A User-Centric Analysis of Location Privacy - FreiDok - Albert ...

freidok.uni.freiburg.de

Sharing Location Information with Trusted Peers

A User-Centric Analysis of Location Privacy

Klaus Rechert

Chair of Communication Systems (Lehrstuhl für Kommunikationssysteme)

Institute of Computer Science

Dissertation submitted for the doctoral degree of the Faculty of Engineering of the Albert-Ludwigs-Universität Freiburg im Breisgau

May 2013


Dissertation submitted for the doctoral degree of the Faculty of Engineering of the Albert-Ludwigs-Universität Freiburg im Breisgau.

Dean: Prof. Dr. Yiannos Manoli

Submitted by: Klaus Rechert

Chair of Communication Systems

Institute of Computer Science

Herrmann-Herder-Str. 10

79104 Freiburg i.Br.

klaus.rechert@rz.uni-freiburg.de

First reviewer: Prof. Dr. Gerhard Schneider

Second reviewer: Prof. Dr. Dr. h.c. Günter Müller

Date of oral examination: 19 Nov. 2013


Acknowledgments

My special thanks go to Prof. Dr. Gerhard Schneider for accepting me as a doctoral student at the chair and for the trust placed in me that came with it. I very much enjoyed my time as a doctoral student at the chair and am extremely grateful both for the continuous scientific support and for the freedom in shaping my work, as well as for the entire institutional framework that made such an undertaking possible in the first place.

My thanks likewise go to the whole research group at the chair, which contributed to the success of this work chiefly through critical discussions and motivation as well as through an extremely pleasant working atmosphere. In particular I thank Dirk von Suchodoletz, Konrad Meier, Dennis Wehrle and Richard Zahoransky, who could be enthused again and again for new experiments and projects which, for me alone, would have been hopeless for reasons of time alone. The same holds for the numerous students who actively supported me in collecting data and in various practical implementations.

I would like to thank Prof. Isao Echizen and Sven Wohlgemuth most warmly for the wonderful time in Tokyo, for the critical questions and discussions, and for the scientific support I was able to experience there.

Finally, I would like to thank Sandra Zipfel for her patience during the preparation of this work and for the considerable time she spent proofreading this thesis. My thanks also go to my family and friends, who always supported and encouraged me during the long time it took to complete.


Abstract

Ubiquitous and affordable mobile communication along with a new generation of smart mobile devices has given rise to a large variety of location-based applications. Location information has therefore become very useful, but also a valuable tradable good. The exploitation of mobile location information, in particular an individual’s real-time context information, also poses new challenges to the user’s privacy. This thesis investigates the effects of location disclosure on an individual’s privacy from a user’s perspective for today’s mobile communication scenarios.

Based on the analysis of mobile communication scenarios, potential observers, their (trust-)relationship with the user and the nature of location disclosure are characterized. Location data is either explicitly and consciously disclosed by users or generated and collected due to technical requirements, for instance by using mobile communication infrastructure (GSM, 3G, WiFi, etc.). Semi-trusted communication peers are involved in both cases since, in our scenarios, communication is voluntary and the identities of all peers are known to some extent. Furthermore, a single location disclosure action usually involves several distinct observers. Even though location information is shared with partially trusted peers, the resulting privacy risks are still considerable. Through observing and evaluating a user’s movement, his or her preferences and other possibly sensitive information become visible which were not intended to be shared (exposure). Location data is collected and stored for different reasons (e.g. security, regulation or law enforcement), which poses a risk of data abuse (e.g. theft, data breach), or data is passed on to (untrusted) third parties in an aggregated or anonymized way. However, the methodology and quality of the privacy enhancing technologies applied are unknown to the user, and thus the user bears an unforeseeable risk of re-identification.

To further investigate the impact of location disclosures on an individual’s location privacy, a different adversary model is required. This thesis proposes a user-centric observer model which takes into account semi-trusted peers, especially social contacts. Based on the resulting ubiquitous observer model, a user-centric privacy model can be derived. A user-centric model should enable users to evaluate the privacy impact of location data autonomously and thereby enable them to make informed decisions, e.g. to choose the right privacy protection mechanism. We use the ubiquitous observer model and the proposed user-centric privacy model to analyze location privacy in the context of the identified communication scenarios. For these, we propose requirements, tools and methods to protect the user’s privacy when sharing location information with partially trusted peers.


Summary (Zusammenfassung)

The broad availability of inexpensive mobile communication and the simultaneous technical advancement of mobile devices, the so-called smartphones, laid the foundation for a variety of novel location-based services. The location data required for these has thereby become not only a very useful but also a valuable, marketable datum. The commercial use of location data, and with it the processing of context-related information in real time, however also poses new challenges to the user’s privacy. Starting from currently typical mobile communication scenarios, this thesis investigates the associated effects on the privacy of the individual.

In the scenarios examined, location information is either passed on explicitly and consciously by the user, e.g. when using a specific service, or generated and collected due to technical requirements, e.g. through the use of mobile networks (GSM, 3G, WiFi, etc.). In both cases the participating communication partners know and trust each other to a certain degree, since the communication usually takes place voluntarily and the identities of all communication partners are at least not entirely unknown. In addition, several different observers are usually involved in a typical mobile communication process. Although location information is shared by mutual consent, the resulting risks to the privacy of the individual are nevertheless considerable. By observing and evaluating individual movement patterns, habits and other possibly sensitive circumstances of life become visible which should not have become known. Long-term storage of data always carries a risk of misuse. Collected data is also passed on (anonymized) to unknown third parties. Neither the methodology nor the quality of the anonymization is known to the person concerned, so that, for example, a latent risk of identifying the user remains.

For further investigations of location information and its effect on privacy, a new adversary model needs to be developed which explicitly includes known communication partners, and in particular also social contacts, as possible observers of movement data. Starting from such an observer model, a user-centric model for assessing privacy in a mobile communication context can be derived. It should enable the user to evaluate the effects of disclosing his or her data autonomously and thus to obtain a sound basis for further steps to protect his or her privacy. On the basis of the models developed, individual scenarios are examined in more detail, and means and methods for better protection of location privacy are proposed for them.


Contents

1 Introduction 1
2 Location Privacy 7
  2.1 Abstract Definitions of Location Privacy 8
  2.2 Location Data and Location Context 10
  2.3 Mobile Communication Scenarios 11
    2.3.1 Communication with Mobile Infrastructure 13
    2.3.2 Communication with Service Providers 15
    2.3.3 Communication with Trusted Social Peers 17
  2.4 Classification of Location Disclosure 19
  2.5 Privacy Risks 20
    2.5.1 Long-term Observation and Data Retention 21
    2.5.2 Unstable Trust Relations 23
  2.6 Summary 24
3 Overview on Location Privacy Protection 25
  3.1 Privacy Protection Methods 25
    3.1.1 Regulation by Law 25
    3.1.2 Privacy Policies 27
    3.1.3 Anonymity and Pseudonymity 29
    3.1.4 Obfuscation 34
  3.2 Summary 36
4 User-Centric Location Privacy Model 39
  4.1 Location Privacy Models & Metrics 40
  4.2 Modeling an Ubiquitous Observer 42
    4.2.1 Inaccuracy, Errors and Observation Correctness 45
  4.3 User-Centric Location Privacy Model 47
    4.3.1 Quantification of an Observer’s Information(-Gain) 48
    4.3.2 Knowledge 50
    4.3.3 Sensitivity 55
    4.3.4 Interpersonal Relationship & Trust 60
  4.4 Discussion 61
    4.4.1 Relation to Anonymity Metrics 62
    4.4.2 Relation to Obfuscation and Uncertainty Metrics 62
    4.4.3 Relation to Probabilistic Metrics 63
    4.4.4 Limitations 64
  4.5 Summary 65
5 Location Privacy Using Mobile Communication Infrastructure 67
  5.1 Related Work 69
  5.2 Locating Mobile Phones 71
  5.3 Privacy Analysis 74
  5.4 Case Study – GSM Network 76
    5.4.1 Observation Accuracy in Cellular Networks 76
    5.4.2 Data Analysis 77
  5.5 User-Centric Privacy Improvements 79
    5.5.1 Active Location Determination 79
    5.5.2 Passive Location Determination 80
  5.6 Evaluation of User-Centric Privacy Improvements 82
    5.6.1 Mobile Network 82
    5.6.2 Mobile Station 83
    5.6.3 Testbed Serving Mobile Location Center 83
    5.6.4 Experimental Results 86
  5.7 Discussion 86
  5.8 Summary 88
6 Location Privacy Using Location-based Services 89
  6.1 Privacy Analysis 90
  6.2 Case Study – Mobile Tourist Information System 94
  6.3 Requirements Analysis 95
    6.3.1 Technical Platform 96
    6.3.2 Content Development and Maintenance 99
    6.3.3 Requirements and Architecture 100
  6.4 Implementation 102
    6.4.1 Platform Abstraction 102
    6.4.2 Scripting Engine 104
    6.4.3 Content Organization and Storage 105
    6.4.4 Rendering and Multimedia 106
    6.4.5 Using Map- and Position Data 106
  6.5 Summary 108
7 Privacy-aware Location Sharing 111
  7.1 Related Work 113
  7.2 Requirements 114
  7.3 Spontaneous, Privacy-aware Location Sharing 114
    7.3.1 Access Control Using Group Cryptography 115
    7.3.2 Implementation Example 118
  7.4 Summary 120
8 Location Sharing with Socially Connected Peers 121
  8.1 Identification of Possible Places 121
  8.2 Identification of Plausible Locations 123
  8.3 Measuring Location Sensitivity 126
  8.4 Evaluation 127
  8.5 Summary 130
9 Conclusion 131
10 References 137
Appendix 152
A Implementation Details 153
  A.1 MobIS Framework 153
    A.1.1 Feldberg Ranger (2007 – 2008) 159
    A.1.2 NABU Biosphäre (2009 – 2010) 160
  A.2 GSM Air-Interface Logging Device 161
  A.3 Sensitivity Evaluation Scenarios 168


CHAPTER 1

Introduction

The amazing popularity of social networks and the technical progress of information technology (IT) systems have recently led to the concept of a post-privacy society. In a post-privacy age, one should accept that the traditional sense of privacy might indeed become an outdated concept no longer suitable for modern-day social interaction. Currently, over 900 million social network service users voluntarily disclose large amounts of private and sensitive data to so-called virtual friends. In doing so, they also bestow this information on the service provider and possibly other third parties. Likewise, information technology and communication systems are now an integrated part of our daily life. To participate in an IT-dominated world, it seems perfectly natural that (crucial) services, but also security and safety, rely on the individuals’ data and their willingness to contribute. With this in mind, the post-privacy society hypothesis seems to be accurate, at least in part.

One quite important observation is that with the steady development of information and communication systems of the past centuries, a binary assessment of privacy(-protection) became impossible. This means that in order to participate in many of today’s activities, one has to disclose a certain amount of personal data. Privacy, especially from a user’s perspective, and an assessment thereof have evolved into a purely probabilistic task. A second important observation is that personal information has become a tradable good, i.e. users provide personal information in exchange for (free) services. The revenue generated out of such data is used to finance the (free) service. However, under certain circumstances (e.g. a data breach), disclosed personal data may cause harm to the user. Hence, the user should ask himself or herself whether the shared personal data is worth the service he or she receives.


New Ubiquity – New Privacy Challenges

The introduction and widespread adoption of mobile computing and mobile communication led to new privacy challenges. Until now, privacy-sensitive places and activities have usually been obvious to individuals. By law, people are notified of the presence of surveillance cameras. People are able to choose where to shop, how to pay, or whether and when they use certain IT systems and services. Therefore, people should usually be intuitively aware of when and with whom they share personal data, as well as what data they are sharing. Smartphones first merged many IT activities into a single and very personal mobile device. The mobility and ubiquitous infrastructure required to support the services smartphones provide introduced a new privacy issue: location privacy. When using location-aware services, location data is usually disclosed to multiple observers. For instance, a friend-finder application shares location information with the intended recipient (friend) as well as with the service provider and the mobile communication infrastructure. Recently developed mobile communication technology introduced a new type of hidden location disclosure. In order to maintain the network connection (i.e. to be able to receive incoming calls and messages), the subscriber’s location is known to the backing infrastructure. This is a common technical requirement of mobile communication systems. However, users are unaware of when and what information is transferred to the mobile communication service provider. All these observers on different layers may reuse collected location information and movement profiles for other services. Live traffic data or location information can be used for revenue-creating activities such as advertisement or consumer research. It is required by law or contract that data passed on to untrusted and unknown third parties has to be made anonymous somehow, but the owners of the personal data are generally not aware of how their privacy is ensured, i.e. which kind of privacy-enhancing technology is applied. Consequently, a probability of de-anonymization and the associated privacy risks remain.

This thesis focuses on location data and location privacy. Location data resulting from personal communication tools is quite interesting to study since its format and inner structure are simple and easy to understand. In contrast to more complex data structures (e.g. health records, x-ray images, financial information), provenance data or other similar protective measures are difficult to apply to it. For instance, audio, video or still images can be protected by embedding invisible watermarks to trace disclosure paths. With such a small datum, these measures are difficult or impossible to apply since simple attributes of this datum can be easily extracted and copied (the datum usually consists of two floating point numbers plus observation time). However, even simple data structures such as geo-coordinates are able to transport a significant amount of private information. Therefore, it is difficult for an individual to judge the content and its value as well as the sensitivity of a single location datum. In order to protect the user’s interests, he or she should be able to make informed choices. Due to the datum’s uniform and consistent structure, it seems an ideal candidate for computational privacy quantification and qualification, allowing users to evaluate the trade-off between the benefit of sharing location information versus the risk of negative consequences due to privacy loss.

User-Centric Privacy

This thesis takes a user-centric approach when developing and evaluating privacy-enhancing methods. A huge amount of work has already been dedicated to protecting a user from unknown and hostile adversaries. Location privacy, especially regarding an individual’s identity protection, has been the subject of much research. However, recent developments have introduced the concept of "virtual friends" and other partially trusted entities. People usually know their communication peers and maintain either a commercial/contractual or a social relationship with them. As a result, anonymity is no longer an appropriate privacy measure when communicating with partly trusted peers.

Location obfuscation techniques (i.e. deliberately decreasing the accuracy of location information) were proposed as a privacy-enhancing method (e.g. by Duckham and Kulik (2005); Gruteser and Grunwald (2003)). In the communication scenarios under research in this thesis, location obfuscation might not always be applicable or provide the desired privacy protection. This is due to two reasons: first, the user may not be able to control the location determination process, i.e. the user’s location is determined by the surrounding mobile communication infrastructure without user interference; second, location obfuscation might be possible, but the location can still be inferred from other background knowledge (i.e. good knowledge of map and landscape features) that is gained through communication with social contacts.
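The two points made above, that a location datum is just two floating point numbers plus an observation time, and that obfuscation can be partly undone by an observer who knows the map and the user's habits, can be made concrete with a small worked example. The following Python code is an added illustration and is not part of the thesis or its implementation: it snaps a datum to a coarse grid cell (a simple obfuscation) and then counts which places remain plausible for a recipient who knows a map of nearby places and their opening hours. The place names, coordinates, opening hours, the grid size and the "bits of residual uncertainty" metric are all constructed assumptions for this example, not the thesis' own model or data.

```python
"""Added example: grid-based location obfuscation and the residual
inference available to an observer with map and time background knowledge."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LocationDatum:
    """One location datum as described in the text: two floating point
    coordinates plus the observation time (UNIX seconds, UTC)."""
    lat: float
    lon: float
    timestamp: float


@dataclass(frozen=True)
class Place:
    """Background knowledge an observer may hold: a named place with
    opening hours [open_h, close_h) in UTC. All values are constructed."""
    name: str
    lat: float
    lon: float
    open_h: int
    close_h: int


# Constructed sample map (assumption): five places a few hundred metres apart.
PLACES = (
    Place("home", 47.9960, 7.8520, 0, 24),
    Place("bakery", 47.9975, 7.8505, 6, 18),
    Place("clinic", 47.9990, 7.8550, 8, 17),
    Place("office", 48.0005, 7.8620, 7, 19),
    Place("bar", 47.9940, 7.8490, 18, 24),
)


def grid_cell(lat, lon, cell_deg):
    """Map a coordinate to integer grid indices. Comparing indices instead of
    floating point cell borders avoids rounding artefacts at the edges."""
    return math.floor(lat / cell_deg), math.floor(lon / cell_deg)


def obfuscate(datum, cell_deg):
    """Grid-based obfuscation: the exact coordinate is replaced by the cell
    containing it. The recipient learns only (cell indices, cell size, time)."""
    return grid_cell(datum.lat, datum.lon, cell_deg), cell_deg, datum.timestamp


def plausible_places(obfuscated, places=PLACES, use_time=True):
    """Places an observer can still consider plausible for an obfuscated datum:
    those inside the disclosed cell and, if use_time is set, those open at the
    observation hour. Returns place names in map order."""
    cell, cell_deg, ts = obfuscated
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
    candidates = []
    for p in places:
        if grid_cell(p.lat, p.lon, cell_deg) != cell:
            continue
        if use_time and not (p.open_h <= hour < p.close_h):
            continue
        candidates.append(p.name)
    return candidates


def residual_uncertainty_bits(candidates):
    """Illustrative metric (an assumption, not the thesis' model): bits of
    uncertainty left if every remaining candidate is equally likely."""
    return math.log2(len(candidates)) if candidates else 0.0


def demo(hour):
    """Obfuscate a constructed datum (the user is at the bakery) observed at
    the given UTC hour and return the candidate sets an observer obtains with
    map knowledge only and with map plus time knowledge."""
    ts = datetime(2013, 5, 15, hour, 0, tzinfo=timezone.utc).timestamp()
    datum = LocationDatum(47.9976, 7.8507, ts)     # constructed sample
    ob = obfuscate(datum, 0.01)                     # ~1.1 km grid cells
    by_map = plausible_places(ob, use_time=False)
    by_map_and_time = plausible_places(ob, use_time=True)
    return by_map, by_map_and_time


if __name__ == "__main__":
    for h in (10, 22):
        by_map, by_map_and_time = demo(h)
        print(f"{h:02d}:00 UTC  map only: {by_map}  map+time: {by_map_and_time}  "
              f"residual bits: {residual_uncertainty_bits(by_map_and_time):.2f}")
```

At 10:00 the 1 km cell still leaves three candidates (home, bakery, clinic), but at 22:00 the same cell combined with knowledge of opening hours leaves only the home: the obfuscation has not changed, yet the observer's background knowledge has reduced the residual uncertainty to zero bits. A user-centric privacy estimate therefore has to account for what the recipient already knows, not only for the precision of the disclosed coordinate.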

Location information further contributes to new commercial opportunities, creating new services and commercial enterprises that are based on data of the masses. For instance, a data broker may offer anonymized or aggregated movement data to a local bakery, uncovering the fact that neighborhood residents choose to buy their bread at a baker in another area. Similarly, a city’s tourist office may have access to data disclosing the visitors’ country or hometown. In both cases, such information is valuable and supports the improvement of products or marketing activities. While gathering such information without leveraging mobile technology would be time-consuming and costly, previously only affordable for larger institutions or companies, mobile technology now makes such information potentially lucrative for small businesses as well.

Ubiquitously available location information is also able to contribute to individual and societal safety and security. For instance, mobile telephony can help locate mobile phone subscribers in case of an emergency. This technology may also turn out to be a valuable search and rescue (SAR) tool. Buried victims (or at least their phones) can be located (L. Chen, Loschonsky, & Reindl, 2010), or relief supplies can be directed to displaced people after a natural disaster (Bengtsson, Lu, Thorson, Garfield, & von Schreeb, 2011). Furthermore, location information gathered through mobile telephony networks is now a standard tool for criminal prosecution, used to fight terror and organized crime.

In a nutshell, mobile communication technology is both boon and bane. Mobile communication provides great utility for each subscriber as well as for society, while offering new opportunities for business and science. However, this technology poses new challenges to the user’s privacy. Furthermore, since communication is usually directed to known and partially trusted peers, anonymity or "hiding within the masses" is not a realistic option. Therefore, a holistic, user-centric view on location privacy is required which includes several types of observers distinguished by their background knowledge and mutual trust relation. In order to encourage the development and usage of useful mobile and location-aware applications and to encourage users to contribute their location data in certain situations, a dedicated and user-centric location privacy model must be developed. This may also help users make informed decisions on the disclosure of private information, e.g. choosing the right privacy protection method and/or monitoring and managing privacy risks.

Thesis’ Goals and Contributions †

The goals of this thesis are both the study of user-centric privacy and the development of protective measures, using the example of location information.

As a first step, today’s communication scenarios are analyzed (Chapter 2) and a ubiquitous observer model is developed (Chapter 4). Based on this observer model, the potential impact of disclosing location information regarding a specific observer is modeled (Rechert, 2010b; Rechert, Wohlgemuth, Echizen, & Sonehara, 2011).

A major problem of location privacy from a user’s perspective is hidden location disclosures coupled with the general requirement to generate and disclose location information when using mobile communication networks. In order to support a user in understanding the privacy loss attributed to location disclosure in such communication relations, a formal model to assess location privacy in mobile telephony networks is proposed in Chapter 5 (Rechert, Meier, Greschbach, Wehrle, & von Suchodoletz, 2011; Rechert et al., 2013). Based on these findings, user-imposed countermeasures are proposed and evaluated in a testbed dedicated to mobile telephony (Meier, Wehrle, Rechert, & von Suchodoletz, 2011). Finally, the effects of the proposed countermeasures are discussed in the context of safety and security (Rechert, Meier, Wehrle, & von Suchodoletz, 2011), as well as in a legal context (Rechert, Zahoransky, Meier, Wehrle, & von Suchodoletz, 2012).

As a further result from the analysis of today’s communication scenarios, structural and architectural issues of today’s mobile landscape are discussed (Andrienko et al., 2013). Based on this, Chapter 6 presents a user-centric architecture and implementation of a mobile information platform (Rechert, 2010a, 2009). In Chapter 7, user-centric measures in interaction with trusted groups for location sharing are proposed (Welke & Rechert, 2009).

Finally, location privacy in a communication relation to trusted peers is analyzed in Chapter 8. Since anonymity is not an available option, the potential information content of a specific location disclosure needs to be taken into account (Rechert & Greschbach, 2012), especially the sensitivity of location observation (Rechert, 2013).

† Parts of this thesis are based on previously published scientific articles which have been revised and improved to form a comprehensive narration. Contributions from other authors are marked in the respective chapters.

CHAPTER 2

Location Privacy

While the concept of privacy has a long history (see Langheinrich (2001) for a general overview of the history of privacy), one influential article on privacy by Warren and Brandeis (1890) was motivated by an emerging new technology:

"Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life [...]" (Warren & Brandeis, 1890).

The authors recognized that this new technology made people publicly observable. Not only immediate eyewitnesses, but a larger public audience was thereafter able to observe one’s actions, and moreover, the technology was able to preserve such observations for an almost infinite amount of time. Warren and Brandeis (1890) established the modern privacy discussion driven by the development of new technologies with the formative quote on privacy "as right to be let alone."

The second influential technology with significant impact on privacy laws and regulation as well as on the public perception of privacy was the rise of telephony networks and communication technology. Similar to photography and film, this technology enabled third parties to invade an individual’s privacy, e.g. by wiretapping a conversation, without being physically present and without being noticed. Hence, the subjects of such surveillance are usually not aware of being watched or listened to. Wicker (2011) provides an in-depth discussion of the history of U.S. law on privacy in the context of telephony networks.

The invention of computerized information systems and the networked communication between these systems allowed for the concentration and accumulation of data in an unprecedented manner, thus giving rise to the notion of "information privacy." One result of this technological process is today’s most relevant privacy legislation: the U.S. Privacy Act of 1974 and the E.U. Directive 95/46/EC of 1995.

2.1 Abstract Definitions of Location Privacy

In a similar fashion, nowadays a new technology has the potential to challenge or endanger an individual’s privacy. Mobile computing and communication have introduced a new aspect of private information and the necessity of protecting it. The widespread availability of mobile devices equipped with several sensors suitable for all kinds of position determination and their immediate mobile usage resulted in the idea of location privacy. Since location privacy shares certain characteristics with the aforementioned information privacy problem, location privacy can be considered a specialized subset of information privacy.

Providing a proper definition of location privacy has proven to be a difficult task. Many definitions have been published, all emphasizing different specific aspects. For instance, Beresford and Stajano (2003) defined location privacy as

"[...] the ability to prevent other parties from learning one’s current or past location." 1 (Beresford & Stajano, 2003)

This definition highlights two different features of location privacy: First, individuals should be able to control or prevent access to and disclosure of their location information. Thus, users should be able to decide whether they want to share their location information with others or implement measures to prevent other parties from detecting their location information. Second, Beresford’s and Stajano’s definition also emphasizes the distinction between an individual’s current location and location history. While an individual’s current location information might be used to locate or track him or her, a location history is able to reveal personal preferences, social contacts and other personal information.

However, Beresford’s and Stajano’s definition of location privacy has its limitations. Their definition focuses on controlling the communication of location information "to other parties", which they do not define. For instance, when in direct communication with known communication peers, the location information that is passed on might be based on personal trust. The notion of "location" also remains undefined. Location information may range from a precise geographic coordinate to an imprecise and/or abstract location description such as "I’m in Paris" or "I’m close to the Eiffel Tower." This means the information content varies, and thus its impact on a user’s privacy.

1 Emphasis added.

A similar problem statement was published by Schilit, Hong, and Gruteser

(2003) as:

"[...] the challenge with wireless location privacy is making it easy to

share the right information with the right people or service at the right time

and, conversely, being able to opt out at will." 2 (Schilit et al., 2003)

This statement recognizes that releasing location information has a different

impact depending on recipient and time, but emphasizes user control.

A similar definition, first given by Westin (Westin, 1967) and modified to incorporate location information by Duckham and Kulik (2006), describes location privacy as

"[...] a special type of information privacy which concerns the claim of individuals to determine for themselves when, how, and to what extent location information about them is communicated to others." [2] (Duckham & Kulik, 2006)

This definition also emphasizes the aspect of user control over his or her location data. In contrast to Beresford’s and Stajano’s definition, the control aspects are more fine-grained. The user or a user’s privacy policy should decide whether or not a location datum should be disclosed to a certain communication peer. Furthermore, the "extent" of the information to disclose is emphasized. The user should be able to evaluate and control the information value of a certain datum he or she wishes to disclose.

All definitions demonstrate the conflict between location privacy and the individual utility of sharing location information. According to these definitions, an individual’s location privacy is unharmed as long as location information is not disclosed. However, location-based services may provide useful and valuable services. By using location-based services, the user’s utility gain may potentially outweigh any privacy loss. Abstract definitions lack the guidelines needed for a single individual to evaluate the trade-offs between the utility of location-based services and his or her privacy loss. Each definition requires more formal specifications, such as of the "extent of location information." Therefore, if an individual is concerned about his or her location privacy, several open questions remain: Which computational privacy enhancing technology is suitable for a specific setting? By means of which criteria should a user choose a location privacy policy? How can one communicate with trusted or semi-trusted peers and manage a certain (location) privacy level? And finally, what kind of personal information is actually disclosed through the sharing of location information?

[2] Emphasis added.

2.2 Location Data and Location Context

Location sharing usually involves the disclosure of location data as coordinates related to a sphere or map. Depending on the source and type, such information might be error-prone, with position accuracy decreasing from a single point to a larger area. Furthermore, location information is usually connected to a timestamp, either implicitly or explicitly.

There are several location determination methods available. This thesis focuses on the general characteristics of popular methods and discusses these in an exemplary fashion. For further discussion of location information, location determination methods can be divided into three general classes as proposed by Schilit et al. (2003):

1. Client Centric
Location is determined by the user’s device and calculated via the user’s device sensors. A popular example is GPS, a Global Navigation Satellite System (GNSS), which has proven successful and is both generally accepted and widely deployed in consumer markets.

2. Network Centric
Location is determined by external infrastructure being able to observe the user. The location determination result may be passed on to the located client. A real-world example is active GSM position determination. [3]

3. Hybrid Solutions
This type of location determination requires co-operation between a client device and its external infrastructure. For instance, a client collects data from the device’s sensors and sends them to an external service to carry out the necessary calculations and/or to combine sensor data with infrastructure observations. One currently popular example is client measurements of the surrounding mobile communication infrastructure, e.g. using a received signal strength (RSS) database of nearby GSM stations and/or the names of WiFi access points. This database is then queried to get a (first) approximate location. [4] Such databases are usually built on user-generated data and have recently led to privacy concerns (Arthur, 2011; Kravets, 2011).
Another example of a hybrid positioning solution is A-GPS, which leverages external infrastructure to speed up GPS positioning, especially by providing an initial position (cold start), which can otherwise take up to 12.5 minutes (Hofmann-Wellenhof, Lichtenegger, & Wasle, 2008).

[3] Discussed in more detail in Chapter 5.

The effects on user privacy vary depending on the type of location determination method. For instance, the accuracy of GPS location determination using a consumer device (Smartphone) might range from 1 to 50 meters; location determination utilizing a GSM/3G infrastructure might have an error range of 50-250 meters (G. Sun, Chen, Guo, & Liu, 2005). Using signal fingerprints (e.g. RSS) of surrounding mobile communication infrastructure yields similar accuracy to GSM-based positioning (Vossiek et al., 2003). Furthermore, when using network centric or hybrid solutions, the user always shares his or her location information with third parties, whereas, when using a pure client centric approach, no information is disclosed through location determination. Hence, client-based location determination techniques improve the user’s location privacy by definition.

A spatio-temporal error of an observation could be introduced deliberately. Network centric and, in part, hybrid approaches reduce the user’s ability to introduce a spatio-temporal error, since the time component of a location measurement is known to the network. Finally, the relationship between the provider whose services require location data and the entity providing location information greatly impacts the user’s privacy. For instance, in cellular mobile telephony, both location determination and service provision are offered by the same entity, leaving the user few options to take control over his or her location data disclosure and the resultant location privacy.

2.3 Mobile Communication Scenarios

Location information has recently become a popular but also valuable communication item. Ubiquitous and affordable mobile communication combined with a new generation of so-called Smartphones gave rise to a large variety of location-based applications. However, exploitation of mobile location information also brings new challenges to the users’ privacy, especially due to its architectural design.

[4] E.g. the collaborative OpenCellID database, http://opencellid.org, (3/1/2013).

[Figure 2.1 (diagram): Users & Social Peers communicate with partially trusted communication peers, namely Infrastructure Services (Mobile Communication Network, e.g. WLAN, GSM/3G), Mobile Information Services (e.g. Maps, Tourist Guides, ...) and Social Network Services (e.g. Friend Finder); the flows are numbered (1) to (4) as in the caption.]

Figure 2.1: Today’s typical mobile communication scenarios: (1) (technical) communication of location data to keep mobile network attachment, (2) communication with location-based services, (3) usage of social networks and related applications, (4) direct user-to-user interaction.

There are various occasions and motives for location disclosure. As a first distinction, one can separate partially trusted communication peers from untrusted parties. The primary focus of this thesis is on the communication relationship between partially trusted peers. Partially trusted communication peers are known (at least to some extent) to the user. When a user makes use of mobile communication infrastructure, provides location information to location-based services (LBS) or shares location information within a group of socially connected peers, one can assume that there is at least a minimal amount of trust involved. Communication with each peer is voluntary and a privacy policy between peers usually exists. In relationships with commercially active peers, a privacy policy is usually explicit and based on laws and provisions. The privacy policy between social contacts can be assumed to be an implicit agreement based on the social relationship. In contrast, one can consider untrusted peers to be either attackers exploiting technical vulnerabilities in order to observe or track a user, or unknown and untrusted recipients of user data.


Four of today’s common mobile communication scenarios are analyzed further in terms of location privacy (see Fig. 2.1). First, in order to be able to use mobile infrastructure, a communication relationship between infrastructure provider and mobile subscriber has to be established. This starts with the user sending his or her subscriber credentials; the network then transmits control messages in order to maintain the user’s network attachment (1). Second, users exchange location information with mobile and location-based services (2). Thereafter, location information exchange takes place through social network services (SNS), which are increasingly gaining popularity (3). While the SNS providers share similar characteristics with mobile information service providers, location sharing between individuals through these networks poses new research challenges (4).

2.3.1 Communication with Mobile Infrastructure

In order to provide mobile services, communication between a user (i.e. the user’s mobile device) and the corresponding communication infrastructure is required. Mobile communication services are the basic ingredient for mobile communication (e.g. phone calls, text messaging) between users (social layer) or between users and networked services (service layer). Only in combination with mobile communication do interactive location-based services become possible. The user’s utility lies in being able to communicate from almost any place, in making use of context-aware services, and in being able to receive information in any place, e.g. receiving a phone call without being at the office.

However, mobile network infrastructure requires the subscribers’ whereabouts in order to function properly. Therefore, the location information of individual subscribers is generated continuously or frequently in an automated way. While communication infrastructure is usually considered a partially trusted entity, i.e. subscriber and provider agree on a service contract and privacy policy, the generation of location data goes unnoticed by the user. Users are not aware of the quality or quantity of the data collected. Such movement patterns are valuable for scientific research (Gonzalez, Hidalgo, & Barabasi, 2008) but also for commercial purposes and location-based advertising (Krumm, 2010).

A further threat is a commercial reuse of collected data in an anonymized way by the service provider (Fig. 2.2). For instance, a mobile telephony provider offers commercial services based on location data generated through interaction of mobile phones and network infrastructure. The company offers anonymized movement profiles, e.g. for traffic monitoring. [5] As a basis to generate mobility patterns, e.g. GSM mobility management protocol messages are evaluated. [6] These messages’ purpose is to keep network attachment. A very specific characteristic of these protocol messages is their invisibility to the user. The mobile subscribers’ unique identification number (IMSI) is encrypted. The encryption keys are changed every 24 hours. [7]

Given its commercial value, location information might be passed on to third parties in an anonymized and/or aggregated way. In this case, users are usually neither aware of the extent of their information disclosure nor of how the collected data is used and by whom. Furthermore, there is always the possibility of obtaining surreptitious and precise location information if necessary.

[Figure 2.2 (diagram): Users & Social Peers submit location information to the Mobile Communication Network (e.g. WLAN, GSM/3G) to maintain network attachment; this location information is used and may be stored by the network provider, with users unaware of amount and extent. Location information created by using mobile infrastructure flows to a Location Processing and Anonymization Unit and on to untrusted/unknown peers as User Mobility Profiles (e.g. Traffic Monitoring, Consumer Research, Advertising). Mobile Information Services (e.g. Maps, Tourist Guides, ...) and Social Network Services (e.g. Friend Finder) are shown among the partially trusted peers.]

Figure 2.2: Communication with mobile communication infrastructure. Primary information flow between subscriber and infrastructure (depicted green) and secondary, potentially hidden information flow to untrusted peers (depicted red).

[5] A1 Traffic Data Stream: Bewegungsdaten im Mobilfunknetz als Datenquelle für Marketing, Forschung und Planung [movement data in the mobile network as a data source for marketing, research and planning], press release of 17.12.2009, http://www.mobilkomaustria.at/de/presse/20091217a, (1/4/2010).

[6] "[...] only data that is of interest for determining the traffic situation is collected (such as events like IMSI Attach, Update Location, cell info or geo-coordinates, or handover)" http://www.a1.net/business/a1traffictechnologie, (1/4/2010).

[7] "[...] cryptographically encrypted in the so-called ’Anonymisation Module’ by means of a symmetric algorithm (128 bit according to AES, Advanced Encryption Standard), so that no back-calculation to the identity of a mobile phone owner is possible. The keys are regenerated every day at 0:00." http://www.a1.net/business/a1traffictechnologie, (1/4/2010).


Even though activists have started challenging mobile infrastructure providers either not to store location information if it is not needed for basic operation or to hand over stored data to the user, the actual value and the corresponding privacy risk posed by the collected data is difficult for a subscriber to assess. [8] Furthermore, recent studies showed that anonymization offers little or no privacy protection in mobile communication scenarios (cf. Zang and Bolot (2011)). Attempts to mask one’s identity by constantly changing random pseudonyms offer little protection. For instance, if one person could already have been traced up to a certain point via his or her old identity, then only a group of potential identities has to be monitored after the pseudonyms have been exchanged, i.e. those who remain in the relevant region. However, once each individual has started pursuing his or her daily routine, individual and characteristic patterns will be unveiled.

This combination of a ubiquitous infrastructure, a personal device and continuous (hidden) location determination poses new challenges to the user’s location privacy. The user can neither recognize the collection of location data nor monitor its usage when using mobile communications. Following the classic definition of location privacy, privacy with regard to the user’s location and movement pattern is almost impossible to achieve when using mobile communication services.

2.3.2 Communication with Service Providers

One of today’s most common communication scenarios is using location-based services (cf. Fig. 2.3). In the context of location sharing, two types of services can be observed. On the one hand, there are location-based services, where a user sends location information as a parameter of a service request to a service provider, which is also intended to be the final recipient. On the other hand, social network services are designed to exchange information with a set of user-defined virtual friends. In this case, the social contact is the intended recipient of the user’s whereabouts.

Mobile Information Systems This category of location disclosure usually involves informed users who consciously disclose their location data. A common case today is when users exchange their whereabouts with location-based services for tailored and context-sensitive information, e.g. searching for special places (restaurants, accommodation, shopping opportunities, etc.) or looking for directions and guidance based on their current location, e.g. car or pedestrian navigation or tourist guides. In both cases, the user’s utility gains result from the reduced search space, as the service provider is automatically aware of the user’s location and possibly his or her personal preferences.

[8] Heise Online News, http://www.heise.de/newsticker/meldung/Verbraucherschuetzer-empfehlen-Auskunft-von-Mobilfunkern-einzuholen-1659627.html, (8/6/2012).

Location-based services can be characterized by how location information is transmitted (cf. Kulik (2009)). Reactive or pull services require dedicated queries issued by the user (i.e. snapshot queries). For instance, such services provide information on nearby restaurants. A second class of services, the so-called push services, requires continuous location transmission or periodic location updates. Such services are able to provide context information in a pro-active manner. In any case, the user is aware of his or her location disclosure. By the standards of Westin’s privacy definition, the user is in control of what, when and partly to what extent information is disclosed to the service provider. Regarding location information and location privacy protection, two issues remain unresolved: First, users may not be aware of the amount of personal information contained in their location data and how much a certain service provider has already accumulated. Second, location data may be passed on to unknown and untrusted parties, possibly for advertising or similar commercial purposes. Even though such data may be anonymized and/or aggregated before being commercialized, the user is unaware of the method used, and thus of the privacy protection level applied to his or her data.

Social Network Services (SNS) Social network services provide a platform for exchanging information between groups of virtual "friends". Users connect to SNSs in order to update their status or whereabouts, post and distribute messages to a group of virtual friends, query the status of virtual friends, or make use of the service in order to stay connected with specific social peers through individual messages. For individuals, SNSs provide convenient services such as executing the user’s privacy and access policies, but also taking care of distributing information and reducing the user’s communication costs. Furthermore, an SNS user may gain extra utility by sharing location with a group of people as, for instance, it may ease coordination.


[Figure 2.3 (diagram): Users & Social Peers exchange location information with Mobile Information Services (e.g. Maps, Tourist Guides, ...) in return for context-aware data, and within social user groups via a friend-finder service; location information created by using mobile services and by using mobile infrastructure (Mobile Communication Network, e.g. WLAN, GSM/3G) flows to a Location Processing and Anonymization Unit and on to untrusted/unknown peers as User Mobility Profiles (e.g. Traffic Monitoring, Consumer Research, Advertising).]

Figure 2.3: Mobile communication with services. When sharing location information with services, location data might be observed and re-used by mobile infrastructure providers and location-based service providers.

By the standards of the aforementioned privacy definitions, it is difficult for a user to assess who is actually a recipient of the information disclosed. Similar to location-based services, SNSs are usually free and make heavy use of targeted advertisements. While in the case of location-based services there is a direct trade-off between the user’s location data and the provider delivering tailored, context-aware information, in the case of SNSs the provider is not the intended recipient of user data. The SNS provider acts as a kind of trusted peer, trusted by users to enforce access and privacy policies, e.g. which of the user’s virtual friends is able to access certain information artifacts. This is why SNS users approve a service agreement as well as an additional privacy policy between the user and provider. While the resulting primary privacy issue is technically quite similar to location-based services, the difference with SNSs is that users might not be fully aware of the extent of information they have disclosed to the service provider itself, because the user’s focus is more on fostering the relationship with virtual friends, often creating subsets and privacy/access policies accordingly.

2.3.3 Communication with Trusted Social Peers

The most complex communication scenario in terms of location privacy is sharing location information with trusted social peers. In such cases, direct communication between two users or between a user and a group of trusted peers is intended. Communication relations with trusted peers may include text (e.g. GSM-based SMS), voice or data communication.

In order to be able to communicate in a mobile scenario, the mobile communication infrastructure must be aware of the user’s approximate location. In some cases, an SNS may actually be used to distribute location information to the final recipient. Thus, all privacy concerns of both scenarios above also apply to this scenario. However, direct communication between socially trusted peers poses new challenges in terms of location privacy. By disclosing location information voluntarily to a (semi-)trusted communication peer, the user’s privacy seems to be unharmed with respect to Westin’s definition of location privacy, which requires individuals to determine when, how and to what extent private information is released. [9]

[Figure 2.4 (diagram): direct user-to-user communication among Users & Social Peers, whose trust relation may change over time; location information created by using social network services (e.g. Friend Finder) and by using mobile infrastructure (Mobile Communication Network, e.g. WLAN, GSM/3G) flows to a Location Processing and Anonymization Unit and on to untrusted/unknown peers as User Mobility Profiles (e.g. Traffic Monitoring, Consumer Research, Advertising); Mobile Information Services (e.g. Maps, Tourist Guides, ...) are shown among the partially trusted peers.]

Figure 2.4: Communication with social peers. Primary information flow between users (green) and secondary information flow between subscriber and infrastructure (yellow) and potentially hidden information flow to untrusted peers (depicted red).

Location data is able to transport much more information than simply the fact of a user being at a specific location. Collected over a certain period of time, location data is able to describe what a user has done and what he or she will probably do. Hence, it is difficult to assess the extent of an individual’s location disclosure. A single location observation might have a different impact on the user’s privacy, depending on time and place but especially on the observer. An observer might be able to draw exact conclusions about the user’s state and intention if the observer has good background knowledge of the user, such as friends or spouses. Hence, a definition of location privacy and privacy protection mechanisms are required for communication with (semi-)trusted peers. For instance, SNS users have become observers with almost unlimited memory capacity and may gain access to tools for aggregation and evaluation of available data. Privacy policies between users are usually implicit and based on mutual trust and social relationships. Social relations, however, (and therefore the underlying trust assumption) are not stable over time, and observers in SNSs have access to a large number of possibly related contacts as well as access to other information sources, and thus more options to observe the user’s actions in parallel. Therefore, the user’s options to enhance his or her location privacy are limited further (cf. Fig. 2.4).

[9] If we assume that the user is aware of the privacy implications of using mobile communication infrastructures and/or SNSs, or has mitigated the resulting privacy risks.

2.4 Classification of Location Disclosure

Based on the aforementioned mobile communication scenarios, the following categories of location disclosure can be identified:

1. Location data is explicitly and consciously disclosed by users
When disclosing one’s whereabouts to service providers or social peers, these peers are considered semi-trusted, as they are usually known to some extent by the user. There is usually a privacy policy involved, either explicitly with a service provider or implicitly, based on mutual trust between social peers.

2. Location data generated and/or collected implicitly
Location data is generated and collected without explicit user action due to technical necessities (e.g. by using mobile communication infrastructure (GSM, CDMA, 3G, etc.)). Furthermore, this type of mobile communication infrastructure usually provides ubiquitous network coverage, and thus complete coverage of a subscriber’s mobility.
For instance, Gruteser and Grunwald (2004) already discussed implicit location disclosure within WiFi networks and through geolocation of IP addresses. While in principle other parties are able to observe location information in this scenario, this information only becomes available when actively communicating and is restricted to the coverage area of a certain WiFi network provider or specific web sites.


3. Location data is passed on to third parties
While all information is shared with trusted or semi-trusted peers in a voluntary way, location information might also be passed on to unknown third parties. In the case of commercial service providers, users and providers have usually agreed on a privacy policy regarding the potential use of personal data. Hence, users are usually aware of the fact that their data is reused for commercial purposes; however, they are usually not aware of by whom, how and to what extent their data is used. Even though the data is anonymized or aggregated, users are not aware of, and most importantly cannot judge, the quality of their privacy protection.

2.5 Privacy Risks

There is no doubt that such data is highly interesting for commercial and scientific applications. However, using location data may conflict with user privacy, since specific location information or movement history might reveal the user’s identity. If a user’s identity is partially known, observing his or her movement and evaluating his or her current location reveals the user’s preferences and other possibly sensitive information. Such sensitive location-related data may contain places a user visits regularly or has special interest in, at which times, as well as the routes a user frequents. Combined with location data of other individuals, even social relations become visible.

Several researchers have identified general privacy risks posed by location disclosure and location data in general. For instance, Gruteser and Grunwald (2004) argue that public disclosure of location information may result in "spam" and/or allow others to learn about a user’s personal preferences or political views. Furthermore, commonly cited negative effects due to failures to protect location privacy include a decrease in "personal wellbeing and safety" (e.g. through stalking) and "intrusive inferences", when personal preferences, political views etc. could be inferred from an individual’s movement pattern (cf. Duckham and Kulik (2006), Schilit et al. (2003)).

Furthermore, Gruteser and Grunwald (2004) present a methodology for assessing location privacy risks based on three main criteria:

1. Locating (Method of location determination)
The privacy risks resulting from locating can be further refined based on the amount of user choice, on the spatial area covered by a certain location sensing technology, and finally on the resolution and accuracy of location information.

2. Identifying (Protection of personal identity)
The authors note that locating is not independent of user identification if location information can be correlated with external knowledge. In a formal way, the authors describe this correlation as "restricted space identification", i.e. if a spatial region belongs exclusively to a certain individual and this fact is known, an adversary can discover the identity of the individual based on this location information. Furthermore, external observation and linking such knowledge to anonymous messages can also reveal an individual’s identity (Ma, Yau, Yip, & Rao, 2010).

3. Data Collectors (Who has access to location data)
This criterion describes who has access to location data. Regarding privacy risks, the "dispersion" (spatio-temporal observation capabilities, for instance through cooperation and sharing between LBS providers) has great impact on how much data is accumulated about a single individual. Finally, the authors describe the trust relationship between an individual and a data collector as a factor for risk assessment. The authors assume that a legally binding privacy contract with a reputable company results in a higher level of trust compared to an unknown LBS provider.

Although the above-mentioned criteria were designed mostly based on the assumption of untrusted service providers and usually anonymous or pseudonymous usage of services, the general methodology and certain criteria are still useful to assess privacy risks in scenarios with trusted and semi-trusted peers. However, additional criteria are necessary to cover the trusted and semi-trusted case: data retention time, or, in other words, the length of an individual’s recorded movement history, and the mutual trust relation.

2.5.1 Long-term Observation and Data Retention

Long-term observation or data retention of location data poses specific, location-related privacy risks. With accumulation of location data, typically more information on a single individual is available. However, when disclosing location data to trusted or semi-trusted peers, it can be assumed that such data is not disclosed to the public. In contrast, when communicating with untrusted peers, data is usually anonymized before it leaves the user’s device. Therefore, due to the availability of user data, several privacy risks appear (cf. Fig. 2.5).

[Figure 2.5 (diagram): Users & Social Peers share data with partially trusted communication peers (Services, Infrastructure); three risk arrows are labelled REUSE (via a Location Processing and Anonymization Unit to untrusted/unknown peers as User Mobility Profiles for Traffic Monitoring, Consumer Research, Advertising), ABUSE (Theft of Data, Data Breach) and EXPOSURE (Personal Preferences, Social Relations).]

Figure 2.5: Privacy Risks of Location Disclosure to Semi-Trusted Peers

Reuse Collected or observed location data can be reused (e.g. monetized and

sold) for different services. If such data is passed on to third parties, the data

is usually aggregated or anonymized and users are not aware of the technique

used, and thus, bear a risk of re-identification (which they cannot assess). Furthermore,

neither the final data consumer nor the intended use of the location

data are known. Collected location data can become a quasi-identifier, similar to a

fingerprint (Bettini, Wang, & Jajodia, 2005). Hence, by using external knowledge,

the identity of a specific user can be determined. Golle and Partridge (2009)

studied the effects of disclosing U.S. census work and home location-based data

on a user’s privacy. On a block-level resolution, the combination of home and

workplace can identify a single individual and based on census tracts (similar to

ZIP codes), identification can be narrowed down to about 20 possible candidates.

A technology combining different sources of observations was shown by Ma et al.

(2010) as well as Zang and Bolot (2011).
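The effect described above, that home and workplace combined become a quasi-identifier whose discriminating power depends on the spatial resolution, can be made concrete with the following Python snippet. It is an added illustration, not code or data from the dissertation or from Golle and Partridge (2009); the subject positions are constructed, and the square grid generalization stands in for the block-level versus census-tract resolutions of that study.

```python
"""How a home/work location pair acts as a quasi-identifier.

Added illustration, not code or data from the dissertation or from Golle and
Partridge (2009). A constructed population of subjects with home and workplace
coordinates (metres) is generalized to square grid cells of a chosen size.
Subjects sharing the same (home cell, work cell) pair form one anonymity set;
a set of size 1 means the pair singles that subject out.
"""
from typing import Dict, List, Optional, Tuple

Point = Tuple[int, int]   # (x, y) in metres
Cell = Tuple[int, int]    # grid cell index
Key = Tuple[Cell, Cell]   # (home cell, work cell)

# Constructed sample: subject id, home position, workplace position.
SUBJECTS: List[Tuple[str, Point, Point]] = [
    ("s1", (120, 80), (5100, 3200)),
    ("s2", (150, 110), (5150, 3250)),
    ("s3", (400, 300), (5120, 3220)),
    ("s4", (2100, 1900), (5140, 3180)),
    ("s5", (2140, 1950), (300, 200)),
    ("s6", (2300, 1600), (330, 250)),
]


def cell(p: Point, size: int) -> Cell:
    """Generalize a point to the index of the size x size metre cell containing it."""
    return (p[0] // size, p[1] // size)


def anonymity_sets(size: int) -> Dict[Key, List[str]]:
    """Group subjects by their generalized (home cell, work cell) pair."""
    groups: Dict[Key, List[str]] = {}
    for sid, home, work in SUBJECTS:
        groups.setdefault((cell(home, size), cell(work, size)), []).append(sid)
    return groups


def identified_subjects(size: int) -> List[str]:
    """Subjects whose pair is unique at this resolution (anonymity set of size 1)."""
    return sorted(sid for members in anonymity_sets(size).values()
                  if len(members) == 1 for sid in members)


def min_anonymity(size: int) -> int:
    """Size of the smallest anonymity set at this resolution."""
    return min(len(members) for members in anonymity_sets(size).values())


def coarsest_needed(k: int, candidate_sizes: List[int]) -> Optional[int]:
    """Smallest candidate cell size at which every subject sits in a set of at
    least k, i.e. how much resolution has to be given up for that guarantee."""
    for size in sorted(candidate_sizes):
        if min_anonymity(size) >= k:
            return size
    return None


if __name__ == "__main__":
    for size in (100, 500, 1000, 3000):
        print(f"{size:5d} m: singled out = {identified_subjects(size)}, "
              f"smallest set = {min_anonymity(size)}")
```

For the constructed population, a 100 m cell size singles out every subject, at 500 m one subject is still unique, and only at 3 km does every subject share its pair with at least one other. Which resolution suffices depends entirely on the population, which is why the text calls the re-identification risk one that users cannot assess themselves.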

Abuse The user’s privacy is threatened by the collection and therefore possible

abuse or theft of location data. Due either to technical necessities or through the

use of location-based applications, location information is generated continuously.



This data might be stored for different reasons (e.g. for technical network monitoring

and improvement, regulation and law enforcement requirements, etc.)

and for an unknown period of time. For instance, a social application may store

user data for an infinite amount of time, data that was originally intended to be

shared in a small community of trusted social contacts. The abuse of such data

could potentially be harmful to an individual’s reputation. A different example of

the privacy threats accompanying data retention is the recent raid of the German

law enforcement in Dresden. Almost a million data records (including location

information) of mobile telephony subscribers were released on questionable legal

basis (Sächsischer Datenschutzbeauftragter, 2011). Hence, the location privacy of

several thousand subscribers was put at risk without any of these suspects being

accused of an offense.

Exposure A further risk arises when people share their location with social

contacts. Such exposure might lead to undesirable social effects, like disclosing

personal preferences but also uncovering seemingly hidden social relations. By

observing and evaluating a user’s movement, his preferences and other possibly

sensitive information might be revealed. Such sensitive location-related data

contains places a user visits frequently or at certain times and thus has special

interest in. Combined with the location data of other individuals, social relations

become visible. Furthermore, people are not always aware of with whom they

share personal data and it is difficult to estimate the background knowledge

of their communication peers. For instance, Acquisti and Gross (2006) showed

in a study that even privacy-concerned SNS users have problems judging the

visibility of the information they publish. A user’s exposure does not always

require direct disclosure of sensitive personal information. For instance, sensitive information may originally have been shared in a different communication context and with a dedicated recipient. However, this information is stored (e.g. by an SNS provider), and thus, poses a potential privacy risk.

2.5.2 Unstable Trust Relations

When sharing private data with trusted peers, a user usually assesses the social

trust relationship of a certain information recipient. Even though a specific

recipient may be considered trustworthy enough to share information in a certain

context today, this assessment might be different at some point in the future. Social relationships are not stable over time and the same applies for the underlying trust assumption.

Furthermore, by making use of SNSs, the user’s social peers gain a

perfect and unlimited memory. Thus, a user risks future negative consequences

despite a careful assessment of information disclosure today. In order to define a

user-centric location privacy metric, the trust relation between individuals is a

crucial component in a privacy relationship with trusted peers.

2.6 Summary

Location privacy protection is multifaceted, especially from a user’s perspective.

Newly emerging mobile communication scenarios with mostly non-anonymous

information exchange and partially trusted peers require a different, novel adversary

model. New types of location determination methods and location disclosure

practices demand a user-centric location privacy model.

Despite the seemingly uncomplicated nature and the small size of the data

in question (i.e. when measured in bytes), it is very difficult to assess privacy

implications of a location disclosure. Hence, it is quite easy to underestimate the

impact of disclosure on such a small datum since it is difficult to assess its actual

information content, given a specific scenario. Even worse, in some scenarios,

service providers and location-based services may pass location data to unknown

and untrusted third parties. While user data is usually anonymized to comply

with privacy policies and privacy regulation, it becomes even more difficult to

assess the privacy risks posed by disclosure of location data since neither the

privacy enhancing technology and its effectiveness nor the recipient are known. In

order to protect or improve the user’s location privacy, different types of location

disclosures in today’s communication scenarios have to be analyzed. A better

understanding of the impact of location information on an individual’s privacy as

well as scenario-specific methods for privacy protection are required. Therefore,

the following chapters address the issues raised. To begin with, Chapter 3 gives an

overview of current privacy protection methods and their limitations.



CHAPTER 3

Overview on Location Privacy

Protection

Research surrounding location privacy, including privacy protection and privacy-enhancing methods, has a long history. This chapter examines traditional methods

for location privacy-enhancing technologies which originally arose as a result of

the identification of crucial location privacy elements: location data and the risks

for an individual’s privacy due to location disclosure.

3.1 Privacy Protection Methods

Location privacy protection methods have been researched intensively. Based on

an early survey conducted by Duckham and Kulik (2006), four general categories

of privacy protection methods can be identified: (1) regulation, (2) privacy policies,

(3) anonymity and pseudonymity, and finally, (4) obfuscation.

3.1.1 Regulation by Law

Increasing amounts of stored information and the expanding possibilities of

automated data processing (i.e. by using computer systems) have given rise to

numerous privacy regulations. Especially protection of personal information has

gained the legislator’s attention.

Privacy regulations and laws are enacted to protect an individual’s privacy.

An influential piece of privacy regulation is represented by the U.S. Privacy Act

of 1974 (U.S. Department of Justice, Office of Privacy and Civil Liberties, 2010)

"that attempts to regulate the collection, maintenance, use and dissemination of

personal information by federal executive branch agencies," also known as the



"Code of Fair Information Practices." However, the U.S. Privacy Act only pertains

to the regulation of governmental data and the data of individuals in relation

to governmental agencies. Privacy regulation in commercial environments and

the private sector are not covered. Several sector-specific regulations have been

enacted, but a comprehensive privacy framework covering all aspects of user

privacy does not exist.

In contrast, the European Directive 95/46/EC (European Parliament & European Council, 1995) and E.U. Directive 2002/58/EC (European Parliament & European Council, 2002) aimed for a more general approach. Directive 95/46/EC

generally laid the regulatory framework regarding personal information. The latter

directive was influenced by recent technical developments in modern communication

systems and particularly addresses the explicit need to regulate technical

traffic data and location information. Storage and processing of location data is

covered both by Article 6 (Traffic data) and Article 9 (Location data other than

traffic data) of Directive 2002/58/EC and only allows location data processing

by subscribers to a public communication network either if the data is made

anonymous or with explicit consent of the user.

According to Duckham and Kulik (2006), privacy regulations can be summarized

by five common principles of fair information practice:

1. Notice and Transparency: users are aware of data collection, especially by

whom and for what purpose;

2. Consent and Use-Limitation: users must consent to collection of their data

and may restrict data usage for certain purposes;

3. Access and Participation: allows users to request information on stored data

as well as its removal;

4. Integrity and Security: these complementarily protect personal data from

collecting organizations;

5. Enforcement and Accountability: holds collecting organizations accountable

for any failure to comply with one of the above-mentioned principles.

May (2008) came to a similar conclusion in a comparative study on privacy law in

U.S., E.U. and Australian law.

Laws and regulations can achieve the basic protection of a user’s personal

data. However, since laws and regulations are bound to local jurisdiction while mobile applications are usually not bound to certain areas (especially service providers often act globally), the user might need to enforce his or her rights in a jurisdiction

outside of his or her home country. This would be both more difficult and more

expensive compared to enforcing privacy regulation in the local jurisdiction.

Furthermore, it is difficult for an individual to control whether data collectors abide by the relevant laws. As a result, an individual delegates privacy protection

to various local governmental agencies which are then entitled to enforce the

relevant laws and regulations. With respect to the given definitions of location

privacy, the user has no control over his or her data, and therefore, a limited level

of privacy protection. Moreover, location privacy has yet to be fully addressed.

Location information is only fully protected if it is counted as personal data.

However, as explained previously, anonymized location data may still reveal the

information that could lead to an individual’s identity.

3.1.2 Privacy Policies

Laws and regulations regarding an individual’s privacy allow for the commercial

use of personal information if the user has given his consent in exchange for

service provision. A service user must be clearly informed of how data is used in

order for her or him to consent to its use. A privacy policy usually provides such a

framework, describing more fine-grained rules and obligations regarding the use

of personal information. For instance, using location information may be limited

to certain services or restricted to certain areas and times. Each provider with

services where location data accumulates should commit itself to the contractual

use of this data. When communicating with service providers, there are various

technical ways to describe a privacy policy for location data.

In the following, prominent examples are presented; Coi and Olmedilla (2008)

provide a comprehensive overview and comparison of current privacy policy

languages.

GEOPriv The Internet Engineering Task Force’s (IETF) proposed GEOPriv standard

describes a protocol that is meant "to facilitate the protection of privacy

pursuant to Privacy Rules set by the user/owner of the target," or rule maker (Cuellar,

Morris, Mulligan, Peterson, & Polk, 2004). In order to create such rules, the rule

maker requires two important pieces of information: the location recipient’s (LR)

identity and a judgement of whether the counterpart is likely to follow the rules.



The so-called location objects (LO) are central to the GEOPriv standard. LOs

encapsulate location data together with a set of usage rules that determine how

that data can be used. This allows an individual to express personal location

privacy preferences for any location observation. Furthermore, LOs can be made

tamper-proof and GEOPriv supports the use of LOs with pseudonyms.

The GEOPriv standard, however, is restricted to a machine-readable description

of regulations and location information rules. The enforcement or control

of the agreed privacy policy requires a different approach based on the degree

of trust between the rule maker (user) and the LR. The current status of the standard's development is available at the working group's website (GEOPriv Working Group, http://datatracker.ietf.org/wg/geopriv/charter/, 10/15/2011).

W3C P3P & Appel Another framework approach for expressing privacy preferences

between service users and service providers was developed by the World

Wide Web Consortium (W3C): the "platform for privacy preferences project"

(P3P) (World Wide Web Consortium, 2006). P3P supports service providers in

publishing their privacy policy in a machine-readable format in order for it to

be processed automatically, e.g. by Web browsers. The proposed standard provides

a schema that describes "uses, recipients, data categories and other privacy

disclosures," thus enabling individuals to make informed decisions regarding

different service offers. Originally, P3P was supposed to inform Web users about

the privacy policy practices of websites and did not address location data and

location privacy explicitly. However, Duckham and Kulik (2006) note that since

the P3P language is based on XML, it can easily be extended for other domains

and purposes.

Currently, the P3P work is suspended due to "insufficient support from current browser implementers" (P3P project site, http://www.w3.org/P3P/, 17/11/2011). However, P3P is used as basis for recent privacy-related projects such as the PRIME Project (PRIME - Privacy and Identity Management for Europe, https://prime-project.eu, 17/11/2011). Along the same lines, Langheinrich (2002) described a system architecture for "privacy awareness for ubiquitous computing environments" (pawS) which makes use of the P3P language to describe and track privacy policies for location data. The enterprise privacy authorization language (EPAL) is similar to the P3P language, but is specifically designed to


formalize enterprise privacy policies, while P3P was designed to provide a global

terminology for describing "privacy promises" (Ashley, Hada, Karjoth, Powers, &

Schunter, 2003).

APPEL (A P3P Preference Exchange Language) provides a language description,

allowing the user to express his or her preconditions and other needs concerning

privacy (Cranor, Langheinrich, & Marchiori, 2002). Both systems automatically

allow users and service providers to negotiate the acceptability of a

machine-readable privacy policy. Although the system allows for a systematic

collection and description of relevant aspects of privacy, none of the protocols

guarantee adherence to the described obligations.

Both user control and effective enforcement of privacy "rights" are difficult.

When a user agrees to a privacy policy as a method of individual privacy protection,

the user in turn loses control of his data as well. For instance, when

data is passed on to a third party, it is not possible for the user to control further

data usage. One proposed method in order to allow data protection audits and

thus to prove a potential data breach is to embed watermarks into data. These

watermarks contain information about both parties: data owner and data recipient

and allow for the reconstruction of the disclosure chain of any data record.

Such reconstructions may result from a security audit, for instance by a data

protection officer. If data records are found at a site which does not have the

rights to these records, the last "lawful" data owner can be found and the potential

unlawful disclosure of data determined. Wohlgemuth, Echizen, Sonehara, and

Müller (2010) proposed a protocol based on public key encryption and showed

the method’s feasibility applied in the domain of health records. While there are

established methods for creating and embedding watermarks in images, attaching

provenance information to location information is by far more difficult due to

the small size of the datum. Schrittwieser, Kieseberg, Echizen, Wohlgemuth, and

Sonehara (2011) proposed preliminary ideas but the effectiveness and robustness

of their approach has yet to be proven in practice.
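To make the disclosure-chain idea tangible, the following Python snippet is an added example; it is not the dissertation's code and not the protocol of Wohlgemuth et al. (2010), which is based on public key encryption. Every lawful hand-over appends an authenticated (owner, recipient) hop to a record's provenance chain, with an HMAC under the owner's key standing in for a signature, and an auditor who holds the parties' keys (an assumption made here) can name the last lawful holder of a record found at a site that never appears in the chain. Keys and the location record are constructed.

```python
"""Disclosure-chain provenance for a location record (added illustration).

Simplified construction, not the protocol of Wohlgemuth et al. (2010): each
lawful disclosure appends a hop (owner -> recipient) authenticated with an
HMAC under the owner's key. The tag binds the datum, the entire previous
chain and the new hop, so earlier hops cannot be altered without detection.
The auditor is assumed to hold every party's key (symmetric stand-in for
signature verification keys).
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed per-party keys; a real deployment would use asymmetric keys.
KEYS: Dict[str, bytes] = {
    "alice": b"alice-key-constructed",
    "lbs.example": b"lbs-key-constructed",
    "partner.example": b"partner-key-constructed",
}


def _payload(record: dict, chain: List[dict], owner: str, recipient: str) -> bytes:
    """Canonical bytes covered by a hop's tag."""
    return json.dumps({"record": record, "chain": chain, "owner": owner,
                       "recipient": recipient}, sort_keys=True).encode()


def _tag(owner: str, payload: bytes) -> str:
    return hmac.new(KEYS[owner], payload, hashlib.sha256).hexdigest()


def disclose(record: dict, chain: List[dict], owner: str, recipient: str) -> List[dict]:
    """Owner hands the record to recipient and appends an authenticated hop."""
    tag = _tag(owner, _payload(record, chain, owner, recipient))
    return chain + [{"owner": owner, "recipient": recipient, "tag": tag}]


def verify_chain(record: dict, chain: List[dict], origin: str) -> bool:
    """Every hop must be tagged by its owner, and owners must link up from origin."""
    expected_owner = origin
    for i, hop in enumerate(chain):
        if hop["owner"] != expected_owner or hop["owner"] not in KEYS:
            return False
        tag = _tag(hop["owner"], _payload(record, chain[:i], hop["owner"], hop["recipient"]))
        if not hmac.compare_digest(tag, hop["tag"]):
            return False
        expected_owner = hop["recipient"]
    return True


def audit(record: dict, chain: List[dict], origin: str, found_at: str) -> Tuple[str, Optional[str]]:
    """("lawful", None) if found_at is a holder named in the chain; otherwise
    ("unlawful", last lawful holder), the site from which the record must have left."""
    if not verify_chain(record, chain, origin):
        return ("tampered", None)
    holders = [origin] + [hop["recipient"] for hop in chain]
    if found_at in holders:
        return ("lawful", None)
    return ("unlawful", holders[-1])


def demo() -> Tuple[str, Optional[str]]:
    # Constructed datum: a single time-stamped position.
    record = {"lat": 48.0, "lon": 7.85, "t": "2011-11-17T10:00:00Z"}
    chain = disclose(record, [], "alice", "lbs.example")
    chain = disclose(record, chain, "lbs.example", "partner.example")
    return audit(record, chain, "alice", "advertiser.example")


if __name__ == "__main__":
    print(demo())  # the record surfaced at a site not in the chain
```

The chain here travels as metadata beside the datum, so a holder can strip trailing hops or detach the chain altogether; binding provenance into the location datum itself so that it survives copying is exactly the watermarking step the text describes as unsolved for such small data.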

3.1.3 Anonymity and Pseudonymity

Perfect privacy protection in a communication relationship can only be gained

if location data cannot be linked to an individual service user. If the user is able

to use a service anonymously, his or her location privacy should in principle be

preserved. In order to unify definitions and language concerning anonymity, unlinkability, unobservability and pseudonymity, Pfitzmann and Köhntopp (2001; an extended and revised version is available online as Pfitzmann and Hansen (2010)) proposed a terminology describing the properties of these terms and their relationship to each other.

Pfitzmann and Hansen (2010) define anonymity in a setting of a set of senders

and a set of recipients using a communication network to transmit messages

(Fig. 3.1). An attacker (adversary) is characterized as being able to observe and/or

control parts of the communication network with the objective of identifying

senders and the respective recipients of those observed messages. In such a

setting, anonymity is defined as:

"Anonymity of a subject means that the subject is not identifiable

within a set of subjects, the anonymity set." (Pfitzmann & Hansen,

2010)

Figure 3.1: Generic anonymity setting by Pfitzmann and Hansen (2010).

A similar definition is given from an attacker’s view:

"Anonymity of a subject from an attacker’s perspective means that the

attacker cannot sufficiently identify the subject within a set of subjects,

the anonymity set." (Pfitzmann & Hansen, 2010)

The setting depicted in Fig. 3.1 can be seen as a generalization of a setting in

which a set of mobile users disclose location information to location-based services

(Fig. 3.2). In such a setting, sent messages consist of location information,

transferred from users to publicly available providers of location-based services.

Therefore, from a user’s perspective, the goal is to achieve sender-anonymity so

that the sender is anonymous in the set of potential senders or anonymity set.



Furthermore, Pfitzmann and Hansen (2010) emphasize the term "sufficient identification,"

which indicates the possibility of a threshold, where anonymity in a

certain scenario or context begins and includes a general ability to quantify and

qualify anonymity.

[Figure 3.2 (diagram, not reproduced): Users & Social Peers forming the Anonymity Set, connected over a Mobile Communication Network (e.g. WLAN, GSM/3G) through an Anonymization Service to Location Based Services and Infrastructure Services.]

Figure 3.2: Anonymity setting sharing location data

Sweeney (2002) proposed a concept based on anonymity for privacy protection

called k-anonymity. In order to be able to share personal data (e.g. by banks or

hospitals), data records should be released in such a way that it is guaranteed for

each record to relate to at least k individuals. Hence, the chance of an attacker trying to identify an individual within this set is 1/k. Usually, this is achieved by

removing or generalizing certain attributes of a record, e.g. the combination of

ZIP code and date of birth, which, joined with publicly available data, can be

linked to individuals. Such attributes are referred to as quasi-identifiers.

In order to achieve anonymity in the context of location privacy, two different

problem sets need to be addressed. First, location data itself might contain information

on a single individual. For instance, repeatedly visiting the same place at

certain times could lead to disclosure of a user’s home or workplace. If such data

is linked with external information, it is possible to identify a single individual



(quasi-identifier). Bettini et al. (2005) define a location-based quasi-identifier as

a specific spatio-temporal pattern "specified by a sequence of spatio-temporal

constraints." Second, the term anonymity needs to be qualified in the context

of location information as full anonymity is difficult to achieve when disclosing

whereabouts. Thus, in terms of Pfitzmann and Hansen (2010), a threshold is

required to qualify sufficient anonymization in a specific location privacy setting.

Gruteser and Grunwald (2003) extended the k-anonymity concept, originally

developed for database applications, to location-based services. In order to improve

an individual’s location privacy, the location datum must be generalized

until the anonymity set contains at least k − 1 other individuals. This anonymization

method is suitable for location-based services where agents do not trust the

service provider and where services do not rely on real time position dissemination

or on an exact spatial resolution. Queries have to be collected and processed.

Potentially, the anonymization service must wait until a user-defined anonymity

threshold is reached. The factor k implies the level of location privacy: the higher

the level of k, the higher the assumed level of privacy. However, due to the

algorithm’s construction, a higher level of k naturally decreases the temporal and

spatial accuracy. Furthermore, Gruteser and Grunwald (2003) implemented their

system in a way such that k is a global, commonly shared factor, ignoring individual

preferences on anonymity. Consequently, users cannot choose a trade-off

between quality of service and individual privacy. Gedik and Liu (2008) further

developed the concept of k-anonymity to cope with critics of earlier work on this

matter. Most importantly, their system design is motivated by the observation

that "location privacy demands personalization." This means, each client is able to

define the minimum level of anonymity and the minimum temporal and spatial

accuracy when using the system. However, similar to the approach of Gruteser

and Grunwald (2003), their system design also relies on a trusted third party who

implements a so-called "message perturbation machine" to perform anonymization

on the user’s messages. A similar approach is proposed by Mokbel, Chow,

and Aref (2006), where users define minimal privacy requirements represented

through the value k (k-anonymity requirement) and the spatial area defining their

minimally acceptable location accuracy.
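The generalization step common to these approaches can be illustrated with the following Python snippet, an added example that is not code from the dissertation or from any of the cited systems. It is a quadtree-style cloaking routine: starting from the whole service area it keeps descending into the quadrant containing the requester as long as at least k users remain in it, with k and the largest tolerable region as per-request parameters in the spirit of Gedik and Liu (2008) and Mokbel et al. (2006). All positions are constructed.

```python
"""Spatial cloaking of a location query to meet a k-anonymity threshold.

Added illustration; not code from the dissertation or from Gruteser and
Grunwald (2003). The anonymizer holds the current positions of its users
(constructed sample below). Starting from the whole service area it descends
into the quadrant containing the requester as long as that quadrant still
holds at least k users, and discloses the last quadrant that did. k and the
largest region the user tolerates (max_area) are per-request parameters.
"""
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]
Box = Tuple[float, float, float, float]  # (x_min, y_min, x_max, y_max)

# Constructed positions (arbitrary units) of users known to the anonymizer.
USERS: Dict[str, Point] = {
    "u1": (12.0, 14.0), "u2": (15.0, 18.0), "u3": (22.0, 30.0),
    "u4": (61.0, 12.0), "u5": (70.0, 40.0), "u6": (80.0, 85.0),
    "u7": (35.0, 72.0), "u8": (40.0, 90.0),
}
AREA: Box = (0.0, 0.0, 100.0, 100.0)


def contains(box: Box, p: Point) -> bool:
    return box[0] <= p[0] < box[2] and box[1] <= p[1] < box[3]


def box_area(box: Box) -> float:
    return (box[2] - box[0]) * (box[3] - box[1])


def users_in(box: Box, users: Dict[str, Point] = USERS) -> List[str]:
    """The anonymity set a disclosed box would provide."""
    return sorted(uid for uid, p in users.items() if contains(box, p))


def quadrant_of(box: Box, p: Point) -> Box:
    """The quadrant of box that contains p."""
    xm, ym = (box[0] + box[2]) / 2, (box[1] + box[3]) / 2
    x0 = box[0] if p[0] < xm else xm
    y0 = box[1] if p[1] < ym else ym
    return (x0, y0, x0 + (box[2] - box[0]) / 2, y0 + (box[3] - box[1]) / 2)


def cloak(requester: str, k: int, max_area: float,
          users: Dict[str, Point] = USERS, area: Box = AREA,
          min_side: float = 1.0) -> Optional[Box]:
    """Smallest quadtree cell around the requester holding >= k users, or None
    when the threshold cannot be met or the cell exceeds the tolerated area.
    min_side stops the subdivision when several users share one position."""
    if len(users_in(area, users)) < k:
        return None  # too few users: the service must wait or refuse the query
    box = area
    while (box[2] - box[0]) / 2 >= min_side:
        sub = quadrant_of(box, users[requester])
        if len(users_in(sub, users)) < k:
            break
        box = sub
    if box_area(box) > max_area:
        return None  # the user's quality-of-service bound wins over anonymity
    return box


if __name__ == "__main__":
    for k in (2, 3, 5):
        box = cloak("u1", k, max_area=10000.0)
        print(k, box, users_in(box) if box else None)
```

For the constructed population, user u1 with k = 3 receives a 50 x 50 cell containing three users, while k = 2 yields a 25 x 25 cell; raising k enlarges the disclosed region, and a maximum-area bound turns the request into a refusal rather than a less private disclosure. The routine also shows where the trust in the third party lies: whoever runs cloak() sees every exact position.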

All these concepts assume trust in possibly unknown third party institutions.

Apart from the incentives of a service provider or an institution to offer such

anonymization services and to be exposed to potential legal risks at the same time,



the question of risks and dangers for the user arises. Anonymization services normally

operate as a kind of proxy that receives inquiries, anonymizes data and then

forwards the query to the actual service provider. This way, the anonymization

service becomes a single point of failure and the target of possible attacks. In order

to avoid single weak points, distributed peer-to-peer-based approaches have been

developed for k-anonymity (e.g. Ghinita, Kalnis, and Skiadopoulos (2007) and

Hashem and Kulik (2007)). This method, however, needs a sufficient amount of

suitable, cooperative and, if necessary, trustworthy users nearby. Especially in

an environment with specialized services, it may be difficult to find a suitable

number of equally minded users, suitable for the anonymity set, i.e. sharing

preferences for the same services and being close-by. Ardagna, Cremonini, and

Gianini (2009) introduced a scenario with a semi-trusted mobile network provider

and proposed a multi-path approach to achieving k-anonymity for the sender

of a message. Their approach relies on a hybrid network infrastructure where

subscribers can form ad-hoc networks. However, such an approach only protects

the connection between the sender and final recipient (e.g. LBS-provider).

While anonymity might be useful in some settings, Pfitzmann and Hansen

(2010) note that full anonymity may prevent two-way communication. More

specifically, certain types of location-based services are available without knowing

a user’s identity. However, the possession of personal information may provide a

higher quality of personalized services. For example, context information may

contain both location information and personal preferences determined through

usage history. A sort of identifier is required for some services and may be

beneficial for others. But instead of a user's real name, social security number or a similar identifier, a pseudonym could be used, as defined by Pfitzmann and Hansen (2010):

"A subject is pseudonymous if a pseudonym is used as identifier

instead of one of its real names. [...] A pseudonym is an identifier of a

subject other than one of the subject’s real names."

However, simply substituting a personal identifier (e.g. the user’s name) by

a pseudonym is usually not sufficient. An attacker could observe the user’s

movement pattern and consequently infer the user’s preferences and real identity.

In this case, a pseudonym becomes a quasi-identifier. In order to avoid this,

Beresford and Stajano (2003) proposed a so called "mix-zone," where agents are



able to exchange their given pseudonyms, and thus, hinder an attacker from

accumulating a longer movement history.
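The following Python snippet, added here and not taken from the dissertation or from Beresford and Stajano (2003), shows why a constant pseudonym joins sightings into a track and how a mix zone bounds what an observer can link. The sightings are constructed; the snippet also models the caveat that the candidate set shrinks when the observer can bound dwell times in the zone tightly.

```python
"""Linking pseudonymous sightings with and without a mix zone.

Added illustration; not code or data from the dissertation or from Beresford
and Stajano (2003). An observer outside the zone records (minute, pseudonym,
place) sightings. With a constant pseudonym all sightings of that pseudonym
form one track, so the pseudonym becomes a quasi-identifier. With a mix zone,
users leave under fresh pseudonyms, and a departing track can only be linked
to the users who were inside the zone at the same time, bounded by what the
observer assumes about dwell times.
"""
from typing import Dict, List, Set, Tuple

Sighting = Tuple[int, str, str]  # (minute of day, pseudonym, place)


def tracks(sightings: List[Sighting]) -> Dict[str, List[str]]:
    """Places visited per pseudonym, which is all a linking observer needs."""
    out: Dict[str, List[str]] = {}
    for _minute, pseud, place in sorted(sightings):
        out.setdefault(pseud, []).append(place)
    return out


# Constructed scenario: two users keep their pseudonyms throughout the day.
NO_MIX: List[Sighting] = [
    (480, "p1", "home-A"), (500, "p1", "clinic"),
    (485, "p2", "home-B"), (505, "p2", "office"),
]

# Same movements through a mix zone: the observer sees the last sighting
# before entry and the first after exit, now under a new pseudonym.
MIX: List[Sighting] = [
    (480, "p1", "home-A"), (485, "p2", "home-B"),
    (500, "q7", "clinic"), (505, "q3", "office"),
]
ENTRIES: List[Tuple[int, str]] = [(490, "p1"), (491, "p2")]  # (minute, pseudonym)
EXITS: List[Tuple[int, str]] = [(495, "q7"), (496, "q3")]


def link_candidates(exit_pseud: str, entries: List[Tuple[int, str]],
                    exits: List[Tuple[int, str]], dwell_max: int) -> Set[str]:
    """Entering pseudonyms that may have become exit_pseud: they entered before
    the exit and no more than dwell_max minutes earlier."""
    t_exit = next(t for t, p in exits if p == exit_pseud)
    return {p for t, p in entries if 0 <= t_exit - t <= dwell_max}


def min_link_anonymity(entries: List[Tuple[int, str]],
                       exits: List[Tuple[int, str]], dwell_max: int) -> int:
    """Smallest candidate set over all exits; 1 means some track is linkable."""
    return min(len(link_candidates(p, entries, exits, dwell_max)) for _t, p in exits)


if __name__ == "__main__":
    print(tracks(NO_MIX))                       # p1 links home-A to clinic
    print(tracks(MIX))                          # q7 is a fresh pseudonym
    for dwell in (10, 5):
        print(dwell, min_link_anonymity(ENTRIES, EXITS, dwell))
```

With a loose dwell-time bound both departing pseudonyms could be either of the two entering users; with a bound of five minutes the exit q3 can only be p2, and by elimination q7 must be p1, which is the limitation of small mix zones discussed in the literature.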

A different approach to anonymity originating from statistical privacy (i.e.

privacy-conscious data release) is synthetic data generation (Rubin, 1993). Instead

of releasing original data, a statistical model is built and synthetic points are

derived and released instead of the original data-set. Machanavajjhala, Kifer,

Abowd, Gehrke, and Vilhuber (2008) applied this technique to location data in

order to anonymize commuting patterns.

3.1.4 Obfuscation

Anonymity and pseudonymity are not suitable solutions for services which require

identification (Langheinrich, 2001). But in situations in which users communicate

with trusted social contacts, an anonymity approach might not be adequate.

In such situations, users could improve their location privacy by decreasing the

spatial and temporal accuracy of their transmitted location (Duckham & Kulik,

2005). With approaches that focus on a spatio-temporal concealment of location

data, potential restrictions in service quality are accepted in exchange for privacy

improvements (Mascetti & Bettini, 2007).

Obfuscation as a method to improve a user’s location privacy is technically

similar to (k-)anonymity methods; both methods generalize the location datum

to be disclosed. However, the attacker model and the goal of so-called spatio-temporal cloaking is different from anonymity and pseudonymity strategies.

In anonymity and pseudonymity scenarios the attacker’s goal is to identify an

individual out of a set of generalized (w.r.t. quasi-identifiers) location data and the

attacker’s problem with obfuscated location data (w.r.t. spatio-temporal cloaking)

is in determining the individual’s actual location out of a set of possible locations

within the obfuscation domain. More precisely, Hutter, Stephan, and Ullmann

(2004) introduced the "need-to-know" principle, which means only as much

information should be disclosed in order for the service provider to make available

the requested service. This allows the user to hinder an attacker from drawing

conclusions regarding his or her exact location, preferences or current context.

While some obfuscation techniques require user interaction, i.e. defining a minimal spatial accuracy for certain service offers, it is of utmost importance

that location determination and disclosure are under the user’s control when



applying these techniques. For instance, in a scenario with network assisted

positioning, spatial and especially temporal degradation are difficult to achieve.

Duckham and Kulik (2005) identified three different types of information

imperfection: inaccuracy, imprecision and vagueness. All three (and the combinations

thereof) can form a theoretical base for obfuscation methods. While

inaccuracy may potentially provide false information (i.e. lying), imprecision

and vagueness refer to a "lack of specificity in information", which means that

the user often reports a spatial area or a descriptive location as being somewhere

"close." So-called cloaked areas may be generated either by reporting a spatial

area instead of a single point or reporting multiple points to the service provider.

In both cases, the attacker has the probabilistic problem of choosing the user’s

actual position given a probability distribution. "Silence" and data minimization

can also be special cases of obfuscation techniques. Examples of inaccuracy, more

precisely "white lying," are presented by Bagüés, Zeidler, Valdivielso, and Matias

(2007) as well as Chow and Golle (2009).

Obfuscation methods were also applied to user trajectories (recorded pathways of users). For example, Hoh and Gruteser (2005), further extended in Hoh, Gruteser, Xiong, and Alrabady (2010), mixed user paths when two users meet in order to increase the observer's or adversary's uncertainty. The goal of these methods, however, is closely related to anonymity approaches, which is removing quasi-identifiers from user tracks. By crossing and exchanging user tracks, an attacker is unable to identify frequently visited places, which reduces the probability of re-identification.

Ardagna, Cremonini, De Capitani di Vimercati, and Samarati (2011) proposed

a theoretical framework for obfuscation and define three basic obfuscation operators:

enlarge, shift and reduce; and their composition semantics. Damiani, Bertino,

and Silvestri (2009) further extended location obfuscation by including map semantics

in the location generalization process. In an offline phase, an obfuscation

map is calculated based on the user’s privacy profile which contains a set of

user-specific sensitive map features. The user is required to select sensitive map

features and assign sensitivity values to them (i.e. privacy profiles). The area in

question is then broadened until it satisfies the user’s privacy profile.
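The three operators can be written down as follows; the snippet is an added Python illustration, not code from the dissertation or from Ardagna et al. (2011). Locations are circles, and the relevance score is a simplified stand-in of this illustration's own (an assumption, not the framework's definition): the probability that the true position, taken as uniform within the measured circle, lies in the disclosed circle, multiplied by the share of the disclosed circle that is plausible at all. In Duckham and Kulik's (2005) terms, enlarge introduces imprecision and shift introduces inaccuracy.

```python
"""Location obfuscation operators on a circular area (added illustration).

Not code from the dissertation or from Ardagna et al. (2011). A measured
location is a circle (centre, radius); enlarge, shift and reduce transform
it before disclosure. relevance() is a simplified score of this example's
own (assumption): P(true position in disclosed circle), taking the true
position as uniform within the measured circle, times the share of the
disclosed circle that overlaps the measured one.
"""
import math
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Circle:
    x: float
    y: float
    r: float

    def area(self) -> float:
        return math.pi * self.r ** 2


def enlarge(c: Circle, factor: float) -> Circle:
    """Imprecision: same centre, larger radius (factor >= 1)."""
    assert factor >= 1.0
    return Circle(c.x, c.y, c.r * factor)


def reduce(c: Circle, factor: float) -> Circle:
    """Claim more precision than measured: smaller radius (0 < factor <= 1)."""
    assert 0.0 < factor <= 1.0
    return Circle(c.x, c.y, c.r * factor)


def shift(c: Circle, dx: float, dy: float) -> Circle:
    """Inaccuracy: move the centre, keep the radius."""
    return Circle(c.x + dx, c.y + dy, c.r)


def overlap(a: Circle, b: Circle) -> float:
    """Area of the intersection of two circles (standard lens formula)."""
    d = math.hypot(a.x - b.x, a.y - b.y)
    if d >= a.r + b.r:
        return 0.0
    if d <= abs(a.r - b.r):
        return math.pi * min(a.r, b.r) ** 2
    r1, r2 = a.r, b.r
    part1 = r1 * r1 * math.acos((d * d + r1 * r1 - r2 * r2) / (2 * d * r1))
    part2 = r2 * r2 * math.acos((d * d + r2 * r2 - r1 * r1) / (2 * d * r2))
    part3 = 0.5 * math.sqrt((-d + r1 + r2) * (d + r1 - r2) * (d - r1 + r2) * (d + r1 + r2))
    return part1 + part2 - part3


def relevance(measured: Circle, disclosed: Circle) -> float:
    """1.0 when the disclosed circle equals the measured one, 0.0 when disjoint."""
    ov = overlap(measured, disclosed)
    return (ov / measured.area()) * (ov / disclosed.area())


def compose(c: Circle, *ops: Callable[[Circle], Circle]) -> Circle:
    """Apply operators left to right, e.g. enlarge then shift."""
    for op in ops:
        c = op(c)
    return c


if __name__ == "__main__":
    m = Circle(0.0, 0.0, 100.0)
    for name, d in (("enlarge x2", enlarge(m, 2.0)), ("reduce x0.5", reduce(m, 0.5)),
                    ("shift 50", shift(m, 50.0, 0.0)),
                    ("enlarge x2, shift 200", compose(m, lambda c: enlarge(c, 2.0),
                                                      lambda c: shift(c, 200.0, 0.0)))):
        print(f"{name:22s} relevance = {relevance(m, d):.3f}")
```

Enlarging the radius by a factor of two or shrinking it by half both bring the score to 0.25, but by different routes: the enlarged area always contains the true position while three quarters of it are padding, whereas the reduced area is precise but misses the true position three times out of four. A shift by more than two radii discloses an area the user cannot be in at all.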



3.2 Summary

The sections above discussed computational and non-computational privacy-enhancing methods by picking representative examples of certain concepts and technologies.

The first two methods are related to political/regulatory and contractual law

research and both methods do not provide direct control to the user. A user

does not have tools and techniques to control and evaluate the information value

of the data released nor the ability to actively impose compliance on his or her

communication peers. With laws and regulation, an individual gains a basic

privacy protection. In order to achieve further protection, more sophisticated

and fine-grained methods are required. The other methods described provide

computational techniques for enhancing a user’s location privacy. Anonymity

and pseudonymity methods aim to protect an agent’s identity when communicating

with generally untrusted service providers. However, these methods are

not suitable in scenarios with trusted or semi-trusted peers or when regulation

requires an identity for service operation.

Generalization algorithms seek to balance two conflicting goals: a) increasing

the user’s privacy by maximizing the number of potential users contained in

the released region, provided that a sufficient number of trustworthy agents are

available, and b) increasing the quality of service by minimizing the released

region and query delays (Mascetti & Bettini, 2007; Kalnis, Ghinita, Mouratidis, &

Papadias, 2007). In order for a user to understand the trade-off between service

quality and privacy loss, obfuscation approaches require a privacy metric (e.g.,

Ardagna et al. (2011); Damiani et al. (2009); Rechert, Wohlgemuth, et al. (2011)).

For methods requiring trusted third parties (e.g. k-anonymity services (Gedik

& Liu, 2008) or spatial generalization (Hoh et al., 2010)), certain privacy risks

result from possible data retention (cf. Section 2.5). Users are confronted with

questions of data security, regardless of whether a privacy abuse results from

carelessness or from technical deficiencies. Also, a central service has at least the

same access to data as a singular service provider would have. If the service is

used for anonymization of several LBS services, a more complete spatio-temporal

movement profile can be created. The user does not have any influence on storage

time of his or her data nor can he or she prohibit forwarding or usage by third

parties. Even without the requirement of a trusted third party, the aforementioned

computational privacy enhancing techniques rely on very specific setups. General



implementations usable with popular location-based services are difficult since

service providers usually define how data is transmitted (i.e. the need to send a

single coordinate instead of a spatial area). Obfuscation methods are limited to

services that accept spatial areas as input instead of point/time location information.

Whether the service provider has an incentive to support privacy-enhancing

techniques, for instance obfuscation, remains open for discussion.

Most concepts concentrate on a single adversary type. In a scenario with

mobile communication, such an assumption is too limited and oversimplified.

For instance, in the communication scenarios depicted, at least three different types of

adversaries have to be taken into account. Although various privacy-enhancing

technologies have been proposed, many questions remain regarding the most

appropriate technology for different communication situations and, most importantly,

which information is disclosed through the application of these different

techniques. In particular, the quantification of location privacy is an open issue,

especially in the context of continuous or long-term location disclosure scenarios

(Krumm, 2009; Kulik, 2009).

This being said, a user-centric approach is required, one that simultaneously

takes several adversaries into account. Since there is a diverse set of potential

attackers, such a user-centric privacy model needs to capture both aspects of

location privacy: personal identification and protection against the identification

of personal preferences. The goal of the proposed model is to be technically

neutral such that it can be applied to different, and especially mixed, scenarios

involving different attackers and different recipients of location information.



CHAPTER 4

User-Centric Location Privacy Model

In order for location-based services to be privacy-aware, users need to be able

to identify and evaluate sensitive data – ideally before disclosure. Consolvo et

al. (2005) conducted a study to determine if, when and to what extent people are

willing to disclose location data. The study showed, inter alia, that participants

were willing to share their whereabouts during working hours but not during

their free time. Thus, it seems that users highly value sophisticated control over

their privacy in order to avoid potentially negative consequences of personal data

abuse (e.g. stalking, spam, advertisement). However, Acquisti and Gross (2006)

showed in a different study that even the users aware of privacy risks still have

difficulties in estimating the extent and consequences of personal information

disclosure, i.e. they were not aware of which groups of people they had given

access to their private data. For instance, in a survey by Patil, Norcie, Kapadia,

and Lee (2012) it was found that more than 25% of the study’s participants regretted

having revealed their location at least once.

From a user-centric perspective, two properties of location privacy are especially

important: first, different places might be evaluated differently by an

individual, depending on when and with whom the communication takes place;

and second, the expected movement(-model) and background knowledge matters.

The latter describes the user’s expectation of how the knowledge already

held by other communication partners will influence the (future) effectiveness of

privacy-enhancing technologies. This implies that a user’s ultimate goal regarding

location privacy is to control and to minimize exposure, disclosing only as little



information as possible while simultaneously achieving the maximum utility of

location-based services.

In order to assess expected privacy risks in terms of the extent of potential

exposure, a user-centric privacy model is proposed that raises user-awareness of

possible privacy-loss due to the information content of the disclosed datum. A

user-centric model is required to enable users to evaluate their subjective privacy

level autonomously and thereby enable them to make informed decisions, e.g.

choose a privacy protection mechanism before location information is disclosed.

4.1 Location Privacy Models & Metrics

Privacy models and privacy metrics are an important research field in mobile

communication and location-based services because they provide the framework

for evaluating a privacy protection method. One way to characterize location

privacy metrics is to compare the underlying adversary model.

A common adversary model is the identification and reconstruction of a single

individual’s trajectories from generalized, e.g. anonymized, location data. Once

these traces have been reconstructed, the adversary might identify the individual,

i.e. through his work- or home place determination and/or incorporating external

knowledge (e.g. Hoh et al. (2010); Ma et al. (2010)). As a result, Shokri, Freudiger,

Jadliwala, and Hubaux (2009) define a location privacy metric as an instrument

that measures the (in-)ability of an adversary to correctly track a mobile user

over space and time. Based on the same adversary model, a common metric to

measure privacy is k-anonymity (Sweeney, 2002; Gruteser & Grunwald, 2003). A

single variable can determine a user’s privacy level of being indistinguishable

from k − 1 other agents. However, this metric may be misleading if all k users

are situated within a region with few plausible positions. l-diversity and road

segment s-diversity address this issue by only taking the plausible positions into

account (Liu, 2009).

A different way of protecting a user’s location privacy is to draw on the adversary’s

uncertainty of assigning a new observation to the trace of a specific

individual, e.g. by assigning probabilities to movement patterns, and thus, compensate

for changed pseudonyms (e.g. introduced due to mix-networks (Beresford &

Stajano, 2003)). Díaz, Seys, Claessens, and Preneel (2003) introduced a measure

of entropy to quantify the degree of anonymity in mix-networks. The time-to-confusion

metric is similar in that it measures the maximal amount of tracking



time until the adversary cannot determine an individual’s next position with

satisfactory certainty (Hoh et al., 2010).

In order to measure and ultimately to achieve a desired anonymity level, global

knowledge of other nearby agents’ states is required. Thus, the aforementioned

privacy metrics require full insight into the set of all users to determine the level of

privacy for a single user within this set, and therefore, an anonymity assessment

cannot be achieved autonomously by the user. Furthermore, the aforementioned

measures are based on the assumption that the user needs full anonymity. Hence,

such measures are not suitable for communication with trusted or semi-trusted

peers, social contacts, or in ubiquitous communication networks which require a

confirmed identity of the user. Moreover, these metrics do not cover the sensitivity

of a location at a given time as pointed out by Shokri et al. (2009) nor are they able

to fully protect specific movement patterns (Bettini et al., 2005).

Shokri, Theodorakopoulos, Le Boudec, and Hubaux (2011) and Shokri, Theodorakopoulos,

Danezis, Hubaux, and Le Boudec (2011) measured location privacy as

the adversary’s expected location estimation error. The adversary’s correctness of

assigning an observation to the user’s real location determines the user’s privacy.

This implies that the user is always able to generalize his or her location datum.

However, in communication scenarios with semi-trusted communication peers,

the privacy metric’s value to an individual is limited from a user’s perspective.

This is because most location disclosures are voluntary, non-anonymous, and

therefore, presumably correct, at least to a certain extent.

With a different approach Freudiger, Shokri, and Hubaux (2012) aim to quantify

privacy risks resulting from using location-based services. To achieve this,

they focus on location-based quasi-identifiers (e.g. formally introduced by Bettini

et al. (2005)), more specifically on the deduction of work-home pairs. They correctly

analyze the risks of de-anonymization posed by quasi-identifiers; however,

their metric (defined as the probability of identifying work- and/or home-place)

focuses on achieving full anonymity.

For a user-centric location privacy model, location privacy has to be seen from

a different angle. In the communication scenarios targeted in this thesis, the user

is usually not able to hide or become anonymous. However, it is still possible to

model an observer’s expected knowledge gain and, in a second step, to protect

his or her privacy through informed decisions on when, how and to what extent

disclosing location information, e.g. by an evaluation of the location information



in context of specific observers. In order to create a user-centric privacy model

and protection measures, in a first step, a novel adversary model is required

since the aforementioned models describing a hostile and unknown adversary

are generally not adequate for today’s new mobile communication scenarios.

4.2 Modeling a Ubiquitous Observer

With regard to the mobile communication scenarios identified in Chapter 2, all

communication peers are considered partially trusted. However, once data has

been exchanged, any information revealed usually cannot be revoked by the user.

Even with explicit (legal contract) or implicit (social contract) privacy policies,

significant privacy risks remain (cf. Section 2.5). Hence, all partially trusted peers

can be considered, with regards to location privacy and aforementioned mobile

communication scenarios, as observing adversaries and in the following they are

referred to as observers. From a user’s perspective, there is no irrefutable knowledge

of the observing entity’s capabilities, especially regarding how disclosed or

observed location data is used and what kinds of conclusion the observer is able to

draw. In general, the user’s knowledge is limited to information of technical and

architectural characteristics of the mobile communication system employed and a

general estimation of the location determination abilities, limited by technical or

physical factors. Furthermore, it is assumed that the user is able to subjectively

estimate the mutual trust between each communication peer, and thus, is able

to estimate the observer’s background knowledge. Furthermore, the user is able

to monitor his or her location disclosures by logging the exposure to a service,

network or person and has knowledge of the surrounding landscape, i.e. semantic

map knowledge. Based on these assumptions, the ubiquitous observer model

is limited to information an observer may have collected during a defined observation

period. In the following section, location information is referred to as

observation $o_t$.

Definition 1 (Location Observation). Location observations $o_t = (c, \varepsilon)_t \in O$ are tuples of a geographic coordinate $c \in C$ and an observation error estimate $\varepsilon \in E$ of this coordinate. The choice of the geographic coordinate system ($C$), respectively $E$, and their concrete representation are not important in this context. The index $t$ is a timestamp describing when the location observation was made. A function $loc : O \to C$ extracts location information from the tuple, with the coordinate $c = loc(o_t)$ describing the actual transmitted location. $err : O \to E$ returns the error estimate. □

Definition 2 (Observation Error). For the purposes of this work, $\varepsilon$ is defined as the estimated spatio-temporal error of an observation as $\varepsilon = (\Delta d, \Delta t)$, whereas $\Delta d$ describes the spatial or radial error and $\Delta t$ the temporal error of an observation.

Let $C^*_{c,\varepsilon} \subset C$ be the subset of coordinates defined by an observation $o_t$. Based on map data, a spatial area is defined by the anchor coordinate $c$ and $err(o_t)$. Then, the set

$$PL(o_t) := \{\, c \in C^*_{c,\varepsilon} \mid Prob(c = c_{user}) > 0 \,\}$$

describes all possible locations, i.e. locations with a positive probability of being the user’s real location ($c_{user}$).

The function $numLoc(o_t) := |PL(o_t)|$ determines the number of possible locations. □

Definition 3 (Observer’s Memory / Observation History). An observer $\hat{a}$ has a memory $O = \{o_{t_0}, \dots, o_{t_m}\}$ of observations of the user’s movement history based on time-stamped location observations $o_t$, with $o_{t_m}$ being the latest observation made.

An observation context $O^{ctx}_{m+1,m+l} = \{o_{t_{m+1}}, \dots, o_{t_{m+l}}\}$ is a set of consecutive new location observations subject to a privacy evaluation. In contrast to the observer’s memory (observation history), the observation context is temporally and/or spatially restricted. □
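Definitions 1 to 3 instantiated in code, as an added example that is not part of the thesis: the grid map, its water cells and the sample observations are constructed here, and the integer grid stands in for the coordinate system $C$, which the thesis deliberately leaves open.

```python
"""Added example (not from the thesis): Definitions 1-3 on a constructed grid map.
Coordinates are integer grid cells (a stand-in for C); the map marks cells the
user cannot physically be at, i.e. the 'semantic map knowledge' the model assumes."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple
import math

Coord = Tuple[int, int]  # stand-in for C: an (x, y) grid cell


@dataclass(frozen=True)
class Observation:
    """o_t = (c, eps)_t with eps = (delta_d, delta_t) (Definitions 1 and 2)."""
    t: int            # timestamp index
    c: Coord          # anchor coordinate, loc(o_t)
    delta_d: float    # spatial (radial) error in grid units
    delta_t: float    # temporal error


def loc(o: Observation) -> Coord:
    """loc : O -> C, the transmitted coordinate."""
    return o.c


def err(o: Observation) -> Tuple[float, float]:
    """err : O -> E, the error estimate (delta_d, delta_t)."""
    return (o.delta_d, o.delta_t)


# Constructed 8x8 map: '.' is a plausible cell, '~' is water, Prob(c = c_user) = 0.
MAP = [
    "........",
    "...~~...",
    "..~~~~..",
    "...~~...",
    "........",
    "........",
    "....~~..",
    "........",
]


def plausible(c: Coord) -> bool:
    """Map knowledge: a cell is a possible user location only if it is on land."""
    x, y = c
    return 0 <= y < len(MAP) and 0 <= x < len(MAP[0]) and MAP[y][x] == "."


def candidate_region(o: Observation) -> FrozenSet[Coord]:
    """C*_{c,eps}: every cell within delta_d of the anchor, before map knowledge."""
    cx, cy = loc(o)
    r = int(math.ceil(o.delta_d))
    return frozenset(
        (x, y)
        for x in range(cx - r, cx + r + 1)
        for y in range(cy - r, cy + r + 1)
        if math.hypot(x - cx, y - cy) <= o.delta_d
    )


def possible_locations(o: Observation) -> FrozenSet[Coord]:
    """PL(o_t): cells of C*_{c,eps} with a positive probability of being c_user."""
    return frozenset(c for c in candidate_region(o) if plausible(c))


def num_loc(o: Observation) -> int:
    """numLoc(o_t) = |PL(o_t)|."""
    return len(possible_locations(o))


@dataclass
class ObserverMemory:
    """Definition 3: memory O = {o_t0, ..., o_tm} of one observer."""
    history: List[Observation]

    def latest(self) -> Observation:
        """o_tm, the latest observation held in memory."""
        return max(self.history, key=lambda o: o.t)

    def context(self, new: List[Observation]) -> List[Observation]:
        """O^ctx_{m+1,m+l}: the new observations, i.e. those after o_tm, in time order."""
        m = self.latest().t
        return sorted((o for o in new if o.t > m), key=lambda o: o.t)


if __name__ == "__main__":
    o = Observation(t=1, c=(3, 2), delta_d=1.5, delta_t=0.0)
    # 9 cells lie within the radial error, but only 2 of them are on land.
    print(len(candidate_region(o)), num_loc(o), sorted(possible_locations(o)))
```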

In the scenarios described in Chapter 2, the user’s utility is assumed to be positive

when communicating with a single peer (observer) â since communication is

voluntary. Otherwise, a rational agent would always refrain from communicating

with observer $\hat{a}$. A similar assumption is made for the observing communication

peers’ utility ($U_{\hat{a}}(o_t) \ge 0$) with regards to a user’s location information. In this

context, it is assumed that there are no costs associated with user observations and

the observer’s utility is only related to knowledge of the user’s whereabouts, such

as when mobile infrastructure reduces search costs. Hence, we assume a utility

gain if an observer gains knowledge of the user’s location since this information

can be used to provide new (commercial) services or may be used as a knowledge

base for future network improvements and infrastructure planning. Furthermore,

it is necessary to separate the user’s utility when disclosing information and the

user’s level of privacy, as the utility of location information naturally conflicts



with location privacy. In order to benefit from location-aware services, it is essential

to disclose one’s location which then may lead to a user’s privacy loss. In

other words, the observer’s utility is negatively correlated with the user’s privacy

level in a communication relationship with observer â.

Definition 4 (Privacy Relation). The user’s privacy level in relation to the observer’s utility $U_{\hat{a}}$, denoted as $P_{user} \in [0, \infty)$, with $P_{user} = 0$ as the maximally achievable privacy level, is defined as

$$U_{\hat{a}}(O) \simeq -P_{user}(O). \quad \square \quad (4.1)$$

For instance, if the user does not disclose any location information, the user’s

privacy is maximized, but the observer’s utility is zero w.r.t. information on the

user’s whereabouts. There may only be a utility gain if the observer extends its

knowledge, e.g. knowledge of the user’s preferences or of his or her (periodic)

behavior.

The trade-off between the user’s or the application’s utility and the "costs" in

terms of privacy loss has been analyzed for several settings (e.g. Rastogi, Suciu,

and Hong (2007); Kifer and Gehrke (2006)). For instance, correlating privacy and

utility has already been proposed by Brickell and Shmatikov (2008) in a database

and data-mining setting, in particular, measuring the tradeoff between privacy

and utility. More specifically, the so-called "direct comparison" approach assumes

that a utility gain in a data set corresponds to an equivalent privacy loss at the

user’s site. This approach has been heavily criticized by Li and Li (2009) since they

correctly argue that utility in general is an aggregate concept, while privacy is an

individual concept, especially in a data-mining context, where information about

a large number of individuals contributes to the aggregate utility of a compound

data-set. Hence, one might underestimate an individual’s privacy loss since the

resulting averaged or aggregated utility of a data set is compared to the privacy of

a single individual. The worst case privacy loss among all individuals subsumes

the actual privacy impact of the released data set.

Both the observer’s and the user’s utility is an individual measure, making it

difficult to model in a generic way. Since the user’s utility is also influenced by a

range of subjective factors and personal preferences, a more objective measure

for a user-centric privacy model is required. In our settings, however, the utility

gain is not directly measured since the goals and capabilities of the observer

are usually unknown to the user. We only assume that if (new) information is



passed to an observer, its utility may rise. This way, a worst case assumption

of privacy loss is made, given that the information content of an observation is

measurable. Thus, the analysis of mobile communication scenarios focuses on the

information content of a location observation (in the following denoted as $I_{\hat{a}}(o_t)$),

and therefore, on the resulting influence on the user’s location privacy. Thus, from

a user’s perspective, his or her location privacy is reduced if new (and therefore

possibly valuable) information is disclosed. Consequently, if certain information

is already known by a specific observer â, an increase of the opponent’s utility is

unlikely.

Accordingly, $I_{\hat{a}}(O') \ge I_{\hat{a}}(O)$, with $O' := O \cup \{o_t\}$, iff a new observation $o_t$ reveals previously unknown information to the observer $\hat{a}$. Hence, the user’s privacy with respect to observer $\hat{a}$ can only decrease by disclosing additional information: $P_{user}(O') \le P_{user}(O)$. By calculating the observer’s potential information gain

through the user’s location disclosure, a user-centric computational location

privacy model can be derived.

4.2.1 Inaccuracy, Errors and Observation Correctness

Until now, a strictly positive utility function for the user has been assumed. Based

on that, a user would not voluntarily engage in one of the specified mobile

communication scenarios if they negatively affected him/her. If we assume the

observer has a perfect memory, an increase of the user’s privacy level is only

possible if the user is intentionally lying about his or her location, the mobile

device is separated from its owner, or the user’s location does not equate to the

observed location, i.e. reduced accuracy or false information. In order to analyze

the identified communication scenarios, an accidental separation of owner and

device is not considered, while an intentional separation could be considered as

non-truthful location disclosure.

By providing false information, however, the observer’s knowledge base

would degrade and false information would likely lead to false conclusions. By

providing false location information, the user’s utility may decrease as well. For

instance, in the case of location-based services, a decrease in the user’s utility

might be caused by a low quality of service. When communicating with social

contacts, lying may lead to negative social consequences. In a survey, participants

were asked why they regret sharing their location over a social location sharing

system (Patil et al., 2012). 21% chose "being caught lying". Thus, it is assumed in



this thesis that location observations reflect the true positions of the user, unless

noted otherwise.

In contrast to sending false positions, location data may be inaccurate and

error-prone. In this case, the user’s observed location is relatively accurate with

respect to the user’s real location and/or the timestamp is unreliable (∆t). Inaccurate

location information can be the result of two separate causes. First, position

determination technology is inaccurate, i.e. a GPS consumer device suffers from a

systemic positioning error. The free GPS Standard Positioning Service guarantees

an accuracy of 13 m horizontally and 22 m vertically only 95% of the time (Hofmann-Wellenhof

et al., 2008, p. 317). Second, users may deliberately send inaccurate

location information. In contrast to sending false information, only the accuracy of

location observation is reduced. Negative consequences (especially social ones as

mentioned previously) usually do not follow from inaccurate location information

since even if the user deliberately generalizes location observations, he or she is

still within the given area.

Hence, the observer’s information value as well as the user’s privacy depend

on the nature and magnitude of the error estimate ε:

1. With more accurate information, more information might possibly be disclosed, and thus, $err(o'_t) < err(o_t) \Rightarrow I_{\hat{a}}(o'_t) \ge I_{\hat{a}}(o_t)$, whereas the actual information gain is dependent on landscape and application characteristics.

2. The error value ε for a given location sample is evaluated differently depending

on the observer and the kind of observation. If the observer determines

the location by direct observation (here denoted as $o_{\hat{a}}$), such as through a

WiFi/GSM/3G infrastructure, then the observer knows the size and distribution

of the expected error for the observed location sample. But more

importantly, the observer is able to choose time and frequency of location

observations, i.e. for external observations ∆t is always zero.

If location information is given by the user ($o_{usr}$), the observer has neither

information about quality nor about the magnitude of the error ε of the

observed sample. The user might have altered the spatial and/or temporal

accuracy of the location information before submission.

In general, it can be assumed that the expected error $err(o_{\hat{a}}) \le err(o_{usr})$,

and therefore, $I_{\hat{a}}(o_{\hat{a}}) \ge I_{\hat{a}}(o_{usr})$ since a robust error estimation reduces the



observer’s uncertainty, and thus, increases the potential information gain

for the same given error ε.

Depending on the type of service as well as the location determination technology,

the user may have options to technically influence the value of ε. In general,

however, location-based applications, services or protocols define the format of

the location datum. Possible formats range from exact coordinate tuples (latitude,

longitude) to plain text messages (e.g. Twitter messages, GSM text messages).

Furthermore, there is usually no explicit error estimate transmitted by the user.

However, the privacy model’s purpose is to evaluate the potential privacy loss

ideally before disclosing location information. Based on the discussion above,

the value of ε should be chosen by the user in a way such that err(o t ) is within

the technical/physical limits and the user is able to reach any location within

err(o t ) in a reasonable timespan (i.e. he or she cannot be "caught lying"). If the

user chooses ε too large, the location privacy model may underestimate the user’s

location privacy and vice-versa.

4.3 User-Centric Location Privacy Model

Measuring the user’s privacy level, and thereby the observer’s utility, poses

new challenges and difficulties. For instance, privacy levels may result from

different observation contexts or communication scenarios, making them difficult

to compare between different observers. Instead, the privacy level change caused

by a set of observations $O^{ctx}_{m+1,m+l}$ is measured. Since this set of observations

results from the same communication context, the information gain of different

observers becomes comparable.

The change of the user’s privacy level due to new location observations

$O^{ctx}_{m+1,m+l}$ made by observer $\hat{a}$, who has a location record $O$ about the user, is

described as:

$$\Delta P_{user}(O, O^{ctx}_{m+1,m+l}) := P_{user}(O \cup O^{ctx}_{m+1,m+l}) - P_{user}(O). \quad (4.2)$$

According to the adversary model requirements with $I_{\hat{a}}(O \cup O^{ctx}_{m+1,m+l}) \ge I_{\hat{a}}(O)$ and $I_{\hat{a}} \simeq -P_{user}$, with $P_{user} = 0$ as the maximally achievable privacy level, it follows that $\Delta P_{user}(O, O^{ctx}_{m+1,m+l}) \ge 0$. Thus, for every positive $\Delta P_{user}$, the user’s privacy decreases.

Since it is difficult to calculate or measure the user’s privacy loss directly, the

focus is on the observer’s information gain and the question of which information



a single location observation (or a set thereof) is able to transport. By analyzing the

potential information content of an observation context, two distinct components

can be identified:

1. A location observation context may contribute to a user model, where an

observer gains knowledge of the user’s regular behavior and preferences (e.g.

his or her neighborhood, occupation, leisure activities or social contacts),

depending on (a) duration, (b) density and (c) quality of (a set of) observation(s).

Using this knowledge, an observer could predict the user’s next

move (e.g. through a Markov model).

2. A location observation context describes a user being at loc(o t ) at time t with

inaccuracy (uncertainty) of err(o t ). Therefore, the initial information gain of

an observer is the knowledge of the user’s current location. We assume that

communication happens between trusted peers, meaning an honest user

discloses his (real) location information voluntarily for a certain purpose.

Thus, the user’s location privacy seems unharmed. However, location data

may also unintentionally disclose other information. By using location

information in combination with background knowledge, an observer could

derive sensitive information about the user’s current context (e.g. his or her

current activity or intention at an observed place).

4.3.1 Quantification of an Observer’s Information(-Gain)

The user-centric privacy model derived from the proposed opponent model is

based on the observer’s (opponent’s) information gain which then needs to be

quantified to model the user’s privacy loss.

Using entropy (Shannon, 2001) has already been proposed for different settings,

e.g. to quantify the theoretical degree of anonymity. For instance, Clauß (2006)

used entropy to quantify anonymity and "linkability" of users when disclosing

personally identifiable information. Further, Díaz et al. (2003) as well as Serjantov

and Danezis (2003) made use of entropy to model privacy in mix-networks. A

similar approach was conducted by Moe (2009) in an ad-hoc network setting using

conditional entropy. In both settings, a network with N users was researched. In

such a setting, the attacker’s problem is to link an intercepted message to one of

the N users, where each message originates from user i with probability p i . The



entropy of the above system then can be calculated as

$$H(X) = -\sum_{i=1}^{N} p_i \log_2(p_i).$$

Previous authors have interpreted the resulting entropy value as the amount

of additional information (measured in bits of information) required to identify

a single user. Alternatively, the entropy value is described as the remaining

uncertainty of the original sender’s identity. In general, it is assumed that the

attacker has no specific a-priori knowledge. This means, every user is equally

likely to be the sender, and thus, the discrete random variable X forms a uniform

distribution. Consequently, $H(X) = H_{max} = \log_2(N)$ is the maximally achievable anonymity. In general, Díaz et al. (2003) quantified the user’s anonymity as

$$d = 1 - \frac{H_{max} - H(X)}{H_{max}}.$$

Hence, any deviation from a uniform distribution results in knowledge gain for

the attacker.

Moe (2009) extended this model with attackers gaining control over certain

nodes in an ad-hoc network. Therefore, if an attacker has access to network-internal

information, the additional knowledge of the attacker has to be taken

into account. In order to combine the information gained from a local view with

the information obtained from a global view, Shannon’s conditional entropy has

been used. The conditional entropy of Y given X was defined by Shannon (2001)

as "the average of the entropy $Y$ for each value of $X$, weighted according to the probability of getting that particular $x_j$." Formally, conditional entropy is defined as

$$H(Y|X) = -\sum_{i,j} Prob(y_i, x_j) \log_2 Prob(y_i|x_j),$$

which can be rewritten as

$$H(Y|X) = -\sum_{j} Prob(x_j) \sum_{i} Prob(y_i|x_j) \log_2 Prob(y_i|x_j)$$

since the joint probability $Prob(y_i, x_j)$ can be rewritten as $Prob(x_j)\,Prob(y_i|x_j)$. Hence, with new information, the uncertainty must decrease ($H(Y|X) \le H(Y)$).
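The entropy measures above worked through in code, as an added example that is not the thesis’s own: $H(X)$, $H_{max}$, the degree of anonymity $d$ of Díaz et al. and Shannon’s conditional entropy $H(Y|X)$, evaluated on a constructed four-sender mix scenario in which an attacker in Moe’s sense controls an ingress relay; the sender/relay table is an assumption of this example.

```python
"""Added example (not from the thesis): entropy-based anonymity measures on a
constructed mix-network scenario with N = 4 senders."""
import math
from typing import Dict, List, Tuple


def entropy(probs: List[float]) -> float:
    """H(X) = -sum_i p_i log2(p_i); zero-probability terms contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def max_entropy(n: int) -> float:
    """H_max = log2(N): every one of N senders is equally likely."""
    return math.log2(n)


def degree_of_anonymity(probs: List[float]) -> float:
    """Diaz et al. (2003): d = 1 - (H_max - H(X)) / H_max, d = 1 for a uniform X."""
    h_max = max_entropy(len(probs))
    return 1.0 - (h_max - entropy(probs)) / h_max


Joint = Dict[Tuple[str, str], float]  # keyed (y_i, x_j) -> Prob(y_i, x_j)


def marginal(joint: Joint, index: int) -> Dict[str, float]:
    """Sum the joint table over the other variable (index 0 = Y, index 1 = X)."""
    out: Dict[str, float] = {}
    for key, p in joint.items():
        out[key[index]] = out.get(key[index], 0.0) + p
    return out


def conditional_entropy(joint: Joint) -> float:
    """H(Y|X) = -sum_{i,j} Prob(y_i, x_j) log2 Prob(y_i|x_j),
    using Prob(y_i|x_j) = Prob(y_i, x_j) / Prob(x_j)."""
    px = marginal(joint, 1)
    return -sum(p * math.log2(p / px[x]) for (_, x), p in joint.items() if p > 0.0)


def mix_scenario() -> Joint:
    """Constructed scenario (an assumption of this example): Y is the true sender,
    X is the ingress relay a compromised node reports a message arriving from.
    u1 and u2 always enter via relay n1, u3 and u4 via relay n2; all pairings are
    equally likely, so the global view of Y alone is still uniform."""
    return {("u1", "n1"): 0.25, ("u2", "n1"): 0.25,
            ("u3", "n2"): 0.25, ("u4", "n2"): 0.25}


def attacker_gain_bits(joint: Joint) -> float:
    """H(Y) - H(Y|X): bits of sender identity the local (node) view adds."""
    h_y = entropy(list(marginal(joint, 0).values()))
    return h_y - conditional_entropy(joint)


if __name__ == "__main__":
    j = mix_scenario()
    senders = list(marginal(j, 0).values())
    # Global view: H(Y) = 2 bits, d = 1; with the relay known: H(Y|X) = 1 bit.
    print(entropy(senders), degree_of_anonymity(senders), conditional_entropy(j))
```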

Entropy has also been used in the context of location privacy. Shokri, Theodorakopoulos,

Le Boudec, and Hubaux (2011) used an entropy-based benchmark

metric to compare and justify their proposed correctness metric. In a setting with



an adversary aiming to correctly track the user’s whereabouts, they modeled the

location privacy entropy level as $-\sum_r Prob_{u,t}(r) \log_2 Prob_{u,t}(r)$, using a probability

distribution of an adversary assigning location r to user u at time t. In a similar

setting, Voulodimos and Patrikakis (2009) quantified user privacy positioning as

$-\log_2\left(\frac{S_{GPS}}{A}\right)$ (i.e. $H_{max}$), where $A$ is a map area serviced by an LBS service and $S_{GPS}$ is the area defined by the user’s GPS location and spatial error.

Kamiyama, Ngoc, Echizen, and Yoshiura (2010) adapted the MIX anonymity

scheme and used entropy to quantify information disclosure through social network

services. The proposed measurement quantifies the privacy loss caused by

the disclosure of multiple (sensitive) attributes and their respective probability

distribution.

This thesis proposes a user-centric privacy model based on an observer’s information

gain through location observations. In order to quantify the observer’s

information gain by means of entropy, the user must identify appropriate probability

distributions to characterize valuable and/or sensitive information within

his or her location data, released to a specific observer.

4.3.2 Knowledge

The knowledge component of the user-centric privacy model covers aspects of

long-term observations. That is, new observations are evaluated in the context of

a presently available observation history O. More specifically, new observations

may contribute to a user-model, based on the observation history O. Furthermore,

this model also captures duration, length and accuracy of location observations of

a specific observing entity â.

Definition 5 (Knowledge). Based on the adversary’s utility function, we require that $\Delta K(O, O^{ctx}_{m+1,m+l}) = K(O \cup O^{ctx}_{m+1,m+l}) - K(O) \ge 0$. If no new information is released, $\Delta K = 0$, and thus, no privacy loss is experienced by the user. □

Since a user cannot change the knowledge an observer already has, the user

may evaluate the level of completeness of an observer’s knowledge base and

the potential information gain (and the respective privacy loss) due to disclosing

a further location observation. In order to make use of entropy as a measure,

a model capturing the user’s privacy preferences of the observer’s knowledge

needs to be defined.



4.3.2.1 Example: Knowledge Gain on User Mobility Model

The user’s privacy is threatened, for instance, by discovering his or her routine

behavior and preferences, i.e. his or her movement pattern. For every new observation,

a knowledge gain requires an observer to learn a new element of a user’s

profile, i.e. uncovering a new characteristic location or updating its weight (i.e.

ranking). Additionally, by evaluating previous observations O, the probability

distribution of previously observed locations may be refined.

In a study of movement patterns of mobile phone users, Gonzalez et al. (2008)

found a characteristically strong tendency of humans to return to places they

have visited before. Moreover, the probability of returning to a specified location

depends on the number of location samples for that location. A rough estimate

can be denoted as

$$Prob(l_k) \sim k^{-1},$$

where k is the rank of the location l based on the number of observations, describing

a Zipf-like distribution.

In a similar study on mobility patterns, it was shown that the number of

significant places is limited (≈ 8-15). A user spends about 85% of his or her time at

these places. However, there is a long tail area with several hundred places which

have been visited less than 1%, but cover about 15% of the user’s total observation

time (Bayir, Demirbas, & Eagle, 2009). In a study by Benisch, Kelley, Sadeh, and

Cranor (2010), about half of the participants visited 9 or fewer distinct locations,

89% visited less than 14, with an overall maximum of 27 and a minimum of 3.

Furthermore, their user study showed a significant drop of the time spent at

locations ranked second, third, etc.

For the proposed privacy model, we concentrate on the top $L$ popular places, as these places are likely to be revisited, and therefore, are considered significant places in a user’s routine. If we assume that the generic observer’s a-priori knowledge of the observed location sample $o_t$ is limited to a probability distribution describing human mobility patterns and the accumulated knowledge so far, then we can model the adversary’s knowledge (gain) as the reduced uncertainty that results from assigning the observed location information to a top-$L$ place.

Modeling Uncertainty in the Context of Frequently Visited Places

In the following, we consider a location $l \in C^*$ to be an arbitrarily shaped area in $C$ and denote the spatial inclusion of a precise coordinate $c \in C$ in the area $l$ by writing $c \cong l$.

In order to comply with the characteristics of human mobility patterns as described above, we define the probability of an observed location sample $o_t$ belonging to one of the top $L$ locations ($l_i$, $i \in \{1, \ldots, L\}$) as
$$p_{l_i} := Prob(loc(o_t) \cong l_i) = \tau^i,$$
where $\tau \in (0, 1]$ is chosen in such a way that $\left(\sum_{i=1}^{L} p_{l_i}\right) + \gamma = 1$, with $\gamma \in [0, 1)$ representing the summed probability of $o_t$ belonging to one of the many seldom visited (i.e. non-characteristic) places.

Classification of a New Observation

Assuming the observer $\hat{a}$ has already discovered the top $k$ locations of the user, due to the previously observed user locations in $O$, we distinguish between two cases:

(A) $o_t$ belongs to a frequently visited location already known to the observer ($\exists i \in \{1, \ldots, k\} : loc(o_t) \cong l_i$),

(B) the observer is not able to unambiguously assign the location observation to an already detected top-$k$ location.

For case (B), we measure privacy as the uncertainty (i.e. entropy) of assigning $o_t$ to one of the remaining unknown top $L$ locations, assuming $\hat{a}$ has already discovered $k$ locations. The conditional probability of assigning $o_t$ is defined as $p^k_{l_i} := Prob(loc(o_t) \cong l_i \mid Y_k)$, with the discrete random variable $Y_k$ denoting the probability of $loc(o_t)$ being at one of the frequently visited locations $l_{k+1}, \ldots, l_L$ which are not yet known to the observer.

We denote $p_{sk} := \sum_{i=1}^{k} p_{l_i}$ as the summed probability of the $k$ top locations known to the observer and accordingly $p_{su} := \sum_{i=k+1}^{L} p_{l_i}$ as the summed probability for the unknown top locations. Given that $o_t$ does not belong to one of the $k$ known places, the probability for the remaining places $l_{k+1}, \ldots, l_L$ changes to $p^k_{l_i} = p_{l_i} \cdot \left(1 + \frac{p_{sk}}{p_{su}}\right)$, which yields the following calculation:
$$H^k_{\hat{a},L,\gamma}(O, o_t) = -\left(\sum_{i=k+1}^{L} p^k_{l_i} \log_2 p^k_{l_i}\right) - \gamma \log_2 \gamma,$$
where $\gamma$ denotes the summed probability of location samples which do not belong to the top $L$ locations.

The overall uncertainty level of the adversary assigning an observation $o_t$ to a frequently visited location is the weighted sum of both possible cases, either $o_t$ can be assigned to an already known place or $o_t$ may belong to a yet unknown place
$$\hat{H}^k_{\hat{a},L,\gamma}(O, o_t) = p(A) \cdot H^{(A)}_{\hat{a},L}(O, o_t) + p(B) \cdot H^k_{\hat{a},L,\gamma}(O, o_t),$$
where $p(A) = p_{sk}$ is the probability of case (A) and $p(B) = 1 - p(A)$ the probability of case (B). In case (A), no information about new frequently visited places is revealed (which is denoted as $H^{(A)}_{\hat{a},L}(O, o_t) = 0$). By merging both equations of the two cases, the overall uncertainty of an adversary for assigning $o_t$ to a yet unknown top location can be expressed as
$$\hat{H}^k_{\hat{a},L,\gamma}(O, o_t) = (1 - p_{sk}) \cdot \left( -\left(\sum_{i=k+1}^{L} p^k_{l_i} \log_2 p^k_{l_i}\right) - \gamma \log_2 \gamma \right). \quad (4.3)$$

If we assume that the observer’s baseline knowledge of an arbitrarily chosen

user corresponds to generic human mobility patterns, then $\hat{H}^k_{\hat{a},L,\gamma}(O, o_t)$ expresses

the observer’s general uncertainty of assigning a new observation o t to a yet

unknown place, incorporating already accumulated knowledge based on previous

observations O, and hence, describing the weighted average of possible entropies

available, i.e. conditional entropy (Diaz, Troncoso, & Danezis, 2007).
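As an added, worked illustration of the derivation above (this is not code from the thesis), the following Python builds the Zipf-like prior $p_{l_i} = \tau^i$ for a chosen $L$ and $\gamma$, solving for $\tau$ numerically (the thesis does not state how $\tau$ is obtained; bisection is an assumption here), and evaluates $\hat{H}^k_{\hat{a},L,\gamma}$ from eq. (4.3) for every number $k$ of places already known to the observer. The knowledge gain of Figure 4.1(b) is the drop in $\hat{H}^k$ when the $(k+1)$-th place is uncovered. The $k = L$ case, in which no unknown top place remains and $p_{su} = 0$, is handled explicitly instead of dividing by zero.

```python
import math


def solve_tau(L, gamma, iters=200):
    """Find tau in (0, 1] with sum_{i=1..L} tau^i + gamma = 1 by bisection.
    The left-hand side grows monotonically with tau, so bisection converges.
    (Assumption: the thesis does not say how tau is determined.)"""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if sum(mid ** i for i in range(1, L + 1)) < 1 - gamma:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def top_l_distribution(L, gamma):
    """p_{l_i} = tau^i for i = 1..L: the Zipf-like prior over the top-L places."""
    tau = solve_tau(L, gamma)
    return [tau ** i for i in range(1, L + 1)]


def entropy(probs):
    """Shannon entropy in bits; zero probabilities contribute nothing."""
    return -sum(q * math.log2(q) for q in probs if q > 0)


def conditional_distribution(p, k):
    """p^k_{l_i} = p_{l_i} * (1 + p_sk / p_su) for the L-k places not yet known,
    given that o_t is not at one of the k known places. Empty when k == L,
    because p_su = 0 and no unknown top place remains."""
    p_sk, p_su = sum(p[:k]), sum(p[k:])
    if p_su == 0:
        return []
    return [pi * (1 + p_sk / p_su) for pi in p[k:]]


def uncertainty(p, gamma, k):
    """H-hat^k_{a,L,gamma} (eq. 4.3): (1 - p_sk) times the entropy over the
    unknown top places plus the 'somewhere else' mass gamma."""
    p_sk = sum(p[:k])
    return (1 - p_sk) * entropy(conditional_distribution(p, k) + [gamma])


def knowledge_gain(p, gamma):
    """Drop in uncertainty when the (k+1)-th place becomes known, k = 0..L-1
    (the curve of Figure 4.1(b))."""
    h = [uncertainty(p, gamma, k) for k in range(len(p) + 1)]
    return [h[k] - h[k + 1] for k in range(len(p))]


if __name__ == "__main__":
    # Same parameter choices as Figure 4.1: L = 8, 12, 15 and gamma = 0.15.
    for L in (8, 12, 15):
        p = top_l_distribution(L, 0.15)
        print(f"L={L:2d} H^0={uncertainty(p, 0.15, 0):.3f} gains:",
              " ".join(f"{g:.3f}" for g in knowledge_gain(p, 0.15)))
```

Running the module prints, for each $L$, the initial uncertainty $\hat{H}^0$ and the per-place knowledge gains; by construction the conditional distribution for every $k < L$ together with $\gamma$ sums to one, which is the check a reader should make before trusting any entropy value derived from it.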

[Figure 4.1: two plots titled "Uncertainty of a location observation"; (a) Absolute (normalized) values, y-axis "Entropy"; (b) Knowledge gain, y-axis "Knowledge Gain"; x-axis in both panels "top-N locations" (0 to 16); curves for L=15, L=12 and L=8, each with γ=0.15.]

Figure 4.1: Uncertainty values $\hat{H}^k_{\hat{a},L,\gamma}$ are calculated with $L = 8$, $L = 12$, $L = 15$ and $\gamma = 0.15$.

Disclosure or detection of any significant place decreases the user’s privacy by

roughly the same level, independent of the relative importance or rank of the place

(cf. Fig. 4.1). Only for the two to three most important places, privacy loss is higher.

In a user study, Benisch et al. (2010) found similar patterns: study participants

were intuitively more willing to share the second most visited location than their

most favorite place. The authors of the study explained this behavior with the



fact that the second most visited place is usually a public place (e.g. workplace,

university, etc.). Also Zang and Bolot (2011) have studied the impact of the

user’s top N with regards to the anonymity set size. Their study emphasizes the

importance of the top-3 locations, since the anonymity set size when the top-3 locations are known is 2, even with ZIP code location granularity.

The proposed observer model, and accordingly, the privacy model showed

that the user’s privacy loss is roughly the same for all further detected clusters.

This result reflects the importance of lower ranked clusters with regards to the

completeness of a user’s profile. Since lower ranked clusters are harder to detect,

the ability to uncover such a place reflects the density and/or the length of

observation by an adversary, and thus, the extent of the user’s exposure.

The chosen mobility model is very simple and does not cover all situations.

When observing an already known location (case (A)), the knowledge gain based

on this model is zero. A location observation may still contain new information,

e.g. shifts of preferences or improved location accuracy. However, even with

this simple model, location privacy can be modeled in the grey area beyond full

anonymity.

4.3.2.2 Example: Uncertainty of a Location Observation

Until now we have assumed a simple binary decision as to whether a location sample belongs to a regularly visited place (i.e. cluster) or not, hence $\varepsilon \cong 0$, and a function $C_O(l) = |\{o \in O \mid loc(o) \cong l\}|$ counting the number of times a user was observed at a given location $l \in C^*$, making it possible to rank the places by their popularity ($l_1, l_2, \ldots, l_L$, with $C_O(l_i) \ge C_O(l_{i+1})$, which means that $l_1$ is the most frequently visited location). This results in the second problem of an observing adversary: to select the user’s real location out of a set of possible locations within an area defined by the estimated spatial error.

The user’s location privacy can be quantified as the observer’s uncertainty of

the user’s real location. If we assume the observer has no specific background

knowledge of an individual user, every location is either equally likely, or the

probability of each location depends on a specific spatial error model.

For simplicity, we assume for now that all possible locations are equally likely. Hence, the opponent’s uncertainty can be described as $H^{location}_{\hat{a}}(o_t) = \log_2(numLoc(o_t))$. This logarithmic measurement (entropy) also reflects the natural intuition of location privacy: if $numLoc(o_t)$ is already low, any further improvement of the observation accuracy, i.e. a smaller $err(o_t)$, will reduce the observer’s uncertainty significantly, and thus, will lead to higher privacy loss. Hence, $\Delta H^{location}_{\hat{a}}$ captures the effect of an improved location observation, i.e. a reduced $err(o_t)$, on a user’s location privacy.

4.3.2.3 Example: Measuring Deviation of Movement Patterns

People’s preferences are not static, and hence, neither are their preferences regarding

frequently visited places. For instance, people change their employer (or

workplace) and/or move from time to time. Such changes in regular behavior

cause private information to be disclosed, and thus, may harm the user’s privacy.

In modeling these changes, the observation horizon can be limited by discarding

information older than a certain amount of time.

If $o_t$ can be assigned to a known location $l_i \in L$, then $\Delta H^{model}_{\hat{a}} = 0$, as by definition no information about new frequently visited places is revealed.

However, the weight of the already determined frequently visited places may

change as a result of new observations.

In order to model changes in the frequency of the user’s top locations and

a user’s regular behavior, we measure the change in distribution made by a set

of new observations O ctx . The observer’s a priori knowledge is the distribution

of time spent at all known locations, and hence, their relative importance to the

user. An observer gains extra knowledge if the distribution of time spent changes,

i.e. the user’s preferences have changed. For every detected location we assume that the true probability $q(O, l_i) := \frac{C_O(l_i)}{|O|}$ is the relative observed importance of location $l_i$ derived from the previous observations in $O$. Thus, the information gain is the difference between the observed distribution before and after the disclosure of additional data. One simple method to measure the information gain is the relative entropy using KL-divergence (Kullback & Leibler, 1951)
$$H^{Change}_{\hat{a}}(O, O^{ctx}_{m+1,m+l}) = -\sum_{i=1}^{k} q(O, l_i) \log_2 \frac{q(O, l_i)}{q((O \cup O^{ctx}_{m+1,m+l}), l_i)}, \quad (4.4)$$
where $q((O \cup O^{ctx}_{m+1,m+l}), l_i)$ describes the new probability distribution after a new observation context $O^{ctx}_{m+1,m+l}$.
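The counting function $C_O$ and the popularity ranking of Section 4.3.2.2, together with the relative entropy of eq. (4.4), can be implemented in a few lines. The following Python is an added example, not code from the thesis; the observation history and the new context are constructed sample data in which the user starts appearing at a new workplace. The example uses the standard non-negative KL convention $\sum_i q \log_2 (q / q')$, so that a larger value means a larger shift in the user's observed preferences, and the sum runs only over the $k$ places already known from $O$, as in eq. (4.4); places that appear for the first time in $O^{ctx}$ are covered by the knowledge component, not by this measure.

```python
import math
from collections import Counter

# Constructed observation history O: each entry is the place a location sample was
# assigned to (loc(o) ~= l) after clustering. The labels are hypothetical.
HISTORY = ["home"] * 50 + ["work"] * 35 + ["gym"] * 10 + ["cafe"] * 5
# Constructed observation context O_ctx: the user now mostly appears at a new office.
CONTEXT = ["home"] * 5 + ["new_office"] * 14 + ["gym"] * 1


def counts(observations):
    """C_O(l) = |{o in O | loc(o) ~= l}| for every place l seen in O."""
    return Counter(observations)


def rank_places(observations):
    """l_1, l_2, ..., l_L ordered so that C_O(l_i) >= C_O(l_{i+1}); ties broken by name."""
    c = counts(observations)
    return sorted(c, key=lambda place: (-c[place], place))


def distribution(observations):
    """q(O, l) := C_O(l) / |O| for every place in O (empty mapping for an empty history)."""
    n = len(observations)
    return {l: c / n for l, c in counts(observations).items()} if n else {}


def change_entropy(history, context):
    """Relative entropy of eq. (4.4) between q(O, .) and q(O u O_ctx, .), summed over
    the k places already known from O. Every known place also occurs in O u O_ctx,
    so q_new[l] > 0 and the quotient is always defined."""
    q_old = distribution(history)
    q_new = distribution(list(history) + list(context))
    return sum(q * math.log2(q / q_new[l]) for l, q in q_old.items())


if __name__ == "__main__":
    print("ranking l_1..l_L:", rank_places(HISTORY))
    print("H_change (constructed context):", round(change_entropy(HISTORY, CONTEXT), 4))
    print("H_change (no new data):", change_entropy(HISTORY, []))
```

A context that leaves the relative frequencies unchanged yields exactly zero, which is the "no new information, no privacy loss" case of Definition 5; a context that shifts mass away from the known places yields a strictly positive value.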

4.3.3 Sensitivity

The second component threatening the user’s privacy with regards to his current

location is the sensitivity (S) of an observation o t . Due to diverse preferences, it is



difficult to capture the individual subjective sensitivity generically. A potentially

objective measure of location sensitivity is the level of the expected exposure

caused by disclosing location information with a given accuracy to a specific

observer at a given time and date. In particular, the user is exposing himself by

allowing or providing location observations. In daily life, such behavior may

provide new, possibly sensitive knowledge for any observer. However, in a

crowded shopping or business district during business hours, the user’s exposure

is quite limited. Even with appropriate knowledge of his or her current location,

the user is hard to spot, and therefore, it is difficult to observe his or her current

activities or guess the user’s intention. The number and diversity of possible and

plausible places where a user could be, is too large to draw exact conclusions.

4.3.3.1 Landscape Characteristics & Expected Observer Knowledge

A single location observation might have a different impact on the user’s privacy,

depending on time and place, but also on the observer. The observer might be

able to draw exact conclusions about the user’s state and intention if the observer

has good background knowledge of the user (e.g. spouse and friends) and of

the specific characteristics of the user’s surrounding landscape. In general, the

user is unable to determine the observer’s real goals (as well as the observer’s

ability to succeed). However, the user has a subjective feeling about the sensitivity

of his or her activities with regards to a specific observer and his or her current

context. For instance, if the observer is the user’s employer, sensitive locations,

and thus, potentially sensitive activities during working hours would include

locations where the user is unable to plausibly explain the relation to his or her

professional activities. These locations would not be considered sensitive when

determined by another observer. Thus, the sensitivity value should model the

observer’s expected information gain with regards to specific, subjective, time

and observer dependent sensitive attributes contained in the current observation

set.

Based on a similar assumption, Cranshaw, Toch, Hong, Kittur, and Sadeh

(2010) developed an entropy-based approach for analyzing the social context of a

geographic region. The proposed model assigns a high entropy to a place with

a wide range of observed visitors at that location and a low entropy value if the

place was only visited by a few people. Based on this location diversity measure,

a user-study was conducted on presence sharing preferences. Toch et al. (2010)



found that people are more comfortable sharing their location at places visited

by a large number and a diverse group of people as opposed to places highly

frequented, but by a homogeneous group. While such knowledge contributes

to the user’s awareness of location privacy and improves the user’s ability to

disclose location information in an informed way, this approach requires a certain

amount of empirically based data.

Damiani et al. (2009) also proposed a sensitivity metric quantifying the sensitivity

of a spatial region, defined as the probability of a user within such an

area being at a sensitive place, e.g. hospital or religious building. The user is

required to select sensitive map attributes and has to assign sensitivity values to

each attribute. However, the metric does not incorporate the expected knowledge

of the observer, i.e. its capabilities to reduce map features and to refine their

probability distribution. The underlying privacy metric in this case is based on

an expected probability density function of the user’s location combined with

the sensitive map features found within a specific region. Thus, Damiani et al.

expressed sensitivity as the adversary’s conditional probability of the user being

located within an area marked with sensitive attributes.

From a user’s perspective, plausible deniability is measured by the number

of different places and features the user is able to explain in context of a specific

observer. Furthermore, estimating the adversary’s probability density function is

generally difficult. Based on the derived user-centric privacy relation (Definition

4), the sensitivity of a location observation is the potential information contained in

disclosed location information. By taking into account time, date and surrounding

landscape, the observer may adapt the probability distribution of all estimated

user locations, and thus, gain further knowledge. The evaluation of location

observations with a similar (possibly obfuscated) error-value ε may then result in

completely different sensitivity values. Hence, the sensitivity of an observation

(context) for a given set of user-defined sensitive attributes depends on how much

new information an observer may gain on the user’s current context compared to

a neutral landscape. In a second step, a specific observer may be able to derive

the user’s current activity, i.e. the reason for visiting location loc(o t ).



Definition 6 (Plausible Locations). Due to the spatio-temporal error $\varepsilon \in E$, an observation $o_t$ describes only an area in $C$ where the user might be located. The size of this area can be further refined by the maximum velocity at which a user can move. Furthermore, any place $c \in PL(o_t)$ may bear semantic attributes describing a special function, e.g. a certain type of shop, residential or public building. We introduce a probability distribution $Q(\hat{a}, t)$ among these semantic attributes describing the user’s belief of the observer’s knowledge and/or describing subjective sensitive attributes in context of observer $\hat{a}$ and time/date $t$. Then the set
$$PL_{Q(\hat{a},t)}(o_t) := \{\, c \in PL(o_t) \mid Prob(c = c_{user} \mid Q(\hat{a}, t)) > 0 \,\}$$
describes all plausible locations, given a probability distribution $Q(\hat{a}, t)$ on semantic map attributes applied to locations in $PL(o_t)$.

The function $numLoc_{Q(\hat{a},t)}(o_t) := |PL_{Q(\hat{a},t)}(o_t)|$ determines the number of plausible locations. □

While $numLoc()$ is a static measurement (i.e. the surrounding geographic features are considered static, at least in the short run), $numLoc_{Q(\hat{a},t)}()$ is time dependent because the importance of specific attributes changes, for example, based on the time of the day, the day of the week, the season, etc. Thus, $numLoc_{Q(\hat{a},t)}(o_t) \le numLoc(o_t)$.

Definition 7 (Location Sensitivity). Let $C(o_t)$ be the discrete probability distribution describing the probability of a user being at location $c \in PL(o_t)$ and $C_{Q(\hat{a},t)}(o_t)$ the refined probability distribution of the user being at $c \in PL_{Q(\hat{a},t)}(o_t)$. Location sensitivity $S_{\hat{a}}(o_t)$ is the potential information gain between the distributions in $C(o_t)$ and $C_{Q(\hat{a},t)}(o_t)$, assuming a probability distribution $Q$ w.r.t. observer $\hat{a}$ and time/date $t$. Thus, the sensitivity measure $S$ describes the observer’s information gain of the user’s current activity with regards to a specific semantic feature-model (based on the observer’s background knowledge). □

In other words, S describes how much easier it is for an observer to derive the

user’s real-life activity for a given (set of) new location observation(s) combined

with the assumed background knowledge and surroundings of the user. The

static location sensitivity can then be calculated as the information gain between

probability distributions of both possible and plausible locations. The sensitivity

component reflects the specific impact of the user’s current location context versus

a neutral landscape in the context of a specific observer and observation time. With



a growing spatio-temporal error in a dense and diverse landscape, the number of

possible locations where a user could be increases, and so does the adversary’s

uncertainty of the user’s action. In Chapter 8 an example implementation based

on real map data is presented.
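As an added example for the uniform entropy $H^{location}_{\hat{a}}$ of Section 4.3.2.2 and for Definitions 6 and 7 (this is not code from the thesis, nor the Chapter 8 implementation), the following Python models a candidate set $PL(o_t)$ of places carrying semantic attributes and an observer-specific distribution $Q(\hat{a}, t)$ over those attributes. Place names, attributes and weights are constructed. Since the thesis does not fix a formula for the information gain between $C(o_t)$ and $C_{Q(\hat{a},t)}(o_t)$, the example takes the entropy reduction $H(C) - H(C_Q)$, which for a uniform $C(o_t)$ equals $KL(C_Q \,\|\, C)$; spreading each attribute's mass uniformly over the plausible places carrying it is likewise an assumption of this example.

```python
import math
from collections import Counter

# Constructed candidate set PL(o_t): places inside the spatial error of one observation,
# each tagged with a semantic map attribute. Names and attributes are hypothetical.
PLACES = [
    ("main-street-12", "shop"), ("main-street-14", "shop"),
    ("park-entrance", "park"), ("clinic-east", "hospital"),
    ("office-tower", "office"), ("office-tower-2", "office"),
    ("chapel", "religious"), ("bus-stop-7", "transit"),
]

# Constructed Q(a, t) for an employer observing during working hours: the probability
# mass the user attributes to each semantic attribute (attributes with no entry are
# ruled out by that observer at that time).
Q_EMPLOYER_WORKHOURS = {"office": 0.7, "transit": 0.2, "shop": 0.1}


def num_loc(places):
    """numLoc(o_t) = |PL(o_t)|."""
    return len(places)


def plausible_locations(places, q):
    """PL_Q(o_t): candidate places whose attribute has probability > 0 under Q(a, t)."""
    return [(name, attr) for name, attr in places if q.get(attr, 0.0) > 0]


def refined_distribution(places, q):
    """C_Q(o_t): attribute mass of Q, renormalised over the attributes actually present
    in PL(o_t), spread uniformly over the plausible places carrying that attribute."""
    plausible = plausible_locations(places, q)
    if not plausible:
        raise ValueError("Q(a, t) rules out every candidate place")
    per_attr = Counter(attr for _, attr in plausible)
    mass = sum(q[attr] for attr in per_attr)
    return {name: q[attr] / per_attr[attr] / mass for name, attr in plausible}


def entropy(dist):
    """Shannon entropy in bits of a {place: probability} mapping."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def location_entropy(places):
    """H^location_a(o_t) = log2(numLoc(o_t)) when every candidate is equally likely."""
    return math.log2(num_loc(places))


def accuracy_gain(num_before, num_after):
    """Delta H^location: uncertainty removed when a smaller err(o_t) shrinks the set."""
    return math.log2(num_before) - math.log2(num_after)


def sensitivity(places, q):
    """S_a(o_t), modelled here as the information gain from the uniform C(o_t)
    to the refined C_Q(o_t): H(C) - H(C_Q), which equals KL(C_Q || C)."""
    return location_entropy(places) - entropy(refined_distribution(places, q))


if __name__ == "__main__":
    pl_q = plausible_locations(PLACES, Q_EMPLOYER_WORKHOURS)
    print("numLoc =", num_loc(PLACES), " numLoc_Q =", num_loc(pl_q))
    print("S (employer, working hours) =",
          round(sensitivity(PLACES, Q_EMPLOYER_WORKHOURS), 3), "bits")
    print("delta H^location for 8 -> 2 candidates =", accuracy_gain(8, 2), "bits")
```

The same candidate set evaluated against an observer who weights all attributes equally (a neutral landscape) gives a sensitivity close to zero, whereas the employer model, which rules most attributes out, extracts about one bit; this is the observer- and time-dependence the definition calls for.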

4.3.3.2 Incorporating Movement

A static sensitivity measurement only captures isolated observations. In most

cases, people move and submit their location continuously or frequently. Therefore,

the sensitivity evaluation requires dynamic, time-dependent components in

order to evaluate an observation context. For instance, the observer only knows

the published positions, but not the exact route in between. The observer may use

a routing algorithm to determine the route a user could likely have taken. If there

is only a single route, the observer gains perfect knowledge of it. Consequently,

the user’s privacy increases with the amount of ambiguity of possible routes and

the observer’s uncertainty regarding visited locations in between consecutive

location observations.

Definition 8 (Dynamic Location Sensitivity). We extend the static definition by including the time frame between consecutive location observations of $O^{ctx}_{m+1,m+l}$, extending
$$PL_{Q(\hat{a},t)}(O^{ctx}_{m+1,m+l}) := \{\, c \in PL(O^{ctx}_{m+1,m+l}) \mid Prob(c = c_{user} \mid Q(\hat{a}, t)) > 0 \,\}$$
by calculating reachable locations in between consecutive location observations. A function $numReach(O^{ctx}_{m+1,m+l}) := |PL(O^{ctx}_{m+1,m+l})|$ calculates the number of all possible locations in the reachable area between two consecutive location disclosures and a given (minimum / maximum) velocity. Respectively, $numReach_{Q(\hat{a},t)}$ calculates all plausible, reachable locations. □

Figure 4.2(a) illustrates a possible implementation of numReach(), i.e. calculating

all plausible, reachable positions between two consecutive location disclosures.

In this example, the assumed potential travel speed was held static. This

restriction can be lifted by using a more sophisticated route-planning algorithm

combined with further external information. Figure 4.2(b) shows a possible implementation

of numReach Q(â,t) () using a model of reachable places marked as

publicly accessible points of interest (POI) combined with the possible duration

of stay.
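The following Python is an added example of one possible implementation of $numReach()$ and $numReach_{Q(\hat{a},t)}()$; it is not the implementation from Greschbach (2010) shown in Figure 4.2. Two consecutive disclosures are modelled in planar metres with a single assumed maximum speed, as in the static case described above: a candidate place is reachable if the detour through it fits into the time between the two disclosures, and the remaining slack is the longest possible stay at that place (the radii of Figure 4.2(a)). Coordinates, timestamps, place names and attributes are constructed.

```python
import math

# Constructed pair of consecutive disclosed positions: (x, y, t) in metres and seconds.
OBS_A = (0.0, 0.0, 0.0)        # first disclosure at t = 0 s
OBS_B = (1000.0, 0.0, 300.0)   # second disclosure 300 s later, 1000 m east
V_MAX = 5.0                    # assumed maximum travel speed in m/s

# Constructed candidate places (name, x, y, semantic attribute); all hypothetical.
PLACES = [
    ("kiosk-midway", 500.0, 0.0, "shop"),
    ("cafe-north", 500.0, 400.0, "cafe"),
    ("bank-branch", 300.0, 0.0, "bank"),
    ("stadium", 0.0, 1000.0, "sports"),
    ("depot-east", 2000.0, 0.0, "industrial"),
]


def dist(x1, y1, x2, y2):
    """Euclidean distance in the planar model."""
    return math.hypot(x2 - x1, y2 - y1)


def max_stay(place, obs_a, obs_b, v_max):
    """Longest stay in seconds at `place` that still allows reaching obs_b in time,
    or None when the detour cannot be made even without stopping."""
    _, x, y, _ = place
    ax, ay, ta = obs_a
    bx, by, tb = obs_b
    if tb <= ta:
        raise ValueError("consecutive observations must be strictly increasing in time")
    detour = dist(ax, ay, x, y) + dist(x, y, bx, by)
    stay = (tb - ta) - detour / v_max
    return stay if stay >= 0 else None


def reachable(places, obs_a, obs_b, v_max):
    """PL(O_ctx) restricted to the reachable area: places with a non-negative stay."""
    return [p for p in places if max_stay(p, obs_a, obs_b, v_max) is not None]


def num_reach(places, obs_a, obs_b, v_max):
    """numReach: number of possible places in the reachable area."""
    return len(reachable(places, obs_a, obs_b, v_max))


def num_reach_q(places, obs_a, obs_b, v_max, q):
    """numReach_Q: reachable places whose attribute has probability > 0 under Q(a, t)."""
    return len([p for p in reachable(places, obs_a, obs_b, v_max)
                if q.get(p[3], 0.0) > 0])


if __name__ == "__main__":
    for place in PLACES:
        stay = max_stay(place, OBS_A, OBS_B, V_MAX)
        print(f"{place[0]:13s}", "unreachable" if stay is None else f"stay <= {stay:6.1f} s")
    print("numReach =", num_reach(PLACES, OBS_A, OBS_B, V_MAX),
          " numReach_Q(cafe only) =",
          num_reach_q(PLACES, OBS_A, OBS_B, V_MAX, {"cafe": 1.0}))
```

Lowering the assumed speed shrinks the reachable set, and an observer model $Q$ that rules out attributes shrinks it further, so $numReach_{Q(\hat{a},t)} \le numReach$ always holds; the observer's uncertainty about the route, as the text describes, grows with the number of places that survive both filters.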



[Figure 4.2: two map panels, (a) and (b); images not reproduced.]

Figure 4.2: (a) Reachable area between two published locations (4 min 56 sec). The radii indicate the duration of stay that allows the final goal to be reached in time. The red line shows the actual route the user took. (b) The marked areas indicate any possibly reachable places using a map feature model; the radius indicates the possible length of stay (Greschbach, 2010).

4.3.4 Interpersonal Relationship & Trust

For a given (set of) observation(s), the contribution to a user’s mobility model

as well as the descriptive power of an observation with regards to the user’s

current context has been modeled. Finally, both components, knowledge and

sensitivity, need to be combined within a single measure. The level of mutual

trust (denoted as α) between a specific observer and user has been chosen as the

weighting factor. For the communication scenarios under research, it is assumed

that the level of background knowledge is based on the estimated mutual trust

between an observer and the user as well as their social context and personal

relationship. If the user trusts a peer with whom he or she communicates to a

certain extent, we assume that he or she has previously disclosed (or is willing to

disclose) a certain amount of personal information, possibly through a different

communication channel. An alternative interpretation of α is the weighting of the

relevance between movement history and importance of the current location.

While communicating with social peers, the sensitivity of an observation

context is more important because personally trusted social contacts already have

a good knowledge of the user’s preferences (e.g. frequently visited places) from

sources other than the mobile or online networking applications. Hence, the

current location’s sensitivity might cause the individual to become more exposed.



Some observations might trigger uncomfortable questions since these peers are

able to infer subjectively sensitive places by using their background knowledge.

In contrast, when communicating with less trusted observers, e.g. location-based

services without (or with pseudonymous) registration, the protection of

the user’s daily routines is more important because there is usually little or no

knowledge of the user’s personal background. By disclosing regular patterns, the

user’s preferences or social contacts may be uncovered. A single location sample

observed without knowledge of the observed individual’s context, though, has

only little or no information value regarding the user’s preferences or habits.

The value of α can either be predefined via classification of the listener class â

or can be applied as a user-parameter.

Definition 9 (Loss of Location Privacy). The privacy loss $\Delta P_{user}$ with regards to an observer $\hat{a}$, a set of $m$ past location observations $O$ of this observer and new location samples $O^{ctx}$ is
$$\Delta P_{user}(O, O^{ctx}_{m+1,m+l}) = (1 - \alpha_{\hat{a}})\, \Delta K_{\hat{a}}(O, O^{ctx}_{m+1,m+l}) + \alpha_{\hat{a}}\, S_{\hat{a}}(O^{ctx}_{m+1,m+l}), \quad (4.5)$$
which is the weighted knowledge gain of the user’s preferences $\Delta K_{\hat{a}}$ and the location sensitivity $S_{\hat{a}}$. □

The two main components (K and S) measure the impact of location observations,

balanced by the variable α. However, S and K are usually not completely

independent. For instance, the sensitivity value for places already contained in

the model K should be usually low or zero. If a place is known to an observer

and the observer has additional background knowledge (i.e. high α-value), both

the place’s relevance as well as its semantic meaning should also be known to the

observer.

4.4 Discussion

With the definition of a user-centric location privacy model, a first step has been

made in analyzing mobile communication scenarios, especially regarding mobile

communication between partially trusted peers. In order to identify the limits

and shortcomings, but also the advantages of the proposed model, the relation to

other location privacy models needs to be discussed.



4.4.1 Relation to Anonymity Metrics

"An anonymity delta (regarding a subject’s anonymity) from an attacker’s

perspective specifies the difference between the subject’s

anonymity taking into account the attacker’s observations (i.e. the

attacker’s a-posteriori knowledge) and the subject’s anonymity given

the attacker’s a-priori knowledge only." (Pfitzmann & Hansen, 2010)

In the case of a full anonymity scenario, we assume no trust exists between

the user and the observer. Therefore, we expect no background knowledge of

the user as regards the observer and choose α = 0 accordingly. This implies

that only the knowledge level w.r.t. the user model K matters for the privacy (or

anonymity) level. By definition, K captures the length, density and quality of

the adversary’s observations. In the case of an anonymity metric, it describes the

length of observation of a single pseudonym and the level of knowledge about

the user gained through observation. Thus, for any ∆K > 0, the probability of

being anonymous decreases. For instance, a simple user-centric estimation of the

anonymity level could be calculated based on the results by Golle and Partridge

(2009). More specifically, Zang and Bolot (2011) researched the size of anonymity

sets with regards to the user’s top-N places by analyzing call data records of a U.S.

mobile telephony provider. Inspired by the k-anonymity metric, they empirically

determined the value of k if the user’s top-N locations are known, compared

with different observation granularity (cell-sector, cell-id, ZIP, City, etc.). If all

top-3 locations are known, the median anonymity set at a U.S. ZIP code location

granularity is of size 2. Even with a city-level granularity, the median size is 24.

Also noteworthy is the drop in the anonymity set size between top-1 to top-2

known locations. If only the top location is known, the median size at cell level is

of about 1000 members. With the top-2 location known, the median value drops

to 9 members within the anonymity set. Furthermore, the study found a drop

in the anonymity set size if any additional social information is known to the

observer. With a quasi-identifier of knowing the top-2 locations, the size of the

anonymity set dropped by 50% when adding social background information.

4.4.2 Relation to Obfuscation and Uncertainty Metrics

The sensitivity component is related to obfuscation-based privacy metrics. It covers

both the observation error (i.e. obfuscation) and the probability distribution



of potential whereabouts in the area enclosed within the spatial error. Additionally,

the sensitivity component captures the effects of adjusting the probability

distribution based on time, date, and landscape, but also on expected observer

knowledge.

For instance, Ardagna et al. (2011) defined location privacy in an obfuscation

scenario as (1 − R i ), whereas R i (or so-called relevance) is defined as the ratio

between an optimal measurement and the actual measured radius around an estimated

position (i.e. measurement-error or deliberately obfuscated position). Thus,

by applying this metric to the identified communication scenarios, e.g. a mobile

telephony scenario with observing infrastructure, the user’s location privacy is

determined by the technical and physical characteristics of location determination

methods instead of focusing on the user’s, or user device’s, interaction with the

network infrastructure.

Such measurements are less useful in scenarios where background knowledge

of any kind is involved. Background knowledge might consist of good general

map knowledge and/or detailed background knowledge of the user (i.e. the

friends and families). In both cases, a relevance metric does not reflect a user’s

location privacy level completely because the potential exposure of the user might

be different depending on the map structure of a similar relevance measure.

Furthermore, the same privacy (respectively relevance) level might be evaluated

differently with respect to time and different observers.

4.4.3 Relation to Probabilistic Metrics

Shokri, Theodorakopoulos, Le Boudec, and Hubaux (2011) determined the user’s

location privacy as the adversary’s correctness of an attack. Formally, they define

location privacy as $LP = \sum_{a'} h_o(a')\,\Delta(a, a')$, where $\Delta(a, a')$ is the distance between actual traces $a$ and assumed traces $a'$ and $h_o(a')$ is the probability of

the adversary inverting the user’s location privacy-enhancing mechanisms, i.e.

calculating a ′ based on the given observation and background knowledge. In the

case of a non-anonymous setting, where the observer gathers location information

about a user directly (e.g. a mobile telephony scenario), ∆(a, a ′ ) is zero by

definition (assuming inaccuracy due to technical limitations is negligible). Hence,

in such a setting the user’s location privacy is assumed to be zero.

While the correctness of an adversary is difficult to measure from a user’s

perspective, the intuition of a user-centric metric is quite similar. The user could



measure how close, or correct, an adversary model may become based on the

information provided by the user.

4.4.4 Limitations

Due to the specific settings of a user-centric perspective, the proposed privacy

model is unable to provide any absolute privacy guarantees. A user-centric

approach is unable to determine the real impact of the data disclosed to a specific

adversary, respectively observer, due to the unavailable knowledge of the

observer’s capabilities and intentions.

A second limitation is the uncertain impact of time on the user’s privacy,

especially concerning evaluating sensitivity. Neither interpersonal relationships,

and thus, mutual trust, nor background knowledge of the user are stable over

time. If an additional time-component $\tau$ is introduced and a future evaluation time is described,
$$\Delta P^{\tau}_{\hat{a}}(O, O^{ctx}_{n,m}) = (1 - \alpha^{\tau}_{\hat{a}})\, \Delta K^{\tau}_{\hat{a}}(O, O^{ctx}_{n,m}) + \alpha^{\tau}_{\hat{a}}\, S^{\tau}_{\hat{a}}(O^{ctx}_{n,m}), \quad (4.6)$$
with $\tau$ being an arbitrary point in time in the future,

• the time projection may either cause a decline or a rise in α. In the first case,

α may decline if, for instance, the interpersonal relationship cools down.

This implies the user’s background information becomes less relevant over

time since, due to diminishing mutual trust, knowledge of the user’s current

habits is less known or even unknown. In the second case, both α and the

knowledge of the user’s mobility pattern rise over time. For instance, due to

constant interaction between agents, knowledge of the user is transferred.

• it is even more difficult to assess the sensitivity value at a future point in

time. Even though the sensitivity value is time-sensitive, the main problem

for the user is to model his or her privacy preferences for the future. For

instance, the political or social climate may change and the documented

visit of a certain place may have a different impact at a future point in time.

This is especially relevant due to the importance and popularity of SNSs.

In such a setting, any disclosed information may remain (virtually forever)

accessible.



4.5 Summary

Based on a novel observer (adversary) model, it is possible to develop a user-centric

location privacy model. In contrast to traditional adversary models in the

location privacy domain, the ubiquitous observer model avoids defining dedicated

adversary attacks since they are difficult to model from a user’s perspective.

Instead, the model enables the user to define a conceptual model that captures his

or her location sharing preferences; for instance, regarding the personal mobility

pattern when communicating with less trusted or less known observers, or regarding

the sensitivity of certain locations. Furthermore, the proposed user-centric

location privacy model is able to emulate other location privacy models, and thus,

is also applicable, for instance, in a non-trusted and anonymous setting.

The user’s location privacy could be modeled based on the uncertainty of an

observer: (a) to generate a detailed profile of his or her regular behavior, (b) to

pinpoint a specific place (i.e. address) based on a set of observations and (c) to

observe changes in his or her daily routine. The proposed privacy model allows

an individual to judge his or her location privacy in the context of a user-centric

privacy policy, describing the knowledge model and information to be protected.

Furthermore, individual communication peers can be judged separately.

The following chapters both address the proposed communication scenarios

by applying the proposed privacy model as well as present its implications

for this privacy protection mechanism. Based on a user-centric privacy model,

four mobile communication scenarios are further analyzed in order to provide

target-oriented and effective privacy-enhancing measures. Starting with an ubiquitous

mobile communication infrastructure in Chapter 5, the focus of user-centric

privacy protection is both on transparency of location disclosure as well as on

counteractive measures. In a second step, the role of services and their providers

regarding location privacy needs to be analyzed. While there might be a privacy

policy between a user and his or her mobile communication service provider, it

is difficult for a user to evaluate the extent of information shared and to exercise

control of his or her location disclosure. Architectural and design aspects

of location-based services and SNSs need to be analyzed and adapted in order

for the user to gain more control over his or her location disclosures. Chapter

6 proposes design aspects for location-based services and Chapter 7 proposes a

solution for spontaneous location sharing between semi-trusted peers. Finally,

the privacy impact of location sharing in the context of trusted peers needs to be



addressed. The goal is to improve a user’s privacy sensitivity and to encourage a

more sensible communication culture regarding disclosure of private information.

Chapter 8 will analyze the aspects of location disclosure to trusted peers.



CHAPTER 5

Location Privacy Using Mobile

Communication Infrastructure

This chapter analyzes the first communication scenario introduced in Chapter 2,

Communication with Mobile Infrastructure, and its implications for a subscriber’s

location privacy. In a second step, privacy-enhancing technologies for this specific

scenario are introduced.

Wireless digital telephone networks have become a core communication infrastructure

within the past years. GSM and its successors have significantly

changed the communication landscape both in developed and, soon thereafter, in

developing market economies. Today, these networks by far outnumber landline

connections. 1 With over three billion subscribers world wide, mobile telephony

networks are a significant driving force behind economic growth and introduce

new services, such as mobile learning, exchange of market information and micro

payments. Hence, mobile telephony and data networks have become a crucial

part of today’s communication infrastructure.

Due to the technical needs of telecommunication services, location data is

generated when using mobile communication services. This applies more or

less restrictedly to any kind of mobile network, e.g. WiFi, bluetooth or DECT. A

Of particular interest are technologies employing ubiquitous infrastructure,

because these technologies not only provide comprehensive mobile service coverage

but also make individual movement patterns observable. Moreover, mobile

communication infrastructure contributes to security and safety. The mobile

telephony network and its physical characteristics help to locate mobile phone

1 Subscriber numbers for Germany (German Federal Network Agency (Bundesnetzagentur), 2010)



users in cases of emergency 2 and may be a valuable tool for search and rescue

(SAR) (L. Chen et al., 2010). For instance, Bengtsson et al. (2011) analyzed postdisaster

population displacement using SIM card movements in order to improve

the allocation of relief supplies. Location information gathered through mobile

telephony networks is now a standard tool for crime prosecution and is proposed

by the EC Data Retention Directive to reduce the risk of terror and organized crime

(European Parliament, 2006). Additionally, commercial services are based on the

availability of live mobility patterns of larger groups (e.g. for traffic monitoring 3

or location-aware advertising (Krumm, 2010)). This brings about the dilemma of

network subscribers’ location information potentially being passed on to third

parties. Usually, subscribers are neither aware of the extent of their information

disclosure, nor of how collected data is used and by whom. Merely carrying a

switched-on mobile phone may lead to vast amounts of location data exposure.

Law enforcement and commercial agencies exploiting movement patterns

have two options for utilizing location determination of mobile telephony networks:

an active and a passive method. While active positioning yields immediate

and more accurate results (e.g. through U-TDOA (3rd Generation Partnership

Project (3GPP), 2002)), there are additional costs involved (e.g. network utilization),

and thus, an incentive and dedicated target is required. Hence, active GSM

positioning methods are not suitable for location tracking of masses, but a valuable

and quite accurate tool for tracking individuals. For instance, the police of North

Rhine-Westphalia issued over 225,700 (active) location determination attempts of

2644 different subjects in 778 preliminary proceedings in 2010 (Ministerium für

Inneres und Kommunales NRW, 2011). Germany’s federal police forces initiated

440.783 so-called silent text messages. 4 On the other hand, passive location determination

techniques automatically generate any information required during

normal communication with the subscriber’s mobile station, thereby incurring no

additional costs. We concentrate on the latter method, as the privacy of all mobile

subscribers is affected simply by interpreting and possibly exploiting standard

network traffic.

2 FCC Enhanced 911 Wireless Service, http://www.fcc.gov/pshs/services/911-services/enhanced911, (18/9/2011).

3 For instance Vodafone Germany, http://www.vodafone.com/content/index/press/local_press_releases/germany/2008/tomtom_and_vodafone.html, (1/8/2012).

4 Letter of the Federal Ministry of the Interior by request of a parliamentarian, http://www.andrej-hunko.de/start/downloads/doc_download/185-stille-sms-bei-bundesbehoerden, (12/15/2011).



We make use of the ubiquitous observer model in order to analyze the tradeoff

between the additional utility of mobile telephony infrastructure being able to

locate subscribers and the individual’s location privacy. Based on these results,

measures are proposed that improve an individual’s location privacy through

a user-controllable GSM software stack. In order to analyze and evaluate the

effects of a specific subscriber-provider interaction, a dedicated test environment

is presented using GSM mobile telephony networks as a case study. The resulting

testbed is based on real-life hardware and open-source software in order to create

a realistic and clearly defined environment which includes all aspects of the

air interface in mobile telephony networks, and thus, is capable of controlling

subscriber-provider interaction in an easily interpretable and fully controlled

environment.

5.1 Related Work

Stoll (1995) analyzed privacy aspects of early GSM and UMTS networks. The

author points out several security measures implemented in GSM networks such

as temporary subscriber identity (TMSI), subscriber authentication and data confidentiality

through encryption of the radio path, but the author emphasizes two

unresolved privacy issues. First, user data is generated and collected in great

detail in several network components, including the Home Location Register

(HLR), but especially in the Visiting Location Register (VLR) and Mobile Switching

Center (MSC). Secondly, the network is able to locate any subscriber. In order

to overcome the identified shortcomings, Stoll (1995) proposed a decentralization

of the mobile infrastructure and emphasized giving control of subscriber-related

data to their owner. With regards to a wider security investigation, Lee, Hwang,

and Yang (1999) discussed location privacy as an explicit goal of the GSM security

features. Concerning location privacy, one crucial point is roaming. TMSI

was introduced for location privacy protection on the radio path. Since paging

requests are sent unencrypted, eavesdroppers cannot gain information on real

subscriber identification numbers (IMSI). Within this protection scheme, Lee et al.

(1999) described three potential privacy problems: (1) IMSIs are sent unencrypted

through the wired network; (2) if a VLR loses/flushes its database, the subscriber

is paged by using the real IMSI; and (3) if the old VLR is not available or reachable

anymore and the real IMSI is sent for a location update to the new VLR. Lee et al.

(1999) dealt with location privacy in GSM networks only on the protocol layer in



the relation between mobile station, VLR and HLR. However, location data as a

possible quasi-identifier is not recognized as a privacy threat in this context.

A study of privacy leaks in mobile telephony networks was conducted by

Mulliner (2010). Focused on mobile internet access, the author analyzed HTTP

headers in order to determine whether certain websites were accessed by a mobile

phone’s browser. By using the infrastructure provider’s WAP or HTTP proxy,

the analysis showed that sensitive information such as the MSISDN (i.e. the

subscriber’s phone number) and other subscriber information, for instance information

on pay-as-you-go contracts, were added as extra HTTP headers.

Ardagna et al. (2009) introduced a scenario with a semi-trusted (mobile) network

provider and proposed a multi-path communication approach to achieve

k-anonymity for the sender of a message. Their approach relies on a hybrid

network infrastructure, where subscribers are able to form ad-hoc networks.

However, such an approach only protects the relationship between sender and

final recipient (e.g. LBS-provider).

Recent analysis of mobile phone call data records (CDR) showed that even

sporadic and anonymous location data with coarse spatial resolution contain

sensitive information that could possibly lead to an individual’s identification

(Gonzalez et al., 2008; Bayir et al., 2009; Zang & Bolot, 2011; Isaacman et al., 2010).

Similar studies were conducted on tourist movement patterns in New York and

Rome (Girardin et al., 2008; Girardin, Vaccari, Gerber, Biderman, & Ratti, 2009).

Sohn et al. (2006) analyzed GSM data to determine a user’s movement mode

based on radio signal fingerprints. The authors were able to distinguish between

tourists who were walking, driving or remaining stationary with a success rate of

about 85%. De Mulder, Danezis, Batina, and Preneel (2008) conducted a study on

the ability to re-identify individual mobile phone subscribers based on available

cell data. In this study, the authors evaluated a Markovian model and a model

based on the sequence of cell IDs. They reported a success rate of about 80 % for

the latter method.

Since the infrastructure provider is considered a (partially) trusted entity (e.g.

due to a contract between subscriber and provider), location privacy issues in

such situations have been widely neglected. Judging from the aforementioned

studies, one could conclude that using a mobile communication network (e.g.

GSM) is a potential threat to a user’s privacy. From a user’s perspective, the

main question to ask oneself is how much privacy risk is incurred by mobile



communication networks, i.e. how much knowledge of movement patterns does

a network provider have, especially when the user does not actively use a handset.

The subsequent question then is: which of the available networks (or rather, which

network configuration) poses the least threat to the user’s privacy? Finally, which

user-centric technical measures are required in order to improve the individual’s

location privacy in context of mobile communication?

5.2 Locating Mobile Phones

Figure 5.1: A simplified structural overview of a GSM network.

As an example of mobile telephony networks, we discuss the widely deployed

GSM infrastructure, as its successors UMTS (3G) and LTE (4G) have a significantly

smaller installation base and share most of its principal characteristics. A typical

GSM network is structured into cells, each served by a single base transceiver

station (BTS) (Fig. 5.1). Larger cell-compounds are called location areas (LA). In

an idle state, no dedicated channel is assigned to the subscriber’s device (mobile

station – MS). In this state, it only listens to the common control channel (CCCH)

and the broadcast control channel (BCCH), but otherwise remains in standby

mode in order to save energy (3rd Generation Partnership Project (3GPP), 2010c,

2010a). Through system information messages on the BCCH, the MS periodically

receives a list of neighboring cells from the serving BTS and performs signal

strength measurements on these base stations. This way, the MS selects a BTS



with a good signal strength, thus maintaining network attachment. In order to

establish a connection with the MS in the case of an incoming connection request,

the network has to know if the MS is still available and in which LA it is currently

located. A location update procedure was introduced to cope with subscriber

mobility.

Either periodically or when changing the LA, a location update (LU) is triggered

(cf. Fig. 5.2). Through this procedure, the phone initiates active communication

with the network infrastructure, sending a so-called “measurement report”

to the base station. This report consists of the received signal strength of up

to six of the strongest neighboring cells as well as that of the serving BTS. The

network determines the time lapse between periodic location updates, which

varies between infrastructure providers. Section 5.4.2 provides an overview of

the LU configuration of four German GSM infrastructure providers, based on

experimental results. Additionally, the infrastructure’s radio subsystem measures

the distance between phones and the serving cell in order to compensate for the

signal’s propagation delay between the MS and BTS. The timing advance (TA)

is represented as an 8-bit value which is used to split the cell radius into virtual

rings. In the case of GSM, these rings have a size of roughly 550 m in diameter.

The serving infrastructure regularly updates the TA of the mobile phones in its

network (3rd Generation Partnership Project (3GPP), 2009b).

Figure 5.2: Location update procedure.

Due to regulatory requirements, but also against the background of growing commercial

interests, locating mobile phones has gained attention both in the research

community and in industry. There is a variety of ways to determine a

mobile station’s location from the viewpoint of the network infrastructure, e.g. by

Cell Origin with TA and Uplink Time Difference of Arrival (U-TDOA) for GSM

(3rd Generation Partnership Project (3GPP), 2009a). 5 While the latter method

requires sophisticated network infrastructure, Cell Origin and TA are available in

any network setup. These methods work without special mobile station requirements

and are able to achieve a positioning accuracy of up to 50 m in urban areas

in case of TDOA (G. Sun et al., 2005; Drane, Macnaughtan, & Scott, 1998; Vossiek

et al., 2003).

Another (non-standard) method to determine the location of an MS employs

received signal strength measurement results. Usually based on databases derived

from signal propagation models used during the planning phase of the

infrastructure, this data can be prepared as a lookup-table of signal measurements

which can be used to determine the MS’s location. Based on the cell, TA and

received signal strength indication (RSSI) of the serving cell as well as the six

neighboring cells, Zimmermann et al. (2004) achieved positioning accuracy of

below 80 m in 67% of carried out positioning attempts and 200 m in 95% in an

urban scenario. With a similar method but more generic setup, Haeb-Umbach and

Peschke (2007) report positioning accuracy of 124 m in 67%. Similarly, M. Chen

et al. (2006) adapted ideas of so-called fingerprinting algorithms to the GSM

domain. These techniques were originally developed for positioning using WiFi

infrastructure (Kjaergaard, 2007). In a recent study using RSSI in combination with

map information and movement prediction, Anisetti, Ardagna, Bellandi, Damiani,

and Reale (2011) achieved less than 19 m in 50% and less than 64 m in 95% of all

measurements.

When the mobile phone is in idle mode, network-assisted positioning is not

possible. In order to obtain an MS’s position, the network either has to wait for

the next active period of the MS (e.g. phone call, LU) or has to trigger MS activity.

This can be achieved by transmitting a so-called silent text message which forces an

active communication without raising the user’s awareness or without the user

being notified. The network must first page the cell phone in order to establish an

active communication. The MS responds to the paging, then reports the functions

it is capable of (classmark change), followed by the authentication procedure,

the activation of encryption, and the TMSI reallocation. The communication

5 Location determination options for UTRAN (3rd Generation Partnership Project (3GPP), 2010b)



Figure 5.3: Flow chart of an active GSM positioning via a silent text message.

usually ends with the channel release and no data transmitted. Figure 5.3 shows

a flow chart of such a procedure in a German network. The procedure may be

used by law enforcement authorities or by location-based services utilizing GSM

positioning.

5.3 Privacy Analysis

When using ubiquitous mobile communication infrastructure, two different kinds

of location disclosure have to be taken into account. First, one can assume that

if the user starts a communication / interaction through or with the network

actively, he or she is disclosing (location-)information voluntarily and consciously.

In theory, the subscriber is able to control his or her location disclosure. Second,

periodic location updates and other communication with the network happen

without the user’s consent. With today’s available mobile phones, it is not possible



for an individual network subscriber to observe and possibly ignore a network’s

paging request (this could also be a so-called silent text message). In both cases,

the user is not aware of the amount and accuracy of location data collected. In

general, neither the information disclosed nor the information’s impact on the

user’s privacy are easily perceived by the user. Thus, the user’s privacy is threatened

because of various necessities to generate, collect and reuse more frequent

location data whenever using mobile communication (cf. Fig. 5.4). The user’s

mobile station gathers and transmits location data (via LU) without notification

or (explicit) consent. The final location estimation is computed by the service

provider, whereas the user is not aware of its level of accuracy.

[Figure 5.4 diagram. Labels: Partially trusted communication peers; Untrusted / unknown peers; Infrastructure Services; Users & Social Peers; Mobile Information Services (e.g. Maps, Tourist Guides, ...); Mobile Communication Network (e.g. WLAN, GSM/3G); Social Network Services (e.g. Friend Finder); Location Processing and Anonymization Unit; User Mobility Profiles (e.g. Traffic Monitoring, Consumer Research, Advertising). Annotations: location information is submitted by the mobile subscriber to maintain network attachment; location information is used and may be stored by the network provider, users are not aware of amount and extent; location information is created by using mobile infrastructure.]

Figure 5.4: Assessing the potential amount of location information created due to standard network protocol communication.

There are limited options for individual subscribers to protect their location

privacy in a mobile telephony scenario because once a mobile device is activated,

it is theoretically possible to determine its location, but this is difficult to observe

and even more difficult to prevent or to obfuscate. Thus, the first step to improve

user privacy is to improve the ability of the user to observe potential location

determinations carried out by the infrastructure. This data serves as a base for

further analysis by using the user-centric privacy model proposed in Chapter

4 to assess the information’s value. Finally, user-centric measures are required

to reduce observation accuracy (e.g. making use of obfuscation techniques) and

providing less location information (or less frequently).



5.4 Case Study – GSM Network

In contrast to previous work which concentrates on call data records, this thesis’

focus is on uncovering the side effects of using a mobile handset, especially

on location updates, since these are scheduled periodically and configuration

between network providers differs significantly.

Currently, the typical information available for the user regarding the network

infrastructure’s configuration is usually limited to the operator’s name, signal

strength of the serving cell and type of protocol used (e.g. GSM, 3G, etc.). In

order to analyze the user’s exposure, a logger device has been developed to

record any communication between the GSM infrastructure and a mobile phone.

The device was carried by test persons. Meanwhile, the phone was kept in

a passive/idle mode, i.e. phone calls were neither made nor received. The

logging device was built by using a mobile phone that captures raw network data,

e.g. measurement reports sent to the base station. A small mobile ARM-based

appliance was attached to the phone recording the data read from the phone’s

debugging interface. Additionally, a GPS device was added to tag the recordings

with a time stamp and the user’s location. Further technical details can be found

in Appendix A.2.

5.4.1 Observation Accuracy in Cellular Networks

However, with the aforementioned setup, only the user’s measurement data and

network interaction can be observed. Location information observed by mobile

communication infrastructure is error-prone. Depending on the communication

infrastructure used, users can make assumptions of the physical limitations of

the involved technology and thus may estimate a best-case value for ε. In order

to model the infrastructure’s potential knowledge regarding the user’s location,

a random spatial error was added to the recorded GPS position. Throughout

this study, a spatial error of 250 m was assumed, based on the results of the

aforementioned studies (cf. Zimmermann et al. (2004); Haeb-Umbach and Peschke

(2007)).

In order to get a robust reflection of a user’s regular behavior, frequently

visited places were extracted. Thereafter, a clustering approach was used in order

to obtain an abstract yet efficient representation. Several studies (e.g. Hoh et al.

(2010); Ashbrook and Starner (2003); Krumm (2007)) demonstrated that clustering



is an effective tool for identifying a user’s most significant places. This case study

implemented a simple cluster algorithm based on radius and gap filters. 6

5.4.2 Data Analysis

The first notable observation is the broad variance in network configuration.

While one provider requires a client to initiate an LU every hour, another one

requires updates only every 12 hours. Two other providers demand four-hour and

six-hour LU intervals. From a user-centric perspective, location updates are

especially interesting due to their regularity but also because these events happen

without a user noticing.

A dataset was created by a test person carrying the logger device for about 17

days, equipped with a SIM-card of a German provider which requires location updates

hourly. Roughly 18.000 GPS points and 312 location updates were recorded.

The reason for the number of location updates being lower than anticipated is

twofold: the first and the last day were not complete and there were also signal

losses and user operation errors such as empty batteries. However, this should

correspond with real-life mobile phone usage.

During analysis, ten clusters were identified based on GPS data and eight

based on GSM data with hourly location updates. The remaining two clusters

extracted from GPS data could not be detected using GSM data. Besides the

short evaluation period and the limited spatial resolution of GSM positioning, the

difference in clusters is also due to the short amount of time spent at the remaining

two places (i.e. less than an hour). Fig. 5.5 shows the resulting frequently visited

places extracted from the recorded GPS and GSM (24 LU / day) data. While

the results show some minor differences, both methods reveal the same general

pattern. Especially proportions and ranking of the most significant places were

preserved.

In a second experiment, a public GSM network requesting location updates

every six hours was observed during an equal test period; however, only three

clusters could be identified. Fig. 5.6 shows the temporal development of the

discovery of frequently visited places using GPS and GSM, dependent on the

location sample frequency. After about 10 days, the number of clusters remained

stable, independent of the method used. Similar results were found in a study

6 The spatio-temporal clustering algorithm was implemented by Max Ferchner as part of his master’s thesis (Fechner, 2010).



Figure 5.5: Clusters generated by (a) a 17-day GPS trace and (b) 17 days of hourly location updates (GSM) with an estimated spatial error of 250 m. The radius of each cluster denotes its significance for the user (i.e. relative time spent).

on mobile phone call data records (Zang & Bolot, 2007). Zang and Bolot found a

plateau in user mobility profiles after about 14 days. They argue that adding more

data beyond 14 days does not improve modeling user mobility behavior. Further,

equation 4.3 was used to compare the privacy loss caused by the providers’

location update configuration. For that, it was assumed that the user’s daily

routine is described by 12 (L = 12) frequently re-visited places and about 15% of

the total observed time, the user is not at one of these significant places (γ = 0.15).

In a further, shorter trial with a 12-hour location update interval, only a single

cluster could be determined within eight days. One reason was the disadvantageous

time points at 7:30 AM and 7:30 PM; however, the network chooses the time points.

For this configuration, a long-term trial is pending. Due to long-distance traveling,

offline phases and time periods without reception, random shifts in the

time point of location updates are to be expected. Therefore, for a long-term

observation, it seems likely that a few (two to three) additional clusters would be

detected.



A cluster where a user spends a large amount of time is more likely to be detected,

and thus such a cluster is expected to be uncovered first. The privacy measurement

also implicitly captures the distribution of the observed location samples. If the

distribution of location samples is concentrated in certain time spans, fewer clusters

should be discovered. The same applies to evenly distributed but sparse samples

(e.g. every 12 hours).

[Figure 5.6 plots. (a) Number of detected locations (0 to 12) over observation days (2 to 16) for GPS, GSM 24 LU/d and GSM 4 LU/d. (b) $\hat{H}^{k}$ (0 to 2.5) over observation days (2 to 16) for the same three datasets.]

Figure 5.6: Temporal development of extracting location clusters from daily datasets of GPS data and GSM location updates. Uncertainty values $\hat{H}^{k}_{\hat{a},L,\gamma}$ are calculated with L = 12, γ = 0.15.
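The case-study procedure of Sections 5.4.1 and 5.4.2 (a per-minute GPS trace, location updates with an assumed 250 m spatial error, radius and gap filtering of stays, and a count of significant places per LU configuration) as an added example; this is not code from the thesis or from the clustering of Fechner (2010). The daily routine, the place coordinates, the 600 m radius, the 20-minute minimum stay, the 60-minute dwell threshold and the uniform-disc error model are constructed assumptions, and the example also varies the phase of the network-chosen update times, which the text above notes can be disadvantageous.

```python
"""Added example (not code from the thesis): a constructed daily routine is
observed as a per-minute GPS trace and as periodic GSM location updates (LU)
blurred by a 250 m spatial error; a simple radius/gap stay clustering then
counts how many significant places each kind of observation reveals."""
import math
import random

# Constructed ground truth: places in a local metric frame (metres), >= 2 km
# apart, and one daily schedule in minutes (half-open; None = transit leg).
PLACES = {"home": (0.0, 0.0), "work": (5000.0, 2000.0),
          "cafe": (7000.0, 2000.0), "gym": (2000.0, 4000.0)}
DAY = [("home", 0, 420), (None, 420, 480), ("work", 480, 720),
       ("cafe", 720, 750), ("work", 750, 1020), (None, 1020, 1080),
       ("gym", 1080, 1125), (None, 1125, 1140), ("home", 1140, 1440)]


def true_position(minute):
    """Ground-truth (x, y) at an absolute minute; transit is interpolated."""
    m = minute % 1440
    for idx, (place, start, end) in enumerate(DAY):
        if start <= m < end:
            if place is not None:
                return PLACES[place]
            x0, y0 = PLACES[DAY[idx - 1][0]]
            x1, y1 = PLACES[DAY[idx + 1][0]]
            f = (m - start) / (end - start)
            return (x0 + f * (x1 - x0), y0 + f * (y1 - y0))
    raise ValueError(minute)


def gps_trace(days):
    """Exact fix every minute, like the logger device of the case study."""
    return [(t, *true_position(t)) for t in range(days * 1440)]


def lu_trace(days, interval_min, phase_min, error_m=250.0, seed=1):
    """One sample per location update (interval and first update time are set
    by the network), blurred by an error uniform in a disc of radius error_m
    (constructed stand-in for the assumed 250 m observation error)."""
    rng = random.Random(seed)
    trace = []
    for t in range(phase_min, days * 1440, interval_min):
        x, y = true_position(t)
        r, a = error_m * math.sqrt(rng.random()), rng.random() * 2 * math.pi
        trace.append((t, x + r * math.cos(a), y + r * math.sin(a)))
    return trace


def extract_stays(trace, radius_m, min_stay_min, max_gap_min):
    """Radius filter: consecutive samples within radius_m of the first one for
    at least min_stay_min form a stay (start, end, cx, cy). Gap filter: a run
    is broken by a time gap > max_gap_min (e.g. the phone was switched off)."""
    stays, i, n = [], 0, len(trace)
    while i < n:
        j = i
        while (j + 1 < n and trace[j + 1][0] - trace[j][0] <= max_gap_min
               and math.hypot(trace[j + 1][1] - trace[i][1],
                              trace[j + 1][2] - trace[i][2]) <= radius_m):
            j += 1
        if trace[j][0] - trace[i][0] >= min_stay_min:
            run = trace[i:j + 1]
            stays.append((trace[i][0], trace[j][0],
                          sum(p[1] for p in run) / len(run),
                          sum(p[2] for p in run) / len(run)))
            i = j + 1
        else:
            i += 1
    return stays


def significant_places(stays, radius_m, min_total_min):
    """Merge stays whose centroids lie within radius_m of the first stay seen
    at a place; keep places with at least min_total_min of dwell time.
    Returns [(x, y, dwell_min)] ranked by dwell time, i.e. by significance."""
    places = []
    for start, end, x, y in stays:
        for p in places:
            if math.hypot(p[0] - x, p[1] - y) <= radius_m:
                p[2] += end - start
                break
        else:
            places.append([x, y, end - start])
    kept = [tuple(p) for p in places if p[2] >= min_total_min]
    return sorted(kept, key=lambda p: -p[2])


def observed_places(trace, max_gap_min, radius_m=600.0, min_stay_min=20,
                    min_total_min=60):
    """Significant places an observer can recover from one trace."""
    stays = extract_stays(trace, radius_m, min_stay_min, max_gap_min)
    return significant_places(stays, radius_m, min_total_min)


if __name__ == "__main__":
    print("GPS 1 fix/min:", len(observed_places(gps_trace(17), 5)), "places")
    for lu_per_day, phase in ((24, 0), (4, 0), (4, 120), (2, 450), (2, 1140)):
        interval = 1440 // lu_per_day
        found = observed_places(lu_trace(17, interval, phase), 2 * interval)
        print(f"GSM {lu_per_day:2d} LU/d, first LU {phase // 60:02d}:{phase % 60:02d}:",
              len(found), "places, dwell", [round(p[2]) for p in found])
```

With this routine the GPS trace reveals all four places, hourly updates only the two stays longer than an hour, and a 4 LU/day network one or two places depending on when the network schedules the updates.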

5.5 User-Centric Privacy Improvements

Based on the aforementioned analysis in public GSM networks, several enhancements

will be suggested to improve the user’s privacy in mobile communication

networks. According to Westin’s privacy definition, subscribers need to know

when, how and to what extent location information is generated and disclosed

(Westin, 1967). In a second step, methods to control the accuracy and time of

location disclosure are proposed.

5.5.1 Active Location Determination

A fully user-controlled mobile device requires software interfaces with a network

stack controlling and exposing signaling attempts (e.g. by detecting silent text

messages). However, such a signaling attempt does not provide information for

the purpose of paging the mobile station. Hence, it is difficult for a subscriber



to decide whether the paging attempt is legitimate (i.e. incoming call or text

message) or a (hidden) location determination attempt was triggered. Only after

the device has reacted to the signaling, the originator and the purpose of the

paging become visible. However, by answering to the signaling, the mobile phone

is becoming active (i.e. sending network packages), and therefore, a location

measurement unit is able to determine the MS’s position (e.g. through TDOA).

While active positioning requires a dedicated target and incurs certain costs,

concealing the mobile station’s location is also possible with some effort. Due to

the use of a full software network stack, lower network layers could be decoupled

from the mobile phone. By leveraging a second communication channel, the user

and his or her mobile station can be at a different place than the device running

the physical layer and antenna, communicating directly with the mobile network

infrastructure. This makes it impossible to forge the location of an individual

SIM-card.

5.5.2 Passive Location Determination

Based on the aforementioned analysis, several enhancements could improve the

user’s privacy in mobile communication networks. First, one can observe that

a simple quantitative privacy policy as offered by network providers, stating

only the length of possible data storage, is neither meaningful nor helpful for a

subscriber’s location privacy. Especially the density of periodic location samples

has a significant impact on the provider’s possible knowledge base and thus on

the user’s present and future privacy risks. Therefore, subscribers also need to

know when, how and to what extent (accuracy) location information is generated.

With such knowledge, the user’s awareness of his or her privacy loss is raised. In

a second step, the user should be able to control location dissemination by making

informed decisions.

Observation Frequency

A privacy-aware mobile device requires software interfaces to the network stack that control and expose signaling attempts (e.g. by detecting silent text messages) and provide access to measurement results as well as to the occurrence of location updates. With the development of the OsmocomBB⁷ GSM baseband implementation, first steps towards a privacy-aware phone have been made. The mobile station would be able to inform the user of the location data that has been sent to the service provider. Especially the density of periodic location samples makes a significant difference to the provider's possible knowledge base and thus to the user's present and future privacy risks. Such a monitor feature enables the user to select a mobile telephony provider that requests location updates less frequently. By doing so, an observing adversary obtains less information about frequently visited places. Thus, the potential privacy loss is limited, since the number of detected significant places k depends on the length and frequency of observations. For instance, a user with 12 significant locations has a privacy gain of about 31.5% (0.497 − 0.182) by choosing a network provider with 4 LU/day ($\hat{H}_{3,12,0.15} = 0.497$) instead of a network provider with 24 LU/day ($\hat{H}_{8,12,0.15} = 0.182$).

⁷ Open Source GSM Baseband implementation, http://bb.osmocom.org, (19/6/2011).

Observation Accuracy

A second step to improve a user's location privacy is to reduce the observer's observation accuracy (i.e. obfuscation). One way to blur the exact location is to send empty or significantly reduced measurement reports. Normally, these measurement reports include signal strength measurements of the surrounding BTSs that support handover decision-making during active connections. Since a location update only requires a very brief exchange with the network, a handover between different cells is highly unlikely. Thus, sending measurements of neighboring stations is not always technically required. By reducing the number of transmitted measurements, the accuracy of the network's estimated position is significantly decreased. In the best case (if no or false measurements are transmitted), the accuracy is reduced to the cell of origin combined with the timing advance parameter. In order to further decrease the accuracy of the estimated position, the MS may transmit with a slight timing offset. Such offsets have a direct impact on the timing advance calculation of the BTS and consequently lead to an incorrect distance estimate between MS and BTS. It is also possible to report a wrong MS transmission power to the network, which influences any conclusions the network draws from the received signal strength of the MS. The combination of manipulated measurement results, timing advance and reported transmission power allows the MS's actual position to be concealed to a certain extent. The rough location of the MS, however, remains available through the coverage area of the serving BTS.
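To make the two radio-side knobs concrete, here is an added example (Python, not code from the thesis or its testbed) that models the network's distance estimate from the timing advance and from received signal strength, and the effect of the MS manipulating each. The GSM timing constants (TA in units of one bit period of 48/13 µs, range 0..63) are standard; the log-distance path-loss model, its parameters (PL0 = 40 dB at 1 m, exponent 3.5) and the 2 km example distance are assumptions for illustration.

```python
# Added example (not from the thesis or its testbed): how much a deliberate
# timing offset or a misreported transmit power moves the network's
# distance estimate. Timing constants are GSM (TS 45.010): the timing
# advance TA is an integer 0..63 in units of one bit period Tb = 48/13 us.
# The path-loss model and its parameters are assumptions for illustration.
import math
from typing import Tuple

C = 299_792_458.0                  # m/s
T_BIT_S = 48.0 / 13.0 * 1e-6       # one GSM bit period, about 3.69 us
TA_MAX = 63
M_PER_TA_STEP = C * T_BIT_S / 2    # about 553.5 m: the round trip covers 2*d


def timing_advance(distance_m: float, ms_offset_bits: float = 0.0) -> int:
    """TA the BTS derives from the observed uplink delay.

    ms_offset_bits > 0 means the MS transmits earlier than the timing it was
    told to use, so the burst arrives as if the path were shorter.
    """
    round_trip_bits = 2.0 * distance_m / (C * T_BIT_S)
    observed = round_trip_bits - ms_offset_bits
    return max(0, min(TA_MAX, round(observed)))


def distance_ring_m(ta: int) -> Tuple[float, float]:
    """Distance band (lower, upper) in metres that a TA value implies."""
    lower = max(0.0, (ta - 0.5) * M_PER_TA_STEP)
    return lower, (ta + 0.5) * M_PER_TA_STEP


def ta_distance_error_m(distance_m: float, ms_offset_bits: float) -> float:
    """Shift of the inferred band caused by the MS offset, in metres."""
    honest = timing_advance(distance_m)
    shifted = timing_advance(distance_m, ms_offset_bits)
    return (shifted - honest) * M_PER_TA_STEP


# --- received-signal-strength side -----------------------------------------
# Log-distance path loss with assumed parameters: PL0 at D0 and exponent n.
PL0_DB, D0_M, PATHLOSS_EXP = 40.0, 1.0, 3.5


def rx_power_dbm(tx_dbm: float, distance_m: float) -> float:
    """Power the BTS actually receives from an MS transmitting tx_dbm."""
    return tx_dbm - (PL0_DB + 10 * PATHLOSS_EXP * math.log10(distance_m / D0_M))


def distance_from_rss_m(reported_tx_dbm: float, rx_dbm: float) -> float:
    """Distance the network infers from RSS while trusting the power level
    the MS reports (the MS signals it in the SACCH L1 header, GSM 04.04)."""
    return D0_M * 10 ** ((reported_tx_dbm - rx_dbm - PL0_DB) / (10 * PATHLOSS_EXP))


if __name__ == "__main__":
    d = 2000.0
    print("honest TA:", timing_advance(d), distance_ring_m(timing_advance(d)))
    print("2 bits early TA:", timing_advance(d, 2),
          "band shift (m):", round(ta_distance_error_m(d, 2)))
    rx = rx_power_dbm(33.0, d)               # GSM class 4 handset, 2 W = 33 dBm
    print("honest RSS distance (m):", round(distance_from_rss_m(33.0, rx)))
    print("reporting 23 dBm instead (m):", round(distance_from_rss_m(23.0, rx)))
```

One bit period of deliberate offset moves the inferred distance band by roughly 550 m; only small offsets are realistic, because a burst that arrives well outside its expected position is simply not decoded. Under-reporting the transmit power level makes the MS appear closer than it is, over-reporting makes it appear farther away; in either case the serving cell itself still bounds the error, as the text notes.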



5.6 Evaluation of User-Centric Privacy Improvements

In order to evaluate the effects of the aforementioned user-centric privacy improvements, a full mobile telephony network testbed is required.⁸ Different scenarios can be tested without interfering with public network infrastructure. The testbed consists of three basic components: the Mobile Network, the Testbed Serving Mobile Location Center (TB-SMLC) and a set of Mobile Stations. Fig. 5.7 provides a schematic overview of the testbed's structure. When combined, these components allow all aspects of the communication between the network and a mobile station to be analyzed in a realistic scenario. Since the testbed implements a standard GSM network, it can be further extended with standard GSM network components, for instance by adding any commercially available mobile station (denoted as MS X in Figure 5.7). In contrast to a software simulation, such a setup supports direct interaction with the network infrastructure as a subscriber and provides immediate feedback on status and network events. With complete control over all components of the network, the subscriber's MS behavior as well as its effects on the infrastructure can be evaluated. A detailed description of the hardware components and the software implementation is given in earlier work (Meier et al., 2011).

5.6.1 Mobile Network

The mobile network component is currently composed of two BTSs, both controlled by the Base Station Controller (BSC). The BTS provides the air interface and communicates with the MS. A setup with two BTSs enables staging handover scenarios in the testbed. The Mobile Switching Center (MSC) is responsible for switching calls. BSC and MSC are implemented in software and are currently deployed as a single component.

A logging component was added to the testbed to capture the communication of the mobile telephony infrastructure during normal operation. For the purposes of this study, the logging component stores measurement reports containing the following information: a timestamp, both uplink and downlink signal strength and quality, the number of known neighbor cells, the list of ARFCNs⁹ as well as the downlink received signal strength for each neighbor cell.

⁸ The conceptual and general development of the GSM testbed is based on cooperative work with K. Meier and D. Wehrle. The technical implementation of the testbed was done by K. Meier and D. Wehrle. The adaptation for location privacy research was done by the author of this thesis. The results of the generic testbed setup were published in a joint technical article (Meier et al., 2011).

[Figure 5.7: Structural architecture of the testbed replicating all main components of a GSM mobile telephony network (Meier et al., 2011). Blocks shown: Mobile Network (MSC / BSC, BTS 1, BTS 2); MS Controller; Mobile Stations (MS 1, MS 2, ..., MS n and a commercial MS X); TB-SMLC (Serving Mobile Location Center).]

5.6.2 Mobile Station

For computer-controlled mobile stations, the Motorola C123 mobile telephone is used as hardware. The original telephone firmware is replaced by a custom firmware. This combination allows complete control of the mobile station's behavior. Layer 1 of the GSM stack runs directly on the mobile station; layers 2 and 3 are implemented in the MS Controller. Complete control over the mobile station allows any data to be manipulated before it is sent to the network. It is therefore possible to manipulate measurement results, influence the timing advance and report an erroneous transmission power to the network.

5.6.3 Testbed Serving Mobile Location Center

In a common GSM network, the Serving Mobile Location Center (SMLC) is connected to the BSC and is responsible for locating an MS in the network. It manages the resources needed to localize a target and calculates the final position and the estimated error. The SMLC accumulates the measurements from multiple Location Measurement Units (LMU), which are usually located at the BTS (Tayal, 2005).

⁹ Absolute Radio Frequency Channel Number. The ARFCN specifies a pair of uplink and downlink frequencies within the GSM spectrum.

For the chosen scenario, however, a dedicated LMU is not necessary since

the required measurement reports are generated during normal operation. The

localization at the TB-SMLC is performed by an area-based probability algorithm

based on measurement reports received from the mobile station. A pre-recorded

database for the lookup algorithm is required and initialized during a training

phase. Every time a mobile phone is active (i.e. in dedicated mode), for instance

when performing a location update or sending and receiving text messages,

network events and corresponding measurement reports are captured.

For the training phase, a person equipped with a GPS logging device and a mobile phone walked continually within the area covered by the testbed. While walking, an MS in dedicated mode generated measurement reports. In a post-processing step, the measurement reports were correlated with the GPS traces and assigned to map tiles. For our experiments, the tile size was set to 8.52 m x 6 m. This results in 6200 tiles for the covered testbed area. In total, 171,654 measurements were recorded and analyzed.¹⁰

¹⁰ The development and implementation of the measurement-result-based localization as well as the measurements were conducted by R. Zahoransky as part of his master's thesis (R. M. Zahoransky, 2011).

[Figure 5.8: (a) Histogram of the observed RSS of a stationary MS measuring a single BTS (x-axis: received signal strength in dBm, −110 to −70; y-axis: number of measurements, 0 to 120) versus a scaled Gaussian distribution with µ = −87.5 and σ = 5. (b) Coverage and signal strength of a single testbed BTS. The location of the BTS is marked as "X" in the picture (R. M. Zahoransky, 2011).]


The probability distribution of the received signal strength for every receivable BTS is estimated assuming a Gaussian distribution. Fig. 5.8(a) shows a histogram of the observed RSS values of a stationary MS. Signal strengths from different BTSs are assumed to be independent. The mean is computed by converting the dBm values to a linear scale (mW), removing outliers, calculating the average and finally converting the result back to dBm. The standard deviation was not estimated from the data but fixed at σ = 5 dB (cf. Fig. 5.8(a)).

Usually, the network provides a list of neighboring cells to be monitored in order to support a communication handover between two BTSs. In our testbed setup, only one additional BTS is located on the campus, leading to limited localization possibilities. We coped with this shortcoming by extending the neighbor list with additional public GSM cells receivable on the campus. Finally, from these measurements a signal strength map is interpolated using Voronoi interpolation (Lewis, Pighin, & Anjyo, 2010). The resulting signal propagation map for a single BTS is shown in Figure 5.8(b). In order to locate a phone, the corresponding measurement entries are looked up in the pre-recorded GSM signal map.

An area-based probability algorithm (ABP-α) is used for location lookup (Elnahrawy, Li, & Martin, 2004; Youssef, Agrawala, & Udaya Shankar, 2003). This group of algorithms returns the set of most likely map tiles matching the actual and the predetermined fingerprints, controlled by a confidence value α. The summed probability of the resulting set of tiles matches the required confidence value. Hence, the α-value controls the trade-off between positioning accuracy and methodical precision.

Given a received signal fingerprint vector RSS, the probability of being at tile $l_{x,y}$ is calculated using Bayes' rule

$$P(l_{x,y} \mid RSS) = \frac{P(RSS \mid l_{x,y}) \cdot P(l_{x,y})}{P(RSS)}, \qquad (5.1)$$

with $P(RSS \mid l_{x,y})$ computed as the product, over all BTSs, of the overlap of the probability distributions of the received signal strength of $BTS_i$,

$$P(RSS \mid l_{x,y}) = \prod_{i=1}^{n} \int \left( \mathcal{N}_i^{RSS} \cap \mathcal{N}_i^{x,y} \right) \, dRSS,$$

where $\mathcal{N}_i^{RSS}$ is the Gaussian distribution derived from the MS's received signal strength of $BTS_i$ and $\mathcal{N}_i^{x,y}$ the Gaussian fingerprint stored for tile $l_{x,y}$. The a priori probability $P(l_{x,y})$ is considered to be uniformly distributed, even though map information could be included. The probability of the fingerprint vector RSS being measured anywhere within the GSM map is calculated as

$$P(RSS) = \sum_{x \in X,\, y \in Y} P(RSS \mid l_{x,y}) \cdot P(l_{x,y}).$$

Equation 5.1 yields the probability of being at tile $l_{x,y}$ given the fingerprint vector RSS. Since we want to return an area with a given confidence value α, the algorithm outputs the top-probability tiles $l_{x,y}$ until their probabilities sum up to α.

5.6.4 Experimental Results

Given the ability to control the mobile station's behavior, it is possible to evaluate the influence of the reported data on the resulting localization within the TB-SMLC. Computer-controlled mobile stations are able to conceal their actual location by replaying recorded measurement reports from a different location. Tests showed that the location then calculated by the network is identical to the location calculated for the original transmission.

By reducing the number of reported neighbor measurements, the positioning accuracy of the TB-SMLC can be influenced. Fig. 5.9 shows the difference between reporting a full set of neighbor information and reporting reduced sets. Fewer reported measurements result in a less accurate localization. For the experiments α = 0.75 was chosen, i.e. the MS is within the marked area with 75% probability. Without any measurement reports (MRs) being sent to the SMLC, $H_{location} = 12.61$, assuming that each map tile is equally likely (numLoc() simply returns the number of tiles within the covered area). Sending two MRs decreases $H_{location}$ to 7.8, four MRs lead to a value of 5.37, and six MRs to a value of 2.38. Generating a full set of neighbors with random values results in a random localization; the probability of such random measurements appearing in the GSM map should, however, be very low.

5.7 Discussion

The proposed method allows individuals to gain control over their location privacy, at least to a certain extent. Under the constraint of remaining attached to the network, the user is able to control his or her apparent location within the coverage of the serving cell or nearby cells.

If the observation accuracy is at cell level, the user may gain extra flexibility regarding plausible deniability, since more "plausible" locations can be selected. The actual privacy gain depends on the result (and implementation) of determining possible locations, i.e. using maps or databases to identify possible locations and the probability distribution of these places. Due to the limitations of the proposed methods, such measures are unsuitable in some instances, e.g. in situations in which a user claims to have been in city A but actually has been in city B.

[Figure 5.9: Comparison of localization results with different numbers of measurement reports. The marked areas depict the possible whereabouts of the mobile station. (a) shows the localization with a minimum set of one measurement, (b) a reduced set of four measurements and (c) the result of a full set of six measurements (R. Zahoransky et al., 2012).]

When it comes to the conflict of location privacy and the additional utility provided

by ubiquitous mobile networks for an individual’s safety and security, the

limits of user control may be different. By reducing the accuracy of location determination,

but especially by providing information leading to false positioning, the

extra utility in emergency situations will probably be reduced. However, in such

a situation, the network still has (more costly) methods of locating an individual

subscriber (e.g. active positioning methods like TDOA). The proposed measures

neither disrupt the infrastructure’s functionality nor endanger the individual’s

safety and security directly.

While the technical functionality of mobile communication is not significantly

impaired by the proposed privacy improvements, the individual’s and possibly

society’s added value of mobile communication infrastructure for security and

safety might be affected. In case of an emergency, the network infrastructure

provides a false user position. Thus, privacy improvements are a trade-off between

an individual’s privacy and possible improvements in society’s security

and safety. This conflict poses new research questions, e.g. how location data can

be kept and reused in a transparent and privacy-preserving way.



5.8 Summary

In contrast to other personal electronic devices, mobile phones are hardly ever

switched off and usually not shared between persons. This offers some unique

options for (unobserved) user tracking. Even though the recorded and evaluated data set is small, the available data show the possible effects of frequently generated and disseminated location data on the user's location privacy. Furthermore, the

comparison of the different network configurations found during our case study

in commercial public mobile telephony networks demonstrates the difficulty for

subscribers to estimate the extent of location disclosure resulting from carrying

a mobile phone. Depending on the chosen network provider, the impact on

the individual’s privacy differs significantly and is independent of the user’s

behavior. Although a privacy policy or legal regulations quantify the length

of data retention, an individual’s privacy depends heavily on the density and

quality of collected location information. However, such information is usually

not available to subscribers.

If the user was able to control the device’s network stack, his or her privacy

in relation to a ubiquitous observer could be improved. This would allow for a

reduction in the observer’s privacy-sensitive knowledge without compromising

the utility of mobile communication services. Furthermore, improving the transparency

of network exposure would allow a subscriber to observe the location

dissemination, thus becoming more sensitive to location privacy in mobile communication

networks. Having user-centric methods to observe location disclosure

and methods for location obfuscation, the foundation for user-centric privacy protection

mechanisms is laid out. As a next step, a user-centric privacy metric has

to be adopted and implemented on mobile handsets. Based on a privacy metric,

individuals should be able to make more informed decisions regarding the extent

to which they want to contribute their location information for the public good.



CHAPTER 6

Location Privacy Using

Location-based Services

The second privacy-threatening mobile communication scenario identified in Chapter 2 describes Communication with Service Providers. Mobile information systems and location-based services are not a novel concept. With the availability of Global Navigation Satellite Systems (GNSS), most notably the U.S.-operated Global Positioning System (GPS), and successes in the miniaturization and mobilization of computing, the provisioning of context- and location-sensitive information became possible and affordable in consumer markets. GPS car navigation has become one of the most popular mobile information systems. Based on the user's current location, an individually customized itinerary is calculated and updated if necessary. Passively operating receivers pick up the broadcast satellite signals and use the measured signal propagation times to determine the user's current position by trilateration (cf. Hofmann-Wellenhof et al. (2008)). This kind of location determination does not pose any privacy threat to the users of the mobile information system since, due to the receive-only technology, an external determination of the device's location is not possible. Furthermore, the tailoring of context-aware information was also carried out on the user's mobile device, for instance based on stored map data.

The availability of new, powerful mobile devices in combination with comprehensive and affordable mobile broadband communication gave rise to a new generation of improved mobile information services, and thus poses new challenges for policy makers and communicators. Nowadays, instantaneous information can be delivered in a context-aware and personalized manner. However, personal information, such as the current location and personal preferences, is a prerequisite for tailored data delivery. In contrast to the aforementioned car navigation example, potentially sensitive information needs to be disclosed to the service provider. By using this new generation of mobile services, personal data is disclosed in an unprecedented manner.

One of the new mobile map and navigation applications, Google Mobile Maps,¹ exemplifies the development of the next generation of mobile information services: it offers world-wide maps, routing and other useful location-aware information. In contrast to the aforementioned (car) navigation solutions, modeling of the user's context is no longer conducted solely on the user's device. Due to approximate location determination based on mobile telephony infrastructure and assisted GPS, sensor data is sent to external services, and external information sources are used to improve (i.e. speed up) the determination of the user's current location. At the same time, the data needed to calculate and display the requested information is no longer stored on the device; it is only downloaded to the user's device on demand. Therefore, the user's location has to be transmitted to the service provider periodically. By aggregating the location information of many users, such data could improve or enable new kinds of services. For instance, Google Mobile Maps uses user-contributed data (with the user's consent) to determine and visualize the current traffic situation (cf. Fig. 6.1).

The remainder of this chapter analyzes privacy issues associated with today’s

location-based services.

6.1 Privacy Analysis

In the case of location-based services, privacy-preserving methods such as anonymity and, where appropriate, obfuscation of location information seem to be suitable privacy-enhancing methods. However, certain aspects of the aforementioned concepts assume trust in a potentially unknown institution. A central service often has at least access to the same user data that a single service provider can have. More formally, a trusted third party's (TTP) observation history can be seen as the union of the observation histories of all LBSs a user has exchanged data with, $O_{TTP} = O_{LBS_1} \cup \dots \cup O_{LBS_n}$, and hence $O_{TTP}$ contains at least as much information as a single LBS provider could obtain without a trusted server for privacy-enhancing techniques. If a TTP service is used pseudonymously to anonymize several location-based services, a much more complete spatio-temporal movement profile can arise than would be the case with independent usage of separate location-based services. This increases not only the risk of re-identification, but also that of the identification of personal preferences and social relations.

¹ Google Mobile Maps, http://www.google.com/mobile/maps/, (1/4/2012).

[Figure 6.1: (a) Map displaying the current traffic situation. (b) Exchanging location information between social peers. (Image source: Google.com)]

In contrast to mobile communication infrastructure, users usually do not provide their real identity when using location-based services. In the case of pseudonymous usage of LBSs, re-identification through so-called location-based quasi-identifiers is an inherent privacy threat (Bettini et al., 2005). Location-based quasi-identifiers (e.g. work/home pairs (Golle & Partridge, 2009)) can be generated even from episodic location data (Freudiger et al., 2012). Thus, from a user's perspective, the same privacy issues arise when using a trusted middleware to enforce privacy: firstly, the user is not fully aware of the real protection offered by the algorithms and measures imposed, and secondly, from a user-centric perspective, a service offered by a privacy-enhancing TTP is similar (w.r.t. the privacy risks laid out in Chapter 2) to a generic location-based service
offer. For these reasons, a different approach to improving location privacy when using location-based services is proposed. If a user is required to trust a service provider to some extent, this trust should be limited to a very specific context. Thus, a service offer should be as specific as possible. This limits the location information revealed by the user to a very specific context, e.g. restricted to a spatial area or to specific user preferences or activities. In order to further reduce the observers' information gain, partially offline usage of a service is desirable. To achieve this, one must take a closer look at today's location-based service models and the corresponding mobile platforms.

[Figure 6.2: Basic building blocks of a modern mobile location-aware device. Blocks shown: Mobile Platform (MPSP) with Application CPU and Baseband CPU; Apps provided by ASPs; MNO; E911 and Law Enforcement; 3rd party re-use of location data.]

Owing to the architecture of today's mobile device platforms, a second (location) privacy problem can be identified. Smartphones contain different software and hardware layers which are controlled by different external parties. The basic building block of each phone is the baseband processor. This CPU usually runs a specific real-time operating system designed to perform network-specific tasks. In general, this system interacts with and is usually controlled by a mobile network operator (MNO). For generic software and user interaction, a modern mobile device contains an additional application CPU. This CPU has only limited means of interacting with the baseband CPU. For example, the application CPU can initiate a call, but it does so over a serial line or a similar narrow interface to the baseband CPU; for security reasons there is no direct interaction between the two systems through shared memory, APIs or the like. The application CPU usually runs the mobile platform, a mixture of a generic mobile operating system and specific extensions for mobile services. The mobile platform is controlled by mobile platform service providers (MPSP). Finally, various application service providers (ASPs) offer applications (so-called Apps) running on top of the mobile platform, i.e. using its APIs and interfaces to interact with the user and the user's device. Figure 6.2 shows the individual building blocks and possible data flows of today's mobile devices.

From a location-privacy perspective, the MPSP is the most privileged and powerful actor in this setting, since this entity controls most of the phone's location-related functionality. For instance, the mobile platform enforces the user's privacy policies for every installed application. Recently, it has been revealed that MPSPs exploited this privileged position to support their own business models. For instance, in April 2011 researchers examined Apple's iPhone and discovered that the device generates and stores its user's location history. Mobile telephony cell IDs and WiFi hotspots were tracked, correlated with GPS coordinates and finally transmitted to Apple servers (Bilton, 2011). Such data is usually used to improve device positioning through alternative database-based location determination techniques in situations where GNSS-based techniques do not work or do not deliver instant results. While Apps may disclose sensitive information (Grace, Zhou, Jiang, & Sadeghi, 2012; Hornyack, Han, Jung, Schechter, & Wetherall, 2011; Enck et al., 2010; Federal Trade Commission, 2012; Smith, 2010), the extent of disclosure depends on the usage pattern of the App and on the user's privacy policy as enforced by the mobile platform (i.e. the MPSP). MNOs also have access to the user's location (cf. the discussion in the previous chapter); however, MNOs usually operate locally (i.e. within a national jurisdiction), and thus can be regulated w.r.t. the usage of location data. While in theory MPSPs may also be subject to regulation, their business model is not locally restricted and currently remains mostly unregulated. An MPSP could choose a company location with favorable privacy regulation since no physical interaction with the end user is required. Consequently, today we can observe a shift of data flows from the highly regulated realm of MNOs to opaque and powerful MPSPs.

To improve the user's privacy situation, the privileged position of the MPSP has to be tackled (Andrienko et al., 2013). The remainder of this chapter proposes design requirements for user-driven location-aware services with the goal of enabling potential providers to create specific and self-contained location-based service offers, which can be used without continuously transferring exact location information directly to the provider.

6.2 Case Study – Mobile Tourist Information System

The study of user-driven and user-centric mobile information services is based

on a tourism use-case. Developing a tourism application provides interesting

insights into usage and practical implications of a privacy-aware service design.

For instance, providers of mobile tourism are confronted with a diverse user community.

Usually the targeted service users are not locals, and thus, mobile services

may be subject to (international) roaming fees. More importantly, however, due

to the rapid technical progress of mobile devices, service providers may face a

new technology every two or three seasons. High demands on infrastructure

and/or technical expertise for developing and deploying such services are further

obstacles for the provisioning of specialized location-based service offers.

Location-based services, especially tourist or museum guides, have a long

history and are one of the most common context-aware applications so far. Cyberguide

(Abowd et al., 1997) and GUIDE (Cheverst, Davies, Mitchell, Friday, &

Efstratiou, 2000) started at the end of the last century, when they developed and

evaluated location-based tourist guides. Since then, certain aspects have been researched

intensively, such as position and location determination in- and outdoors

(G. Sun et al., 2005; Vossiek et al., 2003), general requirements for developing

mobile applications (Dunlop & Brewster, 2002) and usability and application

design (Ciavarella & Paternò, 2004).

Especially in tourism, one of the fields researched early on, mobile and location-based services seemed very promising for a wider commercial breakthrough. However, it has proven very difficult to establish successful solutions in this area. One reason was that many technical solutions did not match the visitors' needs (cf. Brown and Chalmers (2003)). But at least as important are the needs of potential service providers, especially in non-technophile communities like culture and tourism. Economou, Gavalas, Kenteris, and Tsekouras (2008) analyzed development kits and authoring tools for efficiently developing mobile services in the culture and tourism domain. The authors emphasize the importance of effective and easy-to-use tools, but also the need for a portable and partly offline usable solution.



Wicker (2012) also covered the emerging field of mobile (cellular) communication in combination with location-based services and the re-use of location data (e.g. location-based advertising). The author provides guidelines for developing anonymous location-based services and advertising. For that, the author assumes the user to have full control over his or her device and over the data paths involved when using location-based services. While in principle these are desirable goals, the privacy discussion above has shown that in today's mobile world the user's smartphone is under the control of different entities with different (and partly conflicting) interests.

Nowadays, there is no lack of frameworks for developing location-based services. Economou et al. (2008) divide these frameworks into three categories: (client-)application-based, client/server-based and hybrid approaches. For potential service providers with only basic programming skills and/or a limited budget, however, most of the existing frameworks demand a high degree of technical expertise and therefore form serious obstacles.

The primary goal of user-driven location-based services is to foster a decentralized and diverse landscape of location-based service offerings and simultaneously provide a fully controllable mobile platform for end-users. Consequently, the number of external observers can be limited to single highly specialized services and local service providers. By providing partly offline services and on-demand content synchronization, disclosure of the user's real-time location is not required, and live updates are only performed for coarse locations and whole areas. The user's privacy is improved by disclosing, context-specifically, as little location information as possible while simultaneously keeping the utility and usability of location-based services high.

6.3 Requirements Analysis

In order to develop user-driven location-based services, a portable and easy-to-use framework for mobile applications and content maintenance is required. With these goals, two basic building blocks for a privacy-aware mobile platform can be identified. First, a sustainable technical platform as a portable runtime environment for location-based applications is needed. Second, an environment for developing and maintaining applications and their content is necessary.


6.3.1 Technical Platform

Location-based services depend on suitable mobile devices with some essential technical features such as (autonomous) position determination, decent battery life and low weight, but also a display technology suitable for outdoor usage and, finally, network communication features. Normally, the smartphones available today satisfy these needs. While the technical equipment of mobile devices has become more and more uniform, there is tough competition regarding operating systems and software platforms. The development of this market is incredibly fast and hardly predictable. [2] Just a few years ago, Symbian dominated the market by a large margin (47% market share) and iOS- and Android-based smartphones each had around or less than 10% market share. [3] Only a few quarters later, the market has changed significantly. Symbian-based smartphones have lost significant market share, whereas Android-based devices have taken the leading position and iOS has doubled its market share. Both are currently dominating the mobile market.

Hence, for small service providers it is crucial to choose a platform-independent solution in order to protect investments in development and content. For the development of platform-independent mobile services, there are generally several options available today. A Web-based approach incorporates today's omnipresent Web browsers to abstract the technical platform and content. A second solution is a dedicated runtime environment which is portable between different operating systems and mobile devices. Hybrid solutions try to balance deployment and development costs as well as portability, but also reduce the dependency on network infrastructure (Kenteris, Gavalas, & Economou, 2009).

6.3.1.1 Server- / Web-based Solutions

Since the introduction of mobile network connectivity, one of the major goals was to make the World Wide Web available on mobile devices. In the beginning, limiting factors were the lack of wireless broadband connections, but also slow hardware, small displays and an ill-conceived usability model. Originally, the development focus was on simplification and feature reduction. The Wireless Application Protocol (WAP) [4] was one of these attempts, but has never met the publishers' and the users' expectations. With the current generation of mobile devices, a lot of technical restrictions are gone. As memory and computing capacity are no longer limiting factors, modern mobile Web browsers have come closer to their desktop ancestors. Today's challenges are usability aspects, dedicated access to various location determination techniques and especially (location) privacy protection. Therefore, Web-based solutions seem to be a suitable candidate to provide location-based services. Such an approach makes use of well-established and standardized Web technologies to render content on mobile terminals. As no additional software installation is usually required on mobile devices, it enables developers to create LBS applications easily and to provide vast amounts of content with little or no deployment costs.

[2] Gartner Research, Mobile OS Market Study (4Q/2011), http://www.gartner.com/it/page.jsp?id=1924314, (4/23/2012).

[3] Gartner Research, Smartphone Sales (Q4/2008), http://www.gartner.com/it/page.jsp?id=910112, (4/23/2011).

One example of a pure Web-based mobile service is a mobile guide through the botanical garden of Freiburg (Zhou, 2008). Solutions such as these do not need to store anything on the visitor's mobile device. All data are kept and maintained on a central server. Therefore, any visitor has access to the same up-to-date content. Furthermore, the system is able to deliver context-specific and tailored content based on the visitor's actions, usage history and preferences (Zhou & Rechert, 2008). Moreover, Web-based solutions offer seamless integration and accessibility to other, either related or nearby, services. Since Web-based solutions usually resemble the classic client-server approach, a permanent network connection is usually required. Although such services work well in closed areas like campuses or museums with area-wide WiFi infrastructure, their usage is quite limited due to the high demand for uninterrupted network coverage. Although small areas can be easily covered with WiFi infrastructure, GSM/3G data connections impose difficulties on a Web-based approach. High-bandwidth and low-latency connections are not always available outside of metropolitan areas and may be associated with significant costs, especially for foreign visitors in roaming mode. With respect to location determination, Web-based LBS applications rely either on network-aided positioning or on incorporating client-based positioning techniques (e.g. GNSS, compass, gyroscope, etc.). However, due to security restrictions, Web-based applications usually do not have direct access to the user's device hardware, thus additional software (e.g. a browser plug-in) may be required in order to fully exploit the available sensor features of the user's device. To avoid additional software installation and due to the rising demand for location information, appropriate and secure interfaces are becoming standardized through the W3C's Geolocation API. [5]

[4] OMA Wireless Application Protocol (WAP), http://www.openmobilealliance.org/Technical/wapindex.aspx, (4/30/2011).

The development of HTML 5, which remains in draft form and has not been uniformly implemented, promises to remove some shortcomings of Web-based services. [6] Beside the standard Geolocation API, the integration of audio and video streams as well as generic drawing primitives (canvas) are also part of the proposed standard. Offline usage of sites is explicitly intended. In the long run, HTML 5 might be a viable alternative for providing mobile location-based services. Regarding location privacy, Web-based solutions have two significant shortcomings. First, due to the technical design (client-server architecture), the offline usage of services is limited. Second, the Geolocation API is limited, both in terms of privacy-enhancing techniques and of user APIs to ease location-aware development. Moreover, the continuous transmission of one's whereabouts may pose a significant privacy threat for the user (Krumm, 2009). Similarly, the use of traditional Web technologies, such as cookies, allows service providers to track users across location-based service boundaries and thereby supports the aggregation of movement patterns together with other preferences (e.g. from data sources like online shopping).

6.3.1.2 Specialized Client-based and Hybrid-Runtime Environments

An alternative approach to achieve platform independence is using a specialized client-based runtime environment. A runtime is able to render data of a given format, and thus allows separation of content and platform. In general, the advantage of specialized runtime environments is that they usually do not require a permanent network connection even though they offer such connections on demand. All tasks, such as user modeling or content selection and organization, can be performed on the device itself. Network connection or data transfer are then optional features.

A classic approach to creating portable mobile applications is using the Java Micro Edition (J2ME), a dedicated Java implementation for mobile usage. [7] J2ME offers platform independence due to its virtual machine abstraction and allows development of mobile applications in the popular Java language. These applications, so-called MIDlets, run on any device providing the J2ME runtime. In addition, device- and vendor-specific extensions may be available. There is no lack of mobile development frameworks and runtime engines based on J2ME (cf. Kenteris et al. (2009)). Google's (Java-based) Android platform also certainly belongs to the most popular runtime environments today.

[5] W3C Geolocation API Specification, W3C Candidate Recommendation 07 Sep. 2010, http://www.w3.org/TR/geolocation-API/, (5/6/2011).

[6] cf. HTML5, W3C Working Draft 25 May 2011, http://www.w3.org/TR/html5/, (5/6/2011).

[7] Java Micro Edition, http://java.sun.com/javame/, (1/30/2010).

In general, mobile applications using client-based runtimes have the advantage of not depending on a network connection to run, i.e. to provide location-based services. However, connecting to external servers or content repositories is still possible if required. In a nutshell, these examples show typical difficulties of specialized runtime engines:

• Limited Expressiveness
Simple and easy-to-use frameworks usually provide only limited expressiveness. Therefore, only applications and services with simple user interfaces and user-interaction options can be built, since the frameworks are based on simple abstract descriptions, e.g. XML (cf. Kenteris et al. (2009)) or similar.

• High Complexity
A generic, more expressive programming environment increases development complexity as well as the required programming skills, and thus may pose a high entrance hurdle due to high initial investments. This growing complexity makes seamless integration with other service offers difficult due to higher coordination efforts (e.g. API negotiations etc.).

• Availability of Dedicated Tools and Methods for Mobile Application Development
Most of the available runtime environments today were developed with different goals in mind. Dedicated support and specialized tools for creating mobile applications (e.g. supporting the user with rendering map data, geo-coordinate projection etc.) are unavailable.

6.3.2 Content Development and Maintenance

The technical platform is only one necessary base layer for running mobile applications and accessing location-aware services. The other crucial aspect of creating mobile information systems is developing a service concept, the mobile application and especially location-aware content. The development process can be divided into two phases. First, a concept, the user interface, possible user interactions and workflows need to be developed. This should result in a technical and organizational framework for providing and presenting content in a context-aware manner. In the second phase, content is created and enriched with location-based contextual metadata. Through an organizational separation of content and presentation, maintenance of content could be done by the providing institution itself (e.g. through a traditional content management system) or could be delegated to third-party contractors. Hence, decentralized structures could be created by different independent content providers delivering unique and specialized knowledge, and therefore increasing the attractiveness and acceptance of mobile services.

6.3.3 Requirements and Architecture

The aforementioned runtime environments offer different distinct features, complexity and expressiveness to create a technical foundation for location-based services. Today's minimal requirements are the integration of textual and multimedia content (audio/video), but also the possibility of creating and integrating small individual applications, such as a bounty hunt or similar interactive content. If mobile services are to receive the same strong stimulus as the WWW did in the late nineties, some of its success factors have to be combined with current research on mobile services. The WWW's decentralized structure and its low entry hurdles made it possible for diverse individuals and institutions to create and publish content and to create valuable new services. Especially a standardized technical platform encouraged development even for small niches and gave incentives for experiments. Also, the seamless linkage of many different sources was a major success factor. From the aforementioned approaches and their distinct shortcomings, a list of design criteria for a runtime environment for mobile services can be derived, with the constraint that the resulting runtime should be suitable especially for small-scale projects and experiments. Based on the discussion above, the following non-functional requirements for the design and architecture of the framework are derived:

NFR-I. Device & Platform Independence
Today, the range of suitable portable devices for LBS is enormous: from the classical GPS-enabled smartphones to the next generation of tablets and similar mobile devices with different operating systems and system models. However, there is no standard mobile device platform for LBS applications available. Therefore, an LBS application should be able to run on a wide variety of devices and should sustain the rapid technical advances in this area.

NFR-II. Low demands on technical expertise
In order to enable a wide range of potential service providers to design and maintain LBS applications, the demands on technical expertise should be as low as possible. Institutions running LBS should be able to update content as well as develop and improve application features on their own. A further goal is to encourage researchers, students and individuals to contribute fresh ideas and concepts, i.e. rapid prototyping.

NFR-III. Low demands on infrastructure
Even though prices for mobile Internet connections are falling quickly and network coverage has improved significantly, we do not require mobile terminals to be connected to a network all the time.

For privacy and cost reasons, a dependency on a central server-based system seems too restrictive. Furthermore, even with good network coverage, an uninterrupted mobile network connection is usually not guaranteed. In certain hotspots with larger crowds (e.g. busy train stations, live events) and during peak times, a reliable Internet connection might not be available. The same applies to rural areas, e.g. for hiking guides. Therefore, each deployed application or service should be able to run in an offline mode and still provide the user with similar or the same service quality.

NFR-IV. Content deployment and reusability
Due to significant advances in mobile device technology, the reuse and/or universal use of content and associated applications are important issues, especially for small providers. Content and application should be decoupled from the mobile terminal and should run as platform-independently as possible. Thereby, collaborative structures can be established with several providers creating and deploying applications for their region. Even more importantly, small providers are encouraged to experiment with mobile applications since their investments in development are (at least partially) protected due to platform-independent reuse of application and content.

NFR-V. Comprehensive set of location-based functionality
The framework should enable and support users in developing mobile applications, e.g. using different kinds of map data and location data, and especially enable users to integrate rich media with location data and user context. Depending on technical skills or goals, the framework should offer a wide range of presentation options, from simple templates to interactive games.

NFR-VI. Privacy-aware design
The user's exposure (i.e. disclosure of location data) to a specific observer should be minimized. First, through offline usage and area-wide content synchronization, the spatio-temporal error of the service provider's observation is large. Second, in contrast to today's popular platforms, the user remains in full control of the location determination techniques available.

NFR-VII. Modular and extensible design
The platform should be designed in a way such that the integration of new features is possible without any redesign and/or reimplementation. Further, existing code (i.e. already available libraries) and its functionality should be usable within the mobile platform.
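As an added illustration of NFR-III and NFR-VI (this Python sketch is written for this edit and is not part of the dissertation or of the MobIS framework), the following code keeps precise GNSS fixes on the device and contacts a content server only when the device enters a new coarse grid cell, so that a server-side observer learns cells and synchronization times rather than a track. The 0.5 degree cell size, the sample trace and all function names are assumptions of the example:

```python
import math

EARTH_RADIUS_M = 6371000.0

# Constructed choice for this example: a 0.5 degree cell is roughly
# 55 km x 37 km at 48 degrees north, i.e. "city-wide" in the sense of
# NFR-VI. It is an assumption of the example, not a MobIS constant.
CELL_DEG = 0.5


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarse_cell(lat, lon, cell_deg=CELL_DEG):
    """Quantize a precise fix to the grid cell that may leave the device."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def cell_bounds(cell, cell_deg=CELL_DEG):
    """(min_lat, max_lat, min_lon, max_lon) of a grid cell."""
    i, j = cell
    return (i * cell_deg, (i + 1) * cell_deg, j * cell_deg, (j + 1) * cell_deg)


def spatial_error_m(cell, cell_deg=CELL_DEG):
    """Worst-case position error of an observer who only learns the cell:
    the cell diagonal (the fix could be in any corner)."""
    min_lat, max_lat, min_lon, max_lon = cell_bounds(cell, cell_deg)
    return haversine_m(min_lat, min_lon, max_lat, max_lon)


class AreaSync:
    """Offline-first content synchronization.

    Precise fixes are consumed locally. The content server is contacted only
    when the device enters a new cell, and the request carries the cell, not
    the fix. `disclosed` records everything a server-side observer learns.
    """

    def __init__(self, cell_deg=CELL_DEG):
        self.cell_deg = cell_deg
        self.current_cell = None
        self.disclosed = []

    def on_fix(self, lat, lon, t):
        cell = coarse_cell(lat, lon, self.cell_deg)
        if cell == self.current_cell:
            return None  # served from the local cache, nothing leaves the device
        self.current_cell = cell
        self.disclosed.append((cell, t))
        return cell


def area_sync_view(trace, cell_deg=CELL_DEG):
    """What the content server observes under the area-wide sync policy."""
    sync = AreaSync(cell_deg)
    for lat, lon, t in trace:
        sync.on_fix(lat, lon, t)
    return sync.disclosed


def real_time_view(trace):
    """What a classic client/server LBS observes: every fix, as it happens."""
    return [((lat, lon), t) for lat, lon, t in trace]


# Constructed GPS trace (lat, lon, seconds since start) in the Freiburg area;
# the coordinates are made up for this example.
SAMPLE_TRACE = [
    (48.0000, 7.9567, 0),
    (48.0120, 7.8500, 600),
    (48.0500, 7.9000, 1800),
    (47.9900, 7.8800, 3600),
    (47.9700, 7.8700, 4200),
]

if __name__ == "__main__":
    for cell, t in area_sync_view(SAMPLE_TRACE):
        print(f"t={t:5d}s server learns cell {cell}, "
              f"worst-case error {spatial_error_m(cell) / 1000:.1f} km")
    print(f"real-time policy discloses {len(real_time_view(SAMPLE_TRACE))} fixes")
```

Run on the sample trace, the real-time policy of a Web-based client/server service discloses all five fixes, whereas the area-wide policy discloses two cell entries; for each of them the observer's spatial uncertainty is the cell diagonal, tens of kilometres, and the temporal uncertainty is the time until the next cell change.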

6.4 Implementation

While the primary use case is a tourist guide application, neither the architectural design nor the actual implementation restricts the application field or potential service offers. Fig. 6.3 provides a general overview of the mobile terminal's layout, consisting of two core components: a set of different location-based applications and a common mobile runtime.

6.4.1 Platform Abstraction

In order to create an open and portable runtime framework, an Open Source software stack has been compiled. This allows for creating a flexible hardware-abstraction layer on top of current mobile platform options. A complete list of software components and libraries used can be found in Appendix A.1.

The platform abstraction layer consists of two different sub-layers: a common layer for system calls, and a unification of common features on a wide variety of mobile devices (e.g. sound, video, sensors, etc.). This way, it is possible to develop a uniform platform for a wide range of mobile devices.

Figure 6.3: General architecture of the proposed mobile platform. [Figure: several applications, each consisting of application, content and meta-data, run on a script engine; the mobile platform beneath it provides storage & DB, rendering & multimedia, maps & navigation, and user model & privacy components; these sit on the OS & hardware abstraction layer on the application CPU, next to the baseband CPU with GPS, WiFi and GSM/3G.]

First, interaction with different types of the devices' operating systems needs to be unified. So-called system calls on POSIX-compatible platforms are used by user-space software to interact with the operating system. [8] Non-POSIX-compliant operating systems (e.g. various Windows versions, Symbian etc.) require a POSIX compatibility layer. CeGCC [9] (Windows CE) and PIPS [10] in combination with the Open C/C++ layer (Symbian) [11] are just two examples of POSIX compatibility layers providing such functionality. They allow developers to easily use well-established Open Source libraries on all platforms. This way, a common code base is available for all device and operating system platforms.

The remaining abstraction of device and operating system features is achieved by using the Simple DirectMedia Layer library (SDL) [12], which offers uniform interfaces for audio, video, threads, locking primitives, and timers on a variety of systems.

[8] POSIX.1-2008, http://pubs.opengroup.org/onlinepubs/9699919799/, (12/20/2010).

[9] CeGCC, a Windows Mobile Cross Compiler and POSIX layer, http://cegcc.sourceforge.net, (12/20/2010).

[10] PIPS Is POSIX on Symbian, http://www.developer.nokia.com/Community/Wiki/P.I.P.S/, (1/30/2010).

[11] Symbian S60 Open C/C++ Layer, http://www.forum.nokia.com/main/resources/technologies/openc_cpp/, (12/20/2010).

[12] Simple DirectMedia Layer (SDL), http://www.libsdl.org, (12/20/2010).

With these two abstraction layers in place, most of today's available mobile platforms, ranging from Windows Mobile to Symbian smartphones and from Linux embedded devices to Apple's iOS gadgets, can be covered. Currently, the only device-dependent code is accessing the hardware interface for reading low-level data from GPS, WiFi or GSM hardware, due to the lack of uniform interfaces and the relatively new type of hardware.

6.4.2 Scripting Engine

On top of the software stack, a script interpreter engine has been developed which builds the foundation for platform-independent LBS applications, with a focus on an easy-to-learn and easy-to-use script language. The script language chosen and implemented is based on the ECMA-262 standard [13], which also forms the base of such popular script languages as Adobe's ActionScript or the standard for Web-based client-side scripting, JavaScript.

Beside the basic language features, such as arithmetic operations and string manipulation, a comprehensive set of custom classes designed specifically for the domain of LBS applications has been developed. These classes allow users to handle LBS-specific issues, such as geo-coordinate transformation and projection, positioning, and proximity detection. New classes can be implemented and registered. Appendix A.1 provides a full list of available classes for creating location-aware applications.

In order to deploy a location-based application, a container with at least a main.mbs file in the top-level folder is required. The script engine is able to compile the source code on the fly or to interpret precompiled byte-code. For (commercial) deployment, all script files are precompiled and packaged together as a single container including associated resources (e.g. map data, images, video and audio files). Listing 6.1 shows a simple example of a script application.

[13] Standard ECMA-262 ECMAScript Language Specification, http://www.ecma-international.org/publications/standards/Ecma-262.htm, (12/20/2010).


Listing 6.1: Minimal example of a MobIS script application.

include

// initialize a new layer
// root(-layer) is a built-in environment variable.
main = new MobisLayer(root);

// some nice background image
main.place(new MobisImage("bg.png"));

// an active button
// registers onClick callback for exit() function
var button = new MobisActionButton("b1.png", "exit");

// place button
main.place(button, 10, 180);

// button callback
function exit()
{
    root.exit();
}

6.4.3 Content Organization and Storage

The MobisSql class is an easy-to-use front-end for the popular and powerful SQLite3 library. [14] Apart from most standard SQL features, it also offers spatial indexing via R-Trees. [15] Due to its self-contained single-file database format, it is possible to create and fill a database on a desktop computer and use it on an arbitrary mobile device later on. Furthermore, the database can be attached to and managed by various tools, such as content management systems and database tools. Listing 6.2 shows a simple script using the SQL database back-end.

[14] SQLite 3, http://www.sqlite.org, (1/30/2011).

[15] SQLite3 remarks, http://www.sqlite.org/omitted.html, (1/30/2011).

Listing 6.2: Example: Usage of built-in database

// open the shipped SQLite database file
sqldb = new MobisSql("content/db.s3db");

stmt = "SELECT * FROM mytable WHERE item='a'";
result = sqldb.query(stmt);

// iterate over the result set row by row
var row;
while (row = sqldb.getNextRow(result))
{
    DEBUG(row["item"]);
}

6.4.4 Rendering and Multimedia

A simple graphical rendering engine was developed in order to enable developers to design the user interface with ease. The MobisLayer class provides a set of simple drawing tools, such as drawing lines and fills (through MobisShape). Instances of the MobisImage class allow the placement of PNG and JPEG images on layers, and MobisButton instances facilitate the placement of scriptable interactive areas. Layers can be made draggable and visible or invisible on demand. LBS applications, such as tourist guides, also have high demands on multimedia capabilities. The MobisVideo class offers audio and video playback through decoding libraries such as FFmpeg [16] or libav [17]. An example of embedded audio/video is given in Listing 6.3.

6.4.5 Using Map- and Position Data

Several convenience classes offer easy-to-use interfaces for handling map data. Currently, the focus is on free map data from the OpenStreetMap (OSM) project [18], as the data is freely usable [19], offers good coverage of most regions (especially Europe) and provides different sources of map data (e.g. XML-based data and pre-rendered map tiles). Alternatively, users are able to use their own map files (e.g. JPEG World File [20]), either to show simplified maps for certain user groups (e.g. children) or to provide map overlays with historic map data.

[16] FFmpeg, http://www.ffmpeg.org, (12/20/2010).

[17] libav, http://libav.org, (12/20/2010).

[18] The OpenStreetMap Project, http://openstreetmap.com, (1/30/2011).

[19] Creative Commons CC-BY-SA, http://creativecommons.org/licenses/by-sa/3.0/, (12/20/2010).

Listing 6.3: Video class

// initiate generic multimedia class
var video = new MobisVideo();

// maximum volume
video.setVolume(100);

// place the video on its own layer and show it
var video_layer = new MobisLayer();
video_layer.place(video);
video_layer.setVisible(1);

video.play("test.ogv");

The MobisMap class is designed to hide mapping and projection complexity from users. Together with the map handling class, the MobIS framework provides classes for drawing and placing layers on the map either by pixel coordinates or by geographic coordinates (MobisMapPane).

Location is expressed internally as WGS84 coordinates (European Organization for the Safety of Air Navigation, 1998). By means of the MobisProjection class, a front-end for the PROJ.4 library [21], WGS84 coordinates can be transformed to various common projections like Mercator, UTM or Gauss-Krueger.

Based on SQLite's spatial index implementation, the framework provides an efficient proximity detection and handling class (MobisPoi), based both on distance and on scope. The distance-based system is needed to define events such as sounds or alerts, while the scope-based proximity detection is usually used for changing views, opening a network connection to update data or switching between available services. Listing 6.4 shows a simple application connecting a grid of map tiles (contained in mapdir) and an ESRI world file to the device's GPS position.

[20] cf. http://www.kralidis.ca/gis/worldfile.htm (9/1/2012).

[21] PROJ.4 - Cartographic Projections Library, http://trac.osgeo.org/proj/, (12/20/2010).


Listing 6.4: Example usage of mapping features

// use mapping class with JPEG World File format
var map = new MobisMap(root, mapfile, mapdir, jgw);
map.setScale(1.0, 1.0);
map.setDragable(1);
map.setVisible(1);

// move to predefined position
map.moveTo(48.0, 7.95666);

// map movement follows gps position
gps.registerMap(map);
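As an added example of the two-phase proximity detection described in Sections 6.4.3 and 6.4.5 (written for this edit, not code from the MobIS framework or its MobisPoi class), the following Python uses SQLite's R-tree module as the coarse bounding-box filter and refines distance-based points of interest with an exact great-circle check, while scope-based regions are matched directly by containment; entering or leaving a scope yields the events that drive a view change or a data update. If the local SQLite build lacks the RTREE module, the code falls back to a plain table with the same query. The POI names, positions, radii and scope boxes are constructed sample data:

```python
import math
import sqlite3

EARTH_RADIUS_M = 6371000.0
M_PER_DEG_LAT = 2 * math.pi * EARTH_RADIUS_M / 360.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def _create_box_index(conn, name):
    """Bounding-box index (id, min_lat, max_lat, min_lon, max_lon) as an SQLite
    R-tree; if this build omits RTREE, a plain table with the same columns keeps
    the containment query working (only slower). `name` is an internal constant."""
    try:
        conn.execute(f"CREATE VIRTUAL TABLE {name} USING rtree"
                     "(id, min_lat, max_lat, min_lon, max_lon)")
        return True
    except sqlite3.OperationalError:
        conn.execute(f"CREATE TABLE {name}(id INTEGER PRIMARY KEY, min_lat REAL, "
                     "max_lat REAL, min_lon REAL, max_lon REAL)")
        return False

def open_poi_db():
    """In-memory database; on a device this would be the shipped .s3db file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE poi(id INTEGER PRIMARY KEY, name TEXT, "
                 "lat REAL, lon REAL, radius_m REAL)")
    conn.execute("CREATE TABLE scope(id INTEGER PRIMARY KEY, name TEXT)")
    _create_box_index(conn, "poi_box")
    _create_box_index(conn, "scope_box")
    return conn

def add_poi(conn, poi_id, name, lat, lon, radius_m):
    """Distance-based POI: a circle, indexed by a slightly generous box around it."""
    dlat = 1.01 * radius_m / M_PER_DEG_LAT
    dlon = dlat / math.cos(math.radians(lat))
    conn.execute("INSERT INTO poi VALUES (?, ?, ?, ?, ?)",
                 (poi_id, name, lat, lon, radius_m))
    conn.execute("INSERT INTO poi_box VALUES (?, ?, ?, ?, ?)",
                 (poi_id, lat - dlat, lat + dlat, lon - dlon, lon + dlon))

def add_scope(conn, scope_id, name, min_lat, max_lat, min_lon, max_lon):
    """Scope-based region (e.g. a quarter of town): the box itself is the region."""
    conn.execute("INSERT INTO scope VALUES (?, ?)", (scope_id, name))
    conn.execute("INSERT INTO scope_box VALUES (?, ?, ?, ?, ?)",
                 (scope_id, min_lat, max_lat, min_lon, max_lon))

# Point-in-box predicate; bound parameters are (lat, lat, lon, lon).
_CONTAINS = "min_lat <= ? AND max_lat >= ? AND min_lon <= ? AND max_lon >= ?"

def candidate_pois(conn, lat, lon):
    """Phase 1: index lookup, all POIs whose box contains the position."""
    return conn.execute(
        "SELECT p.id, p.name, p.lat, p.lon, p.radius_m FROM poi_box b "
        "JOIN poi p ON p.id = b.id WHERE " + _CONTAINS,
        (lat, lat, lon, lon)).fetchall()

def nearby_pois(conn, lat, lon):
    """Phase 2: exact great-circle check, run only on the candidates."""
    return sorted(name for _id, name, plat, plon, r in candidate_pois(conn, lat, lon)
                  if haversine_m(lat, lon, plat, plon) <= r)

def active_scopes(conn, lat, lon):
    """Scopes containing the position; boxes are exact here, no refinement needed."""
    rows = conn.execute("SELECT s.name FROM scope_box b JOIN scope s ON s.id = b.id "
                        "WHERE " + _CONTAINS, (lat, lat, lon, lon)).fetchall()
    return sorted(name for (name,) in rows)

def scope_transitions(conn, previous_fix, current_fix):
    """(entered, left) scope names between two fixes: the events that trigger
    a view change or an on-demand content update."""
    before = set(active_scopes(conn, *previous_fix))
    after = set(active_scopes(conn, *current_fix))
    return sorted(after - before), sorted(before - after)

def build_sample_db():
    """Constructed sample data near the coordinates of Listing 6.4; all made up."""
    conn = open_poi_db()
    add_poi(conn, 1, "Fountain", 48.0000, 7.9500, 50.0)
    add_poi(conn, 2, "Chapel", 48.0010, 7.9580, 100.0)
    add_scope(conn, 1, "Old town", 47.995, 48.005, 7.945, 7.960)
    add_scope(conn, 2, "Trail", 48.050, 48.100, 7.900, 8.000)
    return conn
```

With the sample database, a fix at (48.0002, 7.9503) is about 32 m from the fountain and triggers it, whereas a fix at (48.0004, 7.9506) still falls inside the fountain's index box but is about 63 m away, so the exact check rejects it; moving from the old town to the trail area yields the pair of scope events (entered "Trail", left "Old town"). Keeping the index query conservative and the exact check on the device is what makes the lookup both fast and correct, and since the database ships inside the application container, no position has to be sent to a server for this lookup.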

6.5 Summary

Based on the aforementioned success factors, a user-centric framework for creating and running mobile services has been designed and implemented. The framework is now usable for a wide range of developers with little to medium programming skills. It is useful for rapid prototyping in a research domain, but also for realizing proof-of-concept services by non-technical service developers. As a result, two commercial applications have been developed and deployed: the first application (cf. Appendix A.1.1 for more details) focused on a commercial launch of mobile information systems for a dedicated hiking trail, and therefore focused on stability and generic usability aspects, both regarding end users and service providers. In contrast, the second service offer deployed focused on the framework's usability, enabling service providers to develop, operate, and maintain a mobile information system. Appendix A.1.2 provides more details on the results achieved. Both cases showed that the framework enables institutions without significant technical background to develop a unique service offer for their target audience.

Furthermore, we have learned from both public projects about the needs of conceptual developers and about their targeted end users. By means of their feedback, the framework has made great steps towards being as easy to use as current Web-site creation tools. The combination of enriched, location-aware data together with a portable and platform-independent presentation layer provides new opportunities for dedicated and specialized service offers.

From a privacy perspective, the framework creates the opportunity for small and specialized service offers. By covering only small areas and/or specific user preferences, only a limited view of the user's habits is released. Due to a dedicated offline mode, the user's location privacy improves since only coarse-grained (e.g. city-wide) data updates are required. In contrast to approaches leveraging trusted third parties to hide an individual in the masses, the proposed user-centric approach aims at the reduction of the observer's capabilities. The proposed architecture not only allows for the development of location-based services, but also for the creation of social applications, in particular special-purpose vehicles to share private information. The next chapter discusses additional requirements for privacy-aware location sharing.



CHAPTER 7

Privacy-aware Location Sharing

The rise of mobile telephony and the mobile Internet has introduced new communication and information exchange possibilities between users and social groups. This chapter addresses mobile communication with social network services (SNSs) which provide a platform for sharing, amongst others, location information, thereby allowing pre-approved users (so-called virtual friends) to see publicized location information. [1] In contrast to location-based services, communication with social peers is characterized by a special social relationship based on mutual trust. Users maintain individual personal relationships, and thus know the people with whom they are communicating and trust these people to a certain extent or in a specific context. However, the service provider is explicitly trusted to enforce the user's privacy policy, i.e. to enforce access rights to the user's location information (Fig. 7.1).

Examples of SNSs with location sharing applications are manifold. They range from finding and meeting old and new friends (so-called friend finders) [2] to communication and coordination within special groups (e.g. during a holiday stay, city trip etc.), families or other social contacts. [3] In these cases, privacy protection measures, such as anonymization and obfuscation, do not seem useful at all, since the transportation of certain information (in our example location information) is intended and thus privacy concerns between social groups seem secondary for now. Privacy concerns in relation to trusted peers are discussed in Chapter 8.

[1] This chapter is based on joint work with Kosta Welke. Results of this cooperation were published as (Welke & Rechert, 2009). Kosta Welke's work focused on group cryptography and implementation issues. Klaus Rechert's work focused on the general concept, definition of requirements, privacy analysis and applying the concept to location sharing on open, general-purpose communication infrastructure.

[2] E.g., Find My Friends, https://itunes.apple.com/us/app/find-my-friends/id466122094, (12/1/2012).

[3] E.g., foursquare, http://foursquare.com, (12/1/2012); Google Latitude, http://www.google.com/latitude/, (12/1/2012).

[Figure 7.1 (diagram); labels: Partially trusted communication peers; Untrusted / unknown peers; Infrastructure Services; Mobile Information Services (e.g. Maps, Tourist Guides, ...; location information is exchanged for context aware data); Mobile Communication Network (e.g. WLAN, GSM/3G); Mobile Information (e.g. Friend Finder; location information is exchanged within social user groups); location information created by using mobile services; location information created by using mobile infrastructure; Location Processing and Anonymization Unit; Users & Social Peers; User Mobility Profiles (e.g. Traffic Monitoring, Consumer Research, Advertising)]

Figure 7.1: Location information exchanged between users is shared with the SNS. This location information may be re-used for commercial activities.

Location sharing services usually rely on a (central) service provider for coordination

and message transportation. These services manage access and privacy

policies for individual users as well as help reduce communication costs when

sending messages to groups of people. This is especially the case if asynchronous

messaging is required, meaning the message has to be stored and forwarded if

the intended recipient is not available. The service providers, however, then are

able to observe any location information by any user. This data may be stored,

processed and re-used by the provider, even though service providers were never

intended to be the recipients of user location information. In addition, service

providers are not only able to observe explicit social relationships between users

(e.g. by observing messages sent within a group), but are also able to observe

implicit or potential relationships, for instance, by clustering location information and mining it for common patterns. Therefore, for a privacy preserving

location sharing service, it is not only necessary to reduce or eliminate the

provider’s information gain, but also to enable users to control access to their

location information. Efficient communication management between a user and

his or her social peer group is a basic requirement, especially considering the

specific characteristics of mobile communication (e.g. users may lose network

connection, and thus, are unable to receive synchronous messages from time to

time).



As an example, a use-case has been chosen where users share location information

with groups of their social contacts. However, in order to study the impact

of access control in social groups, we have selected a setting with highly volatile

groups. The trust relationship between the group’s members is assumed to be

of temporary nature. A practical domain for such a setting would be travelers coordinating their leisure time within a volatile group of colleagues. During their

holiday, groups may grow (by meeting new persons) or shrink (group members

leave). However, the close relationship (i.e. trust) may only be justified during

travel. When returning home, there are no more reasons to further share their

location with this group.

7.1 Related Work

The privacy-aware location sharing problem has been addressed already with

various goals and requirements. For instance, SmokeScreen (Cox, Dalton, & Marupadi,

2007) is a presence sharing platform where individuals can organize their

social contacts in different trusted groups, such that they control the dissemination

level of their information disclosure. Each so called clique has an associated

symmetric key to protect the group’s communication. This approach requires

users to trust a dedicated server providing key distribution infrastructure and

information broker services.

Y. Sun, Liu, Kermani, and La Porta (2005) describe an encrypted group-based

architecture that enhances the users’ location privacy. They focus on efficient

key distribution which requires dedicated infrastructure. Thus, communication

between users is clearly visible to at least parts of their infrastructure.

A different approach is taken by Zhong, Goldberg, and Hengartner (2007)

where one can only identify a friend’s location if and only if the friend is near-by.

They propose protocols based on homomorphic encryption in order to decide

if coordinates are within a defined perimeter. Their proposed protocols do not

necessarily depend on a third party server or dedicated infrastructure. But due to

the direct one-to-one communication, the messaging and computational overhead

grows at least linearly with the number of friends.



7.2 Requirements

The aforementioned use-case example requires a number of specific design decisions. As all

arrangements made are temporary, agility and setup costs matter. Furthermore,

communication and coordination costs need to be addressed.

NFR-I. User-centric design

The user is able to publish his or her location without direct interaction

with other group members. Furthermore, the user is able to stop publishing

location information and/or leave the group without direct interaction

with other users or services.

NFR-II. Efficient access control

The group is assumed to be highly volatile in its size, i.e. group members

enter and leave on a regular basis, and therefore, spontaneous group

coordination is vital, especially enforcing access-rules efficiently.

NFR-III. Efficient group mobile messaging

Since in the proposed setting a centralized provider dispatching location updates to group members and enforcing access rules is not available, diverse methods for messaging are required. Given the use of mobile devices, messaging and computational overhead are crucial. Therefore, the infrastructure should dispatch messages to the dedicated recipients, which reduces the number of messages on the sender's side.

NFR-IV. Anonymous infrastructure

Given that location data is considered sensitive, such data should not

leak to non-trusted third parties, e.g. to the messaging and coordinating

infrastructure.

7.3 Spontaneous, Privacy-aware Location Sharing

Based on these requirements, a simple prototype of a basic location sharing application has been implemented. The application allows a

user to efficiently share location information with a group of trusted peers using

publicly available network infrastructure in a privacy-preserving manner.

The most basic question when implementing a user-centric location sharing

application is how to realize message publishing efficiently. One possibility is



through peer-to-peer networks. The lack of a dedicated server infrastructure

usually leads to higher communication and coordination costs and clients need

to connect to other clients directly, which often is impossible if both of them are

behind a router performing network address translation. This is a common case

in today’s GPRS or 3G mobile networks.

In order to meet requirements on efficient group mobile messaging (NFR-III)

and anonymous infrastructure (NFR-IV), the network should be publicly accessible,

i.e. any user can use it to publish messages. Secondly, the network should be

publicly observable, meaning any user can observe any published messages, e.g.

without prior registration or similar setup requirements. To support a user-centric

design (NFR-I) and to communicate efficiently, a user needs some way of choosing

intended recipients when sending a message, and a way of choosing a group of

recipients (NFR-II).

7.3.1 Access Control Using Group Cryptography

Firstly, all communication has to remain private, even if messages are delivered

to non-intended recipients. Therefore, an efficient way to distribute encrypted

messages is necessary. Asymmetric cryptography provides secure one-to-one

communication. While public keys may be distributed in a group, each potential

sender uses the public key of each other group member to encrypt its dedicated

message. The sender then has to send each encrypted message separately.

A symmetric group key can be shared among all group members to reduce

the cost of sending a single message. Any communication within the group is

encrypted with this group key. As long as the group size remains stable, only a

single encrypted location information has to be sent. Each group member is able

to decrypt the message with the pre-shared key. Adding users to the group is

rather simple: the group key is sent to the new agent. However, removing agents

has linear cost, since a new key must be sent to every remaining agent in a secure

way (e.g. using asymmetric key cryptography).

In order to reduce the cost of removing agents, a key tree structure was

proposed by Wong, Gouda, and Lam (2000). The shared group key represents a

root of the tree, while the leaf nodes are agent-specific keys. Intermediate nodes

represent keys known by a subgroup of agents.

It is assumed that any agent has a private key with a corresponding public

key and manages a set of trusted peer agents A (i.e. virtual friends). Before an



agent can be added to another agent’s set of trusted communication peers, both

agents have to exchange their public keys through a secure channel first. The

initiating agent also defines a public meeting point $P_A$, where he or she will publish messages for all members in $A$. For every trusted group $A$, the agent maintains a tree $K_A$ where every node $k \in K_A$ in the tree represents a key. The root of the tree is called group key $g_A$. The leaves of the tree representing keys

are only known to the agent and a single member in A. If necessary, intermediate

keys are used to distribute new keys to a subset of group members. Every key

consists of a non-negative integer id, a value, which is the actual key, a parent,

and a set of children. For simplicity, a binary tree is used, so that every node has

at most two children.

Upon initialization, the tree consists of a group key with no leaves and has

depth 1. If agent $b$ is a member of agent $a$'s trusted group $A$, he or she maintains a set $S_A^b$ of keys. The agent does not need to maintain structural information about the keys. He or she adds new keys and replaces existing keys based on the messages he or she has received. For instance, $\langle m \rangle_k \rightarrow A$ indicates that a message $m$ is encrypted by key $k$, which is then sent to agent(s) in $A$. To add a new user,

the user’s key node is inserted into the tree. If the tree is full, a new group key is

generated and the current group key is appended as a child node. The depth of

the tree is increased by one. In order to achieve forward secrecy, all pre-existing

nodes on the path between the new member’s leaf node and the group key need to

be exchanged. If these keys are not exchanged, the new member could reconstruct

old group keys that were encrypted with this key, and thus, might decrypt old

location information.

For instance, the shared secret between the channel owner and the new user is

represented by node 3 (cf. Figure 7.2). Since the current key tree with root 2 is full,

a new channel key 5 is inserted. The previous channel key 2 is hashed into key 2 ′ .

This is realized by sending two messages:

• $\langle \text{hash key } 2,\ \text{new group key } 5 \rangle_2 \rightarrow A$

• $\langle \text{new key } 4,\ \text{new group key } 5 \rangle_3 \rightarrow 3$

An agent a removes a peer b from its trusted group A to prevent b from

observing future communication within group A. To achieve this, all keys agent b

knows are exchanged. These are all keys in agent a's key tree $K_A$ on the path from

agent b’s leaf node to the root node. Furthermore, all children of these keys are



exchanged so that a future compromise of one node does not lead to compromised

communication of the past. Each new key has the same parent and children as

the old key, with the exception of agent b’s leaf node parent. The new keys are

broadcasted to the group, each key being encrypted by both its children in the

key tree.

[Figure 7.2, panels (a) and (b)]

Figure 7.2: Adding a new user (denoted as 3). The boxes (leaves of the tree) symbolize asymmetric keys of individual users. The round intermediate nodes symbolize shared symmetric keys for individual sub-trees of $K_A$. Figure (a) shows the key tree before adding user 3. Figure (b) shows the resulting tree after inserting user 3.

[Figure 7.3, panels (a) and (b)]

Figure 7.3: Example of removing a user from the group of trusted peers (user 1 is leaving). Figure (a) shows the original key tree of the group. Figure (b) shows the resulting tree after user 1 has left.

Whenever keys in A are changed, the new keys must be sent to the desired

recipients. For every child l of a changed key k, key k is encrypted by l and

broadcasted. Thereby, all authorized peers are able to reconstruct the new group



key. In this case, agent 1 should be excluded from the group. Figure 7.3 shows the

key tree before and after agent 1 has left. To establish a new shared group key, the

following messages need to be sent:

• $\langle \text{replace key } 2',\ \text{new key } 6 \rangle_0 \rightarrow 0$

• $\langle \text{replace key } 5,\ \text{new group key } 7 \rangle_6 \rightarrow A$

• $\langle \text{replace key } 5,\ \text{new group key } 7 \rangle_{4'} \rightarrow A$
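The add and remove procedures of this section, as an added Python example that is not part of the thesis or its prototype: an owner-side binary key tree with simulated peers. Key messages are modelled as dictionaries tagged with the id of the key they would be encrypted under (no cipher is applied, the focus is the key management), peers keep only a flat key set as the text describes, hashing a key stands in for the "hash key" instruction, and the removal step re-keys the leaver's path to the root only (the text additionally exchanges the children of those keys, which this example omits). All peer names, ids and key values are constructed.

```python
import hashlib
import itertools
import os
from collections import deque

class KeyNode:
    def __init__(self, node_id, key, is_leaf=False):
        self.id, self.key, self.is_leaf = node_id, key, is_leaf
        self.parent, self.children = None, []

class KeyTree:
    """Owner's tree K_A: root = group key g_A, leaves = per-peer keys, at most two children per node."""

    def __init__(self):
        self._ids = itertools.count()
        self.root = KeyNode(next(self._ids), os.urandom(16))

    def _open_node(self):  # breadth-first: first intermediate node with a free slot, None if the tree is full
        queue = deque([self.root])
        while queue:
            node = queue.popleft()
            if not node.is_leaf and len(node.children) < 2:
                return node
            queue.extend(node.children)

    @staticmethod
    def _path_to_root(node):
        return [] if node is None else [node] + KeyTree._path_to_root(node.parent)

    def _rekey(self, nodes, fresh):  # hashed on join (holders can follow), random on leave; returns (old_id, node)
        out = []
        for node in nodes:
            out.append((node.id, node))
            node.id = next(self._ids)
            node.key = os.urandom(16) if fresh else hashlib.sha256(b"rekey:" + node.key).digest()[:16]
        return out

    def add_member(self, leaf_key):  # returns the new leaf and the key messages to publish on P_A
        leaf = KeyNode(next(self._ids), leaf_key, is_leaf=True)
        parent, new_root = self._open_node(), None
        if parent is None:  # tree full: new group key on top, old root and a fresh intermediate node below it
            new_root, parent = KeyNode(next(self._ids), os.urandom(16)), KeyNode(next(self._ids), os.urandom(16))
            old_root, self.root = self.root, new_root
            for child in (old_root, parent):
                child.parent = new_root
                new_root.children.append(child)
            to_rekey = [old_root]  # the old group key 2 becomes 2'
        else:
            to_rekey = self._path_to_root(parent)  # every pre-existing key on the newcomer's path
        parent.children.append(leaf)
        leaf.parent = parent
        msgs = []  # forward secrecy: the newcomer only ever receives post-rekey keys
        for old_id, node in self._rekey(to_rekey, fresh=False):  # <hash key 2, new group key 5>_2 -> A
            updates = [(old_id, node.id, node.key)]
            if new_root is not None:
                updates.append((None, new_root.id, new_root.key))
            msgs.append({"under": old_id, "updates": updates, "group": self.root.id})
        msgs.append({"under": leaf.id, "group": self.root.id,  # <new key 4, new group key 5>_3 -> 3
                     "updates": [(None, n.id, n.key) for n in self._path_to_root(parent)]})
        return leaf, msgs

    def remove_member(self, leaf):  # re-keys everything the leaver knew: its path to the root
        node = leaf.parent
        node.children.remove(leaf)
        while node is not self.root and not node.children:  # prune nodes nobody could receive any more
            node.parent.children.remove(node)
            node = node.parent
        msgs = []
        for old_id, n in self._rekey(self._path_to_root(node), fresh=True):  # bottom-up order
            for child in n.children:  # new key encrypted under each of its children, as the text describes
                msgs.append({"under": child.id, "updates": [(old_id, n.id, n.key)], "group": self.root.id})
        return msgs

def simulate():  # replays the chapter's example: peers 0 and 1 join, 3 joins into a full tree, then 1 leaves
    tree, peers, log = KeyTree(), {}, []

    def publish(msgs):  # everyone watching the channel sees every message; peers apply what they can decrypt
        log.extend(msgs)
        for p in peers.values():
            for msg in msgs:
                if msg["under"] in p["keys"]:
                    for old_id, new_id, key in msg["updates"]:
                        p["keys"].pop(old_id, None)
                        p["keys"][new_id] = key
                    p["group"] = msg["group"]

    def join(name):
        leaf, msgs = tree.add_member(os.urandom(16))
        peers[name] = {"leaf": leaf, "keys": {leaf.id: leaf.key}, "group": None}
        publish(msgs)

    def current(name):
        return peers[name]["keys"].get(peers[name]["group"])

    for name in ("peer0", "peer1"): join(name)
    old_group_key = tree.root.key
    join("peer3")
    joined = len(log)
    publish(tree.remove_member(peers["peer1"]["leaf"]))
    return {"messages_join": joined, "messages_leave": len(log) - joined,
            "newcomer_forward_secret": old_group_key not in peers["peer3"]["keys"].values(),
            "remaining_agree": all(current(n) == tree.root.key for n in ("peer0", "peer3")),
            "leaver_excluded": current("peer1") != tree.root.key}
```

simulate() produces exactly the message pattern listed in the text: two messages when peer 3 joins the full tree, and three messages when peer 1 leaves (one under the sibling's leaf key, then the new group key under each child of the root). The leaver still holds the old keys, but none of them decrypts any later message.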

7.3.2 Implementation Example: IRC

For a prototype implementation, well-established network protocols and group

communication infrastructure have been evaluated. The main criteria were the

broad availability of publicly usable infrastructure (NFR-II), spontaneous usage

(e.g. no requirement for registration) and efficient implementation. Also the

underlying network should be fault tolerant such that it is able to deal with

temporary loss of a client’s network connection gracefully (NFR-III).

A suitable candidate is the Internet Relay Chat (IRC) (Oikarinen & Reed,

1993), which is a well established and understood protocol. It scales well with

the number of users, has a low message overhead and is designed to work well

in low bandwidth networks. Most importantly, the IRC protocol enables an agent to broadcast a message by transmitting it only once; the network then delivers it to all listeners. Furthermore, by being a network of interconnected servers, IRC networks are resilient against individual server failures. If one server fails, the same channel is still accessible on the other servers of the network. Also the vast number of publicly accessible IRC servers is an important argument for choosing IRC as the underlying network protocol.

As the chosen network has no dedicated method for transmitting binary data,

encrypted messages have to be encoded as base64-strings. In order to deal with

the limited line length of IRC servers, messages are split after a certain length,

depending on the IRC server’s configuration. Therefore, we wrap the encoded

string message into a simple envelope consisting of printable characters not

contained in base64-encoding.

'[' + base64( ) + ']'

The message header contains a cryptographic signature as well as the necessary

information in order to decrypt the payload. For the prototype, only two cryptographic algorithms are supported: Salsa20 (Bernstein, 2005) as a symmetric cipher

and RSA (Kaliski & Staddon, 1998) for asymmetric cryptography. The prototype

supports the following message types:

• key_message: notifies a listening agent to update its set of keys for this

channel. It consists of the key’s ID to be replaced, the ID of the new key and

the new symmetric key.

• groupkey_message: notifies a listening agent to promote the key with the

contained ID as the new group key.

• content: describes the generic content message. It contains a content type,

followed by the actual content (e.g. GPS position).

When joining the IRC network, the user must choose a pseudonym. In the

prototype, a pseudonym is automatically generated using the user’s public key.

The user establishes a broadcast channel $P_A$ in which he or she can broadcast his or her location information. Group members join $P_A$ to be able to receive these

broadcasts. For simplicity, the first 15 bytes of a hexadecimal representation of the

SHA-1 hash of his or her public key are used as an auto-generated pseudonym.

The ASCII character a is prepended, as the pseudonym cannot start with a number.

The user also joins the newly created broadcast channel. For simplicity, we chose

the initiating user’s nickname, prepended by the ASCII # character as the name

of the newly founded broadcast channel.
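The transport framing described above, as an added Python example that is not the thesis prototype: pseudonym and channel derivation from the public key, the '[' base64 ']' envelope, splitting into IRC-sized lines and reassembly on the listener side. The line limit of 400 characters is an assumed value, as is the choice to drop a malformed envelope rather than abort; the payload is treated as an opaque, already encrypted and signed blob, so the Salsa20/RSA header of the prototype is out of scope here, and all sample inputs are constructed.

```python
import base64
import hashlib

LINE_LIMIT = 400  # assumed per-line payload limit; real IRC servers differ and the value is configurable


def pseudonym(public_key: bytes) -> str:
    """'a' followed by the first 15 hex characters of SHA-1(public key), as the chapter describes."""
    return "a" + hashlib.sha1(public_key).hexdigest()[:15]


def broadcast_channel(public_key: bytes) -> str:
    """The owner's broadcast channel P_A: the pseudonym prefixed with '#'."""
    return "#" + pseudonym(public_key)


def envelope(blob: bytes) -> str:
    """Wrap an (already encrypted and signed) blob in '[' ... ']'; neither character occurs in base64."""
    return "[" + base64.b64encode(blob).decode("ascii") + "]"


def to_lines(blob: bytes, limit: int = LINE_LIMIT) -> list:
    """Split the envelope into IRC-sized lines, sent in order on the channel."""
    text = envelope(blob)
    return [text[i:i + limit] for i in range(0, len(text), limit)]


class Reassembler:
    """Listener side: buffers fragments per sender nick and returns each complete blob."""

    def __init__(self):
        self.partial = {}  # nick -> text received so far without a closing ']'

    def feed(self, nick: str, line: str) -> list:
        buf = self.partial.get(nick, "") + line
        blobs = []
        while True:
            start = buf.find("[")
            if start < 0:  # plain chat text, no envelope started
                buf = ""
                break
            end = buf.find("]", start)
            if end < 0:  # envelope not complete yet: keep the fragment for this nick
                buf = buf[start:]
                break
            body, buf = buf[start + 1:end], buf[end + 1:]
            try:
                blobs.append(base64.b64decode(body, validate=True))
            except ValueError:  # damaged envelope (binascii.Error is a ValueError): drop it, keep listening
                pass
        self.partial[nick] = buf
        return blobs


def roundtrip(blob: bytes, noise=("hello from a human", "another [unfinished envelope")) -> list:
    """Publish one blob as lines from the owner's pseudonym, interleaved with unrelated chat from another nick."""
    listener = Reassembler()
    got = []
    for line in to_lines(blob):
        got += listener.feed("a0123456789abcde", line)  # constructed owner pseudonym
    for line in noise:
        got += listener.feed("someone_else", line)
    return got
```

One practical caveat: RFC 1459 limits nicknames to nine characters, so the 16-character pseudonym needs a server that permits longer nicks (servers advertise their limit as NICKLEN in the ISUPPORT reply sent after registration), and a shorter prefix of the hash would otherwise have to be used.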

IRC servers typically have no means to broadcast messages to offline users. To

reliably send messages containing keys to all group members, a specific URL is

used as the IRC channel topic. The channel topic remains stable and available as

long as the channel is in use (i.e. as long as at least a single user remains associated

with the channel). For this purpose, services such as Pastebin 4 are quite useful:

any user can leave an arbitrary text message, which is then accessible through

a unique URL. These services are publicly accessible and publicly observable.

Furthermore, each new set of key messages contains an unencrypted reference to

its preceding message. This way, the user can read all such messages even after

an arbitrary period of time and is able to reconstruct the group’s key tree. If a

user (re-)joins its peers’ broadcast channels that he or she is a member of, the user

checks the channel topic for key-message updates and retrieves them if necessary.

4 Pastebin, http://pastebin.com, (12/1/2012)


Due to the decentralized setting, the privacy gain comes with messaging and coordination overhead. For this prototype, the overhead consists of the number of encryptions required and the number of messages needed to distribute a single datum to a listener group. Before the user can broadcast to the group of $n$ peers, he or she must first build the key tree and distribute the keys. This costs about $n \log n$ messages and encryptions. In order to send $m$ messages to a group of $n$ peers, the total cost of building the group and sending the messages, thus, is $(n \log n + m)(c_E + c_M)$ (Wong et al., 2000; Balenson, McGrew, & Sherman, 1998) if encrypting and signing a message costs $c_E$ and sending a single message costs $c_M$.

7.4 Summary

Motivated by privacy concerns, a simple, single-purpose application has been

implemented. Its design showed that there is no need for a dedicated service

provider. In order to support SNS-like location sharing between socially connected

peers, anonymous infrastructure is used to protect the user's privacy. By using publicly observable and open communication infrastructure, the user is required to protect the messages sent, and thus, may intuitively make use of cryptography.

Furthermore, the user is able to switch communication infrastructure and channels

if necessary. No registration or similar setup procedures are required, neither for

the initiator nor for its listeners. Due to the chosen construction, the users remain

highly agile since they have not committed to a single service provider.

The prototypical example demonstrates that a privacy aware, user-centric

location sharing service can be implemented based on existing infrastructure

and with reasonable programming effort. If this or a similar implementation is

integrated into a more comprehensive mobile platform (e.g. the platform proposed

in Chap. 6), the entry hurdle for an individual to set up a decentralized

location publishing platform is quite low. Using a special purpose application in combination with flexible communication channels is less efficient and does not scale as well as specialized and dedicated mobile services (and apps). For certain

setups, however, and with (location) privacy in mind, one can conclude that using

generic, general purpose infrastructure in combination with a single purpose

application is the better choice, despite higher communication and coordination

costs. If one wants to share private information, control over all aspects of location

disclosure is indispensable.



CHAPTER 8

Location Sharing with Socially Connected Peers

When sharing location information with trusted, i.e. socially connected peers,

the information content of a location datum may have a different impact on

the user’s location privacy compared to less known and less trusted service

providers. In contrast to the knowledge about the user’s regular behavior, and

thus, some of his or her personal preferences, which an observer could extract

from frequently visited places, an individual disclosing location information

to socially connected peers has to evaluate the sensitivity of his or her location

disclosures. Depending on time and date, the characteristics of the enclosed

area and most importantly the actual observing peer, the information contained,

and therefore, the sensitivity of an observation context differs. Furthermore,

the analysis of mobile communication scenarios revealed that usually several

different observers are involved, and thus, a comprehensive and generic privacy

policy seems inadequate. This chapter therefore discusses an alternative approach, its implementation and its evaluation: a user-centric location privacy measure based on the sensitivity of location observations.

8.1 Identification of Possible Places

In order to estimate an observer's expected knowledge gain, in a first step all possible places within $err(o_t)$ have to be identified. The set of possible places $PL(o_t)$ reflects the baseline knowledge of a generic observer of public and semantically neutral map data. Any location physically accessible within $err(o_t)$ is considered as a possible location of the observed user. Furthermore, we assume that $numLoc(o_t) \geq 1$ since, if an observation is made, there has to be at least a single possible position of the user. Technical glitches leading to unusual observations are neglected in this context.

[Figure 8.1, panels (a) and (b)]

Figure 8.1: Distribution and number of possible locations using OSM map-data (Hailperin, 2011). (a) Possible places based on postal addresses. (b) Possible places based on road segment s-diversity segmentation.

The determination of possible places is based on the evaluation of map data, more specifically, by identifying semantic map features representing possible user-whereabouts. One obvious map feature is postal addresses, which results in a simple calculation of possible places by assuming that each distinct address corresponds to a single possible place. Fig. 8.1(a) exemplarily illustrates possible places based on postal addresses, marked as red Xs, and the spatial distribution of these places. While this method seems to be a reasonable and effective way to determine possible places, the resulting number and distribution of places does not always yield usable and realistic results. For instance, this approach might work well in a residential area; however, outside city limits with little or no construction, such a method underestimates the number of potential user-whereabouts.

Another potential map feature are streets and ways. Since all locations should

be accessible, streets and ways are a good heuristic for potential user-whereabouts.

Although every potential location on a street could be considered as a possible

location, the number of possible locations would be huge and overestimating the

landscape characteristics. Therefore, not every location is interesting since one

can assume that an observer does not gain any additional knowledge knowing

an individual is 5 m further up or down the street. Since the problem is closely

related to the problem of plausible deniability, the concept of road segments, in



particular road segment s-diversity (Wang & Liu, 2009), can be used to estimate the number of possible places. Fig. 8.1(b) illustrates the number and distribution of possible places based on road segments. Similarly to the street address approach, road segments result in different distributions and densities of places depending on the covered area. Unlike addresses, however, the highest density of possible places is in a different area of the map (cf. Fig. 8.1(b)). Further, using road segments yields a lower number of possible places since segments of densely populated and densely built streets are counted only once. However, by this approach, special way types, for instance ways in parks, outside city limits, hiking trails etc., are taken into account to represent possible user-whereabouts.

To improve the estimation of possible places $PL(o_t)$, both approaches could be combined by clustering all places within $\delta_{min}$ to a single possible place.
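Identifying $PL(o_t)$ from map features as sketched in this section, as an added Python example that is not taken from the thesis: a haversine distance, a filter to the features within $err(o_t)$, and the greedy $\delta_{min}$ clustering that merges address-based and segment-based places into one possible place each. The observation centre, the feature coordinates and the values of 300 m for $err(o_t)$ and 10 m for $\delta_{min}$ are constructed; the fallback to one place when no feature is in reach mirrors the text's assumption $numLoc(o_t) \geq 1$.

```python
import math

EARTH_RADIUS_M = 6371000.0

# Constructed map features: (lat, lon, source), with source "address" or "segment".
OBSERVATION = (48.0000, 7.8500)  # constructed observation centre
FEATURES = [
    (48.00000, 7.85000, "address"),  # three house numbers of one building block, a few metres apart
    (48.00003, 7.85000, "address"),
    (48.00000, 7.85005, "address"),
    (48.00200, 7.85000, "segment"),  # a road segment about 220 m north
    (48.00500, 7.85000, "segment"),  # a segment about 560 m north, outside err(o_t) = 300 m
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def possible_places(center, err_m, features, delta_min_m):
    """PL(o_t): features within err(o_t), merged whenever one lies within delta_min of a cluster centroid.

    Returns one dict per possible place: centroid, number of merged features and their sources.
    """
    in_reach = [f for f in features if haversine_m(center, (f[0], f[1])) <= err_m]
    clusters = []
    for lat, lon, source in in_reach:  # greedy single pass: attach to the first close cluster, else open one
        for c in clusters:
            if haversine_m(c["centroid"], (lat, lon)) <= delta_min_m:
                n = c["count"]
                c["centroid"] = ((c["centroid"][0] * n + lat) / (n + 1), (c["centroid"][1] * n + lon) / (n + 1))
                c["count"] = n + 1
                c["sources"].add(source)
                break
        else:
            clusters.append({"centroid": (lat, lon), "count": 1, "sources": {source}})
    return clusters


def num_loc(center, err_m, features, delta_min_m):
    """numLoc(o_t) = |PL(o_t)|; at least 1, because an observation implies one position (assumed fallback)."""
    return max(1, len(possible_places(center, err_m, features, delta_min_m)))
```

With the constructed input, the three addresses collapse into one possible place and the near road segment stays a second one, so the address-only count of three shrinks to two; lowering $\delta_{min}$ to 1 m keeps all four features apart.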

8.2 Identification of Plausible Locations

Taking only the number of possible locations into account is not sufficient for the

communication scenario under research. The number, distribution, and especially

the nature of the identified possible locations matter as well. For instance, if a person is in an area with a high density of diverse location types, an observer's uncertainty regarding the user's motivation for visiting the observed area is high.

However, an observer is able to utilize public knowledge and its private background

knowledge, possibly obtained through different communication channels,

and is therefore able to reduce or refine the number of potential user-whereabouts.

To model a specific observer’s potential information gain, the set of possible places

has to be reduced both due to a specific time/date constellation, e.g. office-hours,

night-life, etc., but also due to the expected background knowledge of the observer,

e.g. preferences and regular behavior of the user. Hence, plausible locations could either be described as "accessible" POIs, i.e. places known to be accessible at observation time, or as certain types of places expected by the user to be plausible for a certain observer w.r.t. a certain context (time/date/user-activity).

Plausible locations can be described and identified based on semantic attributes, for instance, OpenStreetMap (OSM) map-data. The OSM data provides semantic information as nodes linking descriptive tags to a geographic reference. Such POIs are used to describe specific entities 1, like university buildings, hospitals, ATMs and pubs. Based on these semantic attributes, Muthers (2009) showed that statistical classification of spatial areas based on semantic map attributes is possible (cf. Fig. 8.2). Thus, OSM map-data is a valuable option, in particular for user-centric location privacy reasoning, due to the semantically enriched map-data, but also due to the complete and unrestricted availability of raw data, e.g. as a parsable XML file on a user's device.

1 http://wiki.openstreetmap.org/wiki/Map_Features

[Figure 8.2]

Figure 8.2: Statistical classification of map tiles w.r.t. land use (Muthers, 2009).

With regards to location privacy, Fig. 8.3 shows a sample trace of about 19 minutes traveling 8.24 km through the city. 2 The trace started in a business/industrial area, went through a residential area (around 150 sec. – 250 sec. and from 500 sec.) before entering the city center (around 750 sec. – 1000 sec.). While the number of reachable possible locations remains roughly at the same level, the number of semantically tagged locations (denoted as points of interest (POI)) in the city center increases significantly. As expected, in the city center, the user's location privacy should improve with the diversity of places found in reach. Furthermore, with a larger number and diverse types of people nearby, a user's (subjective) privacy feeling increases (Toch et al., 2010). As a further example of the same trace, the expected person density has been estimated. For each OSM landuse-tag attribute, a non-empirical estimation of expected person density was made (Greschbach, 2010). For instance, residential areas were assigned a high value for every time of day; for commercial and industrial areas a high value seems justified during business hours, but otherwise a low value seems appropriate. Based on these assumptions, Fig. 8.4 visualizes the expected person density. During the day, there is little variation, basically due to the fact that the trace never left city boundaries. However, at night, there is a noticeable drop while crossing a business/industrial area (0 – 150 sec. and 250 sec. – 350 sec.).

2 The data collection and visualization was conducted by Benjamin Greschbach as part of his Diploma thesis (Greschbach, 2010).

[Figure 8.3]

Figure 8.3: A user trace of 1160 seconds, traveling 8.24 km, showing the number of possible locations and reachable plausible locations (POIs) within one minute (Greschbach, 2010).

[Figure 8.4]

Figure 8.4: Day-time dependent expected person density for a user trace of 1160 seconds, traveling 8.24 km. Calculation based on area classification based on OpenStreetMap data (Greschbach, 2010).

The aforementioned datasets suggest that a sensitivity measurement of location observations can be built on OSM semantic attributes. These attributes

are suitable for modeling sensitivity either based on time and date or based on

the attributes’ type and distribution, which allow for modeling an observer’s

background knowledge and expectations. The remaining challenge is then to

formalize a user’s location privacy in relation to trusted peers and based on

available (semantic) map information to be able to measure the sensitivity of a

location observation. Hence, as a first step to define a user-centric privacy policy

in relation to known and trusted communication peers, a description of the user’s

plausible (alternative explainable) whereabouts in the context of observer â is

required.



8.3 Measuring Location Sensitivity

A sensitivity model reflects the information gain of an observer knowing the user’s

current (approximative) location and the time- and date-dependent characteristics

of the surrounding landscape. In a second step, an observer is able to draw

conclusions about the user’s current activity based on the user’s most likely

whereabouts and additional background knowledge accumulated so far.

We assume the probability distribution of all possible places to be static in the short run, i.e. $C(o_t)$ depends on the map characteristics and in particular on the error distribution of $err(o_t)$. In contrast, the probability distribution of plausible places depends on observation time/date and expected sensitive attributes, which make user-whereabouts plausible or implausible with regards to a specific observer $\hat{a}$ at time $t$. Therefore, $Q(\hat{a}, t)$ describes a user's privacy profile w.r.t. observer $\hat{a}$ and time $t$ by assigning a positive probability to each semantic attribute considered plausible in that context. In a second step, for all semantic attributes with a positive probability, all places $c \in PL(o_t)$ are examined and the probability distribution $C_{Q(\hat{a},t)}(o_t)$ is constructed over the user's plausible whereabouts: by using Definition 6, with $PL_{Q(\hat{a},t)}(o_t) := \{c \in PL(o_t) \mid Prob(c = c_{user} \mid Q(\hat{a}, t)) > 0\}$, we select all places $c$ with at least one attribute rendering $c$ a plausible place. For simplicity, we assume that $C_{Q(\hat{a},t)}(o_t)$ forms a uniform distribution over all selected plausible places, i.e. no distinction is made either on the type of plausible attributes or on the number of matching attributes for a single place $c$. Both options can be used for further refinement and to fine-control a user's privacy policy.

The difference between the probability distribution of possible places ($C(o_t)$) and the resulting probability distribution of plausible places ($C_{Q(\hat{a},t)}(o_t)$) is then calculated. JS-divergence (Burbea & Rao, 1982) has been chosen instead of KL-divergence to cope with places with zero probability in $C$ and $C_{Q(\hat{a},t)}$ (Li & Li, 2009), with

$S_{\hat{a}}(o_t) = JS(C(o_t), C_{Q(\hat{a},t)}(o_t)) = H\left(\tfrac{1}{2} C(o_t) + \tfrac{1}{2} C_{Q(\hat{a},t)}(o_t)\right) - \left(\tfrac{1}{2} H(C(o_t)) + \tfrac{1}{2} H(C_{Q(\hat{a},t)}(o_t))\right).$

One could argue that taking into account the number and distribution of plausible places should be sufficient, i.e. $H(C_{Q(\hat{a},t)}(o_t))$ analogous to $H^{location}_{\hat{a}}(o_t)$, which models observation accuracy as part of an observer's knowledge model. In relation to trusted peers, however, the impact of the observation error ($err(o_t)$) may be different. With a growing observation error, the number of possible places increases as well. This may lead to negative consequences. First, the quality of service is affected, and thus the size of $err(o_t)$ may be restricted for certain applications, e.g. due to a limit on parallel requests; this, however, is the typical trade-off between utility and privacy. Second, and more importantly, deliberately increasing $err(o_t)$ when communicating with social peers may be taken as a sign of mistrust, leading in some cases to uncomfortable questions and thus resulting in the very opposite of a privacy enhancement. Hence, the location sensitivity measures the relative expected knowledge gain of a specific observer $\hat{a}$.

8.4 Evaluation

To evaluate the effect of an increasing spatial observation error, i.e. inaccuracy due to employing a location obfuscation technique, three different area types were chosen. The first is a typical city center of a medium-sized town with a large number of diverse semantic map attributes, e.g. various types of shops and a number of different public buildings such as a university, schools and tourist attractions like museums or ancient churches. The second area covers a mixed commercial and business district, including industrial manufacturing sites, i.e. typical workplaces, but also large shopping malls. Finally, a smaller village nearby was chosen, representing mostly a residential area with few commercial or public buildings.

To model $Q(\hat{a},t)$, four different scenarios were defined, modeling different circumstances at different times:

• the first scenario describes places associated with a user's professional life, e.g. offices, shops, businesses and public buildings;

• the second scenario reflects a user's leisure time and includes places such as restaurants, bars, sports centers, etc.;

• the Saturday scenario reflects typical weekend activities, e.g. cultural activities, tourist attractions and restaurants, but also practical activities like the weekly shopping;

• the Sunday scenario is similar to the Saturday scenario but without commercial activities.


ε (m)   day   night   sat   sun
   50     8       1     8     2
  100    11       3    13     4
  200    31      11    47    22
  300    60      30    99    58

(a) City

ε (m)   day   night   sat   sun
   50     1       1     1     1
  100     2       1     2     1
  200     6       1     5     1
  300     7       1     6     1

(b) Industrial Area

ε (m)   day   night   sat   sun
   50     1       1     1     1
  100     1       1     1     1
  200     3       1     3     1
  300     7       2     8     3

(c) Village

Figure 8.5: Number of plausible places found for the chosen scenarios.⁴

Details on attributes selected for individual scenarios can be found in Appendix A.3.³

Fig. 8.5 shows the number of plausible places found for each of the aforementioned scenarios. Figures 8.6(a) to 8.8(a) compare the development of possible and plausible places in each area with increasing error size. Furthermore, Figures 8.6(b) to 8.8(b) show the number of plausible places found in each area for various cloaking sizes and the resulting sensitivity value using JS-divergence and a uniform probability distribution.

As expected, the city center has the most and the industrial area has the fewest plausible places for each error value and scenario chosen. For all observation errors in both the night and the Sunday scenario, there is only a single plausible place (by definition) in the industrial area, even though the number of possible places increases with growing observation error. These numbers reflect the intuitive privacy feeling of such rather deserted places outside typical business hours. The increasing sensitivity values with growing observation error, however, seem counterintuitive at first sight. The values indicate that there is no privacy gain (i.e. no place to hide). On the contrary, reducing the observation accuracy may render location observations implausible and thus raise suspicion. A similar but less pronounced effect can be observed for the village area. In the city center, in contrast, the sensitivity values drop with a growing spatial error.
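To make the construction of Section 8.3 and the effect just described concrete, the following Python script is an added example; it is neither code from this thesis nor from the "swingout" parser. It implements the steps on a small constructed map: $PL(o_t)$ as the places within the spatial error $\varepsilon$ of the reported position, $PL_{Q(\hat{a},t)}(o_t)$ as the subset having at least one attribute to which the profile $Q(\hat{a},t)$ assigns a positive probability, uniform distributions $C(o_t)$ and $C_{Q(\hat{a},t)}(o_t)$ over both sets (modelling $C(o_t)$ as uniform is a simplification of this example; the thesis ties it to the error distribution of $err(o_t)$), and the JS-divergence sensitivity $S_{\hat{a}}(o_t)$. The place names, distances, attributes and the two profiles are constructed sample data. The remark that a single plausible place exists by definition is read here as "the user's true place is always plausible" and modelled by the possible place nearest to the reported position; that reading is an assumption of the example. Sweeping the error radius reproduces both effects: with a work profile the nearby places stay plausible and the sensitivity is zero, whereas with a profile matching none of the surrounding places the sensitivity grows with the error, i.e. a larger cloaking radius offers no place to hide.

```python
import math

# Constructed sample map (not from the thesis): place -> (distance in m from the
# reported position o_t, semantic attributes in the style of OSM tags).
PLACES = {
    "factory_hall": (20, {"industrial"}),
    "warehouse": (90, {"industrial"}),
    "snack_bar": (180, {"restaurant"}),
    "gym": (260, {"sport"}),
}

# Constructed privacy profiles Q(a,t): attribute -> positive probability that a
# place carrying it is a plausible whereabouts for observer a at time t.
PROFILES = {
    "work": {"industrial": 0.8},      # e.g. a colleague during business hours
    "night": {"residential": 0.9},    # nothing in this area carries the attribute
}


def entropy(dist):
    """Shannon entropy H in bits of a {place: probability} distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def js_divergence(p, q):
    """JS(P, Q) = H(M) - (H(P) + H(Q)) / 2 with M = (P + Q) / 2.

    Unlike KL-divergence it stays finite when a place has probability zero in
    only one of the two distributions, which is the normal case here."""
    keys = set(p) | set(q)
    m = {k: 0.5 * p.get(k, 0.0) + 0.5 * q.get(k, 0.0) for k in keys}
    return entropy(m) - 0.5 * (entropy(p) + entropy(q))


def uniform(names):
    """Uniform distribution over a non-empty list of places."""
    return {n: 1.0 / len(names) for n in names}


def possible_places(places, epsilon):
    """PL(o_t): every place within the spatial error epsilon of the reported position."""
    return [n for n, (dist, _) in places.items() if dist <= epsilon]


def plausible_places(places, epsilon, profile):
    """PL_Q(o_t): possible places with >= 1 attribute of positive probability in Q(a,t).

    Assumption of this example: the user's true place, modelled as the possible
    place nearest to o_t, is always plausible, so the set is never empty."""
    possible = possible_places(places, epsilon)
    if not possible:
        raise ValueError("no place within the observation error")
    plausible = [n for n in possible
                 if any(profile.get(a, 0.0) > 0 for a in places[n][1])]
    nearest = min(possible, key=lambda n: places[n][0])
    if nearest not in plausible:
        plausible.append(nearest)
    return plausible


def sensitivity(places, epsilon, profile):
    """S_a(o_t) = JS(C(o_t), C_Q(o_t)); both distributions are modelled as uniform here."""
    c = uniform(possible_places(places, epsilon))
    c_q = uniform(plausible_places(places, epsilon, profile))
    return js_divergence(c, c_q)


def sweep(places, profile, epsilons):
    """Rows (epsilon, #possible, #plausible, S) for a growing observation error."""
    return [(e, len(possible_places(places, e)),
             len(plausible_places(places, e, profile)),
             sensitivity(places, e, profile)) for e in epsilons]


if __name__ == "__main__":
    for name, profile in PROFILES.items():
        print(f"profile {name}: eps(m) possible plausible S")
        for e, n_pos, n_pl, s in sweep(PLACES, profile, [50, 100, 200, 300]):
            print(f"  {e:4d} {n_pos:8d} {n_pl:9d} {s:.3f}")
```

With four possible and one plausible place the script yields $S \approx 0.549$, with two possible and one plausible $S \approx 0.311$, and $S = 0$ whenever every possible place is plausible or only one place is possible at all; the last case is the $numLoc = 1$ limitation discussed below.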

Some situations, however, are not properly represented using the proposed sensitivity measure. In the case of $numLoc(o_t) = numLoc_{Q(\hat{a},t)}(o_t) = 1$, the sensitivity value is zero by definition, since the observer cannot refine its location observation. This aspect, however, is mostly reflected in the observer's knowledge model, i.e. captured through the general observation accuracy. A further limitation of a user-centric, sensitivity-based approach is the uncertain impact of time on the user's privacy. Neither interpersonal relationships, and thus mutual trust, nor background knowledge about the user are stable over time. Hence, even by carefully assessing the actual sensitivity of a piece of location information, the future impact of the disclosed information remains uncertain. Nevertheless, a careful assessment of semantic map features and observing entities still provides insights into potential privacy issues and may raise user awareness of privacy risks when sharing location information with virtual friends.

³ Part of the aforementioned scenarios and their technical description based on semantic OSM attributes have been developed in cooperation with V. Hailperin as part of his Bachelor's thesis.

⁴ Number and selection of plausible places are based on OSM map data and determined using "swingout", an OSM parser implemented by V. Hailperin as part of his Bachelor's thesis (Hailperin, 2011).

Figure 8.6: City Center. (a) Possible and plausible places with growing spatial error. (b) Sensitivity values with growing spatial error.

Figure 8.7: Village. (a) Possible and plausible places with growing spatial error. (b) Sensitivity values with growing spatial error.

Figure 8.8: Industrial Area. (a) Possible and plausible places with growing spatial error. (b) Sensitivity values with growing spatial error.

8.5 Summary

A closer look at the privacy impact of sharing location data within socially connected communication is required. A user's virtual friends have an unlimited and perfect memory⁵ of all past communication events, paired with background knowledge and possibly various tools to process their location data. Even when communicating with friends, one might require location privacy in various forms. Sometimes the user is able to opt out of location disclosure without any social disadvantages. However, if location disclosure is expected, reducing the accuracy or frequency of location information might be adequate. Still, the privacy improvement – if any – is unclear in most cases.

Since the observer's goals and its knowledge of the user, as well as its capabilities to utilize this knowledge, are unknown, a user-centric privacy model requires a different angle of view. By identifying potential observers and making implicit assumptions on observer knowledge explicit, a first step towards a user-centric privacy policy for communication scenarios with trusted peers has been made. By assessing the potential sensitivity of location information w.r.t. user- and context-specific semantic attributes, the user becomes able to make informed decisions on suitable privacy-enhancing methods before location disclosure.

⁵ For instance, by using a social network as location sharing platform.


CHAPTER 9

Conclusion

The notion of privacy usually changes as new technologies are introduced. In this context, the recent adoption of ubiquitous mobile communication combined with the steady development of IT technology also requires a further refinement of the definition of privacy, particularly location privacy. Location privacy has been the subject of research from the beginning of mobile communication protocols and real-life deployments of mobile communication infrastructure, but most of this research has focused on protecting the user's privacy by making him or her anonymous. More specifically, techniques have been developed supporting users to become invisible "in the crowd."

Recent research, however, shows that anonymous location data publishing is quite difficult to achieve – if at all (de Montjoye, Hidalgo, Verleysen, & Blondel, 2013). Furthermore, analysis of today's mobile communication scenarios with regards to location privacy reveals that an anonymity approach is not always a suitable concept since communication peers often know each other and have already developed a trust relationship. Even though in some situations an individual's identity is not explicitly disclosed, location observation clusters and movement trajectories may have already formed quasi-identifiers, even with short observation periods.

Cloaking and obfuscating location information have been proposed as alternatives to protect or improve an individual's location privacy. Similarly to anonymity, these methods usually employ an attacker (model) trying to identify a single individual out of a set of observed location samples or movement trajectories. Based on these technologies, several system architectures, prototypes and tools have been developed. In practice, however, these systems have had little relevance so far, similar to their anonymity counterparts. This is in part due to the design of mobile platforms and service availability today, but of at least equal importance is that the concept of location privacy and its potential risks seem to be difficult to assess, especially if more than a single observer is involved, as is common in today's real-life communication patterns.

To mitigate privacy risks and especially to protect consumers in scenarios with asymmetric information distribution, society protects individuals by passing laws and regulations against unfair business practices. Borderless mobile communication, however, indicates that regulation and privacy protection through legal means are difficult to achieve. The ability of users and society in general to know the actual value of location data and to be aware of potential consequences is a precondition for regulation. While crafting laws and regulations is out of reach for IT professionals, they are able to develop metrics and tools to guide regulatory approaches. Thus, in order to push for proper and effective regulation, research needs to focus on (user-centric) qualification and quantification of location privacy. While users (subscribers) are already entitled to receive a full copy of their personal data stored by any commercial entity, tools and metrics are required to estimate the data's implications for an individual.

This thesis places the user and his or her various communication partners in the limelight. The user might correctly ask why he or she should trust some external privacy-enhancing technology provider, e.g. an anonymization server, or why he or she should trust nearby agents more than communication peers with pre-existing contractual or social relations. Furthermore, it is desirable to evaluate the potential privacy impact of location data before disclosing it to anyone. This would allow for informed decisions on when, how and to whom location data is disclosed.

In a first step, typical mobile communication patterns have been analyzed and typical observer types have been identified. These led to further analysis with regards to the trust relationship between users and the identified observer types. Four typical scenarios were selected for further investigation, all of them involving at least a single trusted communication relationship. Since the trust relationship between an individual user and his or her communication peers is non-uniform, and thus in general not comparable, each scenario, and consequently each associated observer type, has to be tackled individually.

Furthermore, location privacy beyond various versions of anonymity is difficult to qualify and quantify. This thesis tackles the problem by focusing on the information content of a location observation context. Either it contains new information describing the user's preferences, behavior, social relations etc., and thus might be able to predict a user's next actions, and/or the location observation describes a user's current real-life activity. Location information can be seen as the potential source of individual (observer) and aggregated (society) utility. However, such information is simultaneously the cause of the mobile user's privacy loss. This leads to a user-centric location privacy model, covering the aspects of location information in the context of an observer's previous observations as well as the mutual trust relationship and the respective background knowledge to be expected. The model describes an abstract framework to be applied to dedicated privacy protection goals for different observer types.

The analysis of the communication scenarios and the proposed privacy model has led to a practical approach that enhances the user's location privacy. In the first place, the user must have a better understanding of implicit location disclosures, which are technically required to keep network attachment. Such behavior is a common prerequisite for mobile communication technologies. Thus, the ubiquitous infrastructure that is capable of seamless (hidden) observation forms a unique threat to the user's location privacy. The privacy impact of implicit location disclosures has been analyzed by the example of GSM telephony networks. The analysis showed that different configurations of the network protocols make a significant difference to the user's location privacy. Furthermore, it has been shown that there is still quite some potential in current mobile phone protocols to enhance the user's location privacy without losing either the individual or the societal benefits of ubiquitous mobile communication networks, especially regarding the additional benefits to safety and security. User-controlled mobile devices and protocol implementations make it possible to increase transparency regarding the mobile device's behavior and its interaction with the backing infrastructure. In the long run, a better understanding and increased user sensitivity with respect to privacy issues should lead to a more explicit trade-off between privacy on the one side and potential network costs and quality of service on the other, and thus hopefully spur competition with respect to the subscriber's location privacy.

Quite obviously, regulation and privacy laws are difficult to negotiate and enforce in a borderless and international setting, most probably leading to a painfully lengthy process, especially compared to the speed at which technology is progressing. Therefore, users need to take charge of their own fate and take control over their mobile device, more specifically its location determination and location communication features. Today's mobile platforms and their operators seem to be the most privileged and technically powerful entities in the communication scenarios analyzed in this study. Currently, mobile platform service providers form an oligopoly, not only acting as middlemen between the user and location-based service providers, i.e. controlling access to location information for so-called apps. MSPs are also using their privileged role to create various services based on user data (e.g. live traffic data, WiFi/cell-based location determination) and to generate revenues from advertising on their mobile platform. In order to improve the user's ability to control his or her device, an open mobile platform architecture has been proposed. To increase the user's privacy, but also to foster a more diverse landscape of mobile service offers, a technology- and vendor-independent mobile platform is required. Based on a tourist-guide case study, a modular and platform-independent implementation has been presented, built solely on a set of Open Source libraries. This example demonstrates that a comprehensive mobile platform for specialized domains can be developed with reasonable effort. The same applies to potential businesses providing location-based services. The proposed framework reduces or removes the technical and organizational entry hurdles, and thus opens mobile services to small non-technical entities.

If the user has control over his or her location data, voluntary location disclosure poses new, challenging research questions. If sensitive data is disclosed to a (set of) dedicated communication peer(s), only the intended recipients should receive the data. By using encryption, an exclusive user-to-user communication channel can be established. When exchanging private or sensitive information with groups, especially with the goal of spontaneous coordination, a user-friendly application of encryption in combination with messaging infrastructure and protocols is required. In a prototypical implementation, a group encryption protocol has been applied on publicly accessible and publicly observable infrastructure to enable spontaneous and privacy-sensitive location sharing. By means of the proposed architecture, user control over information recipients has been implemented with a simple, easy-to-implement, single-purpose application.

Finally, a closer look at the privacy impact of sharing location data within socially connected communication is essential. A user's virtual friends have an unlimited and perfect memory of all past communication events, e.g. by using social networks or similar technologies, paired with background knowledge and possibly various tools to data-mine their collected information. Even with friends one might require (location) privacy in various forms. Sometimes the user is able to opt out of location disclosure technologies without any (social) disadvantages. If location disclosure is expected or required, reducing the accuracy or frequency of location information might be adequate, e.g. through spatio-temporal location obfuscation methods. In general, however, the privacy improvement (if any) is unclear. Depending on the observer, time/date and landscape, the user's exposure may vary. Hence, for effective obfuscation, a location sensitivity metric is required to guide the obfuscation process properly. Furthermore, both trust and anticipated background knowledge vary over time, requiring a more thorough assessment of location disclosure technologies.

The effectiveness of the proposed model and the user's increasing awareness of his or her location privacy are closely related and influence each other. By using the proposed model, users are required to model their privacy needs, e.g. by reasoning about important features of their mobility or by modeling sensitive places with respect to an observer's background knowledge. The model's feedback, combined with additional external feedback, allows users to improve their sense of potentially sensitive data as well as to gain knowledge of their observing (either trusted or untrusted) entities. As awareness improves, more accurate models will be developed. In contrast to traditional adversary and privacy models, the user-centric approach actually takes into account the user's needs and is thereby able to influence the user's behavior and privacy in the long run. To achieve that, an open and user-controlled mobile platform is required as well. As discussed in previous chapters, user-centric design and implementation are feasible and able to improve the user's location privacy and/or raise awareness through transparent location disclosure.


CHAPTER 10

References

3rd Generation Partnership Project (3GPP). (2002, 06). TS 45.811 Technical Specification Group GSM/EDGE Radio Access Network; Feasibility Study on Uplink TDOA in GSM and GPRS (Release 6) [Technical standard]. http://www.3gpp.org/FTP/Specs/html-info/45811.htm.

3rd Generation Partnership Project (3GPP). (2009a, 11). TS 43.059 Technical Specification Group GSM/EDGE Radio Access Network; Functional stage 2 description of Location Services (LCS) in GERAN (Release 9) [Technical standard]. http://www.3gpp.org/ftp/Specs/html-info/43059.htm.

3rd Generation Partnership Project (3GPP). (2009b, 11). TS 45.010 Technical Specification Group GSM/EDGE Radio Access Network; Radio subsystem synchronization (Release 9) [Technical standard]. http://www.3gpp.org/ftp/Specs/html-info/45010.htm.

3rd Generation Partnership Project (3GPP). (2010a, 9). TS 24.008 Technical Specification Group Core Network and Terminals; Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 (Release 10) [Technical standard]. http://www.3gpp.org/ftp/Specs/html-info/24008.htm.

3rd Generation Partnership Project (3GPP). (2010b, 9). TS 25.305 Technical Specification Group Radio Access Network; Stage 2 functional specification of User Equipment (UE) positioning in UTRAN (Release 10) [Technical standard]. http://www.3gpp.org/ftp/Specs/html-info/25305.htm.

3rd Generation Partnership Project (3GPP). (2010c, 9). TS 45.008 Technical Specification Group GSM/EDGE Radio Access Network; Radio subsystem link control (Release 9) [Technical standard]. http://www.3gpp.org/ftp/Specs/html-info/45008.htm.


Abowd, G. D., Atkeson, C. G., Hong, J., Long, S., Kooper, R., & Pinkerton, M. (1997). Cyberguide: a mobile context-aware tour guide. Wirel. Netw., 3(5), 421–433.

Acquisti, A., & Gross, R. (2006). Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook. In Privacy enhancing technologies (Vol. 4258, pp. 36–58). Springer Berlin / Heidelberg.

Andrienko, G., Gkoulalas-Divanis, A., Gruteser, M., Kopp, C., Liebig, T., & Rechert, K. (2013). Report from Dagstuhl: The Liberation of Mobile Location Data and its Implications for Privacy Research. ACM Mobile Computing and Communications Review. (Invited article. Authors in alphabetical order. To appear.)

Anisetti, M., Ardagna, C., Bellandi, V., Damiani, E., & Reale, S. (2011). Map-Based Location and Tracking in Multipath Outdoor Mobile Networks. Wireless Communications, IEEE Transactions on, 10(3), 814–824.

Ardagna, C., Cremonini, M., De Capitani di Vimercati, S., & Samarati, P. (2011). An Obfuscation-Based Approach for Protecting Location Privacy. Dependable and Secure Computing, IEEE Transactions on, 8(1), 13–27.

Ardagna, C., Cremonini, M., & Gianini, G. (2009). Landscape-aware location-privacy protection in location-based services. Journal of Systems Architecture, 55(4), 243–254.

Arthur, C. (2011). iPhone keeps record of everywhere you go. The Guardian. (http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears)

Ashbrook, D., & Starner, T. (2003). Using GPS to learn significant locations and predict movement across multiple users. Personal Ubiquitous Comput., 7, 275–286.

Ashley, P., Hada, S., Karjoth, G., Powers, C., & Schunter, M. (2003). Enterprise Privacy Authorization Language (EPAL 1.2). W3C Member Submission 10 November 2003, http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/ (11/17/2011).

Bagüés, S. A., Zeidler, A., Valdivielso, C. F., & Matias, I. R. (2007). Disappearing for a while - using white lies in pervasive computing. In Proceedings of the 2007 ACM workshop on Privacy in electronic society (pp. 80–83). New York, NY, USA: ACM.


Balenson, D., McGrew, D., & Sherman, A. (1998). Key management for large dynamic groups: One-way function trees and amortized initialization. Advanced Security Research Journal, 28.

Bayir, M., Demirbas, M., & Eagle, N. (2009). Discovering spatiotemporal mobility profiles of cellphone users. In World of Wireless, Mobile and Multimedia Networks & Workshops, 2009. WoWMoM 2009. IEEE International Symposium on a (pp. 1–9).

Bengtsson, L., Lu, X., Thorson, A., Garfield, R., & von Schreeb, J. (2011, 08). Improved Response to Disasters and Outbreaks by Tracking Population Movements with Mobile Phone Network Data: A Post-Earthquake Geospatial Study in Haiti. PLoS Med, 8(8), e1001083.

Benisch, M., Kelley, P., Sadeh, N., & Cranor, L. (2010). Capturing location-privacy preferences: quantifying accuracy and user-burden tradeoffs. Personal and Ubiquitous Computing, 1–16.

Beresford, A. R., & Stajano, F. (2003). Location Privacy in Pervasive Computing. IEEE Pervasive Computing, 2(1), 46–55.

Bernstein, D. (2005). Salsa20. eSTREAM–ECRYPT Stream Cipher Project, Report, 25.

Bettini, C., Wang, X. S., & Jajodia, S. (2005). Protecting privacy against location-based personal identification. In W. Jonker & M. Petkovic (Eds.), Secure Data Management (pp. 185–199). Springer Berlin / Heidelberg.

Bilton, N. (2011). 3G Apple iOS Devices Are Storing Users' Location Data. The New York Times, Published: April 20, 2011.

Brickell, J., & Shmatikov, V. (2008). The cost of privacy: destruction of data-mining utility in anonymized data publishing. In Proceedings of the 14th ACM SIGKDD international conference on Knowledge discovery and data mining (pp. 70–78). New York, NY, USA: ACM.

Brown, B., & Chalmers, M. (2003). Tourism and mobile technology. In Proceedings of the eighth conference on European Conference on Computer Supported Cooperative Work (pp. 335–354). Norwell, MA, USA: Kluwer Academic Publishers.

Burbea, J., & Rao, C. (1982). Entropy differential metric, distance and divergence measures in probability spaces: A unified approach. Journal of Multivariate Analysis, 12(4), 575–596.


Chen, L., Loschonsky, M., & Reindl, L. M. (2010). Characterization of delay spread for mobile radio communications under collapsed buildings. In IEEE 21st International Symposium on Personal Indoor and Mobile Radio Communications (PIMRC) (pp. 329–334).

Chen, M., Sohn, T., Chmelev, D., Haehnel, D., Hightower, J., Hughes, J., . . . Varshavsky, A. (2006). Practical Metropolitan-Scale Positioning for GSM Phones. In P. Dourish & A. Friday (Eds.), UbiComp 2006: Ubiquitous Computing (Vol. 4206, pp. 225–242). Springer Berlin / Heidelberg.

Cheverst, K., Davies, N., Mitchell, K., Friday, A., & Efstratiou, C. (2000). Developing a context-aware electronic tourist guide: some issues and experiences. In CHI '00: Proceedings of the SIGCHI conference on Human factors in computing systems (pp. 17–24). New York, NY, USA: ACM.

Chow, R., & Golle, P. (2009). Faking contextual data for fun, profit, and privacy. In Proceedings of the 8th ACM workshop on Privacy in the electronic society (pp. 105–108). New York, NY, USA: ACM.

Ciavarella, C., & Paternò, F. (2004). The design of a handheld, location-aware guide for indoor environments. Personal Ubiquitous Comput., 8(2), 82–91.

Clauß, S. (2006). A Framework for Quantification of Linkability Within a Privacy-Enhancing Identity Management System. In G. Müller (Ed.), Emerging Trends in Information and Communication Security (Vol. 3995, pp. 191–205). Springer Berlin / Heidelberg.

Coi, J. L. D., & Olmedilla, D. (2008). A Review of Trust Management, Security and Privacy Policy Languages. In E. Fernández-Medina, M. Malek, & J. Hernando (Eds.), Secrypt (pp. 483–490). INSTICC Press.

Consolvo, S., Smith, I. E., Matthews, T., LaMarca, A., Tabert, J., & Powledge, P. (2005). Location disclosure to social relations: why, when, & what people want to share. In CHI '05: Proceedings of the SIGCHI conference on Human factors in computing systems (pp. 81–90). New York, NY, USA: ACM.

Cox, L. P., Dalton, A., & Marupadi, V. (2007). SmokeScreen: flexible privacy controls for presence-sharing. In MobiSys '07: Proceedings of the 5th international conference on Mobile systems, applications and services (pp. 233–245). New York, NY, USA: ACM.

Cranor, L., Langheinrich, M., & Marchiori, M. (2002). A P3P Preference Exchange Language 1.0 (APPEL 1.0). W3C Working Draft 15 April 2002, Online: http://www.w3.org/TR/P3P-preferences/ (11/17/2011).


Cranshaw, J., Toch, E., Hong, J., Kittur, A., & Sadeh, N. (2010). Bridging the gap between physical location and online social networks. In Ubicomp '10: Proceedings of the 12th ACM international conference on Ubiquitous computing (pp. 119–128). New York, NY, USA: ACM.

Cuellar, J., Morris, J., Mulligan, D., Peterson, J., & Polk, J. (2004). IETF RFC 3693 Geopriv Requirements. Online: http://www.ietf.org/rfc/rfc3693.txt (11/17/2011).

Damiani, M. L., Bertino, E., & Silvestri, C. (2009). Protecting location privacy against spatial inferences: the PROBE approach. In Proceedings of the 2nd SIGSPATIAL ACM GIS 2009 International Workshop on Security and Privacy in GIS and LBS (pp. 32–41). New York, NY, USA: ACM.

de Montjoye, Y.-A., Hidalgo, C. A., Verleysen, M., & Blondel, V. D. (2013). Unique in the Crowd: The privacy bounds of human mobility. Scientific Reports, 3.

De Mulder, Y., Danezis, G., Batina, L., & Preneel, B. (2008). Identification via location-profiling in GSM networks. In Proceedings of the 7th ACM workshop on Privacy in the electronic society (pp. 23–32). New York, NY, USA: ACM.

Díaz, C., Seys, S., Claessens, J., & Preneel, B. (2003). Towards measuring anonymity. In Proceedings of the 2nd international conference on Privacy enhancing technologies (pp. 54–68). Berlin, Heidelberg: Springer-Verlag.

Diaz, C., Troncoso, C., & Danezis, G. (2007). Does additional information always reduce anonymity? In Proceedings of the 2007 ACM workshop on Privacy in electronic society (pp. 72–75). New York, NY, USA: ACM.

Drane, C., Macnaughtan, M., & Scott, C. (1998). Positioning GSM Telephones. IEEE Communications Magazine, 36, 46–54.

Duckham, M., & Kulik, L. (2005). A Formal Model of Obfuscation and Negotiation for Location Privacy. In H. W. Gellersen, R. Want, & A. Schmidt (Eds.), Pervasive Computing (Vol. 3468, pp. 152–170). Springer Berlin / Heidelberg.

Duckham, M., & Kulik, L. (2006). Location privacy and location-aware computing. In J. Drummond, R. Billen, E. Joao, & D. Forrest (Eds.), Dynamic & mobile GIS: Investigating change in space and time (pp. 35–51). CRC Press, Boca Raton, FL.

Dunlop, M., & Brewster, S. (2002). The Challenge of Mobile Devices for Human Computer Interaction. Personal Ubiquitous Comput., 6, 235–236.


Economou, D., Gavalas, D., Kenteris, M., & Tsekouras, G. E. (2008). Cultural applications for mobile devices: Issues and requirements for authoring tools and development platforms. SIGMOBILE Mob. Comput. Commun. Rev., 12(3), 18–33.

Elnahrawy, E., Li, X., & Martin, R. (2004). Using area-based presentations and metrics for localization systems in wireless LANs. In Local Computer Networks, 2004. 29th Annual IEEE International Conference on (pp. 650–657).

Enck, W., Gilbert, P., Chun, B.-G., Cox, L. P., Jung, J., McDaniel, P., & Sheth, A. N. (2010). TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX conference on Operating systems design and implementation (pp. 1–6). Berkeley, CA, USA: USENIX Association.

European Parliament, & European Council. (1995). Directive 95/46/EC On the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities (L281).

European Parliament, & European Council. (2002). Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. Official Journal of the European Communities.

European Organization for the Safety of Air Navigation. (1998). WGS 84 Implementation Manual, Version 2.4.

European Parliament, C. (2006). Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. Official Journal of the European Union, L 105, 54–63.

Fechner, M. (2010). Deriving Context from Position Data. Unpublished master's thesis, Lehrstuhl für Kommunikationssysteme.

Federal Trade Commission. (2012). Mobile Apps for Kids: Current Privacy Disclosures are Disappointing (Tech. Rep.). (http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf)


Freudiger, J., Shokri, R., & Hubaux, J.-P. (2012). Evaluating the privacy risk of location-based services. In Proceedings of the 15th international conference on Financial Cryptography and Data Security (pp. 31–46). Berlin, Heidelberg: Springer-Verlag.

Gedik, B., & Liu, L. (2008). Protecting Location Privacy with Personalized k-Anonymity: Architecture and Algorithms. Mobile Computing, IEEE Transactions on, 7(1), 1–18.

German Federal Network Agency (Bundesnetzagentur). (2010). Jahresbericht 2010. Online: http://www.bundesnetzagentur.de/cae/servlet/contentblob/195950/publicationFile/10486/Jahresbericht2010pdf.pdf

Ghinita, G., Kalnis, P., & Skiadopoulos, S. (2007). PRIVE: anonymous location-based queries in distributed mobile systems. In WWW '07: Proceedings of the 16th international conference on World Wide Web (pp. 371–380). New York, NY, USA: ACM.

Girardin, F., Calabrese, F., Dal Fiore, F., Biderman, A., Ratti, C., & Blat, J. (2008). Uncovering the presence and movements of tourists from user-generated content. In Proceedings of International Forum on Tourism Statistics.

Girardin, F., Vaccari, A., Gerber, A., Biderman, A., & Ratti, C. (2009). Towards estimating the presence of visitors from the aggregate mobile phone network activity they generate. In Proceedings of International Conference on Computers in Urban Planning and Urban Management.

Golle, P., & Partridge, K. (2009). On the Anonymity of Home/Work Location Pairs. In H. Tokuda, M. Beigl, A. Friday, A. Brush, & Y. Tobe (Eds.), Pervasive Computing (Vol. 5538, pp. 390–397). Springer Berlin / Heidelberg.

Gonzalez, M. C., Hidalgo, C. A., & Barabasi, A.-L. (2008). Understanding individual human mobility patterns. Nature, 453(7196), 779–782.

Grace, M. C., Zhou, W., Jiang, X., & Sadeghi, A.-R. (2012). Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (pp. 101–112). New York, NY, USA: ACM.

Greschbach, B. (2010). Location Privacy – Herausforderungen für den Datenschutz bei Positionsinformationen verarbeitenden Diensten. Unpublished master's thesis, Lehrstuhl für Kommunikationssysteme.


Gruteser, M., & Grunwald, D. (2003). Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. In Proceedings of the 1st international conference on Mobile systems, applications and services (pp. 31–42). New York, NY, USA: ACM.

Gruteser, M., & Grunwald, D. (2004). A Methodological Assessment of Location Privacy Risks in Wireless Hotspot Networks. In D. Hutter, G. Müller, W. Stephan, & M. Ullmann (Eds.), Security in Pervasive Computing (Vol. 2802, pp. 113–142). Springer Berlin / Heidelberg.

Haeb-Umbach, R., & Peschke, S. (2007). A Novel Similarity Measure for Positioning Cellular Phones by a Comparison With a Database of Signal Power Levels. In (Vol. 56, pp. 368–372).

Hailperin, V. (2011). Evaluation of a user-centric metric for location sensitivity. Unpublished bachelor's thesis, Lehrstuhl für Kommunikationssysteme.

Hashem, T., & Kulik, L. (2007). Safeguarding location privacy in wireless ad hoc networks. In Proceedings of the 9th international conference on Ubiquitous computing (pp. 372–390). Berlin, Heidelberg: Springer-Verlag.

Hofmann-Wellenhof, B., Lichtenegger, H., & Wasle, E. (2008). GNSS – Global Navigation Satellite Systems: GPS, GLONASS, Galileo, and more. Springer.

Hoh, B., & Gruteser, M. (2005). Protecting Location Privacy Through Path Confusion. In Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks (pp. 194–205). Washington, DC, USA: IEEE Computer Society.

Hoh, B., Gruteser, M., Xiong, H., & Alrabady, A. (2010). Achieving Guaranteed Anonymity in GPS Traces via Uncertainty-Aware Path Cloaking. Mobile Computing, IEEE Transactions on, 9(8), 1089–1107.

Hornyack, P., Han, S., Jung, J., Schechter, S., & Wetherall, D. (2011). These aren't the droids you're looking for: retrofitting Android to protect data from imperious applications. In Proceedings of the 18th ACM conference on Computer and communications security (pp. 639–652). New York, NY, USA: ACM.

Hutter, D., Stephan, W., & Ullmann, M. (2004). Security and Privacy in Pervasive Computing: State of the Art and Future Directions. In D. Hutter, G. Müller, W. Stephan, & M. Ullmann (Eds.), Security in Pervasive Computing (Vol. 2802, pp. 285–289). Springer Berlin / Heidelberg.


Isaacman, S., Becker, R., Cáceres, R., Kobourov, S., Rowland, J., & Varshavsky, A. (2010). A tale of two cities. In HotMobile '10: Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications (pp. 19–24). New York, NY, USA: ACM.

Kaliski, B., & Staddon, J. (1998). IETF RFC 2437: PKCS #1: RSA Cryptography Specifications (Version 2.0). Online: http://www.ietf.org/rfc/rfc2437.txt (12/1/2012).

Kalnis, P., Ghinita, G., Mouratidis, K., & Papadias, D. (2007). Preventing Location-Based Identity Inference in Anonymous Spatial Queries. IEEE Transactions on Knowledge and Data Engineering, 19(12), 1719–1733.

Kamiyama, K., Ngoc, T., Echizen, I., & Yoshiura, H. (2010). Measuring Accumulated Revelations of Private Information by Multiple Media. In W. Cellary & E. Estevez (Eds.), Software Services for e-World (Vol. 341, pp. 70–80). Springer Boston.

Kenteris, M., Gavalas, D., & Economou, D. (2009). An innovative mobile electronic tourist guide application. Personal Ubiquitous Comput., 13(2), 103–118.

Kifer, D., & Gehrke, J. (2006). Injecting utility into anonymized datasets. In Proceedings of the 2006 ACM SIGMOD international conference on Management of data (pp. 217–228). New York, NY, USA: ACM.

Kjaergaard, M. B. (2007). A taxonomy for radio location fingerprinting. In Proceedings of the 3rd international conference on Location- and context-awareness (pp. 139–156). Berlin, Heidelberg: Springer-Verlag.

Kravets, D. (2011). An Intentional Mistake: The Anatomy of Google's Wi-Fi Sniffing Debacle. Wired. http://www.wired.com/threatlevel/2012/05/google-wifi-fcc-investigation/

Krumm, J. (2007). Inference attacks on location tracks. In PERVASIVE'07: Proceedings of the 5th international conference on Pervasive computing (pp. 127–143). Berlin, Heidelberg: Springer-Verlag.

Krumm, J. (2009). A survey of computational location privacy. Personal Ubiquitous Comput., 13(6), 391–399. doi: 10.1007/s00779-008-0212-5

Krumm, J. (2010). Ubiquitous Advertising: The Killer Application for the 21st Century. IEEE Pervasive Computing, 99(PrePrints).

Kulik, L. (2009). Privacy for real-time location-based services. SIGSPATIAL Special, 1, 9–14.


Kullback, S., & Leibler, R. A. (1951). On Information and Sufficiency. The Annals of Mathematical Statistics, 22(1), 79–86.

Langheinrich, M. (2001). Privacy by Design — Principles of Privacy-Aware Ubiquitous Systems. In G. Abowd, B. Brumitt, & S. Shafer (Eds.), Ubicomp 2001: Ubiquitous Computing (Vol. 2201, pp. 273–291). Springer Berlin / Heidelberg.

Langheinrich, M. (2002). A Privacy Awareness System for Ubiquitous Computing Environments. In G. Borriello & L. Holmquist (Eds.), UbiComp 2002: Ubiquitous Computing (Vol. 2498, pp. 315–320). Springer Berlin / Heidelberg.

Lee, C.-H., Hwang, M.-S., & Yang, W.-P. (1999). Enhanced privacy and authentication for the global system for mobile communications. Wirel. Netw., 5, 231–243.

Lewis, J. P., Pighin, F., & Anjyo, K. (2010). Scattered data interpolation and approximation for computer graphics. In ACM SIGGRAPH ASIA 2010 Courses (pp. 2:1–2:73). New York, NY, USA: ACM.

Li, T., & Li, N. (2009). On the tradeoff between privacy and utility in data publishing. In Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining (pp. 517–526). New York, NY, USA: ACM.

Liu, L. (2009). Privacy and location anonymization in location-based services. SIGSPATIAL Special, 1, 15–22.

Ma, C. Y., Yau, D. K., Yip, N. K., & Rao, N. S. (2010). Privacy vulnerability of published anonymous mobility traces. In Proceedings of the sixteenth annual international conference on Mobile computing and networking (pp. 185–196). New York, NY, USA: ACM.

Machanavajjhala, A., Kifer, D., Abowd, J., Gehrke, J., & Vilhuber, L. (2008). Privacy: Theory meets Practice on the Map. In Proceedings of the 2008 IEEE 24th International Conference on Data Engineering (pp. 277–286). Washington, DC, USA: IEEE Computer Society.

Mascetti, S., & Bettini, C. (2007). A Comparison of Spatial Generalization Algorithms for LBS Privacy Preservation. In Mobile Data Management, 2007 International Conference on (pp. 258–262).

May, J. M. (2008). Privacy APIs: Formal models for analyzing legal privacy requirements. Dissertations available from ProQuest, Paper AAI3309474. http://repository.upenn.edu/dissertations/AAI3309474


Meier, K., Wehrle, D., Rechert, K., & von Suchodoletz, D. (2011). Testbed for Mobile Telephony Networks. In Availability, Reliability and Security (ARES), 2011 Sixth International Conference on (pp. 661–666).

Ministerium für Inneres und Kommunales NRW. (2011). Drucksache 15/3300: Funkzellenauswertung (FZA) und Versenden "Stiller SMS" zur Kriminalitätsbekämpfung. Online: http://www.landtag.nrw.de/portal/WWW/dokumentenarchiv/Dokument?Id=MMD15/3300 (11/23/2011).

Moe, M. E. G. (2009). Quantification of anonymity for mobile ad hoc networks. Electron. Notes Theor. Comput. Sci., 244, 95–107.

Mokbel, M. F., Chow, C.-Y., & Aref, W. G. (2006). The New Casper: query processing for location services without compromising privacy. In Proceedings of the 32nd international conference on Very large data bases (pp. 763–774). VLDB Endowment.

Mulliner, C. (2010). Privacy Leaks in Mobile Phone Internet Access. In Proceedings of the 14th International Conference on Intelligence in Next Generation Networks. Berlin, Germany.

Muthers, S. (2009). Analyse und Weiterverarbeitung von OSM Daten. Unpublished Studienarbeit, Lehrstuhl für Kommunikationssysteme.

Oikarinen, J., & Reed, D. (1993). RFC 1459: Internet Relay Chat Protocol. RFC Editor, United States.

Patil, S., Norcie, G., Kapadia, A., & Lee, A. J. (2012). Reasons, rewards, regrets: privacy considerations in location sharing as an interactive practice. In Proceedings of the Eighth Symposium on Usable Privacy and Security (pp. 5:1–5:15). New York, NY, USA: ACM.

Pfitzmann, A., & Hansen, M. (2010). A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management (v0.34). http://dud.inf.tudresden.de/literatur/Anon_Terminology_v0.34.pdf

Pfitzmann, A., & Köhntopp, M. (2001). Anonymity, Unobservability, and Pseudonymity — A Proposal for Terminology. In H. Federrath (Ed.), Designing Privacy Enhancing Technologies (Vol. 2009, pp. 1–9). Springer Berlin / Heidelberg.

Rastogi, V., Suciu, D., & Hong, S. (2007). The boundary between privacy and utility in data publishing. In Proceedings of the 33rd international conference on Very large data bases (pp. 531–542). VLDB Endowment.


Rechert, K. (2009). MobIS: A Pragmatic Framework for Location Based Services. In Positioning, Navigation and Communication, 2009. WPNC 2009. The Sixth Workshop on (pp. 141–144).

Rechert, K. (2010a). Challenges and Success Criteria for Mobile Services in Tourism. In Information and Communication Technologies in Tourism (ENTER '10), The 17th International Conference on. e-Review of Tourism Research (eRTR), TX, USA.

Rechert, K. (2010b). Privatsphäre im Kontext mobiler Dienste. PIK – Praxis der Informationsverarbeitung und Kommunikation, 33(3), 220–226.

Rechert, K. (2013). Location Sharing with Trusted Peers — Measuring Sensitivity of Location Observations. In Proceedings of MDM 13 Workshops – PriSMO: Privacy and Security for Moving Objects (to appear). IEEE Computer Society.

Rechert, K., & Greschbach, B. (2012). Location Privacy in Relation to Trusted Peers. In C. Meadows & C. Fernández-Gago (Eds.), Security and Trust Management (LNCS Vol. 7170, pp. 106–121). Heidelberg: Springer.

Rechert, K., Meier, K., Greschbach, B., Wehrle, D., & von Suchodoletz, D. (2011). Assessing Location Privacy in Mobile Communication Networks. In X. Lai, J. Zhou, & H. Li (Eds.), Proceedings of the 14th international conference on Information security (pp. 309–324). Heidelberg: Springer.

Rechert, K., Meier, K., Wehrle, D., & von Suchodoletz, D. (2011). Location Privacy in Mobile Telephony Networks – Conflict of Interest between Safety, Security and Privacy. In Internet of Things (iThings/CPSCom), 2011 International Conference on and 4th International Conference on Cyber, Physical and Social Computing (pp. 508–513). IEEE Computer Society.

Rechert, K., Meier, K., Zahoransky, R., Wehrle, D., von Suchodoletz, D., Greschbach, B., . . . Echizen, I. (2013). Reclaiming Location Privacy in Mobile Telephony Networks – Effects and Consequences for Providers and Subscribers. IEEE Systems Journal, 7(2), 211–222. (Special Issue on Security and Privacy in Complex Systems, Sushil Jajodia and Pierangela Samarati (Eds.))

Rechert, K., Wohlgemuth, S., Echizen, I., & Sonehara, N. (2011). User Centric Privacy in Mobile Communication Scenarios. In Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on (pp. 202–207). IEEE Computer Society.


Rechert, K., Zahoransky, R., Meier, K., Wehrle, D., & von Suchodoletz, D. (2012). Reliability and Trustworthiness of Cellular Location Data. In J. Jähnke, N. von zur Mühlen, K. Rechert, & D. von Suchodoletz (Eds.), Current Issues in IT Security 2012. Berlin: Duncker & Humblot.

Rubin, D. B. (1993). Discussion: Statistical Disclosure Limitation. Journal of Official Statistics, 9(2).

Sächsischer Datenschutzbeauftragter. (2011). Drucksache 5/6787. Online: http://edas.landtag.sachsen.de/viewer.aspx?dok_nr=6787&dok_art=Drs&leg_per=5 (11/17/2011).

Schilit, B., Hong, J., & Gruteser, M. (2003). Wireless location privacy protection. Computer, 36(12), 135–137.

Schrittwieser, S., Kieseberg, P., Echizen, I., Wohlgemuth, S., & Sonehara, N. (2011). Using Generalization Patterns for Fingerprinting Sets of Partially Anonymized Microdata in the Course of Disasters. In Availability, Reliability and Security (ARES), 2011 Sixth International Conference on (pp. 645–649).

Serjantov, A., & Danezis, G. (2003). Towards an Information Theoretic Metric for Anonymity. In R. Dingledine & P. Syverson (Eds.), Privacy Enhancing Technologies (Vol. 2482, pp. 259–263). Springer Berlin / Heidelberg.

Shannon, C. E. (2001). A mathematical theory of communication. SIGMOBILE Mob. Comput. Commun. Rev., 5, 3–55. (Reprint)

Shokri, R., Freudiger, J., Jadliwala, M., & Hubaux, J.-P. (2009). A distortion-based metric for location privacy. In WPES '09: Proceedings of the 8th ACM workshop on Privacy in the electronic society (pp. 21–30). New York, NY, USA: ACM.

Shokri, R., Theodorakopoulos, G., Danezis, G., Hubaux, J.-P., & Le Boudec, J.-Y. (2011). Quantifying Location Privacy: The Case of Sporadic Location Exposure. In S. Fischer-Hübner & N. Hopper (Eds.), Privacy Enhancing Technologies (Vol. 6794, pp. 57–76). Springer Berlin / Heidelberg.

Shokri, R., Theodorakopoulos, G., Le Boudec, J., & Hubaux, J. (2011). Quantifying location privacy. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 247–262).

Smith, E. (2010). iPhone applications & privacy issues: An analysis of application transmission of iPhone unique device identifiers (UDIDs) (Tech. Rep.). PSKL. http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf


Sohn, T., Varshavsky, A., LaMarca, A., Chen, M., Choudhury, T., Smith, I., . . . de Lara, E. (2006). Mobility Detection Using Everyday GSM Traces. In P. Dourish & A. Friday (Eds.), UbiComp 2006: Ubiquitous Computing (Vol. 4206, pp. 212–224). Springer Berlin / Heidelberg.

Stoll, F. (1995). The need for decentralization and privacy in mobile communications networks. Computers & Security, 14(6), 527–539.

Sun, G., Chen, J., Guo, W., & Liu, K. (2005). Signal processing techniques in network-aided positioning: a survey of state-of-the-art positioning designs. Signal Processing Magazine, IEEE, 22(4), 12–23.

Sun, Y., Liu, P., Kermani, P., & La Porta, T. (2005). An architecture and key management approach for maintaining privacy in location based group services. In Collaborative Computing: Networking, Applications and Worksharing, 2005 International Conference on.

Sweeney, L. (2002). k-anonymity: a model for protecting privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst., 10(5), 557–570.

Tayal, M. (2005). Location services in the GSM and UMTS networks. In Personal Wireless Communications, 2005. ICPWC 2005. 2005 IEEE International Conference on (pp. 373–378).

Toch, E., Cranshaw, J., Drielsma, P. H., Tsai, J. Y., Kelley, P. G., Springfield, J., . . . Sadeh, N. (2010). Empirical models of privacy in location sharing. In Ubicomp '10: Proceedings of the 12th ACM international conference on Ubiquitous computing (pp. 129–138). New York, NY, USA: ACM.

U.S. Department of Justice, Office of Privacy and Civil Liberties. (2010). Overview of the Privacy Act of 1974 (2010 Edition). Online: http://www.justice.gov/opcl/1974privacyact-overview.htm (11/17/2011).

Vossiek, M., Wiebking, L., Gulden, P., Wieghardt, J., Hoffmann, C., & Heide, P. (2003). Wireless local positioning. Microwave Magazine, IEEE, 4(4), 77–86.

Voulodimos, A., & Patrikakis, C. (2009). Quantifying privacy in terms of entropy for context aware services. Identity in the Information Society, 2, 155–169.

Wang, T., & Liu, L. (2009). Privacy-aware mobile services over road networks. Proc. VLDB Endow., 2, 1042–1053.

Warren, S., & Brandeis, L. (1890). Harvard Law Review, 4(5), 193–220.


Welke, K., & Rechert, K. (2009). Spontaneous Privacy-Aware Location Sharing. In Pervasive Computing and Applications, 2009. ICPCA '09. The Fourth International Conference on (pp. 395–398). IEEE Computer Society.

Westin, A. F. (1967). Privacy and Freedom (1st ed.). New York: Atheneum.

Wicker, S. B. (2011). Cellular telephony and the question of privacy. Commun. ACM, 54, 88–98.

Wicker, S. B. (2012). The loss of location privacy in the cellular age. Commun. ACM, 55(8), 60–68.

Wohlgemuth, S., Echizen, I., Sonehara, N., & Müller, G. (2010). Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy. In K. Rannenberg, V. Varadharajan, & C. Weber (Eds.), Security and Privacy – Silver Linings in the Cloud (Vol. 330, pp. 241–252). Springer Boston.

Wong, C., Gouda, M., & Lam, S. (2000). Secure group communications using key graphs. IEEE/ACM Transactions on Networking, 8(1), 16–30.

World Wide Web Consortium. (2006). The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C Working Group Note 13 November 2006. Online: http://www.w3.org/TR/P3P11/ (11/17/2011).

Youssef, M., Agrawala, A., & Udaya Shankar, A. (2003). WLAN location determination via clustering and probability distributions. In Pervasive Computing and Communications, 2003. (PerCom 2003). Proceedings of the First IEEE International Conference on (pp. 143–150).

Zahoransky, R., Rechert, K., Meier, K., Wehrle, D., & von Suchodoletz, D. (2012). Cellular Location Determination – Reliability and Trustworthiness of GSM Location Data. In G. Mühl, J. Richling, & A. Herkersdorf (Eds.), ARCS Workshops (Vol. 200, pp. 63–73). GI.

Zahoransky, R. M. (2011). Localization in GSM Mobile Radio Networks. Unpublished master's thesis, Lehrstuhl für Kommunikationssysteme.

Zang, H., & Bolot, J. (2011). Anonymization of location data does not work: a large-scale measurement study. In Proceedings of the 17th annual international conference on Mobile computing and networking (pp. 145–156). New York, NY, USA: ACM.

Zang, H., & Bolot, J. C. (2007). Mining call and mobility data to improve paging efficiency in cellular networks. In Proceedings of the 13th annual ACM international conference on Mobile computing and networking (pp. 123–134). New York, NY, USA: ACM.


Zhong, G., Goldberg, I., & Hengartner, U. (2007). Louis, Lester and Pierre: Three protocols for location privacy. In Proceedings of the 7th Privacy Enhancing Technologies Symposium (pp. 62–76). IEEE Computer Society.

Zhou, R. (2008). Enable web-based tracking and guiding by integrating location-awareness with the World Wide Web. Campus-Wide Information Systems, 25(5), 311–328.

Zhou, R., & Rechert, K. (2008). Personalization for Location-Based E-Learning. In Next Generation Mobile Applications, Services and Technologies, 2008. NGMAST '08. The Second International Conference on (pp. 247–253). IEEE Computer Society.

Zimmermann, D., Baumann, J., Layh, A., Landstorfer, F., Hoppe, R., & Wölfle, G. (2004). Database correlation for positioning of mobile terminals in cellular networks using wave propagation models. In Vehicular Technology Conference, 2004. VTC2004-Fall. 2004 IEEE 60th (Vol. 7, pp. 4682–4686).


APPENDIX A

Implementation Details

A.1 MobIS Framework

The proposed mobile platform has been successfully deployed in two public projects. Both projects focus on outdoor applications with location-aware educational and entertaining multimedia content.

Major goals of both projects were to prove technical feasibility, but also to enable the service providers to maintain their content and to make smaller changes to the user interface. Fig. A.1(a) and Fig. A.1(b) show the content management system's user interface.

Figure A.1: Web-based content management system. (a) Creating a POI; (b) creating a slideshow.

The mobile platform's source code, libraries and patches, as well as the build environment and tools for Linux and Windows (Desktop and Mobile), are enclosed on a DVD.


Components and Libraries

The MobIS system was built on an Open Source software stack, such that it can be deployed and run on a POSIX-compatible system with no additional external dependencies. All libraries and software components used are available either under LGPL or a BSD-style license.

• ECMA 262 Bytecode Compiler: bytecode compiler for efficient script code representation and IPR protection of service application issuers. Derived from libMing's ActionScript compiler (http://sourceforge.net/projects/ming/).

• Enlightenment Foundation Library (http://www.enlightenment.org/): optional GUI elements optimized for mobile usage, e.g. lists, scroll elements, file chooser etc.

• FFmpeg (http://ffmpeg.org): audio/video decoding library. Patched to provide a minimalistic fullscreen player for slow ARM-based mobile devices.

• Flirt (http://flirt.sourceforge.net): reused ActionScript interpreter to support MobisScript classes.

• freetype (http://freetype.org)

• libjpeg (http://www.ijg.org)

• libpng (http://libpng.org)

• proj (https://trac.osgeo.org/proj/): library for various geo-coordinate projections.

• SDL (http://libsdl.org)

• sqlite (http://sqlite.org)

• zlib (http://zlib.net)


Available Classes

LBS-specific classes and their description:

MobisRootClass
    Main / root layer.

MobisLayer(parent)
    Generic layer class. Provides basic layer operations like:
    • setVisible(bool)
    • isVisible()
    • place(item[,x,y,depth])
    • move(dx,dy) / moveTo(x,y)
    • setRotation(deg)
    • scale(dx,dy)
    • clear()
    • getDepth()
    • swap(layer)
    • remove(item)

MobisButton(img,[func,args...])
    Creates a button instance showing img and calling function func(args) if clicked.
    • setCallback(cb[,args..])

MobisButton(imUp,imDown,[func,args...])
    Creates a button instance showing imUp/imDown and calling function func(args) if clicked.
    • setCallback(cb[,args..])

MobisGps()
    Creates a GPS controller instance. Provides methods like:
    • registerMap(map): control a map object
    • registerStateChangeListener(cb): register a callback for GPS events
    • getData(): get raw GPS data

MobisImage(file)
    Image file wrapping class.
    • getProperties()

MobisMap(parent,mapfile)
    Map file class; shares most of the functionality of MobisLayer. However, methods like moveTo() etc. interpret position arguments as geo-coordinates.
    • move(dx,dy)
    • moveTo(lat, lon)
    • setPosition(lat,lon)
    • zoom(float)
    • addOverlay(overlay)
    • showLocation(bool)
    • getCenter() / setCenter(lat,lon)
    • setDargable(bool)
    • getBounds()
    • mapPoint(lat, lon): returns pixel coordinates relative to the map boundaries

MobisOverlay(name,shape/image,cb)
    Overlay class. Specialized map layer. Manages all POI trigger objects contained on this overlay.
    • addPoi(poi, lat, lon)
    • setVisible(name)

MobisPoi(lat,lon,properties)
    Wrapper for the abstract point-of-interest class. Objects can be defined as properties, which POI trigger callbacks can use.
    • setTriggerRadius(meter)
    • get/setProperties()

MobisProjection()
    Wrapper for map projection.
    • toUTM(lat,lon)
    • toLatLon(north, east, zone)

MobisShape()
    Drawing primitives.
    • drawLine(x1,y1,x2,y2,w)
    • setColor(r,g,b[,a])
    • drawRect(w,h)

MobisSql(file)
    SQLite wrapper class.
    • query(str)
    • getNextRow(result)
    • freeResult(result)
    • close()

MobisFont(ttffile)
    TTF font file wrapper.
    • setSize

MobisTextfield(font,w,h)
    Text input and output class.
    • getText()/setText(text)
    • scrollUp/Down()

MobisTimeout(cb,msec,[args ...])
    Calls a callback function after a timeout of msec.
    • release()

MobisVideo()
    Audio/video playback class.
    • play(file)
    • stop()/pause()
    • setVolume(int)

MobisActionArea(w,h,cb[,args...])
    Creates an invisible, clickable ActionArea executing cb(args...).

MobisKeyListener(cb)
    Key listener object; listens to key events and forwards them to cb.
    • release()

MobisMapPane(map)
    Creates a canvas (pane) on top of a map. Inherits the map's coordinate system.
    • place(obj, lat, lon)
    • initPen(r,g,b[,a])
    • finishPen()
    • moveTo(lat, lon)
    • drawLineTo(lat, lon)
    • drawRect(lat, lon, w, h)
    • setVisible(bool)
    • clear()
    • remove(obj)


A.1.1 Feldberg Ranger (2007 – 2008)

The Feldberg-Ranger¹ guides hikers through a round course and displays educational and entertaining videos as well as text information and photographs about nearby points of interest.

A.1.1.1 Requirements

1. POI triggered automatically if a user is close by, showing either a slideshow, multimedia content or a text-based information page. The user should be notified of available information by an alarm sound.

2. Slideshows, including multi-page text and photography.

3. Fullscreen video playback.

4. Custom map covering the hiking path "Feldbergsteig".

5. Map following the user.

6. Zoomable map (at least two zoom layers in/out).

7. Tamper-proof (kiosk) / fault-tolerant system.

Figure A.2: Feldberg Ranger project. (a) Feldberg Ranger hiking map; (b) educational multimedia presentation (video).

Figure A.3: NABU Biosphäre project. (a) NABU Sternberg-Entdecker map; (b) NABU Sternberg-Entdecker location-aware encyclopedia.

A.1.2 NABU Biosphäre (2009 – 2010)

The Sternberg-Entdecker² provides educational and interactive content for kids together with basic navigation (Fig. A.3(a)). Furthermore, a context-aware encyclopedia was developed (Fig. A.3(b)) displaying only content relevant to the current position and season.

A.1.2.1 Requirements

The requirements of this project were similar to those of the previous project, with the following project-specific additions:

1. Support for customizable/exchangeable corporate identity design.

2. Inclusion of time/date/seasonal context for context-aware content (e.g. POIs).

3. Development of a framework for a context-aware encyclopedia.

4. Development of a framework for a bounty-hunt application.

¹ Feldberg Hosentaschen-Ranger, http://www.feldberg-steig.de/fst/hosentaschen_ranger, version of 10/26/08.

² Sternberg-Entdecker, http://biosphaere-alb.nabu.de, (17/12/2009).


A.2 GSM Air-Interface Logging Device

The logger device was developed on the basis of a Nokia 3310 phone. These phones are able to provide raw network data through a specific debug interface.³ Figure A.4 shows all components used.

To make this setup mobile, a micro controller (LPC2141) was attached using an F-BUS cable,⁴ writing the data to an SD card. Furthermore, a GPS device was added to tag the network data with a time stamp and to record the user's movement. Listing A.1 shows an excerpt of the collected GPS data.

The phone emits binary frames in debug mode, each frame starting with the synchronization byte 0x1e, followed by a frame header describing source and destination (e.g. indicating that the captured frame originates from the phone), the message or command type, and two bytes representing the message length. The header information has already been processed by the mobile micro controller, such that only the frame payload, together with a timestamp, is stored. The timestamp originates from the GPS source and is required to multiplex the GSM and GPS data streams in a post-processing step, since the phone itself does not emit timestamped frames. Listing A.2 shows raw GSM data obtained from the mobile phone in the following format:

::

In a post-processing step, the raw GSM data frames are decoded and geo-coordinates are added. Further, the layer-1 data is partly decoded, with the layer-2 raw data embedded. Finally, an XML data stream is available to be decoded further using tcpdump.⁵ Listing A.3 shows the XML data stream after post-processing. In a final step, the XML data is parsed by the tcpdump application and fully decoded GSM packets are available for further processing as XML data. Listing A.4 shows the final result of captured GSM data.
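The timestamp join described above, written out as an added example (this is not the logger's own post-processing code): it verifies each NMEA sentence's checksum before trusting a fix, parses the GPRMC position, parses the date:time:type:payload frame lines, and attaches to every frame the GPS fix nearest in time. The sample lines are constructed after Listings A.1 and A.2 (one fix with a deliberately altered checksum, one frame far from every fix); the Fix and Frame names and the 2 s matching tolerance are assumptions.

```python
"""Geotag raw GSM logger frames with the GPS fixes recorded alongside them."""
from bisect import bisect_left
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the style of Listing A.1: two valid GPRMC fixes,
# one sentence of another type, and one fix whose checksum was altered.
GPS_LOG = """\
$GPRMC,102514.017,A,4801.4741,N,00752.0792,E,003.7,214.0,311010,,,A*6D
$GPVTG,214.0,T,,M,003.7,N,006.8,K,A*00
$GPRMC,102516.017,A,4801.4712,N,00752.0759,E,003.7,225.1,311010,,,A*6D
$GPRMC,102517.017,A,4801.4700,N,00752.0700,E,003.7,225.1,311010,,,A*00
"""

# Constructed sample in the date:time:type:payload layout of Listing A.2;
# the third frame lies 14 s from every fix and must stay untagged.
GSM_LOG = """\
311010:102514.017:0x00:0x01 0x01 0x18 0x05 0xFD 0x46 0x4F 0x0B 0x09 0x05 0x1E 0x0C 0x00 0x7F 0x00 0x02 0x40 0x06 0x00 0x01 0xC1
311010:102516.017:0x00:0x01 0x01 0x19 0x99 0xFD 0x51 0x52 0x03 0x01 0x99 0x00 0x01 0xC5
311010:102530.017:0x00:0x01 0x01 0x18 0x4A 0xFD 0x52 0x53 0x06 0x04 0x4A 0x01 0x26 0x14 0x50 0x01 0xC6
"""


@dataclass(frozen=True)
class Fix:  # assumed name
    when: datetime
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive


@dataclass(frozen=True)
class Frame:  # assumed name
    when: datetime
    kind: int       # third field of the logger line
    payload: bytes  # frame bytes as stored by the micro controller


def nmea_checksum_ok(sentence: str) -> bool:
    """The XOR of all characters between '$' and '*' must equal the hex suffix."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, given = sentence[1:].rsplit("*", 1)
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    return given.strip().upper() == f"{calc:02X}"


def _nmea_degrees(value: str, hemisphere: str) -> float:
    """ddmm.mmmm or dddmm.mmmm plus hemisphere letter -> signed decimal degrees."""
    minutes = float(value[-7:])  # 'mm.mmmm' is always the last seven characters
    degrees = int(value[:-7])
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


def _timestamp(date_ddmmyy: str, time_hhmmss: str) -> datetime:
    return datetime.strptime(date_ddmmyy + time_hhmmss, "%d%m%y%H%M%S.%f")


def parse_gps_log(text: str) -> Tuple[List[Fix], int]:
    """Valid GPRMC fixes in time order, plus the number of rejected RMC lines."""
    fixes, rejected = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("$GPRMC"):
            continue  # only RMC carries date, time and position together
        fields = line.split("*", 1)[0].split(",")
        if not nmea_checksum_ok(line) or fields[2] != "A":  # 'V' = no valid fix
            rejected += 1
            continue
        fixes.append(Fix(_timestamp(fields[9], fields[1]),
                         _nmea_degrees(fields[3], fields[4]),
                         _nmea_degrees(fields[5], fields[6])))
    fixes.sort(key=lambda f: f.when)
    return fixes, rejected


def parse_gsm_log(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        if line.strip():
            date, time, kind, payload = line.split(":", 3)
            frames.append(Frame(_timestamp(date, time), int(kind, 16),
                                bytes(int(tok, 16) for tok in payload.split())))
    return frames


def geotag(frames: List[Frame], fixes: List[Fix],
           max_gap_s: float = 2.0) -> List[Tuple[Frame, Optional[Fix]]]:
    """Pair each frame with the fix closest in time, or None beyond max_gap_s."""
    times = [f.when for f in fixes]
    tagged = []
    for fr in frames:
        i = bisect_left(times, fr.when)
        near = [fixes[j] for j in (i - 1, i) if 0 <= j < len(fixes)]
        best = min(near, key=lambda fx: abs((fx.when - fr.when).total_seconds()),
                   default=None)
        if best and abs((best.when - fr.when).total_seconds()) > max_gap_s:
            best = None
        tagged.append((fr, best))
    return tagged


if __name__ == "__main__":
    fixes, bad = parse_gps_log(GPS_LOG)
    print(f"{len(fixes)} fixes accepted, {bad} rejected")
    for fr, fx in geotag(parse_gsm_log(GSM_LOG), fixes):
        print(fr.when.time(), f"{len(fr.payload)} bytes", fx and (fx.lat, fx.lon))
```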

³ GSM decoding with a Nokia 3310 phone, https://svn.berlin.ccc.de/projects/airprobe/wiki/tracelog, (12/15/2010).

⁴ F-BUS documentation, http://www.embedtronics.com/nokia/fbus.html, (15/1/2012).

⁵ tcpdump & libpcap project, http://www.tcpdump.org.

161


Figure A.4 (a), (b): Mobile logger device consisting of a Nokia 3310 with an ARM logic board storing GSM and GPS messages on an SD card.

Listing A.1: Output of GPS device

$GPRMC,102514.017,A,4801.4741,N,00752.0792,E,003.7,214.0,311010,,,A*6D
$GPVTG,214.0,T,,M,003.7,N,006.8,K,A*00
$GPGGA,102515.017,4801.4735,N,00752.0780,E,1,04,3.7,265.8,M,49.3,M,,0000*58
$GPGSA,A,3,30,29,25,31,,,,,,,,,7.6,3.7,6.7*3B
$GPGSV,3,1,12,29,68,056,21,30,67,120,19,31,54,248,18,21,44,174,*71
$GPGSV,3,2,12,25,40,118,24,16,25,300,18,05,16,068,,23,07,323,17*72
$GPGSV,3,3,12,10,05,027,14,12,05,118,07,06,03,254,,13,02,350,*77
$GPRMC,102515.017,A,4801.4735,N,00752.0780,E,003.1,221.4,311010,,,A*68
$GPVTG,221.4,T,,M,003.1,N,005.7,K,A*08
$GPGGA,102516.017,4801.4712,N,00752.0759,E,1,04,3.7,265.7,M,49.3,M,,0000*55
$GPGSA,A,3,30,29,25,31,,,,,,,,,7.6,3.7,6.7*3B
$GPGSV,3,1,12,29,68,056,21,30,67,120,20,31,54,248,16,21,44,174,*75
$GPGSV,3,2,12,25,40,118,24,16,25,300,16,05,16,068,,23,07,323,16*7D
$GPGSV,3,3,12,10,05,027,12,12,05,118,07,06,03,254,,13,02,350,*71
$GPRMC,102516.017,A,4801.4712,N,00752.0759,E,003.7,225.1,311010,,,A*6D


Listing A.2: Raw GSM data output

311010:102514.017:0x00:0x01 0x01 0x18 0x05 0xFD 0x46 0x4F 0x0B 0x09 0x05 0x1E 0x0C 0x00 0x7F 0x00 0x02 0x40 0x06 0x00 0x01 0xC1
311010:102516.017:0x00:0x01 0x01 0x18 0x05 0xFD 0x46 0x50 0x16 0x14 0x05 0x1E 0x0C 0x00 0x40 0x00 0x0E 0x01 0x01 0x64 0x03 0x01 0x4F 0x0D 0x01 0x01 0x01 0x1B 0x58 0x01 0x42 0x01 0xC3
311010:102516.017:0x00:0x01 0x01 0x19 0x83 0xFD 0x51 0x51 0x13 0x11 0x83 0x00 0x00 0xB8 0xB8 0x40 0x06 0x9A 0xB2 0x80 0x80 0xA1 0xAA 0xA5 0xAD 0xA1 0x9C 0xAD 0x01 0xC4
311010:102516.017:0x00:0x01 0x01 0x19 0x99 0xFD 0x51 0x52 0x03 0x01 0x99 0x00 0x01 0xC5
311010:102516.017:0x00:0x01 0x01 0x18 0x4A 0xFD 0x52 0x53 0x06 0x04 0x4A 0x01 0x26 0x14 0x50 0x01 0xC6
311010:102516.017:0x00:0x01 0x01 0x18 0x05 0xFD 0x85 0x54 0x16 0x14 0x05 0x1E 0x0C 0x00 0x40 0x00 0x0E 0x01 0x01 0x64 0x03 0x01 0x4F 0x0D 0x01 0x01 0x01 0x1B 0x58 0x01 0x42 0x01 0xC7
311010:102516.017:0x00:0x01 0x01 0x19 0x8E 0xFD 0xC4 0x55 0x4D 0x4B 0x8E 0x1E 0x00 0x0C 0x40 0x00 0x45 0x00 0x01 0x70 0x00 0x00 0x00 0xC0 0xFC 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xC0 0xFC 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x40 0x01 0xC0
311010:102516.017:0x00:0x01 0x01 0x18 0x05 0xFD 0xC4 0x56 0x0B 0x09 0x05 0x1E 0x0C 0x00 0x7F 0x00 0x02 0x40 0x80 0x71 0x01 0xC1
311010:102517.017:0x00:0x01 0x01 0x18 0x05 0xFD 0xC5 0x57 0x16 0x14 0x05 0x1E 0x0C 0x00 0x40 0x00 0x0E 0x01 0x01 0x64 0x03 0x01 0x4F 0x0D 0x01 0x01 0x01 0x1B 0x58 0x01 0x42 0x01 0xC3
311010:102517.017:0x00:0x01 0x01 0x19 0x83 0xFE 0x02 0x58 0x13 0x11 0x83 0x00 0x00 0xB2 0xB2 0x00 0x00 0x80 0x80 0xAA 0x9D 0xA1 0x9D 0x9C 0xA7 0xA1 0x98 0xA9 0x01 0xC4
311010:102517.017:0x00:0x01 0x01 0x19 0x99 0xFE 0x02 0x59 0x03 0x01 0x99 0x00 0x01 0xC5
311010:102517.017:0x00:0x01 0x01 0x18 0x4A 0xFE 0x02 0x5A 0x06 0x04 0x4A 0x01 0x26 0x14 0x50 0x01 0xC6


Listing A.3: GSM data after post-processing

<l1 direction="down" logicalchannel="80" physicalchannel="14" sequence="1321557" error="0" timeshift="3530" bsic="31" time="311010:102525.017" data="31061C62F21072076504A500001D2B2B2B2B2B2B2B2B2B">
<l2 data="061C62F21072076504A50000" rest="1D2B2B2B2B2B2B2B2B2B">

<l1 direction="down" logicalchannel="80" physicalchannel="17" sequence="1324016" error="0" timeshift="3530" bsic="29" time="311010:102536.017" data="59061A0000000010080000000005088511200088A50000">
<l2 data="061A0000000010080000000005088511200088A50000" rest="">

<l1 direction="down" logicalchannel="80" physicalchannel="17" sequence="1324067" error="0" timeshift="3530" bsic="29" time="311010:102536.017" data="49061BB9C962F2107207D8043C556504A500003FB32B2B">
<l2 data="061BB9C962F2107207D8043C556504A50000" rest="3FB32B2B">

<l1 direction="down" logicalchannel="80" physicalchannel="17" sequence="1324118" error="0" timeshift="3530" bsic="29" time="311010:102537.017" data="31061C62F21072076504A500001D2B2B2B2B2B2B2B2B2B">
<l2 data="061C62F21072076504A50000" rest="1D2B2B2B2B2B2B2B2B2B">

<l1 direction="down" logicalchannel="80" physicalchannel="17" sequence="1324169" error="0" timeshift="3530" bsic="29" time="311010:102537.017" data="010600D0A081700B03EC994274C340A30CEB2B2B2B2B2B">
<l2 data="" rest="0600D0A081700B03EC994274C340A30CEB2B2B2B2B2B">

<l1 direction="down" logicalchannel="80" physicalchannel="17" sequence="1324220" error="0" timeshift="3530" bsic="29" time="311010:102537.017" data="01060760002554A8F974055E18732B2B2B2B2B2B2B2B2B">
<l2 data="" rest="060760002554A8F974055E18732B2B2B2B2B2B2B2B2B">

<l1 direction="down" logicalchannel="80" physicalchannel="17" sequence="1324271" error="0" timeshift="3530" bsic="29" time="311010:102537.017" data="49061BB9C962F2107207D8043C556504A500003FB32B2B">
<l2 data="061BB9C962F2107207D8043C556504A50000" rest="3FB32B2B">


Listing A.4: GSM data after post-processing

<field name="num" pos="0" show="1" showname="Number" value="1" size="23"/>
<field name="len" pos="0" show="23" showname="Frame Length" value="17" size="23"/>
<field name="caplen" pos="0" show="23" showname="Captured Length" value="17" size="23"/>
<field name="timestamp" pos="0" show="311010:102525.017 CET" showname="Captured Time" value="311010:102525.017" size="23"/>

<field name="frame.time" showname="Arrival Time: Jan 1, 1970 01:00:00.000000000 CET" size="0" pos="0" show="Jan 1, 1970 01:00:00.000000000"/>
<field name="frame.time_epoch" showname="Epoch Time: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
<field name="frame.len" showname="Frame Length: 23 bytes (184 bits)" size="0" pos="0" show="23"/>
<field name="frame.cap_len" showname="Capture Length: 23 bytes (184 bits)" size="0" pos="0" show="23"/>
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
<field name="frame.protocols" showname="Protocols in frame: gsm_um:gsm_a_dtap" size="0" pos="0" show="gsm_um:gsm_a_dtap"/>
<field name="frame.p2p_dir" showname="Point-to-Point Direction: Received (1)" size="0" pos="0" show="1"/>

<field name="gsm_um.direction" showname="Direction: Downlink" size="0" pos="0" show="Downlink"/>
<field name="gsm_um.channel" showname="Channel: BCCH" size="0" pos="0" show="BCCH"/>
<field name="gsm_um.arfcn" showname="ARFCN: 14" size="0" pos="0" show="14"/>
<field name="" show="Band: P-GSM 900, Frequency: 937.800MHz" size="0" pos="0" value=""/>
<field name="gsm_um.bsic" showname="BSIC: 31" size="0" pos="0" show="31"/>
<field name="gsm_um.frame" showname="TDMA Frame: 1321557" size="0" pos="0" show="1321557"/>
<field name="gsm_um.error" showname="Error: 0" size="0" pos="0" show="0"/>
<field name="gsm_um.timeshift" showname="Timeshift: 3530" size="0" pos="0" show="3530"/>
<field name="gsm_um.l2_pseudo_len" showname="0011 00.. = L2 Pseudo Length: 12" size="1" pos="0" show="12" value="C" unmaskedvalue="31"/>

<field name="" show="Protocol Discriminator: Radio Resources Management messages" size="1" pos="1" value="06">
  <field name="gsm_a.skip.ind" showname="0000 .... = Skip Indicator: 0" size="1" pos="1" show="0" value="0" unmaskedvalue="06"/>
  <field name="gsm_a.L3_protocol_discriminator" showname=".... 0110 = Protocol discriminator: Radio Resources Management messages (6)" size="1" pos="1" show="6" value="6" unmaskedvalue="06"/>

<field name="gsm_a.dtap_msg_rr_type" showname="DTAP Radio Resources Management Message Type: System Information Type 4 (0x1c)" size="1" pos="2" show="0x1c" value="1c"/>
<field name="" show="Location Area Identification (LAI) - 262/01/29191" size="5" pos="3" value="62f2107207">
  <field name="e212.mcc" showname="Mobile Country Code (MCC): Germany (Federal Republic of) (262)" size="2" pos="3" show="262" value="62f2"/>
  <field name="e212.mnc" showname="Mobile Network Code (MNC): T-Mobile Deutschland GmbH (01)" size="2" pos="4" show="1" value="f210"/>
  <field name="gsm_a.lac" showname="Location Area Code (LAC): 0x7207 (29191)" size="2" pos="6" show="0x7207" value="7207"/>

<field name="" show="Cell Selection Parameters" size="2" pos="8" value="6504">
  <field name="gsm_a.rr.cell_reselect_hyst" showname="011. .... = Cell Reselection Hysteresis: 3" size="1" pos="8" show="3" value="3" unmaskedvalue="65"/>
  <field name="gsm_a.rr.ms_txpwr_max_cch" showname="...0 0101 = MS TXPWR MAX CCH: 5" size="1" pos="8" show="5" value="5" unmaskedvalue="65"/>
  <field name="gsm_a.rr.acs" showname="0... .... = ACS: False" size="1" pos="9" show="0" value="0" unmaskedvalue="04"/>
  <field name="gsm_a.rr.neci" showname=".0.. .... = NECI: 0" size="1" pos="9" show="0" value="0" unmaskedvalue="04"/>
  <field name="gsm_a.rr.rxlev_access_min" showname="..00 0100 = RXLEV-ACCESS-MIN: -107 &lt;= x &lt; -106 dBm (4)" size="1" pos="9" show="4" value="4" unmaskedvalue="04"/>

<field name="" show="RACH Control Parameters" size="3" pos="10" value="a50000">
  <field name="gsm_a.rr.max_retrans" showname="10.. .... = Max retrans: Maximum 4 retransmissions (2)" size="1" pos="10" show="2" value="2" unmaskedvalue="a5"/>
  <field name="gsm_a.rr.tx_integer" showname="..10 01.. = Tx-integer: 12 slots used to spread transmission (9)" size="1" pos="10" show="9" value="9" unmaskedvalue="a5"/>
  <field name="gsm_a.rr.cell_barr_access" showname=".... ..0. = CELL_BARR_ACCESS: The cell is not barred (0)" size="1" pos="10" show="0" value="0" unmaskedvalue="a5"/>
  <field name="gsm_a.rr.re" showname=".... ...1 = RE: True" size="1" pos="10" show="1" value="1" unmaskedvalue="a5"/>
  <field name="gsm_a.rr.acc" showname="0000 0000 0000 0000 = ACC: 0x0000" size="2" pos="11" show="0x0000" value="0" unmaskedvalue="0000"/>


A.3 Sensitivity Evaluation Scenarios

Listing A.5: Day

Listing A.6: Night

Listing A.7: Saturday

Listing A.8: Sunday
170
