Trust and Privacy in Location-Based Services

Transcription

1 Trust and Privacy in Location-Based Services (Schutz der Privatsphäre bei ortsbasierten Diensten) Dr. Oliver Jorns 1), Univ.Prof. DDr. Gerald Quirchmayr 2) 1) Ferdinand Porsche Fern Fachhochschule Wien, Wr. Neustadt Studiengang Wirtschaftsinformatik Master Lothringerstraße 4-8, 1040 Vienna, Austria Tel: ) Universität Wien, Fakultät für Informatik, Department of Distributed and Multimedia Systems Liebiggasse 4/3-4, A-1010 Vienna, Austria Keywords: privacy, security, trust, pseudonym, identity

2 Abstract The continuous expansion of diverse mobile devices with various kinds of integrated sensors, namely GPS receivers, different mobile communications technologies and along with these the ubiquitous availability of and access to the Internet fosters the development of Location-Based Services (LBS). Yet again trust, security and protection of the user s privacy are important for the success of such services. The proposed solution is based on cryptographic techniques, which allow the development and deployment of commercial LBS with privacy protection. Zusammenfassung Ortsbasierte Systeme und Dienste gewinnen durch Expansion unterschiedlicher mobiler Endgeräte sowie Mobilfunktechnologien, Technologien wie GPS und der Verfügbarkeit von Internettechnologien zunehmend an Bedeutung. Umso mehr nimmt auch der Bedarf des Schutzes der Privatsphäre der Benutzer zu. Das vorgestellte Verfahren nutzt kryptographische Methoden, um kommerzielle ortsbasierte Dienste zu ermöglichen die den Schutz der Privatheit der Nutzer garantieren müssen. 1. Introduction With the emergence of mobile devices and the facilitation to access various kinds of services any time anywhere, the notion of context-aware computing is to be deemed as next wave in the mobile computing domain. The term awareness is important and the key for dynamic user friendly and supportive environments. The implementation of awareness is realized with the help of information appliances and known as context-awareness. Various researchers and research groups investigate the notion of context and context-aware computing since more than 40 years [1]. 20 years ago Mark Weiser described in his meanwhile famous paper the vision of ubiquitous computing [2]. At this time the technological progress was not mature enough to implement this vision. Today s mobile devices provide sensors, allow processing of various kinds of information and dispose of different communication capabilities. Perhaps the most prominent information source is location information which enables the development of diverse applications that can be subsumed as location-based services (LBS) and applications. But LBS do not rely on location information only. Various definitions explaining what LBS are or should be such as those by ISO [9] Service whose return or other property is dependent on the location of the client requesting the service or of some other thing, object or person or Adusei et a. [2] who state more specifically Location Based Services are business and customer services that give users a set of services starting from the geographic location of the client. Amongst these and other definitions Küpper alludes in [3] that the term location-based service has no common definition or terminology. Rather the term itself is often used non-uniformly as location-aware service, location-related service or location service. In this paper we use the widely used term location-based service short LBS. Meanwhile numerous different kinds of applications that make use of location information exist. A classification of LBS allows for example the distinction between position-aware and locationtracking applications. This distinction is primarily based on the role of the requester of the location. Whereas in the first case the requester receives at the same time location information, tracking services allow location information to be collected and processed by external third-party applications and thus on behalf of the user. Position and location-tracking applications are also often referred as self and cross referencing LBS. Especially in case of tracking services the exchange, use and processing of sensitive information, in particular that of the location information, bears risks. Unfortunately, with the widespread use of LBS and applications people's whereabouts also bear potential for an unprecedented raise of misuse and crime. Privacy has thus become an important good and is crucial for the success or failure of many different existing and future services and applications.

3 As a result of this development there is a strong need for privacy protection. One of the most important prerequisites that are needed for the realization of controlled and restricted access to location information is an adequate legal system. The first data protection law in the world was initiated in Germany Hessen, Federal Republic of Germany, 1970 [11] and was the initiative for a number of data protection laws such as those in Sweden in 1974 [3]. Negotiations between European member states about the processing of data and privacy led to the Directive 2002/58/EC (2002) [6] (EU Directive on Privacy). The implementation of standards results in jurisdiction software systems, which is a complex matter since privacy regulations may vary over time. As a result, systems should provide users information about other 3 rd party provider's who receive data and for what purpose, data usage and the time span the location data is used. The data owner should have sole control over her data even if it is processed in different countries. For that case the directive defines the transitive closure which prohibits data export to countries which do not provide equal data protection guidelines or provisions of special contracts. Fischer-Hübner states in [20] that from an international and global information society the EU Directives do not provide sufficient privacy protection. Fortunately, the number of EU member states and the number of countries that are still outside the EU adopting their laws to comply with the EU Directives grows. Recent discussions related to the implementation of the EU Data Retention Directive [7] show how important the issue of data collection in the telecommunication sector has become. 2. The Importance of Trust Trust plays an important role for the success of mobile applications and LBS and it is important to mention that not only the location information but more importantly the user's identity has to be protected. As a result, knowledge about some position information gains much more value if it can be related to identified entities. There are at least three threats that may occur if there are no means implemented for location privacy protection [14]: Location-based spam, personal wellbeing and safety and intrusive inferences. The only way to completely avoid misuse is to entirely avoid sending location information, that is, to neglect such services et all. Since this is not an adequate option, it is important to develop means that allow all participants to trust each other. Thus, trust is the key to the realization of mobile applications that exchange sensitive information. The goal of all efforts that are put into the implementation of privacy means must be the establishment and maintenance of the various existing trust relations. In [15] M. F. Mokbel distinguishes three paradigms that are important to consider for the realization of trust. The minimal information sharing paradigm, the untrusted third party paradigm and the trusted third party paradigm. The first paradigm was the result of database research by R. Agrawal [18] and stems from need of revealing not more information among databases than needed. The untrusted third party paradigm was proposed by F. Emerkei et al. [8] and is a hash based peer-topeer system. It allows the selection of third parties to take over the part of communication for the privacy preserving queries which are executed over multiple provider's data. Finally, the trusted third party paradigm provides one or several servers as intermediary between the users and the service providers. This paradigm is perhaps the most commonly used one. Examples like Tor [19] and PayPal 1 are diverse in their application but follow the same paradigm. 1 PayPal URL: (last viewed 11. Jan. 2010)

4 2.1 The Protection of Identities in LBS There are four approaches which aim at protecting the user's identity while uploading location information to LBS [14]: The first one suggests the use of false dummies and is very simple since users do not send only one location at a time but several different locations as part of one location update message. On the one hand, this strategy hides the user's true location but on the other hand this also generates more data traffic. Another similar approach that also generates more traffic as a side effect is the use of dummy users. Further research by Beresford and Stajano [4] conclude, that especially in the pervasive computing environment the use of dummy users is difficult because it requires dummy users to fulfill also complex tasks. Landmark objects are used by the Confab system that is proposed by Hong et al. [139]. This system uses a location scheme that does not operate on precise location information but on nearby objects or landmarks. Location perturbation uses blurred but not exact location information. This can be realized by using spatio-temporal cloaking techniques where only the spatial region instead of the exact position is sent or obfuscation of location information [45]. Here, concepts like k-anonymity [13] or graph models can be used. This approach avoids location tracking since the actual location information is hidden as long as the user is provided within a certain area. 2.2 Major Research Directions The three major research directions that aim to protect location information are: Location blurring, cloaking or obfuscation means to lower the spatial and temporal resolution of location data in order to raise the user's privacy. Not revealing the precise location information exacerbates data mining efforts with the aim at revealing the individual's identity. Furthermore, it is flexible, complies with legal requirements and obligations set up by some policy infrastructure and if needed allows to disclose of the identity of individuals which enables authentication and personalization. Regulatory strategies include the use of privacy policies require trust in some 3 rd party and results in considerable information infrastructure overheads [13]. Anonymity and pseudonymity are also possible means to achieve location privacy but cannot provide a complete answer to privacy concerns [13]. One reason is that it may be a barrier to authentication and personalization. Furthermore, it may be vulnerable to data mining offenses. J. Krumm shows in [10] that given enough anonymous tracks it is possible to identify a significant number of persons. The use of permanent pseudonyms as identifier abstraction allows for easy identification. But, permanent pseudonyms also allow for easy de-anonymization and identity theft [5]. The proposed pseudonym generation allows for generation of non-permanent pseudonyms which prevent from generation of the pseudonym needed for the next service even if a huge amount of used pseudonyms was collected. Thus, the communication between different entities cannot be linked, nor is it possible to identify the respective identities. The following section discusses this scheme and the system architecture that is used for the realization of LBS that make use of the pseudonym generation scheme. 3. Proposed Service Architecture and Privacy Protection Scheme The system architecture depicted in figure 1. shows the core components and services and the security and trust relations between users and the different entities of the systems. Basically three core components can be distinguished that is the user, the Application Service Provider (ASP) and

5 the Network Operator (NO) with its services. Both, the ASP and the user entity implement a service called Privacy Agent that communicate with the NO s Privacy Service. These services are responsible for the generation and administration of pseudonyms. The depicted communication links between the Privacy Agents and the Privacy Service also reflect the trust relations. The missing relation between the user s Privacy Agent and the ASPs Privacy Agent indicates that no trust relation between these entities exist. The NO offers different services such as the Subscription, Message and Location Service. Users and ASPs may use these services. They send pseudonyms as part of their requests for identification. Depending on which service the user or the ASP calls, the NOs Privacy Service translates each pseudonym into the respective identity. For example, if a user requests some location information it sends a pseudonym as part of the location request to the ASP, which forwards the request to the NOs Location Service. Upon receipt the NOs Privacy Service translates the received pseudonym into the respective identity (e.g. the MSISDN (Mobile Subscriber Integrated Services Digital Network Number)) whereupon the Location Service queries the mobile network for the actual position of this number. The location information is now returned to the ASP that may generate some added value such as maps, routes and other information. Since pseudonyms change for each request, the location information cannot be assigned to the corresponding identity. In case of tracking applications the NO s location service sends asynchronous location updates to the application. Even then it is not possible to re-identify neither the requester nor the one whose location is requested. However, without additional methods such as location blurring, cloaking or obfuscation it is still possible that malicious ASP s may re-identify some users [8]. Figure 1: Proposed System Architecture [16] 3.1 The Pseudonym Generation Scheme The proposed pseudonym generation scheme is based on HMAC [12] that is the underlying cryptographic function. The keyed hash function was designed for authentication purposes and requires two parameters. One parameter is reserved as input; the second one is a secret that is shared between two communication parties. Each single pseudonym, except the first one, is the result of an earlier calculation that in turn is based on the calculation of its respective successor pseudonym. As depicted in the equation above we denote the keyed cryptographic function as h k with input r. For the initialization of the pseudonym chain the initial shared secret k is the result of a proceeding Diffie-Hellman key exchange [21]. For the first pseudonym the initial input value r is a parameter of this key exchange.

6 3.2 Security Considerations The security of hash functions mainly relies on the following requirements [2]: Pre-image Resistance: given a secure hash function h(x)=y it is impossible to find x for the given hash value y. Second Pre-image Resistance: it is computationally impossible to find two different values x 1, x 2 such that h(x 1 )=h(x 2 ). Collision Resistance: it is computationally infeasible to find a pair x 1 and x 2 such that h(x 1 )=h(x 2 ). The security of HMAC relies on the security of the respective underlying hash function. Given a keyed hash function y=h k (r) an attacker would be able to calculate the output y without knowledge of the secret key by either finding a collision of the underlying hash function or by finding the output of the compression function with a random and secret initial value. The use of modern hash functions such as SHA-2 protects against such attacks. But even known collisions of other underlying hash functions do not show any significant implication on the security of the HMAC scheme which. As a result, the proposed solution that is based on HMAC is secure. 4. Application Fields Meanwhile many mobile applications make use of location information. Especially in case of commercial and large scale applications privacy protection is obligatory. We developed a transport ticket application that allows use of proposed pseudonyms. Alike the paper based version, the digital transport ticket allows users to buy various kinds of transportation tickets. Furthermore, the digital ticket provides some distinctive features such as the integration of location information. Tickets that process also location information allow for route-based charging. This enables providers to offer tickets that are better tailored to the user s needs and offer additional features that are even not possible with paper based tickets but at the same reduce costs. The use of pseudonyms provides further advantages such as the usage of LBS across different NOs domains. Different ASPs with contractual relationships to one or more local NOs may now receive and process location information of users that are even outside the local NO s domain and/or in a different geographic area. This is realized through a virtual identity domain where assertions are passed between different NO s. The system architecture is basically the same as depicted in figure 1. The virtual identity domain is realized by additional interfaces that allow Location and Privacy Services of different NOs to communicate with each other. O. Jorns et al. provides in [17] further details about the virtual identity domain and the communication protocol. 5. Conclusions Meanwhile location-based services are widely deployed and very popular. As these applications mainly rely on the user s location information the implementation of proper means that allow for the protection of sensitive information becomes a necessity. Another important aspect is the integration of internet technologies with services provided by network operators such as location, presence or messaging services. The proposed pseudonym generation scheme is an integral part of this system architecture. It combines different technologies, enables 3 rd party application providers to request and process location information and enables trust relations. This enables the development of different kinds of position-aware and location-tracking applications. As an example we demonstrated a transport ticket application that extends the paper-based tickets by adding location information. Furthermore, the proposed pseudonym mechanism can be applied for the realization of applications that exchange sensitive information even across different NO s domains.

7 References [1] Adam Warren (2002): Right to privacy? The protection of personal data in UK public organisations. In New Library World, pages [2] A.J. Menezes, P.C. Van Oorschot, S.A. Vanstone (1997): Handbook of applied cryptography. The CRC Press series on discrete mathematics and its applications. CRC Press, 2000 N.W. Corporate Blvd., Boca Raton, FL [3] Albrecht Schmidt, Michael Beigl, and Hans-W. Gellersen (1999): There is more to Context than Location. Computers and Graphics, 23(6): [4] A. R. Beresford and F. Stajano (2003): Location Privacy in Pervasive Computing. In IEEE Pervasive Computing, Volume 2, pages [5] Axel Küpper (2005). Location-based Services Fundamentals and Operation. John Wiley and Sons [6] Directive 2002/58/EC (2002): Directive 2002/58/EC of the European Parliament and of the Council concering the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). In Official Journal of the European Communities L 201/37 [7] Directive 2006/24/EC (2006): Directive 2006/24/EC of the European Parliament and on the Retention of Data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. In Official Journal of the European Communities [8] Fatih Emekci, Divyakant Agrawal, Amr El Abbadi, and Aziz Gulbeden (2006): Privacy Preserving Query Processing using Third Parties. In Proceedings of the 22nd International Conference on Data Engineering [9] ISO 19133:2005 (2005): Geographic information Location-based services Tracking and Navigation [10] John Krumm (2007). A Survey of Computational Location Privacy. In 5th International Workshop on Privacy in UbiComp (UbiPriv 07), pages Springer [11] Land Hessen Federal Republic of Germany (1970): Data Protection Act of 7. October 1970 [12] M. Bellare, R Canetti, and H. Krawczky (1996): Message Authentication using Hash Functions - The HMAC Construction. In RSA Labratories CryptoBytes, Volume 2 [13] Marco Gruteser and Dirk Grunwald (2003): Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. In International Conference on Mobile Systems, Applications and Services. ACM Press [14] Matt Duckham and Lars Kulik (2005): A Formal Model of Obfuscation and Negotiation for Location Privacy. In Pervasive Computing, Third International Conference, PERVASIVE 2005, pages Springer, Lecture Notes in Computer Science [15] Mohamed F. Mokbel (2006): Towards Privacy-Aware Location-Based Database Servers. In Second International Workshop on Privacy Data Management (PDM 2006) [16] O. Jorns (2009): Privacy in Location-Based Services. PhD Thesis, University of Vienna [17] O. Jorns, G. Quichmayr, and O. Jung (2007): A Privacy Enhancing Mechanism based on Pseudonyms for Identity Protection in Location-Based Services. In Australasian Information Security Workshop (Privacy Enhancing Technologies) AISW-PET2007 at the Australasian Computer Science Conference in Ballerat, Victoria, Australia [18] Rakesh Agrawal, Alexandre Evfimiesvski, and Ramakrishnan Srikant (2004): Information Sharing Across Private Databases. In Proceedings of the ACM International Conference on Management of Data, SIGMOD03 [19] Roger Dingledine, Nick Mathewson, and Paul Syverson (2004): Tor: The second-generation onion router. In August, editor, Proceedings of the 13th USENIX Security Symposium [20] Simone Fischer-Hübner (2001): IT-Security and Privacy. LNCS Springer-Verlag Berlin Heidelberg [21] W. Diffie and M. E. Hellman (1976): New Directions in Cryptography. In IEEE Trans. Inform. Theory IT-22, Volume 22(6), pages