Page 1
Putting People in their Places
An Anonymous and Privacy-Sensitive Approach to Collecting Sensed Data in Location-Based Applications
Karen P. Tang, Pedram Keyani, James Fogarty, Jason I. Hong
Human-Computer Interaction Institute, Carnegie Mellon University
Page 2
Location-Aware Computing Is Here
- In-car navigation system
- PDAs, phones, laptops: WiFi & GSM
Page 3
Types of Location-Aware Apps
- Person-centric
  - “What restaurants are near me?”
  - “Where are my friends?”
  - “What’s happening around me?”
Page 5
Privacy treated as a tradeoff
[Tradeoff diagram: Anonymity & Privacy on one axis, Disclosure Fidelity on the other]
- Specific Location Query: “Where are the closest restaurants near me?”
- More Anonymous Location Query: “Where are all the restaurants in Montreal?”
Page 6
Types of Location-Aware Apps
- Person-centric
  - “What restaurants are near me?”
  - “Where are my friends?”
  - “What’s happening around me?”
- Location-centric
  - “What’s happening at the mall?”
  - “How busy is the restaurant?”
  - “What’s happening on highway 5?”
Page 7
Zipdash: a Location-Centric App
- Commercial (acquired by Google)
- How it works:
  - Runs on GPS-enabled phones
  - Continuously disclose GPS
  - Server infers traffic congestion
  - View traffic information on phone
zipdash.com
Page 8
Zipdash: How it works
- Each car reports GPS data
- Server collects all GPS reports
Page 9
Zipdash: Privacy Threat
- Each car reports GPS data
- Server collects all GPS reports
- Can you trust the server?
  - Data is leaked …
  - Someone is eavesdropping …
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
Page 12
Zipdash: Privacy Threat
Car A (the 8:00AM starting point is labelled “Home” on the map):
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
- Observation: consistent routes
  - Start/End is “Work” or “Home”
- Malicious Server Threat:
  - Hijack GPS log for each car
  - Infer start of route as “Home”
  - Lookup via consumer database
- Result: Your “Home” and your identity are revealed
Page 14
Zipdash: Use Fidelity Tradeoff?
- Car calculates actual GPS
- Car reports “blurred” GPS
- Application loses usefulness
  - Fidelity tradeoff lessens utility
Car A, as reported (blurred):
8:00AM in Montreal, QC
8:05AM in Montreal, QC
8:10AM in Montreal, QC
8:15AM in Montreal, QC
Car A, as calculated on the car (actual):
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
Page 16
A New Approach to Privacy
- Fidelity tradeoff doesn’t work for Zipdash
- Location-centric applications need a better way to protect users’ privacy
- “Hitchhiking”
Page 17
Overview
- Motivation & Limits of Fidelity Tradeoff
- Hitchhiking
- Example Applications
- Privacy Analysis & Hitchhiking principles
  - Client computation
  - Location of interest approval
  - Sensing physical identifiers
- Conclusion
Page 20
Hitchhiking: Definition
- Client-focused, software-based approach to privacy-sensitive, location-centric apps on commodity devices and networks
- Key: Location is the entity of interest
- Ensure complete user anonymity & no new privacy threats, even with malicious server
Page 22
Hitchhiking Approach to Zipdash
- “Bridge” = location of interest
  - Only report GPS when on bridge
- Prevent malicious server threat
  - No start/end pattern
  - Every report from the same areas
  - No lookups are possible
Reports received by the server (cars A, B, C on the bridge):
Car A 8:05AM 45.527ºN, 73.822ºW
Car B 8:06AM 45.633ºN, 73.862ºW
Car C 8:07AM 45.549ºN, 73.792ºW
Page 23
Hitchhiking Example: Bus
- “Is my bus running late?”
- Location of interest: Bus route
- Detection of on/off the bus [Patterson, 2003]
- When on the bus:
  - Device senses location
  - Device models on/off bus
  - Device anonymously reports bus location to server
  - Server shares bus info
Page 24
Hitchhiking Example: Coffee shop
- “Is Starbucks busy now?”
- Location of interest: Coffee shop
- When in the coffee shop:
  - Device senses WiFi location
  - Device senses other devices
  - Device anonymously reports device count & WiFi info
  - Server infers shop’s busyness
Page 25
Hitchhiking Example: Meeting Room
- “Can I use that room now?”
- Location of interest: Meeting Room
- When in the meeting room:
  - Device senses WiFi location
  - Device anonymously reports WiFi data to server
  - Server infers room availability
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B]
Page 26
Research Contribution
- Hitchhiking is:
  - … a privacy-sensitive approach
  - … applicable to location-centric apps
  - … provides complete user anonymity while maintaining application’s full utility
- By using Hitchhiking principles, we can build interesting sensor-based location applications without sacrificing the user’s privacy
Page 29
Meeting Room Availability
- “Is that meeting room available right now?”
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B]
Page 30
Standard Approach: Always Track
- Most common approach for current systems
- Privacy Threat from Malicious Server:
  - Most people spend bulk of time in an office
  - Correlate location trails to a specific person
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B]
Page 31
Hitchhiking Solution
- Define meeting rooms as locations of interest
- Privacy defense: Client computation
  - Compute location on the device
  - Only report while at this location
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B]
Page 33
Client location computation
- Prior work: Place Lab [LaMarca et al, 2005; Schilit, 2003]
- Client-based approach alone is not enough
- Hitchhiking thoroughly investigates these other privacy threats and extends prior work to address them
Page 36
Threat: Location Spoofing
- Privacy Threat from Malicious Server:
  - Add fake locations of interest (e.g. your office)
  - Mislabel a fake location of interest
  - Enables tracking of potential private places
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B, plus a fake “Meeting Room C” placed over an office]
Page 38
Hitchhiking Solution
- Make threat apparent to the user
- Privacy defense: Location of interest approval
- In Office 4: “You appear to be in a location that another user has indicated is Meeting Room C. Do you want to disclose information from your current location?”
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B, plus the fake “Meeting Room C”]
Page 40
Threat: Link identifiers to a person
- Privacy Threat from Malicious Server:
  - Attach unique identifiers to locations of interest
  - Craft identifiers to each individual
  - People-specific reports for each location of interest
[Diagram: Malicious Server gives Meeting Room B per-person identifiers; reports arrive as “B: John” and “B: Mary”]
Page 41
Hitchhiking Solution
- Privacy defense: Sensed physical identifiers
  - Use device to sense surrounding identifiers
  - Ensures every device sees the same identifiers
  - Anonymizes reports from devices
[Diagram: Hitchhiking Server, Meeting Room B; every device senses and reports the same identifier, 00-0C-F1-5C-04-A8]
Page 42
Hitchhiking: Putting it Together
- Device reports after detecting “Meeting Room B”:
  - If first time, device prompts for disclosure approval
  - Device anonymously reports sensed WiFi to server
- Server only knows someone is in Meeting Room B
  - No person-specific location trail for any users
[Floor plan: Offices 1–8, Meeting Room A, Meeting Room B; identifier sensed in Meeting Room B: 00-0C-F1-5C-04-A8]
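An added example, not code from the paper or from any Hitchhiking implementation, of the client-side decision this slide puts together with the two preceding principles: the device matches its sensed WiFi BSSIDs against location-of-interest fingerprints locally, asks for approval the first time a location is detected, and sends a report that carries only the location label and the sensed identifiers. The fingerprint sets, the overlap threshold and the `HitchhikingClient` name are assumptions; 00-0C-F1-5C-04-A8 is the address shown on the slides and the other addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed location-of-interest fingerprints: the set of WiFi BSSIDs
# (access-point MAC addresses) a device senses inside each room.
# 00-0C-F1-5C-04-A8 is the address shown on the slides; the rest are made up.
LOCATIONS_OF_INTEREST: Dict[str, Set[str]] = {
    "Meeting Room A": {"00-0C-F1-5C-04-A8", "00-0C-F1-5C-04-B0"},
    "Meeting Room B": {"00-0C-F1-5C-04-A8", "00-0C-F1-5C-04-C2", "00-0C-F1-5C-04-C3"},
}

@dataclass
class HitchhikingClient:
    """Hypothetical client holding the one piece of state Hitchhiking needs:
    which locations of interest this user has approved for disclosure."""
    approved: Set[str] = field(default_factory=set)
    min_overlap: float = 0.5  # fraction of a fingerprint that must be sensed (assumed)

    def infer_location(self, sensed: Set[str]) -> Optional[str]:
        """Client computation: the location is computed on the device, so
        nothing leaves it while the user is in an office or anywhere else."""
        best, best_score = None, 0.0
        for label, fingerprint in LOCATIONS_OF_INTEREST.items():
            score = len(sensed & fingerprint) / len(fingerprint)
            if score >= self.min_overlap and score > best_score:
                best, best_score = label, score
        return best

    def approval_prompt(self, label: str) -> str:
        """Location-of-interest approval: wording follows the slide."""
        return (f"You appear to be in a location that another user has indicated is "
                f"{label}. Do you want to disclose information from your current location?")

    def decide(self, sensed: Set[str], approve_new: bool = False) -> Optional[dict]:
        """Return the anonymous report to send, or None to stay silent.
        approve_new stands in for the user's answer to approval_prompt()."""
        label = self.infer_location(sensed)
        if label is None:
            return None            # not at a location of interest: no report at all
        if label not in self.approved:
            if not approve_new:
                return None        # declined, e.g. a spoofed "Meeting Room C" over an office
            self.approved.add(label)
        # Sensed physical identifiers: the report carries the label and what the
        # device saw, never a device id, account or coordinates. Every device in
        # the room produces the same identifiers, so reports are indistinguishable.
        return {"location": label,
                "sensed": sorted(sensed & LOCATIONS_OF_INTEREST[label])}
```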
Page 43
Related issues
- Other issues surrounding Hitchhiking:
  - Query Anonymity
  - Live Reports vs. Offline Collection
  - Transport Layer Attack
  - Denial-of-Service Attack
  - Timing-Based Attack
- Defenses for these threats exist…
Page 45
Conclusion: Hitchhiking Highlights
- It is a client-focused, software-based approach to privacy-sensitive location-centric apps
- It works on existing devices & networks
- It uses location constraints & anonymity
Page 46
Conclusion: Hitchhiking Highlights
- Hitchhiking is an extreme architecture: Assumes a system with minimum trust
  - Systems with implicit trust can relax principles
- Provides application developers a way to build useful location apps while avoiding well-known privacy risks
Page 47
Thank you! Questions and comments?
Karen P. Tang, [email protected]
Human-Computer Interaction Institute, Carnegie Mellon University
Acknowledgements: This is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. NBCHD030010, by an AT&T Labs fellowship, and by the National Science Foundation under grants IIS-0121560 and IIS-032531. We also thank contributors to Place Lab, jpcap, libpcap, and JDesktop Integration Components, which were utilized in this work.
Page 48
Potential Questions Slides
- K-anonymity
- Mixed Zones
- Query Anonymity
- Live Reports vs. Offline Collection
- Transport Layer Attack
- Denial-of-Service Attacks
- Timing-based Attacks
Page 49
K-Anonymity
- Server obscures client’s location by including client + k-1 others
- However:
  - Requires a trusted middleware server
  - Not applicable to location-centric applications supported by Hitchhiking
    - k-1 others may not be in the meeting room
Page 50
Mixed Zones
- Client gets new ID when entering location
- However: Requires trusted middleware server
  - Server keeps tab of all used IDs
  - Server provides new IDs to clients
Page 51
Query Anonymity
- Hitchhiking: Anonymizes location’s report
  - Doesn’t anonymize queries about a location
- Problem: What if you ask about a location?
  - If you’ve already been there before: Use sensed identifiers to ask server
Page 52
Query Anonymity (continued)
- If you haven’t been there before:
  - Mask queries
  - Cached, local model
Page 53
Live Reports vs Offline Collection
- Live reports not a Hitchhiking requirement
- Hitchhiking doesn’t assume connectivity
- Alternative: local cache, upload later
- However, might need to change app
  - Real-time availability
  - Temporal models of availability
Page 55
Transport Layer Attacks
- Problem:
  - Phone networks: providers know your location
  - WiFi networks: provider could log MAC address
- Reality: People trust their network providers
- Hitchhiking: Give app developers same level of trust
  - Does not introduce any new privacy threats by allowing apps to collect sensed data
Page 56
Denial-of-Service Attacks
- What if: server flooded with bad reports
- Standard approach: Give everyone a unique ID
  - Ban the ID that sends fraudulent data
  - Doesn’t allow for anonymity
Page 57
Denial-of-Service Attacks
- What if: server flooded with bad reports
- More anonymous approaches:
  - Note IP address which reports
    - Unlikely to report from many places in short time
  - Seed database with false data
    - Insert non-existent MAC address in identifier list
    - Ban reports that include false identifiers
Page 59
Timing-Based Attacks
- Hitchhiking: Content cannot lead to tracking
- Can we infer from consecutive reports?
  - 2 reports received around same time for same location of interest
  - Use reports from 2 close locations of interest
- Solution: Limit frequency of reports
  - Not just for an application but for all reports
  - E.g. report 1x/10 min for any app = sparse
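An added example, not the paper's code, of the anonymity-preserving defenses sketched on the two Denial-of-Service slides and the report-frequency limit on this slide: a seeded non-existent identifier that betrays fabricated reports, a per-source check that rejects a sender reporting from too many locations in a short window, and a device-wide limiter of one report per 10 minutes across all applications. The canary addresses, the window size, the location limit and the class names are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional, Tuple

# Constructed canary identifiers: MAC addresses of access points that do not
# exist. The server seeds them into the identifier list it publishes for a
# location of interest; an honest device can never sense them, so a report
# containing one was fabricated rather than sensed.
CANARY_IDENTIFIERS = {"02-00-00-00-00-01", "02-00-00-00-00-02"}

def report_is_fabricated(sensed: Iterable[str]) -> bool:
    """Server side: ban reports that include a seeded false identifier."""
    return any(mac in CANARY_IDENTIFIERS for mac in sensed)

class SourceActivityMonitor:
    """Server side: note which address each report comes from and flag one
    that reports from many different locations within a short window, which
    a real device is unlikely to do. No user identity is required."""
    def __init__(self, window_s: float = 600.0, max_locations: int = 2):
        self.window_s, self.max_locations = window_s, max_locations
        self.history: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def accept(self, source: str, location: str, now: float) -> bool:
        hist = self.history[source]
        hist.append((now, location))
        while now - hist[0][0] > self.window_s:   # drop reports outside the window
            hist.popleft()
        return len({loc for _, loc in hist}) <= self.max_locations

class GlobalReportLimiter:
    """Client side: at most one report per interval across every application
    on the device, so that two reports from nearby locations of interest
    cannot arrive close enough together to be chained into a trail."""
    def __init__(self, interval_s: float = 600.0):   # 1x/10 min, as on the slide
        self.interval_s = interval_s
        self.last_sent: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last_sent is not None and now - self.last_sent < self.interval_s:
            return False
        self.last_sent = now
        return True
```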