MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks


Post on 25-Feb-2016






Slide summary of MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks, by Wei Wei, Fengyuan Xu and Qun Li, The College of William and Mary, INFOCOM IEEE 2012 (PowerPoint presentation).



MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks
Wei Wei, Fengyuan Xu, Qun Li (The College of William and Mary), in INFOCOM IEEE 2012
Presented by A.C. Chen @ ADL

Introduction
Mobile Online Social Networks (mOSNs)
- Many existing OSNs have created content and access mechanisms tailored to mobile users

- Location sharing is a fundamental component of mobile online social networks (mOSNs)

New mOSNs
- Some mOSNs are designed specifically to be accessed by mobile devices, such as Foursquare and Gowalla

Privacy Concerns
- While the location-based features make mOSNs more popular, they also raise significant privacy concerns, because users' physical locations are now being correlated with their profiles
- All the current mOSNs are under centralized control
- Users' location privacy will be compromised if the location data collected by the mOSNs are abused, inadvertently leaked, or under the control of hackers
- To protect users' location privacy, the system should work in a way that an adversary controlling the mOSN cannot obtain users' location information
- Unfortunately, no scheme proposed so far meets these requirements

Related Work
- SmokeScreen [ACM MobiSys, 2007]: flexibly share presence with both friends and strangers while preserving user privacy
- In [HotMobile, 2010] and [Privacy Enhancing Technologies, 2007], locations are shared only between established relations in a privacy-preserving way, which limits a large class of mobile social applications

The Main Idea of This Paper
- In a mOSN, users should be able to control how their own location information is accessed by others
- The system should work in a way that an adversary controlling the mOSN cannot obtain users' location information

- An untrusted third-party location server stores users' anonymized location updates mixed with dummy location updates
- A user's location information is not leaked to malicious users who are unauthorized to access his locations either, even if these malicious users collude with the social network server or the location server

MobiShare Architecture
(Figure: the four parties are the User, the Cellular Tower, the Location Server and the Social Network Server)

- SNS (social network server): manages users' identity-related information (profiles, friend lists); can be a server of any existing OSN that wants to provide the location-sharing service
- LS (location server): untrusted third-party server that stores the anonymized location updates of the users

Trust and Threat Model
- Assumption: either the social network server or the location server can be compromised, but the adversary cannot control both entities
- Threat model: some users may also be malicious, seeking to obtain the location information; the social network server or the location server may collude with these malicious users
- Either the social network server or the location server can be compromised and controlled by an adversary seeking to link users' identities to their locations

- For example, an employee of the social network company may register for the location-sharing service and collude with the server to extract other users' location information

The Cellular Towers Are Trusted
- The cellular carrier generally knows the owner's name and address for each subscribed cell phone
- The FCC's wireless Enhanced 9-1-1 rules [E9-1-1] require that the cellular carriers can locate the subscribed cell phones with an accuracy of 50 to 300 meters
- We make no attempt to conceal the devices' locations from the cellular networks

Social Network Server and User
- The social network server manages users' identity-related information (profiles, friend lists)
- It can be a server of any existing OSN that wants to provide the location-sharing service
- Each user has a unique identifier at the social network server, a public-private key pair, and a symmetric session key; the session key is shared with all his social network friends

Location Server and Cellular Tower
- The location server is an untrusted third-party server storing anonymized location updates of the users
- For example, a company may implement the location server so as to profit from the OSNs or the users
- The location server shares a symmetric secret key with the cellular towers
- Each cellular tower has a unique identifier and generates by itself a symmetric secret key; it also shares its secret key with the location server

- Some privacy advocacy organization, like the Electronic Frontier Foundation (EFF), can provide the location server to help protect user privacy
- The servers and the cellular towers are connected by high-speed secure links
- The social network server cannot identify the communicating cellular towers by observing the IP addresses in the connections

System Design
- Service registration
- Authentication
- Location updates
- Querying location

MobiShare System
- Registration: before using the location-sharing service, each user needs to register for the service at the social network server
- Authentication: establish an authenticated and secure communication link between the user and the cellular tower
- Location updates
- Querying location: friends case and strangers case

Service Registration
- User A shares his public key PubKeyA with the social network server
- User A defines the access control settings dfA and dsA, the threshold distances for sharing with friends and with strangers
- After registration, the social network server stores an entry for A in its subscriber table

Authentication
(Figure: message labels as they appear on the slide, exchanged among user A, the cellular tower and the social network server)
- request(IDA, ts, SigA(IDA, ts))
- forward(IDA, ts, SigA(IDA, ts))
- Verification
- (IDA, dfA, dsA)
- forward(IDA, dfA, dsA)
- Verification
- OK
- On reception of the OK message, the cellular tower stores an entry in its `user info` table
- The purpose is to let the cellular tower authenticate A's identity
- After this, an authenticated and secure communication link is established between A and the cellular tower, and A's identity is attached to this link

Location Updates
- The cellular tower performs anonymization when a user uploads his location updates to the location server: pseudonyms + dummy location updates
- Each cellular tower periodically generates fake IDs and saves them in a fake ID pool
- The fake IDs can be efficiently generated using a cryptographic hash function, e.g. fake_ID_i = SHA(fake_ID_{i-1} || salt)

Location Updates Anonymization

(Figure: user A sends (IDA, (x,y), SessA(x,y)) to the cellular tower; the tower updates `user info`, picks k fake IDs and chooses FIDA among them, and sends the mapping (IDA, FIDA, FID1, ..., FIDk-1) to the social network server, which stores FIDA in `user info` and updates `fake ID`)

- The social network server stores an entry for this mapping

Location Updates Anonymization (cont.)

(Figure: the cellular tower sends the 1 real update update(FIDA, (x,y), SessA(x,y), dfA, dsA) and k-1 dummy updates update(FIDi, (xi,yi), stri, dfi, dsi) to the location server, which updates `regionA` and each `regioni`)

- The cellular tower sends the k location updates to the location server in a random order, with random time intervals following the exponential distribution
- The cellular tower follows the method proposed by Kido et al. [6] and generates k-1 dummy locations
- FIDi is one of the k fake IDs from the fake ID pool
- stri is a random string imitating the encrypted location
- dfi and dsi are the threshold distances of a random user whose information is stored in the cellular tower's user info table

Dummies Must Behave Like True Users
- The cellular tower follows the method of Kido et al. [2005] to generate the k-1 dummy locations within its coverage
- An anonymous communication technique using false position data (dummies) mixed with true position data
- Kido et al.: Protection of user location privacy in location-based services
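The anonymization step described on the slides above (a hash-chained fake ID pool, one real update mixed with k-1 dummies that carry a random string of ciphertext length and the thresholds of a random registered user, the batch shuffled and spaced with exponential delays) as a constructed Python example. This is added here and is not the authors' code: the Tower class and its field names, the hex-string SHA-256 chain, and the uniform-in-disc dummy placement that stands in for the Kido et al. generator are all assumptions. The tower never decrypts SessA(x, y), so the ciphertext is handled as opaque bytes.

```python
import hashlib
import math
import os
import random
from dataclasses import dataclass, field

# Constructed example of the cellular tower's anonymization step; not the
# authors' code. Field names (fid, df, ds, enc) are assumptions.


@dataclass
class Tower:
    tower_id: str
    salt: bytes                      # tower-local secret salt for the fake-ID hash chain
    center: tuple                    # (x, y) of the tower's coverage area
    radius: float                    # coverage radius; dummies are placed inside it
    user_info: dict = field(default_factory=dict)  # user id -> {"df", "ds", "fid"}
    fake_id_pool: list = field(default_factory=list)


def next_fake_id(prev, salt):
    """fake_ID_i = SHA(fake_ID_{i-1} || salt), rendered as a hex string."""
    return hashlib.sha256(prev.encode() + salt).hexdigest()


def extend_fake_id_pool(tower, n, seed="genesis"):
    """Periodic pool refill: append n fresh chain elements and return the pool."""
    prev = tower.fake_id_pool[-1] if tower.fake_id_pool else seed
    for _ in range(n):
        prev = next_fake_id(prev, tower.salt)
        tower.fake_id_pool.append(prev)
    return tower.fake_id_pool


def inside_coverage(tower, loc):
    return math.hypot(loc[0] - tower.center[0], loc[1] - tower.center[1]) <= tower.radius


def dummy_location(tower, rng):
    """Uniform point in the coverage disc: a simplified stand-in for the Kido et al. generator."""
    r = tower.radius * math.sqrt(rng.random())
    theta = rng.uniform(0.0, 2.0 * math.pi)
    return (tower.center[0] + r * math.cos(theta), tower.center[1] + r * math.sin(theta))


def anonymize_update(tower, user_id, location, enc_location, k, seed=None, rate=1.0):
    """Turn one real upload (IDA, (x, y), SessA(x, y)) into k pseudonymous updates.

    Returns (mapping, batch, delays): the (IDA, FIDA, FID1..FIDk-1) mapping the
    tower reports to the social network server, the k updates for the location
    server in transmission order, and the exponential inter-arrival delays.
    """
    rng = random.Random(seed)
    if k < 1:
        raise ValueError("k must be at least 1")
    if user_id not in tower.user_info:
        raise KeyError("user has not authenticated with this tower")
    if len(tower.fake_id_pool) < k:          # refill the pool when it runs low
        extend_fake_id_pool(tower, k - len(tower.fake_id_pool) + 8)

    # Draw k unused fake IDs; the first becomes A's pseudonym FIDA for this update.
    fids = [tower.fake_id_pool.pop(rng.randrange(len(tower.fake_id_pool))) for _ in range(k)]
    fid_a, dummy_fids = fids[0], fids[1:]
    entry = tower.user_info[user_id]
    entry["fid"] = fid_a                     # update `user info`
    real = {"fid": fid_a, "loc": location, "enc": enc_location,
            "df": entry["df"], "ds": entry["ds"]}

    # k-1 dummies: a location inside coverage, a random string the same length as
    # the ciphertext, and thresholds copied from a random registered user so the
    # dummies are distributed like true users.
    donors = list(tower.user_info.values())
    dummies = []
    for fid in dummy_fids:
        donor = rng.choice(donors)
        dummies.append({"fid": fid, "loc": dummy_location(tower, rng),
                        "enc": os.urandom(len(enc_location)),
                        "df": donor["df"], "ds": donor["ds"]})

    batch = [real] + dummies
    rng.shuffle(batch)                       # random order hides which update is real
    delays = [rng.expovariate(rate) for _ in batch]  # exponentially distributed intervals
    mapping = (user_id, fid_a, *dummy_fids)  # reported to the social network server
    return mapping, batch, delays


if __name__ == "__main__":
    # Constructed tower state: two authenticated users with their thresholds.
    t = Tower("tower-1", b"constructed-salt", (0.0, 0.0), 500.0)
    t.user_info = {"alice": {"df": 100.0, "ds": 50.0, "fid": None},
                   "bob": {"df": 200.0, "ds": 30.0, "fid": None}}
    m, b, d = anonymize_update(t, "alice", (10.0, 20.0), os.urandom(32), k=5, seed=7)
    print("mapping to SNS:", m[0], m[1][:8] + "...")
    for upd, delay in zip(b, d):
        print(f"+{delay:5.2f}s update({upd['fid'][:8]}..., {upd['loc']}, df={upd['df']}, ds={upd['ds']})")
```

The location server sees only k updates under fresh pseudonyms, in shuffled order and with randomized spacing, so neither position in the batch nor timing reveals which one belongs to A; the mapping that ties IDA to FIDA goes only to the social network server, matching the assumption that the adversary cannot control both servers.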


Experiment and Evaluation

Experimental Setup
- Cellular tower: emulated by a laptop; the smartphone communicates with the laptop through Verizon's 3G data service
- Social network server: deployed on a third-party cloud hosting service provided by JoyentCloud
- Location server: deployed on a third-party cloud hosting service provided by Linode

Experimental Setup (cont.)
- Client: implemented in Java on a MOTOROLA DROID 2 Global smartphone; the size of the executable is 252 KB, with a memory footprint of 12 MB when running
- A data set consisting of 48,014 users and the social network topology among them is used as the social network sample

Client Interface (figure)

Experiment
- The anonymity level k is set to 5
- 128-bit AES is used for symmetric key encryption and decryption
- The client is set to update its location every 30 seconds, and to query the locations of friends or nearby strangers every 1 minute

Experiment Results
- Low overhead on the client: a client consumes only 1.5% of the battery power, with average CPU utilization of 0.3%
- Low overhead incurred by the scheme on the cellular towers: with 1000 connecting users, the cellular tower service uses only 4.1% of the CPU power and 91 MB of memory

Conclusion
- MobiShare supports the features of location sharing in real-world mOSNs: querying locations within a certain range, and user-defined access control
- No change to the existing OSNs' architectures
- The adversary cannot link a precise location to an identified user

