Query Profile Obfuscation by Means of Optimal Query Exchange between Users
Sept.-Oct. 2012 (vol. 9 no. 5)
pp. 641-654
David Rebollo-Monedero, Universitat Politècnica de Catalunya, Barcelona
Jordi Forné, Universitat Politècnica de Catalunya, Barcelona
Josep Domingo-Ferrer, Universitat Rovira i Virgili, Tarragona
We address the problem of query profile obfuscation by means of partial query exchanges between two users, in order for their profiles of interest to appear distorted to the information provider (database, search engine, etc.). We illustrate a methodology to reach mutual privacy gain, that is, a situation where both users increase their own privacy protection through collaboration in query exchange. To this end, our approach starts with a mathematical formulation, involving the modeling of the users' apparent profiles as probability distributions over categories of interest, and the measure of their privacy as the corresponding Shannon entropy. The question of which query categories to exchange translates into finding optimization variables representing exchange policies, for various optimization objectives based on those entropies, possibly under exchange traffic constraints.

Index Terms:
Privacy, Protocols, IP networks, Histograms, Entropy, Forgery, Optimization, information theory, Profile obfuscation, private information retrieval, privacy via user collaboration, entropy
David Rebollo-Monedero, Jordi Forné, Josep Domingo-Ferrer, "Query Profile Obfuscation by Means of Optimal Query Exchange between Users," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 5, pp. 641-654, Sept.-Oct. 2012, doi:10.1109/TDSC.2012.16