Preserving Anonymity of Recurrent Location-based Queries

Daniele Riboni, Linda Pareschi, Claudio BettiniDICo - University of Milan

riboni,pareschi,bettini@dico.unimi.it

Sushil JajodiaCSIS - George Mason University

jajodia@gmu.edu

Abstract—The anonymization of location based queriesthrough the generalization of spatio-temporal information hasbeen proposed as a privacy preserving technique. We show thatthe presence of multiple concurrent requests, the repetition ofsimilar requests by the same issuers, and the distribution ofdifferent service parameters in the requests can significantlyaffect the level of privacy obtained by current anonymity-based techniques. We provide a formal model of the privacythreat, and we propose an incremental defense technique basedon a combination of anonymity and obfuscation. We showthe effectiveness of this technique by means of an extensiveexperimental evaluation.

I. INTRODUCTION

Location based services (LBS) are Internet services thatprovide information or enable communication based on thelocation of users and/or resources at specific times. They areoften designed to answer spatio-temporal nearest-neighboror range queries issued from mobile devices, taking as oneof the parameters the current location as identified throughpositioning technologies like GPS, cell tower triangulation,or WiFi positioning. Several commercial LBS like assistedcar navigation, friend-finder, and proximity marketing arecurrently available. The success and popularity of theseservices will partly depend upon the privacy preservingtechnologies that will be designed and offered to finalusers. Indeed, compared with privacy issues in databasepublication, the spatio-temporal information contained ineach user request, and the recurrence of requests in time,forces the consideration of new privacy threats and thedesign of specific defense techniques.

The general privacy threat consists in the acquisition byan adversary of the association between an individual’sidentity and her private information. In some cases, locationat a specific time, as included in a request, is consideredprivate; in other cases the service invoked or the specificparameters are considered private, and location and timemay be used by the adversary to re-identify the issuer. Theactual threats do not depend only on the nature of privateinformation; a careful specification of the adversary model interms of which requests he may acquire, and which externalknowledge he may have access to, is a precondition to theidentification of the privacy threats, and to the design ofdefense techniques. In this paper we illustrate a privacythreat in LBS due to the ability of the adversary to acquire

requests issued by multiple users, in the same time granule aswell as in different time granules. An example is illustratedin Section II along with the specification of the adversarymodel. In particular, we show that even if each requesthas been anonymized with state of the art techniques, theadversary can still associate private information with specificindividuals with a high probability. The attack is based onthe observation that users tend to issue LBS requests withparameters influenced by their personal profile, includingpersonal data like nationality, age, gender, and more im-portantly their interests. While profile data can evolve intime, it is a rather slow process and this is reflected inthe persistence of the same or similar service parametersin a subset of the requests issued at different times by eachuser. We illustrate a specific method an adversary can useto update, upon observing the requests issued at each timegranule, his knowledge about the probability of each user tobe associated to certain service parameters. This knowledgerefinement, coupled with the ability of an adversary torestrict the set of potential issuers of each request based onlocation information as used in previous work [1], [2], [3],leads to a dangerous privacy threat not previously recognizedin the literature.

Related work can be divided in two main streams.Obfuscation-based defenses aim at obfuscating the privateinformation in each request so that even if the issuer isidentified, the adversary cannot recognize the specific privatevalues associated with the original issuer’s request. Thesetechniques have been mostly applied in the case locationand time are considered private, as in [4]. Anonymity-baseddefenses aim at preserving the anonymity of the issuers sothat an adversary is not able to associate private informationpresent in the requests with a specific individual. Thedefenses transform the so-called quasi-identifier informationin requests so that the issuer becomes indistinguishable ina sufficiently large group of users (called anonymity set).Usually, service parameters are considered the data to beprotected, and location information is considered a quasi-identifier, since the adversary may obtain information fromexternal sources about the presence of a specific individual inthe location from which the request was issued. A commontechnique is the generalization of the location to an area inorder to include at least k potential issuers that become partof the anonymity set, enforcing k-anonymity. Most proposed

techniques have considered anonymization of requests inisolation, i.e., ignoring the possibility of the adversary tocorrelate requests at different times [1], [2], [3], [5], as wellas requests by different users. Only a few approaches con-sider the threats involved in dynamically acquiring requests(often called historical attacks), as we do in this paper; thethreats involved in the recognition of traces of requests bythe same (anonymous) issuer have been considered in [6],[7], [8], [9] and defenses have been proposed. Traces aresupposed to be recognized by comparing pseudo-identifiersin requests or by spatio-temporal reasoning. Our work differsin two aspects: a) the threat we consider occurs even ifno trace is recognized, b) we consider the effects on thecomposition of anonymity sets due to concurrent requestsby multiple users with the same request parameters. Toour knowledge this last aspect has been ignored in allprevious work in LBS privacy except in a preliminary workof ours [10], and in a more recent paper [11], and hasclose relationship with the diversity problem identified indatabase publication [12]. Finally, we should mention thattechniques based on private information retrieval have alsobeen proposed for LBS [13] and they may be appliedboth for obfuscation and anonymity, since exchanged datais encrypted; however, their practical applicability seemslimited both in terms of supported queries, and in termsof computational costs.

The contributions of this paper can be summarized asfollows: (i) We formalize a previously unrecognized privacythreat in LBS due to correlation between concurrent requestby multiple users, as well as to incremental refinementof adversarial knowledge along the service history; (ii)We propose a novel defense technique protecting from theidentified threat; (iii) We present an experimental evaluationin a profile-based proximity marketing scenario.

In Section II we formalize the adversary model and illus-trate the threat with an example. In Section III we formallydefine the adversarial inference method. In Section IV wepropose a defense technique that is experimentally evaluatedin Section V. Section VI concludes the paper.

II. ADVERSARY’S MODEL AND MOTIVATING EXAMPLEAs in several related works, our reference scenario in-

cludes a trusted server (LTS) which is aware of the actuallocation of users. This assumption is not far from reality,since most of us rely on a mobile operator for mobilecommunications, that is aware of our approximate position.The LTS acts as a proxy, by filtering and generalizing eachuser’s request before it is forwarded to the service provider(SP) which is considered untrusted. Each service requestr is logically divided into three parts: IDdata, STdata,and SSdata, containing user identification data, locationand time of request, and service parameters, respectively.We refer to the set of possible values of SSdata as Θ ={ϑ1, . . . , ϑn}, and we assume that Θ can be represented

Dan

Eric

A1 A2

BeaSSdata=�1

Carl

SSdata=�2Alice

SSdata=�1Frank

SSdata=�3

Ian

Joe

HalGina

(a) Scenario in time granule 1 (TG1)

A4A3

Alice

SSdata=�1

Carl

SSdata=�2

Dan

Eric

IanBeaSSdata=�1

Hal

Gina

Joe

Frank

(b) Scenario in time granule 2 (TG2)

Figure 1. Motivating example

as a taxonomy. The LTS transforms each request r into arequest r′, by dropping IDdata and generalizing the valueof STdata, and possibly of SSdata too. The adversary’smodel considered in this paper is based on the followingcontext assumptions:◦ The generalization algorithm adopted by the LTS is

publicly known;◦ We assume that the LTS works at a given time granular-

ity, so that at each time-granule a group of generalizedrequests is forwarded to the SP. We assume that onlyone request per time granule can be issued by each user.

◦ The adversary may obtain the generalized requests issuedin one or more time granules. We refer to this contextassumption as CMH (Multiple-issuer Historical case).

◦ The adversary may observe or obtain from externalsources the position of specific individuals at giventimes. As in related work, we make a worst case assump-tion CST that considers complete location knowledgeabout potential issuers.

◦ Correlation of requests at different time granules canonly be done by analyzing SSdata. In principle, tracesof requests made by the same individual can also berecognized on the basis of spatio-temporal reasoningor pseudo-identifiers included in requests. However, al-gorithms to deal with this case have been previouslyproposed [9], and can be seamlessly integrated with theone proposed in this paper.

Note that in this work we assume that the adversary hasno specific prior knowledge about the association betweenindividuals and sensitive service parameters (e.g., “Aliceis interested in vegetarian restaurants”). Hence, his priorknowledge is modeled according to the following definition.

Definition 1 (PRIOR KNOWLEDGE). The prior knowledge ofthe adversary is a function Kpri : U → Υ in which U is the

set of users, Υ = {(p1, . . . , pn)|∑

1≤i≤n

pi = 1} (0 ≤ pi ≤ 1)

is the set of possible probability distributions of values onthe sensitive attribute SSdata, and for all users in U , Υ ={( 1

n, . . . , 1

n)}.

After observing generalized requests issued at time gran-ule TG (and possibly also in time granules preceding TG)the adversary may compute his posterior knowledge, whichis modeled according to the following definition.

Definition 2 (POSTERIOR KNOWLEDGE). The posteriorknowledge of the adversary is a function Kpos : U ×T G →Υ in which U is the set of users, T G is a set of time granules,and Υ = {(p1, . . . , pn)|

∑

1≤i≤n

pi = 1} (0 ≤ pi ≤ 1) is

the set of possible probability distributions of values onthe sensitive attribute SSdata computed after observing therequests issued in TG and in previous time granules.

Note that the above definition is very general. An infer-ence method to actually compute the posterior knowledgeKpos is presented in Section III. On the basis of Kpos,the goal of the adversary is to reconstruct the associationbetween a user u and the sensitive service parameter ϑincluded in her request issued at TG. For instance, byobserving that, according to Kpos(u, TG), the probability ofϑ for u is considerably higher than the one for other users inU , the adversary may conclude that u issued a request havingprivate value ϑ. Various profile-based proximity services areprone to this kind of privacy threats. The following exampleconsiders the case of a proximity marketing service.

Example 1. Consider a proximity marketing service thatproactively provides location-aware advertisements aboutsales on items belonging to a set of interest categories.Each registered user periodically communicates her currentlocation to the service provider in order to receive adver-tisements. However, since the service provider is untrusted,users communicate to the service only part of their interestcategories, while they do not report the ones involvingsensitive information such as health status, religious beliefs,and political affiliations. However, advertisements regardingthe latter categories can be obtained on-demand by issuinganonymous queries in which the user’s location is general-ized by the LTS, and containing the category of interest (avalue in {ϑ1, ϑ2, . . . , ϑ12}).

Suppose that during TG1 a user Alice issues a requestfor sales regarding items of category ϑ1. By joining loca-tion information in requests issued at TG1 with the onecommunicated by its users, the adversary identifies twoanonymity sets A1 and A2 (corresponding to users depictedin Figure 1(a)), both having cardinality 5. In our example,two of the three requests issued from users in A1 (includingAlice) ask for ϑ1 and one for ϑ2. Hence, the adversary caninfer that the probability that Alice issued a request for ϑ1

is 25 , while it is15 for ϑ2. Next, suppose that the adversary

can observe also requests issued at TG2, including theone issued by Alice for ϑ1. Once again, the adversary canrecognize two anonymity sets A3 and A4 of cardinality 5,corresponding to the users depicted in Figure 1(b). Duringthe lapse of time between TG1 and TG2 users have changedtheir positions. With regard to Alice’s anonymity set A4, theadversary can observe that the set of requests issued byusers in A4 is composed of a single request having privatevalue ϑ1. Consequently, the adversary can notice that thepresence of Alice in a given anonymity set is correlated witha frequency of the private value ϑ1 that is higher than theaverage frequency of the same value in the whole set ofrequests. Hence, he can conclude that probably Alice issuedrequests for ϑ1.

III. DERIVING POSTERIOR KNOWLEDGEIn this section we formally model the derivation of

posterior knowledge in the historical multiple-issuers case.The following notation is necessary:◦ AC(r

′) is the anonymity set of potential issuers of re-quest r′ identified on the basis of r′ and of context C. Forinstance, if r′ is the request issued by Alice during TG1(Example 1), AC(r′) = {Alice, Bea, Carl, Dan, Eric}.

◦ R(A) = {r′1, . . . , r′n} is the set of generalized re-

quests issued by users in anonymity set A; in particular,∀r′1, r

′2 ∈ R(A) : r

′1.STdata = r

′2.STdata. For

instance, if A is the anonymity set identified above (i.e.,A = AC(r

′)), R(A) is the set composed of requestsissued by Alice, Bea and Carl during TG1.

◦ Θ(R) = {ϑ1, . . . , ϑl} is the set of values of SSdataincluded in the set R of generalized requests. For in-stance, if R is the set of requests identified above (i.e.,R = R(A)), Θ(R) = {ϑ1, ϑ2}.

◦ mϑ,R is the number of requests in R which include theSSdata ϑ; this value is called the multiplicity of ϑ in R.For instance, if R = R(A) as above, the multiplicity ofϑ1 in R is mϑ1,R = 2.

◦ Given posterior knowledge Kpos(u, TG) =(p1, . . . , pn), we denote by K(i)pos(u, TG) theprobability associated to the i-th sensitivevalue, i.e., K(i)pos(u, TG) = pi. Similarly, givenKpri(u) = (p1, . . . , pn), K(i)pri(u) = pi.

Intuitively, the probability that a user u issued one of therequests at time TGn with parameter ϑ is influenced bythe frequency of observation of the same parameter in therequests in R(A) for each anonymity set A including u atTG1, . . . , TGn. The higher is the frequency, the more it isprobable that u issued a request with parameter ϑ. However,in most cases the cardinality of R(A) is smaller than thecardinality of A, since service users do not continuouslyissue requests. Therefore, when the adversary computes his

posterior knowledge based on requests issued in a givenTG, he must consider the possibility that the user did notissue requests in TG. The following definition models theadversary’s inference method under C̃ = CMH+ST .

Definition 3 (INFERENCE METHOD). Given the context C̃,an ordered set of time granules T G = {TG1, . . . , TGm},a set of requests R issued at TGm, a user u ∈ U , theset Θ = {ϑ1, . . . , ϑn} of SSdata, the inference method toderive the posterior knowledge at TGn under C̃ consists inthe computation of: Kpos(u, TGm) = (p1, . . . , pn), wherefor each i ∈ {1, . . . , n}:

pi =

{K

(i)pos(u, TGm−1) if @r ∈ R : u ∈ AC̃(r)

βi + (1 − α) · K(i)pos(u, TGm−1) otherwise

where K(i)pos(u, TG0) = K(i)pri(u), βi =mϑi,R(A)

|A|,

α =|R(A)|

|A|, and A is the anonymity set the user u

belongs to (if such anonymity set exists).

Intuitively, if user u does not belong to any anonymityset at TGm (first case in the formula of Definition 3), theadversary does not acquire any new information about u.Hence, his posterior knowledge regarding u at TGm doesnot change with respect to the one at TGm−1. In particular,if u never belonged to an anonymity set throughout T G,the adversary’s posterior knowledge corresponds to his priorknowledge K(i)pri(u). On the contrary (second case), if ubelongs to an anonymity set A she is the potential issuer ofa request r ∈ R(A). The actual probability that u issued onerequest in R(A) is α ∈ [0, 1]; hence, we call this parameterthe learning rate of the adversary. Given a sensitive value ϑi,the parameter βi accounts for the probability that u issueda request at TGm having that sensitive value (first addendin the formula). The second addend (1 − α) accounts forthe probability that u did not issue a request at TGm; underthis hypothesis, the posterior knowledge K(i)pos(u, TGm−1)at TGm−1 is taken into account.

Proposition 1. Kpos(u, TGm) computed by the inferencemethod illustrated in Definition 3 is a probability distri-bution. It follows that the inference method illustrated inDefinition 3 computes the adversary’s posterior knowledge.

Example 2. Continuing Example 1, we show how the adver-sary computes his posterior knowledge about the associationof user Alice and sensitive value ϑ1 after observing requestsissued at TG1 and TG2. Recall that the cardinality of theset Θ of SSdata is 12. At the first time granule TG1, foreach user the adversary’s prior knowledge Kpri is modeledby the uniform distribution ( 112 , . . . ,

112 ). Hence, according

to Definition 3, K1pos(Alice, TG1) ' 0.43. After observingrequests issued at time granule TG2, the adversary’s pos-terior knowledge is K1pos(Alice, TG2) ' 0.54. Hence, afterTG2 the value that associates Alice to ϑ1 is considerably

Algorithm 1: HMID algorithmInput: k - minimum k-anonymity level; C̃ - attack context; Pi - list

of potential issuers at TGi; Ri - requests issued at TGi;tc1, . . . , tcL - t-closeness levels for each level ofgeneralization of SSdata; MaxST - max level ofgeneralization admitted for STdata.

Output: R′i - set of anonymized requests.HMID( C̃, Pi,Ri, k, tc1, . . . , tcL, MaxST)1begin2

R′i := ∅3Pi := HilbertOrdering(Pi , location)4repeat5

forall level j = 1, . . . , L of generalization of SSdata do6int n := k7Aj = first n users in Pi8while MBR(Aj) ≤ MaxST and9t-cl(R(Aj ), j,Ri) ≥ tcj and Pi 6= ∅ do

n := n + k10Aj = first n users in Pi11

QoSj := QoS(Aj , R(Aj), j)12if no Aj exists that satisfies tcj then13

A := group users until: MBR(A) > MaxST or14A = PiRi := Ri \ R(A) ; Pi := Pi \ A15

else16j := level of generalization s.t. QoSj is maximum17Pi := Pi \ Aj18R(Aj ) := Anonymize(Aj , R(Aj ))19R(A

j) := Obfuscate(R(A

j), j)20

R′i := R′i ∪ R(Aj )21until Ri = ∅ or Pi = ∅22return R′i23

end24t- cl(R, j,Ri)1begin2

D := PDF(R, SSdata)3D′ := PDF(Ri, SSdata)4return KL(D, D′)5

end6

higher than the value for the other users belonging to thesame anonymity set as Alice (0.54 vs 0.27).

IV. DEFENSE TECHNIQUE

In order to measure the success of privacy attacks, aswell as of defenses against them, it is necessary to definethe criteria by which the adversary can choose the SSdata ϑto be associated with a user u. If the adversary chooses thecorrect value, the attack is successful. For the sake of thispaper we adopt a criterion γ, which consists in comparingωn(ϑi, u) = K

(i)pos(u, TGn) at time granule TGn with the

average value ωn(ϑi, U) =∑

u∈U K(i)pos(u,TGn)

|U | computed attime granule TGn in the considered population of serviceusers U . Experimental evidence (reported in Section V)shows that this attack criterion is very effective. However,our defense technique can be also applied to different

criteria. We call confidence Ωn the function:

Ωn(ϑi, u) =

{0 if ωn(ϑi, U) = 0ωn(ϑi,u)ωn(ϑi,U)

otherwise

According to criterion γ, the value ϑ chosen by the adversaryis the one having maximum confidence:

Ωn(ϑ, u) = maxϑi∈Θ

{Ωn(ϑi, u)}.

HMID: defending with anonymity and obfuscation: Asfor any other defense technique, the objective of our tech-nique, called historical multiple-issuers defense (HMID), isto guarantee the necessary level of privacy while maximizingthe usefulness of the data. To this aim, HMID adopts bothanonymity (obtained by generalizing STdata) and obfusca-tion (obtained by generalizing SSdata). Its specific goal is tofind the combination of the generalization levels for STdataand SSdata that maximizes the data quality while enforcingthe required privacy level.

For the sake of LBS requests, data quality can be naturallymeasured as a function of the generalization level of user’slocation and of request parameters in anonymized requests.However, different applications may have different require-ments that determine their actual quality of service (QoS).For instance, some services need very precise locationinformation, while being quite tolerant with respect to thegeneralization of service parameters. On the other hand, forother services accurate users’ location is not strictly required,while service parameters are the most prominent data. HMIDcopes with this aspect by supporting the definition of anykind of function LQoS to determine the QoS resulting fromrequests generalization.

The privacy leak (pl) determined by an attack at a giventime granule can be measured as the percentage of users thatare correctly associated with their SSdata by an adversarybased on context C̃ and criterion γ. Hence, we define thelevel of privacy Lp as: (1−pl). The desired level of privacyis guaranteed by enforcing k-anonymity coupled with avariant of the t-closeness technique originally proposed byLi et al. [14] for privacy protection of microdata releasedfrom databases. K-anonymity ensures that, based on C̃, theissuer of each generalized request r is indistinguishable inan anonymity set A of at least k potential issuers. However,as shown in Example 1, k-anonymity is insufficient whenthe adversary may observe multiple requests issued in thesame time granule. Indeed, in that case he may derive theassociation between a user and a request based on theSSdata in that request, and on the distribution of SSdatain the history of requests originated from the anonymitysets including that user. Hence, considering the whole setof requests issued in a time granule, our t-closeness variantaims at counteracting this kind of adversarial inferenceby smoothing the differences among the distribution ofSSdata in requests originated from the different anonymity

sets. In particular, for each anonymity set A we ensurethat the distance between the distribution of SSdata inrequests originating from A and the distribution of SSdatain the whole set of requests issued during the same timegranule is below a threshold t. Given a privacy thresholdh (0 < h < 1), the value of t sufficient to guaranteeLp ≥ h is experimentally estimated; in general, a differentvalue of t must be used for each SSdata generalization level.We measure the difference between the two distributionsusing the well known Kullback-Leibler (KL) divergence. Ifan anonymity set satisfies k-anonymity but does not fulfillour t-closeness variant, HMID adds more potential issuersto it (by further generalization of request location), untilthe required level of t-closeness is reached; if that levelcannot be enforced, requests originating from that anonymityset are discarded, and their issuers are informed. In mostcases the number L of levels in the hierarchy of SSdatais quite limited. Hence, HMID tries all the possible levelsof SSdata generalization, coupled with the finest-grainedgeneralization of STdata that satisfy both k-anonymity andour t-closeness variant, in order to find the combinationof SSdata and STdata generalization levels that maximizesLQoS . As in most related works, for efficiency reasonswe adopt a heuristic algorithm in order to group users inanonymity sets. In particular, as proposed in [15] we adopta strategy based on the Hilbert [16] space-filling curve. TheHilbert space-filling curve is a function that maps a point in amulti-dimensional space into an integer; with this technique,two points that are close in the multi-dimensional spaceare also close, with high probability, in the one-dimensionalspace obtained by the Hilbert transformation. As it can beevinced from its pseudo-code (reported in Algorithm 1), thecomplexity of HMID is O(L · |U |

2

k). Since the dominant

factor is U , an optimization consists in partitioning – basedon location – the whole set U of users into a number ofsmaller subsets, and in applying HMID independently toevery such set considering the set of requests originatingfrom it.

Algorithm: For each time granule TGi, based on thesets Ri of requests and Pi of potential issuers, the algorithmreturns a set of anonymized requests R′i.

At first (line 4), the algorithm orders users in Pi accordingto their index obtained from the application of the Hilbertspace filling curve on their current location. Then (lines 6to 12), for each level j of possible SSdata generalization,a growing set Aj of users is grouped according to theHilbert ordering until the minimum generalization levelof STdata (computed as the minimum bounding rectangleincluding every user in Aj) satisfying both k-anonymityand t-closeness is reached. The corresponding level QoSjof QoS is then computed.

If it does not exist an SSdata generalization level sat-isfying both k-anonymity and t-closeness (lines 13 to 15),requests are discarded and their potential issuers are removed

Figure 2. A snapshot of pedestrians’ and drivers’ positions

from Pi. Otherwise (lines 17 to 21), the generalization levelj of SSdata maximizing the QoS is chosen. The SSdata inrequests originating from anonymity set Aj are generalizedat level j, while STdata in the same requests are generalizedby the minimum bounding rectangle including the locationof every user in Aj . Original requests originating from Ajare removed from Ri, and the corresponding generalizedrequests are included in R′i. The algorithm continues untilno other request remains in Ri.

V. EXPERIMENTAL EVALUATION

In this section we experimentally evaluate our defensetechnique in terms of enforced level of privacy and achieveddata quality.

Experimental setup: Experiments were performed onsynthetic data obtained using the moving object generatordescribed in [17]. The simulation models a population of50,000 persons moving in the San Francisco area, from arandom starting point to a random destination, during a timeperiod of 200 minutes (each one corresponding to a singletime granule TGm). A snapshot showing the position of partof the users in a time granule is shown in Figure 2. Thedimension of the considered area is about 100km2, withan average density of 500 persons per km2. This densitywas the highest we could obtain with the used generator tomodel 200 time granules. Note that this density is lowerthan the real one in a urban area; when considering ahigher density, we expect the resulting generalized areasto be proportionally smaller than the ones obtained in ourexperiments. Persons are equally divided into pedestrians(that move at an average speed of 4 km/h) and people usingpublic transportation (average speed of 20 km/h), and updatetheir location at the LTS every one minute.

The population is further divided into a group of activeusers of the proximity marketing service (i.e., users issuing

Figure 3. k-anonymity: privacy leak

at least one anonymous query during the length of oursimulation; 20% of the whole population), and a groupof idle users. Each active user is randomly associatedwith one of the 12 possible SSdata contemplated in ourmotivating example; each request contains the SSdata ofits issuer. We have performed the experiments under 3different conditions: i) low frequency of requests (Freq.1:each active user has a probability ranging from 25% to0.016% of issuing a request at a given time granule), ii)medium frequency of requests (Freq.2: from 75% to 6%),and iii) high frequency of requests (Freq.3: from 100% to12.5%). In the following we compare HMID with differentdefense techniques from adversary’s posterior knowledgeacquired under context C̃ based on requests issued at timegranules T G = {TG1, . . . , TG200}. The goal of defensetechniques is to keep the Lp higher than 0.8 (i.e., at eachtime granule the adversary has less that 20% probability ofcorrectly identifying the SSdata of a user).

We measure by means of the parameter LQoS the level ofQoS deriving from the transformations of service requestsintroduced by the defense techniques. To estimate the QoSwe consider the information loss ILSS and ILST (havingvalues from 0 to 1) deriving from SSdata and STdatageneralization, respectively. Formally, LQoS = (1−ILSS) ·(1 − ILST ). In particular, in a first set of experimentswe measure ILSS adopting the information loss metricsintroduced in [18]; we measure ILST by a function linearlygrowing from 0 (perimeter of the generalized location is 0)to 1 (perimeter greater or equal to 6Km). We call this metricLQoS1 .

Defense based on k-anonymity: In the first set ofexperiments we evaluated the application of a standardk-anonymity technique to protect against attacks under C̃.In this experiment, we adopt the Hilbert ordering to arrangeusers in anonymity sets. We have performed the experimentswith different values of k. Results are shown in Figure 3 andTable I, and show that this technique is not well-suited to

k 20 40 80 160 320 640Area (Km2 ) 0.03 0.08 0.19 0.44 0.97 2.05

Perimeter (m) 620 1001 1579 2439 3694 5456

Table Ik-ANONYMITY: LOCATION GENERALIZATION

Figure 4. Comparison based on QoS (LQoS1 )

Freq.1 Perimeter (Km) Area (Km2) % non-gen. % gen.1-lev. % gen.2-lev.k-an. 5,48 2,06 100% 0% 0%

t-cl. 5,26 2,00 100% 0% 0%HMID 3,57 1,09 39% 38% 23%

Freq.2 Perimeter (Km) Area (Km2) % non-gen. % gen.1-lev. % gen.2-lev.k-an. 5,72 2,23 100% 0% 0%

t-cl. 5,35 2,10 100% 0% 0%HMID 2,96 0,86 32% 26% 42%

Freq.3 Perimeter (Km) Area (Km2) % non-gen. % gen.1-lev. % gen.2-lev.k-an. 6,16 2,57 100% 0% 0%

t-cl. 5,55 2,24 100% 0% 0%HMID 2,30 0,58 18% 24% 58%

Comparison in terms of: request frequency; perimeter and area ofgeneralized location; % of requests with generalized SSdata.

Table IIGENERALIZATION (HMID WITH LQoS1 ).

the considered attack (Definition 3). Indeed, the minimum krequired to keep the privacy leak below 0.2 (k=640) leads togeneralized areas too wide to guarantee a satisfactory qualityof service (2.2 km2, with an average perimeter of 5.7 km; seealso Figure 4). The privacy leak grows considerably whenusing smaller levels of k. For instance, in order to keepthe average generalized location area below 1 km2 a valueof k ≤ 320 must be chosen; this value corresponds to aprivacy leak greater than 0.3.

Defense based on k-anonymity and t-closeness: Thistechnique is similar to HMID, with the only difference thatobfuscation of SSdata is not allowed. In these experimentsthe level of t sufficient to guarantee the required privacy level(Lp ≥ 0.8) is empirically estimated, and a minimum level ofanonymity k = 20 is chosen. Experimental results (Figure 4,label t-closeness) show that, given the same privacy level,this technique slightly outperforms the baseline k-anonymitytechnique in terms of LQoS1 .

Figure 5. Comparison based on QoS (LQoS2 )

HMID technique: In the last set of experiments weevaluated the HMID technique. We empirically chose thelevels of t-closeness for three levels of SSdata obfuscation:non-generalized SSdata, generalized one level (from 12to 6 SSdata), and generalized two levels (from 12 to 3SSdata). The chosen t-closeness levels were sufficient toguarantee Lp > 0.8. Experimental results (Figure 4) showthat HMID outperforms the other ones in terms of QoS whileenforcing the same level of privacy Lp. A deeper analysisof the results is shown in Table II. In particular, HMIDleads to smaller average perimeters and areas with respectto the other techniques. The percentage of requests withgeneralized SSdata depends on the frequency of requests.

In order to evaluate the robustness of HMID with respectto different QoS metrics we performed a further set ofexperiments using different functions for ILSS and ILST .In particular, in this set of experiments we assigned aproportionally growing information loss to growing levelsof SSdata generalization. Hence, ILSS is 0 if the serviceparameter is not generalized; ILSS is 13 if it is generalizedone level; it is 23 if it is generalized two levels. With regardto ILST , we set no information loss if the perimeter ofthe generalized location is less than 2Km; information lossgrows logarithmically from 0 to 1 until the perimeter is upto 6Km; it is 1 for perimeters larger than 6Km. We call thecombination of these metrics LQoS2 . Experimental resultsare reported in Figure 5 and Table III, and show that HMIDis robust with respect to different QoS metrics (possibly de-termined by the specific requirements of different services).

VI. CONCLUSION AND FUTURE WORKIn this paper we addressed privacy issues for recurrent

location-based queries. We showed that if an adversary mayobserve multiple concurrent requests, and similar requestsare issued several times by the same issuers, the distri-bution of different service parameters in the requests can

Freq.1 Perimeter (Km) Area (Km2 ) % non-gen. % gen.1-lev. % gen.2-lev.k-an. 5,25 1,90 100% 0% 0%

t-cl. 5,28 2,02 100% 0% 0%HMID 3,88 1,18 48% 36% 16%

Freq.2 Perimeter (Km) Area (Km2 ) % non-gen. % gen.1-lev. % gen.2-lev.k-an. 5,72 2,23 100% 0% 0%

t-cl. 5,33 2,07 100% 0% 0%HMID 3,03 0,86 34% 24% 42%

Freq.3 Perimeter (Km) Area (Km2 ) % non-gen. % gen.1-lev. % gen.2-lev.k-an. 6,16 2,57 100% 0% 0%

t-cl. 5,63 2,30 100% 0% 0%HMID 2,71 0,74 25% 27% 47%

Table IIIGENERALIZATION (HMID WITH LQoS2 ).

significantly affect the level of privacy obtained by currentanonymity-based techniques. We formalized this kind ofprivacy threats, we proposed a defense technique based on acombination of anonymity and obfuscation, and we showedthat this technique outperforms ones based on k-anonymityand on a variant of t-closeness in terms of quality of servicewhile enforcing the required privacy level.

Future research directions include the extension of our for-mal model and defense techniques to other possible contextassumptions; in particular, the ability of an adversary to havespecific prior knowledge about the association among classesof users and sensitive request parameters. On the other side,the worst case assumption of the adversary having accessto complete location information may be relaxed to morerealistic cases.

ACKNOWLEDGMENTS

This work has been partially supported by the ItalianMinistry of University and Research under grant PRIN-2007F9437X (project ANONIMO), and by the NationalScience Foundation (NSF) under grant N. CNS-0716567.

REFERENCES

[1] M. Gruteser and D. Grunwald, “Anonymous usage oflocation-based services through spatial and temporal cloak-ing.” in Proc. of the 1st International Conference on MobileSystems, Applications and Services. The USENIX Associa-tion, 2003.

[2] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias,“Preventing location-based identity inference in anonymousspatial queries,” IEEE Transactions on Knowledge and DataEngineering, vol. 19, no. 12, pp. 1719–1733, 2007.

[3] B. Gedik and L. Liu, “Protecting location privacy with per-sonalized k-anonymity: Architecture and algorithms,” IEEETransactions on Mobile Computing, vol. 7, no. 1, pp. 1–18,2008.

[4] M. L. Yiu, C. S. Jensen, X. Huang, and H. Lu, “SpaceTwist:Managing the Trade-Offs Among Location Privacy, QueryPerformance, and Query Accuracy in Mobile Services,” inProceedings of the 24th International Conference on DataEngineering (ICDE ’08), 2008, pp. 366–375.

[5] D. Riboni, L. Pareschi, and C. Bettini, “Shadow attackson users’ anonymity in pervasive computing environments,”Pervasive and Mobile Computing, vol. 4, no. 6, pp. 819–835,2008.

[6] A. R. Beresford and F. Stajano, “Location privacy in pervasivecomputing,” IEEE Pervasive Computing, vol. 2, no. 1, pp. 46–55, 2003.

[7] C. Bettini, X. S. Wang, and S. Jajodia, “Protecting privacyagainst location-based personal identification.” in Proc. ofthe 2nd workshop on Secure Data Management (SDM), ser.LNCS, vol. 3674. Springer, 2005, pp. 185–199.

[8] T. Xu and Y. Cai, “Location anonymity in continuouslocation-based services,” in Proc. of ACM International Sym-posium on Advances in Geographic Information Systems.ACM Press, 2007.

[9] S. Mascetti, C. Bettini, X. S. Wang, D. Freni, and S. Jajodia,“ProvidentHider: an Algorithm to Preserve Historical k-Anonymity in LBS,” in Proceedings of the 10th InternationalConference on Mobile Data Management (MDM ’09). IEEEComputer Society, 2009.

[10] C. Bettini, S. Jajodia, and L. Pareschi, “ Anonymity andDiversity in LBS: a Preliminary Investigation,” in Proc. of the5th Int. Conf. on Pervasive Computing and Communication(PerCom). IEEE Computer Society, 2007.

[11] F. Liu and K. Hua, “Query l-diversity in location-basedservices,” in To appear in the Proc. of the First InternationalWorkshop on Mobile Urban Sensing (MobiUS). IEEEComputer Society, 2009.

[12] A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkita-subramaniam, “l-Diversity: Privacy Beyond k-Anonymity,” inProceedings of ICDE 2006. IEEE Computer Society, 2006.

[13] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L.Tan, “Private queries in location based services: Anonymizersare not necessary,” in Proc. of SIGMOD. ACM Press, 2008.

[14] N. Li, T. Li, and S. Venkatasubramanian, “t-closeness: Privacybeyond k-anonymity and l-diversity.” in ICDE. IEEE, 2007,pp. 106–115.

[15] G. Ghinita, P. Kalnis, and S. Skiadopoulos, “PRIVE: anony-mous location-based queries in distributed mobile systems,”in Proceedings of the 16th International Conference on WorldWide Web. ACM, 2007, pp. 371–380.

[16] A. R. Butz, “Alternative Algorithm for Hilbert’s Space-FillingCurve,” IEEE Trans. Comput., vol. 20, no. 4, pp. 424–426,1971.

[17] T. Brinkhoff, “A Framework for Generating Network-BasedMoving Objects,” GeoInformatica, vol. 6, no. 2, pp. 153–180,2002.

[18] X. Xiao and Y. Tao, “Personalized privacy preservation,”in SIGMOD ’06: Proceedings of the 2006 ACM SIGMODinternational conference on Management of data. New York,NY, USA: ACM Press, 2006, pp. 229–240.