Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantifying Location Privacy Reza Shokri George Theodorakopoulos Jean-Yves Le Boudec Jean-Pierre Hubaux May 2011.

Published byEdwin Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Quantifying Location Privacy Reza Shokri George Theodorakopoulos Jean-Yves Le Boudec Jean-Pierre Hubaux May 2011."— Presentation transcript:

1 Quantifying Location Privacy Reza Shokri George Theodorakopoulos Jean-Yves Le Boudec Jean-Pierre Hubaux May 2011

2 2

3 3 The contextual information attached to a trace tells much about our habits, interests, activities, and relationships A location trace is not only a set of positions on a map

4 4 envisioningdevelopment.net/map

5 5

6 6 Distort location information before exposing it to others Location-Privacy Protection

7 7 originallow accuracylow precision Pictures from Krumm 2007 Location-Privacy Protection Anonymization (pseudonymization) –Replacing actual username with a random identity Location Obfuscation –Hiding location, Adding noise, Reducing precision How to evaluate/compare various protection mechanisms? Which metric to use? A common formal framework is MISSING

8 Location Privacy: A Probabilistic Framework

9 9 Reconstructed Traces Attack KC Attacker Knowledge Construction riri rjrj P ij Users’ Mobility Profiles MC Transition Matrices uNuN u1u1 uNuN u1u1 Past Traces (vectors of noisy/missing events) … Location-Privacy Preserving Mechanism u1u1 u2u2 uNuN … 1234 T Users Timeline: Actual Traces (vectors of actual events) 1 … 1234 T Nyms Timeline: Observed Traces (vectors of observed events) 2 N LPPM ObfuscationAnonymization

10 10 Location-Privacy Preserving Mechanism LPPM Alice Location-Obfuscation Function: Hiding, Reducing Precision, Adding Noise, Location Generalization,… A Probabilistic Mapping of a Location to a Set of Locations

11 11 Location-Privacy Preserving Mechanism Anonymization Function: Replace Real Usernames with Random Pseudonyms (e.g., integer 1…N) LPPM Alice Charlie Bob 3 2 1 A Random Permutation of Usernames

12 12 Location-Privacy Preserving Mechanism AnonymizationLocation Obfuscation (for user u) Observed trace of user u, with pseudonym u’ Actual trace of user u Spatiotemporal Event:

13 13 Adversary Model ObservationKnowledge Anonymized and Obfuscated Traces Users’ mobility profiles PDF anonymization PDF obfuscation LPPM

14 14 Learning Users’ Mobility Profiles ((adversary knowledge construction)) KC riri rjrj P ij Users’ Profiles MC Transition Matrices uNuN u1u1 uNuN u1u1 Past Traces (vectors of noisy/missing past events) … From prior knowledge, the Attacker creates a Mobility Profile for each user Mobility Profile: Markov Chain on the set of locations Task: Estimate MC transition probabilities P u

15 15 Example – Simple Knowledge Construction Day –1001271420… Day –9913201925… … Day –112131219… Time8am9am10am11am… Prior Knowledge for (this example: 100 Training Traces) 71319 12⅓⅓⅓ Alice Mobility Profile for Alice How to consider noisy/partial traces? e.g., knowing only the user’s location in the morning (her workplace), and her location in the evening (her home)

16 16 Learning Users’ Mobility Profiles ((adversary knowledge construction)) KC riri rjrj P ij Users’ Profiles MC Transition Matrices uNuN u1u1 uNuN u1u1 Past Traces (vectors of noisy/missing past events) … From prior knowledge, the Attacker creates a Mobility Profile for each user Mobility Profile: Markov Chain on the set of locations Task: Estimate MC transition probabilities P u Our Solution: Using Monte-Carlo method: Gibbs Sampling to estimate the probability distribution of the users’ mobility profiles

17 17 Adversary Model ObservationKnowledge Anonymized and Obfuscated Traces Users’ mobility profiles PDF anonymization PDF obfuscation LPPM Inference Attack Examples Localization Attack : “Where was Alice at 8pm?” What is the probability distribution over the locations for user ‘Alice’ at time ‘8pm’? Tracking Attack : “Where did Alice go yesterday?” What is the most probable trace (trajectory) for user ‘Alice’ for time period ‘yesterday’? Meeting Disclosure Attack : “How many times did Alice and Bob meet?” Aggregate Presence Disclosure : “How many users were present at restaurant x, at 9pm?”

18 18 Inference Attacks Our Solution: Decoupling De-anonymization from De-obfuscation Computationally infeasible:  (anonymization permutation) can take N! values

19 19 De-anonymization 1 - Compute the likelihood of observing trace ‘i’ from user ‘u’, for all ‘i’ and ‘u’, using HMP: Forward-Backward algorithm. O(R 2 N 2 T) 2 - Compute the most likely assignment using a Maximum Weight Assignment algorithm (e.g., Hungarian algorithm). O(N 4 ) u1u1 u2u2 uNuN … Users 1 … Nyms 2 N

20 20 De-obfuscation Given the most likely assignment  *, the localization probability can be computed using Hidden Markov Model: the Forward-Backward algorithm. O(R 2 T) Tracking Attack Given the most likely assignment  *, the most likely trace for each user can be computed using Viterbi algorithm. O(R 2 T) Localization Attack

21 Location-Privacy Metric

22 22 Assessment of Inference Attacks In an inference attack, the adversary estimates the true value of some random variable ‘X’ (e.g., location of a user at a given time instant) Three properties of the estimation’s performance: How focused is the estimate on a single value? The Entropy of the estimated random variable How accurate is the estimate? Confidence level and confidence interval How close is the estimate to the true value (the real outcome)? Let x c (unknown to the adversary) be the actual value of X

23 23 Location-Privacy Metric The true outcome of a random variable is what users want to hide from the adversary Hence, incorrectness of the adversary’s inference attack is the metric that defines the privacy of users Location-Privacy of user ‘u’ at time ‘t’ with respect to the localization attack = Incorrectness of the adversary (the expected estimation error):

24 Location-Privacy Meter A Tool to Quantify Location Privacy http://lca.epfl.ch/projects/quantifyingprivacy

25 25 Location-Privacy Meter (LPM) You provide the tool with –Some traces to learn the users’ mobility profiles –The PDF associated with the protection mechanism –Some traces to run the tool on LPM provides you with –Location privacy of users with respect to various attacks: Localization, Tracking, Meeting Disclosure, Aggregate Presence Disclosure,…

26 26 LPM: An Example CRAWDAD dataset N = 20 users R = 40 regions T = 96 time instants Protection mechanism: –Anonymization –Location Obfuscation Hiding location Precision reduction (dropping low-order bits from the x, y coordinates of the location)

27 27 LPM: Results – Localization Attack No obfuscation

28 28 Assessment of other Metrics EntropyK-anonymity

29 29 Conclusion A unified formal framework to describe and evaluate a variety of location-privacy preserving mechanisms with respect to various inference attacks Modeling LPPM evaluation as an estimation problem –Throw attacks at the LPPM The right Metric: Expected Estimation Error An object-oriented tool (Location-Privacy Meter) to evaluate/compare location-privacy preserving mechanisms http://people.epfl.ch/reza.shokri

30 30

31 31 Hidden Markov Model OiOi {11,12,13}{6,7,8}{14,15,16}{18,19,20}… 11 13 12 6 8 7 14 16 15 18 20 19 P Alice (11  6)P Alice (6  14) P LPPM (6  {6,7,8}) P Alice (11) Alice

Download ppt "Quantifying Location Privacy Reza Shokri George Theodorakopoulos Jean-Yves Le Boudec Jean-Pierre Hubaux May 2011."

Similar presentations

Bayesian Belief Propagation

Bayesian Belief Propagation
Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.
Review bootstrap and permutation

Review bootstrap and permutation
On the Optimal Placement of Mix Zones Julien Freudiger, Reza Shokri and Jean-Pierre Hubaux PETS, 2009.

On the Optimal Placement of Mix Zones Julien Freudiger, Reza Shokri and Jean-Pierre Hubaux PETS, 2009.
Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,

Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,
The Role of History and Prediction in Data Privacy Kristen LeFevre University of Michigan May 13, 2009.

The Role of History and Prediction in Data Privacy Kristen LeFevre University of Michigan May 13, 2009.
Probabilistic models Haixu Tang School of Informatics.

Probabilistic models Haixu Tang School of Informatics.
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.
Sampling: Final and Initial Sample Size Determination

Sampling: Final and Initial Sample Size Determination
Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.

Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.
Hidden Markov Models Theory By Johan Walters (SR 2003)

Hidden Markov Models Theory By Johan Walters (SR 2003)
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.

1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.
… Hidden Markov Models Markov assumption: Transition model:

… Hidden Markov Models Markov assumption: Transition model:
HMM-BASED PATTERN DETECTION. Outline  Markov Process  Hidden Markov Models Elements Basic Problems Evaluation Optimization Training Implementation 2-D.

HMM-BASED PATTERN DETECTION. Outline  Markov Process  Hidden Markov Models Elements Basic Problems Evaluation Optimization Training Implementation 2-D.
Privacy-MaxEnt: Integrating Background Knowledge in Privacy Quantification Wenliang (Kevin) Du, Zhouxuan Teng, and Zutao Zhu. Department of Electrical.

Privacy-MaxEnt: Integrating Background Knowledge in Privacy Quantification Wenliang (Kevin) Du, Zhouxuan Teng, and Zutao Zhu. Department of Electrical.
Mutual Information Mathematical Biology Seminar 23.5.2005.

Mutual Information Mathematical Biology Seminar
Lecture 5: Learning models using EM

Lecture 5: Learning models using EM
1 Preserving Privacy in Collaborative Filtering through Distributed Aggregation of Offline Profiles The 3rd ACM Conference on Recommender Systems, New.

1 Preserving Privacy in Collaborative Filtering through Distributed Aggregation of Offline Profiles The 3rd ACM Conference on Recommender Systems, New.
. PGM: Tirgul 10 Parameter Learning and Priors. 2 Why learning? Knowledge acquisition bottleneck u Knowledge acquisition is an expensive process u Often.

. PGM: Tirgul 10 Parameter Learning and Priors. 2 Why learning? Knowledge acquisition bottleneck u Knowledge acquisition is an expensive process u Often.

Similar presentations

Ads by Google