1. Anonymizing User Location and Profile Information for Privacy-aware Mobile Services Masanori Mano, Yoshiharu Ishikawa Nagoya University 11/2/2010 1

2. Outline 1.Background & Motivation 2.Related Work 3.System Framework 4.Matching Degree 5.Algorithm 6.Experimental Evaluation 7.Conclusions and Future work 11/2/20102

3. BACKGROUND & MOTIVATION 11/2/20103

4. Location-Based Services (LBSs) 11/2/20104 Where is the nearest café? Location- based Services Positioning Technologies Mobile Communication Database Technologies

5. Profile-Based LBSs LBSs typically utilize user locations and map information –Finding nearby restaurants –Presenting a map around the user –Computing the best route to the destination Use of user profiles (users property) can improve the quality of service –Property- and location-based services –Application areas Mobile shopping Mobile advertisements 11/2/20105

6. Example: Mobile Advertisements Provides local ads to mobile users –Example: Announcement of time-limited sales of nearby shops Use of user profiles –Properties: age, sex, address, marital status, etc. –Send selected ads to appropriate person Example: {sex: F, age: 28, has_kids: yes} –Cosmetics for women: good –Computers: maybe –Cosmetics for men: bad –Toys for kids: good 11/2/20106 Alice

7. Example: Mobile Advertisements 11/2/20107 Alice came to a shopping mall Alice Mobile Ads Provider Shopping Mall

8. Example: Mobile Advertisements 11/2/20108 Alice wanted ads Mobile Ads Provider Alice Shopping Mall

9. Example: Mobile Advertisements 11/2/20109 Anonymizer construct a cloaked region and send property Mobile Ads Provider Cloaked Region Request with (sex: F, age: 28, …)

10. Example: Mobile Advertisements 11/2/201010 Ads provider returns selected ads for Alice Mobile Ads Provider Alice

11. Example: Mobile Advertisements 11/2/201011 But, Alice is the only female within the region Cloaked Region Security Camera Mobile Ads Provider

12. Example: Mobile Advertisements 11/2/201012 Identify Adversary Get information If an adversary obtains information, he can detect target user Security Camera Mobile Ads Provider

13. Example 11/2/201013 In this anonymization, the adversary cant identify the user Cant Identify Security Camera Adversary Mobile Ads Provider

14. RELATED WORK 11/2/201014

15. Related Work (1) Techniques for location anonymity are classified into two extreme types [Ling Liu, 2009] –Anonymous location services: Only consider user locations –Identity-driven location services: Also consider user identities Our method lies between the two extremes, but considers user properties –Another dimension 11/2/201015 AnonymousPartial IdentityIdentity-driven Use of User PropertiesOur Approach No User Properties

16. Related Work (2) k-anonymity is the most popular approach in the proposals for location anonymity –Users location is indistinguishable from locations of at least other k -1 users Our approach is also based on the concept of k-anonymity –Extended by considering user properties 11/2/201016

17. Related Work (3) Various approaches to anonymous location services Casper [Mokbel+06]: The anonymizer utilize a grid-based pyramid data structure like quad-tree PrivacyGrid [Bamba+08]: Computes cloaked region by dynamic cell expansion XStar [Wang+09]: Intended for the problem for automobiles on road networks 11/2/201017

18. SYSTEM FRAMEWORK 11/2/201018

19. System Architecture (1) There is a service called Matchmaker between users and ads providers Roles of Matchmaker –Maintains user & ad profiles –Matchmaking: Recommend good ads for a given ads request –Anonymization of locations and user properties 11/2/201019 User Ads Provider Ad Matchmaker

20. System Architecture (2) Matchmaker is a trusted third-party server Given an ad request, Matchmaker sends anonymized request to ads providers –Use of the users profile/location and ad profiles –Even if some providers are untrusted, the users privacy is protected 11/2/201020 User Ads provider Matchmaker raw data trusted route anonymized data

21. User Profile Represents the users properties – k : minimum population A cloaked region should contain at least k users – l : minimum length Minimum length of each side of a cloaked region (square) – s : distance threshold The user wants ads within this distance –Additional attributes (e.g., age and sex) Value ranges are specified ID kls agesex u13402020-25M-M u24301010-29F-* k users l s 11/2/201021

22. Advertisement Profile Represents properties of each advertisement An advertisement that satisfies the following conditions should be sent –The ad area overlaps with the users requesting area –Other properties (age and sex) match (overlap) the users properties IDad areaagesex a1(100, 200, 400, 500)[20, 29]M a2(500, 500, 700, 700) [60, ] * Ad1 Ad2 s 11/2/201022

23. MATCHING DEGREE 11/2/201023

24. Motivation: Bad Anonymization The cloaked region contains aged/young and male/female users –The properties of the region is vague The ads provider has a cosmetic ad for female The ads provider may have a question: Is it valuable to send the ad? 11/2/201024 Ads provider ? Age: young to aged Sex: * (all)

25. Motivating Example: Good Anonymization Good anonymization would be that the users in the cloaked region have similar properties to the target user –Matching degree is introduced as a similarity 11/2/201025 Bad AnonymizationGood Anonymization different sexdifferent agesimilar sex and age

26. Matching Degree A matching degree is computed as the overlapped area of attribute values –Range: [0, 1] –Treated as if it were a probability value 11/2/201026 Attribute Values of Target User Overlapped Area Attribute Values of Other User Matching Degree for Spatial Attributes Matching Degree for Interval Attributes

27. Matching Degree 11/2/201027 nameage Alice21-30 Bob21-25 Dave61-80 Target user is Bob Compared user is Alice match = 1.0 Target user is Alice Compared user is Bob match = 0.5 Target user is Dave Compared user is Alice match = 0.0 Attribute of target user

28. ANONYMIZATION ALGORITHM 11/2/201028

29. Anonymity Conditions The cloaked region contains the target user The region contains at least k – 1 other users The length of each side of the region is longer than l The matching degrees between the target user and k - 1 users are more than a certain threshold value 11/2/201029 target user l k-1 users

30. Anonymization Process 1.Consider a rectangular region centered target user 2.Randomly select one user as a seed from the users within the region 3.Compute a rectangle around the seed 4.If the rectangle contains at least k users with good matching degrees, anonymization is completed Q A B C D E F 11/2/201030

31. Anonymization Example 11/2/201031 Alice Alice required ad –k = 3 –Threshold for matching degree = 0.5 Joe Kent Dave Mary Mike

32. Anonymization Example 11/2/201032 Alice 1.0 0.5 0.0 0.2 Alice is young woman –match = 1.0 Mary is also young woman –match = 1.0 Kent is young man –match = 0.5 Joe is aged man –match = 0.0 Dave and Mike are middle age men – match = 0.2 1.0 Joe Dave Kent Mary Mike

33. Anonymization Example 11/2/201033 Alice 1.0 0.5 0.0 0.2 A region centered Alice contains Kent and Mike We assume that Kent is selected as the seed user 1.0 Joe Dave Kent Mary Mike

34. Anonymization Example 11/2/201034 Alice 1.0 0.5 0.0 0.2 Compute region around Kent Check whether anonymization is appropriate 1.0 Joe Dave Kent Mary Mike

35. Anonymization Example 11/2/201035 Alice 1.0 0.5 0.0 0.2 Cloaked region contains three users with good matching degrees We cant detect target user –Alice, Kent and Mary are young person It is good anonymization target user is young person 1.0 Joe Dave Kent Mary Mike

36. EXPERIMENTAL EVALUATION 11/2/201036

37. Experimental Evaluation CPU 2.8GHz RAM 512MB Linux Evaluation on synthetic data Experimental Settings 11/2/201037 PropertyValue Target area[(0.0, 0.0), (100.0, 100.0)] No. User1000 k[5, 10] l[2.0, 10.0] s[0.1, 5.0] No. of Profile Attributes 2 Attribute Value[0, 1], [0, 2], [0, 3], [0, 4], [1, 2], [1, 3], [1, 4], [2, 3], [2, 4], [3, 4] (randomly)

38. Threshold Values and Success Rates Matchmaker specifies a threshold value of matching degree –Find out an appropriate threshold Success rate is sensitive to population –Need to change threshold flexibly 11/2/201038 Containing more than or equal to k users with good matching degree (i.e. threshold) is successful anonymization

39. Computation Time We compare computation times of two approaches –Compute matching degrees –Does not compute matching degrees Only consider the number of users Computing of matching degrees takes more than twice times –Well try to improve algorithms of computing matching degrees 11/2/201039

40. CONCLUSIONS & FUTURE WORK 11/2/201040

41. Conclusions and Future work Conclusions –Proposed an approach to anonymization for LBSs –Utilizing user profiles to specify users properties and anonymization preferences –Property-aware anonymization using matching degrees Future work –More experimental evaluation –Improving algorithm 11/2/201041

42. Thank you 11/2/201042