Databases Reference
In-Depth Information
knowledge, to restrict the possible user to a small group issuers. This problem
is well-known for the release of data in databases tables [17]. In that case, the
problem is to protect the association between the identity of an individual
and a tuple containing her sensitive data; the attributes whose values could
possibly be used to restrict the candidate identities for a given tuple are called
quasi-identifiers
[7, 5].
This contribution contains a classification of different privacy threats in-
volved in LBS, and a discussion of different protection techniques based on
user anonymity. More specifically, in Section 2, we first provide a general
overview of the general LBS privacy problem, and a classification of different
privacy threats. We then formalize the anonymity approach for privacy pro-
tection in Section 3, and detail a number of protection techniques for different
threats in Section 4, also identifying some interesting research directions. In
Section 5, we report an experimental evaluation of the presented techniques,
and finally conclude with a brief summary and possible future works in Sec-
tion 6.
2 Privacy threats with LBS
In general, there is a privacy threat when an attacker is able to associate the
identity of a user to information that the user considers private. In the case of
LBS, this
sensitive association
can be possibly derived from requests issued to
service providers. More precisely, the identity and the private information of
a single user can be derived from requests issued by a group of users. Figure 1
shows a graphical representation of this general view of privacy threats in
LBS.
In order to infer the sensitive association, the attacker can exploit some
external knowledge
that is not transmitted with the requests. This informa-
tion can be used, for example, to discover the identity of the issuer even if
this information is not explicitly provided in the request or to derive private
information associated with a particular location.
The assumption about the external knowledge that is available to the at-
tacker strongly affects the defense techniques used to protect user's privacy.
More generally, a privacy preserving technique can be provided once the
con-
text assumption
is fixed. This assumption includes the external knowledge
that is possibly available to the attacker and his reasoning abilities.
2.1 The reference scenario
Figure 2 shows our reference scenario that involves three entities:
•
The
User
invokes or subscribes to location-based remote services that are
going to be provided to her mobile device.
