Putting People in their Putting People in their Places Places An Anonymous and Privacy- Sensitive Approach to Collecting Sensed Data in Location-Based Applications Karen P. Tang Pedram Keyani, James Fogarty, Jason I. Hong Human-Computer Interaction Institute Carnegie Mellon University
Putting People in their Places An Anonymous and Privacy-Sensitive Approach to Collecting Sensed Data in Location-Based Applications Karen P. Tang Pedram.
Dec 20, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Putting People in their Putting People in their PlacesPlacesAn Anonymous and Privacy-Sensitive Approach to Collecting Sensed Data in Location-Based ApplicationsKaren P. Tang Pedram Keyani, James Fogarty, Jason I. HongHuman-Computer Interaction InstituteCarnegie Mellon University
22
Location-Aware Computing Is Here
In-car navigation systemPDAs, phones, laptops: WiFi & GSM
33
Types of Location-Aware Apps
Person-centric“What restaurants are near me?”“Where are my friends?”“What’s happening around me?”
44
Privacy treated as a tradeoffAnonymity & Privacy
DisclosureFidelity
Specific Location Query:
“Where are the closest restaurants
near me?”
55
Privacy treated as a tradeoffAnonymity & Privacy
DisclosureFidelity
Specific Location Query:
“Where are the closest restaurants
near me?”
More Anonymous Location Query:
“Where are all the restaurants
in Montreal?”
66
Types of Location-Aware Apps
Person-centric“What restaurants are near me?”“Where are my friends?”“What’s happening around me?”
Location-centric“What’s happening at the mall?”“How busy is the restaurant?”“What’s happening on highway 5?”
77
Zipdash: a Location-Centric App
Commercial (acquired by Google)How it works:
Runs on GPS-enabled phonesContinuously disclose GPSServer infers traffic congestionView traffic information on phone
zipdash.com
88
Zipdash: How it works
Each car reports GPS data
Server collects all GPS reports
99
Zipdash: Privacy Threat
Each car reports GPS data
Server collects all GPS reports
Can you trust the server?Data is leaked …Someone is eavesdropping …
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
1010
Zipdash: Privacy Threat
Observation: consistent routes
Start/End is “Work” or “Home”
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
1111
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
Zipdash: Privacy Threat
Observation: consistent routes
Start/End is “Work” or “Home”
Malicious Server Threat:Hijack GPS log for each carInfer start of route as “Home”Lookup via consumer database
“Home”
1212
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
Zipdash: Privacy Threat
Observation: consistent routes
Start/End is “Work” or “Home”
Malicious Server Threat:Hijack GPS log for each carInfer start of route as “Home”Lookup via consumer database
Result: Your “Home” and your identity are revealed“Home”
1313
Zipdash: Use Fidelity Tradeoff ?
Car calculates actual GPSCar reports “blurred” GPS
Car A
8:00AM in Montreal, QC
8:05AM in Montreal, QC
8:10AM in Montreal, QC
8:15AM in Montreal, QC
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
1414
Zipdash: Use Fidelity Tradeoff ?
Car calculates actual GPSCar reports “blurred” GPS
Application loses usefulnessFidelity tradeoff lessens utility
Car A
8:00AM in Montreal, QC
8:05AM in Montreal, QC
8:10AM in Montreal, QC
8:15AM in Montreal, QC
Car A
8:00AM 45.587ºN, 73.921ºW
8:05AM 45.527ºN, 73.822ºW
8:10AM 45.594ºN, 73.838ºW
8:15AM 45.594ºN, 73.871ºW
1515
Limits of Fidelity Tradeoff
Fidelity tradeoff doesn’t work for Zipdash
1616
A New Approach to Privacy
Fidelity tradeoff doesn’t work for Zipdash
Location-centric applications need a better way to protect users’ privacy
“Hitchhiking”
1717
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
1818
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
1919
Client-focused, software-based approach to privacy-sensitive, location-centric apps on commodity devices and networks
Key: location is the entity of interest
Ensure complete user anonymity & no new privacy threats, even with malicious server
Hitchhiking: Definition
2020
Client-focused, software-based approach to privacy-sensitive, location-centric apps on commodity devices and networks
Key: Location is the entity of interest
Ensure complete user anonymity & no new privacy threats, even with malicious server
Hitchhiking: Definition
2121
Hitchhiking Approach to Zipdash
“Bridge” = location of interestOnly report GPS when on bridge
2222
Car A
8:05AM 45.527ºN, 73.822ºW
Car B
8:06AM 45.633ºN, 73.862ºW
Car C
8:07AM 45.549ºN, 73.792ºW
Hitchhiking Approach to Zipdash
“Bridge” = location of interestOnly report when on bridge
Prevent malicious server threat
No start/end patternEvery report from the same areasNo lookups are possible
A
B
C
2323
“Is my bus running late?”
Detection of on/off the bus
When on the bus: Device senses location Device models on/off busDevice anonymously
reports bus location to server
Server shares bus info
Hitchhiking Example: Bus
Location of interest: Bus route
[Patterson, 2003]
2424
Hitchhiking Example: Coffee shop
“Is Starbucks busy now?”
When in the coffee shop: Device senses WiFi locationDevice senses other devicesDevice anonymously reports
device count & WiFi infoServer infers shop’s
busyness
Location of interest:Coffee shop
2525
Hitchhiking Example: Meeting Room
Location of interest:Meeting Room
“Can I use that room now?”
When in the meeting room: Device senses WiFi locationDevice anonymously
reports WiFi data to server
Server infers room availability
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
2626
Research Contribution
Hitchhiking is: … a privacy-sensitive approach
… applicable to location-centric apps… provides complete user anonymity
while maintaining application’s full utility
By using Hitchhiking principles, we can build interesting sensor-based location applications without sacrificing the user’s privacy
2727
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
2828
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
2929
Meeting Room Availability
“Is that meeting room available right now?”
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
3030
Standard Approach: Always Track
Most common approach for current systemsPrivacy Threat from Malicious Server:
Most people spend bulk of time in an officeCorrelate location trails to a specific person
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
3131
Hitchhiking Solution
Define meeting rooms as locations of interestPrivacy defense: Client computation
Compute location on the deviceOnly report while at this location
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
3232
Hitchhiking Solution
Define meeting rooms as locations of interestPrivacy defense: Client computation
Compute location on the deviceOnly report while at this location
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
3333
Client location computation
Prior work: Place Lab [LaMarca et al, 2005; Schilit, 2003]
Client-based approach alone is not enough
Hitchhiking thoroughly investigates these other privacy threats and extends prior work to address them
3434
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
3535
Threat: Location Spoofing
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
Privacy Threat from Malicious Server:Add fake locations of interest (e.g. your office)
3636
Threat: Location Spoofing
Privacy Threat from Malicious Server:Add fake locations of interest (e.g. your office)Mislabel a fake location of interestEnables tracking of potential private places
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
Meeting Room C
3737
Hitchhiking Solution
Make threat apparent to the userPrivacy defense: Location of interest approval
In Office 4: “You appear to be in a location that another user has indicated is Meeting Room C. Do you want to disclose your info?
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
Meeting Room C
3838
Hitchhiking SolutionMake threat apparent to the userPrivacy defense: Location of interest approval
In Office 4: “You appear to be in a location that another user has indicated is Meeting Room C. Do you want to disclose information from your current location?”
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room A
Meeting
Room B
Meeting Room C
3939
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
4040
Threat: Link identifiers to a person
Privacy Threat from Malicious Server:Attach unique identifiers to locations of interestCraft identifiers to each individualPeople-specific reports for each location of interest
MaliciousServer
MeetingRoom B
B: John
B: Mary
4141
Hitchhiking Solution
Privacy defense: Sensed physical identifiersUse device to sense surrounding identifiersEnsures every device sees the same identifiers Anonymizes reports from devices
HitchhikingServer
MeetingRoom B
00-0C-F1-5C-04-A8
00-0C-F1-5C-04-A8
00-0C-F1-5C-04-A8
4242
Hitchhiking: Putting it Together
Device reports after detecting “Meeting Room B”:If first time, device prompts for disclosure approvalDevice anonymously reports sensed WiFi to server
Server only knows someone is in Meeting Room BNo person-specific location trail for any users
Office 1 Office 2 Office 3 Office 4 Office 5 Office 6
Office 6 Office 7 Office 8
Meeting
Room B
Meeting
Room A
00-0C-F1-5C-04-A8
4343
Related issues
Other issues surrounding Hitchhiking:Query AnonymityLive Reports vs. Offline CollectionTransport Layer AttackDenial-of-Service AttackTiming-Based Attack
Defenses for these threats exist…
4444
Overview
Motivation & Limits of Fidelity TradeoffHitchhikingExample ApplicationsPrivacy Analysis & Hitchhiking principles
Client computationLocation of interest approvalSensing physical identifiers
Conclusion
4545
Conclusion: Hitchhiking Highlights
It is a client-focused, software-based approach to privacy-sensitive location-centric apps
It works on existing devices & networks
It uses location constraints & anonymity
4646
Conclusion: Hitchhiking Highlights
Hitchhiking is an extreme architecture: Assumes a system with minimum
trust
Systems with implicit trust can relax principles
Provides application developers a way to build useful location apps while avoiding well-known privacy risks
4747
Thank you! Questions and comments?
Karen P. [email protected] Interaction InstituteCarnegie Mellon University
Acknowledgements: This is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. NBCHD030010, by an AT&T Labs fellowship, and by the National Science Foundation under grants IIS-0121560 and IIS-032531. We also thank contributors to Place Lab, jpcap, libpcap, and JDesktop Integration Components, which were utilized in this work.
4848
Potential Questions Slides
K-anonymityMixed ZonesQuery AnonymityLive Reports vs. Offline CollectionTransport Layer AttackDenial-of-Service AttacksTiming-based Attacks
4949
K-Anonymity
Server obscures client’s location by including client + k-1 others
However: Requires a trusted middleware serverNot applicable to location-centric applications supported by Hitchhiking
k-1 others may not be in the meeting room
5050
Mixed Zones
Client gets new ID when entering location
However: Requires trusted middleware server
Server keeps tab of all used IDsServer provides new IDs to clients
5151
Query Anonymity
Hitchhiking: Anonymizes location’s reportDoesn’t anonymize queries about a location
Problem: What if you ask about a location?
If you’ve already been there before: Used sensed identifiers to ask server
5252
Query Anonymity
Hitchhiking: Anonymizes location’s reportDoesn’t anonymize queries about a location
Problem: What if you ask about a location?
If you haven’t been there before: Mask queries Cached, local model
5353
Live Reports vs Offline Collection
Live reports not a Hitchhiking requirement
Hitchhiking doesn’t assume connectivity
Alternative: local cache, upload later
However, might need to change appReal-time availabilityTemporal models of availability
5454
Transport Layer Attacks
Problem: Phone networks: providers know your locationWiFi networks: provider could log MAC address
Reality: People trust their network providers
5555
Transport Layer Attacks
Problem: Phone networks: providers know your locationWiFi networks: provider could log MAC address
Reality: People trust their network providers
Hitchhiking: Give app developers same level of trust Does not introduce any new privacy threats by allowing apps to collect sensed data
5656
Denial-of-Service Attacks
What if: server flooded with bad reports
Standard approach: Give everyone an unique ID Ban the ID that sends fraudulent data
Doesn’t allow for anonymity
5757
Denial-of-Service Attacks
What if: server flooded with bad reports
More anonymous approaches:Note IP address which reports
Unlikely to report from many places in short time
Seed database with false dataInsert non-existent MAC address in identifier list
Ban reports that include false identifiers
5858
Timing-Based Attacks
Hitchhiking: Content cannot lead to tracking
Can we infer from consecutive reports?2 reports received around same time for same location of interestUse reports from 2 close locations of interest
5959
Timing-Based Attacks
Hitchhiking: Content cannot lead to tracking
Can we infer from consecutive reports?2 reports received around same time for same location of interestUse reports from 2 close locations of interest
Solution: Limit frequency of reportsNot just for an application but for all reportsE.g. report 1x/10 min for any app = sparse
Related Documents
