A Privacy Preserving Method Using Privacy

Mobile Netw Appl (2013) 18:728–737 DOI 10.1007/s11036-012-0362-6

A Privacy Preserving Method Using Privacy Enhancing Techniques for Location Based Services

William J. Buchanan · Zbigniew Kwecka · Elias Ekonomou

Published online: 1 April 2012 © Springer Science+Business Media, LLC 2012

Abstract The move towards service-oriented architectures and the increasing usage of mobile devices to access such services are two of the major changes in modern computing. Information about the user, their location and their trajectory can provide additional context information to a service, leading to useful applications such as directing a user to the nearest bus stop and displaying which buses are due to arrive in the next minutes. While this type of information can be useful, when the offered services are trusted, it also introduces privacy issues relating to gathering of location information for non-trusted applications like location-based marketing or user behaviour profiling. Users can limit their location information provided to a service but these controls are simple, making it important for the user to understand how their location information is being used by services. This paper reviews some of the methods currently being proposed to reduce the impact of location tracking on user privacy, and presents a novel encryption method for preserving the location and trajectory path of a user using Privacy-Enhancing Technologies.

Keywords security · location tracking · privacy enhancing methods

W. J. Buchanan (B) · Z. Kwecka · E. Ekonomou, Edinburgh Napier University, Edinburgh, Scotland, UK

1 Introduction

The growth of mobile computing continues, and an increasing range of devices is being used to access services. One of the major growth areas is the integration of location tracking methods with service provision. While this can be used by a wide range of applications, such as for asset [20] and bus tracking, there is a considerable risk that network providers and service providers can use location tracking to follow users, especially for their current location, their trajectory and their historical movements. There are therefore issues related to privacy, and the rights of non-trusted parties to track user activities. Gruteser [16] defines Location-based Services (LBSs) as typically having three main entities (Fig. 1):

– The user and mobile device.
– A provider of positioning technology (typically a cell-phone or a wireless network provider).
– Service providers.

Chow [6] outlines a wide range of LBSs including information and entertainment services like resource finding, route finding, social networking, and location-based gaming that are easily accessed from mobile devices. While many LBS providers act on the user’s behalf, it is likely that some might abuse their privilege and sell the user’s location information or push marketing material to them. The level of privacy applied often relates to the requirement of the user at a given time. For instance, a service engineer might be willing to be tracked, within working hours, so that the closest engineer can be found within a geographical spread. However, outside working hours, they may only be willing to have their location identified within a broader geographical area. Tang [35] outlines that there is often a trade-off between the access to location-aware services and privacy, and that a reduction in the precision of the location can actually make a service unusable. For example, if a user is looking for the nearest bus stop within a city centre, and the system tries to blur their current position, it might direct the user to a bus stop that is further away than the nearest one.

Fig. 1 Location infrastructure

These LBS requests can be sporadic or continuous, where sporadic requests are often more difficult to associate with specific users than continuous ones. Alongside the concepts of sporadic and continuous requests, privacy-preserving methods often use a spatial network, which is made up of a network of spatial elements. A spatial network is often seen as an inverse of normal maps, and creates a graph where the spaces between buildings, such as roads, are mapped as edges, and the intersections between them are defined as nodes. Two key terms in preserving the anonymity of location data are: k-anonymity; and l-diversity. For a k-anonymized dataset, there is protection of released user information so that the person cannot be distinguished from at least k-1 individuals who are also contained in the data. With l-diversity each equivalence class has at least l well-represented values for each sensitive attribute. Gkoulalas-Divanis [14] outlines that most approaches can be defined in three major categories:

– Historical k-anonymity; where the user has been in the past.
– Location k-anonymity; where the user currently is.
– Trajectory k-anonymity; where the user is going.

Jungho [38], for example, defines a model where users send their service queries, and their location, to an LBS server, and use a cloaking algorithm for privacy protection in LBSs. Their model supports both k-anonymity and l-diversity, and their minimum cloaking region becomes l buildings (l-diversity) and k users (k-anonymity), built on a grid structure for storing buildings and users. Another evolving technique within anonymity is m-invariance in database privacy, which limits the risk of privacy disclosure in re-publication, as location services often require multiple postings of location information in order to provide a continuous flow of information. For example, this is typical in services for public transport, such as for bus transport updates, which might continually poll for the location of the user in order to provide updated information on local bus routes.

This paper aims to outline some key issues related to the technology used within the tracking of the mobile devices and in the methods that users can utilise to reduce the threat of non-trusted service providers using their location information.

2 Methods to overcome tracking

Chow [6] defines that the three key things to protect are: the user’s identity; position; and path (trajectory). The following sections discuss the main techniques currently being proposed to reduce the risk of a user’s location being used by non-trusted sources.

2.1 Grid-based cloaking

Grid-based cloaking involves blurring the actual location of a user without preventing access to location services. A typical method is known as obfuscation (or cloaking) and protects the location by first forwarding it to an LBS provider which gives a coarse user location instead of the actual user location (Fig. 2). Gruteser [17], for example, uses a centralized location broker service for a middleware infrastructure. The broker varies the resolution of location information with spatial or temporal dimensions in order to preserve the anonymity of a user for a given area. Basing their estimate of the spatial resolution on automotive traffic counts and cartographic material, they generate a median resolution of 125 m.

Fig. 2 Grid blurring

Mokbel [29] re-iterates the need for the Location Anonymizer where the user’s location is converted into a spatial region so that the actual user location may be defined anywhere within the spatial region, and there are k other users within the spatial region, giving k-anonymity for each user. Truong [36] defines that many systems obfuscate the user’s position within a number of cells, but it is often difficult to change the cell size for individual privacy requirements, giving a one-size-fits-all cell size. Their system uses a flexible grid, where users can vary the size of their cells. It then uses a memorizing algorithm in a trusted middleware infrastructure [37], where it disguises the location with an anonymization area, and sends this to the service provider. A key drawback of grid systems is the areas that overlap the anonymization areas, as they can be used to guess the user’s current location. To overcome this, their algorithm tries to decrease the number of overlapped areas. In a similar approach, [30] presents the Casper framework where users do not reveal their location. It uses:

– A location anonymizer, which tries to obfuscate the exact location information using cloaked spatial regions which are set by the user’s privacy requirements.
– A privacy-aware query processor, which is a location-based database server and cloaks spatial areas so that the exact location is not provided.

Chow [7] focuses on a new version of Casper designed to overcome the problems of many existing location anonymization algorithms which try to blur the current location with cloaked rectilinear areas by adding three new privacy-aware query types. A key contribution is that it shares query processing over a wide range of continuous queries. With CacheCloak [28], a trusted anonymizing server tries to predict future paths based on historical data and then submits intersecting predicted paths at the same time to the LBS. With this, the system makes sure that each of the new predicted paths intersects with other users’ paths. In this way it is not possible to track an individual user’s path over a given time interval. The users can then retrieve the cached query responses for the new locations from the trusted server. If there are no cached responses, a new prediction will be generated. Baik [21] uses a path perturbation algorithm to cross paths in areas where at least two users meet, which increases the opportunity that a non-trusted entity would confuse the paths for these users.

Chow [5] suggests that many methods do not separate location privacy from query privacy, and proposes a mechanism which ensures privacy for both, for spaces with a large number of continuous queries. For this, they have extended the cloaking algorithms for both sporadic and continuous queries with spatial cloaking on an on-demand basis. This overcomes the problem of cloaking every single location query. Dewri [11] also uses cloaking regions and then hides the actual user among a set of other users (providing k-anonymity). For this, it is important that each of the cloaked regions should guarantee that the types of queries issued by users within the region are mutually diverse enough (query l-diversity). Their contribution is to overcome a problem caused in the association of queries to users when the service depends on continuous location updates. Successive cloaking regions for a user may be k-anonymous and query l-diverse, but still be prone to correlation attacks. For this, they have provided a formal analysis of the privacy risks involved in a continuous location-based service, and show how continuous queries can invalidate the privacy guarantees provided by k-anonymity and l-diversity, by applying the principle of m-invariance in database privacy.
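The k-anonymous spatial cloaking surveyed in this section, as an added Python example (not code from the paper or from the cited systems): a trusted anonymizer descends a quadtree and returns the smallest cell that still holds the user and at least k users in total. The service area, function names and coordinates are constructed for illustration.

```python
"""Quadtree-style spatial cloaking for k-anonymity (constructed example)."""

# Assumed service area: x0, y0, x1, y1 in metres.
AREA = (0.0, 0.0, 1024.0, 1024.0)


def inside(region, point):
    """True when point lies in the half-open rectangle region."""
    x0, y0, x1, y1 = region
    return x0 <= point[0] < x1 and y0 <= point[1] < y1


def population(region, users):
    """Number of known user positions that fall inside region."""
    return sum(inside(region, u) for u in users)


def side(region):
    """Edge length of a square region, i.e. the reported resolution."""
    return region[2] - region[0]


def cloak(user, users, k, area=AREA, min_side=1.0):
    """Smallest quadtree cell holding `user` and at least k users in total.

    `users` is the anonymizer's full list of current positions, `user`
    included. Returns None when even the whole area cannot satisfy k.
    """
    if not inside(area, user) or population(area, users) < k:
        return None
    region = area
    while side(region) > min_side:
        x0, y0, x1, y1 = region
        mx, my = (x0 + x1) / 2, (y0 + y1) / 2
        # Select the quadrant that contains the user.
        child = (mx if user[0] >= mx else x0,
                 my if user[1] >= my else y0,
                 x1 if user[0] >= mx else mx,
                 y1 if user[1] >= my else my)
        if population(child, users) < k:
            break  # a finer cell would expose fewer than k users
        region = child
    return region


# Constructed positions: a dense city-centre cluster and sparse outskirts.
DENSE = [(100, 100), (101, 99), (98, 103), (105, 96), (110, 108)]
SPARSE = [(900, 900), (700, 700), (600, 950), (990, 600), (540, 530)]
USERS = DENSE + SPARSE

if __name__ == "__main__":
    for who in (DENSE[0], SPARSE[0]):
        region = cloak(who, USERS, k=5)
        print(who, "->", region, "resolution", side(region), "m")
```

With k = 5 the city-centre user is reported at 16 m resolution and the outskirts user at 512 m, which is the precision trade-off Tang [35] describes.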

2.2 Identifying context

Damiani [10] criticizes the geometric methods used in grid-based blurring as they can actually reveal location information when the untrusted party knows the geographical context. This is a particular problem in semantic locations, and they overcome this with personalized cloaking of semantic locations. Ghinita [12] defines that a typical approach to preserve location privacy is to generate a cloaking region (CR) that encloses the user position. However, if locations are continuously reported, a non-trusted entity can correlate CRs from multiple timestamps to accurately pinpoint the user position within a CR. Pingley [31] overcomes the requirement for a trusted third party (anonymizer), and identifies that location services often depend on the degree of privacy protection and the context (such as the number of users in a physical space). To reduce the problem of gaining information from the queries they propose CAP (Context-Aware Privacy-preserving) which is integrated with Google Maps to prove their system. Gkoulalas [15] uses user requests on trajectory data in LBSs to determine the underlying user movement. This involves the reconstruction of the movement based on a number of independent location updates. It thus pinpoints routes where user privacy could be at risk, and this is used to convert requests into an anonymous form, using a spatial database engine.


2.3 Ad-hoc clustering

An alternative to the grid approach is to create ad-hoc groups where trusted nodes provide the request on behalf of the node aiming to hide its location. Chow [8] uses a peer-to-peer (P2P) spatial cloaking algorithm, where mobile users form a grouping, typically within a single-hop (as multi-hop systems may have security issues within ad-hoc networks). This is defined as a spatial cloaked area. As with ad-hoc routing, there are two modes: on-demand (where requests are made as required), and proactive mode (where a network infrastructure is created for the ad-hoc node connections). They have shown that the on-demand method provides a lower communication cost and better quality of services than the proactive mode, but the on-demand mode incurs a longer response time. However, this might not be the case for large ad-hoc networks, where a great deal of broadcast traffic can be generated. Magkos [27] also uses wireless ad-hoc networks to hide the originating host and their proposal can be used for both sporadic and continuous LBS queries. It only trusts the nodes within the ad-hoc network, and treats all other hosts as a threat (so that even the cellular network provider is seen as a non-trusted source), and it also provides multiple, and frequently changing, pseudonyms for devices to use. The messages for location queries are sent amongst the mobile nodes, who then forward them to the LBS provider through the cellular operator.

2.4 Neighboring node

Another alternative to grids is Nearest Neighbor (NN) queries, which provide a one-way transformation to map the location of objects into another space, and then resolve the query blindly into the transformed space. With the novel NN query method, Khoshgozaran [23] criticises the generalized privacy metrics of k-anonymity and cloaked region size measures, and defines two new location privacy metrics: u-anonymity and a-anonymity. Wei [25] has since extended this by defining a location cloaking mechanism, based on spatial networks, which does not reveal the location information, and proposes two new query algorithms: PSNN; and PSRQ, which are used to answer nearest neighbour queries and range queries on a spatial network. Song [39] proposes AnonTwist which extends SpaceTwist [41] to provide k-anonymity. It focuses on making sure that there are k users in a privacy area for the SpaceTwist algorithm (which is known as “twisted space”). For this, it uses a user density map (using a Quadtree) to estimate the number of users in the spatial area, and a mechanism to keep track of the number of users within the twisted space.

2.5 Private information retrieval (PIR) protocols

Ghinita [13] proposes an alternative to cloaking regions with a hybrid, two-step approach, ensuring the privacy of location queries. Initially, the location is generalized to a coarse-grained Cloaking Region (CR) and next a PIR protocol is used to get the query to submit to the LBS. Yan [34] classifies location services and uses a hierarchical key distribution method to support them, where hierarchical encryption is used to secure the location information with these keys, and then to distribute them only to those members in a circle of trust.

2.6 Anonymity-based mechanisms

IEEE 802.1x wireless networks pose fewer risks than mobile phone networks, as there is less integration of location-based services. However, there is still a range of “details” that can be used to track a device using the MAC layer, the IP layer, and so on. Thus, the anonymity-based mechanisms for IEEE 802.1x networks focus on reducing the possibility of mapping a unique device identifier, such as its MAC or IP address, to its location. Gruteser [18], for example, has defined a methodology for identifying, assessing, and comparing location privacy risks for location tracking. Later, the method was enhanced through frequent disposal of a client’s interface identifier [19]. While it is still possible to triangulate a location, their method protects against the tracking of user movements over time.

3 Novel privacy preserving method

The novel protocol developed in this paper is based on extending the PE (Private Equality) primitive. Three modifications to this primitive are required in order to facilitate the service request process. The scenario involves the user identifying interesting things by something that can be hashed by both parties, e.g. the name of a pub or the ID of a bus stop can be hashed by the user and the service provider. If they can both obtain the same hash signature of the object(s) of interest, then they can privately obtain information about this object. If there is a path that a user takes on a grid, and they want to learn something about every square in the path, it is possible to use PE to find out whether there is information about the squares in the path. The squares in the path are defined as m and the total number of squares is n. Then the user only wants to pay for the squares that exist in the location provider database. Once the user finds out how many of the m squares exist in the provider’s database, they will only then pay for these and continue the PE protocol to download only the ones with the content.



3.1 Privacy-enhancing technologies (PET)

PET is the common name for a range of different technologies to protect sensitive personal data within information systems [24]. Such technologies find use in all types of information systems. The discussion in [24] deals with typical scenarios where the owner of the data has an incentive, such as required legislative compliance, to provide privacy to the users. Although not exciting to the academic community, a number of conventional privacy controls are utilized to satisfy the current legislative requirements, and they are valid solutions to the privacy concerns. Since they have been tried and tested over the years, they are compliant with the security standards that dictate data processing in many organisations. In [24] the following types of conventional PETs have been identified:

– General PET controls. These are the controls that can be implemented with technologies similar to those used in data security. Effectively, privacy is treated as the highest level of security defined in the security policy, and is implemented in firewall controls that do protect privacy. This type of PETs is further split into:
  – Data minimisation; analogous to the principle of least privilege in security, a minimal access to data should be given to any requestors. If the requestor needs to know whether a given user is an adult, a yes or no response would answer this question sufficiently, without the need to provide the requestor with the age of the data subject or the date of birth.
  – Authentication and authorisation; these should really be treated as prerequisites for any system that carries data that is not publicly available. Without these functions, other provisions, e.g. the data minimisation mentioned above, could not be deployed.
  – Quality-Enhancing Technology; part of the requirements for fair information processing [9] and the Data Protection Act is ensuring the correctness of the data. This can be done by improving the data collection mechanism, as well as allowing the data subjects to view and correct the data about them.
– Separation of data. This control splits the database into two or more domains, where the data carrying personally identifiable information, such as name and address, is stored in the identity domain, and the other personal data is stored in another domain against a pseudo-identity that was derived from the real identity. These domains are linked by identity protector software allowing only privileged users to restore the relationship between the data-records in the different domains. Consequently, with this control applied, the personal data can be analysed without revealing the identity of the data-subject to the analyst.
– Privacy management systems. This type of control is the least mature of the conventional methods presented in this section. It introduces software that ensures automated enforcement of the privacy policy. Such software intercepts any transactions that involve personal data and tests these against the privacy regulations. The privacy regulations include the privacy policy and the privacy preferences of the data-subjects that the transaction concerns.
– Anonymization. This is a similar approach to the separation of data; the difference is that the pseudo-identities cannot be linked back to the real identities of the data-subjects, nor can the identity of the data-subject be inferred from the anonymized data. Thus, the process of anonymization transforms personal data into data that can be freely processed without privacy controls.

When discussing PETs and privacy-preserving operations on data it is important to note the distinction between Private Data-Mining and PIR. Both are well researched subjects; however, Private Data-Mining is normally used to obtain anonymized, statistical data rather than retrieval of individual records as is the case with PIR. While some techniques used in private data-mining can be modified and reused in information retrieval and vice-versa, these two primitives are dissimilar in objectives. In the field of statistical data mining, researchers have developed a number of techniques that permit operations on a subset, or cross-section, of a dataset. In [2] Agrawal and Srikant suggest a technique based on perturbations. The larger the perturbations, the greater the level of privacy in the system, but such a technique can result in a loss of information. However, Aggarwal and Yu in [1] show that this is a natural trade-off between accuracy and privacy, which can be seen on the example of other data-mining techniques, such as adding noise that is then approximately removed from the output [22]. An interesting approach is based on k-anonymity models [33] that ensure any attempts to link a given record to the data-subjects they describe result in at least k different identities being returned. Thus, contrary to security, where any leak of information may be unacceptable [26], privacy can be achieved by hiding the data-subject in a larger group of individuals. Finally, a system that does not lose precision can be achieved by employing primitives from the area of MPC (Multi-Party Computation). In order for such schemes to be feasible they need to make use of an extra party in the protocol—a semi-honest party trusted not to collude with other participants—otherwise the computational complexity of the protocol is too high [22].

3.2 Lowering processing time

There is a clear need to minimise the processing time required for each run of the protocol in large databases, such as those of ISPs and mobile telephony providers. Theoretically, in order to maintain the privacy of devices, the sender needs to process all the records in the database per enquiry. This is the only way to preserve the privacy of an interesting device and the correctness of the PE scheme can be proven under the rules of MPC [3]. Thus, if the location platform used the PE primitive without modifications, the system would not be capable of processing any urgent requests due to the run time required per enquiry, and this would be a major drawback. A possible mitigation for this could be to limit the number of records that are processed and sent by the sender per enquiry. This would also greatly improve the communication complexity that has not been verified to this point. The privacy of the device should be protected, but if the probability of the sender guessing the ID of the interesting record is for example 1:1000 and not 1:n, for n being the size of the dataset, and the location service provider has no other information that could help infer the identity of the user, then this research argues that the privacy of the user is preserved.

It was mentioned that PE has almost constant processing time for enquiries with an increasing number of interesting records. However, if the number of records retrieved per enquiry is lower than the size of the dataset, it would be ideal if a constant level of privacy was provided to each user. In data mining fields there are already k-anonymity models that ensure that any privacy-protected statistical data record links to at least k different identities [33], consequently providing a controlled level of privacy to the data-subjects. Relating to the concept of dilution, the number of records requested per each interesting record can be defined as the dilution factor—o. This factor could be changed before each protocol run in order to allow users to dynamically choose the appropriate level of protection for the given request, such as having a high number of records for areas where there is high sensitivity, and a lower number for areas where there is a lesser need.

The proposed improved PE protocol operates by creating a single encrypted table of identities allowing the users to match the identities of their locations against this table privately, using the PE primitive. As the outcome of the private match operation, the chooser would learn the encrypted IDs of the interesting records. Then to perform a match the chooser would select (o − 1) records at random per each interesting record from the encrypted table of IDs. The double encrypted IDs of the selected records would be communicated to the sender and the remaining operations of the PE protocol would be run only on the selected records. Thus, the total number of requested records would be a product of the number of interesting records and the dilution factor, (m × o). The described technique would introduce the potential for a few different data controllers to collaborate and possibly identify the records of interest by checking for overlaps (intersection) of the requests made by the users to the location service providers.

The description of the improved protocol follows in Figs. 3, 4 and 5. In this improved protocol the initial processing depends on the size of the dataset—n, but it needs to be performed only once in a given period of time, e.g. once per month, or per year. However, the remaining operations are run on a limited dataset. Figure 6 illustrates the processes taking place in this PE protocol.

Fig. 3 Lowering processing time phase A—preparation

Fig. 4 Lowering processing time phase B—searching

Fig. 5 Lowering processing time phase C—retrieval

Fig. 6 Process flow of the protocol incorporating the dilution factor
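The preparation, private matching and dilution steps described above, as an added Python example that is not the authors' code. It assumes the PE primitive is realised with a commutative exponentiation cipher (the paper's protocol figures are not reproduced on this page), leaves the retrieval phase out, and uses constructed IDs and a demonstration modulus; `overlap` measures the intersection risk the text notes for repeated requests.

```python
import hashlib
import math
import secrets

# Demonstration modulus (Mersenne prime 2^521 - 1). An assumption of this
# example; a deployment would use a vetted group and parameter set.
P = 2**521 - 1
_rng = secrets.SystemRandom()


def hash_to_group(identifier):
    """Hash an object ID (bus stop, grid square) to a value in [1, P-1]."""
    digest = hashlib.sha256(identifier.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


class Party:
    """Commutative cipher E_k(x) = x^k mod P, so E_a(E_b(x)) == E_b(E_a(x))."""

    def __init__(self):
        while True:
            k = secrets.randbelow(P - 3) + 2
            if math.gcd(k, P - 1) == 1:  # k must be invertible mod P-1
                break
        self._k, self._k_inv = k, pow(k, -1, P - 1)

    def encrypt(self, x):
        return pow(x, self._k, P)

    def decrypt(self, y):
        return pow(y, self._k_inv, P)


def prepare_table(sender, database_ids):
    """Preparation: run once per period over all n records."""
    index = {sender.encrypt(hash_to_group(i)): i for i in database_ids}
    return sorted(index), index  # public encrypted table, sender's private index


def private_match(chooser, sender, table, interesting_ids):
    """Searching: the chooser learns which of its IDs exist in the table.

    The sender only ever sees values blinded with the chooser's key.
    """
    entries, found = set(table), []
    for ident in interesting_ids:
        blinded = chooser.encrypt(hash_to_group(ident))  # chooser -> sender
        double = sender.encrypt(blinded)                 # sender -> chooser
        entry = chooser.decrypt(double)                  # E_sender(H(ident))
        if entry in entries:
            found.append(entry)
    return found


def diluted_request(table, matched, o):
    """Hide each matched entry among o - 1 random others: m * o in total."""
    wanted = set(matched)
    decoy_pool = [e for e in table if e not in wanted]
    needed = len(matched) * (o - 1)
    if needed > len(decoy_pool):
        raise ValueError("dilution factor too large for this table")
    request = list(matched) + _rng.sample(decoy_pool, needed)
    _rng.shuffle(request)  # position must not reveal the real entries
    return request


def overlap(requests):
    """Entries common to every request: what observers comparing repeated
    requests for the same records could narrow the candidates down to."""
    common = set(requests[0])
    for req in requests[1:]:
        common &= set(req)
    return common


if __name__ == "__main__":
    sender, chooser = Party(), Party()
    table, index = prepare_table(sender, [f"square-{i}" for i in range(200)])
    path = ["square-7", "square-42", "square-9999"]  # last one is not in the DB
    matched = private_match(chooser, sender, table, path)
    print("squares with content:", len(matched), "of", len(path))
    runs = [diluted_request(table, matched, o=10) for _ in range(8)]
    print("records per request:", len(runs[0]))
    print("left after intersecting 8 requests:", len(overlap(runs)))
```

Because the decoys are redrawn on every run, the intersection of repeated requests shrinks towards the m real entries; reusing one decoy set per interesting record for the whole period is one way to keep the 1:o guarantee, at the cost of caching state on the chooser.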

4 Conclusions

Wang [40] defines that there are unique considerations with location privacy, and that there are still many unsolved challenges in implementing privacy in LBS. This is also re-iterated by Rohunen [32] who defines that these must be solved before the full benefits can be gained. For this, they define the key areas as privacy parameters; data disclosure control algorithms and information architectures. As was seen in the Grid section, there is still some work to be done on the precision of the location information, especially around the type of service required. Burghardt [4] highlights that there is a good deal of confusion in the field, and that it is difficult to identify the best methods that users would want. In their tests, they found that some of the simpler methods of privacy preservation did not give the required level of security, and that many users are actually more concerned about the privacy of others, than of themselves. One thing is certain; the implementation of LBSs will increase as the number of applications of the technology increases, thus it is likely that users will have to become more educated on the services they trust. It is likely, though, that for many users the usage of a trusted middleware system seems the best way to be able to filter the user’s requests, and for it to make a decision based on the context of the query to define whether the user’s location is blurred or not. The novel algorithm presented in this paper has significant improvements in computation speeds over the existing related methods, but does not strictly protect the current location, only the further path. It is possible, though, to ask for k different starting points/locations for your path (thus k different grids), and then only obtain information for the path that the user intends to take.

References 1. Aggarwal CC, Yu PS (2008) On static and dynamic methods for condensation-based privacy-preserving data mining. ACM Trans Database Syst 33:2:1–2:39 2. Agrawa R, Srikant R (2000) Privacy-preserving data mining. SIGMOD Rec 29:439–450 3. Asonov D, Freytag J-C (2003) Almost optimal private information retrieval. In: Proceedings of the 2nd international conference on privacy enhancing technologies, PET’02. Springer, Berlin/Heidelberg, pp 209–223 4. Burghardt T, Buchmann E, Müller J, Böhm K (2009) Understanding user preferences and awareness: privacy mechanisms in location-based services. In: Meersman R, Dillon T, Herrero P (eds) On the move to meaningful internet systems: OTM 2009. Lecture notes in computer science, vol 5870. Springer, Berlin/Heidelberg, pp 304–321 5. Chow C-Y, Mokbel M (2007) Enabling private continuous queries for revealed user locations. In: Papadias D, Zhang D, Kollios G (eds) Advances in spatial and temporal databases. Lecture notes in computer science, vol 4605. Springer, Berlin/Heidelberg, pp 258–275 6. Chow C-Y, Mokbel M (2009) Privacy in location-based services: a system architecture perspective. SIGSPATIAL Special 1:23–27 7. Chow C-Y, Mokbel MF, Aref WG (2009) Casper*: query processing for location services without compromising privacy. ACM Trans Database Syst 34:24:1–24:48 8. Chow C-Y, Mokbel MF, Liu X (2006) A peer-to-peer spatial cloaking algorithm for anonymous location-based service. In: Proceedings of the 14th annual ACM international symposium on advances in geographic information systems, GIS ’06. ACM, New York, NY, USA, pp 171–178 9. Privacy Rights Clearinghouse (1997) A review of the fair information principles: the foundation of privacy public policy

10. Damiani ML, Bertino E, Silvestri C (2010) The probe framework for the personalized cloaking of private locations. Trans Data Privacy 3:123–148
11. Dewri R, Ray I, Whitley D (2010) Query m-invariance: Preventing query disclosures in continuous location-based services. In: Eleventh international conference on mobile data management (MDM), pp 95–104
12. Ghinita G, Damiani ML, Silvestri C, Bertino E (2009) Preventing velocity-based linkage attacks in location-aware applications. In: Proceedings of the 17th ACM SIGSPATIAL international conference on advances in geographic information systems, GIS ’09. ACM, New York, NY, USA, pp 246–255
13. Ghinita G, Kalnis P, Kantarcioglu M, Bertino E (2009) A hybrid technique for private location-based queries with database protection. In: Mamoulis N, Seidl T, Pedersen T, Torp K, Assent I (eds) Advances in spatial and temporal databases. Lecture notes in computer science, vol 5644. Springer, Berlin/Heidelberg, pp 98–116
14. Gkoulalas-Divanis A, Kalnis P, Verykios VS (2010) Providing k-anonymity in location based services. SIGKDD Explor Newsl 12:3–10
15. Gkoulalas-Divanis A, Verykios VS, Bozanis P (2009) A network aware privacy model for online requests in trajectory data. Data Knowl Eng 68(4):431–452
16. Gruteser M, Liu X (2004) Protecting privacy, in continuous location-tracking applications. IEEE Secur Priv 2(2):28–34
17. Gruteser M, Grunwald D (2003) Anonymous usage of location-based services through spatial and temporal cloaking. In: Proceedings of the 1st international conference on mobile systems, applications and services, MobiSys ’03. ACM, New York, NY, USA, pp 31–42
18. Gruteser M, Grunwald D (2004) A methodological assessment of location privacy risks in wireless hotspot networks. In: Security in pervasive computing, volume 2802 of lecture notes in computer science. Springer, Berlin/Heidelberg, pp 113–142
19. Gruteser M, Grunwald D. Enhancing location privacy in wireless lan through disposable interface identifiers: a quantitative analysis. Mob Netw Appl 10:315–325
20. Hazas M, Scott J, Krumm J (2004) Location-aware computing comes of age. Computer 37(2):95–97
21. Hoh B, Gruteser M (2005) Protecting location privacy through path confusion. In: First international conference on security and privacy for emerging areas in communications networks, SecureComm 2005, pp 194–205
22. Kantarcioglu M, Vaidya J (2002) An architecture for privacy-preserving mining of client information. In: Proceedings of the IEEE international conference on privacy, security and data mining - volume 14, CRPIT ’14, Darlinghurst, Australia, 2002. Australian Computer Society, Inc., pp 37–42
23. Khoshgozaran A, Shahabi C (2007) Blind evaluation of nearest neighbor queries using space transformation to preserve location privacy. In: Proceedings of the 10th international conference on advances in spatial and temporal databases, SSTD’07. Springer, Berlin/Heidelberg, pp 239–257
24. Koorn R, Gils HV, Hart JT, Overbeek P, Tellegen R (2004) Privacy-enhancing technologies white paper for decision-makers
25. Wei-Shinn K, Chen Y, Zimmermann R (2009) Privacy protected spatial query processing for advanced location based services. Wirel Pers Commun 51:53–65. doi:10.1007/s11277-008-9608-9
26. Lampson BW (1973) A note on the confinement problem. Commun ACM 16:613–615
27. Magkos E, Kotzanikolaou P, Sioutas S, Oikonomou K (2010) A distributed privacy-preserving scheme for location-based queries. In: IEEE international symposium on a world of wireless mobile and multimedia networks (WoWMoM), pp 1–6
28. Meyerowitz J, Choudhury RR (2009) Hiding stars with fireworks: location privacy through camouflage. In: Proceedings of the 15th annual international conference on mobile computing and networking, MobiCom ’09. ACM, New York, NY, USA, pp 345–356
29. Mokbel MF (2006) Towards privacy-aware location-based database servers. In: 22nd international conference on data engineering workshops, p 93
30. Mokbel MF, Chow C-Y, Aref WG (2006) The new casper: query processing for location services without compromising privacy. In: Proceedings of the 32nd international conference on very large data bases, VLDB ’06, VLDB Endowment, pp 763–774
31. Pingley A, Yu W, Zhang N, Fu X, Zhao W (2009) Cap: A context-aware privacy protection system for location-based services. In: ICDCS ’09. 29th IEEE international conference on distributed computing systems, pp 49–57
32. Rohunen A, Markkula J (2010) Approaches to privacy protection in location-based services. In: Zavoral F, Yaghob J, Pichappan P, El-Qawasmeh E (eds) Networked digital technologies. Communications in computer and information science, vol 87. Springer, Berlin/Heidelberg, pp 402–409
33. Samarati P (2001) Protecting respondents’ identities in microdata release. IEEE Trans on Knowl and Data Eng 13:1010–1027
34. Sun Y, La Porta TF, Kermani P (2009) A flexible privacy-enhanced location-based services system framework and practice. IEEE Trans Mob Comput 8(3):304–321
35. Tang KP, Keyani P, Fogarty J, Hong JI (2006) Putting people in their place: an anonymous and privacy-sensitive approach to collecting sensed data in location-based applications. In: Proceedings of the SIGCHI conference on human factors in computing systems, CHI ’06. ACM, New York, NY, USA, pp 93–102
36. Truong A, Truong Q, Dang T (2010) An adaptive grid-based approach to location privacy preservation. In: Nguyen N, Katarzyniak R, Chen S-M (eds) Advances in intelligent information and database systems. Studies in computational intelligence, vol 283. Springer, Berlin/Heidelberg, pp 133–144
37. Truong QC, Truong AT, Dang TK (2009) Privacy preserving through a memorizing algorithm in location-based services. In: Proceedings of the 7th international conference on advances in mobile computing and multimedia, MoMM ’09. ACM, New York, NY, USA, pp 146–153
38. Um J, Kim H, Choi Y, Chang J (2009) A new grid-based cloaking algorithm for privacy protection in location-based services. In: HPCC ’09. 11th IEEE international conference on high performance computing and communications, pp 362–368
39. Wang S, Wang XS (2009) Anontwist: nearest neighbor querying with both location privacy and k-anonymity for mobile users. In: MDM ’09. Tenth international conference on mobile data management: systems, services and middleware, pp 443–448
40. Wang T, Liu L (2009) From data privacy to location privacy, pp 217–246
41. Yiu ML, Jensen CS, Huang X, Lu H (2008) Spacetwist: managing the trade-offs among location privacy, query performance, and query accuracy in mobile services. In: International conference on data engineering, pp 366–375