Mobile Information Systems
Volume 2016, Article ID 6182769, 9 pages
http://dx.doi.org/10.1155/2016/6182769
Research Article

A Privacy-Preserving Location-Based System for Continuous Spatial Queries

Information Communication Engineering, Wonkwang University, Iksan-shi, Republic of Korea

Received 21 June 2016; Accepted 25 September 2016

Academic Editor: Chang Xu

Copyright © 2016 Doohee Song and Kwangjin Park. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

-anonymization generates a cloaked region (CR) that is -anonymous; that is, the query issuer is indistinguishable from other users (nearest neighbors) within the CR. This reduces the probability of the query issuer’s location being exposed to untrusted parties (). However, location cloaking is vulnerable to query tracking attacks, in which the adversary infers the query issuer by comparing the two regions of consecutive queries in continuous LBS. This paper proposes a novel location cloaking method that resists this attack. The target systems of the proposed method are road networks whose layout is known in advance and fixed, so that the mobile clients’ trajectories are constrained to it, such as subways, railways, and highways. The proposed method, called adaptive-fixed -anonymization (), takes this constraint into account and generates smaller CRs without compromising the privacy of the query issuer’s location. Our results show that the proposed method outperforms previous location cloaking methods.

1. Introduction

With the growth of location-based services (LBS) in mobile computing, many businesses are interested in analyzing user location data to better understand patterns and relationships. For example, social marketing relying on social network services takes the form of coupons or advertising directed at customers based on their current locations. In general, mobile clients must expose their exact location information to an LBS provider before receiving their desired services. The location of a mobile client can be obtained via a variety of outdoor and indoor positioning technologies (e.g., Global Positioning System and Wi-Fi). LBS include services to identify the location of a person or object, such as the nearest point of interest (POI) or the whereabouts of a friend or employee. Typical LBS applications include road navigation and vehicle tracking services [14]. As LBS have become more numerous and diverse, user privacy violations have become more commonplace. Unfortunately, laws and regulations regarding LBS and location privacy have tended to become less rigorous. This paper proposes a technical approach for location data protection in LBS. For example, when a user sends a continuous -anonymity query, the set of clients in successive cloaked regions may change while the user remains, so the user’s identity can be exposed to the service provider. In other words, the service provider can store the user’s query contents and the cloaked regions (CRs) received from the client and correlate them over time. Therefore, we propose a novel algorithm to protect users’ query contents and CRs (trajectory). In this scheme, if random  were to travel in opposite directions from the user, the CRs would grow, at which point a service provider may have to search many POIs.

Much research has been done on protecting a user’s location. Yi et al. [5] introduced a method for protecting various categories of data. The first categories were information access control, mix-zone, and -anonymity. To function, this method required an anonymization server; a trusted server, such as middleware, that functioned as an intermediary between the client and the LBS server; and every client to be stored in the anonymization server.

The secondary categories were dummy location, geographic data transformation, and private information retrieval (PIR). Within these categories, the anonymization server could be exposed to an adversary. Therefore, a user had to make a dummy to protect his or her position using the dummy technique. Alternatively, the PIR technique required more than one server ().

We propose protecting users’ locations using a -anonymity technique. The -anonymity functions as follows.

Location cloaking blurs a user’s location into a CR that satisfies the privacy parameter (the -anonymity metric) specified by the user at query time. Location cloaking has attracted a tremendous amount of research as a solution to protect user privacy in LBS. Previous location cloaking methods perform -anonymization (i.e., identification of -anonymous users) at the moment that a user issues a query with -anonymity [611].

Figure 1 illustrates an example of 4-anonymization. The anonymization server, a trusted third party that functions as an intermediary between the client and the LBS server, identifies a CR that satisfies the 4-anonymity requirement. This enables the query issuer to have the query result without disclosing his or her exact location to the LBS server. -anonymization generates a CR that is -anonymous; that is, the query issuer is indistinguishable from other users (nearest neighbors) within the CR. This reduces the probability of the query issuer’s location being exposed to untrusted parties to . However, location cloaking is vulnerable to query tracking attacks, and a query issuer is not safe when launching continuous LBS queries. For example, if a client issues two queries at times   and with corresponding CRs, it is easy for an adversary to compare these two regions to find the query issuer [1215].

Figure 1: An example of -anonymization ().

This paper proposes a novel location cloaking method called that resists query tracking attacks. This proposed method can generate minimized CRs while protecting the location and trajectory privacy of the query issuer.

The contributions of this paper are as follows.
(i) A systematic model prevents both the query contents and CRs (trajectory) from being exposed to continuous spatial queries, because the query issuer is indistinguishable from .
(ii) The proposal of an effective anonymization method, , can reduce CRs within and resist query tracking attacks (refer to Section 4). Previous location cloaking methods [15, 16] perform -anonymization at each moment, whereas the proposed method prevents a query’s trajectory from .
(iii) The demonstration of the performance of the proposed method is presented in a variety of settings.

The rest of the paper is organized as follows. Section 2 reviews existing works on location anonymity. Section 3 introduces the problem statement, and Section 4 presents the system model and algorithms for the proposed method. In Section 5, the results of the experiment are presented. Finally, Section 6 concludes the paper.

The terms frequently used in this paper are defined in the Definition of Terms section.

2. Related Work

2.1. Issues Related to Location Privacy Protection

Today’s mobile devices, typically smartphones, enable users to gain access to various LBS that provide dynamic content based on the user’s location. In LBS, the transmission and sharing of user location data are necessary, and such data can be analyzed by third parties for various purposes. For example, one can infer sensitive private information about a person’s health conditions or lifestyle by analyzing his or her whereabouts, length of stay, and movement patterns. Analyzing user locations along with other personal information such as credit card details allows for the creation of more sophisticated and precise user information, which also gives rise to privacy and safety concerns. Hence, businesses and government organizations have made numerous efforts to protect location privacy. However, mandatory controls and regulatory standards that determine the priority between protection of location privacy and development of LBS and other location-based technologies are still lacking; therefore, there are currently no clear and objective criteria regarding this issue [1720].

2.2. Research Trends

Among various techniques that aim to protect the privacy of LBS users, a dummy is created when the mobile user queries the LBS, during which he or she sends many random locations to the LBS provider to obfuscate his or her location. However, the dummy is not derived from real clients. Thus, we cannot compare our method with the dummy method [21].

Private information retrieval (PIR) allows a user to retrieve a record from servers. To do so, PIR needs more than one server (). Therefore, this technique cannot be compared with our technique [2224].

Location cloaking based on -anonymity predominates and a great deal of research has been conducted on this technique [615, 2530].

Figure 1 presents an example of 4-anonymization. In this example, the minimum CR that satisfies the 4-anonymity requirement is outlined by a red rectangle (the CR contains 4-anonymous clients , , , and ). One problem this presents is that the size of the CR can increase when all clients are kept in the CR after they are selected. To address this problem, a method that forms a CR with clients that are nearest to the query issuer at a given time has been suggested. However, this method is vulnerable to query tracking attacks. It is very likely that the initial CR members other than the query issuer are updated in continuous queries. The adversary can easily guess the authentic query issuer by monitoring the CRs at different time points, and the one that constantly remains in the CRs is the query issuer (e.g., ).

Solutions have been proposed to resolve this problem. In [7], clients are found in proximity to the query issuer and a temporary CR is set that is twice as large as the initially calculated CR. In this method, the anonymization server must calculate the movement paths of all the clients, which increases the computational cost. Additionally, the accuracy of query results might be low due to the use of a movement probability matrix.

3. Problem Statement

This section presents the definitions for the proposed method. Previous location anonymization methods have experienced location privacy threats related to continuous queries, as depicted in Figure 2. method proposed in this paper is designed to solve this problem. The terms and variables frequently used in the proposed method are summarized in Definition of Terms Section.

Figure 2: A -anonymization problem related to continuous spatial queries.

Definition 1. A given set of clients, , includes (). That is, (: candidate set of close to a querier).

Definition 2. and (refer to Definition of Terms Section).
The criteria for selecting A- are as follows: (1) denotes the number of clients that are searched by (), and (2) among members, those with the smallest distance between the origin and the destination are chosen as members ().

Definition 3. Under fixed-, . is greater than or equal to 1 and less than or equal to (refer to Definition of Terms Section).

Definition 4. A set of clients, , includes and ( must be greater than and can include all the clients except ).

In Figure 1, . In Figure 2, when and , Algorithm 1 computes that member other than is ; that is, .

Algorithm 1: Query issuer’s query request.

Figure 2 depicts the problem in which the location of the querying client can be exposed in continuous queries with -anonymity. Figure 1 shows 4-anonymization at time , and Figures 2(a) and 2(b) present 4-anonymization at and , respectively (CRs are represented by a rectangle). This example indicates that the location of as well as its trajectory can be disclosed over time. When the CR is increased to reduce the probability of revealing a query issuer’s location, it may be necessary for the LBS server to send more objects corresponding to the increased CR to the query issuer, which increases the communication and computational costs.

Alternatively, lowering of the -anonymity requirement decreases the size of the CR but increases the probability of exposing a query issuer’s location to third parties. The proposed method assumes a road network environment where the client movement trajectories are fixed (e.g., subway, railway, and highway networks). Suppose that the clients nearest to the query issuer are selected as fixed CR members in such an environment. If clients that move in directions opposite to a query issuer are bounded in a CR along with the query issuer, the size of the CR increases dramatically over time.

4. Protection of User Location and Trajectory Privacy

4.1. System Model

In Figure 1, issues a query with 4-anonymity (i.e., ). The anonymizer (Algorithm 2), a location anonymization server in a LBS system that knows the locations of clients and generates blurred locations for them, checks the locations of all clients and generates a minimum CR that contains 4 clients including (see the solid rectangle in Figure 1).

Algorithm 2: Anonymizer’s query processing.

The anonymization server then sends queries with CRs to the LBS server that stores information about the queried objects.

In the proposed method, the query issuer first determines the destination, (nonfixed () + fixed ()), and (the number of clients for selecting members). The query issuer then issues a nearest-neighbor query (). The anonymizer checks the current locations and the destinations of the clients. As increases, the computational cost increases, but the size of the CRs decreases.

When moves from the origin to the destination, the clients are sorted so that those nearest to are listed first (). Subsequently, the top clients in the sorted list are selected as members ( is given by the query issuer). This procedure is represented in Algorithm 1.

4.2. Adaptive-Fixed -Anonymization

In Figure 3(a), ’s nearest neighbors are , , and when . At , the client nearest to is , the second nearest is , and the third nearest is . Thus, the sorted order of member clients is . Figures 3(b) and 3(c) show that the movement of clients will cause changes in the distance between members and . Suppose that the time period between the moment that a client issues a query and the moment that the client arrives at the destination is . is divided by (), and the distances of () to are calculated at every second. In Figures 3(a)–3(c), the movement of is depicted, and the sorted order of members is changed to according to the updated distance, . members are and when . And Figure 4 shows that members are , , , and, when .

Figure 3: An example of adaptive-fixed 2-anonymization ().
Figure 4: An example of adaptive-fixed 4-anonymization ().

In Figures 4(a)–4(c), the movement of is depicted, and the sorted order of members is changed to according to the updated area, . The proposed method selects and based on the query issuer’s request. To decrease the amount of information to be transmitted while preserving location privacy, the anonymizer generates a minimum bounding rectangle (MBR) that includes the CRs.

5. Performance Evaluation

Figure 5 shows the possible directions of movement of a client. Initially, a query issuer can move in one of eight different directions ( through ). After , moves to . It is assumed that can move in the directions at a angle from the current direction of movement. Here, the client moved in a set direction. This assumption was made to obscure a client’s movement pattern because, if a client was moving back and forth repeatedly, there might be a discernible location.

Figure 5: Directions of movement of a mobile client.

5.1. Experimental Settings

This section evaluates the performance of the proposed method in comparison with that of the existing AMV method. The experiments were carried out using a computer with a 2.9 GHz processor, 4 GB memory, and Microsoft Visual C++ 6.0. It was assumed that LBS clients are moving and that they are evenly distributed throughout the grid cells. The dataset comprised simulated uniform data. The length of a single grid cell was assumed to be 1 meter (m), and time () was measured in seconds. Our proposed method was compared with the all-fixed [16] and nonfixed [15] methods. We assumed the same service provider and anonymization server in our experimental environment as in [15]. Table 1 describes the parameter settings for the experiments.

Table 1: Experimental environment.

5.2. Experiment Results

Figure 6 shows how the sizes of the CRs associated with fixed anonymous clients () change over time. When , is 2. The fixed- method determines which five clients are nearest to the query issuer (). A- method generates a CR for the query issuer when and (in which case a reconfiguration is needed). Compared to the AMV method, the sizes of the CRs created by A- method are 12% lower. The proposed A- method can generate smaller CRs than the AMV method because A- selects optimal clients by monitoring members’ movements and updating the distances of moving clients to the query issuer .

Figure 6: The sizes of the CRs over time.

Figure 7 shows the sizes of the CRs, which change in connection with changes in . Here, is 5. At , the sizes of the CRs created by the proposed A- method increase as increases. This is because member clients that have the same destination as the query issuer must be searched, increasing the initial computational cost. However, the expansion ratios of the CRs gradually decrease over time.

Figure 7: The sizes of the CRs with regard to changes in .

Figure 8 shows the sizes of the CRs with regard to changes in (the number of fixed anonymous clients). When , can be 2, 3, or 4. The fixed- method selects the five clients nearest to the query issuer as members. A- method generates the CRs for the query issuer with and .

Figure 8: The sizes of the CRs with regard to changes in .

Figure 9 shows the sizes of the CRs, which vary according to the velocity () of the clients’ movement. It is assumed that the clients’ speeds are 1 m, 3 m, and 5 m per second. The CRs created by the proposed A- method when are smaller than those created when by 29.9%, and they are smaller than those created when by 42.7%. That is, the size of the CR increases as increases.

Figure 9: The sizes of the CRs with regard to changes in velocity ().

Figure 10 presents the number of queried objects, which changes according to changes in . As shown in Figure 8, the sizes of the CRs increase as increases. This implies that the search area for the query issuer increases as increases, which, in turn, increases the number of objects to be searched.

Figure 10: The numbers of queried objects with regard to changes in .

Figure 11 presents the sizes of the CRs in connection with changes in the number of LBS clients. The sizes of the CRs decrease as the number of clients increases. This is because LBS clients become more densely populated in a grid map.

Figure 11: The sizes of the CRs with regard to the number of clients.

Figure 12 shows how (the anonymity degree) changes under the three different anonymization methods over time. At , both the AMV and A- methods have the same (). is fixed at 20, and is fixed at 5. As time passes, the anonymity level gradually decreases, except for under the fixed- method. drops to nearly 1 under the AMV method, and decreases to 4 as increases under A- method.

Figure 12: Changes in over time.

Figure 13 presents the probability of protecting a query issuer’s location at different time points . As described in Figure 12, decreases over time in the AMV and A- methods and is unable to meet the requested anonymity metric of 10. This increases the probability of revealing a query issuer’s location to third parties.

Figure 13: The accuracies of the -anonymization methods over time.

6. Conclusion

This paper identified a drawback of existing -anonymous location cloaking methods that can occur in continuous LBS queries and proposed the A- method, which is effective in preventing this problem. The proposed A- method determines based on the query issuer’s request, increasing the query issuer’s satisfaction and decreasing the workload of the anonymization server. The proposed method can achieve smaller CRs than existing location anonymization methods while preserving -anonymity.

In the future, the movement information of mobile LBS clients will be analyzed, and the proposed A- method will be further refined to query requests for time and conditions. Additionally, algorithms to reduce errors that occur in the process of a movement information analysis will be studied.

Definition of Terms

CR: A cloaked region
: Client
: The query issuer (the querying client)
: The anonymity metric specified by the client; number of anonymous clients satisfying the -anonymity metric ()
: The number of anonymous clients that are fixed in the initial -anonymization process
: The number of nonfixed anonymous clients ()
: Total query processing time
Fixed-K: The method in which all the -anonymous clients are fixed since the initial -anonymization process
: The method in which only clients are fixed since the initial -anonymization process
AMV: The method in which -anonymous clients are not fixed in -anonymization

Competing Interests

The authors declare that there is no conflict of interest regarding the publication of this paper.

Acknowledgments

This paper was supported by Wonkwang University in 2016.

References

  1. K. Park and P. Valduriez, “A hierarchical grid index (HGI), spatial queries in wireless data broadcasting,” Distributed and Parallel Databases, vol. 31, no. 3, pp. 413–446, 2013.
  2. Y. Li, R. Chen, J. Xu, Q. Huang, H. Hu, and B. Choi, “Geo-social K-cover group queries for collaborative spatial computing,” IEEE Transactions on Knowledge and Data Engineering, vol. 27, no. 10, pp. 2729–2742, 2015.
  3. K. Park, “An efficient scalable spatial data search for location-aware mobile services,” Information Science and Engineering, vol. 31, no. 1, pp. 165–178, 2015.
  4. D. Song and K. Park, “A partial index for distributed broadcasting in wireless mobile networks,” Information Sciences, vol. 348, no. 20, pp. 142–152, 2016.
  5. X. Yi, R. Paulet, E. Bertino, and V. Varadharajan, “Practical k nearest neighbor queries with location privacy,” in Proceedings of the 30th IEEE International Conference on Data Engineering (ICDE '14), pp. 640–651, IEEE, Chicago, Ill, USA, April 2014.
  6. B. Bamba, L. Liu, P. Pesti, and T. Wang, “Supporting anonymous location queries in mobile environments with PrivacyGrid,” in Proceedings of the International Conference on World Wide Web (WWW '08), pp. 237–246, Beijing, China, April 2008.
  7. B. Gedik and L. Liu, “A customizable k-anonymity model for protecting location privacy,” in Proceedings of the International Conference on Distributed Computing Systems (ICDCS '05), pp. 620–629, June 2005.
  8. B. Gedik and L. Liu, “Protecting location privacy with personalized k-anonymity: architecture and algorithms,” IEEE Transactions on Mobile Computing, vol. 7, no. 1, pp. 1–18, 2008.
  9. P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias, “Preventing location-based identity inference in anonymous spatial queries,” IEEE Transactions on Knowledge and Data Engineering, vol. 19, no. 12, pp. 1719–1733, 2007.
  10. M. F. Mokbel, C.-Y. Chow, and W. G. Aref, “The new casper: query processing for location services without compromising privacy,” in Proceedings of the International Conference on Very Large Data Bases, pp. 763–774, August 2006.
  11. T. Xu and Y. Cai, “Exploring historical location data for anonymity preservation in location-based services,” in Proceedings of the IEEE International Conference on INFOCOM, pp. 547–555, April 2008.
  12. L. Yao, C. Lin, G. Liu, F. Deng, and G. Wu, “Location anonymity based on fake queries in continuous location-based services,” in Proceedings of the 7th International Conference on Availability, Reliability and Security (ARES '12), pp. 375–382, Prague, Czech Republic, August 2012.
  13. T. Xu and Y. Cai, “Location anonymity in continuous location-based services,” in Proceedings of the 15th ACM International Symposium on Advances in Geographic Information Systems (GIS '07), pp. 300–307, November 2007.
  14. C.-Y. Chow and M. F. Mokbel, “Enabling private continuous queries for revealed user locations,” in Proceedings of the International Conference on Spatial Temporal Databases, pp. 258–273, July 2007.
  15. D. Song, J. Sim, K. Park, and M. Song, “A privacy-preserving continuous location monitoring system for location-based services,” International Journal of Distributed Sensor Networks, vol. 2015, Article ID 815613, 10 pages, 2015.
  16. H. Kim, Y. Kim, and J. Chang, “A grid-based cloaking area creation scheme for continuous LBS queries in distributed systems,” Journal of Convergence, vol. 4, no. 1, pp. 23–30, 2013.
  17. S. Gambs, M.-O. Killijian, and M. N. del Prado Cortez, “De-anonymization attack on geolocated data,” Journal of Computer and System Sciences, vol. 80, no. 8, pp. 1597–1614, 2014.
  18. H. Liu, H. Darabi, P. Banerjee, and J. Liu, “Survey of wireless indoor positioning techniques and systems,” IEEE Transactions on Systems, Man and Cybernetics, Part C: Applications and Reviews, vol. 37, no. 6, pp. 1067–1080, 2007.
  19. L. Petrou, G. Larkou, C. Laoudias, D. Zeinalipour-Yazti, and C. G. Panayiotou, “Demonstration abstract: crowdsourced indoor localization and navigation with anyplace,” in Proceedings of the 13th International Symposium on Information Processing in Sensor Networks (IPSN '14), pp. 331–332, IEEE, Berlin, Germany, April 2014.
  20. R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Hippocratic databases,” in Proceedings of the International Conference on Very Large Data Bases, pp. 143–154, August 2002.
  21. H. Kido, Y. Yanagisawa, and T. Satoh, “An anonymous communication technique using dummies for location-based services,” in Proceedings of the 2nd International Conference on Pervasive Services (ICPS '05), pp. 88–97, July 2005.
  22. B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private information retrieval,” in Proceedings of the 1995 IEEE 36th Annual Symposium on Foundations of Computer Science, pp. 41–50, Milwaukee, Wis, USA, October 1995.
  23. R. Paulet, M. G. Kaosar, X. Yi, and E. Bertino, “Privacy-preserving and content-protecting location based queries,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 5, pp. 1200–1210, 2014.
  24. G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan, “Private queries in location based services: anonymizers are not necessary,” in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD '08), pp. 121–132, June 2008.
  25. B. Palanisamy and L. Liu, “MobiMix: Protecting location privacy with mix-zones over road networks,” in Proceedings of the 2011 IEEE 27th International Conference on Data Engineering (ICDE '11), pp. 494–505, Hannover, Germany, April 2011.
  26. R. Schlegel, C.-Y. Chow, Q. Huang, and D. S. Wong, “User-defined privacy grid system for continuous location-based services,” IEEE Transactions on Mobile Computing, vol. 14, no. 10, pp. 2158–2172, 2015.
  27. Y. Elmehdwi, B. K. Samanthula, and W. Jiang, “Secure k-nearest neighbor query over encrypted data in outsourced environments,” in Proceedings of the 30th IEEE International Conference on Data Engineering (ICDE '14), pp. 664–675, April 2014.
  28. S. Wang, X. Ding, R. H. Deng, and F. Bao, “Private information retrieval using trusted hardware,” in Proceedings of the International Conference on Computer Security, pp. 49–64, September 2006.
  29. B. Yao, F. Li, and X. Xiao, “Secure nearest neighbor revisited,” in Proceedings of the 29th International Conference on Data Engineering (ICDE '13), pp. 733–744, Brisbane, Australia, April 2013.
  30. M. L. Yiu, C. Jensen, X. Huang, and H. Lu, “SpaceTwist: managing the trade-offs among location privacy, query performance, and query accuracy in mobile services,” in Proceedings of the IEEE 24th International Conference on Data Engineering (ICDE '08), pp. 366–375, Cancun, Mexico, April 2008.