MTU CS 6461 - Location Privacy in Pervasive Computing
Location Privacy in Pervasive Computing

Alastair R. Beresford and Frank Stajano, University of Cambridge

PERVASIVE computing, January–March 2003, Security & Privacy section (pages 46–47 of the printed issue). Published by the IEEE CS and IEEE Communications Society. 1536-1268/03/$17.00 © 2003 IEEE.

As location-aware applications begin to track our movements in the name of convenience, how can we protect our privacy? This article introduces the mix zone—a new construction inspired by anonymous communication techniques—together with metrics for assessing user anonymity.

Many countries recognize privacy as a right and have attempted to codify it in law. The first known piece of privacy legislation was England’s 1361 Justices of the Peace Act, which legislated for the arrest of eavesdroppers and stalkers. The Fourth Amendment to the US Constitution proclaims citizens’ right to privacy, and in 1890 US Supreme Court Justice Louis Brandeis stated that “the right to be left alone” is one of the fundamental rights of a democracy.[1] The 1948 Universal Declaration of Human Rights[2] declares that everyone has a right to privacy at home, with family, and in correspondence. Other pieces of more recent legislation follow this principle. Although many people clearly consider their privacy a fundamental right, comparatively few can give a precise definition of the term. The Global Internet Liberty Campaign[3] has produced an extensive report that discusses personal privacy at length and identifies four broad categories: information privacy, bodily privacy, privacy of communications, and territorial privacy.

This article concentrates on location privacy, a particular type of information privacy that we define as the ability to prevent other parties from learning one’s current or past location. Until recently, the very concept of location privacy was unknown: people did not usually have access to reliable and timely information about the exact location of others, and therefore most people could see no privacy implications in revealing their location, except in special circumstances. With pervasive computing, though, the scale of the problem changes completely. You probably do not care if someone finds out where you were yesterday at 4:30 p.m., but if this someone could inspect the history of all your past movements, recorded every second with submeter accuracy, you might start to see things differently. A change of scale of several orders of magnitude is often qualitative as well as quantitative—a recurring problem in pervasive computing.[4]

We shall focus on the privacy aspects of using location information in pervasive computing applications. When location systems track users automatically on an ongoing basis, they generate an enormous amount of potentially sensitive information. Privacy of location information is about controlling access to this information. We do not necessarily want to stop all access—because some applications can use this information to provide useful services—but we want to be in control.

Some goals are clearly mutually exclusive and cannot be simultaneously satisfied: for example, wanting to keep our position secret and yet wanting colleagues to be able to locate us. Despite this, there is still a spectrum of useful combinations to be explored.

Our approach to this tension is a privacy-protecting framework based on frequently changing pseudonyms so users avoid being identified by the locations they visit. We further develop this framework by introducing the concept of mix zones and showing how to map the problem of location privacy onto that of anonymous communication. This gives us access to a growing body of theoretical tools from the information-hiding community. In this context, we describe two metrics that we have developed for measuring location privacy, one based on anonymity sets and the other based on entropy. Finally, we move from theory to practice by applying our methods to a corpus of more than three million location sample points obtained from the Active Bat installation at AT&T Labs Cambridge.[5]

Problem, threat model, and application framework

In the pervasive computing scenario, location-based applications track people’s movements so they can offer various useful services. Users who do not want such services can trivially maintain location privacy by refusing to be tracked—assuming they have the choice. This has always been the case for our Active Badge (see the “Related Work” sidebar) and Active Bat systems but might not be true for, say, a nationwide network of face-recognizing CCTV cameras—an Orwellian dystopia now dangerously close to reality. The more challenging problem we explore in this article is to develop techniques that let users benefit from location-based applications while at the same time retaining their location privacy.

To protect the privacy of our location information while taking advantage of location-aware services, we wish to hide our true identity from the applications receiving our location; at a very high level, this can be taken as a statement of our security policy.

Users of location-based services will not,

Related Work (sidebar; its reference numbers are separate from the main text’s)

The first wide-scale outdoor location system, GPS,[1] lets users calculate their own position, but the flow of information is unidirectional; because there is no back-channel from the GPS receiver to the satellites, the system cannot determine the user’s computed location, and does not even know whether anyone is accessing the service. At the level of raw sensing, GPS implicitly and automatically gives its users location privacy.

In contrast, the first indoor location system, the Active Badge,[2] detects the location of each user and broadcasts the information to everyone in the building. The system as originally deployed assumes anyone in the building is trustworthy; it therefore provides no mechanisms to limit the dissemination of individuals’ location information. Ian W. Jackson[3] modified the Active Badge system to address this issue. In his version, a badge does not reveal its identity to the sensor detecting its position but only to a trusted personal computer at the network edge. The system uses encrypted and anonymized communication, so observation of the traffic does not reveal which computer a given badge trusts. The badge’s owner can then use traditional access control methods to allow or disallow other entities to query the badge’s location. More recent location systems, such as Spirit[4] and QoSDream,[5] have provided applications with a middleware event model through which
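The two anonymity metrics the introduction names (anonymity set and entropy) worked through on a single mix zone, as an added example that is not the authors' code and uses no Active Bat data: the ingress/egress events, the dwell-time weighting used for the observer's probabilities, and the helper names are all constructed assumptions, while the entropy itself is plain Shannon entropy in bits.

```python
from math import log2

# Constructed ingress/egress events for one mix zone, not data from the
# paper's Active Bat corpus: (time_s, pseudonym, "in" or "out"). Users
# enter under one pseudonym and leave under a fresh one, so an observer
# cannot pair "in" and "out" pseudonyms directly.
EVENTS = [
    (0, "a1", "in"), (2, "b7", "in"), (3, "c4", "in"),
    (5, "x9", "out"), (30, "y2", "out"), (31, "z5", "out"),
]


def anonymity_set(events, t_exit):
    """Ingress pseudonyms present in the zone by t_exit: every one of
    them is a candidate for the pseudonym that leaves at t_exit."""
    return {p for t, p, kind in events if kind == "in" and t <= t_exit}


def ingress_probabilities(events, t_exit, typical_dwell):
    """Assumed observer model (not from the paper): the further a
    candidate's dwell time is from typical_dwell, the less likely it
    is to be the user leaving now. Weights are normalised to sum to 1."""
    entered = {p: t for t, p, kind in events if kind == "in" and t <= t_exit}
    weights = {p: 1.0 / (1.0 + abs((t_exit - t) - typical_dwell))
               for p, t in entered.items()}
    total = sum(weights.values())
    return {p: w / total for p, w in weights.items()}


def entropy_bits(probs):
    """Shannon entropy in bits of a probability distribution."""
    return -sum(p * log2(p) for p in probs if p > 0)


def anonymity_metrics(events, t_exit, typical_dwell=3):
    """Return (anonymity set size, ideal bits, observer entropy bits).
    Ideal bits is log2(size), reached only when every candidate is
    equally likely; the entropy metric shows how far below that an
    informed observer pushes the user's real anonymity."""
    aset = anonymity_set(events, t_exit)
    if not aset:
        return 0, 0.0, 0.0
    probs = ingress_probabilities(events, t_exit, typical_dwell)
    return len(aset), log2(len(aset)), entropy_bits(probs.values())


if __name__ == "__main__":
    for t_exit in (0, 5):
        size, ideal, actual = anonymity_metrics(EVENTS, t_exit)
        print(f"exit at t={t_exit}s: |set|={size}, "
              f"uniform={ideal:.2f} bits, observer={actual:.2f} bits")
```

The exit at t=0 shows the weakness of counting alone: a single user in the zone gives an anonymity set of size 1 and zero bits, and at t=5 the dwell-time model cuts the three-user set from log2(3) down to about 1.44 bits.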