[ieee 2010 international conference on availability, reliability, and security (ares) - krakow,...
Binomial-Mix-based Location Anonymizer System with Global Dummy Generation
to Preserve User Location Privacy in Location-Based Services
Minh-Triet Tran
University of Science, 227 Nguyen Van Cu, Dist. 5, Hochiminh City, [email protected]
Isao Echizen
National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, [email protected]
Anh-Duc Duong
University of Science, 227 Nguyen Van Cu, Dist. 5, Hochiminh City, [email protected]
Abstract—We propose a binomial-mix-based location anonymizer system with global dummy generation to protect user location privacy in location-based services in the face of attacks from a global active adversary and even with untrusted location-based service providers. Our proposed system overcomes the disadvantages of high latency in general-purpose mix-net systems when they are applied to location-based services, and the imprecision of query results or the inefficiency caused by the large number of candidates in the query results of existing obfuscation or spatial cloaking techniques. In our system, dummies (false locations) are generated globally in order to reduce the latency of requests to location-based services. A centralized dummy generation mechanism exploits all users’ activities to optimize the system’s behavior and performance. Because of the randomness provided by a binomial mix, our system prevents an adversary from determining with certainty whether a user is at a specific location. Our system also lets users define and update their personal location privacy maps and satisfies a probabilistic real-time condition that ensures delivery of any request within a predefined duration with high probability.
Keywords-Location-based services, location privacy, binomial mixes.
I. INTRODUCTION
There is an increasing number of devices with geo-positioning and data communication capabilities. Such capabilities enable any user to get his/her current location, for example via GPS, and query useful information related to this location from location-based services. In fact, various service providers now offer location-based services. However, since users need to give their locations to different service providers, it is of concern when a user reveals his/her exact location to an untrusted service provider that might illegally use this information [1]. Preserving user privacy is thus a critical requirement to ensure development of emerging location-based services [2].
Privacy in location-based services has become a topic of interest for researchers. In fact, existing anonymous systems, such as anonymous web surfing or email systems, are not appropriate for location-based services. Mix-based anonymous systems [3], [4], [5] tend to provide high latency; thus, they are not able to process realtime requests sent to location-based services. Low-latency anonymous systems, such as Tor [6] or Tarzan [7], require a high-traffic environment to keep latency low and maintain security against traffic analysis attacks [8]. Hence, such low-latency systems do not fit the context of location-based services with low traffic.
Different approaches have been proposed for location-based services. In query enlargement techniques [9], [10], [11], [12], although the user’s exact location is blurred into a large region, query results are imprecise or complicated procedures are required to select appropriate candidates in query results. In spatial cloaking techniques [13], [14], [15], a minimum privacy region covering k user locations is formed and sent as the parameter of the query to a location-based service. However, the privacy region depends heavily on the spatial distribution of users and it is inefficient to transmit a large number of candidate records corresponding to the large privacy region and to filter appropriate results. Spatial obfuscation techniques [16], [17], [18], [19] generate dummies (fake or fixed locations), usually at clients, and send them together with the user’s exact location to a service provider. These techniques require dedicated modules to be installed at the client side in order to generate dummies, and each client cannot utilize other users’ activities to reduce the number of dummies in the system.
In this article, we propose a novel system to preserve user location privacy in location-based services. Our proposal is developed from the binomial-mix-based anonymous communication framework RPROB [20] with a centralized dummy generation mechanism. Because of the randomness of a binomial mix [4], [5], an opponent can no longer determine with certainty the probability that a user $S_i$ is a sender of an outgoing request to a location-based service. As the system’s buffer is always non-empty, an opponent cannot determine exactly when an incoming request will be forwarded to a location-based service. We use the dummy generation algorithm ’Moving in a Limited Neighborhood’ (MLN) [16] to generate meaningful false locations, but we implement this algorithm in a centralized way to utilize all users’
2010 International Conference on Availability, Reliability and Security
978-0-7695-3965-2/10 $26.00 © 2010 IEEE
DOI 10.1109/ARES.2010.76
activities and to prevent each user from knowing others’ locations. Dummies help to reduce latency for requests to location-based services as every cached query request is always ready to be delivered in the same round of its arrival into the location anonymizer. Moreover, each user can define and update his/her own location privacy map to balance the trade-off between delay and personal privacy.
The rest of the paper is organized as follows: first we review and analyse different approaches to ensuring location privacy in location-based services. We also briefly present binomial mixes and RPROB, our generalized anonymous communication system based on binomial mixes [20]. Then we present our binomial-mix-based location anonymizer with global dummy generation to guarantee location privacy in location-based services and analyze its properties: its security against a global active adversary, its probabilistic-real-time property, and its flexibility. Conclusions and open questions for future study are in the final section.
II. BACKGROUND AND RELATED WORK
A. Privacy Preserving Techniques for Location-Based Services
In a general scenario of using a location-based service, a user first retrieves his/her location information, for example from GPS, then issues a query to a location-based service with his/her location information as a parameter. After processing the query, the location-based service returns results to the requester. There are various service providers offering different location-based services, and it is difficult to verify that an arbitrary service honestly refrains from illegally using the user’s location information. So far, different approaches to protect user location privacy in location-based services have been proposed.
In query enlargement techniques [9], [10], [11], [12] the key idea is to lower the spatial resolution of location data sent to a location-based service. The user’s exact location is expanded into a region before being sent to a location-based service. These techniques hide the exact location of the user but cannot hide the region where the user is. Besides, the quality of the service can be affected severely, or a complicated procedure is required to select appropriate candidate results.
In spatial cloaking techniques [13], [14], [15], k user locations are collected to form a corresponding (minimum) cloaking region which is sent as a query parameter to a location-based service. The location-based service then returns all candidate results corresponding to any location in the cloaking region. In fact, the cloaking region depends heavily on the spatial distribution of users. In a high-density region, the cloaking region may shrink into a small area that cannot practically conceal the user’s location. In a low-density region, the cloaking region may be very large, thus too many candidate results are returned. In this case, it is inefficient to process such a query at the location-based service as well as to filter appropriate candidate results.
In obfuscation techniques, user locations are concealed among dummies (faked or fixed locations). Dummies can be randomly generated faked locations [16], [17] or fixed locations [18], [19], such as road intersections. In most of the existing obfuscation systems, dummies are generated at the client side in the context of one client - one server. Therefore, dummy generation at a single client cannot utilize other users’ queries to all location-based services to reduce the total number of dummies to be generated and sent to all the different location-based services. In our proposed system, as we use the global dummy generation mechanism, we can optimize the performance for multiple users querying multiple location-based services.
Temporal cloaking was also used in several systems. In
[13], the query may be delayed until there are k (or more)
users in the same region of the query’s issuer. In [21], a user
can specify a temporal interval Δt such that if there are not
enough users in the same region of the query’s issuer within
this time slot, the query is rejected. Using temporal cloaking
without dummy generation may cause a high latency to
deliver a query to a location-based service or even a query
rejection.
B. Mixes, Binomial Mixes, and Binomial-Mix-Based Anonymous Communication Framework
Mixes are commonly used in anonymous and privacy
preserving systems. The first mix design was introduced by
Chaum [3] in 1981. A mix takes a number of input messages
from senders, changes their appearance (by encrypting and
padding messages) and flow (by delaying and/or reordering),
and delivers them to next hops or recipients in such a way
that it is hard to match an output to a corresponding input
(or an input to a corresponding output) with certainty.
C. Diaz and A. Serjantov proposed binomial mixes [4] and the binomial mix framework [5] with randomness. Let $g : \mathbb{N} \to [0, 1]$ be the probability of forwarding each message and $n$ be the number of messages in the mix right before it flushes messages. Each message in the mix is selected to be forwarded with probability $g(n)$. Let $X$ be a random variable corresponding to the number of messages kept in a binomial mix and $P(X = x \mid n)$ be the conditional distribution of the number of messages kept in the mix. The number of messages kept in a binomial mix follows a binomial distribution $\mathrm{Bin}(n, 1 - g(n))$:

$$P(X = x \mid n) = \binom{n}{x}\, g(n)^{\,n-x}\, \big(1 - g(n)\big)^{x} \qquad (1)$$
A mix usually causes high latency for messages, but
requests to location-based services should be processed in
a realtime manner. Therefore, it is not suitable to use an
original general-purpose mix without any modification to
provide location privacy in such services.
Based on binomial mixes, we proposed a framework
of binomial-mix-based anonymous communication, namely
RPROB [20]. The key idea of the RPROB framework is
to retain messages in the system’s pool in order to prevent
an adversary from determining exactly when an incoming
message will be delivered. An RPROB instance uses a
binomial mix to realize this idea. To ensure that the expected
number of messages kept in system’s pool is at least 1, the
following constraint is enforced on the mix function g(n):
$$n\,(1 - g(n)) \geq 1, \quad \forall n > 0 \qquad (2)$$
The processing of RPROB in round $r$ is summarized as follows [20]:
• Message collection: RPROB receives and caches every new message $\alpha_i^{(r)}$ arriving in the system. Let $a_r$ be the number of new incoming messages.
• Message selection: Let $N_p^{(r-1)}$ be the number of old messages kept from the previous round $r-1$. Let $n_r = a_r + N_p^{(r-1)}$ be the total number of messages in the system’s pool (before flushing). If the anonymity requirements (the source-hiding property [22]) of all $n_r$ messages can be fulfilled, each message is selected to be forwarded with probability $g(n_r)$. Let $b_r$ be the number of selected messages.
• Message transformation: Each selected message $\alpha_i^{(r)}$ is cryptographically transformed into a message $\beta_j^{(r)}$. This procedure aims to prevent an opponent from matching output messages with input ones.
• Message delivery: Each transformed message $\beta_j^{(r)}$ is delivered. $N_p^{(r)} = n_r - b_r$ messages are kept in the pool for the next round $(r+1)$.
The number of messages to be forwarded follows a binomial distribution $\mathrm{Bin}(n_r, g(n_r))$ and the number of messages kept in the pool follows a binomial distribution $\mathrm{Bin}(n_r, 1 - g(n_r))$. By observing the number of output messages $b_r$ of round $r$, an adversary cannot be certain about the number of messages $n_r$ in the system before it flushes or the number of messages $N_p^{(r)}$ kept in the pool for the next round. As a result, an opponent cannot calculate with certainty the probability of a sender $S_i$ being the true sender of a delivered message $\beta_j^{(r)}$.
It should be noticed that in the RPROB system, a message may have a very long delay, especially in a low-traffic environment. Besides, if a user assigns a high source-hiding property to his/her messages, the whole system will be affected. Therefore it is not practical to apply the RPROB system as it is to the context of location privacy preservation for location-based services. In the next section, we present the evolution of the RPROB system into a binomial-mix-based location anonymizer system that overcomes these limitations and can be practically used to protect user location privacy in location-based services.
III. BINOMIAL-MIX-BASED LOCATION ANONYMIZER SYSTEM WITH GLOBAL DUMMY GENERATION
First we present the attack model with a global active
adversary. Then we present our proposal of location-hiding
property and our binomial-mix-based location anonymizer
system with global dummy generation for location-based
services.
A. Attack Model
Our attack model considers a Global Active Adversary
(GAA) with the following capabilities:
• GAA is global and can monitor all external activities
of the whole system;
• GAA can delay any number of messages (including
query requests and query results) for arbitrary time;
• GAA can compromise a legal user in the system to
create any number of query requests or even insert
query requests directly into system.
• As all messages are encrypted in transmission, GAA
cannot read the internal content of any message or gain
insight when a message is transmitted in the network.
The only exception is when GAA compromises a
location-based service and can read all query requests
dispatched to this location-based service.
Since GAA is global and can monitor all external activities of the system, it can detect any sender sending a request. If this request is unencrypted, it learns the exact location of $S_i$. Therefore, we only consider the case when every request is encrypted and GAA cannot read the internal content of this message during its transmission to location-based services. However, if an encrypted request is sent directly to an untrusted location-based service that is under the control of GAA, GAA can read the content of that message and learn the location of the request issuer.
We assume that a location-based service always returns
legal and accurate results to any request, even if this service
is under control of an adversary.
B. Location-Hiding Property and User’s Location Privacy Map
Inspired by the source-hiding property [22], we propose a
similar property of location privacy, called ’location-hiding’.
Definition 1: A user is location-hiding with a parameter $\Theta$ if an adversary cannot infer where the user is with probability higher than $1 - \Theta$.
Definition 2: Location-hiding value of a spatial region: When a user $S_i$ assigns the location-hiding value $0 \leq \Theta < 1$ to a specific spatial region $X$, this user hopes that any adversary cannot infer his/her location with probability higher than $1 - \Theta$ while $S_i$ is in this region $X$. The location-hiding value 0 means that the user does not care about the privacy in that region.
Each user has different levels of location privacy for different spatial regions at different times. For example, a hospital is a normal region for a doctor but may be considered as a sensitive region for others. Therefore in our proposed system, each user can define his/her own location privacy map.
Definition 3: The location privacy map of a user consists
of different spatial regions, each of which is assigned a
location-hiding value ranging in [0, 1). This map can be
redefined or updated by its owner at any time.
In our proposed system, when a user issues a query, the
current value of location privacy of the region where he/she
is will be tagged into the query. In case a user is in a spatial
region that he/she has not assigned a location privacy value,
the query will be tagged with the location privacy value 0.
C. Location Anonymizer
We propose to use a trusted location anonymizer as a
proxy to collect all users’ query requests and dispatch these
requests to location-based services. The location anonymizer
then receives all responses from location-based services and
forwards them to appropriate users.
The operation of the location anonymizer is periodic. Each period is called a round, and all rounds have the same duration. In each round, all query requests from users are cached in the location anonymizer. At the end of a round, the location anonymizer generates dummies (if necessary), then selects, transforms and dispatches a fraction of the query requests (including dummies) to location-based services. The detailed operations of the whole system are presented in the following sections.
1) Query Request Collection: In round $r$, a user sends a query request $\alpha_i^{(r)}$ to the location anonymizer in an encrypted form via a secure communication channel. Each query request consists of the following information:
1) the query to be processed;
2) the exact location of the sender;
3) the location-based service to process the query;
4) the location-hiding value of the current location in the sender’s location privacy map. If the user has not assigned a location-hiding value to his/her current location, this value of the query is set to 0.
As the communication between a user and the location anonymizer is secure, it is expected that only the location anonymizer can decrypt and read the entire information of a query request. Let $a_r$ be the number of new incoming query requests in round $r$.
2) Dummy query request generation: Let $N_p^{(r-1)}$ be the number of old query requests kept from the previous round $r-1$. At the end of round $r$, the location anonymizer has $N_p^{(r-1)} + a_r$ query requests in its buffer.
The location anonymizer randomly generates dummies (false query requests) so that the location-hiding requirements of all cached requests can be fulfilled. Currently we use the dummy generation algorithm ’Moving in a Limited Neighborhood’ (MLN) [16] to generate meaningful false locations. For each dummy query request:
• the type of query and the corresponding location-based service to process the query are randomly selected;
• the location-hiding value of the query is randomly selected such that this value does not exceed the maximum location-hiding value of the current query requests in the system’s buffer.
Let $d_r$ be the number of generated dummies in round $r$.
In our framework, the dummy generation is implemented
in a centralized way to utilize all users’ activities and to
prevent users from knowing each other’s locations. Dummies
help to reduce latency and provide an acceptable delay for
requests to location-based services.
It should be noticed that this step is the key difference from the RPROB system [20]. In the RPROB system, as there is no dummy, it is possible that some cached messages cannot satisfy their own anonymity requirements at the end of a round. Then all cached messages will be kept for the next rounds, yielding high latency for all cached messages. In RPROB, high source-hiding requirements mean high latency. In our current proposed system, high location-hiding values do not cause high delay but only affect the number of dummies to be generated.
3) Query request selection: After this step, there are $n_r = a_r + d_r + N_p^{(r-1)}$ query requests in the system’s pool and all of them satisfy their own location-hiding values. Each request is independently selected to be forwarded with probability $g(n_r)$. Let $b_r$ be the number of selected requests; $b_r$ follows the binomial distribution $\mathrm{Bin}(n_r, g(n_r))$.
4) Query request transformation and forwarding: Each selected query request $\alpha_i^{(r)}$ is decrypted and transformed into a query request $\beta_j^{(r)}$ containing the following information:
• Query ID: the location anonymizer randomly generates a unique ID for the request. This ID is used to match the query result to the requester, i.e. the sender of the query. Upon receiving the results from a location-based service, the location anonymizer looks up its log to find the requester of a query and deliver the results.
• the query to be processed;
• the location $\gamma(\beta_j^{(r)})$ as a parameter of the query to be processed. This location information can be a real one (from a real user) or a faked one (dummy).
Each transformed request $\beta_j^{(r)}$ is forwarded to its corresponding location-based service. $N_p^{(r)} = n_r - b_r$ requests are kept in the pool for the next round $(r+1)$.
IV. ANALYSIS AND EVALUATION
A. Guaranteed location privacy
For simplicity in presentation, we shall introduce the following additional notations:
Let $L(S_i, t)$ be the location of a user $S_i$ at time instant $t$. Let $S(\beta_j^{(r)})$ be the true sender of a delivered query $\beta_j^{(r)}$.
Let $\varepsilon_S^{(r)} := \{\alpha_k^{(r)}\}$ be the collection of all requests sent to the system in round $r$.
Let $A_{S_i}^{(r)}$ be the collection of all requests sent by sender $S_i$ in round $r$. We have $\bigcup_{S_i \in S} A_{S_i}^{(r)} = \varepsilon_S^{(r)}$.
Let $\Phi(\gamma(\beta_j^{(r)}), S_i)$ be the probability assigned by an opponent to a sender $S_i$ to be at location $\gamma(\beta_j^{(r)})$ in round $r$:

$$\Phi\big(\gamma(\beta_j^{(r)}), S_i\big) = P\big(S(\beta_j^{(r)}) = S_i\big) \qquad (3)$$
In round $r$, there are $N_p^{(r-1)}$ old requests and $a_r$ new requests. Hence, the probability of a request $\beta_j^{(r)}$ being a new one is $P(\beta_j^{(r)} \in \varepsilon_S^{(r)}) = a_r / n_r$ and that of $\beta_j^{(r)}$ being an old request is $P(\beta_j^{(r)} \notin \varepsilon_S^{(r)}) = N_p^{(r-1)} / n_r$.
The probability that $\beta_j^{(r)}$ is a new request and $S_i$ is its sender is as follows:

$$P\big(S(\beta_j^{(r)}) = S_i \wedge \beta_j^{(r)} \in \varepsilon_S^{(r)}\big) = \frac{\big|A_{S_i}^{(r)}\big|}{n_r} \qquad (4)$$
If $\beta_j^{(r)}$ is an old request, it arrived in the system during some round $k < r$, it was selected to be kept in the system from round $k$ to round $r-1$, and it was finally selected to be delivered in round $r$. Then the probability that a sender $S_i$ sent $\beta_j^{(r)}$ and $\beta_j^{(r)}$ arrived in the system during round $k < r$ is:

$$P\big(S(\beta_j^{(r)}) = S_i \wedge \beta_j^{(r)} \in \varepsilon_S^{(k)}\big) = \frac{\big|A_{S_i}^{(k)}\big|}{a_k} \cdot \frac{a_k}{n_k} \cdot \Big(\prod_{l=k+1}^{r-1} \frac{N_p^{(l-1)}}{n_l}\Big) \cdot \frac{N_p^{(r-1)}}{n_r} = \frac{\big|A_{S_i}^{(k)}\big|}{n_r} \cdot \Big(\prod_{l=k}^{r-1} \frac{N_p^{(l)}}{n_l}\Big) \qquad (5)$$
From (4) and (5), the probability that a user $S_i$ is the sender of a delivered request $\beta_j^{(r)}$ in round $r$ can be formulated as follows:

$$\Phi\big(\beta_j^{(r)}, S_i\big) = \frac{\big|A_{S_i}^{(r)}\big|}{n_r} + \sum_{k=1}^{r-1} \frac{\big|A_{S_i}^{(k)}\big|}{n_r} \cdot \Big(\prod_{l=k}^{r-1} \frac{N_p^{(l)}}{n_l}\Big) \qquad (6)$$

Note that this is also the probability that an adversary assigns to a user $S_i$ being at location $\gamma(\beta_j^{(r)})$ in round $r$:

$$P\big(L(S_i, r) = \gamma(\beta_j^{(r)})\big) = \frac{\big|A_{S_i}^{(r)}\big|}{n_r} + \sum_{k=1}^{r-1} \frac{\big|A_{S_i}^{(k)}\big|}{n_r} \cdot \Big(\prod_{l=k}^{r-1} \frac{N_p^{(l)}}{n_l}\Big) \qquad (7)$$
If a sender $S_i$ uses the system for the first time, the only evidence to convince an opponent that $S_i$ is at the location $\gamma(\beta_j^{(r)})$ is the activities of $S_i$ in the current round $r$. Thus, the probability assigned by the adversary to sender $S_i$ to be at the location $\gamma(\beta_j^{(r)})$ in round $r$ is $\big|A_{S_i}^{(r)}\big| / \big(a_r + N_p^{(r-1)}\big)$.
B. Probabilistic-real-time property
Let $\varepsilon_R^{(r)} := \{\beta_j^{(r)}\}$ be the collection of all requests delivered from the system to location-based services in round $r$. For a request $\alpha_i^{(k)}$ arriving in the system in round $k$, the probability that it is forwarded in round $k$ is

$$P\big(\alpha_i^{(k)} \in \varepsilon_R^{(k)}\big) = g(n_k) \qquad (8)$$

and the probability that it is forwarded in the consecutive round $k+l$ is:

$$P\big(\alpha_i^{(k)} \in \varepsilon_R^{(k+l)}\big) = g(n_{k+l}) \prod_{i=0}^{l-1} \big(1 - g(n_{k+i})\big) \qquad (9)$$
As every request is in general delivered within the first few rounds with high probability, our system has a probabilistic-real-time property. Note that an adversary cannot be certain when a request is delivered in our system. Besides, as our system uses global dummy generation, the location-hiding requirement of every query request currently cached in the system’s buffer is satisfied at the end of each round. Thus every query request is always ready at the end of each round to be dispatched to an appropriate location-based service.
C. Flexibility for users
In our proposed system, each user can define and update
his/her own location privacy map. The location-hiding value
of a region is tagged into a query. Because we use dummy
generation in each round, the location-hiding property of
each message can be satisfied within the same round of its
arrival at the location anonymizer. The privacy preference of
any user does not cause high latency to the whole system as
in RPROB Channel but only affects the number of dummies
to be generated globally by the location anonymizer. The
global dummy generation helps us reduce the total number
of dummies in comparison to local dummy generation
techniques at every client.
V. CONCLUSIONS AND FUTURE WORK
We propose a binomial-mix-based location anonymizer with global dummy generation for location-based services. Our system uses the generalized binomial mix model, and each instance of our framework corresponds to a specific binomial mix. As the system always keeps several requests in its pool, an adversary cannot be certain when a request will be delivered. Besides, because of the randomness of binomial mixes, an opponent can no longer calculate with certainty the probability that a user is at a certain location at a certain time instant.
We use dummy generation to ensure that all cached requests can satisfy their own location-hiding properties within the same round of their arrival. Global implementation of dummy generation enables us to utilize the global activities of all users to optimize the number of false requests to be generated.
We are currently studying various adaptive dummy generation strategies to utilize user location information to maximize the privacy of multiple users within the same region. We are also studying a range-based query approach to reduce the number of actual requests to be delivered to a location-based service because the results to be sent to different users within a range can be incorporated into a single request.
REFERENCES
[1] J. Voelcker, “Stalked by satellite: An alarming rise in GPS-enabled harassment,” IEEE Spectrum, vol. 47, no. 7, pp. 15–16, 2006.
[2] C. Bettini, S. Mascetti, X. S. Wang, D. Freni, and S. Jajodia, “Anonymity and historical-anonymity in location-based services,” in Privacy in Location-Based Applications, ser. LNCS, vol. 5599, 2009, pp. 1–30.
[3] D. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Communications of the ACM, vol. 4(2), pp. 84–88, 1981.
[4] C. Diaz and A. Serjantov, “Generalising mixes,” in 3rd Privacy Enhancing Technologies Symposium (PET 2003), 2003, pp. 18–31.
[5] A. Serjantov, “A fresh look at the generalised mix framework,” in 7th Privacy Enhancing Technologies Symposium (PET 2007), ser. LNCS, vol. 4776, 2007, pp. 17–29.
[6] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second-generation onion router,” in 13th USENIX Security Symposium, 2004, pp. 303–320.
[7] R. T. Morris, M. J. Freedman, and M. J. Freedman, “Tarzan: A peer-to-peer anonymizing network layer,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), 2002, pp. 193–206.
[8] S. J. Murdoch and G. Danezis, “Low-cost traffic analysis of Tor,” in Proceedings of the 2005 IEEE Symposium on Security and Privacy, 2005, pp. 183–195.
[9] R. Cheng, Y. Zhang, E. Bertino, and S. Prabhakar, “Preserving user location privacy in mobile data management infrastructures,” in Privacy Enhancing Technology Workshop, 2006, pp. 393–412.
[10] C. Ardagna, M. Cremonini, E. Damiani, S. di Vimercati, and P. Samarati, “Location privacy protection through obfuscation-based techniques,” DBSec, pp. 47–60, 2007.
[11] J. Du, J. Xu, X. Tang, and H. Hu, “ipda: Supporting privacy-preserving location-based mobile services,” in 2007 International Conference on Mobile Data Management, 2007, pp. 212–214.
[12] S. Mascetti, C. Bettini, D. Freni, X. Wang, and S. Jajodia, “Privacy-aware proximity based services,” in 2009 International Conference on Mobile Data Management, 2009, pp. 1140–1143.
[13] M. Gruteser, D. Grunwalddepartment, and C. Science, “Anonymous usage of location-based services through spatial and temporal cloaking,” in the 1st International Conference on Mobile Systems, Applications and Services (USENIX MobiSys), 2003, pp. 31–42.
[14] M. F. Mokbel, C. yin Chow, and W. G. Aref, “The new casper: Query processing for location services without compromising privacy,” in VLDB, 2006, pp. 763–774.
[15] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias, “Preventing location-based identity inference in anonymous spatial queries,” IEEE Transactions on Knowledge and Data Engineering, vol. 19, no. 12, pp. 1719–1733, 2007.
[16] H. Kido, Y. Yanagisawa, and T. Satoh, “An anonymous communication technique using dummies for location-based services,” in IEEE International Conference on Pervasive Services (ICPS), 2005, pp. 88–97.
[17] H. Lu, C. Jensen, and M. Yiu, “Pad: Privacy-area aware, dummy-based location privacy in mobile services,” in MobiDE, 2008, pp. 16–23.
[18] M. Duckham and L. Kulik, “Simulation of obfuscation and negotiation for location privacy,” in COSIT 2005, ser. LNCS, vol. 3693, 2005, pp. 31–48.
[19] M. Duckham and L. Kulik, “A formal model of obfuscation and negotiation for location privacy,” in PERVASIVE 2005, ser. LNCS, vol. 3468, 2005, pp. 152–170.
[20] M. T. Tran, A. D. Duong, and I. Echizen, “RPROB - a family of binomial-mix-based anonymous communication systems,” in 2009 IEEE/IFIP International Symposium on Trust, Security and Privacy for Pervasive Applications (TSP-09), 2009, pp. 765–770.
[21] B. Gedik and L. Liu, “Protecting location privacy with personalized k-Anonymity: Architecture and algorithms,” IEEE Transactions on Mobile Computing, vol. 2007, 2007.
[22] G. Toth and Z. Hornak, “Measuring anonymity in a non-adaptive real-time system,” in 4th Privacy Enhancing Technologies Symposium (PET 2004), ser. LNCS, vol. 3424, 2004, pp. 226–241.