A distributed privacy-preserving scheme for location-based queries

Abstract

In this paper we deal with security and historical privacy in Location Based Service (LBS) applications where users submit accurate location samples to an LBS provider. Specifically we propose a distributed scheme that establishes access control while protecting the privacy of a user in both sporadic and continuous LBS queries. Our solution employs a hybrid network architecture where LBS users: (a) are able to communicate with an LBS provider through a network (e.g., cellular) operator, and (b) they are also able to create wireless ad-hoc networks with other peers in order to obtain privacy against an adversary that performs traffic analysis. Our threat model considers the network operator, the LBS provider and other peers, as potential privacy adversaries. For historical privacy we adopt the generic approach of using multiple pseudonyms that are changed frequently. In order to establish untraceability against traffic analysis attacks, a message is not sent directly to the cellular operator, but it is distributed among mobile neighbors who act like mixes and re-encrypt a message before sending it to the LBS provider via the cellular operator. As an extension, we also discuss how to aggregate independent data from different mobile peers before sending them to the LBS provider. This approach may be suitable in applications where aggregate location data are useful (e.g., traffic monitoring and control)