Cloaking Algorithms for Location Privacy

Abstract

DEFINITION Spatial cloaking is a technique to blur a user's exact location into a spatial region in order to preserve her location privacy. The blurred spatial region must satisfy the user's specified privacy requirement. The most widely used privacy requirements are k-anonymity and minimum spatial area. The k-anonymity requirement guarantees that a user location is indistinguishable among k users. On the other hand, the minimum spatial area requirement guarantees that a user exact location must be blurred into a spatial region with an area of at least A, such that the probability of the user being located in any point within the spatial region is 1 A. A user location must be blurred by a spatial cloaking algorithm either on the client side or a trusted third-party before it is submitted to a location-based database server. HISTORICAL BACKGROUND The emergence of the state-of-the-art location-detection devices, e.g., cellular phones, global positioning system (GPS) devices, and radio-frequency identification (RFID) chips, has resulted in a location-dependent information access paradigm, known as location-based services (LBS). In LBS, mobile users have the ability to issue snapshot or continuous queries to the location-based database server. Examples of snapshot queries include "where is my nearest gas station" and "what are the restaurants within one mile of my location", while examples of continuous queries include "where is my nearest police car for the next one hour " and "continuously report the taxis within one mile of my car location". To obtain the precise answer of these queries, the user has to continuously provide her exact location information to a database server. With untrustworthy database servers, an adversary may access sensitive information about individuals based on their location information and queries. For example, an adversary may identify a user's habits and interests by knowing the places she visits and the time of each visit. The k-anonymity model [12, 13] has been widely used in maintaining privacy in databases [6, 8, 9, 10]. The main idea is to have each tuple in the table as k-anonymous, i.e., indistinguishable among other k − 1 tuples. However, none of these techniques can be applied to preserve user