Results 1 - 10 of 17
Quantifying Location Privacy
- IEEE Symposium on Security and Privacy, 2011
Cited by 76 (18 self)
Abstract
It is a well-known fact that the progress of personal communication devices leads to serious concerns about privacy in general, and location privacy in particular. As a response to these issues, a number of Location-Privacy Protection Mechanisms (LPPMs) have been proposed during the last decade. However, their assessment and comparison remains problematic because of the absence of a systematic method to quantify them. In particular, the assumptions about the attacker's model tend to be incomplete, with the risk of a possibly wrong estimation of the users' location privacy. In this paper, we address these issues by providing a formal framework for the analysis of LPPMs; it captures, in particular, the prior information that might be available to the attacker, and various attacks that he can perform. The privacy of users and the success of the adversary in his location-inference attacks are two sides of the same coin. We revise location privacy by giving a simple, yet comprehensive, model to formulate all types of location-information disclosure attacks. Thus, by formalizing the adversary's performance, we propose and justify the right metric to quantify location privacy. We clarify the difference between three aspects of the adversary's inference attacks, namely their accuracy, certainty, and correctness. We show that correctness determines the privacy of users. In other words, the expected estimation error of the adversary is the metric of users' location privacy. We rely on well-established statistical methods to formalize and implement the attacks in a tool: the Location-Privacy Meter that measures the location privacy of mobile users, given various LPPMs. In addition to evaluating some example LPPMs, by using our tool, we assess the appropriateness of some popular metrics for location privacy: entropy and k-anonymity. The results show a lack of satisfactory correlation between these two metrics and the success of the adversary in inferring the users' actual locations.
Evaluating the Privacy Risk of Location-Based Services
Cited by 20 (7 self)
Abstract
In modern mobile networks, users increasingly share their location with third parties in return for location-based services. In this way, users obtain services customized to their location. Yet, such communications leak location information about users. Even if users make use of pseudonyms, the operators of location-based services may be able to identify them and thus affect their privacy. In this paper, we provide an analysis of the erosion of privacy caused by the use of location-based services. To do so, we experiment with real mobility traces and measure the dynamics of user privacy. This paper thus details and quantifies the privacy risks induced by the use of location-based services.
Unraveling an Old Cloak: k-anonymity for Location Privacy
Cited by 20 (8 self)
Abstract
There is a rich collection of literature that aims at protecting the privacy of users querying location-based services. One of the most popular location privacy techniques consists in cloaking users' locations such that k users appear as potential senders of a query, thus achieving k-anonymity. This paper analyzes the effectiveness of k-anonymity approaches for protecting location privacy in the presence of various types of adversaries. The unraveling of the scheme unfolds the inconsistency between its components, mainly the cloaking mechanism and the k-anonymity metric. We show that constructing cloaking regions based on the users' locations does not reliably relate to location privacy, and argue that this technique may even be detrimental to users' location privacy. The uncovered flaws imply that the existing k-anonymity scheme is a tattered cloak for protecting location privacy.
Quantifying location privacy: The case of sporadic location exposure
- In: IEEE Symposium on Security and Privacy, 2011
Cited by 14 (5 self)
Abstract
Mobile users expose their location to potentially untrusted entities by using location-based services. Based on the frequency of location exposure in these applications, we divide them into two main types: Continuous and Sporadic. These two location exposure types lead to different threats. For example, in the continuous case, the adversary can track users over time and space, whereas in the sporadic case, his focus is more on localizing users at certain points in time. We propose a systematic way to quantify users' location privacy by modeling both the location-based applications and the location-privacy preserving mechanisms (LPPMs), and by considering a well-defined adversary model. This framework enables us to customize the LPPMs to the employed location-based application, in order to provide higher location privacy for the users. In this paper, we formalize localization attacks for the case of sporadic location exposure, using Bayesian inference for Hidden Markov Processes. We also quantify user location privacy with respect to the adversaries with two different forms of background knowledge: Those who only know the geographical distribution of users over the considered regions, and those who also know how users move between the regions (i.e., their mobility pattern). Using the Location-Privacy Meter tool, we examine the effectiveness of the following techniques in increasing the expected error of the adversary in the localization attack: Location obfuscation and fake location injection mechanisms for anonymous traces.
Collaborative Location Privacy
- In: 2011 IEEE 8th International Conference on Mobile Adhoc and Sensor Systems (MASS), 2011
Cited by 5 (2 self)
Abstract
Location-aware smart phones support various location-based services (LBSs): users query the LBS server and learn on the fly about their surroundings. However, such queries give away private information, enabling the LBS to identify and track users. We address this problem by proposing the first, to the best of our knowledge, user-collaborative privacy preserving approach for LBSs. Our solution, MobiCrowd, is simple to implement, it does not require changing the LBS server architecture, and it does not assume third party privacy-protection servers; still, MobiCrowd significantly improves user location-privacy. The gain stems from the collaboration of MobiCrowd-ready mobile devices: they keep their context information in a buffer, until it expires, and they pass it to other users seeking such information. Essentially, the LBS does not need to be contacted unless all the collaborative peers in the vicinity lack the sought information. Hence, the user can remain hidden from the server, unless it absolutely needs to expose herself through a query. Our results show that MobiCrowd hides a high fraction of location-based queries, thus significantly enhancing user location-privacy. To study the effects of various parameters, such as the collaboration level and contact rate between mobile users, we develop an epidemic model. Our simulations with real mobility datasets corroborate our model-based findings. Finally, our implementation of MobiCrowd on Nokia platforms indicates that it is lightweight and the collaboration cost is negligible.
Hiding in the Mobile Crowd: Location Privacy through Collaboration
Cited by 2 (0 self)
Abstract
Location-aware smartphones support various location-based services (LBSs): users query the LBS server and learn on the fly about their surroundings. However, such queries give away private information, enabling the LBS to track users. We address this problem by proposing the first user-collaborative privacy-preserving approach for LBSs. Our solution does not require changing the LBS server architecture, and it does not assume third party servers; still, it significantly improves users' location privacy. The gain stems from the collaboration of mobile devices: they keep their context information in a buffer and pass it to others seeking such information. Thus, a user remains hidden from the server, unless all the collaborative peers in the vicinity lack the sought information. We evaluate our scheme against Bayesian localization attacks, which allow for strong adversaries who can incorporate prior knowledge in their attacks. We develop a novel epidemic model to capture the, possibly time-dependent, dynamics of information propagation among users. Used in the Bayesian inference framework, this model helps analyze the effects of various parameters, such as the users' querying rate and the lifetime of context information, on users' location privacy. The results show that our scheme hides a high fraction of location-based queries, thus significantly enhancing users' location privacy. Our simulations with real mobility traces corroborate our model-based findings. Finally, our implementation on mobile platforms indicates that it is lightweight and the collaboration cost is negligible.
Time Warp: How Time Affects Privacy in LBSs
Cited by 2 (0 self)
Abstract
Location Based Services (LBSs) introduce several privacy issues, the most relevant ones being: (i) how to anonymize a user; (ii) how to specify the level of anonymity; and, (iii) how to guarantee to a given user the same level of desired anonymity for all of his requests. Anonymizing the user within k potential users is a common solution to (i). A recent work [28] highlighted how specifying a practical value of k could be a difficult choice for the user, hence introducing a feeling based model: a user defines the desired level of anonymity specifying a given area (e.g. a shopping mall). The proposal sets the level of anonymity (ii) as the popularity of the area—popularity being measured via the entropy of the footprints of the visitors in that area. To keep the privacy level constant (iii), the proposal conceals the user requests always within an area of the same popularity—independently from the current user's position. The main contribution of this work is to highlight the importance of the time when providing privacy in LBSs. Further, we show how, applying our considerations, user privacy can be violated in the related model, but also in a relaxed one. We support our claim with both analysis and a practical counter-example.
TrPF: A Trajectory Privacy-Preserving Framework for Participatory Sensing
Cited by 1 (0 self)
Abstract
The ubiquity of the various cheap embedded sensors on mobile devices, for example cameras, microphones, accelerometers, and so on, is enabling the emergence of participatory sensing applications. While participatory sensing can benefit the individuals and communities greatly, the collection and analysis of the participators' location and trajectory data may jeopardize their privacy. However, the existing proposals mostly focus on participators' location privacy, and few are done on participators' trajectory privacy. The effective analysis on trajectories that contain spatial-temporal history information will reveal participators' whereabouts and the relevant personal privacy. In this paper, we propose a trajectory privacy-preserving framework, named TrPF, for participatory sensing. Based on the framework, we improve the theoretical mix-zones model by considering the time factor from the perspective of graph theory. Finally, we analyze the threat models with different background knowledge and evaluate the effectiveness of our proposal on the basis of information entropy, and then compare the performance of our proposal with previous trajectory privacy protections. The analysis and simulation results prove that our proposal can protect participators' trajectory privacy effectively with lower information loss and costs than what is afforded by the other proposals.
Index Terms—Participatory sensing, trajectory privacy-preserving framework, trajectory mix-zones graph model, information loss, entropy.
Quantifying and Protecting Location Privacy
Cited by 1 (1 self)
Abstract
It is well known that many technologies have downsides that are initially overlooked or underestimated: engines and heating systems lead to exhaustion of fossil resources and climate change, road traffic kills people by the thousands, etc. Information technology is no exception as it has notably paved the way to an unprecedented assault on privacy. Privacy was already identified as a major issue as early as the last decade of the nineteenth century, with the emergence of photography. Today the pervasiveness of digital systems has brought the concern to a completely different level. In particular, the total number of cellular phones now in operation already exceeds six billion, with a growing proportion being smart phones. This means that virtually everyone can be tracked by their cellular operator and by a growing number of location-based service (LBS) providers. This thesis revolves around the crucial topic of location privacy. It presents an analytical framework for the location privacy of LBS users. In such a setting, users share their location data and complementary application-dependent information with an LBS provider. However, users should be concerned about possible third-party observers who track their shared locations and therefore violate their privacy. This work relies on privacy enhancing technologies
PAR
- 2011
Abstract
Modern mobile devices are fast, programmable and feature localization and wireless capabilities. These technological advances notably facilitate mobile access to Internet, development of mobile applications and sharing of personal information, such as location information. Cell phone users can for example share their whereabouts with friends on online social networks. Following this trend, the field of ubiquitous computing foresees communication networks composed of increasingly inter-connected wireless devices offering new ways to collect and share information in the future. It also becomes harder to control the spread of personal information. Privacy is a critical challenge of ubiquitous computing as sharing personal information exposes users' private lives. Traditional techniques to protect privacy in wired networks may be inadequate in mobile networks because users are mobile, have short-lived encounters and their communications can be easily eavesdropped upon. These characteristics introduce new privacy threats related to location information: a malicious entity can track users' whereabouts and learn aspects of users' private lives that may not be apparent at first. In this dissertation, we focus on three