LBS and Privacy Issues - Richard MO
1
Location-Based Services and Privacy Issues
Richard MO 1120349189
2
Presentation plan
• Location-Based Services
• Privacy Issues
• An alternative approach to k-Anonymity for LBS
3
Location-Based Services
• What is a Location-Based Service?
→ An application or website that provides services or information based on the user's location
→ Very useful to find your way or a restaurant nearby
4
Location-Based Services
• LBS are rapidly expanding in both variety and number
• Examples of LBS:
→ Navigation: MapQuest, Google Maps
→ Local search for events or stores: Yelp
→ Friend-finders and social networking: Loopt
→ Linking your location to activities: Facebook, Twitter
5
Location-Based Services
• Growth explained by the increased use of location-enabled devices such as smartphones and tablets.
6
Location-Based Services
• How is your location determined?
→ Cell-tower based identification (100 m accuracy)
→ GPS (20 m accuracy)
→ Wi-Fi triangulation (200 m accuracy)
→ IP address approximation
→ User-provided information
7
Privacy issues
• Information about the user's locations and whereabouts is stored or combined with other information to create a more detailed profile of the user for advertising or other purposes.
• Aggregated location data can be dangerous and expose too much of a person's habits.
8
Privacy issues
• Location can also be unknowingly disclosed.
→ Example: geotagging of photos
9
Privacy issues
• More and more users are getting aware of privacy issues.
10
Privacy issues
• Assume now that the end server is untrusted: how do you get the information you want and still ensure anonymity?
• In the next part, an alternative approach to k-anonymity is introduced to improve privacy protection on LBS.
11
An alternative approach to k-Anonymity for LBS
• What is k-anonymity?
Let us assume we want to publicly release a database without compromising privacy. To ensure privacy protection, removing real identifiers is not enough: date of birth + gender + ZIP code can uniquely identify 87% of US citizens listed in public databases.
12
An alternative approach to k-Anonymity for LBS
• What is k-anonymity?
Attributes have to be suppressed or generalized until each row is identical to k-1 other rows. We then talk about k-anonymity: given the attributes, the probability of finding the right person is lower than 1/k.
13
An alternative approach to k-Anonymity for LBS
• We consider a general anonymization architecture consisting of mobile users, an LBS, and an anonymizer.
• We consider that someone has access to the queries at the LBS side, making it untrusted.
14
An alternative approach to k-Anonymity for LBS
• We define the relations
▫ AQ(location, query) – anonymized query
▫ UL(user, location) – user location
• Definition 1 (LBS k-anonymity). Relation AQ is LBS k-anonymous iff for every query in AQ there exist at least k users in UL whose locations match the query's location. Formally: ∀q ∈ AQ, |{u ∈ UL | q.location covers u.location}| ≥ k.
15
An alternative approach to k-Anonymity for LBS
• Definition 2 (k-anonymity requirement). Every combination of values of quasi-identifiers must indistinctly match with those of at least k individuals.
• Definition 3 (k-anonymity). Let P be a relation and QI be the quasi-identifier associated with it. P is said to satisfy k-anonymity iff each sequence of values in P[QI] occurs at least k times in P[QI].
16
An alternative approach to k-Anonymity for LBS
• A quasi-identifier is a combination of a relation's attributes that can be used to uniquely identify at least one individual with the help of other externally available datasets.
• In our case, the relation is AQ and the QI is the location. Definition 2 is verified, Definition 3 is not.
17
An alternative approach to k-Anonymity for LBS
• For Definition 3 to be verified, there should be k queries with the same cloaked location for every existing location in AQ.
• Why LBS k-anonymity is not enough. Example: if A issues a query, it is cloaked to include at least k other users' locations. But if attacker B knows a query was made by A and only one anonymized query matches A's location, B can associate this query with A.
18
An alternative approach to k-Anonymity for LBS
• Alternative approach: ensure every query-issuing user's location is covered by at least k queries in AQ.
• Greater complexity.
• We consider that the attacker does not know the exact time of the query, and include a time field in AQ.
19
An alternative approach to k-Anonymity for LBS
• Definition 4 (LBS (k,T)-anonymity). Relation AQ is LBS (k,T)-anonymous iff for any submitted query qi at time ti, issued by user ui, there exist at least k−1 other queries in any time window of size at least T that includes ti. Formally:
∀t1 ∀t2 (t1 ≤ ti ≤ t2) ∧ (t2 − t1 + 1 ≥ T) ⇒ |{q ∈ AQ[t1,t2] | q.location covers ui.location}| ≥ k.
20
An alternative approach to k-Anonymity for LBS
• Optimization problem spanning both the spatial and temporal dimensions.
21
An alternative approach to k-Anonymity for LBS
22
An alternative approach to k-Anonymity for LBS
23
An alternative approach to k-Anonymity for LBS
• It is a greedy algorithm, as it chooses the expansion with maximum cost since it might end up covering other issuers and thus reducing future costs.
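Definitions 1 and 4 above checked in code, as an added example that is not part of the presentation: the relations AQ and UL are modelled as constructed Python data, with point locations for users and box-shaped cloaked regions for queries (an assumption; the deck does not fix a geometry), and the slide-17 scenario is replayed to show LBS k-anonymity holding while LBS (k,T)-anonymity fails.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    user: str    # issuer: known to the anonymizer, stripped before the LBS sees it
    time: int    # discrete time slot (the time field added on slide 18)
    box: tuple   # cloaked location as an inclusive box (x1, y1, x2, y2)

def covers(box, point):
    """True if the cloaked box covers the exact point location."""
    x1, y1, x2, y2 = box
    x, y = point
    return x1 <= x <= x2 and y1 <= y <= y2

def covering_queries(aq, loc, t1, t2):
    """Queries in AQ[t1, t2] whose cloaked location covers loc, i.e. the set an
    observer at the LBS side can still associate with a user standing at loc."""
    return [q for q in aq if t1 <= q.time <= t2 and covers(q.box, loc)]

def is_lbs_k_anonymous(aq, ul, k):
    """Definition 1: every query's cloaked location covers at least k users in UL."""
    return all(sum(covers(q.box, loc) for loc in ul.values()) >= k for q in aq)

def is_lbs_kt_anonymous(aq, ul, k, T):
    """Definition 4: for each query by u_i at t_i, every window of size >= T that
    contains t_i holds at least k queries (q_i included) covering u_i's location.
    Windows of size exactly T are the binding case: any larger window contains one."""
    for qi in aq:
        loc = ul[qi.user]
        for t1 in range(qi.time - T + 1, qi.time + 1):
            if len(covering_queries(aq, loc, t1, t1 + T - 1)) < k:
                return False
    return True

# Constructed sample data: A, B and C stand inside the cloaked box, D far away.
UL = {"A": (1, 1), "B": (2, 1), "C": (1, 2), "D": (9, 9)}
K, T = 3, 5

# Slide-17 scenario: A's only query is cloaked over a box holding A, B and C, so
# Definition 1 holds, yet it is the single query covering A's location: an observer
# who knows A queried around t=10 links it to A, and Definition 4 fails.
AQ_SINGLE = [Query("A", 10, (0, 0, 3, 3))]
DEF1_HOLDS = is_lbs_k_anonymous(AQ_SINGLE, UL, K)      # True
LINKABLE = covering_queries(AQ_SINGLE, UL["A"], 10 - T + 1, 10 + T - 1)  # 1 query
DEF4_HOLDS = is_lbs_kt_anonymous(AQ_SINGLE, UL, K, T)  # False

# Slide-18 approach: A's own location must be covered by k queries. Both the window
# ending at t_i and the one starting at t_i must qualify, so same-slot release is simplest.
AQ_COVERED = AQ_SINGLE + [Query("B", 10, (0, 0, 3, 3)), Query("C", 10, (0, 0, 2, 2))]
DEF4_FIXED = is_lbs_kt_anonymous(AQ_COVERED, UL, K, T)  # True
```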