we distinguish three main goals: identity privacy, location privacy, and semantic location privacy. In what follows we survey representative location PETs addressing these goals.
Identity Privacy
Identity privacy techniques are conceived to forestall the reidentification of seemingly anonymous users based on position information. For example, consider the case in which an LBS is offered to the members of a community potentially subject to discrimination, for example, the gay community, and assumes users will interact with the system through pseudo-identifiers. Unfortunately, simply stripping off users' identifiers is not sufficient to ensure anonymity, because the service provider can draw identities from trajectory information; for example, if a user requests the service from a certain place early in the morning, it is likely that such a place is his or her home and thus the user can be easily reidentified through a white pages service. We refer the reader to the literature for a survey of identity privacy techniques and limit ourselves to consider one of the most popular paradigms, that is, location k-anonymity.
Given a population of users, location k-anonymity postulates the following requirement: that the user's position disclosed to the service provider must be indistinguishable from the position of at least k − 1 other users. In practice, the exact user's position must be replaced by a coarser position, normally called a cloaked region, large enough to contain the position of k − 1 other users located nearby at the time the online service is requested. Accordingly, the service provider cannot identify the requester of the service based exclusively on the position information. This situation is exemplified in Figure 2.7. For k = 10, the position of the single individual is replaced by a larger region (i.e., a cloaked region) containing 10 persons. If the online service is requested from this region, the maximum probability of identifying the requester is 1/10. Another prominent feature of this privacy mechanism is that it typically requires a dedicated trusted middleware, the location anonymizer, between the clients and the service provider. The role of the location anonymizer is to collect the position of all the clients, intercept the individual's requests, replace the user's identifier with a pseudo-identifier, and, finally, replace the true position with the dynamically generated cloaked region.
One representative solution of this class is the Casper system (Figure 2.8). Casper consists of the location anonymizer and the privacy-aware query processor, a software component that runs on the server and resolves users' requests with respect to a position that is not a point, as usual, but a region, and returns a set of candidate answers.
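The two components described above, the location anonymizer (cloaked region plus pseudo-identifier) and a server-side query processor that answers for a region rather than a point, as an added example in Python. This is not code from the book or from the Casper system; it assumes a simple nearest-neighbour heuristic for building the cloaked region (the smallest box around the requester and its k − 1 nearest users), a range query ("points of interest within a given radius of me") as the service, and a constructed population of users and points of interest.

```python
import math
import secrets
from dataclasses import dataclass

# Constructed sample population: identifier and (x, y) position in arbitrary
# map units. Made-up values for this example, not data from the text.
USERS = [
    ("alice", 1.0, 1.0),
    ("bob", 1.5, 1.2),
    ("carol", 0.8, 1.4),
    ("dave", 2.0, 2.0),
    ("erin", 5.0, 5.0),
]

# Constructed points of interest held by the service provider.
POIS = [
    ("cafe", 1.2, 1.1),
    ("pharmacy", 3.0, 1.0),
    ("station", 6.0, 6.0),
]


@dataclass(frozen=True)
class CloakedRegion:
    """Axis-aligned rectangle sent to the provider instead of an exact point."""
    min_x: float
    min_y: float
    max_x: float
    max_y: float

    def contains(self, x, y):
        return self.min_x <= x <= self.max_x and self.min_y <= y <= self.max_y

    def distance_to(self, x, y):
        """Distance from (x, y) to the nearest point of the rectangle; 0 if inside."""
        dx = max(self.min_x - x, 0.0, x - self.max_x)
        dy = max(self.min_y - y, 0.0, y - self.max_y)
        return math.hypot(dx, dy)


def cloak(users, requester_id, k):
    """Anonymizer step 1 (hypothetical heuristic): the smallest box around the
    requester and its k-1 nearest other users, so the box holds at least k users."""
    if k < 1:
        raise ValueError("k must be >= 1")
    by_id = {uid: (x, y) for uid, x, y in users}
    rx, ry = by_id[requester_id]
    others = sorted(
        ((x, y) for uid, x, y in users if uid != requester_id),
        key=lambda p: (p[0] - rx) ** 2 + (p[1] - ry) ** 2,
    )
    if len(others) < k - 1:
        raise ValueError(f"only {len(others) + 1} users known, cannot satisfy k={k}")
    group = [(rx, ry)] + others[: k - 1]
    xs = [p[0] for p in group]
    ys = [p[1] for p in group]
    return CloakedRegion(min(xs), min(ys), max(xs), max(ys))


def users_in_region(users, region):
    """How many users the region actually covers (may exceed k)."""
    return sum(1 for _, x, y in users if region.contains(x, y))


def max_identification_probability(users, region):
    """Upper bound on the provider's chance of picking the requester from position alone."""
    return 1.0 / users_in_region(users, region)


def anonymize_request(users, requester_id, k):
    """Anonymizer step 2: drop the identifier, attach a random pseudo-identifier
    and the cloaked region. Only this dict reaches the service provider."""
    region = cloak(users, requester_id, k)
    return {"pseudo_id": secrets.token_hex(8), "region": region}


def candidate_answers(pois, region, radius):
    """Privacy-aware query processor (hypothetical): answer 'POIs within radius
    of me' for an unknown point inside the region. Any POI within radius of the
    region could be within radius of the user, so the result is a superset of
    the exact answer; the client filters it against its true position."""
    return [name for name, x, y in pois if region.distance_to(x, y) <= radius]


if __name__ == "__main__":
    req = anonymize_request(USERS, "alice", k=3)
    print(req)
    print("users covered:", users_in_region(USERS, req["region"]))
    print("max identification probability:", max_identification_probability(USERS, req["region"]))
    print("candidate answers:", candidate_answers(POIS, req["region"], radius=1.0))
```

Note that `users_in_region` is the check a deployment would want: the box is built from k positions, but the guarantee is "at least k users inside", so the achieved bound on identification probability is 1 divided by the count actually covered, not 1/k by assumption.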
A common criticism of location k-anonymity is that it is difficult to gauge which size of k is minimally necessary or sufficient. The higher the value of k, the higher the level of protection but also the loss of position accuracy, that