Offline Approaches for Preserving Privacy of Trajectories on the Road Networks

Rubina Shahin Zuberi
Department of Electronics and Communications, Jamia Millia Islamia, New Delhi
E-mail: rshahinz@gmail.com

Abstract

The new communication and knowledge transaction systems are opening new endeavours at a fast pace. As a consequence the flow of information, rather than its storage in databases, is increasing without bound. Location Based Services (LBS) and Radio Frequency Identification devices (RFIDs) are among the mainstream systems carrying this flow today. They are, however, limited by some hindering factors at the user's end, the most important being the revelation of the user's information, which at times affects the privacy they deserve. The attack on their privacy could be real time, in continuous LBS, or offline, if the data collected by these systems is analysed. Such offline analysis must be done on privacy-protected trajectories of moving objects, hence the name trajectory privacy. This paper discusses various methods already employed and the possibilities for further progress, restricting ourselves to road networks only.

Keywords: k-anonymity, Location Based Services (LBS), Radio Frequency Identification devices (RFIDs), R-tree.

I. INTRODUCTION

The advent of Location Based Services (LBS), especially in wireless communication systems, has raised a growing concern among users about their privacy. For every location based query the user has to reveal his location co-ordinates (through technologies like the Global Positioning System); if this information could be revealed to anybody it becomes a privacy breach. Location services (LS) such as Yahoo! Fire Eagle, Google Latitude, InstaMapper and Trace4You, which store the positions of mobile users, have become an important prerequisite for many advanced location-based applications (LBA). In particular, LS are beneficial if various LBAs have to be provided with the position of the mobile user.
For instance, the position of a user could be accessed by several social networks like Facebook and Gowalla, a friend alert service, a location-based advertising service, a traffic congestion service, etc. Provision of privacy in these systems could be either online (real time) or offline. Moreover, in the present scenario we have more moving users than stationary ones for LBS or LBAs. Hence the privacy domain shifts more towards continuous LBS (online) or trajectories (offline) rather than simple location privacy. Suppose an adversary knows that a patient visited (1, 5) and (8, 10) at timestamps 2 and 5, respectively. It can then be adjudged that this patient has HIV.

Table 1: Trajectory chart of the patient.

II. DEVELOPMENT OF TRAJECTORY PRIVACY

A. Location Privacy

In Location Based Services the location of the moving object is the primary feature, so providing privacy for this feature becomes the primary privacy need. There are numerous location privacy protection techniques, but k-anonymity, which was originally used for data privacy protection [13] (see Table 1), became the most popular. The queries and their responses vary, and hence so do the k-anonymity algorithms. When the user is moving and issuing a location based query, the time taken to answer the query should be low enough for the answer to be useful to the user. A request from a single location pertains to location k-anonymity techniques. Introducing k-anonymity into the system while taking only the single location of the requester into consideration can simply be called location
anonymisation. In the beginning of research on privacy protection in LBS only location k-anonymity was considered in almost all the reported works [14,15,16,17].

B. Trajectory Privacy

A continuous query, or a request pertaining to a set of location points (where the user is assumed to be moving), is called trajectory k-anonymity, and when the previous locations of the user are also considered in the anonymization process, historical k-anonymity comes into the picture. Preserving the privacy of this set of user locations becomes more important because of the correlation between subsequent location points, which persists even after k-anonymisation. Moreover, data analysis and publication, or even the use of trajectory data by administrative or research agencies, pose a serious threat to the privacy of the user [13]. Hence preserving the privacy of the trajectory protects the user in a big way.

Fig 1. The incomplete pyramid made by Quad-tree partitioning used by The New Casper. The shaded area shows the presence of the user.

Fig 2. A (2, r) anonymity set formed by two co-localized trajectories; their uncertainty volumes with radius r and the central uncertainty volume, which contains both trajectories, with radius r/2.

Fig 3. Example of sensitive (r1), unreachable (r2), and non-sensitive (r3) regions.

III. TECHNIQUES FOR TRAJECTORY PRIVACY

Apart from extending some of the location privacy models to trajectory privacy [9,12], there are many trajectory privacy specific techniques: the use of dummy trajectories in k-anonymisation, the mixed zone concept, path confusion, the use of the uncertainty of the trajectory, etc. [18]. Some researchers have also incorporated the information of the map prior to anonymisation [19].

Casper and its modification, the New Casper, are amongst the popular grid-based techniques for location k-anonymity. In Casper the entire area is organized in a pyramid data structure of grid layers, similar to a Quad-tree (Fig 1). In quad-tree partitioning the area is partitioned into equal quadrants. The algorithm locates the grid cell of the user, checks whether this cell satisfies the required area and k, and recursively adds adjacent grid cells until it finds the required minimum area and k.

Fig 4. (a) Basic map: roads and squares; (b) Binary representation of the map knowledge.

In order to process continuous LBS requests, there are two main approaches: (a) an LBS request is submitted repeatedly for each time instance until it expires, thus requiring continuous evaluation of the results, and (b) the query result is computed only once, if information on the future trajectory is provided. The first approach suffers from the drawback of sampling (if the sampling rate is too low the results will be incorrect), hence there is no guarantee about the query results. Chow and Mokbel [20] designed an algorithm for continuous queries which achieves these goals: (a) it distinguishes between location privacy and query privacy, (b) it employs the k-sharing region and memorization properties, and (c) it supports continuous location-based queries. Although they brought about the concept of continuous queries, they were more
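The cloaking step just described can be made concrete. The following Python script is an added example written for this survey, not the Casper or New Casper code: it treats a square region of side `side` split `depth` times into quadrants as the pyramid of grid layers, finds the finest cell holding the requester, and climbs the pyramid, first trying a merge with a sibling cell, until the region holds at least k users and covers at least a_min area. The user positions, the values of `side` and `depth`, and all function names are constructed for illustration.

```python
# Added example, not the Casper / New Casper implementation: a simplified
# pyramid-of-grids cloaking step. The square region is split into equal
# quadrants at each level (a quad-tree); starting from the finest cell that
# holds the requester, we return the first region that holds at least k users
# and covers at least a_min area, first trying a merge with a sibling cell
# before climbing to the parent quadrant.

def cell_at(level, x, y, side):
    """Index (level, i, j) of the grid cell containing (x, y) at `level`;
    level L has 2**L cells per side, so level 0 is the whole region."""
    n = 2 ** level
    size = side / n
    i = min(int(x // size), n - 1)
    j = min(int(y // size), n - 1)
    return (level, i, j)

def cell_bounds(cell, side):
    """Rectangle (x0, y0, x1, y1) covered by a grid cell."""
    level, i, j = cell
    size = side / (2 ** level)
    return (i * size, j * size, (i + 1) * size, (j + 1) * size)

def count_in(bounds, users):
    """Number of user positions inside a rectangle (lower edges inclusive)."""
    x0, y0, x1, y1 = bounds
    return sum(1 for (x, y) in users if x0 <= x < x1 and y0 <= y < y1)

def area(bounds):
    x0, y0, x1, y1 = bounds
    return (x1 - x0) * (y1 - y0)

def satisfies(bounds, users, k, a_min):
    """The requester's privacy profile: at least k users and at least a_min area."""
    return count_in(bounds, users) >= k and area(bounds) >= a_min

def cloak(user, users, k, a_min, side=16.0, depth=4):
    """Cloaked rectangle reported to the LBS instead of `user`'s exact position.
    `users` holds the positions of all currently registered users (including
    the requester); k and a_min form the requester's privacy profile."""
    level, i, j = cell_at(depth, user[0], user[1], side)
    while level >= 0:
        me = cell_bounds((level, i, j), side)
        if satisfies(me, users, k, a_min):
            return me
        # Try the horizontal, then the vertical, sibling inside the same parent
        n = 2 ** level
        for di, dj in ((1 if i % 2 == 0 else -1, 0), (0, 1 if j % 2 == 0 else -1)):
            ni, nj = i + di, j + dj
            if 0 <= ni < n and 0 <= nj < n:
                nb = cell_bounds((level, ni, nj), side)
                merged = (min(me[0], nb[0]), min(me[1], nb[1]),
                          max(me[2], nb[2]), max(me[3], nb[3]))
                if satisfies(merged, users, k, a_min):
                    return merged
        # Climb one level: the parent quadrant of the quad-tree
        level, i, j = level - 1, i // 2, j // 2
    return (0.0, 0.0, side, side)  # whole region: nothing smaller satisfied the profile

# Constructed positions (not real data) in a 16 x 16 region with a 4-level
# pyramid, so the finest cells are 1 x 1.
USERS = [(3.5, 3.5), (3.2, 3.8), (2.5, 3.5), (5.5, 5.5), (10.0, 10.0), (1.0, 14.0)]

if __name__ == "__main__":
    print(cloak((3.5, 3.5), USERS, k=3, a_min=2.0))  # a sibling merge suffices
    print(cloak((3.5, 3.5), USERS, k=4, a_min=2.0))  # has to climb to an 8 x 8 quadrant
```

Running it shows a 2 x 1 merged cell for k = 3 and an 8 x 8 quadrant for k = 4: the cloaked area, and with it the cost of answering the query, grows with the privacy requirement, which is the trade-off every grid-based cloaking scheme has to manage.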
focused on query privacy when location information is available. Tao et al. [21] were the first to consider the possibility of continuous queries. They addressed the problem of finding nearest neighbors (NN) continuously along a traversed segment or trajectory. The search for k-NN for a moving point also became a subject of interest for the database community.

Based on the provision of future trajectories by the user, there are some approaches which anonymise the trajectories. Shin et al. [22] showed that the longer the adversary can track the user's trajectory, the stronger the possibility that the user's sensitive information is revealed. They proposed partitioning the trajectory and dividing the continuous requests too. The maximum number of splits of the trajectory is given as input and the algorithm simply has to find the best split time points. Song et al. [23] provided a nearest neighbor (NN) search algorithm for moving users which uses R-tree like structures storing historical information; hence this paper gave a possible attack scenario for trajectory k-anonymity. Bettini et al. [24] gave an algorithm which tracks the visited user locations in a particular area, giving a sequence of spatiotemporal patterns. Each pattern involves an area and a time span, and they act as a pseudo-identifier for a particular user. Although this work did not present any results, the new perspective it proposed was utilized in some later works. They assigned sequences of spatiotemporal patterns to each user and, in addition, devised a generalization algorithm and an unlinking algorithm. The results shown in this paper prove it to be an effective privacy protecting algorithm.

Fig 5. Obfuscated regions on the grid map.

These approaches to anonymisation of continuous/moving user location data, which utilize the previously/frequently used locations of the user, form another category of k-anonymity, called historical k-anonymity.
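The attack scenario from the introduction (Table 1: two known location-timestamp pairs singling out a patient) and the pseudo-identifier view of Bettini et al. can be checked with a small re-identification test. The following Python script is an added example, not code from this paper or from any of the cited works; the published trajectory table, the diagnoses, and the 4 x 4 grid generalisation are constructed for illustration. It counts the published records consistent with the adversary's observations, first on exact locations and then after every location has been generalised to its grid cell.

```python
# Added example (not from the paper): how two known (location, timestamp)
# observations can single out one record in a published trajectory table,
# and how generalising locations to grid cells restores several candidates.
from collections import Counter

# Constructed sample: one published trajectory per patient, each a list of
# (timestamp, (x, y)) points plus a sensitive attribute. Values are made up.
PUBLISHED = [
    {"id": "p1", "points": [(1, (0, 4)), (2, (1, 5)), (5, (8, 10))], "diagnosis": "HIV"},
    {"id": "p2", "points": [(2, (1, 7)), (5, (9, 9))],               "diagnosis": "flu"},
    {"id": "p3", "points": [(2, (3, 5)), (4, (5, 5)), (5, (8, 11))], "diagnosis": "asthma"},
    {"id": "p4", "points": [(2, (1, 5)), (5, (2, 2))],               "diagnosis": "flu"},
]

# Adversary background knowledge as in the paper's scenario: the target was
# at (1, 5) at timestamp 2 and at (8, 10) at timestamp 5.
KNOWLEDGE = [(2, (1, 5)), (5, (8, 10))]

def to_cell(point, cell_size):
    """Generalise an exact coordinate to the grid cell that contains it."""
    x, y = point
    return (x // cell_size, y // cell_size)

def generalise(table, cell_size):
    """Copy of the table with every location replaced by its grid cell."""
    return [{
        "id": rec["id"],
        "points": [(t, to_cell(p, cell_size)) for t, p in rec["points"]],
        "diagnosis": rec["diagnosis"],
    } for rec in table]

def candidates(table, knowledge, cell_size=None):
    """Records consistent with every observation the adversary holds.
    With cell_size set, the observations are generalised the same way as the
    table, i.e. the adversary can only learn which cell the target was in."""
    want = [(t, to_cell(p, cell_size) if cell_size else p) for t, p in knowledge]
    matches = []
    for rec in table:
        seen = dict(rec["points"])  # timestamp -> location
        if all(seen.get(t) == loc for t, loc in want):
            matches.append(rec)
    return matches

def sensitive_values(matches):
    """Distribution of the sensitive attribute among the candidate records.
    A single candidate, or candidates that all share one value, means the
    adversary learns the diagnosis with certainty."""
    return Counter(rec["diagnosis"] for rec in matches)

if __name__ == "__main__":
    raw = candidates(PUBLISHED, KNOWLEDGE)
    print("exact locations:", [r["id"] for r in raw], sensitive_values(raw))
    k4 = candidates(generalise(PUBLISHED, 4), KNOWLEDGE, cell_size=4)
    print("4x4 grid cells:", [r["id"] for r in k4], sensitive_values(k4))
```

On the exact table the two observations match exactly one record and its diagnosis; after generalisation three records match and carry three different diagnoses. The second property matters as much as the first: a k-anonymous group whose members all share the same sensitive value still discloses it, which is why the correlation between successive points discussed in Section II.B has to be considered over the whole trajectory and not per location.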
Gkoulalas et al. [25] proposed an approach which identifies and stores the frequently used routes of a user. It then finds those among these saved routes which are rarely followed by other users and terms these routes unsafe. These unsafe routes are then utilized in a grid based free terrain solution to provide k-anonymity while requesting LBS. Gkoulalas et al. [26] extended this idea to online user requests to provide trajectory k-anonymity by partitioning the user's path. Abul et al. [18] in their work assumed the user movement to be not a trajectory but a cylindrical volume, which captures the uncertainty of the exact path of the user; anonymization is achieved when there is more than one user in the same cylindrical path (Fig 2). The (2, r) anonymity can be extended to (k, r) anonymity, and the obfuscated central trajectory can be returned as the anonymized trajectory in this system.

IV. WHY ROAD NETWORKS SEPARATELY

A. Capturing Location Information

Although geographic information systems have made it very easy to identify locations through GPS when the moving object (MO) is outdoors, indoors they have to rely on other location finding techniques which are not that reliable. So, if we consider only the outdoor privacy of the MO, it solves the main privacy issues of the user. Later on we can consider indoor privacy, and we can very well combine both types to achieve complete privacy protection.

B. The background information of the map

If the map of the road network is considered in the algorithm, it eradicates attacks using map information. This is a quite important and easy attack, as the map is easy for an attacker to obtain.

V. CONCLUSION

Trajectory privacy techniques are the convergence of the main privacy domains for Location Based Services. A lot remains to be done in this field, such as the proper use of uncertainty, which can be combined with dummies to provide proper k-anonymity. A binary threshold map as background information is also a vital suggestion towards privacy protection.
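The (k, r) anonymity set of Fig 2, on which the uncertainty-based approach of Abul et al. [18] and the conclusion's remark on combining uncertainty with k-anonymity rest, can be checked mechanically. The following Python script is an added example and not the algorithm of Abul et al.: it takes trajectories sampled at common timestamps, computes the central trajectory as the per-timestamp centroid, and accepts a set as (k, r)-anonymous when it has at least k members all lying within r/2 of that centre, which for two members is exactly the co-localization within r shown in Fig 2. The greedy grouping, the sample trajectories, and the function names are constructed for illustration.

```python
# Added example, not the code of Abul et al.: testing whether a set of
# trajectories sampled at common timestamps forms a (k, r) anonymity set in
# the cylindrical-uncertainty sense, and producing the central trajectory
# that would be published in place of its members.
import math

def central_trajectory(trajs):
    """Per-timestamp centroid of the member trajectories.
    Each trajectory is a list of (timestamp, (x, y)); all members must share
    the same timestamps (this simplified version checks, it does not interpolate)."""
    ts = [t for t, _ in next(iter(trajs.values()))]
    for pts in trajs.values():
        if [t for t, _ in pts] != ts:
            raise ValueError("trajectories must be sampled at the same timestamps")
    centre = []
    for idx, t in enumerate(ts):
        xs = [pts[idx][1][0] for pts in trajs.values()]
        ys = [pts[idx][1][1] for pts in trajs.values()]
        centre.append((t, (sum(xs) / len(xs), sum(ys) / len(ys))))
    return centre

def max_deviation(trajs, centre):
    """Largest distance between any member sample and the centre at the same timestamp."""
    return max(math.dist(p, c)
               for pts in trajs.values()
               for (_, p), (_, c) in zip(pts, centre))

def is_k_r_anonymous(trajs, k, r):
    """At least k members, all inside the central uncertainty volume of radius r/2
    (for two members this is the same as the pair being within r of each other)."""
    return len(trajs) >= k and max_deviation(trajs, central_trajectory(trajs)) <= r / 2

def anonymize(trajs, k, r):
    """Greedy grouping (constructed for illustration, not the paper's algorithm):
    grow a group while it stays inside radius r/2 of its own centre; publish
    groups of size >= k as their central trajectory and suppress the rest."""
    published, suppressed = [], []
    remaining = dict(trajs)
    while remaining:
        seed = next(iter(remaining))
        group = {seed: remaining.pop(seed)}
        for name in list(remaining):
            trial = {**group, name: remaining[name]}
            if max_deviation(trial, central_trajectory(trial)) <= r / 2:
                group[name] = remaining.pop(name)
        if len(group) >= k:
            published.append(central_trajectory(group))
        else:
            suppressed.extend(group)
    return published, suppressed

# Constructed sample trajectories (not real data): three sampled close
# together and one far away.
TRAJ = {
    "a": [(0, (0.0, 0.0)), (1, (1.0, 0.0)), (2, (2.0, 0.5))],
    "b": [(0, (0.4, 0.3)), (1, (1.2, 0.4)), (2, (2.3, 0.1))],
    "c": [(0, (0.2, 0.4)), (1, (1.1, 0.2)), (2, (2.1, 0.3))],
    "d": [(0, (5.0, 5.0)), (1, (6.0, 5.0)), (2, (7.0, 5.0))],
}

if __name__ == "__main__":
    pub, sup = anonymize(TRAJ, k=3, r=1.0)
    print("published central trajectories:", pub)
    print("suppressed:", sup)
```

With k = 3 and r = 1.0 the three nearby trajectories are released as one central trajectory and the isolated one is suppressed; tightening r to 0.6 rejects even that group, which is the uncertainty/utility trade-off the conclusion refers to. Suppression of lone trajectories is the defensive default here: a member published on its own would be exactly the trajectory the adversary could track.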
VI. REFERENCES

[1] A. Gkoulalas-Divanis, V. S. Verykios and P. Bozanis, "A network aware privacy model for online requests in trajectory data," Data & Knowledge Engineering, pp. 431-452, 2009.
[2] A. Gkoulalas-Divanis and V. S. Verykios, "A privacy-aware trajectory tracking query engine," ACM SIGKDD Explorations Newsletter, 10(1):40-49, 2008.
[3] N. Pelekis, E. Frentzos, N. Giatrakos and Y. Theodoridis, "HERMES: aggregative LBS via a trajectory DB engine," in Proceedings of the 2008 ACM SIGMOD International Conference on Management of Data, pp. 1255-1258, ACM, 2008.
[4] N. Pelekis, A. Gkoulalas-Divanis, M. Vodas, D. Kopanaki and Y. Theodoridis, "Privacy-aware querying over sensitive trajectory data," in Proceedings of the 20th ACM International Conference on Information and Knowledge Management, pp. 895-904, ACM, 2011.
[5] T. N. Phan, T. K. Dang and J. Küng, "User Privacy Protection from Trajectory Perspective in Location-Based Applications," in Proceedings of the 19th Interdisciplinary Information Management Talks, Jindřichův Hradec, Czech Republic, pp. 281-288, 2011.
[6] N. Pelekis, A. Gkoulalas-Divanis, M. Vodas, A. Plemenos, D. Kopanaki and Y. Theodoridis, "Private-HERMES: a benchmark framework for privacy-preserving mobility data querying and mining methods," in Proceedings of the 15th International Conference on Extending Database Technology, pp. 598-601, ACM, 2012.
[7] L. Leonardi, G. Marketos, E. Frentzos, N. Giatrakos, S. Orlando, N. Pelekis, A. Raffaetà, A. Roncato, C. Silvestri and Y. Theodoridis, "T-Warehouse: Visual OLAP analysis on trajectory data," in Proceedings of the IEEE 26th International Conference on Data Engineering (ICDE), pp. 1141-1144, IEEE, 2010.
[8] A. Gkoulalas-Divanis and V. S. Verykios, "A network aware privacy model for online requests in trajectory data," Data & Knowledge Engineering, pp. 431-452, 2009.
[9] M. F. Mokbel, C.-Y. Chow and W. G. Aref, "The New Casper: A privacy-aware location-based database server," in Proceedings of the IEEE 23rd International Conference on Data Engineering (ICDE), pp. 1499-1500, IEEE, 2007.
[10] M. E. Nergiz, M. Atzori, Y. Saygin and B. Güç, "Towards trajectory anonymization: A generalization based approach," Transactions on Data Privacy.
[11] M. F. Mokbel, C.-Y. Chow and W. G. Aref, "The New Casper: Query processing for location services without compromising privacy," in Proceedings of the International Conference on Very Large Data Bases, 2006.
[12] C.-Y. Chow, M. F. Mokbel and W. G. Aref, "Casper*: Query processing for location services without compromising privacy," ACM Transactions on Database Systems, 34(4):24:1-24:48, 2009.
[13] C.-Y. Chow and M. F. Mokbel, "Trajectory privacy in location-based services and data publication," ACM SIGKDD Explorations Newsletter, 13(1):19-29, 2011.
[14] Y. Tao, D. Papadias and Q. Shen, "Continuous nearest neighbor search," in Proceedings of Very Large Data Bases, Hong Kong, pp. 287-298, 2002.
[15] M. Gruteser and D. Grunwald, "Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking," in Proceedings of the 1st International Conference on Mobile Systems, Applications and Services, pp. 31-42, 2003.
[16] Y. Tao, D. Papadias and J. Sun, "The TPR*-tree: an optimized spatio-temporal access method for predictive queries," in Proceedings of the 29th International Conference on Very Large Data Bases, vol. 29, pp. 790-801, 2003.
[17] G. Aggarwal, T. Feder, K. Kenthapadi, R. Motwani, R. Panigrahy, D. Thomas and A. Zhu, "Approximation algorithms for k-anonymity," in Proceedings of the 10th International Conference on Database Theory, 2005.
[18] O. Abul, F. Bonchi and M. Nanni, "Never walk alone: Uncertainty for anonymity in moving objects databases," in Proceedings of the IEEE International Conference on Data Engineering, 2008.
[19] P. Skvortsov, F. Dürr and K. Rothermel, "Map-aware position sharing for location privacy in non-trusted systems," in Pervasive Computing, pp. 388-405, Springer Berlin Heidelberg, 2012.
[20] C.-Y. Chow and M. F. Mokbel, "Enabling private continuous queries for revealed user locations," in Proceedings of the 10th International Symposium on Advances in Spatial and Temporal Databases, pp. 258-275, 2007.
[21] Y. Tao, D. Papadias and Q. Shen, "Continuous nearest neighbor search," in Proceedings of Very Large Data Bases, Hong Kong, pp. 287-298, 2002.
[22] H. Shin, J. Vaidya, V. Atluri and S. Choi, "Ensuring Privacy and Security for LBS through Trajectory Partitioning," in Eleventh International Conference on Mobile Data Management, IEEE Computer Society, pp. 224-226, 23-26 May 2010.
[23] Z. Song and N. Roussopoulos, "K-Nearest Neighbor Search for Moving Query Point," in Proceedings of the Symposium on Advances in Spatial and Temporal Databases, July 12-15, 2001, C. S. Jensen, M. Schneider, B. Seeger and V. J. Tsotras, Eds., Lecture Notes in Computer Science, vol. 2121, Springer-Verlag, London, pp. 79-96.
[24] C. Bettini, X. S. Wang and S. Jajodia, "Protecting privacy against location-based personal identification," in Proceedings of the 2nd VLDB Workshop on Secure Data Management, pp. 185-199, 2005.
[25] A. Gkoulalas-Divanis and V. S. Verykios, "A free terrain model for trajectory K-anonymity," in Proceedings of the 19th International Conference on Database and Expert Systems Applications, pp. 49-56, 2008.
[26] A. Gkoulalas-Divanis, V. S. Verykios and P. Bozanis, "A network aware privacy model for online requests in trajectory data," Data & Knowledge Engineering, pp. 431-452, 2009.