21 Privacy Protection through Anonymity in Location-based Services
Claudio Bettini¹, Sergio Mascetti¹, and X. Sean Wang²
¹ DICo, University of Milan, Italy
bettini@dico.unimi.it, mascetti@dico.unimi.it
² Department of Computer Science, University of Vermont, VT
xywang@emba.uvm.edu
Summary. The adoption of location-based services (LBS) brings new privacy
threats to users. The user location information revealed in LBS requests may be
used by attackers to associate sensitive information of the user with her identity.
This contribution focuses on privacy protection through anonymity, i.e., keeping
individual users indistinguishable in a large group of people that may have issued
the same request. The contribution identifies different privacy threats to LBS users,
discusses techniques for protecting user privacy under different threats, and gives a
performance evaluation of the mentioned protection methods.
1 Introduction
Location-based services (LBS) have recently attracted much interest from
both industry and research. Currently, the most popular commercial service
is probably car navigation, but many other services are being offered and more
are being tested, as less expensive location-aware devices reach
the market. Consciously or unconsciously, many users are ready to give up one
more piece of their private information in order to access the new services.
Many other users, however, are concerned about releasing their exact location
as part of the service request, or about revealing that they have used
a particular service. Safeguarding user privacy while still rendering useful
services is a critical issue for the growth of emerging LBS.
An obvious defense against privacy threats is to eliminate from the request
any data that can directly reveal the issuer's identity, possibly using a
pseudonym whenever this is required (e.g., for billing through a third party).
Unfortunately, simply dropping the issuer's personal identification data
may not be sufficient to anonymize the request. For example, the location
and time information in the request may be used, with the help of external

The work was partially supported by the Italian MIUR InterLink project
N.II04C0EC1D, and the US NSF grants IIS-0430402 & IIS-0430165.