Privacy in Mobile Systems

The objective of this project is to study the threats related to the disclosure of location information about users and to propose mechanisms that protect users against these threats. We are specifically interested in two use cases where the location of users can be disclosed: (1) when they access location-based services and (2) when mobility traces are collected and published by third parties. This research was originally carried out in the framework of the Priva'Mov project.

Challenges & Contributions

With the rise of handheld mobile devices (smartphones, tablets, etc.), more and more people are able to access location-based services (LBSs for short). These services provide them with real-time, contextual information according to their current location. However, each time an LBS receives a location, it can store it along with a timestamp and a link to a specific user. With all this knowledge, the service provider is able to infer a lot of sensitive information about its users, e.g., their home and work places or their religious and political preferences. Fortunately, the literature contains many countermeasures to protect the location privacy of users. These protection mechanisms offer various privacy guarantees, typically ranging from k-anonymity to differential privacy.

A first problem we stumbled upon is the evaluation of those protection mechanisms. All of them are parameterized with one or several configuration parameters that can take a wide range of values. We are interested in assessing the practical effectiveness of these solutions, both in terms of privacy for the user and in terms of utility (i.e., the quality of service the user can expect), across many configurations. Then, with this knowledge, designing new protection mechanisms is another challenging task: there is an inherent trade-off between privacy and utility that is difficult to master.

Results

At first, we conducted a practical evaluation of a differentially private protection mechanism [Most'14]. The results of our work show that adding noise is not enough and that, despite their strong theoretical guarantees, these approaches cannot protect users' privacy efficiently. Worse, when a lot of noise is added, a choice must be made between degraded utility (e.g., accepting to lose some results when querying a geolocated service) and degraded performance (e.g., issuing many more queries until all correct results are retrieved). We show that it is difficult to find a trade-off between privacy, utility and performance using existing solutions.
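The three-way tension described above can be made concrete with a small simulation. The following Python example is added here and is not code from the project or from [Most'14]; it uses the planar Laplace mechanism of geo-indistinguishability as the representative differentially private location mechanism (an assumption, since the page does not name the mechanism that was evaluated). For each privacy level `eps` it estimates the mean displacement of the reported position, the share of the true results a client loses if it does not enlarge its query, and how much larger (in area, hence in data fetched) the query must become to cover the true neighbourhood with 95% probability.

```python
import math
import random

# Constructed example: planar Laplace (geo-indistinguishability) noise applied
# to a query position, then scored for utility and performance.


def planar_laplace(x, y, eps, rng):
    """Sample an obfuscated position around (x, y).

    Direction is uniform; the radius follows Gamma(shape=2, scale=1/eps),
    which is the radial law of the planar Laplace density. eps is expressed
    in 1/metre, so the expected displacement is 2/eps metres.
    """
    theta = rng.uniform(0.0, 2.0 * math.pi)
    r = rng.gammavariate(2.0, 1.0 / eps)
    return x + r * math.cos(theta), y + r * math.sin(theta)


def disc_overlap_fraction(d, radius):
    """Fraction of the disc around the true position that also lies inside
    the same-size disc around the obfuscated position, for centre distance d
    (lens-area formula for two intersecting circles)."""
    if d >= 2.0 * radius:
        return 0.0
    lens = (2.0 * radius ** 2 * math.acos(d / (2.0 * radius))
            - 0.5 * d * math.sqrt(4.0 * radius ** 2 - d ** 2))
    return lens / (math.pi * radius ** 2)


def evaluate(eps, query_radius=500.0, coverage=0.95, samples=2000, seed=7):
    """Monte-Carlo estimate of the three quantities in tension:
    - mean_err_m: mean displacement of the reported position (more = more privacy)
    - lost_fraction: share of the wanted results missed if the client keeps
      asking for a query_radius disc around the noisy position (utility)
    - area_overhead: factor by which the query area must grow so that the
      true neighbourhood is inside with probability `coverage` (performance)
    """
    rng = random.Random(seed)
    disp = sorted(math.hypot(*planar_laplace(0.0, 0.0, eps, rng))
                  for _ in range(samples))
    mean_err = sum(disp) / samples
    lost = 1.0 - sum(disc_overlap_fraction(d, query_radius) for d in disp) / samples
    needed = query_radius + disp[int(coverage * samples) - 1]
    return {
        "mean_err_m": mean_err,
        "lost_fraction": lost,
        "area_overhead": (needed / query_radius) ** 2,
    }


if __name__ == "__main__":
    print(f"{'eps (1/m)':>10} {'mean err (m)':>13} {'lost results':>13} {'area overhead':>14}")
    for eps in (0.05, 0.01, 0.002):
        r = evaluate(eps)
        print(f"{eps:>10} {r['mean_err_m']:>13.0f} "
              f"{r['lost_fraction']:>13.1%} {r['area_overhead']:>14.1f}x")
```

Lowering `eps` (more privacy) raises both the lost-result share and the area overhead at the same time; the client can trade one against the other by choosing how far to enlarge the query, but cannot make both small without giving privacy back.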

Then we proposed a new protection mechanism called Promesse [TrustCom'15], whose goal is to distort the temporal information instead of the spatial information. It was shown to be very efficient at protecting the points of interest of users (i.e., important places where users spend their time, such as their home or work place).

More recently, we were interested in helping non-expert users to configure protection mechanisms. We proposed two approaches that share the characteristic of being objective-based: instead of specifying configuration parameters, users are asked to specify objectives in terms of privacy and utility, and our systems then compute an appropriate configuration for those objectives to be met. ALP [SRDS'16] is a heuristic, iterative approach that tries several solutions and proposes the best one. Next, we proposed a more formal approach that produces a control law [Middleware'16], giving a direct relation between objectives and configuration parameters.
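The following Python example is added to illustrate the two previous paragraphs; it is not code from the project, from Promesse or from ALP. It builds a constructed mobility trace with a 45-minute stop, extracts points of interest the way an adversary would (stay-point detection by dwell time), applies a Promesse-style temporal distortion in an assumed simplified form (locations are kept, timestamps are rewritten so the user appears to move at constant speed, which collapses stops to zero dwell), and then runs an ALP-style objective-based configuration loop (also a simplified assumption): given a privacy objective ("no extracted POI within N metres of my real ones") and a utility objective ("mean spatial error at most M metres"), it evaluates a small set of candidate mechanisms and configurations and keeps the one that meets both objectives with the best utility. The grid-cloaking candidates and the candidate list are constructed for the example.

```python
import math

# Constructed trace in local planar metres, timestamps in seconds: a 1 m/s walk
# east, a 45-minute stop at (1000, 0), then a walk on to x = 2000.
def make_trace():
    trace = [(50.0 * i, 0.0, 50.0 * i) for i in range(21)]                    # t 0..1000
    trace += [(1000.0, 0.0, 1050.0 + 50.0 * i) for i in range(54)]            # stop, t up to 3700
    trace += [(1050.0 + 50.0 * i, 0.0, 3750.0 + 50.0 * i) for i in range(20)]  # t up to 4700
    return trace


def extract_pois(trace, radius_m=100.0, min_dwell_s=1800.0):
    """Stay-point style POI extraction (the adversary's view): a run of
    consecutive samples all within radius_m of the run's first sample that
    lasts at least min_dwell_s yields one POI at the run's centroid."""
    pois, i = [], 0
    while i < len(trace):
        x0, y0, t0 = trace[i]
        j = i + 1
        while j < len(trace) and math.hypot(trace[j][0] - x0, trace[j][1] - y0) < radius_m:
            j += 1
        run = trace[i:j]
        if run[-1][2] - t0 >= min_dwell_s:
            pois.append((sum(p[0] for p in run) / len(run), sum(p[1] for p in run) / len(run)))
            i = j
        else:
            i += 1
    return pois


def smooth_time(trace):
    """Promesse-style temporal distortion (assumed simplified form): keep every
    location, rewrite timestamps so speed is constant over the whole trace.
    Stops cover no distance, so they collapse to zero dwell."""
    dist = [0.0]
    for (x1, y1, _), (x2, y2, _) in zip(trace, trace[1:]):
        dist.append(dist[-1] + math.hypot(x2 - x1, y2 - y1))
    total_d, t0, total_t = dist[-1], trace[0][2], trace[-1][2] - trace[0][2]
    return [(x, y, t0 + total_t * d / total_d) for (x, y, _), d in zip(trace, dist)]


def cloak_grid(trace, cell_m):
    """Spatial cloaking candidate: snap every sample to the centre of its grid cell."""
    snap = lambda v: (math.floor(v / cell_m) + 0.5) * cell_m
    return [(snap(x), snap(y), t) for x, y, t in trace]


def poi_privacy(original, protected, poi_kwargs):
    """Privacy score: distance from the user's true POIs to the closest POI the
    adversary extracts from the protected trace (inf when none is found)."""
    true_pois = extract_pois(original, **poi_kwargs)
    found = extract_pois(protected, **poi_kwargs)
    if not true_pois or not found:
        return math.inf
    return min(math.hypot(a[0] - b[0], a[1] - b[1]) for a in true_pois for b in found)


def spatial_error(original, protected):
    """Utility score: mean distance between each true and protected sample."""
    return sum(math.hypot(a[0] - b[0], a[1] - b[1])
               for a, b in zip(original, protected)) / len(original)


def configure(trace, min_poi_distance_m, max_error_m, poi_kwargs=None):
    """ALP-style objective-based configuration (simplified assumption): try each
    candidate, keep those meeting both objectives, return the best-utility one
    together with the full report. Note the utility metric is spatial only, so
    the temporal cost of smoothing is not scored here."""
    poi_kwargs = poi_kwargs or {}
    candidates = [("cloak", c, cloak_grid(trace, c)) for c in (100.0, 250.0, 500.0, 1000.0)]
    candidates.append(("smooth_time", None, smooth_time(trace)))
    report = []
    for name, param, protected in candidates:
        priv = poi_privacy(trace, protected, poi_kwargs)
        err = spatial_error(trace, protected)
        report.append((name, param, priv, err, priv >= min_poi_distance_m and err <= max_error_m))
    feasible = [r for r in report if r[4]]
    return (min(feasible, key=lambda r: r[3]) if feasible else None), report


if __name__ == "__main__":
    tr = make_trace()
    print("POIs in raw trace:", extract_pois(tr))
    print("POIs after smoothing:", extract_pois(smooth_time(tr)))
    best, report = configure(tr, min_poi_distance_m=200.0, max_error_m=120.0)
    for name, param, priv, err, ok in report:
        print(f"{name:12} {str(param):>6}  poi distance={priv:8.1f} m  mean error={err:6.1f} m  {'OK' if ok else 'rejected'}")
    print("selected:", best)
```

With the objectives used in `__main__`, every cloaking cell size fails at least one objective (small cells leave the POI recoverable, large cells blow the error budget), while the temporal distortion removes the POI from the adversary's output without moving any sample; the loop reports that choice instead of asking the user for a cell size or an epsilon.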

Contributors

Grants

The Priva'Mov project is supported by the LABEX IMU (ANR-10-LABX-0088) of Université de Lyon, within the program "Investissements d'Avenir" (ANR-11-IDEX-0007) operated by the French National Research Agency (ANR).

Selected publications

Software

Accio is a research-oriented tool whose goal is to provide a framework to study spatio-temporal data and location privacy. At its heart, Accio is a workflow management software whose goal is to schedule and execute operations, and then collect and analyse their results. It comes with a large library of operations and is designed to be easily extended with new ones. Documentation for Accio is published on its own website, while the source code is available on GitHub.