Thursday, April 25, 2019

Spatial cloaking

Nsjlcuwdbcc: added content into spatial cloaking


'''Spatial cloaking''' is a [[privacy]] mechanism that satisfies specific privacy requirements by blurring a user's exact location into a cloaked region.<ref name=":1"></ref><ref name=":10"></ref> The technique is integrated into applications in various environments to minimize the disclosure of [[private information]] when users request a [[location-based service]]. Because the [[database server]] never receives the exact location, it returns a set of candidate answers that contains the one matching the user's true position; the final selection is made by the user or by the anonymizer, the parties that know the exact position.<ref name=":1" /> Common privacy requirements include K-anonymity, maximum area, and minimum area.<ref name=":12"></ref>

== Background ==
With the emergence and popularity of [[Location-based service|location-based services]], people receive more personalized services, such as the names and locations of nearby restaurants and gas stations. This usually requires users to send their private locations, directly or indirectly, to the service provider. One user's location information can be shared more than 5,000 times in two weeks.<ref name=":4"></ref> This convenience therefore exposes users' privacy to risk, since attackers may illegitimately identify users' locations and go on to exploit their personal information.<ref name=":22"></ref><ref name=":82"></ref> Continuous tracking of a user's location has been identified not only as a technical issue but also as a privacy concern.<ref name=":5"></ref> [[Quasi-identifier|Quasi-identifiers]], sets of attributes that are not identifying on their own, can re-identify a user when linked with external information.<ref name=":82" /> For example, a social security number identifies a specific user directly,<ref name=":82" /> and the combination of birth date, zip code, and gender can uniquely identify a user.<ref name=":5" /> Multiple solutions have therefore been proposed to preserve and enhance users' privacy when using location-based services. Among them, spatial cloaking is one of the most widely accepted and revised, and it has been integrated into many practical applications.

== Location privacy ==
Location privacy is usually considered a category of [[information privacy]], though there is little consensus on its definition.<ref name=":4" /> Location information usually has three aspects: identity, location (spatial information), and time (temporal information).<ref name=":10" /><ref name=":4" /> Identity refers to a user's name, email address, or any other characteristic that makes the user distinguishable; for example, Pokemon Go requires a persistent user identity, since users must log in.<ref name=":4" /> Spatial information is the primary means of determining a location.<ref name=":4" /> Temporal information can be real-time or non-real-time and is usually recorded as a timestamp attached to a location.<ref name=":4" /> If a link can be established between identity, location, and time, location privacy is considered violated.<ref name=":10" /> Access to personal location data has been raised as a severe privacy concern even when the user has given permission.<ref name=":4" /> Privacy-aware management of location information, designed to protect against abuse of that information, has therefore been identified as an important challenge.<ref name=":5" /> The overall idea of preserving location privacy is to introduce enough noise and quantization that the chance of a successful attack is reduced.<ref name=":9"></ref>

In recent years, researchers have connected the social and technological aspects of location information. For example, if co-location information (who was with whom) is assumed to be available to a potential attacker, the probability of revealing a user's private information increases by more than 50%. Also, from a constant stream of a user's location reports, a movement profile can be built by statistical analysis, and a large amount of information can be inferred from that profile, such as the user's office location, medical visits, financial status, and political views.<ref name=":02"></ref><ref name=":82" /><ref name=":42"></ref> More and more research therefore accounts for social influence in its algorithms, since socially networked information is publicly accessible and might be used by potential attackers.

== History ==
Recognizing the threat of disclosing private information while data is in transit, many models have been explored to meet users' requirements for location privacy.<ref name=":12" />

The secure multi-party model is built on the idea of splitting the exact information among n parties. Each party holds a share of the exact information and is at the same time prevented from learning the other shares.<ref name=":12" /> However, this introduces a computational problem, since a large amount of processing is required to meet the requirement.<ref name=":12" />

The minimal information sharing model uses cryptographic techniques to perform join and intersection operations. However, its inflexibility in supporting other kinds of queries makes it unsatisfactory for most practical applications.<ref name=":12" />

The untrusted third-party model is adopted in peer-to-peer environments.<ref name=":12" />

The most popular model at present is the trusted third-party model. Some practical applications have already adopted a trusted third party in order to provide a privacy-preserving service to their users. For example, Anonymizer, integrated into various websites, provides anonymous surfing to its users,<ref name=":12" /> and when purchasing through PayPal, users are not required to give the merchant their credit card information.<ref name=":12" /> By introducing a trusted third party, users' private information is not directly exposed to the service providers.<ref name=":12" />

== Approaches for preserving location information ==
The promising approach to preserving location privacy is to report data on users' behavior while protecting identity and location privacy.<ref name=":10" /> Several approaches have been investigated to improve location-preserving techniques, such as location perturbation and the reporting of landmark objects.<ref name=":12" />

=== Location perturbation ===
The idea of location perturbation is to replace the exact location with a coarser-grained spatial range, which introduces uncertainty when an adversary tries to match the user to a known location identity or to an external observation.<ref name=":5" /> This is usually achieved by spatial cloaking, temporal cloaking, or location [[obfuscation]].<ref name=":12" /> Spatial and temporal cloaking refer to reporting an inaccurate or imprecise location and time to the service provider instead of the exact values.<ref name=":22" /><ref name=":9" /> For example, location privacy can be improved by increasing the interval between location reports, since higher report frequencies make re-identification through data mining more likely.<ref name=":9" /><ref name=":3"></ref> In other cases the location report is delayed until the visits of K users have been observed in that region.<ref name=":10" />

However, this approach can degrade the service returned by the provider, since the data it receives is inaccurate. Accuracy and timeliness are the issues usually discussed for this approach. Also, attacks have been identified that break user privacy in some cloaking-based mechanisms.<ref name=":22" />

=== Landmark objects ===
In most methods based on the idea of [[landmark]] objects, a nearby landmark or other significant object is reported to the service provider instead of a region.<ref name=":12" />

=== Avoid location tracking ===
To avoid location tracking, less or no location information is reported to the service provider.<ref name=":12" /> For example, when requesting the weather, a zip code rather than a tracked location is accurate enough for the service received.<ref name=":9" />

== Environment ==

=== Centralized scheme ===
A centralized scheme is built around a central location anonymizer (anonymizing server), which acts as an intermediary between the user and the service provider.<ref name=":6"></ref> Generally, the responsibilities of a location anonymizer include tracking users' exact locations,<ref name=":6" /> blurring each user's location into a cloaked area, and communicating with the service provider.<ref name=":1" /><ref name=":02" /> For example, one way to achieve this is to replace the real network addresses with [[Fake IDs|fake IDs]] before the information is forwarded to the service provider.<ref name=":82" /> Sometimes the user's identity is hidden while still allowing the service provider to authenticate the user and possibly charge for the service.<ref name=":82" /> These steps are usually achieved through spatial cloaking or path confusion. Except in some cases where the exact location is sent for high service quality, the location or temporal information is modified to preserve user privacy.<ref name=":32"></ref>

Serving as an intermediary between the user and the location-based server, a location anonymizer generally performs the following steps:<ref name=":12" /><ref name=":82" />

* Receiving the user's exact location and privacy profile
* Blurring the location into a cloaked area according to the profile's privacy requirements
* In most cases, removing the user's identity from the location information
* Reporting the cloaked area to the service provider and receiving from it a list of answers that satisfy the user's request, referred to as the candidate list
* Selecting the most appropriate answer based on the user's exact location and returning it to the user (some location anonymizers omit this step and return the whole candidate list)
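The round trip in the list above, as an added example that is not part of the original page and not the code of any real anonymizer: the anonymizer holds the exact position, the server holds a constructed POI table and answers a nearest-gas-station query for a cloaked rectangle with a candidate list, and the anonymizer refines that list against the exact position. The candidate-list rule (a range query around the rectangle's center), the POI table and all names are this example's own assumptions.

```python
"""Centralized spatial cloaking round trip (user -> anonymizer -> LBS server).

Added illustration, not code from the page or from any deployed anonymizer.
Coordinates are abstract planar units; the POI table, the cloaked rectangle
and the user position are constructed sample data.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    """Axis-aligned cloaked region [x0, x1] x [y0, y1]."""
    x0: float
    y0: float
    x1: float
    y1: float

    def center(self):
        return ((self.x0 + self.x1) / 2, (self.y0 + self.y1) / 2)

    def half_diagonal(self):
        return math.hypot(self.x1 - self.x0, self.y1 - self.y0) / 2


# Constructed POI table held by the (untrusted) location-based server.
POIS = {
    "gas_A": (2.0, 2.0),
    "gas_B": (9.0, 1.0),
    "gas_C": (5.0, 9.0),
    "gas_D": (40.0, 40.0),  # far away: must never appear in the candidates
}


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def nearest(point, pois):
    """Exact nearest-neighbour answer for a known point."""
    return min(pois, key=lambda name: dist(point, pois[name]))


def server_candidates(region, pois):
    """Server side. The server only sees the rectangle, so it returns every POI
    that could be the nearest one for *some* point inside it (the candidate
    list). Bound used: for any p in the region, dist(p, c) <= d where c is the
    center and d the half-diagonal; the nearest POI to p is therefore within
    dist(c, nn(c)) + d of p, so any POI that is nearest to some p lies within
    dist(c, nn(c)) + 2d of c. Everything inside that radius is returned.
    """
    c = region.center()
    d = region.half_diagonal()
    radius = dist(c, pois[nearest(c, pois)]) + 2 * d
    return {name for name, loc in pois.items() if dist(c, loc) <= radius}


def anonymizer_refine(exact_location, candidates, pois):
    """Anonymizer side: pick the candidate nearest to the exact location,
    which the server never learned."""
    return min(candidates, key=lambda name: dist(exact_location, pois[name]))


def query_nearest(exact_location, region, pois=POIS):
    """Whole round trip. Returns (candidate list sent back, refined answer)."""
    candidates = server_candidates(region, pois)
    return candidates, anonymizer_refine(exact_location, candidates, pois)


def candidate_list_is_sound(region, pois=POIS, step=0.5):
    """Check on a grid of points inside the region that the true nearest
    neighbour is always contained in the candidate list."""
    candidates = server_candidates(region, pois)
    x = region.x0
    while x <= region.x1:
        y = region.y0
        while y <= region.y1:
            if nearest((x, y), pois) not in candidates:
                return False
            y += step
        x += step
    return True


if __name__ == "__main__":
    region = Rect(0.0, 0.0, 10.0, 10.0)   # constructed cloaked area
    exact = (3.0, 3.0)                    # known only to the anonymizer
    cands, answer = query_nearest(exact, region)
    print("server returned", sorted(cands), "-> anonymizer picks", answer)
    print("candidate list sound:", candidate_list_is_sound(region))
```

The server's radius bound is deliberately conservative: it may return POIs that are never actually nearest to any point in the region (gas_B here), which costs bandwidth but never loses the true answer. The far-away gas_D is excluded, which is what keeps the candidate list from growing with the whole database.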

The location anonymizer can also be considered a trusted third party,<ref name=":02" /> since the user trusts it with the exact location and the privacy profile stored on it.<ref name=":6" /> However, this also exposes users' privacy to great risk. First, since the anonymizer keeps tracking users and has access to their exact locations and profiles, it is an attractive target for attackers.<ref name=":02" /><ref name=":6" /> Second, the extent to which users trust the anonymizer is essential: if a fully trusted third party is built into the algorithm, user locations are constantly reported to it,<ref name=":02" /> which becomes a privacy problem as soon as the anonymizer is compromised. Third, the anonymizer can become a performance bottleneck when a large number of requests must be cloaked,<ref name=":6" /> because it is responsible for maintaining the count of users in each region in order to provide an acceptable level of service quality.<ref name=":6" />

=== Distributed scheme (decentralized scheme) ===
In a distributed environment, users anonymize their location information through fixed communication infrastructure, such as base stations. Usually a certification server with which users are registered is introduced. Before participating in the system, users must obtain a certificate, which indicates that they are trusted. Each time a user requests a location-based service, and before the exact location is forwarded to the server, the other registered users collaborate to hide the requester's exact location. The number of auxiliary users involved in cloaking the region is determined by the K-anonymity requirement, which is usually set by the user.<ref name=":2"></ref> When there are not enough users nearby, S-proximity is usually adopted to generate a large number of paired user identities and locations so that the true user is indistinguishable within the area.<ref name=":32" /> The extra profiles and locations sent to the service provider are sometimes also referred to as dummies.<ref name=":12" />

However, the complexity of the data structure used to anonymize the location can make this mechanism difficult to apply in highly dynamic location-based mobile applications.<ref name=":2" /> It also places a large computation and communication burden on the system.<ref name=":6" />

=== Peer-to-peer environment ===
A [[peer-to-peer]] (P2P) environment relies on direct communication and information exchange between devices in a community where users can only communicate through P2P [[Multi-hop routing|multi-hop]] [[routing]], without fixed communication infrastructure.<ref name=":1" /> The aim of the P2P environment is to extend the scope of cellular coverage in a sparse area.<ref name=":52"></ref> In this environment, peers have to trust each other and work together, since they report their locations to one another when a cloaked area is constructed to achieve the desired K-anonymity for a service request.<ref name=":02" /><ref name=":1" />

Researchers have discussed the privacy and security requirements that make privacy-preserving techniques appropriate for a peer-to-peer environment. For example, [[authentication]] and [[authorization]] are required to identify users and distinguish authorized from unauthorized ones. [[Confidentiality]] and integrity ensure that only authorized parties can read the data transmitted between peers and that the transmitted information cannot be modified undetected.<ref name=":52" />

Drawbacks identified in a peer-to-peer environment are the communication cost, the lack of enough users, and the threat of malicious users hiding in the community.<ref name=":10" />

=== Mobile environments ===
[[Mobile device|Mobile devices]] have become an important communication tool, and [[mobile computing]] has accordingly become a research interest in recent years.<ref name=":32" /> From online shopping to online banking, mobile devices are frequently connected to service providers for online activities, sending and receiving information at the same time.<ref name=":32" /> On [[mobile]] devices, the [[Global Positioning System]] (GPS) is the most commonly used source of location information,<ref name=":10" /> while [[GSM|Global System for Mobile Communications]] (GSM) and [[Wi-Fi|WiFi]] signals can also help estimate a location.<ref name=":10" /> There are generally two types of privacy concerns in mobile environments: data privacy and contextual privacy. Location privacy and identity privacy are usually discussed under contextual privacy,<ref name=":32" /> while the data transferred between mobile devices is discussed under [[data privacy]].<ref name=":32" /> While requesting location-based services and exchanging location data, both the quality of the transferred data and the confidentiality of the exchanged information can be exposed to malicious parties.

== Privacy requirements ==
Whatever privacy-preserving solution is used to cloak the region in which the requester is located, it is usually built from several parameters in order to satisfy different privacy requirements. These parameters are either adjusted by the users themselves through settings on their devices or decided by the application designers.<ref name=":12" /> Privacy parameters include K-anonymity, entropy, minimum area, and maximum area.<ref name=":12" /> Generally, stricter privacy requirements correspond to a larger K, a larger minimum area, and a larger maximum area.<ref name=":12" />

=== K-anonymity ===
The concept of [[K-anonymity]] was first introduced in relational [[data privacy]] to guarantee both the usefulness of data and the privacy of users when data holders release their data.<ref name=":5" /> K-anonymity usually refers to the requirement that a user's information in a region be indistinguishable from that of at least <math>k-1</math> other people, with <math>k</math> a positive integer.<ref name=":12" /><ref name=":02" /><ref name=":9" /><ref name=":4" /><ref name=":6" /> The disclosed region is therefore expanded until k users can be found in it, and these k people form the anonymity set.<ref name=":9" /><ref name=":6" /> The higher the K, the stricter the requirement and the higher the level of anonymity.<ref name=":82" /> If K-anonymity is satisfied, the probability of identifying the exact user is around <math>1/k</math>, depending on the algorithm, and location privacy is thereby preserved. If the algorithm is designed to produce larger cloaking regions, the chance of identifying the exact requester is much lower even when the service provider learns the region the user is in,<ref name=":82" /> and the attacker's ability to run complex [[machine learning]] or other advanced analysis over the reports is correspondingly reduced.

Some approaches introduce further ambiguity, such as historical K-anonymity, p-sensitivity, and [[l-diversity]].<ref name=":4" /> Historical K-anonymity protects moving objects by ensuring that there are at least <math>k-1</math> other users who share the same history of requests, which requires the anonymizer to track not only the user's current position but also the sequence of past locations.<ref name=":82" /><ref name=":12" /><ref name=":4" /><ref name=":6" /> Then, even if the user's historical location points are disclosed, the adversary cannot distinguish the specific user from the group of potential users.<ref name=":82" /> P-sensitivity ensures that a key attribute such as the identity has at least <math>p</math> different values among the <math>k</math> users.<ref name=":4" /> l-diversity aims to ensure that the user cannot be tied to fewer than l different physical locations.<ref name=":4" />

However, a large K value also requires additional spatial and temporal cloaking, which lowers the resolution of the information and in turn can degrade the quality of service.<ref name=":5" />

=== Minimum area size ===
The minimum area size is the smallest region, expanded from the exact location point, that satisfies the privacy requirements.<ref name=":12" /> Usually, the higher the privacy requirement, the larger the area needed to make the user's exact location harder to distinguish. Minimum area is particularly important in dense areas, where K-anonymity alone may not provide the guaranteed level of privacy. For example, if the requester is in a shopping mall with an attractive discount, there may be a great many people around, making the environment very dense. In that situation even a large K such as K=100 corresponds to only a small region, since a large area is not needed to include 100 people near the user. The resulting cloaked area is ineffective, because the region in which the user could reside is much smaller than it would be for the same K in an area where people are more scattered.<ref name=":12" />

=== Maximum area size ===
Since there is a trade-off between quality of service and privacy requirements in most location-based services,<ref name=":12" /><ref name=":4" /><ref name=":5" /> a maximum area size is sometimes also required. A large cloaked area can introduce too much inaccuracy into the service received by the user, because enlarging the reported area also enlarges the set of results that potentially satisfy the user's request.<ref name=":12" /> Those results match the user's stated requirements, yet are not necessarily reachable from the user's exact location.
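The interplay of K, minimum area and maximum area described in the three sections above, as an added example that is not the page's own algorithm and not code from any published anonymizer: a quadtree-style cloak (the grid cell containing the user is coarsened until the requirements hold) run over two constructed populations, a dense "mall" block and a sparse one, with the same user and the same K. The service area, the populations, the parameter values and the names are this example's assumptions.

```python
"""Spatial cloaking under K-anonymity, minimum area and maximum area.

Added illustration, not the page's own algorithm. The cloak coarsens the
quadtree cell containing the user until the requirements hold; the service
area, the two constructed populations and the parameters are assumptions.
"""
import math
from dataclasses import dataclass

SPACE = 128.0  # side length of the square service area (abstract units)


@dataclass(frozen=True)
class Rect:
    x0: float
    y0: float
    x1: float
    y1: float

    def area(self):
        return (self.x1 - self.x0) * (self.y1 - self.y0)

    def contains(self, p):
        return self.x0 <= p[0] < self.x1 and self.y0 <= p[1] < self.y1


def quadtree_cell(p, level):
    """Cell of a regular quadtree over SPACE that contains p. Level 0 is the
    whole area; level l has 2**l cells per side. Cell edges are fixed in
    advance, so the returned rectangle is not centred on the user (a region
    centred on the user would tell the adversary exactly where the user is)."""
    n = 2 ** level
    side = SPACE / n
    i = min(int(p[0] // side), n - 1)
    j = min(int(p[1] // side), n - 1)
    return Rect(i * side, j * side, (i + 1) * side, (j + 1) * side)


def anonymity_set_size(cell, others):
    """Requester plus every other user inside the cell."""
    return 1 + sum(cell.contains(o) for o in others)


def cloak(user, others, k, a_min=0.0, a_max=math.inf, finest_level=7):
    """Smallest quadtree cell containing `user` that holds at least k users
    (K-anonymity) and covers at least a_min (minimum area). Returns None when
    no such cell fits within a_max (maximum area): the request must then be
    refused or relaxed rather than sent with a weaker cloak."""
    for level in range(finest_level, -1, -1):      # fine -> coarse
        cell = quadtree_cell(user, level)
        if cell.area() > a_max:
            return None                             # coarser cells only grow
        if anonymity_set_size(cell, others) >= k and cell.area() >= a_min:
            return cell
    return None


# Constructed populations of other users, one per lattice point.
MALL = [(float(x), float(y)) for x in range(32, 48) for y in range(32, 48)]    # 256 users in a 16x16 block
SPARSE = [(8.0 + 16 * a, 8.0 + 16 * b) for a in range(8) for b in range(8)]  # 64 users over the whole area
USER = (40.5, 40.5)  # requester, located inside the mall block


if __name__ == "__main__":
    for label, pop in (("mall", MALL), ("sparse", SPARSE)):
        c = cloak(USER, pop, k=5)
        print(f"{label:6} k=5              -> area {c.area():6.0f}, anonymity set {anonymity_set_size(c, pop)}")
    print(f"mall   k=100            -> area {cloak(USER, MALL, k=100).area():6.0f}")
    print(f"mall   k=100 A_min=1024 -> area {cloak(USER, MALL, k=100, a_min=1024).area():6.0f}")
    print("sparse k=10  A_max=2048 ->", cloak(USER, SPARSE, k=10, a_max=2048))
```

With K=5 alone the mall user is hidden in a 2x2 cell while the sparse user gets a 32x32 cell, which is the density problem the minimum-area section describes; with K=100 the mall cell is still only 16x16 until a_min forces it to 32x32. The maximum-area case returns None instead of silently sending a region that violates the user's K, which is the failure mode a practitioner has to handle explicitly.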

== Applications ==
The cloaked region generated by spatial cloaking can be used in multiple settings, such as snapshot location, continuous location, spatial networks, and wireless sensor networks.<ref name=":12" /> Sometimes the algorithms that generate a cloaked area are designed to fit various frameworks without changing the original coordinate system. In practice, as the algorithms have been specified and the commonly adopted mechanisms have matured, more privacy-preserving techniques are designed for a specific environment, since they then fit its privacy requirements better.

=== Geosocial applications ===
[[Geosocial networking|Geosocial]] applications are generally designed to provide social interaction based on location. Services include collaborative network services and games, discount coupons, local friend recommendations for dining and shopping, and social rendezvous.<ref name=":9" /> For example, Motion Based allowed users to share exercise paths with others.<ref name=":9" /> [[Foursquare City Guide|Foursquare]] was one of the earliest location-based applications to allow location sharing among friends.<ref name=":4" /> And [[SCVNGR]] was a location-based platform on which users earned points by going to places.<ref name=":22" />

Beyond privacy requirements such as K-anonymity, maximum area size, and minimum area size, geosocial applications have further privacy requirements. For example, location and user unlinkability require that the service provider can neither tell that two requests come from the same user nor match a given cloaked area to its real-time location. Location data privacy requires that the service provider cannot read the content of the data attached to a specific location. LoX, for example, is designed specifically to satisfy these privacy requirements of geosocial applications.

=== Location-based services ===
With the popularity and development of the [[Global Positioning System|global positioning system]] (GPS), [[Location-based service|location-based information services]] have grown rapidly in recent years.<ref name=":4" /> They have been developed and deployed both in academia and in practice.<ref name=":5" /> Many practical applications integrate location-based services, such as mobile social networks, finding places of interest (POI), augmented reality (AR) games,<ref name=":4" /> location-based advertising, transportation services,<ref name=":02" /><ref name=":1" /> location tracking, and location-aware services.<ref name=":32" /> These services usually require users to report their location; the provider then runs its algorithms against a database to find the optimal answer and reports it back to the requesting user. Location-based services are requested either through snapshot queries or continuous queries.<ref name=":12" /> A snapshot query requires the report of a location at one specific time, such as "where is the nearest gas station?", while a continuous query requires the location to be tracked over a period of time, such as "keep reporting the nearby gas stations".<ref name=":12" />

The advances in global positioning and wireless communication that enabled the extensive use of location-based applications have also placed user privacy at great risk.<ref name=":5" /> Both service providers and users are at risk of being attacked and having their information abused.<ref name=":5" /> GPS devices have reportedly been used to extract personal information and to stalk people.<ref name=":12" /> Sometimes the location information alone already reveals a lot of private information.<ref name=":12" /><ref name=":82" /> One attack specific to location-based services is the space- or time-correlated inference attack, in which a visited location is correlated with the time of the visit, which can disclose details of the user's private life and business.<ref name=":5" />

Popular location-based services include:<ref name=":82" /><ref name=":10" /><ref name=":32" />

* Location-aware emergency service
* Location-based advertisement
* Live traffic report
* Location-based store finders
* Map and navigation system

'''Continuous location-based service'''

Continuous location-based services require the continuous reporting of location to the service provider.<ref name=":42" /> Continuous requests put pressure on privacy, because consecutive cloaked areas are reported and, as analysis techniques improve, correlations can be drawn between the successive blurred areas, for instance by intersecting them or by bounding how far the user can have moved between reports.<ref name=":02" /> Much research has therefore addressed location privacy in continuous location-based services.<ref name=":42" />
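The correlation between successive cloaked areas, as an added example that is neither the page's own material nor code from any published scheme: a stationary user whose anonymizer draws a fresh random square around the true position for every report, and an adversary who simply intersects the squares reported under one pseudonym; beside it, the fix of reusing the previous region while the user is still inside it (a simplified form of the memorization idea used in continuous-query anonymizers). The square size, the seeded random placement, the path and the function names are this example's assumptions.

```python
"""Intersection attack on independently cloaked continuous queries.

Added illustration, not code from the page or from any published scheme.
The cloak is a fixed-size square placed at a seeded random offset around the
true position; the user path and all parameters are constructed.
"""
import random

SIDE = 10.0  # side of the square cloaked region (abstract units)


def random_cloak(rng, p, side=SIDE):
    """Square of the given side placed uniformly at random so that it still
    contains p. Returns (x0, y0, x1, y1)."""
    x0 = p[0] - rng.uniform(0.0, side)
    y0 = p[1] - rng.uniform(0.0, side)
    return (x0, y0, x0 + side, y0 + side)


def contains(r, p):
    return r[0] <= p[0] <= r[2] and r[1] <= p[1] <= r[3]


def intersect(a, b):
    return (max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3]))


def area(r):
    return max(0.0, r[2] - r[0]) * max(0.0, r[3] - r[1])


def independent_cloaks(rng, path, side=SIDE):
    """Naive continuous cloaking: a fresh random region for every report."""
    return [random_cloak(rng, p, side) for p in path]


def memorized_cloaks(rng, path, side=SIDE):
    """Keep reporting the previous region while the user is still inside it;
    only draw a new one when the user leaves it. Repeated reports of the same
    region add no information about where inside it the user is."""
    regions, current = [], None
    for p in path:
        if current is None or not contains(current, p):
            current = random_cloak(rng, p, side)
        regions.append(current)
    return regions


def intersection_attack(reports):
    """Adversary who knows the reports belong to one pseudonym and that the
    user did not move: the user must lie in the intersection of all reports."""
    est = reports[0]
    for r in reports[1:]:
        est = intersect(est, r)
    return est


def leak_ratio(reports):
    """Fraction of the first report's area the adversary can still rule in
    after intersecting every report (1.0 means no narrowing at all)."""
    return area(intersection_attack(reports)) / area(reports[0])


def compare(seed=1, n=20, user=(50.0, 50.0)):
    """Run both strategies for a stationary user reporting n times and return
    (leak ratio with independent cloaks, leak ratio with memorized cloaks)."""
    path = [user] * n
    naive = independent_cloaks(random.Random(seed), path)
    fixed = memorized_cloaks(random.Random(seed), path)
    return leak_ratio(naive), leak_ratio(fixed)


if __name__ == "__main__":
    naive_ratio, fixed_ratio = compare()
    print("independent cloaks: adversary narrows user to %.1f%% of one region" % (100 * naive_ratio))
    print("memorized cloaks:   adversary narrows user to %.1f%% of one region" % (100 * fixed_ratio))
```

The attack needs only the assumption that the reports share a pseudonym and that the user stayed put, which is exactly the situation of a phone polling "nearby gas stations" from a parked car. Memorization removes this particular leak but not others: once the user moves, a bound on walking speed between two successive, different regions still narrows the position, which is why continuous-query anonymizers also reason about the time between reports.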

'''Snapshot location-based services'''

A snapshot location, by contrast, is a single location point tied to a single point in time.

Some mechanisms address privacy in both settings simultaneously, while others concentrate on one of them. For example, a privacy grid called the dynamic grid system has been proposed to fit both snapshot and continuous location-based service environments.

== Other privacy mechanisms ==
Existing privacy solutions generally fall into two categories: data privacy and context privacy.<ref name=":32" /> Besides addressing location privacy, these mechanisms can be applied to other scenarios. For example, mechanisms such as cryptography, anonymity, obfuscation, and caching<ref name=":1" /> have been proposed, discussed, and tested in order to better preserve user privacy. They approach location privacy from different angles and thus fit different situations.

* [[Cryptography]]
* [[Anonymity]]
* [[Obfuscation]]
* [[Caching]]
* [[Pseudonym|Pseudonymous]] technique

== Concerns ==
Although the effectiveness of spatial cloaking is widely accepted and the idea has been integrated into many designs, some concerns remain. First, both schemes of spatial cloaking have limitations. In the centralized scheme, even though the user's other private information, including identity, is cloaked, the location itself can reveal sensitive information,<ref name=":6" /> especially when a user requests the service multiple times under the same pseudonym.<ref name=":82" /> In the decentralized scheme, there are issues with heavy communication and with too few peers in a region.

Second, the capability of attackers needs deeper consideration in light of advances in technology such as machine learning and its connection with social relations, particularly information shared online.

Third, the credibility of the trusted third party has also been identified as an issue. A great deal of software is published on app markets every day, and some of it has not undergone strict examination. Software bugs, configuration errors at the trusted third party, and malicious administrators could put users' private data at great risk.<ref name=":22" /> According to a study from 2010, two-thirds of the trusted-third-party applications on the [[Android (operating system)|Android]] market were considered suspicious in their handling of sensitive information.<ref name=":32" />

Fourth, location privacy is recognized as a personalized requirement that is sensitive to context.<ref name=":5" /> Customizing privacy parameters has been explored in recent years, since different people expect different amounts of privacy and the default settings do not always satisfy user needs.<ref name=":4" /> Given the usual trade-off between privacy and personalization, and that personalization usually leads to better service,<ref name=":82" /><ref name=":4" /><ref name=":5" /> people have different preferences. Where users can change the default configuration, accepting the default rather than customizing it seems to be the more popular choice.<ref name=":4" /> People's attitude towards disclosing their location also changes with the service's usefulness, the privacy safeguards, the quantity disclosed, and so on.<ref name=":9" /> In most situations people weigh the cost of sharing their location against the benefit they receive.<ref name=":4" />

Fifth, many protection mechanisms have been proposed in the literature, yet few have been integrated into commercial applications.<ref name=":0"></ref> Since there is little analysis of how location privacy preserving mechanisms are implemented, a large gap remains between theory and practice.<ref name=":4" />

Many solutions have therefore been proposed in recent years to improve location privacy and to let users personalize their privacy requests.

=== Attack ===
During the exchange of data, the three main parties -- the user, the server, and the network -- can be attacked by adversaries.<ref name=":4" /><ref name=":32" /> The knowledge held by adversaries that can be used to carry out location attacks includes observed location information, precise location information, and context knowledge.<ref name=":4" /> Machine learning and big data techniques have also led to emerging trends in location privacy,<ref name=":4" /> and the popularity of smart devices has led to an increasing number of attacks.<ref name=":32" /> Some of the approaches adopted include viruses, Trojan applications, and a number of [[Cyberattack|cyber-attacks]].<ref name=":32" />

* '''Man-in-the-middle attack'''

A [[Man-in-the-middle attack|man-in-the-middle]] attack usually occurs in the mobile environment, where it is assumed that all information passing from the user to the service provider could be attacked and further manipulated by attackers to reveal more personal information.<ref name=":32" />

* '''Cross-service attack'''

Cross-service attacks usually take place when users rely on poorly protected wireless connectivity, especially in public places.<ref name=":32" />

* '''Video-based attack'''

Video-based attacks are more common on mobile devices, usually because of their Bluetooth, camera, and video capabilities: malicious applications secretly record users' behavior and report that data to a remote device. Stealthy Video Capture is one such intentionally designed application, which spies on an unaware user and reports the captured information.<ref name=":32" />

* '''Sensor sniffing attack'''

Sensor sniffing attacks usually refer to cases where intentionally designed applications are installed on a device. Even if adversaries have no physical contact with the mobile device, users' personal information is still at risk of being disclosed.<ref name=":32" />

* '''Context linking attack'''

In a localization attack, contextual knowledge is combined with observed location information to derive a precise location. Contextual knowledge can also be combined with precise location information to carry out an identity attack.<ref name=":4" />

* '''Machine/deep learning attack'''

Learning algorithms and other deep learning methods, together with the massive amount of data online, pose a huge challenge to the protection of location privacy.<ref name=":4" /> For example, current deep learning methods can predict geolocations from personal photos on social networks, and perform object detection thanks to their ability to analyze millions of photos and videos.<ref name=":4" /><ref>IEEE Computer Society, www.computer.org, accessed 2019-04-24</ref><ref>Request PDF, ResearchGate, accessed 2019-04-24</ref>
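The context linking attack above is the reason a cloaked region must be judged by what an attacker cannot prune away, not by its raw size. The following is an added example (not code from the article or any cited work) of a trusted-party cloaking routine that grows the user's region until the k-anonymity and minimum-area requirements hold even after map cells where nobody can plausibly be (here a constructed lake) are removed. <code>Rect</code>, <code>PrivacyProfile</code>, the user positions and the lake are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    x0: float
    y0: float
    x1: float
    y1: float
    def area(self) -> float:
        return max(0.0, self.x1 - self.x0) * max(0.0, self.y1 - self.y0)
    def contains(self, x: float, y: float) -> bool:
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1
    def intersect(self, other: "Rect") -> "Rect":
        return Rect(max(self.x0, other.x0), max(self.y0, other.y0),
                    min(self.x1, other.x1), min(self.y1, other.y1))

@dataclass(frozen=True)
class PrivacyProfile:
    k: int           # user must be indistinguishable from at least k users
    min_area: float  # cloaked region must cover at least this much area

def effective_anonymity(region, users, implausible):
    # Anonymity left after context linking: only the users and the area that
    # an attacker holding the same map cannot discard. The implausible
    # rectangles are assumed to be disjoint (constructed assumption).
    k_eff = sum(1 for (x, y) in users if region.contains(x, y)
                and not any(r.contains(x, y) for r in implausible))
    pruned = sum(region.intersect(r).area() for r in implausible)
    return k_eff, region.area() - pruned

def cloak(me, users, profile, implausible=(), step=1.0, limit=64.0):
    # Grow a square around the true location until the profile still holds
    # after pruning. With no context map this is plain k-anonymity plus
    # minimum-area cloaking.
    x, y = me
    half = step
    while half <= limit:
        region = Rect(x - half, y - half, x + half, y + half)
        k_eff, area_eff = effective_anonymity(region, users, implausible)
        if k_eff >= profile.k and area_eff >= profile.min_area:
            return region
        half *= 2
    return None  # requirement unreachable: the anonymizer should refuse

# Constructed scenario: the user at (0, 0) stands on a lake shore and all of
# x >= 1 is water; the other users are on land to the west.
USERS = [(0, 0), (-3, 1), (-2, -3), (-6, 4)]
LAKE = [Rect(1, -100, 100, 100)]
PROFILE = PrivacyProfile(k=3, min_area=50.0)
```

Without the map the routine stops at an 8x8 square that looks 3-anonymous with area 64, but an attacker who knows the lake discards 24 of those square units; with the map the region is grown to 16x16 before it is released.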
<br />

== Regulations and policies ==
Policy approaches have also been discussed in recent years; they intend to revise relevant guidelines or propose new regulations in order to better manage location-based service applications. The current state of technology does not have sufficiently aligned policies and a matching legal environment, and there are efforts from both academia and industry to address this issue.<ref name=":4" /> Two uniformly accepted and well-established requirements are users' awareness of the location privacy policies of a specific service and their consent to sending their private location to a service provider.<ref name=":6" /> Besides these two approaches, researchers have also focused on guarding the app markets, since an insecure app market exposes unaware users to a number of privacy risks. For example, a number of malware samples designed to carry out cyber attacks on Android devices have been identified in the Android app market.<ref name=":32" /> Without effective and clear guidelines to regulate location information, both ethical and legal problems arise. Therefore, many guidelines have been discussed in recent years to regulate the use of location information.

==== '''European data protection guideline''' ====
The European data protection guideline was recently revised to include and specify the privacy of an individual's data and personally identifiable information (PII). These adjustments intend to create a safe yet effective service environment. Specifically, location privacy is enhanced by making sure that users are fully aware of, and have consented to, the location information that will be sent to service providers. Another important adjustment is that full responsibility is placed on the service providers when users' private information is being processed.<ref name=":32" />

==== European Union's Directive ====
The European Union's ''Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data'' limits data transfer to those non-EU countries which have "an adequate level of privacy protection".<ref name=":7"></ref> The notion of ''explicit consent'' is also introduced in the Directive, which states that, except for legal and contractual purposes, personal data may only be processed if the user has unambiguously given his or her consent.<ref name=":7" />

The [[Privacy and Electronic Communications Directive 2002|European Union's ''Directive 2002/58/EC on privacy and electronic communication'']] explicitly defines location information, user consent requirements, and corporate disposal requirements, which helps to regulate and protect European citizens' location privacy.<ref name=":0" /> When data are unlinkable to the user, legal frameworks such as the EU Directive place no restriction on the collection of anonymous data.<ref name=":7" />

==== '''The Electronic Communications Privacy Act of 1986''' ====
The Electronic Communications Privacy Act discusses the legal framework of privacy protection and gives standards for law enforcement access to electronic records and communications.<ref></ref> It is also very influential in deciding electronic surveillance issues.<ref name=":62"></ref>

==== '''Global System for Mobile Communications Association (GSMA)''' ====
[[GSMA]] published a new privacy guideline, and some mobile companies in Europe have signed it and started to implement it, so that users have a better understanding of the information recorded and analyzed during location-based services. GSMA has also recommended that operating companies inform their customers about who has access to users' private information.<ref name=":32" />
<br />

== Cases ==

=== '''Corporate examples''' ===

==== '''Google''' ====
It has been stated that [[Google]] does not meet the [[European Union]]'s data privacy law, and thus increasing attention has been paid to advocating guidelines and policies regarding data privacy.<ref name=":32" />

==== '''Facebook''' ====
It has been argued that, less than a week after [[Facebook]]'s "Places" feature came into use, location information from it was exploited by thieves to conduct a home invasion.<ref name=":22" />

=== Court cases ===

==== '''United States v. Knotts case''' ====
In this case, the police used a beeper to keep track of the suspect's vehicle. After using the beeper alone to track the suspect, the officers secured a search warrant and confirmed that the suspect was producing illicit drugs in the van. The suspect tried to suppress the evidence on the basis of the tracking device used during the monitoring, but this was denied by the court. The court concluded that "A person traveling in an automobile on a public thoroughfare[] has no reasonable expectation of privacy in his movement from one place to another."<ref name=":72"></ref> Nevertheless, the court reserved the question of whether twenty-four-hour surveillance would constitute a search.<ref name=":72" /><ref name=":62" />

However, cases involving [[Global Positioning System|GPS]] and other tracking devices differ from this case, since GPS tracking can be conducted without human interaction, while the beeper is considered a means of augmenting the police's sensory perception while maintaining visual contact with the suspect.<ref name=":72" /> Police presence is required when using beepers but not when using GPS to conduct surveillance. Therefore, law enforcement agents are required to secure a warrant before GPS tracking devices are used to obtain a vehicle's location information.<ref name=":62" />
<br />

=== Practical applications ===
Even though many privacy preserving mechanisms have not come into common use for reasons of effectiveness, efficiency, and practicality, some location-based service providers have started to address privacy issues in their applications.<ref name=":4" /> For example, [[Twitter]] lets its users customize location accuracy.<ref name=":4" /> Locations posted in Glympse expire automatically.<ref name=":4" /> And SocialRadar allows its users to choose to be anonymous or invisible when using the application.<ref name=":4" />

== Popular culture ==

* [[George Orwell]]'s novel [[Nineteen Eighty-Four|1984]] depicts a world where everyone is being watched, at practically all times and in all places.<ref name=":5" />
* The Brønnøysund Register Centre ([https://www.brreg.no/ https://www.brreg.no]) in Norway provides a free public register service, where people can register and specify that they do not want to receive direct marketing, sales phone calls, or mail.<ref></ref>

<br />

== See also ==

* [[obfuscation]]
* [[location-based service]]
* [[Public-key cryptography|Public key cryptography]]
* [[Spoofing attack]]
* [[Mobile phone tracking]]
* [[Ubiquitous computing]]
* [[Cloaking device]]

== References ==
<references group="" responsive="1"></references>


from Wikipedia - New pages [en] http://bit.ly/2Vseo5Q
via IFTTT