1 Realtime Location Privacy Via Mobility Prediction Creating Confusion at Crossroads Joseph Meyerowitz Romit Roy Choudhury Undergraduate Senior,Asst. Professor ECE and Physics,Dept. of ECE and CS Duke UniversityDuke University

2 Context Better localization technology + Pervasive wireless connectivity = Location-based pervasive applications

3 Location-Based Apps For Example:  GeoLife shows grocery list on phone when near WalMart  Micro-Blog allows querying people at a desired region  Location-based ad: Phone gets coupon at Starbucks  … Location expresses context of user  Facilitating content delivery Location is the IP address Its as if for content

4 Double-Edged Sword While location drives this new class of applications, it also violates user’s privacy Sharper the location, richer the app, deeper the violation

5 While location drives this new class of applications, it also violates user’s privacy Sharper the location, richer the app, deeper the violation Moreover, range of apps are PUSH based. Require continuous location information Phone detected at Starbucks, PUSH a coffee coupon Phone located on highway, query traffic congestion Double-Edged Sword

6 Location Privacy Problem: Research: Continuous location exposure a serious threat to privacy Continuous location exposure a serious threat to privacy Preserve privacy without sacrificing the quality of continuous loc. based apps Preserve privacy without sacrificing the quality of continuous loc. based apps

7 Just Call Yourself ``Freddy” Pseudonymns  Effective only when infrequent location exposure  Else, spatio-temporal patterns enough to deanonymize … think breadcrumbs Romit’s Office John LeslieJack Susan Alex

8 Add Noise K-anonymity  Convert location to a space-time bounding box  Ensure K users in the box  Location Apps reply to boxed region Issues  Poor quality of location  Degrades in sparse regions  Not real-time You Bounding Box K=4

9 Confuse Via Mixing Path intersections is an opportunity for privacy  If users intersect in space-time, cannot say who is who later Issues  Users may not be collocated in space and time  Mixing still possible at the expense of delay

10 Existing solutions seem to suggest: Privacy and Quality of Localization (QoL) is a zero sum game Need to sacrifice one to gain the other

11 Our Goal Break away from this tradeoff Target: Spatial accuracy Real-time updates Privacy guarantees Even in sparse populations We design: CacheCloak

12 CacheCloak Intuition Exploit mobility prediction to create future path intersections User’s paths are like crossroads of breadcrumbs App knows precise locations, but doesn’t know the user

13 CacheCloak Assume trusted privacy provider  Reveal location to CacheCloak  CacheCloak exposes anonymized location to Loc. App CacheCloak Loc. App1 Loc. App2 Loc. App3 Loc. App4

14 CacheCloak Design User A drives down path P1  P1 is a sequence of locations  CacheCloak has cached response for each location User A takes a new turn (no cached response)  CacheCloak predicts mobility  Deliberately intersects predicted path with another path P2  Exposes predicted path to application Application replies to queries for entire path CacheCloak always knows user’s current location  Forwards cached responses for that precise location

15 CacheCloak Design Adversary confused  New path intersects paths P1 and P2 (crossroads)  Not clear where the user came from or turned onto Example …

16 Example

17 Benefits Real-time  Response ready when user arrives at predicted location High QoL  Responses can be specific to location  Overhead on the wired backbone (caching helps) Entropy guarantees  Entropy increases at traffic intersections  In low regions, desired entropy possible via false branching Sparse population  Can be handled with dummy users

18 Quantifying Privacy City converted into grid of small sqaures (pixels)  Users are located at a pixel at a given time Each pixel associated with 8x8 matrix  Element (x, y) = probability that user enters x and exits y Probabilities diffuse  At intersections  Over time Privacy = entropy x y pixel

19 Diffusion Probability of user’s presence diffuses  Diffusion gradient computed based on history  i.e., what fraction of users take right turn at this intersection Time t 1 Time t 2 Time t 3 Road Intersection

20 Evaluation Trace based simulation  VanetMobiSim + US Census Bureau trace data  Durham map with traffic lights, speed limits, etc.  Vehicles follow Google map paths  Performs collision avoidance 6km x 6km 10m x 10m pixel 1000 cars 6km x 6km 10m x 10m pixel 1000 cars

21 Results High average entropy  Quite insensitive to user density (good for sparse regions)  Minimum entropy reasonably high

22 Results Per-user entropy  Increases quickly over time  No user starves of location privacy

23 Issues and Limitations CacheCloak overhead  Application replies to lots of queries  However, overhead on wired infrastructure  Caching reduces this overhead significantly CacheCloak assumes same, indistinguishable query  Different queries can deanonymize  Need more work Per-user privacy guarantee not yet supported  Adaptive branching & dummy users

24 Closing Thoughts Two nodes may intersect in space but not in time Mixing not possible, without sacrificing timeliness Mobility prediction creates space-time intersections Enables virtual mixing in future

25 Closing Thoughts CacheCloak Implements the prediction and caching function Significant entropy attained even under sparse population Spatio-temporal accuracy remains uncompromised

26 Final Take Away Chasing a car is easier on highways … Much harder in Manhattan crossroads CacheCloak tries to turn a highway into a virtual Manhattan … Well, sort of …

27 Thank You For more related work, visit:

28 Emerging trends in content distribution Content delivered to a location / context  As opposed to a destination address Thus, “location” is a key driver of content delivery IP address : Internet = Location : CDN New wave of applications

29 Emerging trends in content distribution Content delivered to a location / context  As opposed to a destination address Thus, “location” is a key driver of content delivery IP address : Internet = Location : CDN New wave of applications

30 Example

31 Location Privacy Problem: Continuous location exposure deprives user of her privacy. Continuous location exposure deprives user of her privacy.

32 Location Frequency Some location apps are reactive / infrequent  E.g., List Greek restaurants around me now (PULL) But, many emerging apps are proactive  E.g., Phone detected at Starbucks, PUSH a coffee coupon

33 Location Frequency Some location apps are reactive / infrequent  E.g., List Greek restaurants around me now (PULL) But, many emerging apps are proactive  E.g., Phone detected at Starbucks, PUSH a coffee coupon Opportunity for Big Bro to track you over space and time Proactive apps require continuous location Proactive apps require continuous location

34 Categorizing Apps Some location apps are reactive  You ask, App answers  E.g., Pull all Greek restaurants around your location But, many emerging apps are proactive  E.g., Phone detected at Starbucks, PUSH a coffee coupon

35 Categorizing Apps Some location apps are reactive  You ask, App answers  E.g., Pull all Greek restaurants around your location But, many emerging apps are proactive  E.g., Phone detected at Starbucks, PUSH a coffee coupon Proactive apps require continuous location Proactive apps require continuous location