One of the privacy threats recognized in the use of LBS is represented by an adversary having information about the presence of individuals in certain locations, and using this information together with an (anonymous) LBS request to re-identify the issuer of the request associating her to the requested service. Several papers have proposed techniques to prevent this, assuming that the use of the service is considered sensitive. In this paper we investigate the more general case in which the adversary is also able to recognize traces of LBS requests by the same anonymous user, so that the identification of the issuer of one request can lead to the disclosure of the same user being in other possibly sensitive locations at different times or using sensitive services. Using the notion of "historical k-anonymity", this paper provides the first formalization of this class of privacy threats. Through extensive experiments based on realistic simulations, and runs of an optimal algorithm, we show some negative results for the defenses based on spatial generalization against these attacks under very conservative assumptions. Under more realistic location knowledge assumptions, we propose two defense algorithms, based on a strategy of changing and reusing of pseudo-identifiers, whose correctness is formally proved. Our experiments show that, among all the proposed algorithms, the ProvidentHider algorithm is particularly effective in protecting privacy for reasonably long sequences of requests.
ProvidentHider: an algorithm to preserve historical k-anonymity in LBS / S. Mascetti, C. Bettini, X.S. Wang, D. Freni, S. Jajodia - In: Proceedings [of the] tenth international conference on mobile data management : Systems, Services and Middleware, MDM 2009 18-20 May, 2009, Taipei, TaiwanLos Alamitos : IEEE Computer Society, 2009. - ISBN 9781424441532. - pp. 172-181 (( Intervento presentato al 10. convegno International Conference on Mobile Data Management tenutosi a Taipei, Taiwan nel 2009 [10.1109/MDM.2009.28].
ProvidentHider: an algorithm to preserve historical k-anonymity in LBS
S. MascettiPrimo
;C. BettiniSecondo
;D. FreniPenultimo
;
2009
Abstract
One of the privacy threats recognized in the use of LBS is represented by an adversary having information about the presence of individuals in certain locations, and using this information together with an (anonymous) LBS request to re-identify the issuer of the request associating her to the requested service. Several papers have proposed techniques to prevent this, assuming that the use of the service is considered sensitive. In this paper we investigate the more general case in which the adversary is also able to recognize traces of LBS requests by the same anonymous user, so that the identification of the issuer of one request can lead to the disclosure of the same user being in other possibly sensitive locations at different times or using sensitive services. Using the notion of "historical k-anonymity", this paper provides the first formalization of this class of privacy threats. Through extensive experiments based on realistic simulations, and runs of an optimal algorithm, we show some negative results for the defenses based on spatial generalization against these attacks under very conservative assumptions. Under more realistic location knowledge assumptions, we propose two defense algorithms, based on a strategy of changing and reusing of pseudo-identifiers, whose correctness is formally proved. Our experiments show that, among all the proposed algorithms, the ProvidentHider algorithm is particularly effective in protecting privacy for reasonably long sequences of requests.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
