Putting People in their Places

Putting People in their Places. An Anonymous and Privacy-Sensitive Approach to Collecting Sensed Data in Location-Based Applications. Karen P. Tang, Pedram Keyani, James Fogarty, Jason I. Hong. Human-Computer Interaction Institute, Carnegie Mellon University. Location-Aware Computing Is Here.


Presentation Transcript

  1. Putting People in their Places An Anonymous and Privacy-Sensitive Approach to Collecting Sensed Data in Location-Based Applications Karen P. Tang, Pedram Keyani, James Fogarty, Jason I. Hong Human-Computer Interaction Institute Carnegie Mellon University

  2. Location-Aware Computing Is Here • In-car navigation system • PDAs, phones, laptops: WiFi & GSM

  3. Types of Location-Aware Apps • Person-centric • “What restaurants are near me?” • “Where are my friends?” • “What’s happening around me?”

  4. Privacy treated as a tradeoff Disclosure Fidelity Anonymity & Privacy Specific Location Query: “Where are the closest restaurants near me?”

  5. Privacy treated as a tradeoff Disclosure Fidelity Anonymity & Privacy Specific Location Query: “Where are the closest restaurants near me?” More Anonymous Location Query: “Where are all the restaurants in Montreal?”

  6. Types of Location-Aware Apps • Person-centric • “What restaurants are near me?” • “Where are my friends?” • “What’s happening around me?” • Location-centric • “What’s happening at the mall?” • “How busy is the restaurant?” • “What’s happening on highway 5?”

  7. zipdash.com Zipdash: a Location-Centric App • Commercial (acquired by Google) • How it works: • Runs on GPS-enabled phones • Continuously disclose GPS • Server infers traffic congestion • View traffic information on phone

  8. Zipdash: How it works • Each car reports GPS data • Server collects all GPS reports

  9. Zipdash: Privacy Threat • Each car reports GPS data • Server collects all GPS reports • Can you trust the server? • Data is leaked … • Someone is eavesdropping … Car A trail: 8:00AM 45.587°N, 73.921°W; 8:05AM 45.527°N, 73.822°W; 8:10AM 45.594°N, 73.838°W; 8:15AM 45.594°N, 73.871°W

  10. Zipdash: Privacy Threat • Observation: consistent routes • Start/End is “Work” or “Home” Car A trail: 8:00AM 45.587°N, 73.921°W; 8:05AM 45.527°N, 73.822°W; 8:10AM 45.594°N, 73.838°W; 8:15AM 45.594°N, 73.871°W

  11. Zipdash: Privacy Threat • Observation: consistent routes • Start/End is “Work” or “Home” • Malicious Server Threat: • Hijack GPS log for each car • Infer start of route as “Home” • Lookup via consumer database Car A trail: 8:00AM 45.587°N, 73.921°W (“Home”); 8:05AM 45.527°N, 73.822°W; 8:10AM 45.594°N, 73.838°W; 8:15AM 45.594°N, 73.871°W

  12. Zipdash: Privacy Threat • Observation: consistent routes • Start/End is “Work” or “Home” • Malicious Server Threat: • Hijack GPS log for each car • Infer start of route as “Home” • Lookup via consumer database • Result: Your “Home” and your identity are revealed Car A trail: 8:00AM 45.587°N, 73.921°W (“Home”); 8:05AM 45.527°N, 73.822°W; 8:10AM 45.594°N, 73.838°W; 8:15AM 45.594°N, 73.871°W

  13. Zipdash: Use Fidelity Tradeoff ? • Car calculates actual GPS • Car reports “blurred” GPS Car A, actual: 8:00AM 45.587°N, 73.921°W; 8:05AM 45.527°N, 73.822°W; 8:10AM 45.594°N, 73.838°W; 8:15AM 45.594°N, 73.871°W Car A, reported: 8:00AM in Montreal, QC; 8:05AM in Montreal, QC; 8:10AM in Montreal, QC; 8:15AM in Montreal, QC

  14. Zipdash: Use Fidelity Tradeoff ? • Car calculates actual GPS • Car reports “blurred” GPS • Application loses usefulness • Fidelity tradeoff lessens utility Car A, actual: 8:00AM 45.587°N, 73.921°W; 8:05AM 45.527°N, 73.822°W; 8:10AM 45.594°N, 73.838°W; 8:15AM 45.594°N, 73.871°W Car A, reported: 8:00AM in Montreal, QC; 8:05AM in Montreal, QC; 8:10AM in Montreal, QC; 8:15AM in Montreal, QC

  15. Limits of Fidelity Tradeoff • Fidelity tradeoff doesn’t work for Zipdash

  16. A New Approach to Privacy • Fidelity tradeoff doesn’t work for Zipdash • Location-centric applications need a better way to protect users’ privacy “Hitchhiking”

  17. Overview • Motivation & Limits of Fidelity Tradeoff • Hitchhiking • Example Applications • Privacy Analysis & Hitchhiking principles • Client computation • Location of interest approval • Sensing physical identifiers • Conclusion

  19. Hitchhiking: Definition • Client-focused, software-based approach to privacy-sensitive, location-centric apps • on commodity devices and networks • Key: location is the entity of interest • Ensure complete user anonymity & no new privacy threats, even with malicious server

  21. Hitchhiking Approach to Zipdash • “Bridge” = location of interest • Only report GPS when on bridge

  22. Hitchhiking Approach to Zipdash • “Bridge” = location of interest • Only report when on bridge • Prevent malicious server threat • No start/end pattern • Every report from the same areas • No lookups are possible Reports received at the server: Car A 8:05AM 45.527°N, 73.822°W; Car B 8:06AM 45.633°N, 73.862°W; Car C 8:07AM 45.549°N, 73.792°W
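The client-side filter these slides describe, as an added example (not code from the talk or from Zipdash): the car decides locally whether each GPS fix lies on the bridge, a location of interest it is assumed to receive as a bounding box, and only those fixes leave the device, with no car identifier attached. Car A's trail is the one from the slides; the box coordinates are constructed.

```python
"""Hitchhiking-style client filter for the Zipdash traffic example.

Added example, not code from the talk or from Zipdash. It assumes the
bridge (the location of interest) is handed to the car as a bounding box;
the slides do not say how the car decides it is on the bridge.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BoundingBox:
    """Location of interest in decimal degrees (west longitude negative)."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat, lon):
        return (self.lat_min <= lat <= self.lat_max
                and self.lon_min <= lon <= self.lon_max)


# Constructed box around the bridge, chosen so that only the 8:05 fix of
# Car A's trail from the slides lies inside it.
BRIDGE = BoundingBox(45.50, 45.56, -73.85, -73.78)

# Car A's trail as shown on the slides (west longitudes negated).
CAR_A_TRAIL = [
    ("08:00", 45.587, -73.921),
    ("08:05", 45.527, -73.822),
    ("08:10", 45.594, -73.838),
    ("08:15", 45.594, -73.871),
]


def always_report_endpoints(trail):
    """What a server that receives the whole trail can read off it: the
    first and last fix, which the slides note are usually Home and Work."""
    return trail[0][1:], trail[-1][1:]


def hitchhike_reports(trail, loi):
    """Client computation: the car decides locally which fixes are on the
    bridge and emits only those, with no car identifier attached."""
    return [{"time": t, "lat": lat, "lon": lon}
            for (t, lat, lon) in trail if loi.contains(lat, lon)]
```

With the full trail the server sees both route endpoints; with the Hitchhiking filter it sees a single bridge fix and nothing that distinguishes Car A from any other car on the bridge.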

  23. Hitchhiking Example: Bus Location of interest: Bus route • “Is my bus running late?” • Detection of on/off the bus • When on the bus: • Device senses location • Device models on/off bus • Device anonymously reports bus location to server • Server shares bus info [Patterson, 2003]

  24. Hitchhiking Example: Coffee shop Location of interest: Coffee shop • “Is Starbucks busy now?” • When in the coffee shop: • Device senses WiFi location • Device senses other devices • Device anonymously reports device count & WiFi info • Server infers shop’s busyness

  25. Hitchhiking Example: Meeting Room Location of interest: Meeting room • “Can I use that room now?” • When in the meeting room: • Device senses WiFi location • Device anonymously reports WiFi data to server • Server infers room availability [Floor plan: Offices 1–8, Meeting Rooms A and B]

  26. Research Contribution • Hitchhiking is: • … a privacy-sensitive approach • … applicable to location-centric apps • … provides complete user anonymity while • maintaining application’s full utility • By using Hitchhiking principles, we can build interesting sensor-based location applications without sacrificing the user’s privacy

  27. Overview • Motivation & Limits of Fidelity Tradeoff • Hitchhiking • Example Applications • Privacy Analysis & Hitchhiking principles • Client computation • Location of interest approval • Sensing physical identifiers • Conclusion

  29. Meeting Room Availability • “Is that meeting room available right now?” [Floor plan: Offices 1–8, Meeting Rooms A and B]

  30. Standard Approach: Always Track • Most common approach for current systems • Privacy Threat from Malicious Server: • Most people spend bulk of time in an office • Correlate location trails to a specific person [Floor plan: Offices 1–8, Meeting Rooms A and B]

  31. Hitchhiking Solution • Define meeting rooms as locations of interest • Privacy defense: Client computation • Compute location on the device • Only report while at this location [Floor plan: Offices 1–8, Meeting Rooms A and B]

  33. Client location computation • Prior work: Place Lab [LaMarca et al, 2005; Schilit, 2003] • Client-based approach alone is not enough • Hitchhiking thoroughly investigates these other privacy threats and extends prior work to address them

  34. Overview • Motivation & Limits of Fidelity Tradeoff • Hitchhiking • Example Applications • Privacy Analysis & Hitchhiking principles • Client computation • Location of interest approval • Sensing physical identifiers • Conclusion

  35. Threat: Location Spoofing • Privacy Threat from Malicious Server: • Add fake locations of interest (e.g. your office) [Floor plan: Offices 1–8, Meeting Rooms A and B]

  36. Threat: Location Spoofing • Privacy Threat from Malicious Server: • Add fake locations of interest (e.g. your office) • Mislabel a fake location of interest • Enables tracking of potential private places [Floor plan: Offices 1–8, Meeting Rooms A and B, plus a fake “Meeting Room C” added by the server]

  37. Hitchhiking Solution • Make threat apparent to the user • Privacy defense: Location of interest approval • In Office 4: “You appear to be in a location that another user has indicated is Meeting Room C. Do you want to disclose your info?” [Floor plan: Offices 1–8, Meeting Rooms A and B, plus the fake “Meeting Room C” over Office 4]

  38. Hitchhiking Solution • Make threat apparent to the user • Privacy defense: Location of interest approval • In Office 4: “You appear to be in a location that another user has indicated is Meeting Room C. Do you want to disclose information from your current location?” [Floor plan: Offices 1–8, Meeting Rooms A and B, plus the fake “Meeting Room C” over Office 4]

  39. Overview • Motivation & Limits of Fidelity Tradeoff • Hitchhiking • Example Applications • Privacy Analysis & Hitchhiking principles • Client computation • Location of interest approval • Sensing physical identifiers • Conclusion

  40. Threat: Link identifiers to a person • Privacy Threat from Malicious Server: • Attach unique identifiers to locations of interest • Craft identifiers to each individual • People-specific reports for each location of interest [Diagram: the malicious server hands out Meeting Room B with per-person identifiers, “B: John” and “B: Mary”]

  41. Hitchhiking Solution • Privacy defense: Sensed physical identifiers • Use device to sense surrounding identifiers • Ensures every device sees the same identifiers • Anonymizes reports from devices [Diagram: every device in Meeting Room B senses the same physical identifier, 00-0C-F1-5C-04-A8, and reports it to the Hitchhiking server]

  42. Hitchhiking: Putting it Together • Device reports after detecting “Meeting Room B”: • If first time, device prompts for disclosure approval • Device anonymously reports sensed WiFi to server • Server only knows someone is in Meeting Room B • No person-specific location trail for any users [Floor plan: Offices 1–8, Meeting Rooms A and B; identifier 00-0C-F1-5C-04-A8 sensed in Meeting Room B]
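The three defences from slides 31 to 42 combined in one added client for the meeting-room example (example code, not from the talk or from Place Lab): location is computed on the device from sensed WiFi BSSIDs, a location another user defined is approved once before any disclosure, and the report carries only the physical identifiers every device in the room sees. The location table, the spoofed “Meeting Room C” entry and the “tag” field standing in for a server-crafted per-person identifier are constructed assumptions.

```python
"""Hitchhiking client for the meeting-room example on the slides.

Added example, not code from the talk or from Place Lab. It assumes the
server pushes each location of interest as a name plus the WiFi BSSIDs
(sensed physical identifiers) that define it, and that a location is
recognised when all of its BSSIDs appear in the current scan.
"""

# Constructed locations of interest, as pushed down by the untrusted
# server. Meeting Room C is the spoofed entry from the slides: it really
# is Office 4. "tag" stands for any per-person identifier a malicious
# server might attach; a Hitchhiking client never reports it.
LOCATIONS = {
    "Meeting Room B": {"bssids": {"00-0C-F1-5C-04-A8"}, "tag": "B:John"},
    "Meeting Room C": {"bssids": {"00-0C-F1-5C-04-B3"}, "tag": "C:John"},
}


class HitchhikingClient:
    def __init__(self, locations, ask_user):
        self.locations = locations
        self.ask_user = ask_user   # callback: prompt text -> True/False
        self.decisions = {}        # location name -> approved?

    def locate(self, scan):
        """Client computation: decide on the device where we are from the
        BSSIDs the radio actually sees. Nothing leaves the device here."""
        for name, loi in self.locations.items():
            if loi["bssids"] <= scan:
                return name
        return None

    def report(self, scan):
        """Anonymous report for this scan, or None when the device is not
        at a location of interest or the user declined disclosure."""
        name = self.locate(scan)
        if name is None:
            return None
        if name not in self.decisions:
            # Location of interest approval: ask once per location.
            prompt = ("You appear to be in a location that another user "
                      f"has indicated is {name}. Do you want to disclose "
                      "information from your current location?")
            self.decisions[name] = self.ask_user(prompt)
        if not self.decisions[name]:
            return None
        # Sensed physical identifiers only: every device in this room sees
        # the same BSSIDs, so the report cannot be tied to one person.
        return {"sensed": sorted(self.locations[name]["bssids"] & scan)}
```

A scan taken in an ordinary office matches no location of interest and produces no report at all, and the server-supplied "tag" never appears in what is sent.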

  43. Related issues • Other issues surrounding Hitchhiking: • Query Anonymity • Live Reports vs. Offline Collection • Transport Layer Attack • Denial-of-Service Attack • Timing-Based Attack • Defenses for these threats exist…

  44. Overview • Motivation & Limits of Fidelity Tradeoff • Hitchhiking • Example Applications • Privacy Analysis & Hitchhiking principles • Client computation • Location of interest approval • Sensing physical identifiers • Conclusion

  45. Conclusion: Hitchhiking Highlights • It is a client-focused, software-based approach to privacy-sensitive location-centric apps • It works on existing devices & networks • It uses location constraints & anonymity

  46. Conclusion: Hitchhiking Highlights • Hitchhiking is an extreme architecture: • Assumes a system with minimum trust • Systems with implicit trust can relax principles • Provides application developers a way to build useful location apps while avoiding well-known privacy risks

  47. Thank you! • Questions and comments? • Karen P. Tang • kptang@cs.cmu.edu • Human-Computer Interaction Institute • Carnegie Mellon University • Acknowledgements: • This is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. NBCHD030010, by an AT&T Labs fellowship, and by the National Science Foundation under grants IIS-0121560 and IIS-032531. We also thank contributors to Place Lab, jpcap, libpcap, and JDesktop Integration Components, which were utilized in this work.

  48. Potential Questions Slides • K-anonymity • Mixed Zones • Query Anonymity • Live Reports vs. Offline Collection • Transport Layer Attack • Denial-of-Service Attacks • Timing-based Attacks

  49. K-Anonymity • Server obscures client’s location by including client + k-1 others • However: • Requires a trusted middleware server • Not applicable to location-centric applications supported by Hitchhiking • k-1 others may not be in the meeting room

  50. Mixed Zones • Client gets new ID when entering location • However: Requires trusted middleware server • Server keeps tab of all used IDs • Server provides new IDs to clients