Trajectory and Policy Aware Sender Anonymity in Location Based Services

TL;DR

This paper introduces a novel privacy guarantee called TP-aware sender k-anonymity for location-based services, addressing trajectory-aware and policy-aware attackers, and provides an efficient approximation algorithm for large logs.

Contribution

It defines the first privacy model against TP-aware attackers and develops a scalable approximation algorithm for optimal anonymization.

Findings

TP-aware anonymization is NP-complete, unlike trajectory-unaware variants.

A PTIME l-approximation algorithm is proposed for trajectories of length l.

The algorithm scales to logs with up to 2 million users.

Abstract

We consider Location-based Service (LBS) settings, where a LBS provider logs the requests sent by mobile device users over a period of time and later wants to publish/share these logs. Log sharing can be extremely valuable for advertising, data mining research and network management, but it poses a serious threat to the privacy of LBS users. Sender anonymity solutions prevent a malicious attacker from inferring the interests of LBS users by associating them with their service requests after gaining access to the anonymized logs. With the fast-increasing adoption of smartphones and the concern that historic user trajectories are becoming more accessible, it becomes necessary for any sender anonymity solution to protect against attackers that are trajectory-aware (i.e. have access to historic user trajectories) as well as policy-aware (i.e they know the log anonymization policy). We call such attackers TP-aware. This paper introduces a first privacy guarantee against TP-aware attackers, called TP-aware sender k-anonymity. It turns out that there are many possible TP-aware anonymizations for the same LBS log, each with a different utility to the consumer of the anonymized log. The problem of finding the optimal TP-aware anonymization is investigated. We show that trajectory-awareness renders the problem computationally harder than the trajectory-unaware variants found in the literature (NP-complete in the size of the log, versus PTIME). We describe a PTIME l-approximation algorithm for trajectories of length l and empirically show that it scales to large LBS logs (up to 2 million users).