Special Issue: Recent Advances in Information Security
Privacy-Preserving Location-Based Query Using Location Indexes and Parallel Searching in Distributed Networks
An efficient location-based query algorithm that protects the privacy of the user in distributed networks is given. The algorithm uses the location indexes of the users and multiple parallel threads to search for and quickly select all candidate anonymous sets that contain more users and whose location information is more uniformly distributed, which accelerates the temporal-spatial anonymization operations, and it allows users to configure their own privacy-preserving location query requests. Simulation results show that the proposed algorithm can serve location queries for more users at the same time, improve the performance of the anonymous server, and satisfy the anonymous location requests of the users.
Recently, with the development of mobile wireless communication and location technology, location-based services have emerged. The location information of a user consists of the user's identifier and temporal and spatial information . Another important problem for location information services is preserving the location privacy of the user . Applying anonymity to location-based services  is a direct and effective way to protect the quasi-identifiers of the users. Gruteser et al.  introduced the k-anonymity model to investigate the problem of preserving the location privacy of the users. Kido et al.  used dummies to study an anonymous communication technique for location-based services.
One of the key issues for privacy-preserving location-based services in distributed networks is to balance the quality of the query services against the privacy protection of the users. In this paper, we propose an efficient privacy-preserving location-based query algorithm that uses parallel searching to improve the efficiency of the anonymous server, which protects the location privacy of the user while still providing the location query services. The remainder of this paper is organized as follows. In Section 2, we review related work on privacy-preserving location-based techniques. In Section 3, we propose an efficient privacy-preserving location-based query algorithm using location indexes and parallel searching in distributed networks. Section 4 reports the simulation results. Section 5 concludes the paper.
2. Related Work
By applying the personalized k-anonymity model, Gedik and Liu  proposed the architecture and the algorithms to protect the location privacy of the user. Chow et al.  proposed a distributed k-anonymity model and a peer-to-peer spatial cloaking algorithm for the anonymous location-based services. Ghinita et al.  investigated the anonymous location-based query method in the distributed mobile systems. By using the distributed hash table to select the anonymous set of the users, Ghinita et al.  implemented the anonymous location-based query services in the mobile P2P system. Zhong and Hengartner  used the secure multiparty computation protocol to design a distributed k-anonymity protocol for protecting the location privacy. By using the obfuscation method and vague location information of the user, Duckham and Kulik  presented a privacy-preserving location query algorithm. Mokbel  proposed a location-obfuscation method which allows the server to record the real identifier of the user but decreases the precision of the location information to protect the location privacy. By introducing the trusted third party, Mokbel et al.  proposed a location service query method without compromising privacy.
By using space transformation, Khoshgozaran and Shahabi  gave a blind evaluation of nearest neighbor queries to protect location privacy. Ghinita et al.  studied private query methods in location-based services by partitioning the space into several areas and mapping these areas onto points of a Hilbert curve. Pietro and Viejo  developed a probabilistic and scalable protocol which guarantees the location privacy of the sensors replying to a query. Raj et al.  proposed a realistic semiglobal eavesdropping attack model, showed its effectiveness in compromising an existing source-location preserving technique, and designed a new protocol which preserves -angle anonymity by adapting the conventional function of data mules. Zhao et al.  developed optimal solutions to some special cases of the location privacy-preserving problem through dynamic programming, and several heuristics for the general case. Pingley et al.  implemented a context-aware privacy-preserving location-based services system with integrated protection for both data privacy and communication anonymity and integrated it with Google Maps. Tan  proposed a conditional privacy-preserving authentication and access control scheme for pervasive computing environments, in which the registration servers and authentication servers do not need to maintain any sensitive verification tables. Xi et al.  showed that the privacy-preserving shortest path routing problem can be solved with private information retrieval techniques without disclosing the origin or the destination.
By introducing local suppression into trajectory data anonymization to enhance the resulting data utility, Chen et al.  obtained a -privacy model on trajectory data without paying extra utility and computation cost, and proposed an anonymization framework that is independent of the underlying data utility metrics and is suitable for different trajectory data mining workloads. Based on extending the private equality primitive, Buchanan et al.  presented a novel encryption method for preserving the location and trajectory path of a user with privacy-enhancing technologies, which gives a significant improvement in computation speed. Cicek et al.  grouped the points of interest to create obfuscation areas around sensitive locations, used map anonymization as a model to anonymize trajectories, and proposed a new privacy metric, -confidentiality, that ensures location diversity by bounding the probability of a user visiting a sensitive location with the input parameters. Li and Jung  proposed a fine-grained privacy-preserving location query protocol (PLQL) to solve the privacy issues in existing LBS applications and to provide various location-based queries. PLQL implements semifunctional encryption through a novel distance computation and comparison protocol and supports multilevel access control. Dewri and Thurimella  proposed a user-centric location-based service architecture in which the users can observe the impact of location inaccuracy on the service accuracy; they constructed a local search application and demonstrated how meaningful information can be exchanged between the user and the service provider to allow the inference of contours depicting the change in the query results across a geographic area.
3. Privacy-Preserving Location-Based Services System and Algorithm
3.1. Anonymous Location Query Services System
The privacy-preserving location-based services system in the distributed networks consists of mobile users, communication service providers CS, and location service providers LS, in which an independent trusted third party provides the anonymous servers AS , as described in Figure 1.
The anonymous location-based query process is as follows.
Step 1. The users acquire their locations () via the communication services provider, where and are the two-dimensional location coordinates of the users, respectively, and represents the location precision.
Step 2. The users send the service request information to the anonymous server, where Uid is the identifier of the user, is the current location information of the user, profile represents the configuration file of the users, and denote the minimum and maximum requirements for anonymous areas, and are the temporal and spatial anonymous requests, respectively, is the service time demand, Pre represents the set to the anonymity priority or services priority, and Cont is the content of the query.
Step 3. The anonymous server receives the request from the user, generates the anonymous sets, and sends the information to the location service server, where is the anonymous area and is the th anonymous identifier of the user and represents the content of the th request from the user, .
Step 4. The location service server receives the requests of the user and returns the processed results to the anonymous server, and the anonymous server sends the transformed ID result to the user.
3.2. Privacy-Preserving Location Query Algorithm
Assume that users want to request location-based query services and the ith anonymous request is . If the users are evenly distributed in the space range, the probability that their request information can be guessed is and the probability that the actual locations of the users can be guessed is , respectively. The more users there are in the space range, the more anonymous requests there are and the larger the generated anonymous area, and hence the better the anonymity; but the computational cost of searching the anonymous space increases, and the quality of the obtained location-based services may be relatively poor. Multiple searching threads are executed in parallel to accelerate the generation of the candidate anonymous set for each request queue, and to compute the user density for all candidate anonymous sets and the distribution of the users in the anonymous sets , where is the number of users in the th quadrant of the four partitioned quadrants, .
When the location anonymous server has received the request from the user, it searches the location indexes in B-tree and inserts the location information into the request queue. If it is necessary to establish a new request queue, the location indexes will be updated. The multiple threads search in parallel and select quickly the anonymous areas in the request queues. The anonymous server handles the selected anonymous areas and provides the appropriate location services for the users.
To establish the bidirectional indexes, each element in the request queues is arranged into the form (). The performance of the anonymous server is directly affected by the number of the request queues on the anonymous server. We assume that there are location query requests and request queues on the anonymous server; the location query requests are evenly distributed in the range with area and the maximum anonymous radius , and the number of the request queues is . B-tree is used to construct the location indexes with the directions and on the anonymous server. The two main algorithms running on the anonymous server are the Request Enqueue Algorithm and Anonymous Set Generation Algorithm, which are described as follows.
Algorithm 1. Request Enqueue Algorithm.
Begin
(1) The request is received and it is expanded to , .
(2) The B-tree index with the condition along the direction is searched.
(2.1) If the search in the direction is unsuccessful, the request is inserted into the queue, the indexes in the direction are updated, and the indexes in the direction are added.
(2.2) If the search in the direction is successful, the B-tree index with the condition along the direction is searched.
(2.2.1) If the search in the direction is unsuccessful, the current request is inserted into the request queue and the indexes in the direction are updated.
(2.2.2) If the search in the direction is successful, the current request is inserted into the request queue in chronological order.
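The enqueue step above, written out as an added example (it is not code from the paper, whose implementation is in Java). The B-tree indexes in the two coordinate directions are stood in for by sorted lists searched with bisection, the "expansion" of a request is read as the interval [x − R, x + R] and [y − R, y + R] for a maximum anonymous radius R, and each request queue is anchored at the location of its first request; all three are assumptions, as are the request names and coordinates, which are constructed.

```python
import bisect
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    uid: str
    x: float
    y: float
    t: float  # arrival time, used for chronological insertion


@dataclass
class RequestQueue:
    qid: int
    x: float  # anchor: location of the queue's first request (assumption)
    y: float
    items: List[Request] = field(default_factory=list)


class LocationIndex:
    """Bidirectional location index over request queues.

    Sorted (coordinate, qid) lists + bisect stand in for the paper's
    B-tree indexes in the x and y directions (assumption).
    """

    def __init__(self, radius: float):
        self.radius = radius  # maximum anonymous radius R
        self.x_index: List[Tuple[float, int]] = []
        self.y_index: List[Tuple[float, int]] = []
        self.queues: Dict[int, RequestQueue] = {}

    @staticmethod
    def _search(index: List[Tuple[float, int]], lo: float, hi: float) -> Set[int]:
        # Range query [lo, hi] on one coordinate, as a B-tree range scan would do.
        i = bisect.bisect_left(index, (lo, -1))
        j = bisect.bisect_right(index, (hi, float("inf")))
        return {qid for _, qid in index[i:j]}

    def _new_queue(self, req: Request) -> int:
        # Step 2.1 / 2.2.1: open a new request queue and update both indexes.
        qid = len(self.queues)
        self.queues[qid] = RequestQueue(qid, req.x, req.y, [req])
        bisect.insort(self.x_index, (req.x, qid))
        bisect.insort(self.y_index, (req.y, qid))
        return qid

    def enqueue(self, req: Request) -> int:
        """Steps 1-2: return the id of the queue the request was placed in."""
        r = self.radius
        # Step 2: search along x with the expanded interval.
        x_hits = self._search(self.x_index, req.x - r, req.x + r)
        if not x_hits:
            return self._new_queue(req)
        # Step 2.2: candidates found along x, now search along y.
        y_hits = self._search(self.y_index, req.y - r, req.y + r) & x_hits
        if not y_hits:
            return self._new_queue(req)
        # Step 2.2.2: several queues may match; pick the nearest (assumption).
        qid = min(
            y_hits,
            key=lambda q: (self.queues[q].x - req.x) ** 2 + (self.queues[q].y - req.y) ** 2,
        )
        items = self.queues[qid].items
        pos = bisect.bisect_right([it.t for it in items], req.t)
        items.insert(pos, req)  # keep the queue in chronological order
        return qid

    def members(self, qid: int) -> List[str]:
        return [it.uid for it in self.queues[qid].items]


# Constructed sample requests (not from the paper); coordinates in metres.
CONSTRUCTED_REQUESTS = [
    Request("A", 10, 10, 1.0),
    Request("B", 50, 30, 3.0),     # near A in both x and y -> joins A's queue
    Request("C", 500, 500, 2.0),   # far away -> new queue
    Request("D", 40, 400, 4.0),    # matches A along x but not along y -> new queue
    Request("E", 20, 20, 0.0),     # near A, earlier than A -> inserted ahead of A
]


def build_index(radius: float = 100.0) -> Tuple[LocationIndex, Dict[str, int]]:
    idx = LocationIndex(radius)
    assignment = {req.uid: idx.enqueue(req) for req in CONSTRUCTED_REQUESTS}
    return idx, assignment


if __name__ == "__main__":
    idx, assignment = build_index()
    print(assignment)            # {'A': 0, 'B': 0, 'C': 1, 'D': 2, 'E': 0}
    print(idx.members(0))        # ['E', 'A', 'B']
```

The point of the two-direction lookup is that the x-range scan alone is a coarse filter (request D passes it), and only the y-range scan intersected with the x hits decides whether an existing queue is reused; a queue is reused only when both coordinates fall within R of its anchor.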
Algorithm 2. Anonymous Set Generation Algorithm.
Begin
(1) The temporal-spatial queue is constructed, in which each element links to a request queue.
(2) The Request Enqueue Algorithm is executed to generate a new request queue , and this request queue is inserted into queue in chronological order, where and represent the space and time, respectively.
(3) Each element in queue is searched, and multiple threads are generated according to the condition , where is the time when the element in queue wants to generate the request queue, is the current time of the running system, and is the threshold. Each request queue is assigned to a thread.
(4) Multiple threads run in parallel, and each thread is responsible for the following operations.
(4.1) If the number of elements in the request queue is smaller than , the elements which satisfy the condition are searched and those elements with priority pre are deleted to form request queue set . When is not empty, the density of the users is queried from the communication service provider, the anonymous area and radius with the minimum anonymous request are computed, and the anonymous request set is generated from the radius and the centroid of all elements in set . The ID disturbing algorithm is executed to disturb the ID of the user, and the anonymous request set is submitted to the location services server.
(4.2) If the number of elements in the request queue is larger than , threads are generated, where is the number of elements in the request queue. Each thread executes the following operations.
(4.2.1) If the three points , and in the anonymous range lie on a straight line, the coordinate of the center of the anonymous request set is ; otherwise, the circumcenter of the triangle with vertices , and is the center of the anonymous request set.
(4.2.2) If , a candidate anonymous area with circle center and radius is generated.
(4.2.3) The number of elements in the circle is computed, and the farthest point from the circle center and its distance are recorded. If , then report failure.
(4.2.4) If the number of elements which satisfy the anonymous request is also smaller than , then report failure.
(4.2.5) If and then , if and then , if and then , and if and then , .
(4.2.6) If each element within the circle satisfies the anonymous request, then is computed. If goes beyond the threshold, the radius of the circle is reduced until is within the threshold. Finally, the new radius is obtained.
(4.2.7) The anonymous area , the set including all the request elements in this area, and the number of elements in set are returned, and the density of the users in the anonymous set is computed.
(4.3) The ID disturbing algorithm is executed to disturb the ID of the user, set is submitted to the location service server, queue is renewed with the elements which are not in set , and the location indexes are updated.
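Steps (4.2.1) to (4.2.7) of the Anonymous Set Generation Algorithm, as an added example that is not the paper's own code: the circle center is the circumcenter of three seed points (the midpoint of the farthest pair when they are collinear, which is an assumption since the page does not give the collinear formula), the candidate circle starts at the maximum anonymous radius, the per-quadrant counts are compared through a constructed imbalance measure (max minus min count divided by the total), and the radius is shrunk geometrically until the imbalance falls within the threshold or the k-anonymity requirement can no longer be met. The user positions and anonymity requirements are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]


@dataclass
class Req:
    uid: str
    x: float
    y: float
    k: int  # this user's own anonymity requirement (minimum users in the set)


@dataclass
class AnonymousArea:
    center: Point
    radius: float
    members: List[str]                       # request elements inside the circle
    quadrant_counts: Tuple[int, int, int, int]
    density: float                           # users per unit area of the circle
    farthest: Tuple[str, float]              # farthest member and its distance


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def circumcenter(a: Point, b: Point, c: Point) -> Point:
    """Step 4.2.1: circumcenter of the triangle abc, or the midpoint of the
    farthest pair when the three points are collinear (assumption)."""
    d = 2 * (a[0] * (b[1] - c[1]) + b[0] * (c[1] - a[1]) + c[0] * (a[1] - b[1]))
    if abs(d) < 1e-9:  # collinear: the circumcircle is undefined
        p, q = max([(a, b), (a, c), (b, c)], key=lambda pq: dist(*pq))
        return ((p[0] + q[0]) / 2, (p[1] + q[1]) / 2)
    a2, b2, c2 = a[0] ** 2 + a[1] ** 2, b[0] ** 2 + b[1] ** 2, c[0] ** 2 + c[1] ** 2
    ux = (a2 * (b[1] - c[1]) + b2 * (c[1] - a[1]) + c2 * (a[1] - b[1])) / d
    uy = (a2 * (c[0] - b[0]) + b2 * (a[0] - c[0]) + c2 * (b[0] - a[0])) / d
    return (ux, uy)


def quadrant_counts(reqs: Sequence[Req], center: Point) -> Tuple[int, int, int, int]:
    """Step 4.2.5: number of users in each of the four quadrants around the center."""
    cx, cy = center
    n = [0, 0, 0, 0]
    for q in reqs:
        right, upper = q.x >= cx, q.y >= cy
        n[0 if (right and upper) else 1 if upper else 2 if not right else 3] += 1
    return (n[0], n[1], n[2], n[3])


def imbalance(counts: Tuple[int, int, int, int]) -> float:
    # Constructed uniformity measure: 0 means perfectly even quadrants.
    total = sum(counts)
    return (max(counts) - min(counts)) / total if total else 1.0


def generate_anonymous_area(reqs: Sequence[Req], seeds: Tuple[Point, Point, Point],
                            k_min: int, r_max: float, imbalance_threshold: float,
                            shrink: float = 0.9, r_min: float = 1e-6) -> Optional[AnonymousArea]:
    """Steps 4.2.1-4.2.7; returns None where the algorithm reports failure."""
    center = circumcenter(*seeds)
    r = r_max  # Step 4.2.2: start from the maximum anonymous radius (assumption)
    while r > r_min:
        inside = [q for q in reqs if dist((q.x, q.y), center) <= r]   # Step 4.2.3
        # Steps 4.2.3/4.2.4: too few users, or some user's own k is not met -> failure
        if len(inside) < k_min or any(q.k > len(inside) for q in inside):
            return None
        counts = quadrant_counts(inside, center)
        if imbalance(counts) <= imbalance_threshold:                    # Step 4.2.6
            far = max(inside, key=lambda q: dist((q.x, q.y), center))
            return AnonymousArea(center, r, [q.uid for q in inside], counts,
                                 len(inside) / (math.pi * r * r),      # Step 4.2.7
                                 (far.uid, dist((far.x, far.y), center)))
        r *= shrink  # distribution too skewed: reduce the radius and retry
    return None


# Constructed sample users (not from the paper); coordinates in arbitrary units.
USERS = [Req(u, x, y, 3) for u, x, y in [
    ("u1", 0, 0), ("u2", 2, 0), ("u3", 0, 2), ("u4", 2, 2),
    ("u5", 3, 1), ("u6", 1, 3), ("u7", -1, 1), ("u8", 1, -1), ("u9", 10, 10)]]
SEEDS = ((0.0, 0.0), (2.0, 0.0), (0.0, 2.0))   # circumcenter is (1, 1)

if __name__ == "__main__":
    area = generate_anonymous_area(USERS, SEEDS, k_min=3, r_max=3.0, imbalance_threshold=0.3)
    print(area.radius, area.members, area.quadrant_counts)   # 3.0, 8 users, (3, 2, 1, 2)
    tight = generate_anonymous_area(USERS, SEEDS, k_min=3, r_max=3.0, imbalance_threshold=0.2)
    print(round(tight.radius, 3), tight.members, tight.quadrant_counts)  # radius < 2, 4 users, (1, 1, 1, 1)
```

With the looser threshold the first candidate circle is accepted; with the tighter one the radius is shrunk until the four users at distance 2 drop out, leaving a perfectly balanced set of four. Raising k_min above what the shrunken circle can hold makes the same run report failure rather than return a skewed set, which is the trade-off between anonymity size and distribution uniformity that the algorithm manages.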
We used a multicore computer to simulate the anonymous server and PCs to simulate users requesting location services concurrently. Red Hat 5.1 and MySQL 5.5 run on the anonymous server, and Ubuntu 10.04 runs on the clients. The presented algorithms are implemented in Java with JDK 7.0 and socket communication.
The Thomas Brinkhoff road network data generator is used to produce the location service requests, and the Oldenburg urban road network is used as the input data of the generator. The anonymous server handles the location queries and the anonymous requests from the users. The value of pre is set to service priority. The values of the relevant experimental parameters are listed in Table 1.
We first test how the waiting time of the user and the average anonymous value of affect the ratio of the temporal-spatial anonymity. The obtained simulation result is given in Figure 2.
From Figure 2, we can see that the longer the waiting time of the user, the higher the ratio of the temporal-spatial anonymity, and the smaller the average anonymous request, the higher the ratio of the temporal-spatial anonymity.
The result in Figure 3 shows that the larger the anonymous space request, the higher the ratio of the temporal-spatial anonymity and the ratio of the temporal-spatial anonymity changes significantly along with the increase of the anonymous space request. This illustrates that the different anonymous space requests will affect remarkably the ratio of the temporal-spatial anonymity.
The required processing time and the anonymous area of our algorithm and the Bottom_up algorithm  are shown in Figures 4 and 5, respectively, where the minimum anonymous range is partitioned into small square areas with a side length of 300 m, and 3 users are initially contained within the minimum anonymous range.
We can see from Figure 4 that the required processing time for the Bottom_up algorithm is much less than the required time for our algorithm. This is because our algorithm processes more location service requests than the Bottom_up algorithm in order to achieve a better privacy-preserving effect.
The results in Figure 5 show that along with the increase of the value of , the anonymous area for the Bottom_up algorithm is increased, but the anonymous area for our algorithm is relatively stable; when the value of is larger than 5.5, the anonymous area for our algorithm is smaller and the quality of the anonymous location service is better; in other words, the degree of privacy protection for our algorithm is higher.
Figure 6 gives the size of the processed anonymous data, in which our algorithm and the Bottom_up algorithm are executed in 20 minutes.
We can see from Figure 6 that, if there are adequate location service requests, our presented algorithm executes multiple parallel threads to search quickly the candidate anonymous sets and it can process more location service requests than the Bottom_up algorithm. That is to say, our algorithm can offer simultaneously services for more users.
The main contribution of this paper is to establish the location request queues according to the location indexes of the users, such that the amount of information searched during the anonymous operations is remarkably reduced, and the selection of the anonymous sets on the anonymous server is sped up by executing multiple threads that search the candidate anonymous sets in parallel. The presented privacy-preserving location-based query algorithm obtains better location information services. Future work is to integrate the anonymous locations and the trajectory services with cartographic information and historical data to develop a trajectory privacy-preserving method in distributed networks.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
This paper is supported by Guangxi Natural Science Foundation under Grant no. 2011GXNSFA018152.
J. P. Baugh and J. Guo, “Location privacy in mobile computing environments,” in Ubiquitous Intelligence and Computing, J. Ma, H. Jin, L. T. Yang, and J. J. P. Tsai, Eds., vol. 4159 of Lecture Notes in Computer Science, pp. 936–945, Springer, Berlin, Germany, 2006.
M. Gruteser and D. Grunwald, “Anonymous usage of location-based services through spatial and temporal cloaking,” in Proceedings of the 1st International Conference on Mobile Systems, Applications, and Services, pp. 31–42, San Francisco, Calif, USA, May 2003.
B. Gedik and L. Liu, “Protecting location privacy with personalized k-anonymity: architecture and algorithms,” IEEE Transactions on Mobile Computing, vol. 27, no. 1, pp. 1–18, 2008.
C.-Y. Chow, M. F. Mokbel, and X. Liu, “A peer-to-peer spatial cloaking algorithm for anonymous location-based service,” in Proceedings of the 14th Annual ACM International Symposium on Advances in Geographic Information Systems (ACM-GIS '06), pp. 171–178, Arlington, Va, USA, November 2006.
G. Ghinita, P. Kalnis, and S. Skiadopoulos, “MobiHide: a mobile peer-to-peer system for anonymous location-based queries,” in Advances in Spatial and Temporal Databases, vol. 4605 of Lecture Notes in Computer Science, pp. 221–238, Springer, Berlin, Germany, 2007.
M. Duckham and L. Kulik, “A formal model of obfuscation and negotiation for location privacy,” in Proceedings of the 3rd International Conference on Pervasive Computing, pp. 152–170, Munich, Germany, May 2005.
M. F. Mokbel, C. Y. Chow, and W. G. Aref, “The new Casper: query processing for location services without compromising privacy,” in Proceedings of the 32nd International Conference on Very Large Data Bases, pp. 763–774, Seoul, Republic of Korea, September 2006.
A. Khoshgozaran and C. Shahabi, “Blind evaluation of nearest neighbor queries using space transformation to preserve location privacy,” in Advances in Spatial and Temporal Databases, vol. 4605 of Lecture Notes in Computer Science, pp. 239–257, Springer, Berlin, Germany, 2007.
G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan, “Private queries in location based services: anonymizers are not necessary,” in Proceedings of the ACM SIGMOD International Conference on Management of Data, pp. 121–132, Vancouver, Canada, June 2008.
A. Pingley, W. Yu, N. Zhang, X. Fu, and W. Zhao, “A context-aware scheme for privacy-preserving location-based services,” Computer Networks, vol. 56, no. 11, pp. 2551–2568, 2012.
Z. Tan, “A lightweight conditional privacy-preserving authentication and access control scheme for pervasive computing environments,” Journal of Network and Computer Applications, vol. 35, no. 6, pp. 1839–1846, 2012.
X. Y. Li and T. Jung, “Search me if you can: privacy-preserving location query service,” in Proceedings of the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM '13), pp. 2760–2768, Turin, Italy, April 2013.
R. Dewri and R. Thurimella, “Exploiting service similarity for privacy in location-based search queries,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 374–383.