User:Nsjlcuwdbcc/spatial cloaking

Spatial cloaking is a privacy mechanism used to hide location information in location-based services by cloaking users’ exact locations to meet various privacy requirements, such as entropy, K-anonymity, and minimum area. With the development of technology, people are getting more customized services and personalized solutions to their requests. However, this convenience also exposes users’ privacy to certain risks, since attackers may illegally identify users’ locations and further exploit their personal information. Thus, multiple solutions have been proposed to preserve and enhance users’ privacy when using location-based services. Among all the proposed mechanisms, spatial cloaking is one of those that have been widely accepted and revised, and it has been integrated into many practical applications.

Background
With the emergence and popularity of location-based services, people are getting more personalized services, such as the names and locations of nearby restaurants and gas stations. This usually requires users to send their private locations either directly to the service provider or to a trusted third party. During the process of sending location information and receiving the requested service, users' location information could be targeted by attackers, which could potentially reveal users' identity, location, and further private information. It has been realized that quasi-identifiers, a set of information attributes, can be used to re-identify a user when linked with external information. For example, a social security number could be used by adversaries to identify a specific user. Multiple privacy-preserving solutions have been proposed, and to ensure the effectiveness of these ideas, some widely accepted privacy requirements have to be satisfied, such as K-anonymity, entropy, and minimum area. Different approaches have been identified in recent years to address these requirements respectively. For example, spatial cloaking is usually integrated to satisfy K-anonymity[1].

Location privacy
Location privacy is usually considered to fall into the category of information privacy, and it refers to the location of a specific user, the time, or the paired point of location and time. Since there are usually reasons why people appear at a specific location at a given time, analyzing users' location data and their co-location records would reveal a great amount of private information, such as their weekly schedules, business status and even possible living areas.

In recent years, researchers have been making a connection between the social and technological aspects of location information. For example, if co-location information is considered as data which potential attackers would obtain and take into consideration, the possibility of revealing a user's private information increases by more than 50%. Also, from a constant stream of a user’s location reports, a movement profile could be constructed for this specific user based on statistical analysis, and a large amount of information could be exploited and generated from this profile, such as the user’s office location, medical records, financial status and political views. Therefore, more and more research has taken the social influence into account in its algorithms, since this social-network information is accessible to the public and might be used by potential attackers.

History
Realizing that the number of threats to private user information has grown over the years, researchers have been exploring effective schemes to secure data, minimize the exposure of private information, and optimize the effectiveness and accuracy of the services users request. Under the requirement of maximizing privacy preservation, secure multi-party communication was proposed. This model is constructed based on sharing accurate information among n parties. Each party has access to a certain segment of the accurate information, while at the same time it is prevented from seeing the other shares of the information. However, a computation problem is introduced in the process, since a large amount of data processing is required to satisfy the requirement. Also, the minimal information sharing model was introduced, which uses cryptographic techniques to perform join and intersection operations. However, the inability of this model to fit other queries makes it inappropriate for most practical applications. The untrusted third-party model was introduced in peer-to-peer environments.

The most popular model right now is the trusted third-party model, which could be considered as a bridge between the user and the service provider. Some practical applications have already adopted the idea of a trusted third party into their service in order to provide a privacy-preserving service to their users. For example, Anonymizer is integrated into various websites and provides an anonymous surfing service to its users. Also, when purchasing through PayPal, users are not required to provide their credit card information. Therefore, by introducing a trusted third party, users’ private information is not directly exposed to the service providers.

Approaches for preserving location information
Several approaches have been investigated to enhance the performance of location-privacy-preserving techniques, such as location perturbation and the reporting of landmark objects.

Location perturbation
The idea of location perturbation is to cloak the user’s location into a blurred region in which the exact location is inaccessible to the service providers. This is usually achieved by using spatial cloaking, temporal cloaking or location obfuscation. Spatial and temporal cloaking refer to reporting inaccurate or imprecise location and time to the service providers, instead of the exact information. For example, location privacy could be enhanced by increasing the time between location reports, since higher report frequencies make re-identification through data mining more likely.

However, this approach could affect the service returned by the service providers, since the data they receive is not accurate. Accuracy and timeliness issues are usually discussed in this approach. Also, some attacks have been identified against mechanisms based on the idea of cloaking that break user privacy.

Landmark objects
In most of the methods based on the idea of landmark objects, a certain landmark or a significant object is reported to the service provider, instead of a region.

Avoid location tracking
Since adversaries could exploit a great amount of personal information from location information, one approach towards privacy enhancement is to prevent the tracking of location. Therefore, less or no location information would be reported to the adversaries, since technically speaking the location information does not exist in the memory of any device. For example, when requesting the weather, a zip code instead of a tracked location would be accurate enough for the service received.

Centralized scheme
A centralized scheme is constructed around a central location anonymizer, which makes users' private information, other than the cloaked location, inaccessible to service providers. For example, one of the methods to achieve this is by replacing the correct network addresses with fake IDs before the information is forwarded to the service provider. Sometimes the user identity is hidden while still allowing the service provider to authenticate the user and possibly charge the user for the service. These steps are usually achieved through spatial cloaking or path confusion. Except in some cases where the correct location information is sent for high service quality, the correct location or temporal information is usually modified to preserve user privacy. The main responsibility and challenge of a location anonymizer are to keep tracking the exact location information and to blur this information into a cloaked area when the user requests location-based services.

Serving as an intermediary between the user and the location-based server, the location anonymizer generally conducts the following activities:

 * Receiving users’ exact location information and private profile
 * Blurring the location into cloaked areas based on the specific privacy requirements
 * In most cases, removing user identities from the location information
 * Reporting the cloaked area to the service provider and receiving from it a list of solutions that satisfy the user’s request, referred to as the candidate list
 * Deciding the most appropriate solution based on the user’s exact location and returning the accurate solution information back to the user (some location anonymizers may not adopt this step)

The location anonymizer could also be considered a trusted third party, since it is trusted by the user with the accurate location information and private profile. However, this could also expose users’ privacy to great risks at the same time. First, since the anonymizer keeps tracking users' information and has access to the users’ exact location and profile information, it is usually the target of most attackers and thus under greater risk. Second, the extent to which users trust the location anonymizers could be essential. If a fully trusted third party is integrated into the algorithm, user location information would be constantly reported to the location anonymizer, which may cause privacy issues if the anonymizer is compromised.

Decentralized scheme
A decentralized scheme usually requires peer communication when cloaking the exact location information[1]. This means that nearby users' information would also be collected to confuse the attacker about the specific user's location. In cases where there are not enough users nearby, S-proximity is usually adopted to generate a great number of paired user identities and locations in order to make the true user indistinguishable within the specific area. The other profile and location information sent to the service provider is sometimes also referred to as dummies.

Privacy requirements
Whatever specific privacy-preserving solution is integrated to cloak the region in which the service requester stays, it is usually constructed from several angles in order to better satisfy different privacy requirements. These standards are either adjusted by the users themselves by setting parameters on their devices, or decided by the application designers. Some of the privacy parameters include K-anonymity, entropy, minimum area, and maximum area. Generally, stricter privacy requirements correspond to a larger K-anonymity, minimum area size, and maximum area size.

K-anonymity
K-anonymity usually refers to the requirement that the information of the user in a region should be indistinguishable from that of a minimum of $$k-1$$ other people, with k being any real number. Thus, the disclosed location scope would be expected to keep expanding until k users could be identified in the region, and these k people form an anonymity set. Usually, the higher the K-anonymity, the stricter the requirements and the higher the level of anonymity. There are two widely used schemes that try to satisfy K-anonymity: the centralized scheme and the decentralized scheme. If K-anonymity is satisfied, then the probability of identifying the exact user would be around $$1/k$$, depending on the algorithm, and therefore location privacy would be effectively preserved. Usually, if the cloaking region is designed to be larger when the algorithm is constructed, the chance of identifying the exact service requester would be much lower even if the user's location information is exposed to the service providers, not to mention to attackers able to run complex machine learning or advanced analysis techniques.

Some approaches have also been discussed to introduce more ambiguity to prevent the identification of the exact user, such as defining “historical K-anonymity”. The idea of historical K-anonymity is introduced to make sure that there are at least $$k-1$$ other users who share the same historical requests, which requires the anonymizer to track not only the current movement of the user but also the sequence of the user's locations. Therefore, even if a user's historical location points are disclosed, adversaries could not distinguish the specific user from a group of potential users.

Minimum area size
Minimum area size refers to the smallest region, expanded from the exact location point, which satisfies the specific privacy requirements. Usually, the higher the privacy requirements, the bigger the area required, to increase the complexity of distinguishing the exact location of users. Also, the idea of minimum area is particularly important in dense areas, where K-anonymity alone might not be sufficient to provide the guaranteed privacy-preserving performance. For example, if the requester is in a shopping mall which has a promising discount, there might be a great number of people around him or her, and thus this could be considered a very dense environment. Under such a situation, a large K-anonymity such as k=100 would only correspond to a small region, since it does not require a large area to include 100 people near the user. This results in an ineffective cloaked area, since the area in which the user could potentially reside is smaller than it would be at the same level of K-anonymity in a region where people are more scattered.

Maximum area size
Since there is a trade-off between quality of service and privacy requirements in most location-based services, sometimes a maximum area size is also required. This is because a large cloaked area might introduce too much inaccuracy into the service received by the user, since increasing the reported cloaked area also increases the number of potential results satisfying the user’s request. These solutions would match the specific requirements of the user, yet are not necessarily near the user’s exact location.
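The anonymizer workflow described earlier (receive the exact location, blur it until the user's K-anonymity, minimum-area and maximum-area parameters are met, forward the cloaked area without identity, then refine the provider's candidate list) as an added example, not code from the original article. The 10x10 grid, the users, the gas stations and the provider's range query are assumptions constructed for illustration.

```python
# Grid-based spatial cloaking by a trusted location anonymizer. Added example,
# not the article's code; all users, POIs and privacy parameters are constructed.
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class CloakedArea:
    """Axis-aligned rectangle of grid cells; bounds are inclusive."""
    x0: int
    y0: int
    x1: int
    y1: int

    def area(self) -> int:
        return (self.x1 - self.x0 + 1) * (self.y1 - self.y0 + 1)

    def contains(self, x: int, y: int) -> bool:
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1

    def distance_to(self, x: float, y: float) -> float:
        """Distance from a point to the nearest point of the rectangle."""
        dx = max(self.x0 - x, 0, x - self.x1)
        dy = max(self.y0 - y, 0, y - self.y1)
        return math.hypot(dx, dy)


@dataclass(frozen=True)
class PrivacyProfile:
    k: int          # K-anonymity: at least k users must lie inside the area
    min_area: int   # minimum area size in cells (guards against dense areas)
    max_area: int   # maximum area size in cells (quality-of-service bound)


class LocationAnonymizer:
    """Trusted third party: knows every user's exact cell, blurs it on request."""

    def __init__(self, grid_size: int, locations: dict):
        self.grid_size = grid_size
        self.locations = locations  # user_id -> (x, y), exact locations tracked

    def _count_inside(self, area: CloakedArea) -> int:
        return sum(1 for ux, uy in self.locations.values() if area.contains(ux, uy))

    def _grow(self, area: CloakedArea) -> CloakedArea:
        """Expand the rectangle by one ring of cells, clipped to the grid."""
        g = self.grid_size - 1
        return CloakedArea(max(0, area.x0 - 1), max(0, area.y0 - 1),
                           min(g, area.x1 + 1), min(g, area.y1 + 1))

    def cloak(self, user_id: str, profile: PrivacyProfile):
        """Expand from the exact cell until k users and min_area are both met;
        return None (reject) if that would need more than max_area cells."""
        x, y = self.locations[user_id]
        area = CloakedArea(x, y, x, y)
        while True:
            if self._count_inside(area) >= profile.k and area.area() >= profile.min_area:
                return area
            grown = self._grow(area)
            if grown == area or grown.area() > profile.max_area:
                return None  # hit the grid edge or the QoS bound
            area = grown

    def pick_nearest(self, user_id: str, candidates):
        """Refine the provider's candidate list with the exact location."""
        x, y = self.locations[user_id]
        return min(candidates, key=lambda c: math.hypot(c[1] - x, c[2] - y), default=None)


def provider_range_query(area: CloakedArea, pois, radius: float):
    """Provider side: it sees a rectangle, not a point, so it returns every POI
    within `radius` cells of the area as a candidate list."""
    return [p for p in pois if area.distance_to(p[1], p[2]) <= radius]


# Constructed sample data: (name, x, y) cells on a 10x10 grid.
USERS = [("alice", 5, 5), ("bob", 6, 5), ("carol", 4, 6),
         ("dave", 1, 1), ("erin", 9, 9), ("frank", 5, 4)]
GAS_STATIONS = [("GasA", 6, 6), ("GasB", 3, 3), ("GasC", 9, 0), ("GasD", 5, 7)]


def demo(user_id: str, profile: PrivacyProfile):
    """Full round trip: cloak, query the provider, refine. Returns (area, answer)."""
    anonymizer = LocationAnonymizer(10, {name: (x, y) for name, x, y in USERS})
    area = anonymizer.cloak(user_id, profile)
    if area is None:
        return None, None  # rejected: the profile cannot be met within max_area
    request = {"area": area, "query": "nearest gas station"}  # no identity sent
    candidates = provider_range_query(request["area"], GAS_STATIONS, radius=1.5)
    return area, anonymizer.pick_nearest(user_id, candidates)


if __name__ == "__main__":
    print(demo("alice", PrivacyProfile(k=3, min_area=4, max_area=49)))   # 3x3 area, GasA
    print(demo("alice", PrivacyProfile(k=2, min_area=25, max_area=49)))  # min_area forces 5x5
    print(demo("dave", PrivacyProfile(k=3, min_area=1, max_area=9)))     # sparse: rejected
```

The second call shows minimum area overriding an already-satisfied k in a dense cluster, and the third shows maximum area rejecting a sparse request instead of serving it with weaker privacy.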

CliqueCloak
CliqueCloak is an algorithm usually applied during the cloaking process, before user location information is sent to the service providers. The main idea of CliqueCloak is to send user location information later in time or to reorder the sequence of nearby location reports in order to confuse the service providers, making it hard for the exact location or request time of a specific user to be revealed by the information sent.

Casper
Casper is a framework designed to preserve users’ private location information while at the same time maintaining the accuracy and effectiveness of the service. It includes a location anonymizer and a privacy-aware query processor, and it could fit into traditional algorithms.

Practical applications
Many real-life applications, such as mobile social networks, navigation and finding places of interest, have been adjusting and advancing their problem-solving abilities in order to provide more personalized solutions, extend their audience and satisfy users’ increasing requirements.

Location-based services
With the popularity and development of several positioning techniques, such as the global positioning system (GPS) and positioning through Wi-Fi access points, location-based services have been growing and advancing in recent years. More and more applications have integrated the ideas and techniques of location-based services to provide more personalized services, such as identification of places of interest, location-based advertising, traffic information, location tracking and location-aware services. These services usually require users to report their location, analyze it with their algorithms and a database to come up with the optimum solution, and then report it back to the requesting user. Usually, location-based services are requested either through snapshot queries or continuous queries. Snapshot queries generally require the report of an exact location at a specific time, such as “where is the nearest gas station?”, while continuous queries need the tracking of location over a period of time, such as “constantly report the nearby gas stations”.

With the amount of location information reported, several attacks could be conducted during the requesting and receiving process which would place great risks on users’ privacy. It has been reported that some GPS devices have been used to exploit personal information and stalk personal locations. Sometimes, only reporting location information would already indicate a lot of private information.

Some of the popular location-based services include:

 * Location-aware emergency service
 * Location-based advertisement
 * Live traffic report
 * Location-based store finders
 * Map and navigation system

Types of information involved
The types of private information involved in location-based services and spatial cloaking are usually user identity, spatial information, and temporal information. A more detailed categorization would further divide temporal information into real-time and non-real-time information.

 * Identity, which represents the unique privacy profile of each user
 * Spatial information, which refers to either a continuous change of location within a period of time or a specific location point corresponding to each point in the time coordinate
 * Temporal information, which can be divided into real-time and non-real-time information relative to the current time point

Environments
The cloaked region generated by spatial cloaking could fit into multiple environments, such as snapshot location, continuous location, spatial networks, and wireless sensor networks. Sometimes, the algorithms which generate a cloaked area are designed to fit various frameworks without changing the original coordinates. In fact, as algorithms become more specialized and the most generally adopted mechanisms become well established, more privacy-preserving techniques are designed specifically for the target environment, since they then better fit its particular privacy requirements.

Geosocial applications
Geosocial applications are generally designed to provide social interaction based on location information. Some of the services include collaborative network services and games, discount coupons, local friend recommendations for dining and shopping, and social rendezvous. For example, Motion Based allows users to share exercise paths with others. SCVNGR was a location-based platform where users could earn points by going to places.

Besides the privacy requirements such as K-anonymity, maximum area size, and minimum area size, there are other requirements regarding the privacy preserved in geosocial applications. For example, location and user unlinkability require that the service provider should not be able to identify a user who makes the same request twice, or the correspondence between a given cloaked area and its real-time location. Also, location data privacy requires that the service provider should not have access to the content of data in a specific location. For example, LoX is designed specifically to satisfy these privacy requirements of geosocial applications.

Continuous location-based service and snapshot location-based services
Continuous location-based services require the continuous reporting of location information to the service providers. During the process of requesting a continuous location-based service, privacy leakage has been recognized as a pressing issue. Since consecutive cloaked areas are reported, with advancing technological capabilities a correlation could be derived between the blurred areas. Therefore, much research has been conducted addressing location privacy issues in continuous location-based services.

Snapshot location, by contrast, generally refers to the linear relation between a specific location point and a point in the temporal coordinate.

Some mechanisms have been proposed to either address the privacy-preserving issues in both environments simultaneously or concentrate on fulfilling each privacy requirement respectively. For example, a privacy grid called a dynamic grid system has been proposed to fit both snapshot and continuous location-based service environments.

Peer-to-peer environment
Peer-to-peer environments rely on direct communication between device users in a region without an access point or base station. The aim of the peer-to-peer environment is to extend the scope of cellular coverage in a sparse environment. In some situations, such as the decentralized scheme described above, peers have to trust each other, since their location information would be reported to each other when a cloaked area is constructed to achieve the desired K-anonymity while requesting location-based services. Researchers have been discussing privacy and security requirements which would make privacy-preserving techniques appropriate for the peer-to-peer environment. For example, authentication and authorization are required to secure and identify the user and thus make authorized users distinguishable from unauthorized users. Confidentiality and integrity make sure that only those who are authorized have access to the data transmitted between peers, and that the transmitted information cannot be modified.

Mobile environments
There are generally two types of privacy of great concern in mobile environments: data privacy and contextual privacy. Usually, location privacy and identity privacy are included in the discussion of contextual privacy in a mobile environment, while the data transferred between mobile devices is discussed under data privacy. During the process of requesting location-based services, sending location information and receiving the services, both the quality of the data transferred and the safety of the information exchanged could be exposed to malicious parties.

Some of the popular attacks in mobile environments include:

 * Man-in-the-middle attack

A man-in-the-middle attack in the mobile environment assumes that all information in transit from the user to the service provider could be intercepted and further manipulated by attackers to reveal more personal information.

 * Cross-service attack

Cross-service attacks usually take place when users are using poorly protected wireless connectivity, especially in public places.

 * Video-based attack

Video-based attacks are more common on mobile devices, usually due to their Bluetooth, camera and video capabilities: malicious applications secretly record users’ behavior data and report that information to a remote device. Stealthy Video Capture is one intentionally designed application which spies on an unaware user and reports the information.

 * Sensor sniffing attack

Sensor sniffing attacks usually refer to cases where intentionally designed applications are installed on a device. In this situation, even if adversaries have no physical contact with the mobile device, users’ personal information would still be at risk of disclosure.

Other privacy mechanisms
The existing privacy solutions generally fall into two categories: data privacy and context privacy. Besides addressing location privacy issues, these mechanisms might be applied to other scenarios. For example, mechanisms such as cryptography, anonymity, obfuscation and caching[2] have been proposed, discussed, and tested in order to better preserve user privacy. These mechanisms usually try to solve location privacy issues from different angles and thus fit different situations.

 * Cryptography
 * Anonymity
 * Obfuscation
 * Caching
 * Pseudonymous technique

Opportunity
Generally, integrating spatial cloaking into various algorithms helps enhance users' location privacy, since it cloaks users' private location while at the same time preserving the effectiveness and responsiveness of the location-based service they request.

Concerns
Even though the effectiveness of spatial cloaking has been widely accepted and the idea has been integrated into multiple designs, there are still some concerns about it. First, the two schemes of spatial cloaking both have their limitations. For example, in the centralized scheme, although users' other private information, including identity, has been cloaked, the location itself could release sensitive information, especially when a specific user requests service multiple times with the same pseudonym. In a decentralized scheme, there are issues with large communication overhead and with not having enough peers in a region.

Second, the ability of attackers requires deeper consideration and investigation in light of advances in technology such as machine learning and its connection with social relations, particularly the sharing of information online.

Third, the credibility of a trusted third party has also been identified as one of the issues. A great deal of software is published on app markets every day, and some of it has not undergone strict examination. Software bugs, configuration errors at the trusted third party and malicious administrators could expose users' private data to great risks. Based on a study from 2010, two-thirds of all the trusted-third-party applications in the Android market are considered suspicious in their handling of sensitive information.

Fourth, people have argued for setting the cloaking parameters themselves, since different people have different expectations of how much privacy is preserved. Considering that there is usually a trade-off between privacy and personalization, and that personalization usually leads to better service, people would have different preferences. Also, people's attitude towards disclosing their location information could change based on the service's usefulness, the privacy safeguards, the quantity disclosed, etc.

Therefore, many possible solutions have been proposed in recent years in order to enhance the ability to preserve location privacy and personalize the privacy request for users.

Attack
During the process of exchanging data, both users’ information and service providers’ information may be subject to attacks by adversaries. Along with the advancement of technology, such as the development of machine learning and the popularity of smart devices, attacks against mobile devices are correspondingly increasing. Some of the existing approaches adopted by adversaries include viruses, Trojan applications, and a number of cyber-attacks. A large amount of information could be inferred from location information; for example, a high visiting frequency could be used to predict users’ movements. If adversaries intentionally attack the service provider and get access to the location information, users' private information might be exploited and misused. Therefore, the overall idea of preserving location privacy is to introduce enough noise and quantization to reduce the chances of successful attacks.

Recently, researchers have been discussing the influence of social factors on privacy disclosure. For example, the amount of co-location information would increase the success rate of attacks on privacy by 50%. Also, the emerging trend of integrating machine-learning techniques is a challenge for present spatial cloaking solutions. Explicit correlations could be exploited by advanced adversaries, and thus higher quality is demanded of the existing privacy-preserving mechanisms.

Regulations and policies
Policy approaches have also been discussed in recent years which intend to revise relevant guidelines or propose new regulations in order to better manage location-based service applications. Two uniformly accepted and well-established requirements are users' awareness of the location privacy policies of a specific service and their consent to sending their private location to a service provider. For example, a Connecticut car rental company fined a customer for speeding based on three occasions it identified through the GPS tracking system on the van. Even though there was a warning in the car that additional fees would result from speeding, the customer successfully sued the company for not explicitly explaining the use of a location-tracking system. Besides these two approaches, researchers have also been focusing on guarding the app markets, since an insecure app market would expose unaware users to a number of privacy risks. For example, a number of malware programs have been identified in the Android app market which are designed to carry out cyber attacks on Android devices. Without effective and clear guidelines to regulate location information, both ethical and legal problems would arise. Therefore, many guidelines have been discussed in recent years to regulate the use of location information.

European data protection guideline
The European data protection guideline was recently revised to include and specify the privacy of an individual’s data and personally identifiable information (PII). These adjustments intend to make a safe yet effective service environment. Specifically, location privacy is enhanced by making sure that users are fully aware of, and have consented to, the location information which would be sent to the service providers. Another important adjustment is that complete responsibility would be given to the service providers when users’ private information is being processed.

The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act discusses the legal framework of privacy protection and gives standards for law enforcement access to electronic records and communications. It is also very influential in deciding electronic surveillance issues.

Global System for Mobile Communication Association (GSMA)
GSMA published a new privacy guideline, and some mobile companies in Europe have signed it and started to implement it so that users would have a better understanding of the information recorded and analyzed during location-based services. Also, GSMA has recommended that operating companies inform their customers about who has access to users’ private information.

MIT’s Cricket
The Cricket location system is constructed under two architectures, an active mobile architecture and a passive mobile architecture, which demonstrate sufficient ability to track a moving device. In the active environment, fixed receivers gather the position periodically, while in the passive environment, fixed beacons let the device track itself. This system is designed to avoid the privacy leakage that introducing a third party would cause, by having devices compute their own location information indoors.

Privacy observant location system
This system avoids the risks of using a third party by computing its location based on Wi-Fi and cell tower signal strength. Since it does not involve a service from a third party, privacy would be better preserved.

United States v. Knotts case
In this case, the police used a beeper to keep track of the suspect’s vehicle. After using the beeper alone to track the suspect, the officers secured a search warrant and confirmed that the suspect was producing illicit drugs in the van. The suspect tried to suppress the evidence based on the tracking device used during the monitoring process, but this was denied by the court. The court concluded that “A person traveling in an automobile on a public thoroughfare[] has no reasonable expectation of privacy in his movement from one place to another.” Nevertheless, the court reserved the discussion of whether twenty-four-hour surveillance would constitute a search.

However, cases using GPS and other tracking devices differ from this case, since GPS tracking can be conducted without human interaction, while the beeper is considered a method to augment the police's sensory perception while maintaining visual contact with the suspect. Police presence is required when using beepers, yet it is not needed when using GPS to conduct surveillance. Therefore, law enforcement agents are required to secure a warrant before GPS tracking devices are used to obtain vehicles’ location information.

Google
It has been stated that Google does not meet the European Union’s data privacy law, and thus increasing attention has been placed on advocacy for guidelines and policies regarding data privacy.

Facebook
It has been argued that less than a week after Facebook launched its “Places” feature, the location information it exposed was exploited by thieves and used to conduct a home invasion.