MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks
Wei Wei, Fengyuan Xu, Qun Li (The College of William and Mary), in INFOCOM IEEE 2012
A.C. Chen @ ADL 1
Feb 25, 2016
INTRODUCTION
Mobile Online Social Networks (mOSNs)
Mobile Online Social Networks (mOSNs)
• Many existing OSNs have created content and access mechanisms tailored to mobile users
New mOSNs
• Some mOSNs are designed specifically to be accessed by mobile devices, such as Foursquare and Gowalla
Privacy Concerns
• While the location-based features make mOSNs more popular, they also raise significant privacy concerns
– Because users’ physical locations are now being correlated with their profiles
• All the current mOSNs are under centralized control
– Users’ location privacy will be compromised if the location data collected by the mOSNs are abused, inadvertently leaked, or under the control of hackers
Related Work
• SmokeScreen [ACM MobiSys, 2007]
– Flexibly share presence with both friends and strangers while preserving user privacy
• In [HotMobile, 2010] and [Privacy Enhancing Technologies, 2007], locations are shared only between established relations in a privacy-preserving way
– This limits a large class of mobile social applications
The Main Idea of This Paper…
• In a mOSN, users should be able to control how their own location information is accessed by others
• The system should work in a way that an adversary controlling the mOSN cannot obtain users’ location information
MOBISHARE
User, Cellular Tower, Location Server, Social Network Server
MobiShare Architecture
Trust and Threat Model
• Assumption:
– Either the social network server or the location server can be compromised, but the adversary cannot control both entities
• Threat Model
– Some users may also be malicious, seeking to obtain the location information
– The social network server or the location server may collude with these malicious users
The Cellular Towers are Trusted
• The cellular carrier generally knows the owner’s name and address for each subscribed cell phone
– The FCC’s wireless Enhanced 9-1-1 rules [E9-1-1] require that the cellular carriers can locate the subscribed cell phones with an accuracy of 50 to 300 meters
• We make no attempt to conceal the devices’ locations from the cellular networks
Social Network Server and User
• The social network server manages users’ identity-related information (profiles, friend lists…)
– It can be a server of any existing OSN that wants to provide the location-sharing service
• Each user has a unique identifier at the social network server, a public-private key pair, and a symmetric session key
– The session key is shared with all his social network friends
Location Server and Cellular Tower
• The location server is an untrusted 3rd-party server storing anonymized location updates of the users
– A company may implement the location server so as to profit from the OSNs or the users
– It shares a symmetric secret key with the cellular towers
• Each cellular tower has a unique identifier and generates by itself a symmetric secret key
– It also shares its secret key with the location server
SYSTEM DESIGN
Service Registration, Authentication, Location Updates, Querying Location
MobiShare System
• Registration
– Before using the location-sharing service, each user needs to register for the service at the social network server
• Authentication
– Establish an authenticated and secure communication link between the user and the cellular tower
• Location updates
• Querying location
– Friends’ case
– Strangers’ case
Service Registration
• User A shares his public key PubKeyA with the social network server
• User A defines the access control settings dfA and dsA
– threshold distances for sharing with friends and strangers, respectively
• After registration, the social network server stores an entry <IDA, PubKeyA, dfA, dsA> in its subscriber table
Authentication
• User A → cellular tower: request(IDA, ts, SigA(IDA, ts))
• Cellular tower → social network server: forward(IDA, ts, SigA(IDA, ts))
• Social network server: verification of the signature with PubKeyA
• Social network server → cellular tower: (IDA, dfA, dsA)
• Cellular tower → user A: forward(IDA, dfA, dsA)
• User A: verification of the forwarded settings
• User A → cellular tower: OK
On the reception of the OK message, the cellular tower stores an entry as <IDA, dfA, dsA> in its `user info` table
Location Updates
• The cellular tower performs anonymization when a user uploads his location updates to the location server
– Pseudonyms + dummy location updates
– Each cellular tower periodically generates fake IDs and saves them in a fake ID pool
• the fake IDs can be efficiently generated using a cryptographic hash function, e.g. fake IDi = SHA(fake IDi−1 ⊕ salt)
Location Updates – Anonymization
• User A → cellular tower: sends (IDA, (x,y), SessA(x,y))
• Cellular tower: updates `user info`; picks k fake IDs from its pool and chooses FIDA among them
• Cellular tower → social network server: sends mapping (IDA, FIDA, FID1, ..., FIDk−1)
• Cellular tower: stores FIDA in `user info`
• Social network server: updates `fake ID`
Location Updates – Anonymization (cont.)
• Cellular tower → location server: update (FIDA, (x,y), SessA(x,y), dfA, dsA), the 1 real update; the location server updates `regionA`
• Cellular tower → location server: update (FIDi, (xi,yi), stri, dfi, dsi) for each of the k−1 dummy updates; the location server updates `regioni`
• The cellular tower sends the k location updates to the location server in a random order, with random time intervals following the exponential distribution
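To make the tower-side steps above concrete, here is an added Python example (not code from the paper or these slides) covering the fake ID hash chain and the construction of the k updates (1 real, k−1 dummies) sent in random order with exponential gaps. SHA-256 with 32-byte inputs, the coverage box, the dummy threshold values, the opaque `str_i` bytes and the 2-second mean gap are all assumptions.

```python
import hashlib
import random


def next_fake_id(prev: bytes, salt: bytes) -> bytes:
    """One hash-chain step from the slides: fake ID_i = SHA(fake ID_{i-1} XOR salt).
    SHA-256 with 32-byte inputs is an assumption; the slides only say 'SHA'."""
    mixed = bytes(a ^ b for a, b in zip(prev, salt))
    return hashlib.sha256(mixed).digest()


def fake_id_pool(seed: bytes, salt: bytes, count: int) -> list:
    """The tower periodically refills its fake ID pool by walking the chain."""
    pool, cur = [], seed
    for _ in range(count):
        cur = next_fake_id(cur, salt)
        pool.append(cur.hex()[:16])  # shortened hex purely for readability
    return pool


def anonymize_update(user_id, loc, sess_loc, df, ds, pool, k, box, rng, mean_gap=2.0):
    """Tower side of 'Location Updates - Anonymization'.
    loc: (x, y) reported by the user; sess_loc: Sess_A(x, y), opaque to the tower.
    box: (xmin, ymin, xmax, ymax) coverage area; dummy positions are drawn inside it.
    Returns the mapping for the social network server, the k updates for the
    location server already in random order, and exponential send gaps (seconds)."""
    fids = rng.sample(pool, k)                   # k fake IDs drawn from the pool
    fid_a, dummies = fids[0], fids[1:]
    mapping = (user_id, fid_a, *dummies)         # (ID_A, FID_A, FID_1 .. FID_k-1)
    updates = [(fid_a, loc, sess_loc, df, ds)]   # the single real update
    for fid in dummies:                          # k-1 dummies shaped like real users
        xy = (rng.uniform(box[0], box[2]), rng.uniform(box[1], box[3]))
        str_i = rng.getrandbits(128).to_bytes(16, "big")  # random bytes in place of Sess_i
        thresholds = rng.choice([500, 1000, 2000]), rng.choice([500, 1000, 2000])
        updates.append((fid, xy, str_i, *thresholds))
    rng.shuffle(updates)                         # random order hides which one is real
    gaps = [rng.expovariate(1.0 / mean_gap) for _ in updates]
    return mapping, updates, gaps


def demo(k=5):
    """Constructed sample run: user 'alice' inside a 1 km x 1 km cell."""
    rng = random.Random(2012)
    pool = fake_id_pool(b"\x00" * 32, b"tower-salt".ljust(32, b"\x00"), 20)
    return anonymize_update("alice", (120.0, 80.0), b"<Sess_A(x,y)>", 1000, 2000,
                            pool, k, (0, 0, 1000, 1000), rng)
```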
Dummies Must Behave Like True Users
• The cellular tower follows the method of [Kido et al. 2005] to generate k−1 dummy locations within its coverage
– Anonymous communication technique using false position data (dummies) mixed with true position data
Table View – Location
Querying Friends’ Locations
• User A → cellular tower: query(IDA, ’f’, ‘1mi’)
• Cellular tower → social network server: forward (IDA, ’f’, ‘1mi’, SecKeyLoc(CIDC, seq))
• Social network server: creates `FIDlist` by looking up `fake ID`; it consists of the fake IDs (real and dummies) of all A’s friends
• Social network server → location server: query(FIDA, ’f’, FIDlist, ’1mi’, SecKeyLoc(CIDC, seq))
• Location server: access control, then replies to the social network server with SecKeyc((FIDi, Sessi(xi,yi))…, seq)
• Social network server → cellular tower: (SecKeyc((FIDi, Sessi(xi,yi))…, seq), mapping entries), where each mapping entry is of the form (FIDj, IDj) for all of A’s friends
• Cellular tower → user A: the decrypted location entries ((IDi, Sessi(xi,yi)), (IDj, Sessj(xj,yj))…), which A decrypts with the friends’ session keys
Querying Strangers’ Locations
• User A → cellular tower: query(IDA, ’s’, ‘1mi’)
• Cellular tower → location server: forward (’s’, ‘1mi’, SecKeyLoc(FIDA, CIDC, seq))
• Location server: looks up `region`; FIDlist consists of the n nearby fake IDs mixed with (k−1)n fake IDs randomly picked from the location update database
• Location server → social network server: forward (SecKeyc((FIDi, (xi,yi)), (FIDj, (xj,yj))…, seq), FIDlist)
• Social network server → cellular tower: (SecKeyc((FIDi, (xi,yi)), (FIDj, (xj,yj))…, seq), mapping entries), where each mapping entry is of the form (FIDj, IDj, dsj)
• Cellular tower → user A: decrypts the location entries, double-checks them against dsj, and returns ((IDi, (xi,yi)), (IDj, (xj,yj))…)
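An added Python example (not from the paper or these slides) of the strangers’ case above: the location server’s (k−1)n padding of the n nearby fake IDs and the cellular tower’s double check against dsj. Planar metre coordinates, the constructed `REGION` database, the FID/ID names and the assumption that mapping entries exist only for real (non-dummy) fake IDs are all assumptions made here.

```python
import math
import random

MILE_M = 1609.344  # the slides query with a '1mi' range


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])  # planar metres (assumption: local x/y, not lat/lon)


def stranger_query(region, querier_loc, radius_m, k, rng):
    """Location server: the n nearby fake IDs that pass the ds_i access control, mixed
    with (k-1)n other fake IDs picked at random from the update database and shuffled,
    so the social network server cannot tell which n are near. region: FID -> ((x,y), ds)."""
    nearby = [fid for fid, (loc, ds) in region.items()
              if dist(loc, querier_loc) <= min(radius_m, ds)]
    others = [fid for fid in region if fid not in nearby]
    pad = rng.sample(others, min((k - 1) * len(nearby), len(others)))
    fidlist = nearby + pad
    rng.shuffle(fidlist)
    return [(fid, region[fid][0]) for fid in fidlist]


def tower_double_check(entries, mapping, querier_loc, radius_m):
    """Cellular tower: resolve FID -> ID via the social network server's mapping entries
    (FID_j, ID_j, ds_j) and re-check range and ds_j, so neither the padding nor a
    misbehaving location server leaks an out-of-policy entry. Assumes no entries for dummies."""
    by_fid = {fid: (uid, ds) for fid, uid, ds in mapping}
    result = []
    for fid, loc in entries:
        if fid not in by_fid:  # dummy or unmapped fake ID: drop it
            continue
        uid, ds = by_fid[fid]
        if dist(loc, querier_loc) <= min(radius_m, ds):
            result.append((uid, loc))
    return result


REGION = {  # constructed sample database: FID -> ((x, y) metres, ds metres); 'd1' is a dummy
    "f1": ((100.0, 0.0), 2000.0),
    "f2": ((500.0, 500.0), 300.0),   # within 1 mi, but its ds forbids the querier
    "f3": ((5000.0, 0.0), 5000.0),   # out of the 1 mi range
    "d1": ((200.0, 200.0), 2000.0),  # dummy: nearby, but it has no mapping entry
    "f5": ((300.0, -300.0), 1000.0),
}
MAPPING = [("f1", "bob", 2000.0), ("f2", "carol", 300.0), ("f3", "dave", 5000.0), ("f5", "frank", 1000.0)]


def demo(k=5):
    rng = random.Random(7)
    entries = stranger_query(REGION, (0.0, 0.0), MILE_M, k, rng)
    return entries, tower_double_check(entries, MAPPING, (0.0, 0.0), MILE_M)
```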
EVALUATION
Experiment and Evaluation
Experimental Setup
• Cellular tower: emulated by a laptop
– the smartphone communicates with the laptop through Verizon’s 3G data service
• Social network server: deployed on a third-party cloud hosting service provided by JoyentCloud
• Location server: deployed on a third-party cloud hosting service provided by Linode
Experimental Setup (cont.)
• Client: implemented in Java on a MOTOROLA DROID 2 Global smartphone
– the size of the executable is 252KB
– memory footprint of 12MB when running
• Uses a data set consisting of 48,014 users and the social network topology among them as a social network sample
Client Interface
Experiment
• The anonymity level k is set to 5
• Uses 128-bit AES for symmetric key encryption and decryption
• The client is set to update its location every 30 seconds, and to query the locations of friends or nearby strangers every 1 minute
Experiment Results
• Low overhead on the client
– a client only consumes 1.5% of the battery power, with an average CPU utilization of 0.3%
• Low overhead incurred by our scheme on the cellular towers
– with 1000 connected users, the cellular tower service only uses 4.1% of the CPU power and 91MB of memory
Conclusion
• MobiShare supports the features of location sharing in real-world mOSNs:
– querying locations within a certain range
– user-defined access control
– no change to the existing OSNs’ architectures
• The adversary cannot link a precise location to an identified user