A Survey of Computational Location Privacy - John Krumm


Personal and Ubiquitous Computing, 2008

John Krumm

A Survey of Computational Location Privacy

Abstract

This is a literature survey of computational location privacy, meaning computation-based privacy mechanisms that treat location data as geometric information. This definition includes privacy-preserving algorithms like anonymity and obfuscation as well as privacy-breaking algorithms that exploit the geometric nature of the data. The survey omits non-computational techniques like manually inspecting geotagged photos, and it omits techniques like encryption or access control that treat location data as general symbols. The paper reviews studies of people's attitudes about location privacy, computational threats on leaked location data, and computational countermeasures for mitigating these threats.

Keywords: Location · Privacy · Context

1 Introduction

John Krumm, Microsoft Research, Redmond, Washington, USA. E-mail: jckrumm@microsoft.com

The temptation to give away location data grows as location-based services become more compelling. With this growth comes concern about location privacy. What are the risks if location data leaks to an unscrupulous actor? How can we avoid the bad consequences of a location leak? This paper surveys research relevant to computational location privacy, i.e. the ways that computation can be used to both protect and compromise location data. Location data affords privacy techniques that exploit its geometric nature, and we limit our definition of computational location privacy to largely geometry-based algorithms. Thus we do not include protection schemes based on laws, policies, access control, standard encryption [31], and special communication protocols like mix routing [21]. Likewise, we concentrate on computational privacy attacks that take advantage of the geometric nature of location data, thus omitting attacks based on manual surveillance or hacking around standard data protection schemes. This leaves a rich set of computational privacy attacks and countermeasures that treat location in a quantitative, geometric way. In this paper, we are most concerned with an attacker gaining access to location data and using it to algorithmically discover a subject's whereabouts and other information.

Beresford and Stajano define location privacy as

    "… the ability to prevent other parties from learning one's current or past location." [6]

This definition captures the idea that the person whose location is being measured should control who can know it. It also recognizes that past location information is important to protect. While real-time location could enable an attacker to find you, past data could help him or her discover who you are, where you live, and what you do. Duckham and Kulik refine the concept of location privacy by defining it as

    "… a special type of information privacy which concerns the claim of individuals to determine for themselves when, how, and to what extent location information about them is communicated to others." [16]

This definition is based on Westin's definition of information privacy in general [63]. It recognizes subtle preferences for revealing location data in different forms:

- When: A subject may be more concerned about her current or future location being revealed than locations from the past.
- How: A user may be comfortable if friends can manually request his location, but may not want alerts sent automatically whenever he enters a casino or bar.
- Extent: A user may rather have her location reported as an ambiguous region than as a precise point.

These different forms are the subject of many different computational schemes for protecting privacy, such as using a pseudonym instead of an actual name, intentionally adding noise to the data, and reporting location as a region instead of a point. This paper first considers why someone would want to report their location and then reviews people's actual feelings about location privacy based on several studies. We then look at location privacy threats and countermeasures.
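As an added example that is not part of Krumm's paper, the Python below sketches the three countermeasures the introduction names (a pseudonym in place of the name, added noise, a region instead of a point) on a constructed GPS trace, and measures how well a simple "most-visited place" inference from past fixes, the kind of past-data risk the text alludes to, survives each one. The flat-earth metres-per-degree conversion, the trace, the 50 m inference cell and the attacker model are assumptions of the example, not anything from the survey.

```python
# Added example (not code from Krumm's survey): pseudonyms, added noise and
# region (grid-cell) reporting applied to a constructed GPS trace, with a
# simple "most-visited place" inference to show what each one leaves exposed.
import math, random, secrets
from collections import Counter

M_PER_DEG = 111_320.0  # metres per degree of latitude; flat-earth approximation

def pseudonymize(trace):
    """Swap the real identifier for a fresh random pseudonym; fixes untouched."""
    pid = secrets.token_hex(8)
    return [(pid, lat, lon) for _, lat, lon in trace]

def add_noise(trace, sigma_m, rng=None):
    """Perturb every fix with Gaussian noise of sigma_m metres per axis."""
    rng = rng if rng is not None else random.Random(0)
    s = sigma_m / M_PER_DEG
    return [(u, lat + rng.gauss(0, s), lon + rng.gauss(0, s)) for u, lat, lon in trace]

def cloak(trace, cell_m):
    """Report the centre of the enclosing cell_m grid cell instead of the point."""
    s = cell_m / M_PER_DEG
    return [(u, (math.floor(lat / s) + 0.5) * s, (math.floor(lon / s) + 0.5) * s)
            for u, lat, lon in trace]

def most_visited(trace, cell_m=50):
    """Centre of the most frequently visited cell_m cell: a crude 'where you
    live' inference from a subject's past fixes (an assumed attacker model)."""
    s = cell_m / M_PER_DEG
    cells = Counter((math.floor(lat / s), math.floor(lon / s)) for _, lat, lon in trace)
    (i, j), _ = cells.most_common(1)[0]
    return ((i + 0.5) * s, (j + 0.5) * s)

def error_m(p, q):
    """Distance in metres between two (lat, lon) points, flat-earth approximation."""
    return math.hypot(p[0] - q[0], p[1] - q[1]) * M_PER_DEG

# Constructed trace: six fixes within ~10 m of HOME, three near a workplace, two elsewhere.
HOME = (47.6400, -122.1300)
TRACE = [("alice", HOME[0] + dy, HOME[1] + dx) for dy, dx in
         [(0.00005, -0.00003), (-0.00004, 0.00006), (0.00002, 0.00001),
          (-0.00007, -0.00005), (0.00006, 0.00004), (0.00000, -0.00008)]]
TRACE += [("alice", 47.6600 + d, -122.1200 - d) for d in (0.0001, 0.0, -0.0001)]
TRACE += [("alice", 47.6100, -122.2000), ("alice", 47.7000, -122.3000)]

if __name__ == "__main__":
    for name, t in [("raw", TRACE), ("pseudonym", pseudonymize(TRACE)),
                    ("noise 500 m", add_noise(TRACE, 500)), ("cloak 1 km", cloak(TRACE, 1000))]:
        print(f"{name:12s} inferred-home error: {error_m(most_visited(t), HOME):7.1f} m")
```

The run shows that a pseudonym alone leaves the inferred home exactly as exposed as the raw trace, while noise and cloaking push the inference off by hundreds of metres.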
