frameworks support only private range and nearest-neighbor queries over public or private data. One of the future directions is to extend existing frameworks to support other kinds of location-based queries, e.g., reverse nearest-neighbor queries [20] and aggregate nearest-neighbor queries [32], where the query processor does not know the actual location information about the query and/or data. Road network environments. Existing location privacy techniques mainly consider the Euclidean space where users can move freely. In reality, most object movement is constrained by the underlying road network. Applying existing location privacy techniques directly to the road network environment is not practical, as adversaries would have more information about the possible user locations, derived from the knowledge of the underlying road network. Thus, it is important to design new specialized location anonymization and privacy-preserving query processing techniques for road network environments.

References
[1] B. Bamba, L. Liu, P. Pesti, and T. Wang. Supporting anonymous location queries in mobile environments with privacygrid. In WWW, 2008.
[2] C.-Y. Chow and M. F. Mokbel. Enabling private continuous queries for revealed user locations. In SSTD, 2007.
[3] C.-Y. Chow, M. F. Mokbel, and T. He. Tinycasper: A privacy-preserving aggregate location monitoring system in wireless sensor networks (Demonstration). In SIGMOD, 2008.
[4] C.-Y. Chow, M. F. Mokbel, and T. He. Aggregate location monitoring for wireless sensor networks: A histogram-based approach. In MDM, 2009.
[5] C.-Y. Chow, M. F. Mokbel, and X. Liu. A peer-to-peer spatial cloaking algorithm for anonymous location-based services. In ACM GIS, 2006.
[6] C.-Y. Chow, M. F. Mokbel, J. Nap, and S. Nath. Evaluation of range nearest-neighbor queries with quality guarantee. In SSTD, 2009.
[7] M. Duckham and L. Kulik. A formal model of obfuscation and negotiation for location privacy. In PERVASIVE, 2005.
[8] Fox News. Man accused of stalking ex-girlfriend with GPS, http://www.foxnews.com/story/0,2933,131487,00.html. September 4, 2004.
[9] B. Gedik and L. Liu. Protecting location privacy with personalized k-anonymity: Architecture and algorithms. TMC, 7(1):1–18, 2008.
[10] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan. Private queries in location based services: Anonymizers are not necessary. In SIGMOD, 2008.
[11] G. Ghinita, P. Kalnis, and S. Skiadopoulos. Privé: Anonymous location-based queries in distributed mobile systems. In WWW, 2007.
[12] G. Ghinita, P. Kalnis, and S. Skiadopoulos. MobiHide: A mobile peer-to-peer system for anonymous location-based queries. In SSTD, 2007.
[13] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In MOBISYS, 2003.
[14] M. Gruteser and X. Liu. Protecting privacy in continuous location-tracking applications. IEEE Security and Privacy, 2(2):28–34, 2004.


[15] M. Gruteser, G. Schelle, A. Jain, R. Han, and D. Grunwald. Privacy-aware location sensor networks. In HOTOS, 2003.
[16] B. Hoh, M. Gruteser, R. Herring, J. Ban, D. Work, J.-C. Herrera, A. M. Bayen, M. Annavaram, and Q. Jacobson. Virtual trip lines for distributed privacy-preserving traffic monitoring. In MOBISYS, 2008.
[17] J. I. Hong and J. A. Landay. An architecture for privacy-sensitive ubiquitous computing. In MOBISYS, 2004.
[18] H. Hu and D. L. Lee. Range nearest-neighbor query. TKDE, 18(1):78–91, 2006.
[19] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias. Preventing location-based identity inference in anonymous spatial queries. TKDE, 19(12):1719–1733, 2007.
[20] J. M. Kang, M. F. Mokbel, S. Shekhar, T. Xia, and D. Zhang. Continuous evaluation of monochromatic and bichromatic reverse nearest neighbors. In ICDE, 2007.
[21] A. Khoshgozaran and C. Shahabi. Blind evaluation of nearest neighbor queries using space transformation to preserve location privacy. In SSTD, 2007.
[22] H. Kido, Y. Yanagisawa, and T. Satoh. An anonymous communication technique using dummies for location-based services. In ICPS, 2005.
[23] M. F. Mokbel, C.-Y. Chow, and W. G. Aref. The New Casper: Query processing for location services without compromising privacy. In VLDB, 2006.
[24] M. F. Mokbel, C.-Y. Chow, and W. G. Aref. The New Casper: A privacy-aware location-based database server (Demonstration). In ICDE, 2007.
[25] P. Samarati. Protecting respondents’ identities in microdata release. TKDE, 13(6), 2001.
[26] L. Sweeney. k-anonymity: A model for protecting privacy. IJUFKS, 10(5):557–570, 2002.
[27] USA Today. Authorities: GPS system used to stalk woman, http://www.usatoday.com/tech/news/2002-12-30-gps-stalker_x.htm. December 30, 2002.
[28] J. Voelcker. Stalked by satellite: An alarming rise in GPS-enabled harassment. IEEE Spectrum, 47(7):15–16, 2006.
[29] T. Xu and Y. Cai. Location anonymity in continuous location-based services. In ACM GIS, 2007.
[30] T. Xu and Y. Cai. Exploring historical location data for anonymity preservation in location-based services. In INFOCOM, 2008.
[31] M. L. Yiu, C. Jensen, X. Huang, and H. Lu. Spacetwist: Managing the trade-offs among location privacy, query performance, and query accuracy in mobile services. In ICDE, 2008.
[32] M. L. Yiu, N. Mamoulis, and D. Papadias. Aggregate nearest neighbor queries in road networks. TKDE, 17(6), 2005.


Foot-Driven Computing: Our First Glimpse of Location Privacy Issues

Frank Stajano
University of Cambridge Computer Laboratory

Ubiquitous computing has been a fashionable research theme for the past twenty years, so much so that many research groups have felt the urge to give it a different name (pervasive computing, calm computing, ambient intelligence etc etc) in order to claim that they were doing something new or at least slightly different from everyone else. One of these many alternate names has been “context-aware computing”, to suggest systems and devices that would sense the “context” of a situation and behave accordingly: for example, a mobile phone might sense that its owner is “in a meeting” and automatically switch from ringtone to vibration mode. I have been professionally involved in ubiquitous computing research since 1992 [14, Chapter 2], when I joined the ORL (Olivetti Research Ltd) laboratory in Cambridge, UK, and I have long been somewhat sceptical of the vague semantics generally attributed to the term “context” in the above usage. When we cut out the fog of more or less useful abstractions introduced by the middleware layer, we find that in a majority of practical cases “context” essentially boils down to location; therefore, “Location-driven computing” or “Location-based services” are names I find more descriptive and concrete. At ORL we also jokingly used to say “foot-driven computing”, not referring to any hypothetical pedals but to the practice of influencing the behaviour of computer systems just by walking around as opposed to doing so by typing at a keyboard. One of the ORL inventions that had the greatest impact on the worldwide research scene was the Active Badge [16], the first indoor location system: there is an image of an Active Badge in Weiser’s [19] classic Scientific American article.
A small infrared-emitting name tag worn by personnel, the Active Badge told the system the position of its wearer and enabled mobility features such as rerouting of phone and video calls, “teleporting” (moving one’s desktop to the nearest workstation, without disrupting the running applications) and, last but not least, simply allowing researchers to find their colleagues within the three floors of our building. The Active Badge (1989), adopted and deployed by such pioneering research institutions as Xerox PARC (which soon hired the badge’s inventor Roy Want) and MIT Media Lab, not to mention our own University of Cambridge Computer Laboratory, gave us a glimpse of the possibilities opened by the foot-driven-computing paradigm. More importantly from a research perspective, it also raised plenty of questions, particularly on privacy, to which our daily interaction with the system allowed us to respond with experience-driven practical answers, such as enforcing reciprocity (“you are allowed to see my location only if I am allowed to see yours, and I get notified that you are monitoring me whenever you do”). Social conventions naturally developed around the use of the badge, including the nuance between leaving it on one’s desk face down (which turned it off and meant “I have left or I don’t want to be tracked”) and leaving it on the desk face up (which to the system looked indistinguishable from when the wearer actually was in the office, and meant “I don’t want to be tracked but I don’t want the system to be aware of that”). With only slight technological adjustments, similar location privacy issues now directly affect hundreds of millions of users worldwide. All the press and television reporters who visited our laboratory throughout the Nineties and were quick to throw up their hands in horror at the privacy invasion that the Active Badge represented are now carrying a mobile phone in their pocket, which allows their location to be tracked not just within one building but across the city, the country and the globe. The merit of the Active Badge was to grant us a window of a few years in which to think seriously about those issues before they became truly pervasive and universal. Did we make good use of that head start? We certainly did—witness Jackson’s [9] early work on user-definable access control for Active Badge sightings and Beresford and Stajano’s [3] work (actually conducted on the Active Bat [17], the higher-resolution successor of the Badge) that introduced the mix zone concept and a quantitative criterion for measuring location privacy. A mix zone is an area in which no spatial monitoring takes place. (We don’t just want to disallow spatial monitoring completely or we’d have to give up all benefits of location-based services. But designating specific zones as non-monitorable is an acceptable compromise.)
Each tag is known to the system through a pseudonym and, whenever a tag enters a mix zone, it changes to a different pseudonym. If the mix zone was originally empty, then changing to a new pseudonym offers no protection because a hostile observer can clearly deduce that the new pseudonym coming out of the mix zone belongs to the lone tag that had previously entered it. If, however, the mix zone was not empty, then, when a tag comes out of the mix zone with a new pseudonym, the hostile observer doesn’t know for sure which of the tags that previously entered it has now changed into this new pseudonym. The mix zone technique thus offers unlinkability between the observable segments of the location trace of the tag. A quantitative measure of the amount of location privacy thus gained is obtained by computing the entropy of the population of the mix zone. The logarithm of the size of the population would be a simpler first-order estimate, but we use the entropy to take into account also what the observer knows about the movements of the tags that have entered the zone. Elsewhere, Gruteser and Grunwald [8] introduced the techniques of spatial and temporal cloaking. Later, Buttyán et al. [5] applied the mix zone technique to protect location privacy in vehicular networks. Was all that enough? Perhaps not, judging from the lack of location privacy safeguards in, say, today’s mobile phone systems. But we eventually also learnt that, despite what good-spirited researchers might think and despite what people might say in your face if you ask them, the general public doesn’t actually put a very high value on privacy in general [1] and on location privacy in particular [6], at least until something really bad happens to them personally. 
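To make the entropy measure concrete, here is an added example that is not from the article: a constructed set of mix-zone entry times, a hypothetical movement model standing in for what the observer knows about the tags, and the resulting entropy compared with the simpler log2 estimate, including the empty-zone case where the pseudonym change gives no protection.

```python
import math

# Constructed scenario (not from the article): pseudonyms observed entering a
# mix zone and the time at which one tag is later observed leaving it under a
# new pseudonym. Times are seconds on an arbitrary clock.
ENTRIES = {"tag-A": 0.0, "tag-B": 5.0, "tag-C": 8.0, "tag-D": 40.0}  # old pseudonym -> entry time
EXIT_TIME = 10.0


def log2_estimate(population):
    """First-order estimate of the privacy gained: log2 of the number of tags
    that were inside the zone when the new pseudonym emerged."""
    return math.log2(population) if population > 0 else 0.0


def entropy_bits(weights):
    """Shannon entropy (bits) of the observer's belief over which entering tag
    produced the exiting pseudonym; weights are unnormalised plausibilities.
    An empty zone, or a lone tag, gives 0 bits: the link is certain."""
    total = sum(w for w in weights.values() if w > 0)
    if total <= 0:
        return 0.0
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w > 0)


def observer_weights(entries, exit_time, expected_dwell, sigma):
    """Hypothetical movement model (an assumption of this example): a tag that
    entered at time t_in is a plausible source of an exit at exit_time in
    proportion to a Gaussian around the expected dwell time. A tag that had not
    yet entered when the exit was seen cannot be the source and gets weight 0."""
    weights = {}
    for tag, t_in in entries.items():
        if t_in >= exit_time:
            weights[tag] = 0.0
        else:
            z = (exit_time - t_in - expected_dwell) / sigma
            weights[tag] = math.exp(-0.5 * z * z)
    return weights


def mix_zone_privacy(entries, exit_time, expected_dwell, sigma):
    """Return (entropy in bits, log2 estimate) for one pseudonym change. The
    entropy is never above the log2 estimate: timing knowledge only helps the
    observer narrow down the candidates."""
    weights = observer_weights(entries, exit_time, expected_dwell, sigma)
    inside = sum(1 for w in weights.values() if w > 0)
    return entropy_bits(weights), log2_estimate(inside)


if __name__ == "__main__":
    h, naive = mix_zone_privacy(ENTRIES, EXIT_TIME, expected_dwell=10.0, sigma=5.0)
    print(f"entropy: {h:.3f} bits, log2 estimate: {naive:.3f} bits")
    print("lone tag in the zone:", mix_zone_privacy({"tag-A": 0.0}, EXIT_TIME, 10.0, 5.0))
```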
To some of us it is absolutely evident that protecting location privacy is a desirable goal, and one that we have a moral duty to pursue as responsible architects of the technologies that will affect billions of citizens of our world whether they like it or not. The ability to track individuals wherever they go, and even more so the ability to data-mine such location history retrospectively on a global scale, can be misused as an Orwellian tool of blackmail, surveillance and political oppression. In the inspiring words of Phil Zimmermann [21], whom I often quote on this subject: “When making public policy decisions about new technologies for the government, I think one should ask oneself which technologies would best strengthen the hand of a police state. Then, do not allow the government to deploy those technologies. This is simply a matter of good civic hygiene.” But I am well aware that these privacy-oriented values are not universally shared and that a full debate on motivations would exceed the scope of this brief note. Still, I feel that researchers who concentrate only on the technical aspects and completely dodge the debate on values are myopic and irresponsible. Mobile phones are only one of many ways through which the location of an individual can be tracked: anyone wishing to protect location privacy must look at a much wider picture. In the modern electronic society we all leave behind what Alan Westin [20] presciently defined as “data shadow” way back in 1967. Most of our purchasing and travel transactions are recorded in backend databases [7]. The owners of such databases often have an economic incentive to take active measures to link individual transactions back to the same person, for example by offering loyalty cards, in order to be able to engage in price discrimination [13]. Governments, who also deploy other pervasive location-monitoring tools such as CCTV cameras that recognize car numberplates (or even faces, in a not-too-distant future), are keen to centralize and cross-link their own databases, often under the excuse of the fight against terrorism [2]. Whenever our laptop establishes a wi-fi connection with an access point, it leaves some traces, at many levels in the protocol stack, of having visited that location. The same happens with Bluetooth connections [10] and of course with every kind of wireless technology, of which mobile phones are just a special case.
There has been widespread debate on privacy issues raised by RFID tags [11] and location privacy is among them. As first pointed out by Weis et al. [18], the “constellation” of tags of objects carried or worn by a person is likely to have enough of an invariant “core” that a person can be re-identified from one day to the next (e.g. you might be wearing the same glasses and wristwatch and overcoat as you did yesterday, even if you changed your shirt, socks and so forth). In summary, location privacy is a hard unsolved research problem and one that applies to a variety of modern systems. What matters most is not so much the specific technology used to acquire the location information (mobile phones, loyalty cards, CCTV cameras, wi-fi laptops, bluetooth gadgets, RFID tags or whatever) as the back-end databases that store all the sightings. The underlying problem is “denied oblivion” [15], the fact that storage is so cheap that there is no incentive ever to delete any data. Technological safeguards on their own will be insufficient to protect individuals from abuse and will have to be complemented by regulatory and societal protections. From the technical viewpoint, however, since the potential for abuse is already so great, anyone offering a new location-based service or technology would do well to think about its undesirable side effects and how to minimize them at the design stage. It’s the moral equivalent of “when you design this new vehicle, don’t just go ahead blindly but please think about how much it will pollute”. Unfortunately the location privacy problem is made harder by the misalignment of incentives of the players involved: those who could do the most to solve it are those who are least affected by the problem and the least concerned about it. Location privacy, though pervasive, multi-faceted and unsolved, is certainly not the only security concern in location-based computing. We can only mention them in passing, but secure positioning and secure position attestation are two other significant classes of location security problems. The former consists of “I want to determine where I am, despite the presence of active attackers who might send me fake signals instead of the ones I expect from my references” [12], as might be of interest to the navigation system of a ship in pirate-infested waters or, in a totally different context, to a region-coded video player that does not trust its owner. The latter problem can instead be described as “I want you to prove to me that you really are where you say you are”, a subcase of which is “I want you to prove to me that you are within x metres of this point” [4]. Both have a variety of practical applications and, in the grand scheme of things, they may be easier to tackle than location privacy, given that they don’t suffer from the same problem of misalignment of incentives.

References

[1] A. Acquisti and J. Grossklags. Privacy and rationality in individual decision making. IEEE Security & Privacy, 3(1):26–33, 2005.
[2] R. Anderson, I. Brown, T. Dowty, W. Heath, P. Inglesant, and A. Sasse. Database state. Technical report, The Joseph Rowntree Reform Trust, 2009.
[3] A. Beresford and F. Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing, 2(1):46–55, January 2003.
[4] S. Brands and D. Chaum. Distance-bounding protocols. In EUROCRYPT 93, LNCS 765, pages 344–359, 1993.
[5] L. Buttyán, T. Holczer, and I. Vajda. On the effectiveness of changing pseudonyms to provide location privacy in VANETs. In ESAS 2007, LNCS 4572, pages 129–141, 2007.
[6] G. Danezis, S. Lewis, and R. Anderson. How much is location privacy worth? In WEIS, 2005.
[7] S. Garfinkel. Database nation. O’Reilly, 2000.
[8] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In MobiSys 2003, pages 31–42, 2003.
[9] I. W. Jackson. Who goes here? Confidentiality of location through anonymity. Ph.D. thesis, University of Cambridge, February 1998.
[10] M. Jakobsson and S. Wetzel. Security weaknesses in Bluetooth. In CT-RSA, LNCS 2020, pages 176–191, 2001.
[11] A. Juels. RFID security and privacy: a research survey. IEEE Journal on Selected Areas in Communications, 24(2), February 2006.
[12] M. G. Kuhn. An asymmetric security mechanism for navigation signals. In IH 2004, LNCS 3200, pages 239–252, 2004.
[13] A. M. Odlyzko. Privacy, economics, and price discrimination on the Internet. In ICEC 2003, pages 355–366, 2003.
[14] F. Stajano. Security for ubiquitous computing. Wiley, 2002.
[15] F. Stajano. Will your digital butlers betray you? In WPES 2004, pages 37–38, 2004.
[16] R. Want, A. Hopper, V. Falcao, and J. Gibbons. The Active Badge location system. ACM Transactions on Information Systems, 10(1):91–102, January 1992.
[17] A. Ward, A. Jones, and A. Hopper. A new location technique for the Active Office. IEEE Personal Communications, 4(5):42–47, October 1997.
[18] S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels. Security and privacy aspects of low-cost radio frequency identification systems. In Security in Pervasive Computing 2003, LNCS 2802, pages 201–212, 2003.
[19] M. Weiser. The computer for the twenty-first century. Scientific American, 265(3):94–104, September 1991.
[20] A. Westin. Privacy and freedom. Atheneum, 1967.
[21] P. R. Zimmermann. Testimony of Philip R. Zimmermann to the Subcommittee on Science, Technology, and Space of the US Senate Committee on Commerce, Science, and Transportation, 1996.


Join today! SIGSPATIAL & ACM: www.sigspatial.org, www.acm.org

The ACM Special Interest Group on Spatial Information (SIGSPATIAL) addresses issues related to the acquisition, management, and processing of spatially-related information with a focus on algorithmic, geometric, and visual considerations. The scope includes, but is not limited to, geographic information systems (GIS). The Association for Computing Machinery (ACM) is an educational and scientific computing society which works to advance computing as a science and a profession. Benefits include subscriptions to Communications of the ACM, MemberNet, TechNews and CareerNews, plus full access to the Guide to Computing Literature, full and unlimited access to thousands of online courses and books, discounts on conferences and the option to subscribe to the ACM Digital Library.

❑ SIGSPATIAL (ACM Member): $15
❑ SIGSPATIAL (ACM Student Member & Non-ACM Student Member): $6
❑ SIGSPATIAL (Non-ACM Member): $15
❑ ACM Professional Membership ($99) & SIGSPATIAL ($15): $114
❑ ACM Professional Membership ($99) & SIGSPATIAL ($15) & ACM Digital Library ($99): $213
❑ ACM Student Membership ($19) & SIGSPATIAL ($6): $25
❑ Expedited Air for Communications of the ACM (outside N. America): $39


Mailing List Restriction: ACM occasionally makes its mailing list available to computer-related organizations, educational institutions and sister societies. All email addresses remain strictly confidential. Check one of the following if you wish to restrict the use of your name:
❏ ACM announcements only
❏ ACM and other sister society announcements
❏ ACM subscription and renewal notices only


Make check or money order payable to ACM, Inc. ACM accepts U.S. dollars or equivalent in foreign currency. Prices include surface delivery charge. Expedited Air Service, which is a partial air freight delivery service, is available outside North America. Contact ACM for more information.

Questions? Contact: ACM Headquarters, 2 Penn Plaza, Suite 701, New York, NY 10121-0701; voice: 212-626-0500; fax: 212-944-1318; email: [email protected]

Remit to: ACM, General Post Office, P.O. Box 30777, New York, NY 10087-0777

www.acm.org/joinsigs. Advancing Computing as a Science & Profession