Achieving Guaranteed Anonymity in GPS Traces via Uncertainty-Aware Path Cloaking
August 2010 (vol. 9 no. 8)
pp. 1089-1107
Baik Hoh, Nokia Research Center, Palo Alto
Marco Gruteser, Rutgers University, North Brunswick
Hui Xiong, Rutgers University, Newark
Ansaf Alrabady, General Motors, Livonia
The integration of Global Positioning System (GPS) receivers and sensors into mobile devices has enabled collaborative sensing applications, which monitor the dynamics of environments through opportunistic collection of data from many users' devices. One example that motivates this paper is a probe-vehicle-based automotive traffic monitoring system, which estimates traffic congestion from GPS velocity measurements reported by many drivers. This paper considers the problem of achieving guaranteed anonymity in a locational data set that contains location traces from many users, while maintaining high data accuracy. We consider two methods for reidentifying anonymous location traces, target tracking and home identification, and observe that known privacy algorithms either cannot meet the application's high accuracy requirements or fail to provide privacy guarantees for drivers in low-density areas. To overcome these challenges, we derive a novel time-to-confusion criterion to characterize privacy in a locational data set and propose a disclosure control algorithm (the uncertainty-aware path cloaking algorithm) that selectively reveals GPS samples so as to limit the maximum time-to-confusion for all vehicles. Through trace-driven simulations using real GPS traces from 312 vehicles, we demonstrate that this algorithm effectively limits tracking risks, in particular by eliminating tracking outliers. It also achieves significant data accuracy improvements compared to known algorithms. We then present two enhancements to the algorithm. First, it additionally addresses the home identification risk by reducing the location information revealed at the start and end of trips. Second, it additionally takes into account the heading information reported by users in the tracking model. This version can thus protect users who are moving in dense areas but in a different direction from the majority.


Index Terms:
Privacy, GPS, traffic monitoring, uncertainty, anonymity, cloaking.
Citation:
Baik Hoh, Marco Gruteser, Hui Xiong, Ansaf Alrabady, "Achieving Guaranteed Anonymity in GPS Traces via Uncertainty-Aware Path Cloaking," IEEE Transactions on Mobile Computing, vol. 9, no. 8, pp. 1089-1107, Aug. 2010, doi:10.1109/TMC.2010.62