User:Hanson9527/sandbox

= Location Privacy =

Location privacy concerns consumers' location information. It is usually an important part of location-based services (LBS, such as Foursquare or Gowalla) that transmit and share user location data. Although LBS have long provided benefits and convenience to consumers, they inevitably disclose users' detailed personal attributes, which may reveal their interests or health information.

In some literature, location privacy is defined as a specific kind of personal privacy that is directly connected to users' location information and to other sensitive personal states inferred from it. From this definition, location privacy is mainly composed of two parts: the accurate position itself and the inferences that can be drawn from it through side channels.

As a consequence, it is both urgent and necessary to introduce practical location privacy preserving techniques.

== General Situation ==
At present, as smartphones and social networks gain popularity, the mobile Internet shows a new trend often termed ‘SoLoMo’, namely the combination of social, local and mobile. Not only do social sites like Facebook, Twitter and Microblog offer location based services, but conventional information services like ‘search for nearby restaurants’ also feature social elements. Location data is of great value in all these social applications, and it can be categorized into three classes according to its purpose.
 * In the first class, location data is treated as input information when requesting services, such as finding the nearest bank.
 * In the second class, location data is data that users are willing to share with others; one such application scenario is check-ins.
 * In the third class, location data is considered the price of certain free services.

Y.-A. de Montjoye et al. studied fifteen months of human mobility data for one and a half million individuals and found that human mobility traces are highly unique. In their research, four spatio-temporal points are enough to uniquely identify 95% of the individuals. In other circumstances, a variety of risks spring up once location data is misused. For example, attackers may infer users’ interests, habits or health information by counting up their check-ins; users’ home addresses may also be obtained by searching the location data generated at night. Besides, advertising agencies can push location-aware advertisements to consumers if they get timely access to their location data. To sum up, the disclosure of location data is capable of bringing potential harm to consumers, especially in this big data era. Therefore, how to ensure consumers’ location data privacy has become a necessary and urgent problem.

== Challenges ==

 * First of all, preserving location privacy is often a personalized requirement, meaning that different consumers have different expectations. Even the same user may want different levels of location privacy preservation on different occasions.
 * Secondly, location privacy and location information availability are actually in tension, because the service provider needs to know exactly where the consumer is if the consumer demands a higher QoS. Thus, an appropriate balance is needed between the location privacy protection strategy and location information availability [1].

== Countermeasures ==
Privacy preserving techniques adopted in LBS must take consumers' personal requirements and the overall QoS into consideration. In short, location privacy preserving techniques have to focus on these key problems:
 * 1) How to accurately measure the risk of disclosure of consumers' privacy;
 * 2) How to choose an efficient privacy protection mechanism in order to preserve users' privacy comprehensively;
 * 3) How to balance the preservation level, the QoS and the cost of resources.

Classification of privacy preserving techniques in LBS:
 * 1) Policy-based privacy preserving techniques (such as P3P);
 * 2) Fuzzification-based privacy preserving techniques (such as Pseudonym, Dummy, K-anonymity, Cloaking Granularity);
 * 3) Encryption-based privacy preserving techniques (such as PIR, HilCloak).

The fuzzification-based techniques in more detail:
 * Pseudonym decouples the mapping between the user identity and the location, so that an untrusted server only receives the location without the user identity. However, such a technique is limited to those location based services that do not require the user’s identity. In particular, the lack of user identity makes billing for these services impossible.
 * Dummy generates fake user locations (called dummies) and mixes them together with the genuine user location in the request [3]. However, by monitoring the long-term movement patterns of the user, the server may distinguish the genuine location from the dummies.
 * Cloaking Granularity aims at reducing the granularity of location information in terms of space and time. It requires the area of the cloaked region to be larger than a user-specified threshold.

== Front-end Techniques ==
1. 2PASS: Spatio-temporal granularity techniques allow a user to define the granularity of the location area that is exposed. Previous works focused only on minimizing the anonymity area while satisfying the privacy metrics, without considering the query content. Take a nearest-neighbour query as an example: a user wants to find the nearest restaurant to his location. A simple and direct method is to generate a region covering the user's location that meets the granularity threshold τ, and to send the query for that anonymity region to the service provider. The service provider then returns the detailed content of every possible nearest-neighbour object in the cloaked region, and the user decides the final result objects based on his genuine location. This method has two deficiencies. First, the service provider's processing time may be long, because there may be many candidate nearest-neighbour objects in the cloaked region and the provider must check all of them. Second, the response time may be long, because the detailed content returned for all these objects increases the data transmission overhead. To overcome this problem, the 2PASS framework, which adopts Voronoi cells, is proposed, as shown in Fig.2. Given a set of n objects, a Voronoi diagram divides the space into n partitions; each partition is called a Voronoi cell and corresponds to one object, as shown in Fig.3. As shown in Fig.4, a mobile user wants to request a location-based service (e.g., finding the nearest restaurant) from the LBS server. Traditional location cloaking approaches protect location privacy as follows. Before requesting the service, the user invokes location cloaking, which obtains for this user a cloaked region that satisfies the privacy metric (step ➀): location cloaking generates a random cloaked region that encloses the user’s genuine location and whose area is no less than a user-specified threshold τ. The user then attaches this region, instead of the accurate location, to the service request (step ➁). Upon receiving this request, the server processes it and returns the result objects (step ➂). Fig.4 also shows how 2PASS differs from traditional cloaking approaches. In 2PASS, the cloaked region is not blindly generated without knowledge of the dataset; rather, 2PASS is aware of the spatial locations of the objects and directly requests the contents of the result objects from the server instead of sending out an explicit cloaked region. To achieve this, 2PASS works in two phases. In the first phase (steps ➊➋), the client requests from the server a weighted adjacency graph (WAG) of its neighbourhood area, where the weight of a vertex is the area of the corresponding Voronoi cell. In the second phase (steps ➌➍), the client selects objects from this WAG (e.g., two restaurants, Mille’s and Maxim’s) and requests their complete contents (e.g., map, customer reviews, and reservation status).

Without additional information, the server can only know that the client is in the (implicit) cloaked region implied by these requested objects. In this sense, the client controls the objects to be returned and minimizes their number, and hence the total bandwidth usage, while still satisfying the privacy requirement. The core component of 2PASS is a lightweight WAG-tree index from which the client can compute the objects to request from the server. The framework can also be extended to support kNN queries and other location based services with various objectives.

2. ICliqueCloak: Among fuzzification-based privacy preserving techniques, location k-anonymity and cloaking granularity are two commonly used privacy metrics for addressing the location privacy issue. While location k-anonymity hides the user's identity among k users, it may not be able to prevent location disclosure (e.g., a cloaked region covering k users in a populated area could be very small). On the other hand, cloaking granularity prevents location disclosure but cannot defend against attacks on user identities in cases where user locations are publicly known and there is only one user in the cloaked region, as shown in Fig.5.

The authors consider the scenario where different location-based query requests are continuously issued by mobile users while they are moving. They show that most existing k-anonymity location cloaking algorithms are concerned with snapshot user locations only and cannot effectively prevent location-dependent attacks when users’ locations are continuously updated. Therefore, adopting both location k-anonymity and cloaking granularity as privacy metrics, they propose a new incremental clique-based cloaking algorithm, called ICliqueCloak, to defend against location-dependent attacks. The main idea is to incrementally maintain the maximal cliques needed for location cloaking in an undirected graph that takes into consideration the effect of continuous location updates.
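To make the two metrics concrete, here is an added Python example (not code from this page, nor from the ICliqueCloak authors) that cloaks a snapshot location under location k-anonymity alone, under cloaking granularity τ alone, and under both. The user positions, the value of τ and the bounding-box cloaking rule are constructed assumptions: the k-anonymity step boxes the requester together with its k-1 nearest users, and the granularity step replaces a too-small box by a randomly placed square of area at least τ that still contains it. It reproduces the two weaknesses described above: in the crowded spot, k-anonymity alone yields a region of only 2 m², while granularity alone around the isolated user yields a 10,000 m² region that holds a single user.

```python
import math
import random

# Constructed sample of user positions in metres (assumed data, not from the page):
# four users clustered in a busy spot and one isolated user.
USERS = {
    "alice": (100.0, 100.0),
    "bob":   (101.0, 100.5),
    "carol": (100.5, 102.0),
    "dave":  (102.0, 101.0),
    "erin":  (900.0, 900.0),
}


def area(region):
    """Area of an axis-aligned region (xmin, ymin, xmax, ymax)."""
    xmin, ymin, xmax, ymax = region
    return (xmax - xmin) * (ymax - ymin)


def covered_users(users, region):
    """Names of users whose position lies inside the region (borders inclusive)."""
    xmin, ymin, xmax, ymax = region
    return sorted(u for u, (x, y) in users.items()
                  if xmin <= x <= xmax and ymin <= y <= ymax)


def k_anonymity_region(users, uid, k):
    """Snapshot cloaking for the location k-anonymity metric: the bounding box
    of the requesting user and the k-1 users nearest to it."""
    ux, uy = users[uid]
    nearest = sorted(users, key=lambda v: math.dist(users[v], (ux, uy)))[:k]
    xs = [users[v][0] for v in nearest]
    ys = [users[v][1] for v in nearest]
    return (min(xs), min(ys), max(xs), max(ys))


def enforce_granularity(region, pos, tau, rng):
    """Cloaking granularity metric: if the region is smaller than tau, replace it
    by a random square of area >= tau that still contains the original region
    (and hence the genuine position pos). Random placement keeps the user away
    from a predictable spot such as the centre of the square."""
    if area(region) >= tau:
        return region
    xmin, ymin, xmax, ymax = region
    side = max(math.sqrt(tau), xmax - xmin, ymax - ymin)
    nx = xmin - rng.uniform(0.0, side - (xmax - xmin))
    ny = ymin - rng.uniform(0.0, side - (ymax - ymin))
    return (nx, ny, nx + side, ny + side)


def cloak(users, uid, k, tau, rng):
    """Both metrics together: k-anonymity first, then a minimum area of tau."""
    region = k_anonymity_region(users, uid, k)
    return enforce_granularity(region, users[uid], tau, rng)


def demo(seed=7, tau=10_000.0):
    """Run the scenarios with a seeded RNG and return the resulting regions."""
    rng = random.Random(seed)
    return {
        # crowded spot, k-anonymity only: 3 users covered, but a tiny region
        "k_only": k_anonymity_region(USERS, "alice", 3),
        # isolated user, granularity only: large region, but a single user inside
        "tau_only": enforce_granularity((900.0, 900.0, 900.0, 900.0), USERS["erin"], tau, rng),
        # both metrics for the crowded user
        "both": cloak(USERS, "alice", 3, tau, rng),
        # k-anonymity for the isolated user: region spans to the nearest other user
        "sparse_k2": k_anonymity_region(USERS, "erin", 2),
    }


if __name__ == "__main__":
    for name, region in demo().items():
        print(f"{name:10s} users={covered_users(USERS, region)} area={area(region):.1f} m^2")
```

The sparse case (erin with k=2) also illustrates the tension noted in the Challenges section: satisfying k-anonymity for an isolated user forces a region of over 600,000 m², so the QoS of a nearest-neighbour query on that region would drop sharply. This is snapshot cloaking only; the incremental clique maintenance of ICliqueCloak is not modelled.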

3. Multi-level Grid Scheme: The grid-and-hashing paradigm, shown in Fig.6, imposes a uniform grid G that partitions the space into cells. Note that the placement of G is a secret shared by users in the same group and is unknown to the service provider. For each user u at (ux, uy), his or her cell is indexed by (Gx(ux), Gy(uy)). The user then encodes this index using a one-way hash function Γ and sends the hash value Γ((Gx(ux), Gy(uy))) to the service provider. This hash value is called the signature of u with regard to grid G, denoted by G(u). To detect the proximity of two users, the service provider simply tests the equality of their uploaded signatures. To prevent reverse engineering of the cell and false positive results, Γ should be implemented by a keyed cryptographic (collision-free) hash function, such as SHA-256. The key is distributed among users in the same group and is changed dynamically (by rehashing) to counter inference by the service provider. One issue with the grid-and-hashing paradigm is false negatives: because the grid division is predefined, two users who are actually in proximity may be placed in different cells, so the signatures they upload differ. To enhance the grid-and-hashing paradigm by increasing detection accuracy while conserving wireless bandwidth, the multilevel grid scheme offers continuous proximity detection. Firstly, the proposed scheme can eliminate false-positive cases by setting an appropriate grid size. To minimize false-negative detection, it uses a grid overlay consisting of a set of independent grids and studies the optimal placement of these grids, as shown in Fig.7. The optimal grid overlay is created by shifting the first grid G along both diagonals by 1/k of the cell length at a time. Secondly, continuous monitoring involves user signature updates and service provider query re-evaluation.
A naive approach is for the user to update any signature of the grid overlay whenever it changes. Obviously, this approach is extremely costly, because the overlay might contain dozens of grids and thus lead to frequent signature updates. To address this, a multilevel grid overlay hierarchy is designed, as shown in Fig.8. The bottom level of the grid overlay is used for in-proximity pairs, while all upper levels are used for non-proximity pairs.
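As an added example (not the scheme authors' code, nor code from this page), the following Python simulates the grid-and-hashing signatures and the shifted grid overlay just described. The cell length, proximity distance, group key and sample positions are constructed assumptions; the keyed hash Γ is realised as HMAC-SHA256, and the overlay consists of k copies of the base grid, each shifted along the diagonal by a further 1/k of the cell length. Running evaluate() with k = 1, 2 and 4 shows the false negatives disappearing as grids are added, while no false positives occur because the cell diagonal is chosen below the proximity distance.

```python
import hashlib
import hmac
import math

# Constructed parameters (assumptions, not values from the page); distances in metres.
PROXIMITY_D = 150.0   # two users closer than this are "in proximity"
CELL_LEN = 100.0      # cell diagonal = 141.4 m <= PROXIMITY_D, so equal cells imply true proximity
GROUP_KEY = b"constructed-group-key"   # shared inside the friend group; the server never sees it


def cell_index(pos, cell_len, shift=(0.0, 0.0)):
    """(column, row) of the cell containing pos in a grid whose origin is moved by shift."""
    x, y = pos
    return (math.floor((x - shift[0]) / cell_len),
            math.floor((y - shift[1]) / cell_len))


def signature(key, cell):
    """Keyed hash Γ of the cell index (HMAC-SHA256 here); this is all the server receives."""
    msg = f"{cell[0]},{cell[1]}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def grid_overlay(cell_len, k):
    """k independent grids: grid i is the base grid shifted along the diagonal by i/k of a cell."""
    return [(i * cell_len / k, i * cell_len / k) for i in range(k)]


def client_upload(key, pos, cell_len, k):
    """Client side: one signature per grid of the overlay."""
    return [signature(key, cell_index(pos, cell_len, s)) for s in grid_overlay(cell_len, k)]


def server_detect(sigs_a, sigs_b):
    """Server side: proximity is reported iff the two users share a signature on some grid.
    Without the group key the server cannot recover the cell behind a signature."""
    return any(a == b for a, b in zip(sigs_a, sigs_b))


def ground_truth(pos_a, pos_b, d=PROXIMITY_D):
    """Exact answer, computed only to score the scheme."""
    return math.dist(pos_a, pos_b) <= d


def evaluate(pairs, cell_len=CELL_LEN, k=1, key=GROUP_KEY):
    """Count (false positives, false negatives) of the scheme over a list of position pairs."""
    fp = fn = 0
    for a, b in pairs:
        reported = server_detect(client_upload(key, a, cell_len, k),
                                 client_upload(key, b, cell_len, k))
        actual = ground_truth(a, b)
        fp += int(reported and not actual)
        fn += int(actual and not reported)
    return fp, fn


# Constructed sample pairs; the first two straddle a cell border of the base grid.
SAMPLE_PAIRS = [
    ((99.0, 50.0), (101.0, 50.0)),    # 2 m apart across the x = 100 border
    ((40.0, 50.0), (110.0, 50.0)),    # 70 m apart across the same border
    ((10.0, 10.0), (80.0, 80.0)),     # same base cell, about 99 m apart
    ((0.0, 0.0), (500.0, 500.0)),     # far apart, never in proximity
]

if __name__ == "__main__":
    for k in (1, 2, 4):
        fp, fn = evaluate(SAMPLE_PAIRS, k=k)
        print(f"{k} grid(s): false positives = {fp}, false negatives = {fn}")
```

Each added grid costs one more signature per update, which is the accuracy-for-bandwidth trade the scheme makes explicit. The multilevel hierarchy (coarser grids for non-proximity pairs) and the periodic key change are not modelled here; the block evaluates a single level with a fixed key.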

The key advantage of this scheme over existing works is that users can dynamically trade accuracy for communication cost (or vice versa) in a quantitative manner by adding (or removing) grids. This advantage is particularly critical in mobile environments, where bandwidth and battery conditions can change drastically. Using this scheme, the authors also devise a client-side location update scheme and a server-side update handling procedure for continuous proximity detection, to reduce location updates when users are far from their friends.

4. Zero-knowledge Indexing Algorithm: Among cryptography-based techniques with zero privacy disclosure, query processing that preserves both the query privacy at the client and the data privacy at the server is a new research problem. It has many practical applications, especially when the queries concern sensitive attributes of records. However, most existing studies, including those originating from data outsourcing, address data privacy and query privacy separately. Although secure multiparty computation (SMC) is a suitable computing paradigm for this problem, it has significant computation and communication overheads and thus cannot scale up to large datasets. Fortunately, recent advances in cryptography bring two relevant tools: conditional oblivious transfer and homomorphic encryption. Integrating database indexing techniques with these tools in the context of private search on key-value stores, the authors first present an oblivious index traversal framework, in which the server cannot trace the index traversal path of a query during evaluation, as shown in Fig.9. The framework is generic and can support a wide range of query types with a suitable homomorphic encryption algorithm in place. Based on this framework, they devise secure protocols for classic key-search queries on indexes, covering indexing, pruning, and pre-computing. The approach is verified by both security analysis and a performance study, which show that the previous linear time and communication complexity is reduced to logarithmic, making privacy preservation in both directions possible.

== Summary of Current Techniques ==