
[IEEE 2010 International Conference on Availability, Reliability, and Security (ARES) - Krakow, Poland (2010.02.15-2010.02.18)]

Binomial-Mix-based Location Anonymizer System with Global Dummy Generation to Preserve User Location Privacy in Location-Based Services

Minh-Triet Tran, University of Science, 227 Nguyen Van Cu, Dist.5, Hochiminh City, Vietnam, tmtriet@fit.hcmus.edu.vn

Isao Echizen, National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, Japan

Anh-Duc Duong, University of Science, 227 Nguyen Van Cu, Dist.5, Hochiminh City, Vietnam, daduc@fit.hcmus.edu.vn

Abstract—We propose a binomial-mix-based location anonymizer system with global dummy generation to protect user location privacy in location-based services in the face of attacks from a global active adversary and even with untrusted location-based service providers. Our proposed system overcomes the disadvantages of high latency in general-purpose mix-net systems when they are applied to location-based services, and the imprecision of query results or the inefficiency due to the large number of candidates in query results of existing obfuscation or spatial cloaking techniques. In our system, dummies (false locations) are generated globally in order to reduce the latency of requests to location-based services. A centralized dummy generation mechanism exploits all users’ activities to optimize the system’s behavior and performance. Because of the randomness provided by a binomial mix, our system prevents an adversary from determining with certainty whether a user is at a specific location. Our system also lets users define and update their personal location privacy maps and satisfies a probabilistic real-time condition that ensures delivery of any request within a predefined duration with high probability.

Keywords-Location-based services, location privacy, binomial mixes.

I. INTRODUCTION

There is an increasing number of devices with geo-positioning and data communication capabilities. Such capabilities enable any user to get his/her current location, for example via GPS, and query useful information related to this location from location-based services. In fact, various service providers now offer location-based services. However, since users need to give their locations to different service providers, it is of concern when a user reveals his/her exact location to an untrusted service provider that might illegally use this information [1]. Preserving user privacy is thus a critical requirement to ensure development of emerging location-based services [2].

Privacy in location-based services has become a topic of interest for researchers. In fact, existing anonymous systems, such as anonymous web surfing or email systems, are not appropriate for location-based services. Mix-based anonymous systems [3], [4], [5] tend to provide high latency; thus, they are not able to process realtime requests sent to location-based services. Low-latency anonymous systems, such as Tor [6] or Tarzan [7], require a high-traffic environment to keep latency low and maintain security against traffic analysis attacks [8]. Hence, such low-latency systems do not fit the context of location-based services with low traffic.

Different approaches have been proposed for location-based services. In query enlargement techniques [9], [10], [11], [12], although the user’s exact location is blurred into a large region, query results are imprecise or complicated procedures are required to select appropriate candidates in query results. In spatial cloaking techniques [13], [14], [15], a minimum privacy region covering k user locations is formed and sent as the parameter of the query to a location-based service. However, the privacy region depends heavily on the spatial distribution of users and it is inefficient to transmit a large number of candidate records corresponding to the large privacy region and to filter appropriate results. Spatial obfuscation techniques [16], [17], [18], [19] generate dummies (fake or fixed locations), usually at clients, and send them together with the exact user’s location to a service provider. These techniques require dedicated modules to be installed at the client side in order to generate dummies, and each client cannot utilize other users’ activities to reduce the number of dummies in the system.

In this article, we propose a novel system to preserve user location privacy in location-based services. Our proposal is developed from the binomial-mix-based anonymous communication framework RPROB [20] with a centralized dummy generation mechanism. Because of the randomness of a binomial mix [4], [5], an opponent can no longer determine with certainty the probability that a user $S_i$ is the sender of an outgoing request to a location-based service. As the system’s buffer is always non-empty, an opponent cannot determine exactly when an incoming request will be forwarded to a location-based service. We use the dummy generation algorithm ’Moving in a Limited Neighborhood’ (MLN) [16] to generate meaningful false locations, but we implement this algorithm in a centralized way to utilize all users’

2010 International Conference on Availability, Reliability and Security

978-0-7695-3965-2/10 $26.00 © 2010 IEEE

DOI 10.1109/ARES.2010.76


activities and to prevent each user from knowing others’ locations. Dummies help to reduce latency for requests to location-based services as every cached query request is always ready to be delivered in the same round of its arrival into the location anonymizer. Moreover, each user can define and update his/her own location privacy map to balance the trade-off between delay and personal privacy.

The rest of the paper is organized as follows: first we review and analyse different approaches to ensuring location privacy in location-based services. We also briefly present binomial mixes and RPROB, our generalized anonymous communication system based on binomial mixes [20]. Then we present our binomial-mix-based location anonymizer with global dummy generation to guarantee location privacy in location-based services and analyze its properties: its security against a global active adversary, its probabilistic-real-time property, and its flexibility. Conclusions and open questions for future study are in the final section.

II. BACKGROUND AND RELATED WORK

A. Privacy Preserving Techniques for Location-Based Services

In a general scenario to use a location-based service, a user first retrieves his/her location information, for example, from GPS, then issues a query to a location-based service with his/her location information as a parameter. After processing the query, the location-based service returns results to the requester. There are various service providers providing different location-based services and it is difficult to verify that an arbitrary service does not illegally use the user’s location information. So far, different approaches to protect user location privacy in location-based services have been proposed.

In query enlargement techniques [9], [10], [11], [12] the key idea is to lower the spatial resolution of location data sent to a location-based service. The user’s exact location is expanded into a region before being sent to a location-based service. These techniques hide the exact location of the user but cannot hide the region where the user is. Besides, the quality of the service can be affected severely or a complicated procedure is required to select appropriate candidate results.

In spatial cloaking techniques [13], [14], [15], k user locations are collected to form a corresponding (minimum) cloaking region which is sent as a query parameter to a location-based service. The location-based service then returns all candidate results corresponding to any location in the cloaking region. In fact, the cloaking region depends heavily on the spatial distribution of users. In a high-density region, the cloaking region may shrink into a small area that cannot practically conceal the user’s location. In a low-density region, the cloaking region may be very large, thus there are too many candidate results to be returned. In this case, it is inefficient to process such a query at the location-based service as well as to filter appropriate candidate results.

In obfuscation techniques, user locations are concealed within dummies (faked or fixed locations). Dummies can be randomly generated faked locations [16], [17] or fixed locations [18], [19], such as road intersections. In most of the existing obfuscation systems, dummies are generated at the client side in the context of one client - one server. Therefore, dummy generation at a single client cannot utilize other users’ queries to all location-based services to reduce the total number of dummies to be generated and sent to all the different location-based services. In our proposed system, as we use the global dummy generation mechanism, we can optimize the performance for multiple users querying multiple location-based services.

Temporal cloaking was also used in several systems. In [13], the query may be delayed until there are k (or more) users in the same region as the query’s issuer. In [21], a user can specify a temporal interval Δt such that if there are not enough users in the same region as the query’s issuer within this time slot, the query is rejected. Using temporal cloaking without dummy generation may cause a high latency to deliver a query to a location-based service or even a query rejection.

B. Mixes, Binomial Mixes, and Binomial-Mix-Based Anonymous Communication Framework

Mixes are commonly used in anonymous and privacy preserving systems. The first mix design was introduced by Chaum [3] in 1981. A mix takes a number of input messages from senders, changes their appearance (by encrypting and padding messages) and flow (by delaying and/or reordering), and delivers them to next hops or recipients in such a way that it is hard to match an output to a corresponding input (or an input to a corresponding output) with certainty.

C. Diaz and A. Serjantov proposed binomial mixes [4] and the binomial mix framework [5] with randomness. Let $g : \mathbb{N} \to [0, 1]$ be the probability of forwarding each message and $n$ be the number of messages in the mix right before it flushes messages. Each message in the mix is selected to be forwarded with probability $g(n)$. Let $X$ be a random variable corresponding to the number of messages kept in a binomial mix and $P(X = x \mid n)$ be the conditional distribution of the number of messages kept in the mix. The number of messages kept in a binomial mix follows a binomial distribution $\mathrm{Bin}(n, 1 - g(n))$.

$$P(X = x \mid n) = \binom{n}{x}\, g(n)^{\,n-x}\,\bigl(1 - g(n)\bigr)^{x} \qquad (1)$$

A mix usually causes high latency for messages, but requests to location-based services should be processed in a realtime manner. Therefore, it is not suitable to use an original general-purpose mix without any modification to provide location privacy in such services.


Based on binomial mixes, we proposed a framework of binomial-mix-based anonymous communication, namely RPROB [20]. The key idea of the RPROB framework is to retain messages in the system’s pool in order to prevent an adversary from determining exactly when an incoming message will be delivered. An RPROB instance uses a binomial mix to realize this idea. To ensure that the expected number of messages kept in the system’s pool is at least 1, the following constraint is enforced on the mix function $g(n)$:

$$n\,\bigl(1 - g(n)\bigr) \ge 1, \quad \forall n > 0 \qquad (2)$$
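As an added illustration (not code from the paper), the following Python evaluates the kept-message distribution (1) and checks constraint (2) for an assumed mix function $g(n) = 1 - 2/n$, which keeps two messages in expectation; the histogram of forwarded counts shows why an observer who sees only $b$ cannot recover $n$ or the kept count.

```python
"""Binomial-mix arithmetic from eq. (1) and constraint (2).

Added example, not the paper's code.  The mix function g(n) = 1 - C/n is an
assumption chosen for illustration: n(1 - g(n)) = C, so any C >= 1 satisfies
constraint (2) and the pool keeps C messages in expectation.
"""
import random
from math import comb

EXPECTED_KEPT = 2  # the constant C above (assumed)


def g(n: int) -> float:
    """Probability of forwarding each message when n messages are pooled."""
    if n <= 0:
        raise ValueError("n must be positive")
    return max(0.0, 1.0 - EXPECTED_KEPT / n)  # clamp keeps g(n) in [0, 1]


def satisfies_constraint_2(g_fn, n_max: int) -> bool:
    """Eq. (2): n(1 - g(n)) >= 1 for every 1 <= n <= n_max."""
    return all(n * (1.0 - g_fn(n)) >= 1.0 - 1e-12 for n in range(1, n_max + 1))


def p_kept(x: int, n: int) -> float:
    """Eq. (1): P(X = x | n) where X ~ Bin(n, 1 - g(n)) counts kept messages."""
    if not 0 <= x <= n:
        return 0.0
    q = g(n)
    return comb(n, x) * q ** (n - x) * (1.0 - q) ** x


def expected_kept(n: int) -> float:
    """Mean of the distribution (1); equals n(1 - g(n)) = EXPECTED_KEPT."""
    return sum(x * p_kept(x, n) for x in range(n + 1))


def flush(pool: list, rng: random.Random) -> tuple[list, list]:
    """One flush: each pooled message is forwarded with probability g(n)."""
    q = g(len(pool))
    forwarded, kept = [], []
    for msg in pool:
        (forwarded if rng.random() < q else kept).append(msg)
    return forwarded, kept


def observed_b_counts(n: int, rounds: int, seed: int = 0) -> dict[int, int]:
    """Histogram of the forwarded count b over repeated flushes of an
    n-message pool: the same n yields many different observable b values."""
    rng = random.Random(seed)
    hist: dict[int, int] = {}
    for _ in range(rounds):
        forwarded, _kept = flush(list(range(n)), rng)
        hist[len(forwarded)] = hist.get(len(forwarded), 0) + 1
    return hist


if __name__ == "__main__":
    for n in (1, 2, 5, 10):
        print(f"n={n:2d}  g(n)={g(n):.2f}  E[kept]={expected_kept(n):.2f}")
    print("constraint (2) holds up to n=100:", satisfies_constraint_2(g, 100))
    print("b histogram for n=5 over 1000 flushes:", observed_b_counts(5, 1000))
```

Note that with this $g$ a pool of one or two messages forwards nothing, which is exactly the low-traffic latency the paper attributes to plain RPROB.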

The processing of RPROB in round $r$ is summarized as follows [20]:

• Message collection: RPROB receives and caches every new message $\alpha_i^{(r)}$ arriving in the system. Let $a_r$ be the number of new incoming messages.

• Message selection: Let $N_p^{(r-1)}$ be the number of old messages kept from the previous round $r-1$. Let $n_r = a_r + N_p^{(r-1)}$ be the total number of messages in the system’s pool (before flushing). If the anonymity requirements (the source-hiding property [22]) of all $n_r$ messages can be fulfilled, each message is selected to be forwarded with probability $g(n_r)$. Let $b_r$ be the number of selected messages.

• Message transformation: Each selected message $\alpha_i^{(r)}$ is cryptographically transformed into a message $\beta_j^{(r)}$. This procedure aims to prevent an opponent from matching output messages with input ones.

• Message delivery: Each transformed message $\beta_j^{(r)}$ is delivered. $N_p^{(r)} = n_r - b_r$ messages are kept in the pool for the next round ($r+1$).

The number of messages to be forwarded follows a binomial distribution $\mathrm{Bin}(n_r, g(n_r))$ and the number of messages kept in the pool follows a binomial distribution $\mathrm{Bin}(n_r, 1 - g(n_r))$. By observing the number of output messages $b_r$ of round $r$, an adversary cannot be certain about the number of messages $n_r$ in the system before it flushes or the number of messages $N_p^{(r)}$ kept in the pool for the next round. As a result, an opponent cannot calculate with certainty the probability of a sender $S_i$ being the true sender of a delivered message $\beta_j^{(r)}$.

It should be noticed that in the RPROB system, a message may have a very long delay, especially in a low traffic environment. Besides, if a user assigns a high source-hiding property to his/her messages, the whole system will be affected. Therefore it is not practical to apply the RPROB system as it is to the context of location privacy preservation for location-based services. In the next section, we will present the evolution of the RPROB system into a binomial-mix-based location anonymizer system that can overcome these limitations and can be practically used to protect user location privacy in location-based services.

III. BINOMIAL-MIX-BASED LOCATION ANONYMIZER SYSTEM WITH GLOBAL DUMMY GENERATION

First we present the attack model with a global active adversary. Then we present our proposal of the location-hiding property and our binomial-mix-based location anonymizer system with global dummy generation for location-based services.

A. Attack Model

Our attack model considers a Global Active Adversary (GAA) with the following capabilities:

• GAA is global and can monitor all external activities of the whole system;

• GAA can delay any number of messages (including query requests and query results) for an arbitrary time;

• GAA can compromise a legal user in the system to create any number of query requests or even insert query requests directly into the system;

• As all messages are encrypted in transmission, GAA cannot read the internal content of any message or gain insight when a message is transmitted in the network. The only exception is when GAA compromises a location-based service and can read all query requests dispatched to this location-based service.

Since GAA is global and can monitor all external activities of the system, it can detect any sender sending a request. If this request is unencrypted, it learns the exact location of $S_i$. Therefore, we only consider the case when every request is encrypted and GAA cannot read the internal content of this message during its transmission to location-based services. However, if an encrypted request is sent directly to an untrusted location-based service that is under the control of GAA, GAA can read the content of that message and learn the location of the request issuer.

We assume that a location-based service always returns legal and accurate results to any request, even if this service is under the control of an adversary.

B. Location-Hiding Property and User’s Location Privacy Map

Inspired by the source-hiding property [22], we propose a similar property of location privacy, called ’location-hiding’.

Definition 1: A user is location-hiding with a parameter $\Theta$ if an adversary cannot infer where the user is with probability higher than $1 - \Theta$.

Definition 2: Location-hiding value of a spatial region: When a user $S_i$ assigns the location-hiding value $0 \le \Theta < 1$ to a specific spatial region $X$, this user hopes that any adversary cannot infer his/her location with probability higher than $1 - \Theta$ while $S_i$ is in this region $X$. The location-hiding value 0 means that the user does not care about the privacy in that region.

Each user has different levels of location privacy for different spatial regions at different times. For example,


a hospital is a normal region for a doctor but may be considered as a sensitive region for others. Therefore in our proposed system, each user can define his/her own location privacy map.

Definition 3: The location privacy map of a user consists of different spatial regions, each of which is assigned a location-hiding value ranging in $[0, 1)$. This map can be redefined or updated by its owner at any time.

In our proposed system, when a user issues a query, the current location privacy value of the region where he/she is will be tagged into the query. In case a user is in a spatial region to which he/she has not assigned a location privacy value, the query will be tagged with the location privacy value 0.

C. Location Anonymizer

We propose to use a trusted location anonymizer as a proxy to collect all users’ query requests and dispatch these requests to location-based services. The location anonymizer then receives all responses from location-based services and forwards them to appropriate users.

The operation of the location anonymizer is periodic. Each period is called a round, and all rounds have the same duration. In each round, all query requests from users are cached in the location anonymizer. At the end of a round, the location anonymizer generates dummies (if necessary), selects, transforms and dispatches a fraction of the query requests (including dummies) to location-based services. The detailed operations of the whole system are presented in the following sections.

1) Query Request Collection: In round $r$, a user sends a query request $\alpha_i^{(r)}$ to the location anonymizer in an encrypted form via a secure communication channel. Each query request consists of the following information:

1) the query to be processed;
2) the exact location of the sender;
3) the location-based service to process the query;
4) the location-hiding value of the current location in the sender’s location privacy map. If the user has not assigned a location-hiding value to his/her current location, this value of the query is set to 0.

As the communication between a user and the location anonymizer is secure, it is expected that only the location anonymizer can decrypt and read the entire information of a query request. Let $a_r$ be the number of new incoming query requests in round $r$.

2) Dummy query request generation: Let $N_p^{(r-1)}$ be the number of old query requests kept from the previous round $r-1$. At the end of round $r$, the location anonymizer has $N_p^{(r-1)} + a_r$ query requests in its buffer.

The location anonymizer randomly generates dummies (false query requests) so that the location-hiding requirements of all cached requests can be fulfilled. Currently we use the dummy generation algorithm ’Moving in a Limited Neighborhood’ (MLN) [16] to generate meaningful false locations. For each dummy query request:

• the type of query and the corresponding location-based service to process the query are randomly selected;

• the location-hiding value of the query is randomly selected such that this value does not exceed the maximum location-hiding value of the current query requests in the system’s buffer.

Let $d_r$ be the number of generated dummies in round $r$. In our framework, the dummy generation is implemented in a centralized way to utilize all users’ activities and to prevent users from knowing each other’s locations. Dummies help to reduce latency and provide an acceptable delay for requests to location-based services.

It should be noticed that this step is the key difference from the RPROB system [20]. In the RPROB system, as there is no dummy, it is possible that some cached messages cannot satisfy their own anonymity requirements at the end of a round. Then all cached messages will be kept for the next rounds, yielding high latency for all cached messages. In RPROB, high source-hiding requirements mean high latency. In our current proposed system, high location-hiding values do not cause high delay but only affect the number of dummies to be generated.

3) Query request selection: After this step, there are $n_r = a_r + d_r + N_p^{(r-1)}$ query requests in the system’s pool and all of them satisfy their own location-hiding values. Each request is independently selected to be forwarded with probability $g(n_r)$. Let $b_r$ be the number of selected requests. $b_r$ follows the binomial distribution $\mathrm{Bin}(n_r, g(n_r))$.

4) Query request transformation and forwarding: Each selected query request $\alpha_i^{(r)}$ is decrypted and transformed into a query request $\beta_j^{(r)}$ containing the following information:

• Query ID: the location anonymizer randomly generates a unique ID for the request. This ID is used to match the query result to the requester, i.e. the sender of the query. Upon receiving the results from a location-based service, the location anonymizer looks up its log to find the requester of the query and deliver the results.

• the query to be processed;

• the location $\gamma(\beta_j^{(r)})$ as a parameter of the query to be processed. This location information can be a real one (from a real user) or a faked one (dummy).

Each transformed request $\beta_j^{(r)}$ is forwarded to its corresponding location-based service. $N_p^{(r)} = n_r - b_r$ requests are kept in the pool for the next round ($r+1$).
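To make the round concrete, here is an added Python sketch of one anonymizer round (not the authors' implementation), serving both the RPROB round of Section II-B and steps 1-4 above. It assumes the illustrative mix function $g(n) = 1 - 2/n$; it sizes the dummy count from the first-time-sender bound $|A_{S_i}^{(r)}|/n_r \le 1 - \Theta$ of Section IV-A applied to every cached request (a simplification, since the paper does not state how $d_r$ is chosen); and `make_dummy` is a random jitter standing in for MLN [16].

```python
"""One round of the location anonymizer (Section III-C, steps 1-4).

Added example, not the authors' code.  Assumptions: g(n) = 1 - 2/n as the
mix function; dummies are added until 1/n_r <= 1 - Theta_max, which is the
first-time-sender bound of Section IV-A applied to every cached request; and
make_dummy() is a placeholder jitter, not the MLN algorithm of [16].
"""
import math
import random
from dataclasses import dataclass
from typing import Optional

# Constructed sample query types and services.
QUERIES = ("nearest cafe", "fuel price", "open pharmacy")
SERVICES = ("cafe-service", "fuel-service", "pharmacy-service")


@dataclass
class Request:             # alpha_i^(r) as decrypted by the anonymizer
    sender: Optional[str]  # None for a dummy
    query: str
    location: tuple[float, float]
    service: str
    theta: float           # location-hiding value, 0 <= theta < 1


@dataclass
class Outgoing:            # beta_j^(r) as seen by the location-based service
    query_id: str
    query: str
    location: tuple[float, float]
    service: str


def g(n: int) -> float:
    """Illustrative mix function; n(1 - g(n)) = 2 >= 1 satisfies eq. (2)."""
    return max(0.0, 1.0 - 2.0 / n) if n > 0 else 0.0


def required_pool_size(pool: list[Request]) -> int:
    """Smallest n with 1/n <= 1 - theta for every cached theta (assumed rule)."""
    theta_max = max(r.theta for r in pool)
    return max(1, math.ceil(1.0 / (1.0 - theta_max) - 1e-9))


def location_hiding_satisfied(pool: list[Request]) -> bool:
    """Definition 1 under the assumed bound: 1/n_r <= 1 - theta for all."""
    n = len(pool)
    return all(1.0 / n <= 1.0 - r.theta + 1e-12 for r in pool)


def make_dummy(pool: list[Request], rng: random.Random) -> Request:
    """Placeholder for MLN [16]: a false location near a cached one, with a
    random query/service and a theta not above the current maximum."""
    ref = rng.choice(pool)
    theta_max = max(r.theta for r in pool)
    lat, lon = ref.location
    return Request(None, rng.choice(QUERIES),
                   (lat + rng.uniform(-0.01, 0.01), lon + rng.uniform(-0.01, 0.01)),
                   rng.choice(SERVICES), rng.uniform(0.0, theta_max))


class LocationAnonymizer:
    def __init__(self, seed: int = 0) -> None:
        self.rng = random.Random(seed)
        self.pool: list[Request] = []            # N_p^(r-1) carried-over requests
        self.log: dict[str, Optional[str]] = {}  # query_id -> requester

    def run_round(self, new_requests: list[Request]):
        """Returns (forwarded beta list, n_r, d_r); kept requests stay pooled."""
        self.pool.extend(new_requests)                        # 1) collection
        if not self.pool:
            return [], 0, 0
        d_r = max(0, required_pool_size(self.pool) - len(self.pool))
        for _ in range(d_r):                                  # 2) dummies
            self.pool.append(make_dummy(self.pool, self.rng))
        n_r = len(self.pool)
        q = g(n_r)                                            # 3) selection
        selected, kept = [], []
        for req in self.pool:
            (selected if self.rng.random() < q else kept).append(req)
        out = []
        for req in selected:                                  # 4) transform
            qid = f"{self.rng.getrandbits(64):016x}"
            while qid in self.log:
                qid = f"{self.rng.getrandbits(64):016x}"
            self.log[qid] = req.sender  # sender and theta never leave the proxy
            out.append(Outgoing(qid, req.query, req.location, req.service))
        self.pool = kept                                      # N_p^(r) = n_r - b_r
        return out, n_r, d_r

    def requester_of(self, query_id: str) -> Optional[str]:
        """Route a service's result back; None means the query was a dummy."""
        return self.log.get(query_id)
```

Because a dummy's theta never exceeds the current maximum, adding dummies never raises the required pool size, so the loop in step 2 terminates with every cached request satisfied.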

IV. ANALYSIS AND EVALUATION

A. Guaranteed location privacy

For simplicity in presentation, we shall introduce the following additional notations:

Let $L(S_i, t)$ be the location of a user $S_i$ at time instant $t$. Let $S(\beta_j^{(r)})$ be the true sender of a delivered query $\beta_j^{(r)}$.


Let $\varepsilon_S^{(r)} := \{\alpha_k^{(r)}\}$ be the collection of all requests sent to the system in round $r$;

Let $A_{S_i}^{(r)}$ be the collection of all requests sent by sender $S_i$ in round $r$. We have $\bigcup_{S_i \in S} A_{S_i}^{(r)} = \varepsilon_S^{(r)}$.

Let $\Phi(\gamma(\beta_j^{(r)}), S_i)$ be the probability assigned by an opponent to a sender $S_i$ to be at location $\gamma(\beta_j^{(r)})$ in round $r$.

$$\Phi\bigl(\gamma(\beta_j^{(r)}), S_i\bigr) = P\bigl(S(\beta_j^{(r)}) = S_i\bigr) \qquad (3)$$

In round $r$, there are $N_p^{(r-1)}$ old requests and $a_r$ new requests. Hence, the probability of a request $\beta_j^{(r)}$ being a new one is $P(\beta_j^{(r)} \in \varepsilon_S^{(r)}) = a_r / n_r$ and that of $\beta_j^{(r)}$ being an old request is $P(\beta_j^{(r)} \notin \varepsilon_S^{(r)}) = N_p^{(r-1)} / n_r$.

The probability that $\beta_j^{(r)}$ is a new request and $S_i$ is its sender is as follows:

$$P\bigl(S(\beta_j^{(r)}) = S_i \wedge \beta_j^{(r)} \in \varepsilon_S^{(r)}\bigr) = \frac{\bigl|A_{S_i}^{(r)}\bigr|}{n_r} \qquad (4)$$

If $\beta_j^{(r)}$ is an old request, it arrived in the system during some round $k < r$, and it was selected to be kept in the system from round $k$ to round $r-1$ and was finally selected to be delivered in round $r$. Then the probability that a sender $S_i$ sent $\beta_j^{(r)}$ and $\beta_j^{(r)}$ arrived in the system during round $k < r$ is:

$$P\bigl(S(\beta_j^{(r)}) = S_i \wedge \beta_j^{(r)} \in \varepsilon_S^{(k)}\bigr) = \frac{\bigl|A_{S_i}^{(k)}\bigr|}{a_k} \cdot \frac{a_k}{n_k} \cdot \Bigl(\prod_{l=k+1}^{r-1} \frac{N_p^{(l-1)}}{n_l}\Bigr) \cdot \frac{N_p^{(r-1)}}{n_r} = \frac{\bigl|A_{S_i}^{(k)}\bigr|}{n_r} \cdot \Bigl(\prod_{l=k}^{r-1} \frac{N_p^{(l)}}{n_l}\Bigr) \qquad (5)$$

From (4) and (5), the probability that a user $S_i$ is the sender of a delivered request $\beta_j^{(r)}$ in round $r$ can be formulated as follows:

$$\Phi\bigl(\beta_j^{(r)}, S_i\bigr) = \frac{\bigl|A_{S_i}^{(r)}\bigr|}{n_r} + \sum_{k=1}^{r-1} \frac{\bigl|A_{S_i}^{(k)}\bigr|}{n_r} \cdot \Bigl(\prod_{l=k}^{r-1} \frac{N_p^{(l)}}{n_l}\Bigr) \qquad (6)$$

Note that this is also the probability that an adversary assigns to a user $S_i$ to be at location $\gamma(\beta_j^{(r)})$ in round $r$.

$$P\bigl(L(S_i, r) = \gamma(\beta_j^{(r)})\bigr) = \frac{\bigl|A_{S_i}^{(r)}\bigr|}{n_r} + \sum_{k=1}^{r-1} \frac{\bigl|A_{S_i}^{(k)}\bigr|}{n_r} \cdot \Bigl(\prod_{l=k}^{r-1} \frac{N_p^{(l)}}{n_l}\Bigr) \qquad (7)$$
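As an added worked example (not from the paper), the following Python carries (4), (5) and (6)/(7) through on a constructed three-round history for one sender, using exact fractions, and checks that the long chain form of (5) equals its collapsed form. The per-round counts in `SAMPLE` are constructed, and the first-time-sender case is simply (6) with no earlier rounds.

```python
"""Eq. (5) and (6)/(7): the probability an adversary assigns to sender S_i
for a request delivered in round r.  Added example; the per-round history is
constructed, not from the paper's evaluation.
"""
from fractions import Fraction
from math import prod

# history[k] = (|A_Si^(k)|, a_k, n_k, N_p^(k)) for rounds k = 1..r, 1-indexed.
History = dict[int, tuple[int, int, int, int]]


def p_old_request_long(history: History, k: int, r: int) -> Fraction:
    """Left-hand chain of eq. (5): arrived in round k, kept through round
    r-1, delivered in round r."""
    a_si, a_k, n_k, _ = history[k]
    term = Fraction(a_si, a_k) * Fraction(a_k, n_k)
    for l in range(k + 1, r):
        term *= Fraction(history[l - 1][3], history[l][2])    # N_p^(l-1) / n_l
    return term * Fraction(history[r - 1][3], history[r][2])  # N_p^(r-1) / n_r


def p_old_request(history: History, k: int, r: int) -> Fraction:
    """Collapsed form of eq. (5): |A^(k)| / n_r * prod_{l=k}^{r-1} N_p^(l)/n_l."""
    a_si = history[k][0]
    n_r = history[r][2]
    return Fraction(a_si, n_r) * prod(
        (Fraction(history[l][3], history[l][2]) for l in range(k, r)),
        start=Fraction(1))


def phi(history: History, r: int) -> Fraction:
    """Eq. (6)/(7): the new-request term (4) plus the old-request terms (5)."""
    a_si_r, _, n_r, _ = history[r]
    return Fraction(a_si_r, n_r) + sum(
        (p_old_request(history, k, r) for k in range(1, r)), start=Fraction(0))


def phi_first_time(a_si_r: int, a_r: int, np_prev: int) -> Fraction:
    """A sender with no earlier activity: |A^(r)| / (a_r + N_p^(r-1))."""
    return Fraction(a_si_r, a_r + np_prev)


# Constructed three-round history for one sender S_i (not measured data).
SAMPLE: History = {
    1: (1, 2, 4, 2),   # S_i sent 1 of a_1 = 2 new requests; n_1 = 4; 2 kept
    2: (0, 3, 5, 2),   # S_i silent; n_2 = 5; 2 kept
    3: (1, 3, 6, 3),   # S_i sent 1 of a_3 = 3 new requests; n_3 = 6
}

if __name__ == "__main__":
    print("round 1 term via (5) long  :", p_old_request_long(SAMPLE, 1, 3))
    print("round 1 term via (5) short :", p_old_request(SAMPLE, 1, 3))
    print("Phi for round 3            :", phi(SAMPLE, 3))
```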

If a sender $S_i$ uses the system for the first time, the only evidence to convince an opponent that $S_i$ is at the location $\gamma(\beta_j^{(r)})$ is the activities of $S_i$ in the current round $r$. Thus, the probability assigned by the adversary to sender $S_i$ to be at the location $\gamma(\beta_j^{(r)})$ in round $r$ is $\bigl|A_{S_i}^{(r)}\bigr| \big/ \bigl(a_r + N_p^{(r-1)}\bigr)$.

B. Probabilistic-real-time property

Let $\varepsilon_R^{(r)} := \{\beta_j^{(r)}\}$ be the collection of all requests delivered from the system to location-based services in round $r$. For a request $\alpha_i^{(k)}$ arriving in the system in round $k$, the probability that it is forwarded in round $k$ is

$$P\bigl(\alpha_i^{(k)} \in \varepsilon_R^{(k)}\bigr) = g(n_k) \qquad (8)$$

and the probability that it is forwarded in the consecutive round $k+l$ is:

$$P\bigl(\alpha_i^{(k)} \in \varepsilon_R^{(k+l)}\bigr) = g(n_{k+l}) \prod_{i=0}^{l-1} \bigl(1 - g(n_{k+i})\bigr) \qquad (9)$$
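The delay distribution (8)/(9) turned into a check of the probabilistic-real-time property, as an added example (not the paper's code); it assumes the illustrative mix function $g(n) = 1 - 2/n$ and a constructed sequence of pool sizes $n_k, n_{k+1}, \dots$, and also shows the low-traffic edge case in which a tiny pool forwards nothing.

```python
"""Eq. (8)/(9): when does a request that arrived in round k leave the pool?

Added example, not the paper's code.  Assumes the illustrative mix function
g(n) = 1 - 2/n and a constructed list of pool sizes n_seq[l] = n_{k+l}.
"""


def g(n: int) -> float:
    """Illustrative mix function; n(1 - g(n)) = 2 satisfies constraint (2)."""
    return max(0.0, 1.0 - 2.0 / n) if n > 0 else 0.0


def delivery_probabilities(n_seq: list[int]) -> list[float]:
    """probs[l] = P(alpha_i^(k) in eps_R^(k+l)) per eq. (9); l = 0 is eq. (8)."""
    probs, still_pooled = [], 1.0
    for n in n_seq:
        probs.append(g(n) * still_pooled)   # forwarded now, after l survivals
        still_pooled *= 1.0 - g(n)          # kept again with probability 1 - g
    return probs


def rounds_until(n_seq: list[int], confidence: float):
    """Smallest l such that the request has been delivered by round k+l with
    at least the given probability; None if n_seq is too short to reach it."""
    cumulative = 0.0
    for l, p in enumerate(delivery_probabilities(n_seq)):
        cumulative += p
        if cumulative >= confidence - 1e-12:
            return l
    return None


def p_not_delivered(n_seq: list[int]) -> float:
    """Probability the request is still pooled after every round in n_seq."""
    return 1.0 - sum(delivery_probabilities(n_seq))


if __name__ == "__main__":
    busy = [4] * 6           # constructed: four requests pooled every round
    print("per-round delivery probabilities:", delivery_probabilities(busy))
    print("rounds to reach 90% delivery   :", rounds_until(busy, 0.9))
    print("still pooled after 6 rounds    :", p_not_delivered(busy))
    quiet = [2, 2, 2]        # constructed: two requests pooled, g(2) = 0
    print("quiet pool, rounds to 50%      :", rounds_until(quiet, 0.5))
```

The quiet case is the RPROB latency problem in miniature; the anonymizer's dummies exist precisely to push $n_r$ above that floor every round.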

As every request is in general delivered within the first few rounds with high probability, our system has a probabilistic-real-time property. Note that an adversary cannot be certain when a request is delivered in our system. Besides, as our system uses global dummy generation, the location-hiding requirement of every query request currently cached in the system’s buffer is satisfied at the end of each round. Thus every query request is always ready at the end of each round to be dispatched to an appropriate location-based service.

C. Flexibility for users

In our proposed system, each user can define and update his/her own location privacy map. The location-hiding value of a region is tagged into a query. Because we use dummy generation in each round, the location-hiding property of each message can be satisfied within the same round of its arrival at the location anonymizer. The privacy preference of any user does not cause high latency to the whole system as in RPROB Channel but only affects the number of dummies to be generated globally by the location anonymizer. The global dummy generation helps us reduce the total number of dummies in comparison to local dummy generation techniques at every client.

V. CONCLUSIONS AND FUTURE WORK

We propose a binomial-mix-based location anonymizer with global dummy generation for location-based services. Our system uses the generalized binomial mix model and each instance of our framework corresponds to a specific binomial mix. As the system always keeps several requests in its pool, an adversary cannot be certain when a request will be delivered. Besides, because of the randomness of binomial mixes, an opponent can no longer calculate with certainty the probability that a user is at a certain location at a certain time instant.

We use dummy generation to ensure that all cached requests can satisfy their own location-hiding properties within the same round of their arrival. Global implementation of dummy generation enables us to utilize the global activities of all users to optimize the number of false requests to be generated.

We are currently studying various adaptive dummy generation strategies to utilize user location information to maximize the privacy of multiple users within the same region. We are also studying a range-based query approach to reduce the number of actual requests to be delivered to a location-based service, because the results to be sent to different users within a range can be incorporated into a single request.
