05-05-2011, 03:35 PM
APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services
Abstract
Today's location-sensitive services rely on a user's mobile device to determine its location and send the location to the application. This approach allows the user to cheat by having his device transmit a fake location, which might enable the user to access a restricted resource erroneously or provide bogus alibis. To address this issue, we propose A Privacy-Preserving LocAtion proof Updating System (APPLAUS), in which co-located Bluetooth-enabled mobile devices mutually generate location proofs and upload them to a location proof server. Periodically changed pseudonyms are used by the mobile devices to protect source location privacy from each other and from the untrusted location proof server. We also develop a user-centric location privacy model in which individual users evaluate their location privacy levels in real time and decide whether and when to accept a location proof exchange request based on their location privacy levels. APPLAUS can be implemented with the existing network infrastructure and current mobile devices, and can be easily deployed on Bluetooth-enabled mobile devices with little computation or power cost. Extensive experimental results show that our scheme, besides providing location proofs effectively, can significantly preserve source location privacy.
I. INTRODUCTION
Mobile devices, such as smartphones and PDAs, are playing an increasingly important role in people's lives. Location-based services take advantage of user location information and provide mobile users with a unique style of resources and services. Nowadays more and more location-based applications and services require users to prove their locations at a particular time. For example, "Google Latitude" and "Loopt" are two services that enable a user to track his friend's location in real time. As location proof plays a critical role in enabling these applications, they are location-sensitive. The common theme across all these applications is that they offer a reward or benefit to users located in a certain geographical location. Thus, users have the incentive to lie about their locations. There are many kinds of location-sensitive applications. One category is location-based access control. For example, a hospital might limit access to patient information by doctors or nurses unless they can prove that they are in a particular room of the hospital [16].

Meanwhile, one class of popular location-aware applications works only when users are able to prove their location history [22], such as auto insurance quotes, in which an auto insurance company might provide discounts to drivers who can prove that they take high-safety routes during their daily commutes; fraud reduction on eBay, in which location proofs from the seller can serve as additional evidence that the seller's account has not been compromised by an attacker; police investigations, in which police forces are interested in finding ways for people to be able to provide efficient and trusted alibis; and location-based social networking, in which a user can ask for a location proof from the service requester and accept the request only if the sender is able to present a valid location proof.

All these location-sensitive applications require users to prove that they really are (or were) at the claimed location. Although most mobile users have devices capable of discovering their locations, they lack a mechanism to prove their current or past locations to applications and services. One possible solution is to build a trusted computing module on each mobile device to make sure trusted GPS data is generated and transmitted, but its cost will be very high. Although cellular service providers have tracking services that can help verify the locations of mobile users in real time, the accuracy is not good enough and the location history cannot be verified. Several systems have recently been designed to provide end users the ability to prove their locations through WiFi infrastructure. For example, [22] proposed a solution that is suitable for third-party attestation, but relies on a PKI and the wide deployment of 802.11 access-point infrastructure. [14] described a trusted computing platform that can be used to generate unforgeable geotags for mobile content such as photos and video; however, it relies on the expensive trusted computing module on mobile devices to generate proofs.

In this paper, we propose A Privacy-Preserving LocAtion proof Updating System (APPLAUS), which does not rely on the wide deployment of network infrastructure or the expensive trusted computing module. In APPLAUS, Bluetooth-enabled mobile devices in range mutually generate location proofs, which are uploaded to an untrusted location proof server that can verify the trustworthiness level of each location proof. An authorized verifier can query and retrieve location proofs from the server. Moreover, our location proof system guarantees user location privacy from every party. More specifically, we use statistically changed pseudonyms at each mobile device to protect location privacy from each other and from the untrusted location proof server. We use a user-centric location privacy model in which individual users evaluate their location privacy levels in real time and decide whether and when to accept a location proof request based on their location privacy levels. Extensive experimental and simulation results show that our scheme, besides providing location proofs effectively, can significantly preserve source location privacy.

The rest of the paper is organized as follows: we first introduce the preliminaries of our scheme in Section II. After that, Section III presents our location proof updating scheme. Section IV presents the source location privacy analysis and how to deal with colluding attacks. The performance of our scheme is evaluated in Section V. Finally, we describe the related work in Section VI and conclude the paper in Section VII.
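The abstract and introduction describe the APPLAUS exchange only at a high level: two co-located devices mutually generate a location proof under per-period pseudonyms, the proof is uploaded to an untrusted server, and an authorized verifier later checks it. The following Go program is an added illustration of that flow and is not code from the paper or its authors. Its design choices are assumptions: each pseudonym is modelled as a fresh Ed25519 key pair per period, the signed statement (`ProofBody`) and its field names are invented for the example, and the location label and timestamp are constructed sample values. It shows the property a defender cares about: the server and any verifier learn only pseudonyms, a proof needs signatures from two distinct pseudonyms, and any later tampering with the proof body invalidates both signatures.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Pseudonym is a per-period Ed25519 key pair (assumption: one fresh pair per
// period). Only the public key is ever sent to a peer or to the server.
type Pseudonym struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Device holds a real identity (never transmitted) and its pseudonyms by period.
type Device struct {
	RealID  string
	pseudos map[int]*Pseudonym
}

func NewDevice(id string) *Device { return &Device{RealID: id, pseudos: map[int]*Pseudonym{}} }

// PseudonymFor returns the pseudonym for a period, generating a new key pair on
// first use so that pseudonyms from different periods are unlinkable.
func (d *Device) PseudonymFor(period int) *Pseudonym {
	if p, ok := d.pseudos[period]; ok {
		return p
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d.pseudos[period] = &Pseudonym{Pub: pub, priv: priv}
	return d.pseudos[period]
}

// ProofBody is the statement both parties sign (hypothetical layout).
type ProofBody struct {
	Prover  []byte `json:"prover"`  // prover's pseudonym public key
	Witness []byte `json:"witness"` // witness's pseudonym public key
	Period  int    `json:"period"`
	Time    int64  `json:"time"` // constructed timestamp (seconds)
	Cell    string `json:"cell"` // constructed coarse location label
}

// encode gives both sides identical bytes to sign (fixed JSON field order).
func (b ProofBody) encode() []byte { out, _ := json.Marshal(b); return out }

// LocationProof carries the body plus one signature from each party.
type LocationProof struct {
	Body       ProofBody
	ProverSig  []byte
	WitnessSig []byte
}

// Request: the prover builds the statement and signs it under its current pseudonym.
func (d *Device) Request(period int, t int64, cell string, witness ed25519.PublicKey) *LocationProof {
	me := d.PseudonymFor(period)
	body := ProofBody{Prover: me.Pub, Witness: witness, Period: period, Time: t, Cell: cell}
	return &LocationProof{Body: body, ProverSig: ed25519.Sign(me.priv, body.encode())}
}

// Witness: the co-located peer checks that the request names its own pseudonym
// for this period and carries a valid prover signature, then countersigns.
func (d *Device) Witness(p *LocationProof, period int) error {
	me := d.PseudonymFor(period)
	if p.Body.Period != period || !bytes.Equal(p.Body.Witness, me.Pub) {
		return errors.New("request not addressed to my current pseudonym")
	}
	if !ed25519.Verify(p.Body.Prover, p.Body.encode(), p.ProverSig) {
		return errors.New("prover signature invalid")
	}
	p.WitnessSig = ed25519.Sign(me.priv, p.Body.encode())
	return nil
}

// VerifyProof is what the untrusted server or an authorized verifier runs:
// two distinct pseudonyms, both signatures valid over the same body.
func VerifyProof(p *LocationProof) error {
	msg := p.Body.encode()
	if bytes.Equal(p.Body.Prover, p.Body.Witness) {
		return errors.New("self-witnessed proof")
	}
	if !ed25519.Verify(p.Body.Prover, msg, p.ProverSig) {
		return errors.New("prover signature invalid")
	}
	if !ed25519.Verify(p.Body.Witness, msg, p.WitnessSig) {
		return errors.New("witness signature invalid")
	}
	return nil
}

// ProofServer stores proofs keyed only by pseudonym; it never sees RealID.
type ProofServer struct{ Store []*LocationProof }

func (s *ProofServer) Upload(p *LocationProof) error {
	if err := VerifyProof(p); err != nil {
		return err
	}
	s.Store = append(s.Store, p)
	return nil
}

// RunExchange performs one full round: request, witness countersign, upload.
func RunExchange(prover, witness *Device, srv *ProofServer, period int, cell string) (*LocationProof, error) {
	proof := prover.Request(period, 1300000000, cell, witness.PseudonymFor(period).Pub)
	if err := witness.Witness(proof, period); err != nil {
		return nil, err
	}
	if err := srv.Upload(proof); err != nil {
		return nil, err
	}
	return proof, nil
}

func main() {
	alice, bob, srv := NewDevice("alice"), NewDevice("bob"), &ProofServer{}
	proof, err := RunExchange(alice, bob, srv, 7, "cell-42")
	fmt.Println("exchange error:", err, "stored proofs:", len(srv.Store))
	proof.Body.Cell = "cell-99" // tampering after upload breaks both signatures
	fmt.Println("tampered proof:", VerifyProof(proof))
}
```

The `Witness` check that the request is addressed to the peer's pseudonym for the current period is what prevents a prover from reusing a stale countersignature under a later pseudonym; the self-witness check in `VerifyProof` is a minimal stand-in for the paper's colluding-attack handling, which the full text covers in Section IV.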
Download full report
http://mcn.cse.psu.edu/paper/zhichao/infocom11.pdf