Anonymous Communication Technique using Dummies for Location-based Services (PowerPoint PPT Presentation)

About This Presentation
Title:

Anonymous Communication Technique using Dummies for Location-based Services

Description:

We can use highly accurate positioning devices such as GPS. ... Dummies camouflage their true position data. July 11, 2005. ICPS 2005.

Transcript and Presenter's Notes

1
Anonymous Communication Technique using Dummies
for Location-based Services
  • Hidetoshi Kido (1), Yutaka Yanagisawa (2), Tetsuji Satoh (1,2)
  • 1) Osaka University, Japan
  • 2) NTT Corporation, Japan

2
Background
Background Our goal and approach Dummy generation
algorithms Evaluations of anonymity Conclusions
  • We can use highly accurate positioning devices
    such as GPS.
  • Various types of location-based services (LBS)
    are currently provided.
  • e.g. Restaurant search, Road navigation
  • Protecting location privacy is crucial.
  • A person's position data is significant personal data.

[Figure: GPS receiver]
3
Location-based Service (LBS)
1. The user device obtains position data (the red area in the figure) by GPS and sends it to the service provider.
2. The service provider retrieves restaurant information from its database using the received position data.
3. The service provider replies with the information to the user.
The service provider handles the position data of users; users obtain the data they need for their position from the service provider.
[Figure: Restaurant search. A user sends position data and a query to a service provider, which looks up restaurants in its DB and returns reply messages.]
Serious invasion of users' privacy!
4
Location Privacy Invasion
The service provider can continuously grasp the user's location in detail.
[Figure: Hospital search. The service provider caches the position data it receives.]
Findings: the user's route (from home) and the hospital visited by the user.
Position data allows invasion of user privacy.
5
Goal and Approach
  • Our goal
  • Protection of user location privacy in
    location-based services
  • Our approach
  • Anonymous communication technique using false
    position data (dummies) mixed with true position
    data

6
Our Anonymous Communication Technique for LBS
Each user sends several dummies with true position data.
1. The user device obtains position data and generates dummies.
2. The device sends the dummies with the true position data to a service provider.
3. The service provider retrieves restaurant information from the database using all received position data.
4. The service provider sends all retrieved information to the user.
5. The user selects only the necessary data using the true position data.
[Figure: Restaurant search. The user sends position data (true and dummies) and a query to the service provider, which queries its restaurant DB and returns reply messages.]
The service provider cannot distinguish the true position data from all received data.
7
Features and Issues
[Figure legend: true position vs. dummies]
  • Features
  • Dummies can be generated at any position.
  • Dummies move in various directions.
  • Issues
  • Realistic dummy movements
  • Dummies should not be distinguished from true
    position data.
  • Reduction of communication costs
  • Dummies should not interfere with LBS
    communication.

Based on dummies, observers can't easily trace the true position.
Realistic dummy movements are addressed by the dummy generation algorithms; reduction of communication costs by the cost reduction technique.
8
Dummy Generation Algorithms
  • Dummy generation
  • Dummies must behave like true users.
  • Focus on velocity of moving users.
  • Ex. People walk at less than 4 km/h.
  • Our proposed algorithms
  • Moving in Neighborhoods (MN)
  • Moving in Limited Neighborhoods (MLN)

These algorithms allow dummies to behave like
true position data.
9
Moving in Neighborhoods (MN)
Area limitation: where dummies can move
  • The future position of a dummy is decided using its previous position.
  1. Ranges of dummy movement are decided.
  2. Dummies are generated within the ranges.
[Figure: dummies and the ranges in which they may move]
Moving in Neighborhoods
  • A quite simple algorithm
  • Dummies tend to move randomly

10
Moving in Limited Neighborhoods (MLN)
Limitation of the number of dummies included in a region
  • The future position of a dummy is decided using its previous position.
  • The maximum number of users included in a region is limited.

[Figure: true position and dummies on a grid. Dummies are generated in regions where few users are; regions with more users than others are avoided.]
Moving in Limited Neighborhoods
  • A more complicated algorithm than MN
  • Dummies move more uniformly.

11
Example of Movements
[Figure: movements over time, normal (true position only) vs. with the MN algorithm]
Dummies camouflage the true position data.
12
Evaluations of Anonymity
  • Anonymity Set
  • How is location anonymity enhanced?
  • Two requirements
  • Indicators based on the Anonymity Set
  • Experiments

Two requirements and their indicators: Ubiquity (F) and Congestion (P, Shift(P))
13
Enhanced Anonymity Set
Anonymity Set (Pfitzmann 2000): a set of possible subjects. A is a set of subjects and i is information about position related to A.
Extended: the set of all subjects determined by position information.
Formalization: AS(i) is the set of subjects determined by i.
When the number of subjects is large, anonymity is high.
  • We define the following two functions:
  • ASF(i) returns the regions specified by i.
  • ASP(i) returns the persons specified by i.

Examples of information i: "I'm in the region where an arrow points." and "I'm in the blue regions."
[Figure: users on a grid of regions (scale 1); example values read off the figure: ASF(i) = 9, ASP(i) = 3, ASF(i) = 16]
14
Ubiquity
Ubiquity
For every user: all position data exist only in a part of an area (low ubiquity) or widely in the entire area (high ubiquity).
  • Users stay in the entire area.
  • Observers must check many regions to find specific users.
  • Indicator F
  • Scale of all regions where users are

F = ASF(i), where i = "users are in (multiple regions)", expressed as a fraction (%) of all regions.
[Figure: high ubiquity F = 13/16; low ubiquity F = 2/16]
15
Congestion
Congestion
For local users
  • A large number of users are in a region.
  • It is difficult to distinguish one user from many users in the same region.
  • Indicator P

P = ASP(i), where i = "a specific region": P is the number of users in that region.
[Figure: low congestion with P = 1, 1, 4 in three regions; high congestion with P = 5]
Extended for moving users: Shift(P).
16
Shift(P)
  • Shift(P) is the difference of P in each region from time t to t+1.
  • While dummies are generated unnaturally, Shift(P) is high.

[Figure: true position and dummies at time t and time t+1, with the matrix of Shift(P) values (0, 6, 1, 2, 1, 3). Where Shift(P) is high, dummies seem to move unnaturally.]
Relationships between Shift(P) and dummy generation
While Shift(P) in each region is low, location anonymity is enhanced.
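As an added example (not the paper's code), the MN dummy step of slide 9 and the indicators F, P and Shift(P) of slides 13 to 16 computed on a grid of regions; the 4x4 grid, the 1000 m area, the one-minute step bound derived from the 4 km/h walking speed and the sample positions are assumptions.

```python
"""Ubiquity F, Congestion P and Shift(P) on a grid, plus a Moving-in-Neighborhoods (MN) dummy
step.  Added example, not the paper's code: grid, area, step bound and positions are constructed."""
import random
from collections import Counter

GRID = 4                     # 4x4 = 16 regions, matching the slides' F = 13/16 example
AREA = 1000.0                # side of the square service area in metres (assumed)
WALK_4KMH_1MIN = 4000 / 60   # ~67 m: distance a 4 km/h walker covers in one minute

def region_of(pos):
    """Map an (x, y) position in metres to a (row, col) region index on the grid."""
    x, y = pos
    cell = AREA / GRID
    return (min(int(y // cell), GRID - 1), min(int(x // cell), GRID - 1))

def congestion(positions):
    """P per region: number of reports (true + dummies) in each region; regions
    without a report are simply absent (P = 0)."""
    return Counter(region_of(p) for p in positions)

def ubiquity(positions):
    """F = |ASF(i)| / (all regions): share of regions holding at least one report."""
    return len(congestion(positions)) / (GRID * GRID)

def shift_p(before, after):
    """Shift(P): absolute change of P in every region between time t and t+1.
    High values mean reports appear or vanish abruptly, i.e. dummies move unnaturally."""
    pb, pa = congestion(before), congestion(after)
    return {r: abs(pa[r] - pb[r]) for r in set(pb) | set(pa)}

def mn_step(pos, rng=None, max_step=WALK_4KMH_1MIN):
    """Moving in Neighborhoods: draw the next dummy position uniformly from the square
    neighbourhood of half-width max_step around the previous one, clipped to the area,
    so the dummy never exceeds a walker's speed."""
    rng = rng or random.Random()
    x, y = pos
    nx = min(max(x + rng.uniform(-max_step, max_step), 0.0), AREA)
    ny = min(max(y + rng.uniform(-max_step, max_step), 0.0), AREA)
    return (nx, ny)

def plausible(prev, cur, max_step=WALK_4KMH_1MIN):
    """Observer-side check the slides motivate: a report that moved further than a
    walker could between t and t+1 is a likely dummy.  True for a believable move."""
    return abs(cur[0] - prev[0]) <= max_step and abs(cur[1] - prev[1]) <= max_step

if __name__ == "__main__":
    rng = random.Random(7)
    reports_t = [(120.0, 130.0), (600.0, 140.0), (130.0, 620.0)]    # true + 2 dummies
    reports_t1 = [(150.0, 160.0)] + [mn_step(d, rng) for d in reports_t[1:]]
    print("F:", ubiquity(reports_t), "P:", dict(congestion(reports_t)),
          "Shift(P):", shift_p(reports_t, reports_t1))
```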
17
Experiments
  • Simulation system implementation
  • Settings
  • Number of dummies: 0 to 10
  • Number of regions: 8x8, 10x10, and 12x12
  • Dummy generation algorithms: Random, MN, and MLN
  • Trajectory data for evaluations
  • 39 trajectories of rickshaws working in Nara

[Figure: our simulation system; rickshaws; a sample trajectory]
18
Relationship between Location Anonymity and
Ubiquity F
Observers can easily trace user movement when F is low; when F is high, location anonymity is high enough to protect the location privacy of the user.
[Figure: users in a region at F = 80%, F = 50% and F = 10%]
F > 80%: high location anonymity
19
Comparison of Number of Dummies and Ubiquity F
[Chart: ubiquity F (%) against number of dummies for each grid size]
To enhance location anonymity to the degree F > 80%:
  • 64 regions (8x8): three dummies
  • 100 regions (10x10): four dummies
  • 144 regions (12x12): six dummies
20
Comparison of Dummy Generation Algorithms and
Shift(P)
Number of dummies: 3; number of regions: 10x10
[Table: share (%) of regions by Shift(P) bucket, 0 (best), 1-2 (good), 3-5, 6 or more (bad), for Random, MN and MLN; values as extracted: 0.1, 1.6, 0.2, 3.8, 8.9, 27.9, 47.9, 52.3, 46.1, 48.1, 63.1]
When Shift(P) in each region is low, location anonymity is enhanced.
Enhancement of location anonymity: MN > MLN >> Random
21
Cost Reduction Techniques
  • Communication costs
  • Requiring (request) message cost (S)
  • Answering message cost (R)

Users send position data consisting of sets of X and Y; u is the return address, (Xr, Yr) the point of the true data, and (X1, Y1), (X2, Y2) the dummies.
Previous technique: S = (u, (Xr, Yr), (X1, Y1), (X2, Y2))
New technique: S = (u, (Xr, X1, X2), (Yr, Y1, Y2)), i.e. (set of Xs), (set of Ys)
The service provider believes that all combinations of Xs and Ys are position data.
[Figure: the true point and two dummies plotted on X (Xr, X1, X2) and Y (Yr, Y1, Y2) axes, previous technique vs. new technique]
22
Cost Comparisons for Requiring Messages
Even if the number of position data items is 10,000, the message size is less than one Kbyte.
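As an added example (not the paper's code), the two request-message constructions of slide 21 and the size claim of slide 22 in Python; the 4-byte integer coordinate encoding, the return address value and the sample points are assumptions.

```python
"""Request-message construction from the slides: the previous technique sends one (X, Y)
pair per position; the new one sends the set of Xs and the set of Ys and lets the
provider treat every combination as a position.  Added example, not the paper's code;
the 4-byte integer coordinates and the sample points are assumed."""
import itertools
import struct

def previous_message(ret_addr, true_pos, dummies):
    """S = (u, (Xr, Yr), (X1, Y1), ...): one explicit point per position."""
    return (ret_addr, true_pos, *dummies)

def new_message(ret_addr, true_pos, dummies):
    """S = (u, (Xr, X1, ...), (Yr, Y1, ...)): coordinate sets.  Sorting removes the
    'true point first' ordering of the slide's notation, which would otherwise leak it."""
    pts = [true_pos, *dummies]
    xs = tuple(sorted({x for x, _ in pts}))
    ys = tuple(sorted({y for _, y in pts}))
    return (ret_addr, xs, ys)

def candidate_positions(msg):
    """What the provider must query: every (X, Y) combination of the two sets."""
    _, xs, ys = msg
    return list(itertools.product(xs, ys))

def payload_bytes(msg):
    """Wire size of the position part, with each coordinate as a 4-byte little-endian int."""
    flat = [c for item in msg[1:] for c in item]
    return len(struct.pack(f"<{len(flat)}i", *flat))

def select_reply(reply, true_pos):
    """Step 5 of the technique: the user keeps only the (L, D) entries at the true point."""
    return [d for loc, d in reply if loc == true_pos]

if __name__ == "__main__":
    true_pos, dummies = (135, 34), [(136, 35), (137, 33)]
    new = new_message("u", true_pos, dummies)
    print(len(candidate_positions(new)), "candidates in", payload_bytes(new), "bytes",
          "vs", payload_bytes(previous_message("u", true_pos, dummies)), "bytes before")
    # Slide 22's claim: 100 Xs and 100 Ys yield 10,000 candidate positions under 1 Kbyte.
    big = new_message("u", (0, 0), [(i, i) for i in range(1, 100)])
    print(len(candidate_positions(big)), "candidates,", payload_bytes(big), "bytes")
```

The saving on the request side moves work to the provider, which now answers n² candidate points for 2n coordinates; the reply-size techniques of the appendix slides address that side.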
23
Conclusions
  • We proposed an anonymous communication technique
    for location-based services.
  • Findings
  • Our technique protects the location privacy of LBS users.
  • Our technique can be applied in practical LBS.
  • Future work
  • Improvement of dummy generation algorithms for
    natural movement.

24
(No Transcript)
25
Accuracy Reduction Technique
  • Accuracy reduction technique
  • Previous technique
  • The accuracy of position data is reduced.
  • Problems
  • The accuracy of service data is also reduced.
  • The chain of position data creates a rough trajectory.

[Figure: the true position and dummies vs. accuracy reduction]
26
Strategy of Cost Reduction
  • Communication costs
  • A requiring (request) message cost (S)
  • An answer message cost (R)
  • Strategies
  • S: changing the construction of position data.
  • R: reducing the cost of service data.

27
Answer Message (1/2)
  • Elements of an answer message R
  • Point (Lx)
  • Service data (Dx)
  • R consists of sets of (Lx, Dx).
  • Elements of a service data item D
  • Name (namex)
  • Attributes (URLx, addressx)

R = ((Lr, Dr), (L1, D1), (L2, D2))
D = ((name1, URL1, address1), (name2, URL2, address2), ...)
Because the amount of Dx is much larger than that of Lx, we tried to reduce costs on the service data (Dx).
28
Answer Message (2/2)
Decided by users:
  • Range limitation
  • The accuracy of position data increases.
  • Category limitation
  • Many services have category information.
  • A service provider lets users decide categories.
  • Setting keywords
  • A service provider lets users decide keywords.
  • Removal of unnecessary data
  • A service provider lets users decide which entries are unnecessary.

29
Evaluations of costs
  • Contents
  • Measurements of the cost of the answer message
  • Service data for experiments (Dx)
  • A database of GeoLink Kyoto
  • Average data per spot: 121.964 bytes
  • Procedure
  • We create pseudo position data using SQL to query the database.

30
GeoLink Kyoto Service
[Screenshot: GeoLink Kyoto service UI with settings for keywords, categories and the range of position data]
31
Cost Comparisons for Answer Messages
[Chart: total data sent (Kbytes) against number of dummies for no limit, radius 1/2, category limit, keyword, and URL removal]
Communication costs decrease when limiting services.