ArticlePDF Available

Abstract and Figures

We present a decentralized approach that exploits the capability of mobile devices to form wireless personal ad-hoc networks in order to protect the privacy of users who access location-based services. The novelty of our approach is that users do not need to trust any party such as an intermediary server or peers with their locations and identities. We propose efficient algorithms for users to compute a k-anonymous imprecise location and to randomly select one of her peers with uniform probability who forwards the service request on behalf of the user. Our experimental evaluation shows that using our approach a user can enjoy a high quality of service with a high degree of privacy.
Content may be subject to copyright.
“Don’t Trust Anyone”:
Privacy Protection for Location-Based Services
Tanzima Hashem and Lars Kulik
Department of Computer Science and Software Engineering
University of Melbourne, Victoria, 3010, Australia
We present a decentralized approach that exploits the capability of mobile devices to
form wireless personal ad-hoc networks in order to protect the privacy of users who
access location-based services. The novelty of our approach is that users do not need
to trust any party such as an intermediary server or peers with their locations and iden-
tities. We propose efficient algorithms for users to compute a k-anonymous imprecise
location and to randomly select one of her peers with uniform probability who forwards
the service request on behalf of the user. Our experimental evaluation shows that using
our approach a user can enjoy a high quality of service with a high degree of privacy.
Key words:
Anonymity, Location-based Service, Obfuscation, Privacy, Trust.
1. Introduction
The advancement and proliferation of wireless mobile location-aware devices (e.g.,
smartphones, GPS-enabled cars) have enabled services that are based on location infor-
mation, known as location-based services (LBSs). Nowadays, a large range of LBSs are
offered by location-based service providers (LSPs). Access to these services is becom-
ing a central part of our daily life activities: a tourist might require more information
about an unfamiliar place or a woman having a sudden heart attack needs to find the
nearest cardiac hospital. Although, these services make our lives more convenient, their
access also reveals private information. A service request typically reveals the identity
(e.g., IP address or caller ID) of the user but might include other personal information
such as location, time, and the type of the service request. This information enables an
LSP to infer over time a comprehensive user profile with a high degree of precision,
which in turn creates a significant potential for privacy invasions.
Privacy protection has become a major research area, as privacy threats might in-
hibit the growth of LBSs [1]. We propose a decentralized approach to protect user
privacy in LBSs that does not rely on trusting any involved party, neither the involved
peers nor the LSP (even if the LSP coincides with the cellular operator). Our approach
exploits the capability of current mobile devices to form ad-hoc wireless personal area
Preprint submitted to PMC April 20, 2010
networks (WPANs), e.g., using Bluetooth. WPANs allow us to decouple the user who
requires a location service, the query initiator, from the peer who actually forwards
the request to the LSP on the user’s behalf, the query requestor. In an ad-hoc network
of nindividuals, any one of them can act as a query requestor on behalf of the query
initiator and an LSP can only identify the query initiator as one of those npeers.
A major challenge for any decentralized approach that does not rely on the trust
of its peers is the selection of a query requestor with uniform probability, where the
selected query requestor can be more than one hop away from the query initiator. It
ensures that even if the LSP has access to the information that currently ndevices form
an ad-hoc network, the LSP is only able to identify the query initiator with a probability
of 1
n. A simple selection scheme that requests the IPs (or IDs) of nearby users from the
query initiator would assume that the users have to entrust the query initiator with their
IPs. We present a near-uniform random selection algorithm to select a query requestor
from the set of peers. The algorithm (i) does not reveal the peers’ IPs, (ii) copes with
local ad-hoc networks where the query initiator and query requestor are several hops
away, and (iii) works for any spatial distribution of peers.
Hiding solely the identity from an LSP is not sufficient for preserving privacy be-
cause other revealed information may also act as quasi identifiers during a service re-
quest. For example, when a user anonymously, i.e., without disclosing her identity,
accesses a service at night from her home, the revealed location and time together can
identify the user as the resident of this place, from which we can in turn infer her iden-
tity. Therefore, the problem of hiding user location from the LSP has lately received
great attention (e.g., [2, 3, 4, 5]).
In our approach, a user’s actual position is obfuscated using an imprecise location
(a rectangle). The idea is that the more imprecise the information about a user’s posi-
tion, the greater a user’s privacy as it is increasingly difficult to identify where the user
is actually located. If a user requires a location service, she inquires those imprecise
locations from other peers in the local ad-hoc network. For maximal privacy protec-
tion the proposed approach combines obfuscation with k-anonymity [6]: our algorithm
computes the minimum bounding rectangle that includes the user’s rectangle and the
rectangles of k1other peers so that the user’s location becomes indistinguishable
from the location of k1other peers. Then using our random selection algorithm the
user selects a query requestor from her npeers, who are connected to the local ad-hoc
network, to forward her request together with the minimum bounding rectangle to the
LSP, where kn. The request and the routing information are encrypted, i.e., users do
not know what services other users request. Our approach hides the identities as well
as the precise locations of the peers involved in the service request from other peers,
and the replies from the LSP are only known to the query initiator.
In addition, we provide a heuristic algorithm that evaluates proximity queries (e.g.,
what is the nearest restaurant) for imprecise locations with approximate answers.
There exists a number of algorithms (e.g., [3, 7]) that return nearest points of inter-
ests (POIs) for every position in the given imprecise location. However, such large data
sets cause processing and communication overheads. An approximate answer might
occasionally return a POI that is only the second or third closest POI. However, we
assume that a slightly longer travel time is a good compromise in return for greater pri-
vacy. We will show that our approach can maintain both, a high level of service quality
in terms of accuracy and a high degree of privacy.
In summary, our contributions in this paper are as follows:
We propose a near-uniform random selection algorithm to select a query re-
questor for any spatial distribution of users without revealing their identities.
Our experimental analysis show the effectiveness of our algorithm.
We develop a linear-time heuristic algorithm for generating a user’s k-
anonymous imprecise location without revealing exact location. A range experi-
ments demonstrates the performance of our algorithm.
We present an efficient heuristic algorithm for proximity queries given an impre-
cise location and show we can improve the quality of service while maintaining
a high degree of privacy. Our experiments show the efficiency of the algorithm.
In [8] we focused on computing a k-anonymous imprecise location of a user in a
decentralized manner without revealing the locations of peers to anyone. We presented
an incremental algorithm that can select a query requestor with near-uniform random-
ness without knowing users’ IPs if the users are uniformly distributed. In this article, we
enhance our work in three ways: (i) since the users may not be uniformly distributed,
we develop a general random selection algorithm that can work for any spatial distri-
bution of users; (ii) we present an approach that allows a user to enjoy both high quality
of service and privacy for proximity queries; (iii) we present a new set of experimental
analysis to verify the effectiveness of our proposed techniques.
The remainder of the paper is organized as follows. Section 2 reports existing work.
Section 3 and 4 present our algorithms to compute an k-anonymous imprecise location
and randomly select a query requestor with uniform probability, respectively. In Sec-
tion 5, we evaluate our techniques in extensive experiments and show how we can
ensure a high quality of service even for a high level of privacy. Section 6 concludes
the paper with future research directions.
2. Related Work
Spatial cloaking is the most widely used privacy preserving technique for users
accessing LBSs. Besides spatial cloaking, alternative techniques such as cryptography,
using false locations, regulation and policies have also been proposed.
2.1. Spatial Cloaking
Most research on spatial cloaking are based on centralized architecture (e.g., [2, 3,
4, 7, 9, 10]), which assumes that users must trust an intermediary server with their iden-
tities, locations, and queries. Every location-based query is first sent to the intermediary
server, which transforms the user’s exact location to a cloaked area (i.e., rectangle or
circle) and forwards the query to the LSP for that cloaked area. Thus, the user’s iden-
tity and location are not revealed to the LSP. The LSP evaluates the query with respect
to the cloaked area and returns answers to the intermediary server. The intermediary
server filters the answer for the user’s exact location and forwards it to the user.
Different algorithms have been proposed for an intermediary server to transform a
user’s location to a cloaked area using spatial k-anonymity [2] and/or obfuscation [11].
In spatial k-anonymity techniques, a user’s location is indistinguishable from k1
other user locations, and the LSP is not able to identify the user even if it knows all
user locations, e.g., using background knowledge, physical observations or cell phone
signals. An obfuscation technique, on the other hand, degrades the quality of a user’s
location. Interval Cloak [2] has been introduced based on the idea of spatial and tempo-
ral cloaking using quadtrees [12], where a region is recursively divided into quadrants.
The user’s location is “cloaked” to a quadrant that contains at least klocations includ-
ing the user’s location. In [2], the user can also specify a time parameter that is used to
delay cloaking if there are less than k1other nearby locations available. The main
limitation of [2] is that all users need to have the same k-anonymity requirement. The
personalized anonymization model in [9], Clique Cloak, allows each user to have a
different k-anonymity requirement. Clique Cloak finds the minimum bounding area as
a user’s cloaked area that covers kuser locations including that of the user. However,
this algorithm is not scalable for a larger kdue to its high computational overhead.
In [3], a technique called Casper has been proposed to integrate k-anonymity and ob-
fuscation for privacy protection in LBSs. Similar to Interval Cloak,Casper also uses a
quadtree but differs in following respect: a user specifies a required minimum area in
addition to kand Casper considers combining neighboring quadrants of the quadtree
while generating the user’s cloaked area.
There are, however, a number of disadvantages of centralized approaches, such as
a single point of failure, bottlenecks due to communication overhead between mobile
users and the LSP, and privacy threats as these systems store all information in a single
place. To address these limitations, decentralized approaches (e.g., [13, 14, 15, 16])
have been proposed that exploit P2P networks (e.g., Bluetooth, WiFi) and eliminate
the requirement of an intermediary trusted server.
[13] is a decentralized approach, where a user searches for her peers to form a
group. Peers reply back with their exact locations and identities directly or through
other peers. In the developed heuristic algorithm to compute the cloaked area that in-
cludes other k1nearest neighbor locations, it is likely that the user’s location is at
the center region of the cloaked area and the anonymity is not preserved. From the
group a peer is randomly selected to forward the request to the LSP. The type of re-
quested service may be revealed to a hostile user, which could coincide with a randomly
selected peer. In our approach, the random selection algorithm enables a peer to be se-
lected anonymously with uniform probability without exchanging identities or exact
positions, and the service request is only revealed to the LSP.
In [14, 15], the user locations are transformed from a two-dimensional space into
one-dimensional locations using Hilbert space filling curve and the users are sorted into
groups of at least kmembers in order of their one-dimensional locations. The cloaked
area of a user covers the locations of all users in her group. In [14], a distributed anno-
tated B+tree stores user location whereas later in [15], a distributed hash table is used
instead to avoid the bottleneck of the hierarchical structure of the B+tree. In these
approaches, the user’s real identity is not disclosed to the LSP using a pseudonym ser-
vice. Thus, the users rely on the Internet for pseudonym service, whereas our approach
proposes a near-uniform random selection algorithm that does not need a pseudonym
service and works with any ad-hoc network.
In these approaches [13, 14, 15], although the users can hide their identities and
locations from the LSP, they need to trust each other with their identities and locations.
We propose a decentralized solution that does not need to trust an intermediary server
and any other user in the system. In the most recent approach [17], the authors consider
computing a cloaked area in two phases without disclosing users’ locations to anyone.
In the first phase, the user who requires a service forms a group with k1other users
through their proximity information and then in the second phase, the group progres-
sively finds a bounding box as their cloaked area that covers all users’ locations. In
order to compute a bounding box, a hypothetical bounding box is proposed and sent
to all group users to check whether it includes all user locations. If a user location is
not included within the hypothetical bounding box, the user proposes a new extended
bounding box that includes her location. This process continues until all users agree on
the bounding box. The main limitation of this approach is that a user’s precise location
can be easily refined when the difference between the hypothetical bounding box and
the new extended bounding box by the user is small.
2.1.1. Query Processing
Parallel to spatial cloaking algorithms, researchers have also focused on developing
efficient algorithms for finding m-nearest POIs with respect to a rectangular or a circu-
lar area. In Casper [3], Mokbel et al. have developed an algorithm that returns a range
of POIs including the nearest POIs for every point of a rectangle. In [18], Hu and Lee
have developed an algorithm for finding the optimal set of nearest POIs with respect to
every point of a rectangle. In [7] and [19], algorithms have been proposed to evaluate
m-nearest POIs for every point of a circle. All of these algorithms may need to return
a large set of answers and thus incur high processing and communication overheads.
To address this issue, recently an approximation algorithm [20] has been proposed that
reduces the size of the answer set at the cost of high preprocessing overhead. On the
other hand, in this paper we propose an approximation algorithm that does not require
any type of preprocessing to evaluate the query and also reduces the answer set size.
2.2. Other Techniques
Cryptographic approaches [21, 22] allow users to access LBSs without revealing
their locations to the LSP. Although the architecture of both of these approaches elim-
inates an intermediary trusted server, these approaches require an encrypted database.
In [21], encrypted space Hilbert curves are used that may not always preserve the prox-
imity relations of the original space. Therefore, the returned POIs may not be the actual
answers. The approach in [22] uses private information retrieval (PIR) protocols to re-
trieve the approximate and exact nearest POIs without disclosing a user’s location.
Although this approach ensures privacy for both static and continuous queries, it incurs
a high pre-processing overheads compared to spatial cloaking [23]. Moreover, this ap-
proach only supports queries for the nearest POI; the extension to m-nearest POIs is
not straightforward and requires to maintain a separate data storage for every m, which
in turn leads to high computational and storage overheads.
In [16], the user provides a false location and retrieves the nearest POI for the
false location incrementally until the nearest POI with respect to the actual location is
ensured. The privacy region derived in this approach does not consider k-anonymity.
The limitation of this approach could be a high query response time due to multiple
communication overheads. Kido et al.s approach to preserve privacy is based on an
anonymization technique using dummies [24], representing false locations along with
the true locations to the LSP. This system has been criticized that it has a higher prob-
ability of malicious attacks due to the failure of generating realistic dummies and thus
wasting resources in processing dummies [13].
To protect user privacy existing research efforts have also suggested different strate-
gies like regulation [25], and privacy policies [26, 27]. Regulation and privacy policies
are based on trust. Although they can prohibit the misuse of a user’s location, they
might not be able to control malicious attacks to privacy for two reasons: (a) the rules
and regulations may not anticipate the advancement of technology and (b) a hostile
user may not care about privacy policies while disclosing private information.
3. Computation of a k-Anonymous Imprecise Location
The two most important elements characterizing a user are identity and location.
Therefore, all approaches preserving user privacy needs some strategies for hiding a
user’s location. Our approach to privacy-aware LBSs is based on a decentralized ad-
hoc network of mobile users where each user obfuscates her precise location from other
peers. We call this imprecise location a locally cloaked area (LCA). If a user requires
a service from an LSP, the user’s current position is masked by using not only her own
LCA but also the LCAs of k1other peers.
Assume that an ad-hoc network consists of npeers. To ensure k-anonymity an
algorithm has to compute the smallest bounding box that contains the LCA of the
query initiator and k1LCAs of the n1peers (see Section 3.2 if k > n). We call
the minimum bounding box of the union of these kLCAs the globally cloaked area
(GCA) of the query initiator, which provides obfuscation as well as k-anonymity. The
GCA will be sent to the LSP for the query initiator’s service request. As the GCA is
the minimum bounding box, it ensures the highest possible quality of service given the
privacy requirements of the query initiator in terms of k-anonymity and obfuscation.
A na¨
ıve algorithm to compute the GCA is a brute force-based computation (BGC):
we compute the minimum bounding rectangle for every k-subset of LCAs that con-
tains the query initiator’s LCA, and select the rectangle with the smallest area. A BGC
is essentially an exhaustive search and computationally expensive as its time complex-
ity is exponential. Therefore, we develop a greedy algorithm for the computation of
the GCA that trades accuracy, i.e., computes a slightly larger minimum box than the
optimal GCA, in turn for significant savings in computation time. The BGC serves as
a benchmark against which we compare the greedy-based GCA computation (GGC) in
Monte Carlo simulations in terms of accuracy and execution time. We first propose an
algorithm for the computation of the LCA.
3.1. Generating the LCA
A mobile user can specify the desired LCA via three constants: the constant cdeter-
mines the ratio between the width and the length of the LCA, e.g., a long thin rectangle
could hide where a user is located in a street, and the constants c1and c2determine the
minimum and maximum distance of the user’s position from the LCA boundary. If a
Figure 1: (a) The grey area shows the imprecise location of A1that can be computed by A2. It can be smaller
if A1is not restricted in her LCA (left) compared to the case where it is (right). (b) The grey area shows the
imprecise location of A1that can be computed by A2and A3with their combined communication range.
user A1provides her LCA to a peer A2and some part of the LCA lies outside the com-
munication range of user A2, then user A2can easily render a more precise location
of A1. Restricting the position of A1via c1and c2to a smaller rectangle in the LCA
ensures a larger obfuscated area for A1(Figure 1(a)(right)) compared to the case where
the position of A1can be on (or close to) the boundary of the LCA (Figure 1(a)(left)).
Algorithm 1 finds a random rectangle of the specified area representing the LCA.
Algorithm 1: FindLCA
Input : An area ALCA for the LCA, and the position (x, y)of the user.
Output: Returns a rectangle defined by (xmin, xmax , ymin, ymax ).
Let mbe a random number between 1/c to cfor a constant c, and xland ylbe the length1.1
in xand ydirection, respectively;
xl:= pALCA /m,yl:= m·xl;1.2
Let nxbe a random number between xl/c1to xl/c2and nybe a random number1.3
between yl/c1to yl/c2, where c1and c2are constants;
Let l, and ube the distances to the left and up direction from (x, y)position, respectively;1.4
Let land ube random numbers between 0to xlnxand 0to ylny, respectively;1.5
xmin := x(l+nx/2),xmax := x+ (xllnx/2);1.6
ymin := y(u+ny/2),ymax := y+ (yluny/2);1.7
In our approach, a user generates different LCAs using Algorithm 1 for every query
initiator’s LCA request. If a user provides the same LCA to every query initiator, then
a group of peers can collaborate and combine their communication ranges to refine a
user’s more precise location. Figure 1(b) shows an example of such a case; peers A2
and A3appear as query initiators to the user A1and receives the LCA from A1. Then
A2and A3combine their communication ranges to identify A1’s smaller obfuscated
area. On the other hand, since our approach does not require revealing a user’s identity
while providing her LCA, if a user provides different LCAs to the query initiators then
they cannot link the LCAs that refer to the same user. Although different LCAs of a
user need to overlap in order to include the user’s current location, the query initiators
cannot infer that the overlapping LCAs correspond to the same user since LCAs of
different users can also overlap.
3.2. Generating the GCA
The query initiator broadcasts a message requesting LCAs to her 1-hop neighbors
in order to compute her GCA. A message consists of four parts: a unique message
ID, a pseudonym (e.g., an encrypted IP address), the request for the LCAs, and the
maximum hop count, hmax. The pseudonym in the message determines the parent for
the nodes receiving the message. Each peer who receives this message for the first time
(1) decrements hmax by one in the message, (2) stores the message ID and her parents’
pseudonym, and (3) broadcasts the message exchanging her parents’ pseudonym with
her own if hmax is greater than 0. This limited flooding continues until hmax is 0. Then,
the peers compute their LCAs and recursively report back to the previous user using
the stored parents’ pseudonym. This technique does not flood the network as only the
user that can decrypt the pseudonym will relay the message to the next peer. Initially,
the query initiator sets hmax to 1. After receiving the LCAs, if the number of LCAs
does not satisfy the k-anonymity requirement then the query initiator increments hmax
by 1 and repeats the process.
If the query initiator does not find any peer, then there are two options: (1) if an
immediate service is required, the query initiator sets the GCA to the LCA, or (2) the
query initiator waits until more peers are nearby. This approach balances the user’s
desired privacy level against the available time. In an automated system a user could
store a minimum rectangle for her GCA in her privacy profile.
Our approach to compute a GCA is not vulnerable to the reverse engineering attack
that can sometimes originate from a non-uniform distribution of users [14] and identify
the user who needs the service from k1other users whose locations are included in
the user’s GCA. Although the GCAs are different for every user, it is not possible for an
LSP to identify the user who needs the service even with the strong assumption that the
LSP knows the exact user locations. This is because our heuristic algorithm to compute
a user’s GCA considers a set of LCAs instead of exact locations and no party knows
which k1LCAs are considered by the user to compute her GCA.
3.3. The GGC Algorithm
We present a greedy algorithm to compute the GCA for a query initiator j. Assume
that kis the desired anonymity level of jand nis the number of LCAs reported by
the neighbors of j. To compute the GCA, we have to find the smallest rectangle rthat
encloses a k-subset (including j’s LCA) from the nLCAs. The LCA of a user iis
described by (xmini, xmaxi, ymini, ymaxi). If the area of ris smaller than the minimum
GCA size σspecified by user j, the area of rhas to be randomly increased to σ.
Figure 2: A constellation where criterion 3 minimizes the GCA for k= 3.
We have developed a greedy-based GCA computation (GGC) with a time com-
plexity of O(nlog n), where nis the total LCAs available to a user; if the LCAs are
sorted with respect to xmin,xmax ,ymin, and ymax , the time complexity is linear. The
GGC algorithm provides near-optimal results to compute the minimum bounding box.
The algorithm removes at each iteration one rectangle of the nrectangles excluding
the query initiator’s rectangle rjin a greedy manner. Each removal of a rectangle min-
imizes the size of the GCA. The algorithm continues until the number of remaining
LCAs is equal to k. The greedy elimination process weights three different geometric
criteria to minimize the resulting GCA area. In preliminary experiments we found that
none of the criteria alone provides better results for computing a minimum GCA.
Assume that a set Rof nLCAs is known by the query initiator j. The first criterion
eliminates the rectangle whose edge has the greatest distance to the closest edge of the
query initiator’s rectangle rj. More precisely, the metric m1(xmin)for the first criterion
is defined as max1ini6=j(xminjxmini).m1(xmax),m1(ymin ), and m1(ymax)are
defined correspondingly and the rectangle which maximizes any of those 4 values is
eliminated. The metric for the second criterion m2evaluates pairs of rectangles, those
which have the first and second minimum for xmin and ymin, respectively, and the first
and second maximum for xmax and ymax, respectively. We compute the distance for
each pair and eliminate the most outward rectangle that maximizes the distance. The
metric for the third criterion m3is similar to the second one but identifies the maximum
area to be discarded from the current GCA. The idea of the second and third criterion
is to minimize the “overhang” of the outward rectangles.
Algorithm 2: FindGCA
Input : A set Rof LCAs, given by (xmini,xmaxi,ymini,ymaxi), an anonymity level k,
the query initiator j, and weights w1, w2, w3
Output: A rectangle that covers kLCAs including the LCA of the user j
Sort the lists xmini,yminiin increasing order, the lists xmaxi,ymaxiin decreasing order;2.1
while |R|> k do2.2
Calculate m(xmin),m(xmax ),m(ymin), and m(ymax );2.3
Find the maximum from m(xmin),m(xmax ),m(ymin), and m(ymax );2.4
Delete the LCA from Rwhich has the maximum value;2.5
return A minimum rectangle covering the LCAs in Rthat are not eliminated;2.6
Figure 2 shows a case where criterion 3 minimizes the area for k= 3. The dotted
line shows the LCA for the query initiator j. The elimination of two further LCAs using
criterion 1 or 2 lead to a GCA with a size of 40 unit squares, whereas criterion 3 leads
to 36 unit squares. In general, a combination of all 3 criteria leads to the best greedy
choice. Thus, we use all three criteria and assign a weight wr,r∈ {1,2,3}to each
criterion, such that P1r3wr= 1. The combined metric is defined as m(xmin) =
w1·m1(xmin) + w2·m2(xmin ) + w3·m3(xmin). The metrics m(xmax ),m(ymin), and
m(ymax)are defined correspondingly. The GCA is computed in Algorithm 2.
In Algorithm 3 we generate 30 weight combinations for the three criteria and find
the best weight distribution for the minimum GCA. A higher number of combinations
may produce more accurate results at the expense of a greater computation time.
Algorithm 3: Greedy-based GCA Computation
Input : A set Rof LCAs, given by (xmini,xmaxi,ymini,ymaxi), an anonymity level k
Output: A rectangle tr that covers kLCAs including the LCA of the query initiator j
tr ← ∞;3.1
for i0.1to 1step 0.1do3.2
w1i;w2(1 i)/2;w3(1 i)/2;3.3
rFindGCA(R, k, j, w1, w2, w3);3.4
if (Area(r)<Area(tr)) then tr r;3.5
for i0.1to 1step 0.1do3.6
w2i;w1(1 i)/2;w3(1 i)/2;3.7
rFindGCA(R, k, j, w1, w2, w3);3.8
if (Area(r)<Area(tr)) then tr r;3.9
for i0.1to 1step 0.1do3.10
w3i;w1(1 i)/2;w2(1 i)/2;3.11
rFindGCA(R, k, j, w1, w2, w3);3.12
if (Area(r)<Area(tr)) then tr r;3.13
return tr;3.14
3.4. Experimental Evaluation
We evaluate the BGC and the GGC in terms of accuracy and time. For the com-
putation of the GCA we consider that the user computes her GCA as a k-subset out
of 25 LCAs. Higher values of nare difficult to investigate in experiments due to the
exponential computation cost of the BGC. We compare the accuracy of the GGC with
respect to the average deviation from the optimal solution given by the BGC. We run
all experiments shown in this article on a desktop with a Pentium 2.40 GHz CPU and
2 GByte RAM. We generate the GCA from the available nLCAs (given by nusers),
varying kfrom 1 to n, using both algorithms. Then we calculate the deviation of the
GGC-generated GCA against the BGC-generated GCA. We perform 100 runs for these
experiments and measure the average deviation from 100 ×nsamples for each k. Fig-
ure 3 shows that the average error of the GGC increases from 0% to 5% until k= 10,
then again decreases for increasing values of k(Figure 3(left)). We also compute the
histograms and find that the GGC computes the optimal minimum bounding box for
67% of the cases and achieves at most 10% error for 91% of the cases (Figure 3(right)).
Average Deviation in %
Number of Samples in %
Average Deviation in %
Figure 3: Accuracy level (left) and Histogram (right).
Figure 4 shows the average response times for computing the GCA 25 LCAs using
both approaches. Figure 4 shows that GGC is scalable for any value of kout of nas
the response time of the GGC is slightly affected by the anonymity level kfor a given
initial set of LCAs available to the user. On the other hand, we observe in Figure 4 that
the response time for the BGC, can increase significantly (at least 10 times but often
1000 times faster) for middle range of kout of n, as it performs an exhaustive search. It
is expected that the improvement of GGC over BGC with respect to the response time
also increases for larger n. In summary, GGC allows a the user to balance the need for
an optimal GCA against the available time.
Average Response Time in
Degree of Anonymity
Figure 4: Average response time for k-subsets of 25 LCAs.
4. Accessing a Location Service
After masking the location, the next step for a user is to contact an LSP to access an
LBS. To ensure an anonymous service, in a decentralized model the user (the query ini-
tiator) requires a random selection algorithm (RSA) to randomly select any other peer
(the query requestor) that forwards the service request to the LSP without disclosing
the identity of the query initiator. In our previous work [8], we developed a near uni-
form RSA that enables the query initiator to select the query requestor, even from those
that are not in the communication range of the query initiator. Our proposed technique
showed significant improvement in the uniformity among the selection probability of
the participating peers in comparison with a na¨
ıve RSA for the uniform distribution
of users. In this article, we develop a generalized near-uniform RSA that removes the
restriction of the uniform distribution of users. Like the near uniform RSA, the gener-
alized near uniform RSA is also a lightweight algorithm that can work with localized
information, that is, a user only knows the encrypted IP of her neighbors in the com-
munication range. Experimental evaluations show that the selection probability of the
participating peers for generalized near uniform RSA are close to uniform and it out-
performs the na¨
ıve RSA by an order of magnitude for any distribution of users.
4.1. Random Selection of a Query Requestor
A mobile user that requires a location service from an LSP randomly selects her-
self or one of her neighbors as a query requestor. As the user does not know the IP
addresses of her neighbors, a simple broadcast is sent with a hop count of 1requesting
the pseudonyms of her immediate neighbors. A pseudonym is simply an encrypted IP
that is only known to the peer replying to the broadcast of the query initiator. The query
initiator then randomly selects a pseudonym, i.e., determines the query requestor that
should act on her behalf. If the total number of neighbors for the query initiator is N,
then the probability for selecting a mobile user is 1/(N+ 1), which is uniform.
If the query initiator wants to increase the privacy level, the query requestor needs
to be selected from a larger set of peers including those that are not the immediate
neighbors of the query initiator. Since the IP addresses of the other peers are not known
to the query initiator, our na¨
ıve RSA is a recursive approach to selecting a query re-
questor with a hop count greater than 1: the query initiator randomly selects herself or
one of her neighbors with equal probability, and the selected user again locally selects
herself or one of her neighbors with equal probability. The recursive local selection
process continues until the maximum hop count (specified by the query initiator) is
reached and the user selected in the final step becomes the query requestor. However,
this selection strategy leads to a non-uniform global selection probability, which may
be discovered by the LSP so that the query initiator could be possibly identified.
Let dh(A0, A00)be the hop distance between two users A0and A00 , and N(A0)be
the number of peers that are in the communication range of A0, i.e., dh(A0, A00)=1.
If A0is A00 then dh(A0, A00)=0. Let Abe the query initiator. In the na¨
ıve RSA,
the selection probability pt(A0)of a peer A0after step tfor t1can be recursively
computed in the following ways.
p1(A0) = 1
(N(A)+1) if A0:dh(A, A0)1
pt(A0) = X
A00:dh(A0,A00 )1
Peers that are further away from the query initiator are less likely to be selected if in
each step a user is always selected with the same probability as in the na¨
ıve RSA. To
achieve a near-uniform selection process, we have to select peers with different proba-
bilities. Again, the selection probability of peers with the same hop distance from the
query initiator computed with a na¨
ıve RSA are different even for a uniform distribution
of users because they can be selected by different number of neighbors in the same re-
cursive step. Therefore, it is not possible to differentiate the selection probability based
on the hop distance only. Hence, we need the concept of a status of a user, characterized
by the number of neighbors with a shorter or equal hop distance to the query initiator.
The near uniform RSA recursively selects a peer with different selection probabilities
assigned to the participating peers based on the different criteria defined by the hop
distance combined with the status and computes a close approximation of the uniform
selection probability in the global selection process.
If users are not uniformly distributed, the uniformity of the selection probability
of peers are largely affected with different number of neighbors in addition to the hop
distance from the query initiator. In the next section, we present a technique that -
instead of using the status (based on the fixed number of neighbors) - computes the
selection probabilities for participating peers in the local selection process and will
lead to a global selection probability that is close to uniform.
4.2. Generalized Near Uniform Random Selection Algorithm
We develop a recursive random selection algorithm for any distributions of users
that selects a peer at every recursion step, where the participating peers have different
selection probabilities. Different selection probabilities in the local selection process
minimize the difference among the selection probabilities for all participating peers
in the global selection process. Our random selection scheme completes the selection
of the query requestor in two stages. In the first stage, the algorithm determines the
frequencies of getting selected after each recursive step for every peer involved in the
global selection process. In the second stage, the algorithm selects the query requestor
based on those frequencies computed in stage one.
Algorithm 4: Compute Frequency
for receiving each MF< mIDF, cF, hF>do4.1
if MFwith pair < mIDF, hF>is received for the first time then fhF
else fhF
if hF>0then4.5
Broadcast MF< mIDF, cF, hF>to one hop neighbors;4.7
Let ft
i(A)be the frequency of a peer Aat step tof the recursive process and i
represent a unique ID for the selection of a query requestor. The procedure to compute
the frequencies starts with broadcasting a message, MFby the query initiator. MFis
composed of three fields: a unique message ID (mIDF), a count (cF)initialized to 1,
and a hop count (hF)initialized as the maximum hop count. All peers (including the
sender) receiving the message compute ft
ias cF, where t=hFand i=mIDFand
rebroadcast the received message with hFdecremented by 1. We assume that a peer
also receives the message that is broadcasted by herself. If a peer Areceives messages
with the same mIDFand hFmore than once, ft
i(A)is computed as the summation
of cFs from all of these received messages. In this case, before rebroadcasting the
message, the peer Aalso computes the value for cFwith the current ft
i(A)in addition
to decrementing hFby 1. This process continues until hFis 0. Algorithm 4 shows that
how a user participates in computing frequencies for herself and other peers. Based
on these computed frequencies the procedure randomly selects the query requestor to
access the LBS on behalf of the query initiator. Figure 5 shows the frequencies of peers
for steps 1, 2, and 3 for a specific distribution of users, where the query initiator is at
the center of the grid; an empty cell indicates that a user does not exist.
0 0 0 0
0 0 0 0
0 1 1 0 0
0 1 1 0
0 0 0 0 0
0 0 0 0
0 0 0 0
0 1 1 1
3 2 0
3 4 6 2 0
2 3 2 1
3 1 1 1 1
0 0 0 0
1 1 2 1
1 4 4 4
17 12 3
15 21 20 7 3
14 20 13 7
3 7 7 5 5
1 2 2 2
Figure 5: Frequencies of users at step 1 (left), step 2 (middle), and step 3 (right) for a given distribution.
In the second stage, the query initiator initiates the selection process by randomly
selecting a peer from her one hop neighbors including herself and sends a message
containing the encrypted service request to them. To select a peer, the query initiator
broadcasts a message MQto her one hop neighbors querying for their pseudonyms
(e.g., an encrypted IP) and frequencies. Disclosing frequencies to others does not pro-
vide any information that can affect the anonymity of a peer, because peers can have
different numbers of neighbors and no one knows the network structure of the par-
ticipating users. MQis composed of two fields: a message ID (mIDQ)initialized as
mIDFand a hop count (hQ)initialized as the maximum hop count. After receiving
mIDQs and pseudonyms from the responding peers, the query initiator computes the
local selection probability pLfor all peers including herself.
Let Arepresent a selector and A0a peer, where dh(A, A0)1. The maxi-
mum frequency of peers who participate in the A’s selection process is denoted by
MAX(A) = maxA0:dh(A,A0)1ft
i(A0). The local selection probabilities of peers are
computed based on their frequencies; to achieve uniformity in the global selection
probabilities, the peer with a lower frequency should have a higher local selection
probability. Hence MAX(A)
i(A0)represents the weight (or proportion) for local selection
probabilities with which a peer needs to be selected. If the total weight is computed
as SU M(A) = PA0:dh(A,A0)1
i(A0), then the selector Acomputes the local selec-
tion probability of a peer A0as follows:
pL(A0) = 1
The query initiator then selects a peer from the participating users with different
selection probabilities. Afterwards the query initiator sends a message MRinclud-
ing (mIDR)initialized as mIDQ, the encrypted service request and her own public
key using the public key of the LSP as ER, the maximum hop distance hRand the
pseudonym P N of the selected peer in the format <mI DR,ER,hR,P N >. If hRis
greater than 0, then the selected peer decrements hRby one in MR, repeats the selec-
tion process including MQ, and forwards MRto the new selected peer. The process
continues until hRis 0 and a peer discovers herself as the query requestor. Algorithm 5
summarizes the steps for the generalized RSA. Figure 6 shows the selection probabil-
Algorithm 5: Generalized RSA
Each user involved in the selection process computes their frequencies;5.1
Initially Ais the query initiator, hqis the maximum hop count required by the query5.2
initiator, and mIDQis the unique ID for the selection of the query requestor;
while hQ>0do5.3
Abroadcasts MQ< mIDQ, hq>to A0such that dh(A, A0)1;5.4
Each A0replies back fhQ
mIDQto A;
Acomputes pL(A0)s and based on pL(A0)s, Aselects a peer from A0s;5.6
Asends MR<mIDR,E R,hR,P N > to the selected peer;5.7
The peer receiving MRbecomes the current A, and hqand mIDQare updated to5.8
hR1and mIDR, respectively;
ities for the na¨
ıve RSA and the generalized RSA using the same distribution of users.
With this distribution, the ratio of the maximum and minimum selection probability for
the na¨
ıve RSA is 25.50, which is 9.73 times higher than that of the generalized near
uniform RSA.
After the selection of the query requestor, the query requestor communicates with
the LSP on behalf of the query initiator. It sends the message ER to the LSP. The LSP
decrypts the message with its private key and encrypts the requested information using
the public key of the query initiator. Then, the LSP broadcasts the encrypted answer in
the GCA of the query initiator. Although all users in the GCA can receive the message,
only the query initiator can decrypt it. We assume that the query initiator remains in the
GCA as its service request is based on its current location. This ensures it can receive
the requested service.
0.833 0.667 1.222 0.556
0.833 2.611 2.444 2.444
9.085 6.36 1.574
7.225 10.12 9.835 3.63 1.481
6.32 9.217 6.164 3.267
1.134 2.744 2.744 2.249 2.249
0.397 0.873 0.86 0.86
3.465 2.526 2.352 2.178
3.465 5.216 3.312 3.312
4.933 2.913 2.114
5.541 4.793 4.231 3.391 2.604
5.251 4.553 2.854 2.793
3.493 4.008 4.008 3.078 3.078
2.672 3.507 2.178 2.178
Figure 6: Selection probabilities of the na¨
ıve RSA (left) and the generalized near uniform RSA (right).
It is important to note that sharing the frequency computation process among peers
who are involved in a query initiator’s random selection process does not disclose any
information about peers’ identities and locations to others. We know that the frequency
of a peer with respect to a query initiator depends on her distance from the query ini-
tiator and the locations of other peers who participate in the query initiator’s random
selection process. Sometimes there can be more than one query initiator in the system
at the same time. However, the frequencies of a peer with respect to query initiators are
different since different query initiators can have different set of peers involved in their
random selection process. Thus sharing the frequency computation process among the
peers for different query initiators would require revealing additional information of
query initiators (e.g., the distance among the query initiators) to others, which could
violate a user’s privacy. Therefore, we have not considered the option of sharing fre-
quency computations among the peers for different query initiators in our approach.
4.3. Experimental Evaluation
We evaluate the performance of the selection algorithms in terms of uniformity of
the selection probabilities of participating peers while selecting a query requestor. The
higher the uniformity, the more difficult it is for the LSP to identify a query initiator. We
measure the deviation from uniformity as the ratio of the maximum and the minimum
selection probability of the participating peers in the process of selecting a query re-
questor. We analyze the deviation from uniformity of the selection probabilities against
different distribution of users and the privacy level of the query initiator. In our exper-
imental setup, we assume that users are connected in a wireless personal area network
and hence each user can have at most 8 neighbors. When all users have 8 neighbors, we
represent it as 100% density level and the total users involved in the selection process is
Nt= 1 + 8 ×hmax ×(hmax + 1)/2, where hmax is the maximum hop count. For an l%
density level, we randomly remove Nt(100l)/100 users in such a way that none of
the remaining users becomes disconnected from the network. We vary lfrom 100 to 50
in steps of 10 and limit it to 50% density level to avoid disconnected networks. Again,
as the number of users involved in the selection process increases with the increase
of hmax and the number of users represents the anonymity level of the query initiator,
we consider the privacy level as the maximum hop count and vary it from 1 to 10 for
each l. We perform 1000 runs to compute the average deviation from uniformity for
every different pair of land hmax with both na¨
ıve RSA and generalized near uniform
RSA. Removing users randomly in each run for a fixed land hmax results in different
distributions of users in the network. Since the near uniform RSA can only work with
a uniform distribution, we run the experiments for RSA with a 100% density level.
Average Deviation from Uniformity
Maximum Hop Count
Figure 7: Impact of the hop count for na¨
ıve RSA.
Average Deviation from Uniformity
Maximum Hop Count
Figure 8: Impact of the hop count for generalized near uniform RSA.
Figure 7 and Figure 8 show that the deviation from uniformity for na¨
ıve RSA in-
creases significantly faster than that of generalized near uniform RSA with the increase
of hmax for a fixed l. The numbers 100%, 90%, 80%, 70%, 60%, and 50% represent
values for l. For the na¨
ıve approach although the deviation from uniformity decreases
with the decrease of l, still its performance is significantly worse than the generalized
approach (see Figure 7). However, the user using the na¨
ıve scheme in a less dense area
can expect higher uniformity. On the other hand, for our generalized approach the devi-
ation from uniformity first increases for lfrom 100% to 60% density level, then starts
to decrease for lfrom 50% density level. We also extend our experiments for hmax
equals 2 and 3, for lequals 40% and 30%, and determine that the decreasing trend
for the deviation continues. We cannot investigate for the higher values of hmax, as
the network becomes disconnected. We expect that our new proposed scheme to find-
ing an approximation of uniformness should outperform the na¨
ıve approach for any
distribution of users. Experimental results also show that for any distribution of users,
the deviation from uniformity (average of values for lfrom 100% to 50%) increases
from 1.9 to 156.3 for the generalized one and from 8.5 to 34,537,298 for the na¨
ıve one,
where hmax varies from 2 to 10.
Average Deviation from
Maximum Hop Count
Naïve RSA
Near Uniform RSA
Generalized Near Uniform RSA
Figure 9: Impact of the hop count for uniform distribution.
Figure 9 compares the average deviation from uniformity for all selection schemes
where the distribution of users is uniform. The performance of both the generalized
near uniform RSA and the near uniform RSA is significantly better than that of the
ıve RSA and the improvement increases for higher privacy levels. For example, the
improvements of the near uniform RSA and the generalized near uniform RSA is a
factor of 1013 and 1314 compared to the na¨
ıve RSA, respectively, for hmax = 5. The
improvements increase to 94826 and 541353 times for hmax = 8. Again, the average
deviations from uniformity for the near uniform RSA and the generalized near uniform
RSA are {1,1,1.35,1.6}and {1,1.41,1.68,1.82}, respectively, where hmax ranges
from 1 to 4. From hmax = 5 onwards, the generalized near uniform RSA outperforms
the near uniform RSA. For a user who is happy with a lower maximum hop count
(up to hmax = 4), the near uniform RSA might be preferable as long as the users are
uniformly distributed. Otherwise, the generalized near uniform RSA is beneficial.
4.4. The Effect of Mobility
In this section, we discuss the effect of user mobility on our generalized near uni-
form RSA. It is important to note that in practice, many static users with their mobile
devices participate to form a wireless personal area network (WPAN); for example,
users while working with their PDAs at home, office or any other fixed place do not
change their locations for a certain period. On the other hand, there will be also mobile
participants in a WPAN, e.g., a walking user who carries a smartphone participates in
a WPAN. In a highly mobile environment it would be increasingly difficult for the LSP
to determine the users involved in the random selection process and identify the query
initiator. Thus, to ensure a query initiator’s privacy, the generalized near uniform RSA
is less necessary in a more mobile environment.
In the random selection process, the moving peers whose hop distance from the
query initiator become less or equal to the specified maximum hop count after the
frequency computation phase, do not need to participate in the selection phase of the
query requestor. The query initiator does not consider these new peers for her privacy
requirement at the start of the random selection process and excluding the new peers in
the selection phase does not reduce the query initiator’s anonymity level.
In our proposed generalized near uniform RSA, peers who move after the frequency
computation phase or become disconnected do not participate in the selection phase.
Churn or mobility of peers can cause two privacy risks for the query initiator: (i) it
reduces the query initiator’s anonymity level, (ii) it decreases the uniformity in the
selection probabilities. A solution to the first concern is to set the maximum hop count
higher than required so that a larger number of users are involved in the frequency
computation phase. Even if some users move, the rest of the peers are likely to serve
the required anonymity level. In the future, we aim to compute a bound of the maximum
hop count that ensures the existence of at least required number of peers in the query
initiator’s random selection phase considering the degree of user churn or mobility. For
the second concern, our experiments show that the impact of low degree of user churn
or mobility on the uniformity of selection probabilities is negligible.
Average Deviation from
Maximum Hop Count
Naïve RSA
Generalized Near Uniform RSA
with no User Churn or Mobility
Generalized Near Uniform RSA
with 5% User Churn or Mobility
Figure 10: The effect of maximum hop count for 75% density level.
Average Deviation from
Density Level
Naïve RSA
Generalized Near Uniform RSA
with no User Churn or Mobility
Generalized Near Uniform RSA
with 5% User Churn or Mobility
Figure 11: The effect of density level for the maximum hop count 5.
Average Deviation from
User Churn or Mobility
Figure 12: The effect of user churn or mobility on generalized near uniform RSA for the maximum hop count
5 and 75% density level.
To simulate a user churn of x%or x%mobile users, in our experiments we ran-
domly remove x%users who participate in the frequency computation phase so that
those peers cannot participate in the random selection phase. To compute the average
result, we repeat each experiment 1000 times and for each run, the random removal of
x%users results in different distributions. Figures 10 and 11 show the effect of maxi-
mum hop count and density level (i.e., the level of non uniform distribution of users),
respectively, on the average deviation from uniformity for na¨
ıve RSA and generalized
near uniform RSA. In these experiments, for generalized near uniform RSA we con-
sider both no user churn or mobility and 5% user churn or mobility. We observe in
Figures 10 and 11 that although the average deviation from uniformity for generalized
near uniform RSA slightly increases due to user churn or mobility, its performance is
still at least an order of magnitude better than that of na¨
ıve RSA. Note that not only the
number of disconnected or moving peers decreases the uniformity of selection proba-
bilities among the peers, but also the location of disconnected or moving peers has an
impact on the selection probabilities of other peers. Figure 12 also shows that the uni-
formity does not always decrease with the increase of user mobility or churn for a fixed
maximum hop count and density level. We have included no user churn or mobility at
From the above experiments we also observe that for static users or low degree of
user mobility, it is sufficient to run the frequency computation phase once and then use
those frequencies for a number of times when a query requestor needs to be selected
with a near uniform probability. However, in a highly mobile environment a query
initiator needs to run the frequency computation phase each time before selecting a
query requestor to ensure uniformness in the selection probabilities.
4.5. Discussion
Our approach is based on the idea that peers cooperate with each other in a friendly
manner to protect their privacy. Similar to existing peer to peer systems [13, 14, 15], the
participation of all peers is essential to make our approach effective. However, due to
the limited battery capacity of mobile devices, some users may not wish to participate
for others in the random selection algorithm but may take help from others when they
need to send a request anonymously to the LSP. This motivates the following research
question: what is an incentive for peers to participate in the wireless ad-hoc network if
they do not need a service? Existing research [28, 29, 30] designs incentives for peers
to participate in the wireless ad-hoc network. The underlying idea is that a peer earns
credits when they assist others in the network and pay credits when they take assis-
tance from others. The use of digital cash [31] could be integrated in these approaches
to enable a user to pay anonymously for a service. However, privacy-aware incentive
designs are orthogonal to our current research problem and a detailed discussion goes
beyond the scope of this article.
Our approach is tailored for users who live in urban environments, which make
it highly likely to find at least a single other device in communication range (or sev-
eral other devices if we use a multi-hop routing protocol). Both GCA generation and
generalized near uniform random selection algorithms are applicable even if there is a
single nearby device through whom the range of WPAN can be extended to a multihop
distance similar to the case of Bluetooth scatternets [32]. If there are no other devices
in communication range then our approach cannot be used to protect a user’s privacy.
5. Evaluation of Proximity Queries
In this section, we show how a user can balance the desired level of privacy against a
high quality of service (QOS). We consider proximity queries as this type of queries are
commonly requested by users. Proximity queries select the m-nearest relevant points
of interests (POIs) from a user’s location, for example the five nearest pharmacies. In
our approach mobile users requesting LBSs neither disclose their exact locations nor
their identities to an LSP. The LSP, however, knows the precise locations of POIs.
5.1. Estimating the m-Nearest POIs Using Hausdorff Distances
As the user’s location is not known precisely to the LSP, an LSP could simply pro-
vide all answers to the user with respect to every point of the user’s rectangle. This
option, however, is not economically viable (data is valuable to the LSP) nor is it prac-
tical due to the high communication load, because every user could simply specify in
this model a large GCA to achieve a very high level of location privacy. Thus, we as-
sume that the LSP returns a small subset of mPOIs that is nearest to the GCA of the
query initiator, since it does not know the user’s precise location.
In our model the LSP measures proximity using Hausdorff distances. Two point
sets have the Hausdorff distance diff dis the smallest distance such that for every
point in one set there is a point in the other set within distance d. In our case, the LSP
measures the Hausdorff distance between the rectangle representing the GCA and the
exact location (x, y)of the POI. Since the GCA is a rectangle, the Hausdorff distance
is the maximum Euclidean distance from (x, y)to its 4 corner points.
We could simply use the Euclidean distance instead of the Hausdorff distance in our
approach. However, in this case we would lose an important aspects of the Hausdorff
distance: it is even applicable, if the locations of the POIs have to be kept private as
well, i.e., if their location is given by a rectangle (or more generally a set) instead of
a coordinate. Although we assume that POIs are public places, our approach is also
applicable to POIs requiring location privacy.
5.2. Experimental Setup
In our experiments, the level of privacy is determined by the size of the user’s obfus-
cated area, i.e., the GCA. We call the total search area, in which the user is interested
in POIs, the TSA. A user might be interested in French restaurants in walking distance,
for example in a square of 1 km2. To ensure that our comparison is independent from
the absolute size of the search space, a pedestrian might have different requirements
than the driver of a car, we measure the GCA relative to the TSA. The obfuscation
level is defined as the size of the GCA divided by the size of the TSA. If the GCA is
equal to the TSA, the obfuscation level is 100%. Although an obfuscation level of 1%
appears to ask for a low level of privacy, the user is actually requesting a high level of
privacy, as the user’s imprecise location (the GCA) could be a 100 m ×100 m square
in a TSA of 1 km2.
A user with an 100% obfuscation level cannot expect a high accuracy. A small
decrease by 5% or 10% does not affect the QOS significantly. Hence, we decrease the
area of the GCA recursively, halving it in each step, to investigate the impact of its size
on the QOS (i.e., the accuracy). Our experiments evaluate the QOS against the level of
privacy for finding the nearest POI and to determine that how much a user needs to pay
in order to balance the QOS with the desired privacy level. In our current experiments,
we measure the QOS in terms of average relative error and average error in percent.
The relative error is the ratio of the minimum of Euclidean distances of the query
initiator from the m-nearest POIs returned by the LSP and the Euclidean distance of
the query initiator from the actual nearest POI. We also compute the error in percent
from 100 samples: an error occurs in a sample if the m-nearest POIs returned by the
LSP does not contain the actual nearest POI.
The level of payment is determined by the value of m: the user is charged for the
number of nearest POIs requested, even if the user searches only for the nearest POI.
For our experiments we vary mfrom 1 to 5 as m= 5 provides already a high degree
of accuracy. We also vary the total number of POIs from 10 to 100 in steps of 10 for
each obfuscation level. We compute 100 randomly distributed GCA samples for each
obfuscation level. The POIs are randomly distributed in the TSA. We perform 10 runs
for each set of parameters.
We do not consider the anonymity level, i.e., value of k, as a privacy metric in our
experiments because the anonymity level has no impact on the QOS as shown in our
earlier work [8]. GCAs with the same obfuscation level may include different number
of users’ locations for random distribution of users and the computation of m-nearest
POIs by the LSP is independent of the number of users involved in the GCA.
In [8] we have used different measure for QOS, which is the ratio of the Euclidean
distance of the query initiator from the m-closest POIs returned by the LSP and the
Euclidean distance of the query initiator from the actual m-closest POIs. The experi-
ments in [8] show that the QOS increases with a decreasing obfuscation level and with
increasing values of mfor a fixed number of total POIs. We also observe that the QOS
decreases with an increasing number of total POIs. Since the QOS is higher for greater
values of m, we expect that for increasing values of mthe probability to contain the
actual nearest POI among the mPOIs returned by the LSP is higher. Hence, a greater
value of mprovides a user with the option to receive a higher QOS. For example, a
user that agrees to pay a higher price for a 3-nearest POIs, could select the nearest
POI from the returned answer set of 3 POIs by the LSP, using a GPS-enabled mobile
device. In return for a higher price, a user can maintain both, a higher level of privacy
and accuracy. Based on this observation, in our current experiments we modify the
measurement of QOS from our earlier work [8].
5.3. Effect of a Higher Price
A user who wants to sacrifice neither the level of privacy nor the QOS, has the
option to pay more (m-times) for querying the m-nearest POIs. We observe that the
relative error decreases with the decrease of the obfuscation level and also with the
increase of m(Figure 13 and Figure 14). The numbers from 1 to 5 represent the values
for m. The experimental results show that our algorithm based on Hausdorff distances
to compute the nearest POIs shows very good performance to balance a high level of
privacy with low relative error. A user, paying 3 times more than required, can main-
tain a high level of obfuscation (3.13%) with a very small average relative error 1.01
(Figure 13). For a relative error of 1.01, a user needs to travel only 1 meter further, if
the distance of the actual nearest POI from the user’s location is 100 meters. Figure 14
shows that our algorithm can compute the exact answer with high probabilities even
for higher privacy levels. For example, an LSP returns an exact answer more than 95%
times for a user requesting with 3.13% and 12.5% obfuscation levels for mequals 3
and 5, respectively. We have also run the experiment for different total POIs and have
found the similar performance (not shown).
Relative Error
Obfuscation Level
Figure 13: Impact of Obfuscation level on QOS shown as Relative Error for 10 POIs.
Error in Percent
Obfuscation Level
Figure 14: Impact of Obfuscation level on QOS shown as Error in Percent for 10 POIs.
5.4. Effect of Total POIs
We evaluate the impact of the number of total POIs on the QOS that a user receives
from the LSP. Our expectation is that the user needs to pay more to find the nearest POI
from a larger set of POIs for a fixed obfuscation level. In Figure 15 and Figure 16, we
also observe that for obfuscation level 0.78%, a realistic value, the QOS degrades with
the increase of total POIs and the QOS improves with the increase of m. The numbers
from 1 to 5 represent again the values for m. We have found a similar performance for
other obfuscation levels (not shown).
In a real-world scenario, the number of total POIs is generally higher in public
places, where we typically find a higher density of users. For example, the number of
restaurants is usually much higher in the city center compared to the suburbs. Generally,
the number of POIs increases with an increasing number of users. A user within a
sparse area has a larger GCA than a user in a densely populated area for the same
anonymity level. If a user determines the size of the GCA based on the anonymity
level, then the effect of total POIs on the QOS is not significant and the user does not
need to be concerned about the number of total POIs to search from. The user can also
Relative Error
Number of Total POIs
Figure 15: Impact of Total POIs on QOS shown as Relative Error for 0.78% Obfuscation Level.
Error in Percent
Number of Total POIs
Figure 16: Impact of Total POIs on QOS shown as Error in Percent for 0.78% Obfuscation Level.
reduce the number of total POIs to search by sending more selective query to the LSP.
For example, asking for an Italian restaurant instead of a restaurant in general.
These results can also be applied in situations with a highly skewed density of POIs,
where POIs are clustered in certain regions.
5.5. Privacy vs. Price for an Accurate QOS
We also analyze how much a user needs to pay to receive the exact answer from
the LSP for different number of total POIs. Figure 17 (left) shows the level of payment
to maintain different levels of obfuscation for 10, 50, and 100 POIs. Figure 17 (right)
shows the obfuscation level that can be achieved if a user pays 5 and 10 times more
for different numbers of POIs. We show the values for each payment level, where m
ranges from 3 to 10 in Figure 17 (left). For mequal to 1 and 2, the obfuscation level is
very low for a larger set of total POIs. We observe that the obfuscation level increases
faster for smaller numbers of total POIs with the increase of m(Figure 17 (left)). If
a user increases mfrom 3 to 5, she can have an 8, 4, and 4 times larger GCA for 10,
50, and 100 POIs, respectively, and increasing mfrom 5 to 10 will enlarge the GCA
by 64, 8, and 4 times for 10, 50, and 100 POIs, respectively. In addition, we see from
Figure 17 (right) that the decrease of the obfuscation level slows down with the increase
of total POIs for mequals 5 and 10. Hence, the impact of total POIs on the privacy level
is more significant when the number of total POIs increases in the lower range (e.g.,
increasing from 10 to 50 instead of from 50 to 100). A user can enjoy an exact answer
from the LSP maintaining 0.1% obfuscation level (e.g., 312.5m ×312.5m from 10km
×10km total search area) for 100 POIs by paying only 5 times more. However, with
the same level of payment, the user can maintain obfuscation level greater than 0.1%
for a smaller number of total POIs.
Relative Size of the
Obfuscated Area
Level of Payment
10 POIs
50 POIs
100 POIs
Relative Size of the
Obfuscated Area
Number of POIs
Figure 17: Effect of Total POIs.
5.6. Discussion
In summary, we propose a model that balances the requirements for both the LSP
and the mobile users. The LSP does not need to sacrifice its valuable data and can also
reduce traffic overhead. At the same time a user can select among three alternatives:
(1) requesting larger values of mby paying more for a higher QOS and selecting the
nearest POI from the result set, (2) reducing the size of the GCA and/or limiting the
total POIs to search from and thereby sacrificing the privacy in return for a higher QOS,
or (3) sacrificing the QOS for a higher level of privacy.
6. Conclusions and Future Work
We have developed a decentralized approach to protect user privacy during the
access of LBSs using wireless ad-hoc networks. Users do not need to trust any in-
volved party, including their peers, the LSP or the infrastructure provider. We exploit
the wireless advantage that all users in communication range can overhear a message
to anonymize the communication among users. Our approach provides a remarkably
high quality of service in tandem with a high level of privacy for an individual who
anonymously accesses an LBS while providing only an imprecise location.
We have combined both anonymity and obfuscation to compute an imprecise loca-
tion before sending a query to the LSP. We have proposed a greedy algorithm for com-
puting the GCA. The experimental results show that our heuristic approach achieves
good accuracy and provides on an average in 77% of all cases the optimal result. Fur-
thermore, our approach is orders of magnitude faster than the brute force approach.
We have developed a generalized near uniform random selection algorithm that
selects a query requestor from neighbors in larger ad-hoc networks where distance of
the query initiator and query requestor can span several hops. Our algorithm makes no
assumption on the spatial distribution of users, such as a grid-like structure, and can
be used with any decentralized algorithm to safeguard privacy. The experiments show
that the performance of our proposed random selection algorithm is near-optimal, in
contrast to a na¨
ıve technique. Since the information for the requested service to the
LSP is encrypted, no other user is able to discover the service request.
Our proposed algorithm for computing the nearest POIs provides users with an
option to balance their desired levels of privacy and QOS. A user can learn the actual
nearest POI for her desired level of privacy in return for a higher price. The experiments
demonstrate that a user can maintain both a high level of privacy and QOS by paying
more. Our model to determine the nearest POIs is also beneficial in two other ways: (i)
the LSP does not need to reveal its valuable data without an incentive and (ii) replying
with an approximate answer instead of a result set reduces communication overheads.
We plan to extend our technique based on Hausdorff distances for queries where
both of the locations of the query initiator and POIs are not revealed to the LSP. For ex-
ample, if two people are searching for each other, both of them will be concerned about
their privacy. Although our algorithm can deal with several requests from the same (or
different) user(s), it is not optimized for continuous queries. Our future research will
develop a privacy aware decentralized model for continuous location-based queries.
When a user requests LBSs continuously then an LSP is able to learn a user’s location
more precisely by observing the spatial correlations among consecutive cloaked areas.
We will determine possible ways to restrain these privacy threats.
[1] R. R. Muntz, T. Barclay, J. Dozier, C. Faloutsos, A. MacEachren, J. L. Martin, C. Pancake,
M. Satyanarayanan, IT Roadmap to a Geospatial Future, The National Academies Press,
Washington, DC, 2003.
[2] M. Gruteser, D. Grunwald, Anonymous usage of location-based services through spatial
and temporal cloaking, in: MobiSys ’03: Proc. of the 1st Int. Conf. on Mobile Systems,
Applications and Services, 2003, pp. 31–42.
[3] M. F. Mokbel, C.-Y. Chow, W. G. Aref, The new casper: query processing for location
services without compromising privacy, in: VLDB ’06: Proc. of the 32nd Int. Conf. on
Very Large Data Bases, 2006, pp. 763–774.
[4] B. Gedik, L. Liu, Protecting location privacy with personalized k-anonymity: Architecture
and algorithms, IEEE Transactions on Mobile Computing 7 (1) (2008) 1–18.
[5] J. Krumm, A survey of computational location privacy, Personal Ubiquitous Computing
13 (6) (2009) 391–399.
[6] L. Sweeney, k-anonymity: a model for protecting privacy, Int. Journal on Uncertainty,
Fuzziness and Knowledge-based Systems 10 (5) (2002) 557–570.
[7] P. Kalnis, G. Ghinita, K. Mouratidis, D. Papadias, Preventing location-based identity infer-
ence in anonymous spatial queries, IEEE Transactions on Knowledge and Data Engineering
19 (12) (2007) 1719–1733.
[8] T. Hashem, L. Kulik, Safeguarding location privacy in wireless ad-hoc networks., in: Ubi-
comp ’07: Proc. of the 9th Int. Conf. on on Ubiquitous Computing., 2007, pp. 372–390.
[9] B. Gedik, L. Liu, Location privacy in mobile systems: A personalized anonymization
model, in: ICDCS ’05: Proc. of the 25th IEEE Int. Conf. on Distributed Computing Sys-
tems, 2005, pp. 620–629.
[10] C. Bettini, X. Wang, S. Jajodia, Protecting privacy against location-based personal identi-
fication, in: SDM ’05, Proc. of the 2nd VLDB Workshop on Secure Data Management.,
2005, pp. 185–199.
[11] M. Duckham, L. Kulik, A formal model of obfuscation and negotiation for location privacy,
in: Pervasive ’05, Proc. of the 3rd Int. Conf. on Pervasive Computing., 2005, pp. 152–170.
[12] H. Samet, The design and analysis of spatial data structures, Addison-Wesley Longman
Publishing Co., Inc., 1990.
[13] C.-Y. Chow, M. F. Mokbel, X. Liu, A peer-to-peer spatial cloaking algorithm for anony-
mous location-based services, in: GIS ’06: Proc. of the 14th ACM Int. Symp. on Advances
in Geographic Information Systems, 2006, pp. 171–178.
[14] G. Ghinita, P. Kalnis, S. Skiadopoulos, PRIV´
E: Anonymous location-based queries in dis-
tributed mobile systems, in: WWW ’07: Proc. of the 16th Int. Conf. on World Wide Web,
2007, pp. 371–389.
[15] G. Ghinita, P. Kalnis, S. Skiadopoulos, Mobihide: A mobilea peer-to-peer system for
anonymous location-based queries., in: SSTD ’07: Proc. of the 10th Int. Symp. on Ad-
vances in Spatial and Temporal Databases, Vol. 4605, 2007, pp. 221–238.
[16] M. L. Yiu, C. S. Jensen, X. Huang, H. Lu, Spacetwist: Managing the trade-offs among
location privacy, query performance, and query accuracy in mobile services., in: ICDE ’08:
Proc. of the 2008 IEEE 24th Int. Conf. on Data Engineering, 2008, pp. 366–375.
[17] H. Hu, J. Xu, Non-exposure location anonymity, in: ICDE ’09: Proc. of the 2009 IEEE 25th
Int. Conf. on Data Engineering, 2009, pp. 1120–1131.
[18] H. Hu, D. L. Lee, Range nearest-neighbor query, IEEE Transactions on Knowledge and
Data Engineering 18 (1) (2006) 78–91.
[19] J. Xu, X. Tang, H. Hu, J. Du, Privacy-conscious location-based queries in mobile environ-
ments, IEEE Transactions on Parallel and Distributed Systems 99 (1).
[20] C.-Y. Chow, M. F. Mokbel, J. Naps, S. Nath, Approximate evaluation of range nearest
neighbor queries with quality guarantee, in: SSTD ’09: Proc. of the 11th Int. Symp. on
Advances in Spatial and Temporal Databases, 2009, pp. 283–301.
[21] A. Khoshgozaran, C. Shahabi, Blind evaluation of nearest neighbor queries using space
transformation to preserve location privacy, in: SSTD ’07: Proc. of the 9th Int. Symp. on
Advances in Spatial and Temporal Databases, 2007, pp. 239–257.
[22] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, K.-L. Tan, Private queries in location
based services: anonymizers are not necessary, in: SIGMOD ’08: Proc. of the 2008 ACM
SIGMOD Int. Conf. on Management of Data, 2008, pp. 121–132.
[23] G. Ghinita, Private queries and trajectory anonymization: a dual perspective on location
privacy, Transactions on Data Privacy 2 (1) (2009) 3–19.
[24] H. Kido, Y. Yanagisawa, T. Satoh, An anonymous communication technique using dum-
mies for location-based services, in: ICPS ’05: Proc. of the 2nd Int. Conf. on Pervasive
Services, 2005, pp. 88–97.
[25] M. Langheinrich, Privacy by design—principles of privacy-aware ubiquitous systems, in:
Ubicomp ’01: Proc. of the 3rd Int. Conf. on on Ubiquitous Computing., 2001, pp. 273–291.
[26] E. Kaasinen, User needs for location-aware mobile services, Personal and Ubiquitous Com-
puting 70 (1) (2003) 70–79.
[27] A. G¨
orlach, A. Heinemann, W. W. Terpstra, Survey on location privacy in pervasive com-
puting, in: Privacy, Security and Trust within the Context of Pervasive Computing, The
Kluwer Int. Series in Engineering and Computer Science, 2004, pp. 23–34.
[28] J. Crowcroft, R. Gibbens, F. Kelly, S. ¨
Ostring, Modelling incentives for collaboration in
mobile ad hoc networks, Performance Evaluation 57 (4) (2004) 427–439.
[29] E. Huang, J. Crowcroft, I. Wassell, Rethinking incentives for mobile ad hoc networks, in:
PINS ’04: Proc. of the ACM SIGCOMM Workshop on Practice and Theory of Incentives
in Networked Systems, 2004, pp. 191–196.
[30] J. G¨
obel, A. E. Krzesinski, Modelling incentives and protocols for collaboration in mobile
ad hoc networks, in: MSWiM ’08: Proc. of the 11th Int. Symp. on Modeling, Analysis and
Simulation of Wireless and Mobile Systems, 2008, pp. 78–85.
[31] S. Brands, Untraceable off-line cash in wallet with observers, in: CRYPTO ’93: Proc. of
the 13th Annual Int. Cryptology Conf. on Advances in Cryptology, 1994, pp. 302–318.
[32] C.-T. Chang, C.-Y. Chang, J.-P. Sheu, Bluecube: constructing a hypercube parallel comput-
ing and communication environment over bluetooth radio systems, Journal of Parallel and
Distributed Computing 66 (10) (2006) 1243–1258.
... We argue that in moving objects data, there does not exist a fixed set of quasi-identifiers for all moving objects and consequently the concept of k-anonymity cannot be borrowed from relational data as it is. For this reason, most existing work on anonymity of moving objects data has been developed in the context of location-based services [15,17,[23][24][25][26][27][28]. In this context, a trusted server is usually in charge of handling users' requests and passing them to the service providers. ...
... Ardagna et al. [26] assumed that positions of users are always represented as planar circular areas and presented different obfuscation operators, namely radius enlargement, radius reduction, and center shifting, which protect the location privacy of users when used individually or in combination. Hashem and Kulik [27] presented a decentralized approach that decouples the user who requires a location service from the peer who actually forwards the service request to a location-based service provider on behalf of that user. They proposed efficient algorithms for users to compute a k-anonymous imprecise location and to randomly select one of their peers with uniform probability who forwards the service request. ...
... Therefore, all trajectories in c are added back to TR r and tr c is removed from TR l (lines [23][24][25]. Nevertheless, if the size of c is equal to l, c is added to C l and all trajectories within it are removed from TR l (lines [26][27][28][29]. This process continues until TR l is empty (lines 3-30). ...
Full-text available
With the rising prevalence of location-aware devices such as mobile phones, Radio-Frequency Identification (RFID) tags, and Global Positioning Systems (GPSs), the amount of trajectory data is significantly increasing, resulting in various data mining applications. Improper publication of trajectory data may jeopardize the privacy of moving objects, so trajectories ought to be anonymized before making them accessible to the public. Many existing approaches for privacy-preserving publication of trajectory data provide only the same level of privacy protection for all moving objects, whereas different moving objects may require different amounts of privacy protection. In this paper, we address this issue by presenting WINR2D, a novel clustering-based approach for privacy-preserving publication of trajectory data. Being based on the concept of personalized privacy, the aim of WINR2D is to anonymize trajectories to some extent so that an adversary having some background knowledge cannot uniquely identify a specific trajectory, but with a maximum probability inversely proportional to the privacy protection requirement of the moving object that produced it. In doing so, we first assign a privacy level to each trajectory based on the privacy protection requirement of its moving object and then partition all the trajectories into a set of clusters based on a greedy strategy. Each cluster is created such that its size is proportional to the highest privacy level of trajectories within it. Eventually, we anonymize the trajectories of each cluster and generate a set of anonymized trajectories containing generalized and distorted moving points. Our experimental results show that WINR2D achieves a reasonable trade-off between the conflicting goals of data utility and data privacy according to the privacy protection requirements of moving objects.
... The location privacy is a major concern. To solve this problem, several technologies and papers about preserving location privacy have been published, for example (Gahi et al., 2012;Ghinita et al., 2008;Gruteser and Grunwald, 2003;Hashem and Kulik, 2011;Sun et al., 2009;Sweeney, 2002;Teerakanok et al., 2010). ...
... Some papers devised a third party who constructs a cloaking region, which includes k -1 neighbours and actual user. Employing k-anonymity technology (Damiani et al., 2008;Hashem and Kulik, 2011;Sweeney, 2002) can blur the location of a user into a region with a minimum size threshold. Usually, the k-anonymity and l-diversity have been employed in the meanwhile. ...
... And at present, in published related researches, they have not archived the third degree anonymity. They only have preserved identity or location privacy of user (for example, Gahi et al., 2012;Ghinita et al., 2008;Gruteser and Grunwald, 2003;Hashem and Kulik, 2011;Sun et al., 2009;Sweeney, 2002;Teerakanok et al., 2010). Hence, this is the main contribution of our proposed scheme. ...
Full-text available
Individual privacy has been a great concern to users who need the location-based service by networked devices such as smart phones and personal computers. Usually, the provider who can provide a location-based service is regarded as semi-trusted or honest-but-curious. It leads to tremendous harmfulness for users who request this service because the dishonest service provider leaks the users' personal information. To preserve user privacy, we propose a scheme which achieves user privacy information including location, identity, and domain, while the user can still obtain the required service from a service provider. For the sake of less computational time and minimal computer power, only symmetric key cryptography is employed in our system. This scheme is secured by our security analysis, and is feasible through our imitating implementation. Compared with related schemes, our scheme can provide sufficient property to meet our requirements.
... Finally, pseudotrajectories with the minimum similarity distance from service requestor are taken as an ID replacement scheme. The trajectory similarity measurement method in this paper is based on local anonymous area [7]. ...
... Hashem et al. [7] propose a distributed location privacy perserving method. In this method, a mobile user will send its local privacy area, instead of precise location, to the requestor. ...
... The global anonymous area is used to replace the accurate location of the requestor for LBS query. Our trajectory similarity measurement method in this paper is based on user's local anonymous area [7]. ...
Conference Paper
This paper presents a trajectory similarity measurement method based on user's local anonymous area. This method can protect the location privacy among users between each other in an anonymous group. Based on the trajectory similarity and real user's location data, some users' IDs are replaced by others to protect trajectory privacy. This method can resist some background attacks.
... Memon et al. [25] proposed a multimixed region privacy protection method which is dedicated to the mapping service of vehicles on the road network. Hashem and Kulik [26] proposed the use of mobile devices to form personal self-organizing networks. The authors proposed a decentralized method to protect the privacy of visitors' location. ...
Full-text available
At present, with the popularization of intelligent equipment. Almost every smart device has a GPS. Users can use it to obtain convenient services, and third parties can use the data to provide recommendations for users and promote relevant business development. However, due to the large number of location data, there are serious data sparsity problems in the data uploaded by users. At the same time, with great value comes great danger. Once the user’s location information is obtained by the attacker, severe security issues will be caused. In recent years, a lot of researchers have studied the recommendation of point of interests (POIs) and the privacy protection of location. Yet, few of them have explored both together, which induces some drawbacks on the combination of them. This paper combines POI recommendation with a privacy protection mechanism. Besides providing user with POI recommendation service, it also protects the privacy of user’s location. We proposed a POI recommendation model with privacy protection mechanism, termed POI recommendation model for community groups based on privacy protection (CGPP-POI). This model can ensure the recommendation accuracy and reduce the leakage of user location information via taking advantages of the characteristics of location. At the same time, it deals with the problem of poor recommendation performance caused by sparse data. In addition, through the expansion of location, random and other methods are used to protect the user’s real check-in information. First, the data processed at the terminal satisfied local differential privacy. At the same time, we use the data to build a recommendation model. Then, we use a community of user in the model to improve the availability of these disturbed data, explore the relationship between users, and expand check-ins within the community. Finally, we provide the POI recommendations to users. Based on the traditional evaluation criteria, we adopted four metrics, i.e., accuracy, recall rate, coverage rate, and popularity in evaluation part, where intensive experiments conducted on real datasets Gowalla and Brightkite demonstrate that our approach outperforms the baseline methods significantly. 1. Introduction With the advent of 5G techniques, people’s lifestyles have been changed thoroughly. Smartphones have become a ubiquitous part in our daily life, e.g., using smartphone to seek information, shopping online, and performing navigation. Hou et al. [1] pointed out that with the help of smart devices, sharing information has become a normal part of people’s life. Especially during the epidemic, intelligent equipment has a great impact on China, for example, scanning QR codes to report trips and taking online classes. In short, it has accelerated the rapid development of e-commerce industry and internet technology and driven the overall economic development. But the convenient life requires users to provide more information, and the most useful information is GPS location. Location information is a very special data, because it has bonded with people’s routine, e.g., navigation, shopping, and social activity, and thus has strong private attributes. Almost all software and applications require users to provide GPS information if they want to get a better experience. Currently, in order to get recommendation service, users still need to upload their exact GPS data to third parties. According to this location, the third party can provide nearby researched results. The exploration of POI recommendations is still in early stages, while, with the rapid development, people need to get more fresh information in a shorter time. For example, a person’s daily pattern is two dots in a line, which means he/she is only active at home and work place. Suppose that one day he/she needs to go somewhere unfamiliar, searching on the internet for information is necessary. However, it is hard to figure out useful information among such a huge information flow. To solve this problem, recommendation system emerged, aiming at providing users with POI that they might be interested and saving searching time for them. In recent years, recommendation research based on POI has focused on machine learning. Generally, the research on POI falls into the following categories: (1) tensor decomposition; (2) Markov chain model; and (3) neural network model. These POI recommendation algorithms have achieved good results in certain scenarios, but they lack generality. At the same time, they ignore the privacy issues caused by user trajectories. In the work of Xue et al. [2], the authors pointed that the friend relationship has an influence on users’ future behavior, which shows that social information plays a role in the process of recommendation. Concurrently, the paper proposed that when excluding the influence of work location and family information, the influence of social relationship is more apparent. In addition, an attacker can infer a specific user by using friends and some background knowledge. Undoubtedly, social relationships indeed increase the risk of users’ privacy leakage. The development of GPS positioning and network technology not only brings convenience to users’ lives but also increases the risk of users’ location information leakage. Liang et al. [3] demonstrate that the prediction accuracy of tap position inference can be at least 90 percent by utilizing convolutional neural networks. As special information, location can be regarded as both public information and user’s private information. For example, on a map, where every location is public, this information is available, and third parties can use this information and certain statistics to build user profiles. But there is no doubt that a specific user’s trajectory is private. Once leaked, it will cause security and privacy risks to the user. If the leakage happens in the data collection stage, it will cause a huge disaster for both the company and the user, such as the AOL [4] and Netflix [5] data breaches, which cause immeasurable social and economic consequences. For the preceding reasons, we should take into account the particularity of location information. We propose a POI recommendation model based on privacy protection, which explores the relationship between users and the range of check-in. For example, in Figure 1, there are three users, represented by red, yellow, and blue dots. Each user has a certain number of check-ins in a certain period of time. Intuitively, blue users and yellow users are more closely related because they are more likely to be in the same area. As we can see from the figure, each user’s check-in is their exact coordinates. If the same check-in map is obtained by an attacker, the attacker can easily predict where a user will go in the future. But if we expand the scope of a user’s check-in location, the amount of information it contains will be ambiguous. Take the large blue check-in in Figure 1 as an example. Within radius , the check-in scope contains only one check-in. When it was extended to , it had four check-ins. Therefore, if the range is uploaded for service, the probability of an attacker inferring a true check-in will be decreased. Therefore, the user’s real location can be protected. Again, all the check-ins in Figure 1 and where they are located can be considered public information without identifying the user who visited them. This public information is useless to the attacker. But for users, these check-ins can provide them with more options for future utility. In addition, on the establishment of the recommendation model, we hope to enhance the relevance among users by expanding the scope of real check-in, as the blue and yellow users in Figure 1. However, when the scope is extended, as shown in the figure, many check-ins of yellow user and blue user are partitioned into the same range, which increases the connection between blue user and yellow user and adds stronger correlated options to the prediction. It also shows that in complex network, community is a suitable way to solve the relationship between users [6]. In this paper, we build a satisfactory mechanism to provide users with POI recommendations through the user check-in information, while preserving user privacy protection for location information. Experiments show that this model can provide users with good recommendation choices under the privacy protection mechanism. Meanwhile, this model is constructed in a hierarchical way which reduces the amount of computation and effectively reduces the time cost. The innovation points of this paper are as follows: (i)Integrating community detection mechanisms with location network. The community detection model is improved according to the needs of this paper and is adapted to suit the location network. At the same time, it can solve the problem of data sparsity in location recommendation(ii)Instead of the traditional knowledge graph built by all users, the knowledge graph is processed hierarchically. We explore the relationships between users, locations, and check-ins within the community(iii)In the process of recommendation, privacy protection mechanism is considered. To deal with real location coordinates, we apply local differential privacy on it. At the same time, the privacy protection mechanism is also added at the end of the recommendation, protecting the user’s real location and future travel safety.
... In addition to concerns of players privacy (e.g. [23]), also land-owners rights for privacy has gained increased attention as LBG players have been reported to trespass private property and restricted areas while looking for new Pokémon, despite the Niantic's PoI generation systems guidelines to not to add PoIs in private locations [29,42,54]. Notably, as evidenced in the study by Graells et al. [20], Pokémon GO players take advantage of breaks during the day or commuting times to play the game, and according to the findings, typically LBGs are played in places near homes or the workplace suggesting that the exercise and exploration might be centered upon a limited area. ...
Full-text available
Previous studies have reported various potential benefits from playing location-based games (LBGs). These include being outdoors, exercise , decreased sedentary behavior, increased knowledge of surroundings , improved cartographic, geographical and navigation skills, increased social interaction, meeting new people, forming acquaintances and activating people. One of the benefits of LBGs is that compared to other self-help applications and games, they are able to reach demographics who have trouble or are not interested in seeking improvement in their lives. This study focuses on the currently available LBGs (N=60) and identifies how their gameplay supports the observed benefits of playing the games. The found LBGs were sorted into five sub-genres. At the core of the popular LBGs Pokémon GO and Harry Potter: Wizards Unite were three main game mechanics all supporting each other: (1) moving around to find points of interest (PoIs), (2) travelling to PoIs and (3) walking to trigger game-events. Most gameplay were tied to these, as were also the potential benefits of playing the games. These findings highlight the importance of PoIs, their location and their quality, for maximizing the benefits gained from playing LBGs.
... In Location-Based-Service applications, GPS is used to continuously track the node's location. [11][12][13] Differently, in our proposal the use of RFID does not allow continuous tracking. ...
In this paper, we present a BeagleBone-based system to increase the security and safety level of critical environments by tracking people movements. Our solution is privacy aware, as it is possible to know who accessed a zone at a given time, with an uncertainty degree of accountability.
... This characterization was further developed by Crabtree et al. [28] for considering privacy in the age of ubiquitous computing. Research on trust and privacy has further covered domains such as social networking (see e.g., [35,47]), data mining (see e.g., [88]), and mobile services (see e.g., [67]). ...
Full-text available
Smart Meters are a key component of increasing the power efficiency of the Smart Grid. To help manage the grid effectively, these meters are designed to collect information on power consumption and send it to third parties. With Smart Metering, for the first time, these cloud-connected sensing devices are legally mandated to be installed in the homes of millions of people worldwide. Via a multi-staged empirical study that utilized an open-ended questionnaire, focus groups, and a design probe, we examined how people characterize the tension between the utility of Smart Metering and its impact on privacy. Our findings show that people seek to make abstract Smart Metering data accountable by connecting it to their everyday practices. Our insight can inform the design of usable privacy configuration tools that help Smart Metering consumers relate abstract data with the real-world implications of its disclosure.
Location data reveals users’ trajectories, yet it is often shared to enable many location-based services (LBS). In this paper, we propose a privacy-preserving geospatial query system with geo-hashing and somewhat homomorphic encryption. We geo-hash locations using space-filling curves for locality-preserving dimension reduction, which allows the users to specify granularity preference of their location and is agnostic to specific maps or precoded location models. Our system features three homomorphic algorithms to compute geospatial queries on encrypted location data and encrypted privacy preferences. Comparing with previous work, one of our algorithms reduces the multiplicative depth of a basic homomorphic computation approach by more than half, which significantly speeds it up. We then present an optimized prototype and experimentally demonstrates its utility in spatial cloaking.
The deployment of Next Generation networks such as wireless broadband networks and wireless ad hoc networks, has lead to the proliferation of new mobile, pervasive and ubiquitous services, such as online social networks, location based services or cloud computing services. These new network paradigms and services raise serious privacy concerns. This chapter reviews security and privacy issues in Next Generation (NG) networking. Intitially, a general categorization of various popular NG networks and services is presented. Then, the security and privacy threats identified for each category are examined, along with a brief review of the related security requirements and mitigation strategies described in the recent literature.
A user's location is a sensitive data and can reveal private information about the user's health, habit and preferences. Due to privacy concerns, people may hesitate to share their locations and prohibit the growth of location-based services and analysis. The problem of protecting location privacy has been extensively studied in the literature. Sharing location data in sequence enable adversaries to apply privacy attacks by exploiting spatio-temporal constraints in road networks. In this paper, we identify a novel privacy attack that existing solutions cannot overcome for not considering upcoming sensitive locations in advance. We develop a technique to precompute the warning zone, i.e. the refined area where the disclosure of a user's actual location may enable adversaries to identify the user's sensitive locations in the future. Warning zones also enable users to reduce the frequency of not sharing locations for privacy reasons, and thereby improve the accuracy and utility of shared locations while guaranteeing the required level of location privacy of a user. Experiments using real datasets show that our approach significantly outperforms the state-of-the-art technique in terms of privacy, data utility and computational overhead.
Full-text available
Without sufficient nodes cooperating to provide relaying functions, a mobile ad hoc network cannot function properly. Consequently various proposals have been made which provide incentives for individual users of an ad hoc mobile network to cooperate with each other. In this paper we examine this problem and analyse the drawbacks of currently proposed incentive systems. We then argue that there may not be a need for incentive systems at all, especially in the early stages of adoption, where excessive complexity can only hurt the deployment of ad hoc networks. We look at the needs of different customer segments at each stage of the technological adoption cycle and propose that incentive systems should not be used until ad hoc networks enter mainstream markets. Even then, incentive systems should be tailored to the needs of each individual application rather than adopting a generalised approach that may be flawed or too technically demanding to be implemented in reality.
Full-text available
The goal of ubiquitous computing research is refine devices to the where their use is transparent. For many applications with mobile devices, transparent operation requires that the device be location-aware. Unfortunately, the location of an individual can be used to infer highly private information. Hence, these devices must be carefully designed, lest they become a ubiquitous surveillance system. This paper overviews existing location-sensing mobile devices, vectors for a privacy invasion, and proposed solutions. Particular attention is paid to required infrastructure and the accuracy of the location information which can be stolen. Solutions are examined from the perspective of attacks which can be reasonably expected against these systems.
Conference Paper
Full-text available
Modern mobile phones and PDAs are equipped with positioning capabilities (e.g., GPS). Users can access public location-based services (e.g., Google Maps) and ask spatial queries. Although communication is encrypted, privacy and confidentiality remain major concerns, since the queries may disclose the location and identity of the user. Commonly, spatial \(\mathcal{K}\) -anonymity is employed to hide the query initiator among a group of \(\mathcal{K}\) users. However, existing work either fails to guarantee privacy, or exhibits unacceptably long response time. In this paper we propose MobiHide, a Peer-to-Peer system for anonymous location-based queries, which addresses these problems. MobiHide employs the Hilbert space-filling curve to map the 2-D locations of mobile users to 1-D space. The transformed locations are indexed by a Chord-based distributed hash table, which is formed by the mobile devices. The resulting Peer-to-Peer system is used to anonymize a query by mapping it to a random group of \(\mathcal{K}\) users that are consecutive in the 1-D space. Compared to existing state-of-the-art, MobiHide does not provide theoretical anonymity guarantees for skewed query distributions. Nevertheless, it achieves strong anonymity in practice, and it eliminates system hotspots. Our experimental evaluation shows that MobiHide has good load balancing and fault tolerance properties, and is applicable to real-life scenarios with numerous mobile users.
This paper explores a model for the operation of an ad hoc mobile network. The model incorporates incentives for users to act as transit nodes on multi-hop paths and to be rewarded with their own ability to send traffic. The paper explores consequences of the model by means of fluid-level simulations of a network and illustrates the way in which network resources are allocated to users according to their geographical position.
This is a literature survey of computational location privacy, meaning computation-based privacy mechanisms that treat location data as geometric information. This definition includes privacy-preserving algorithms like anonymity and obfuscation as well as privacy-breaking algorithms that exploit the geometric nature of the data. The survey omits non-computational techniques like manually inspecting geotagged photos, and it omits techniques like encryption or access control that treat location data as general symbols. The paper reviews studies of peoples’ attitudes about location privacy, computational threats on leaked location data, and computational countermeasures for mitigating these threats.