Transcript
Page 1: MobiShare : Flexible Privacy-Preserving  Location Sharing in  Mobile  Online Social Networks

A.C. Chen @ ADL 1

MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks

Wei Wei, Fengyuan Xu, Qun Li (The College of William and Mary)

in IEEE INFOCOM 2012

INTRODUCTION

Mobile Online Social Networks (mOSNs)

Mobile Online Social Networks (mOSNs)

• Many existing OSNs have created content and access mechanisms tailored to mobile users

New mOSNs

• Some mOSNs are designed specifically to be accessed by mobile devices, such as Foursquare and Gowalla

Privacy Concerns

• While the location-based features make mOSNs more popular, they also raise significant privacy concerns
– Because users’ physical locations are now being correlated with their profiles

• All the current mOSNs are under centralized control
– Users’ location privacy will be compromised if the location data collected by the mOSNs are abused, inadvertently leaked, or under the control of hackers

Related Work

• SmokeScreen [ACM MobiSys, 2007]
– Flexibly share presence with both friends and strangers while preserving user privacy

• In [HotMobile, 2010] and [Privacy Enhancing Technologies, 2007], locations are shared between established relations in a privacy-preserving way
– This limits a large class of mobile social applications

The Main Idea of This Paper…

• In a mOSN, users should be able to control how their own location information is accessed by others

• The system should work in a way that an adversary controlling the mOSN cannot obtain users’ location information

MOBISHARE

[Architecture figure: User, Cellular Tower, Location Server, Social Network Server]

MobiShare Architecture

Trust and Threat Model

• Assumption:
– Either the social network server or the location server can be compromised, but the adversary cannot control both entities

• Threat Model
– Some users may also be malicious, seeking to obtain the location information
– The social network server or the location server may collude with these malicious users

The Cellular Towers are Trusted

• The cellular carrier generally knows the owner’s name and address for each subscribed cell phone
– The FCC’s wireless Enhanced 9-1-1 rules [E9-1-1] require that the cellular carriers can locate the subscribed cell phones with an accuracy of 50 to 300 meters

• We make no attempt to conceal the devices’ locations from the cellular networks

Social Network Server and User

• The social network server manages users’ identity-related information (profiles, friend lists…)
– It can be a server of any existing OSN that wants to provide the location-sharing service

• Each user has a unique identifier at the social network server, a public-private key pair, and a symmetric session key
– The session key is shared with all his social network friends

Location server and Cellular Tower

• The location server is an untrusted 3rd-party server storing anonymized location updates of the users
– A company may implement the location server so as to profit from the OSNs or the users
– Shares a symmetric secret key with the cellular towers

• Each cellular tower has a unique identifier and generates by itself a symmetric secret key
– It also shares its secret key with the location server

SYSTEM DESIGN

Service Registration, Authentication, Location updates, Querying location

MobiShare System

• Registration
– Before using the location-sharing service, each user needs to register for the service at the social network server

• Authentication
– Establish an authenticated and secure communication link between the user and the cellular tower

• Location updates

• Querying location
– Friends’ case
– Strangers’ case

Service Registration

• User A shares his public key PubKeyA with the social network server

• User A defines access control settings dfA and dsA
– threshold distances of sharing with friends and strangers

• After registration, the social network server stores an entry as <IDA,PubKeyA,dfA,dsA> in its subscriber table

Authentication

Message flow (figure):

1. User A → cellular tower: request(IDA, ts, SigA(IDA,ts))
2. Cellular tower → social network server: forward (IDA, ts, SigA(IDA,ts))
3. Social network server: verification, then replies (IDA,dfA,dsA)
4. Cellular tower → User A: forward (IDA,dfA,dsA)
5. User A: verification, then replies OK
6. On the reception of the OK message, the cellular tower stores an entry as <IDA,dfA,dsA> in its `user info` table

Location Updates

• The cellular tower performs anonymization when a user uploads his location updates to the location server
– Pseudonyms + dummy location updates
– Each cellular tower periodically generates fake IDs and saves them in a fake ID pool
• The fake IDs can be efficiently generated using a cryptographic hash function, e.g. fake IDi = SHA(fake IDi−1 ⊕ salt)

Location Updates – Anonymization

Message flow (figure):

1. User A → cellular tower: sends (IDA,(x,y),SessA(x,y))
2. Cellular tower: update `user info`; pick k fake IDs and choose FIDA
3. Cellular tower → social network server: sends mapping (IDA, FIDA, FID1, ..., FIDk−1)
4. Social network server: store FIDA in `user info`; update `fake ID`

Location Updates – Anonymization (cont.)

Cellular tower → location server (figure):

– 1 real update: update (FIDA,(x,y),SessA(x,y),dfA,dsA), stored in `regionA`
– k−1 dummy updates: update (FIDi,(xi,yi),stri,dfi,dsi), each stored in `regioni`

The cellular tower sends the k location updates to the location server in a random order with random time intervals following the exponential distribution

Dummies Must Behave Like True Users

• The cellular tower follows the method of [Kido et al. 2005] to generate k−1 dummy locations within its coverage
– Anonymous communication technique using false position data (dummies) mixed with true position data
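As an added example (not the paper's or the presenter's code), the hash-chain fake ID pool of the Location Updates slide and the k-anonymous update batch of the Anonymization slides, in Python. The salt, the seed, the 5 mi × 5 mi coverage square and the 1 mi region grid are assumptions made for this example.

```python
import hashlib
import random

# Added example, not code from the paper: a cellular tower's fake-ID pool
# (fake ID_i = SHA(fake ID_{i-1} XOR salt)) and the k-anonymous update batch
# it sends for one real location update. The salt, the seed, the coverage
# area (a 5 mi x 5 mi square) and the region partitioning are constructed.

def fake_id_chain(seed: bytes, salt: bytes, count: int) -> list:
    """fake ID_i = SHA(fake ID_{i-1} XOR salt), as a list of hex IDs."""
    ids, prev = [], seed
    for _ in range(count):
        mixed = bytes(a ^ b for a, b in zip(prev, salt))  # 32-byte XOR
        prev = hashlib.sha256(mixed).digest()
        ids.append(prev.hex()[:16])  # truncated to a 64-bit fake ID
    return ids

def region_of(x, y):
    """Constructed 1 mi grid: the location server keys its tables by region."""
    return f"region_{int(x)}_{int(y)}"

def anonymize_update(user_id, loc, sess_blob, df, ds, pool, k, seed):
    """Return (mapping for the social network server, the k updates in the
    order they are sent, and the exponential inter-send delays).
    Exactly one update carries A's real location and session ciphertext."""
    rng = random.Random(seed)
    if len(pool) < k:
        raise ValueError("fake ID pool exhausted; the tower must refill it")
    fids = [pool.pop() for _ in range(k)]   # consume k unused fake IDs
    fid_a = rng.choice(fids)                # the one that stands for A
    mapping = (user_id, fid_a, [f for f in fids if f != fid_a])
    updates = []
    for fid in fids:
        if fid == fid_a:
            x, y = loc
            updates.append((fid, (x, y), sess_blob, df, ds, region_of(x, y)))
        else:
            # dummy: a plausible point inside the coverage, plausible
            # thresholds and a random string the size of a real ciphertext
            x, y = rng.uniform(0, 5), rng.uniform(0, 5)
            fake_ct = "".join(rng.choice("0123456789abcdef")
                              for _ in range(len(sess_blob)))
            updates.append((fid, (x, y), fake_ct, rng.choice([0.5, 1, 2]),
                            rng.choice([0.5, 1, 2]), region_of(x, y)))
    rng.shuffle(updates)                               # random send order
    delays = [rng.expovariate(1.0) for _ in updates]   # exponential gaps
    return mapping, updates, delays
```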

Table View – location

Querying Friends’ Locations

Message flow (figure):

1. User A → cellular tower: query(IDA,’f’,‘1mi’)
2. Cellular tower → social network server: forward (IDA,’f’,‘1mi’, SecKeyLoc(CIDC,seq))
3. Social network server: create `FIDlist` by looking up `fake ID`; it consists of the fake IDs (real and dummies) of all A’s friends
4. Social network server → location server: query(FIDA,’f’,FIDlist,’1mi’,SecKeyLoc(CIDC,seq))
5. Location server returns SecKeyc((FIDi,Sessi(xi,yi))…,seq)
6. Access control
7. A receives (SecKeyc((FIDi,Sessi(xi,yi))…,seq), mapping entries); each mapping entry is of the form (FIDj,IDj), for all of A’s friends
8. User A: decrypt location entries ((IDi,Sessi(xi,yi)), (IDj,Sessj(xj,yj))…)

Querying Strangers’ Locations

Message flow (figure):

1. User A → cellular tower: query(IDA,’s’,‘1mi’)
2. Cellular tower: forward (’s’,‘1mi’, SecKeyLoc(FIDA,CIDC,seq))
3. Location server: looks up `region`; builds FIDlist, which consists of the n nearby fake IDs mixed with (k − 1)n randomly selected fake IDs
4. forward (SecKeyc((FIDi,(xi,yi)), (FIDj,(xj,yj))…,seq), FIDlist)
5. A receives (SecKeyc((FIDi,(xi,yi)), (FIDj,(xj,yj))…,seq), mapping entries); each mapping entry is of the form (FIDj,IDj,dsj)
6. User A: decrypt location entries and double check ((IDi,(xi,yi)), (IDj,(xj,yj))…)

The n nearby fake IDs are mixed with (k−1)n fake IDs randomly picked from the location update database
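As an added example (not the paper's or the presenter's code), the range and access-control checks a location server applies to the friend and stranger queries above, and the client's double check of the stranger result, in Python. The database entries, the thresholds and a flat-plane distance in miles are assumptions made for this example.

```python
import math
import random

# Added example, not code from the paper: the range and access-control
# checks a location server applies to the friend query and the stranger
# query, plus the client's double check of the stranger result. The
# database, thresholds and a flat-plane distance in miles are constructed.

# location-update database: fake ID -> (x, y, stored string, df, ds);
# the stored string is Sess(x,y) for a real user, a random string for a dummy
DB = {
    "fidA": (0.0, 0.0, "SessA(0,0)", 1.0, 0.5),    # A's own real entry
    "fidB": (0.3, 0.4, "SessB(.3,.4)", 1.0, 0.2),  # friend B, 0.5 mi away
    "fidC": (0.5, 0.5, "SessC(.5,.5)", 0.5, 2.0),  # friend C, 0.71 mi, df 0.5
    "fidD": (3.0, 4.0, "SessD(3,4)", 9.0, 9.0),    # friend D, 5 mi away
    "fidS": (0.1, 0.1, "SessS(.1,.1)", 1.0, 0.1),  # stranger S, 0.14 mi, ds 0.1
    "fidE": (0.2, 0.0, "7a1f...", 1.0, 1.0),       # dummy: no ID maps to it
}

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def friend_query(fid_a, fid_list, rng_mi):
    """Entries (FIDi, Sessi(xi,yi)) for the FIDs in FIDlist that are within
    the query range AND within their owner's friend threshold df_i."""
    a = DB[fid_a][:2]
    return [(f, DB[f][2]) for f in fid_list
            if f != fid_a and f in DB
            and dist(a, DB[f][:2]) <= min(rng_mi, DB[f][3])]

def stranger_query(fid_a, rng_mi, k, seed):
    """The n fake IDs within range and within their owner's ds_i, mixed with
    (k-1)*n fake IDs picked at random from the database, in random order."""
    a = DB[fid_a][:2]
    near = [f for f, e in DB.items()
            if f != fid_a and dist(a, e[:2]) <= min(rng_mi, e[4])]
    rest = [f for f in DB if f != fid_a and f not in near]
    rng = random.Random(seed)
    fid_list = near + rng.sample(rest, min(len(rest), (k - 1) * len(near)))
    rng.shuffle(fid_list)
    return [(f, DB[f][:2]) for f in fid_list]   # FID and plaintext (x,y)

def client_double_check(a_loc, rng_mi, entries, mapping):
    """mapping: FIDj -> (IDj, dsj). Dummies have no mapping entry and are
    dropped; so is anything outside the range or its owner's ds threshold."""
    return sorted((mapping[f][0], loc) for f, loc in entries
                  if f in mapping
                  and dist(a_loc, loc) <= min(rng_mi, mapping[f][1]))
```

The chaff the location server mixes in is only removed at the client, which is why the double check against the range and dsj is part of the protocol rather than an optimisation.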

EVALUATION

Experiment and Evaluation

Experimental Setup

• Cellular tower: emulated by a laptop
– the smartphone communicates with the laptop through Verizon’s 3G data service

• Social network server: deployed on a third-party cloud hosting service provided by JoyentCloud

• Location server: deployed on a third-party cloud hosting service provided by Linode

Experimental Setup (cont.)

• Client: implemented in Java on a MOTOROLA DROID 2 Global smartphone
– the size of this executable is 252KB
– memory footprint of 12MB when running

• Use a data set consisting of 48,014 users and the social network topology among them as a social network sample

Client Interface

Experiment

• The anonymity level k is set to be 5

• Use 128-bit AES for symmetric key encryption and decryption

• The client is set to update its location every 30 seconds, and query the locations of friends or nearby strangers every 1 minute

Experiment Results

• Low overhead of the client
– a client only consumes 1.5% of the battery power, with average CPU utilization of 0.3%

• Low overhead incurred by our scheme on the cellular towers
– when there are 1000 connecting users, the cellular tower service only uses 4.1% of the CPU power and 91MB memory

Conclusion

• MobiShare supports the features of location sharing in real-world mOSNs:
– querying locations within a certain range
– user-defined access control
– no change to the existing OSNs’ architectures; the adversary cannot link a precise location to an identified user

