Results 1 - 9 of 9
The new Casper: Query processing for location services without compromising privacy
In Proc. of the 32nd International Conference on Very Large Data Bases (VLDB), 2006
Cited by 99 (3 self)
Abstract:
In this paper, we present a new privacy-aware query processing framework, Casper*, in which mobile and stationary users can obtain snapshot and/or continuous location-based services without revealing their private location information. In particular, we propose a privacy-aware query processor embedded inside a location-based database server to deal with snapshot and continuous queries based on the knowledge of the user’s cloaked location rather than the exact location. Our proposed privacy-aware query processor is completely independent of how we compute the user’s cloaked location. In other words, any existing location anonymization algorithm that blurs the user’s private location into cloaked rectilinear areas can be employed to protect the user’s location privacy. We first propose a privacy-aware query processor that not only supports three new privacy-aware query types, but also achieves a trade-off between query processing cost and answer optimality. Then, to improve the system scalability of processing continuous privacy-aware queries, we propose a shared execution paradigm that shares query processing among a large number of continuous queries. The proposed scalable paradigm can be tuned through two parameters to trade off between system scalability and answer optimality. Experimental results show that our query processor achieves high-quality snapshot and continuous location-based services while
Taxonomy of trust: Categorizing P2P reputation systems
Computer Networks, 2006
Cited by 45 (0 self)
Abstract:
The field of peer-to-peer reputation systems has exploded in the last few years. Our goal is to organize existing ideas and work to facilitate system design. We present a taxonomy of reputation system components, their properties, and discuss how user behavior and technical constraints can conflict. In our discussion, we describe research that exemplifies compromises made to deliver a useable, implementable system. © 2005 Elsevier B.V. All rights reserved.
Privacy preserving data mining
2007
Cited by 17 (0 self)
Abstract:
Privacy preserving data mining (PPDM) refers to the area of data mining that seeks to safeguard sensitive information from unsolicited or unsanctioned disclosure. Most traditional data mining techniques analyze and model the dataset statistically, in aggregation, while privacy preservation is primarily concerned with protecting against
Anonymous Query Processing in Road Networks
2010
Cited by 3 (1 self)
Abstract:
The increasing availability of location-aware mobile devices has given rise to a flurry of location-based services (LBS). Due to the nature of spatial queries, an LBS needs the user position in order to process her requests. On the other hand, revealing exact user locations to a (potentially untrusted) LBS may pinpoint their identities and breach their privacy. To address this issue, spatial anonymity techniques obfuscate user locations, forwarding to the LBS a sufficiently large region instead. Existing methods explicitly target processing in the Euclidean space, and do not apply when proximity to the users is defined according to network distance (e.g., driving time through the roads of a city). In this paper, we propose a framework for anonymous query processing in road networks. We design location obfuscation techniques that (i) provide anonymous LBS access to the users, and (ii) allow efficient query processing at the LBS side. Our techniques exploit existing network database infrastructure, requiring no specialized storage schemes or functionalities. We experimentally compare alternative designs in real road networks and demonstrate the effectiveness of our techniques.
Implanting life-cycle privacy policies in a context database
2006
Cited by 2 (1 self)
Abstract:
Ambient intelligence (AmI) environments continuously monitor surrounding individuals’ context (e.g., location, activity, etc.) to make existing applications smarter, i.e., make decisions without requiring user interaction. Such AmI smartness is tightly coupled to the quantity and quality of the available (past and present) context. However, context is often linked to an individual (e.g., the location of a given person) and as such falls under privacy directives. The goal of this paper is to enable the difficult wedding of privacy (automatically fulfilling users’ privacy wishes) and smartness in the AmI. Interestingly, privacy requirements in the AmI are different from traditional environments, where systems usually manage durable data (e.g., medical or banking information), collected and updated trustfully either by the donor herself, her doctor, or an employee of her bank. Therefore, proper information disclosure to third parties constitutes a major privacy concern in the traditional studies. On the contrary, AmI is based on autonomous and invisible data collection with weak durability requirements (from the donors’ point of view), which puts regulation of the context data life-cycle on the hot seat. More precisely, we propose to bind Life-Cycle Policies (LCP) to context data, regulating its progressive degradation. This paper makes the following contributions. (i) It introduces the Life Cycle Policy (LCP) model to regulate the content of context databases; (ii) it investigates the problem of correctness of the LCP model when used to implant one-way degradation (i.e., ensure that degraded information can no longer be recovered from the current database content); (iii) it implants LCP on top of a traditional DBMS, to provide a practical understanding of the model and show the feasibility of the proposed techniques. Finally, it presents new challenges linked to our approach and concludes the paper. We are convinced that providing LCP on autonomous systems paves the way to new privacy solutions.
Contextual e-Negotiation for the Handling of Private Data in e-Commerce on a Semantic Web
HICSS, p. 62a, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06), Track 3, 2006
Cited by 1 (0 self)
Abstract:
In this paper, we describe data support in an information system to support contextual, online negotiation of privacy contracts for e-commerce on the Semantic Web. Context is important to the user, as one user rule about any single private data item may not fit all situations. For privacy negotiation, we introduce a usage concept consisting of a triple of P3P-defined elements (purpose, recipient, retention) upon which both users and businesses can usefully negotiate. Further, we propose a negotiation terminology model to support subdivision of complex user rules into sub-preferences and businesses’ data requests into smaller sub-requests. We also exploit the disjoint data set types in the P3P schema for fast determination of whether negotiation may be useful. We utilize an ontological representation of the P3P data schema in a novel approach to finding relevant substitute data for counteroffers within a negotiation session. A prototype Web system is running.
Preface
2006
Abstract:
Ambient Intelligence (AmI) environments continuously monitor individuals’ context such as locations, activities, et cetera. The purpose of this is to make existing applications smarter, so they can make decisions without requiring user interaction. Such AmI smartness is tightly coupled to the quantity and quality of the available context. Keeping in mind that there is a chance that their privacy is violated, it is not likely that people are willing to accept an environment in which many actions and the behavior of people are sensed to make a smart AmI possible. The goal of our research is to make a compromise between privacy and smartness in the AmI, by introducing policies in which donors can regulate the life cycle of their context data. We believe that giving full control over their privacy to the donors of the context will help Ambient Intelligence be accepted by the public. In this thesis, we propose to bind user-specific Life-Cycle Policies (LCP) to context data, regulating its progressive degradation. We investigate the problem of correctness of the LCP model when used to implant one-way degradation (ensuring that degraded information can no longer be recovered from the current database content). Finally, we show the feasibility of the proposed techniques by implementing a prototype on top of a traditional relational
Exploring personalized life cycle policies
2007
Abstract:
Ambient Intelligence imposes many challenges in protecting people’s privacy. Storing privacy-sensitive data permanently will inevitably result in privacy violations. Limited retention techniques might prove useful in order to limit the risks of unwanted and irreversible disclosure of privacy-sensitive data. To overcome the rigidity of simple limited retention policies, Life-Cycle policies describe more precisely when and how data should first be degraded and finally destroyed. This allows users themselves to determine an adequate compromise between privacy and data retention. However, implementing and enforcing these policies is a difficult problem. Traditional databases are not designed or optimized for deleting data. In this report, we recall the formerly introduced life cycle policy model and the already developed techniques for handling a single collective policy for all data in a relational database management system. We identify the problems raised by loosening this single-policy constraint and propose preliminary techniques for concurrently handling multiple policies in one data store. The main technical consequence for the storage structure is that, when multiple policies are allowed, the degradation order of tuples will no longer always equal the insert order. Apart from the technical aspects, we show that personalizing the policies introduces some inference breaches which have to be investigated further. To make such an investigation possible, we introduce a metric for privacy, which makes it possible to compare the amount of privacy provided with the amount of privacy required by the policy.
unknown title
Abstract:
Privacy-preserving data mining (PPDM) refers to the area of data mining that seeks to safeguard sensitive information from unsolicited or unsanctioned disclosure. Most traditional data mining techniques analyze