
Noname manuscript No. (will be inserted by the editor)

Privacy in geo-social networks: proximity notification with untrusted service providers and curious buddies

Sergio Mascetti · Dario Freni · Claudio Bettini · X. Sean Wang · Sushil Jajodia

Received: date / Accepted: date

arXiv:1007.0408v2 [cs.DB] 6 Nov 2010

Abstract

A major feature of the emerging geo-social networks is the ability to notify a user when any of his friends (also called buddies) happens to be geographically in proximity. This proximity service is usually offered by the network itself or by a third party service provider (SP) using location data acquired from the users. This paper provides a rigorous theoretical and experimental analysis of the existing solutions for the location privacy problem in proximity services. This is a serious problem for users who do not trust the SP to handle their location data, and would only like to release their location information in a generalized form to participating buddies. The paper presents two new protocols providing complete privacy with respect to the SP, and controllable privacy with respect to the buddies. The analytical and experimental analysis of the protocols takes into account privacy, service precision, and computation and communication costs, showing the superiority of the new protocols compared to those that have appeared in the literature to date. The proposed protocols have also been tested in a full system implementation of the proximity service.

Keywords: Proximity services, geo-social networks, location-based services, location privacy

S. Mascetti, D. Freni, and C. Bettini
DICo, Università degli Studi di Milano
E-mail: {mascetti,freni,[email protected]

X.S. Wang
Department of CS, University of Vermont
E-mail: [email protected]

S. Jajodia
CSIS, George Mason University
E-mail: [email protected]

1 Introduction

A geo-social network is an extension of a social network in which the geographical positions of participants and of relevant resources are used to enable new information services. These networks are mostly motivated by the increased availability of GPS-enabled mobile devices that support both Location-Based Services (LBSs) and easy access to the current social networks.

As in most social networks, each user has a contact list of friends, also called buddies. A basic service in geo-social networks is the proximity service that alerts the user when any of her buddies is in the vicinity, possibly enacting other activities like visualizing the buddy's position on a map, or activating a communication session with the buddy. Such proximity services, often called friend finder, are already available as part of geo-social networks (e.g., Brightkite^1), as part of a suite of map and navigation services (e.g., Google Latitude^2), or as an independent service that can be integrated with social networks (e.g., Loopt^3).

From a data management point of view, a proximity service involves the computation of a range query over a set of moving entities issued by a moving user, where the range is a distance threshold value decided by the user. All existing services are based on a centralized architecture in which location updates, issued from mobile devices, are acquired by the SP, and proximity is computed based on the acquired locations.

1 http://brightkite.com
2 http://www.google.com/latitude
3 http://www.loopt.com

Privacy threats in LBS

While proximity services are very attractive for many social network users, the repeated release of information about where the user is at a given time raises severe privacy concerns. This is an issue that has been deeply investigated in the last years for general LBSs, even if no general consensus has been reached about how the privacy problem should be defined, measured and, consequently, alleviated. For this reason we briefly illustrate the general problem before describing our approach.

The lack of agreement observed in the literature is mainly due to the dual role that location information plays in LBS privacy. On one side, location is considered the private data that a user does not want to disclose, because it may be itself sensitive information, or because it may lead to disclosure of sensitive information. For example, by knowing that a user is in a synagogue during an important religious ceremony, an adversary may infer, with a certain probability, the user's religious belief, which may be considered a privacy violation by this user. On the other side, location information may act as a quasi-identifier, i.e., when this information is joined with external data it may compromise the user's anonymity, and hence allow an adversary to associate the user's identity with the sensitive information related to the service. For example, suppose a user subscribes to a location-based dating service using a pseudonym; even if the locations released to the service are not considered sensitive by her, her identity can be recovered by first deriving, from her trace of movements, her home and workplace addresses and then joining these addresses with public data, like a telephone directory. In this way, the adversary can deduce the identity of the dating service user, a privacy violation.

Since the specific position of a user at a given time can play either role illustrated above, two different privacy notions have appeared in the LBS literature: a) location privacy, which assumes that untrusted parties may know the user's identity but not the user's location, or at least not the user's precise location, which is considered sensitive and has to be protected [15,28,18,11], and b) identity privacy, in which the anonymity of the user must be preserved by avoiding the (precise or imprecise) location information being used as a quasi-identifier [10,12,17,7]. Techniques adopted for the second notion (e.g., spatial cloaking to include at least k users in the released location) do not necessarily provide privacy guarantees for the first notion, and vice versa. In Section 2 we shortly review the main techniques applicable to proximity services, including approaches trying to address both privacy notions.

The location privacy problem in proximity services

In this paper we consider geo-social network proximity services in which a user usually knows the identity of her buddies, or may easily discover it. In this context, identity privacy is not an issue, since the anonymity of the buddies is not assumed. For this reason, the problem we address is location privacy preservation, i.e., the first notion according to the above discussion. We assume that both SP and buddies are considered as potential adversaries, that is, a) the users do not trust the service provider that will handle their (sensitive) location data, and b) the users would like to control the precision of the location data released to their buddies.

The above assumption of limited trust is formalized in terms of privacy preferences. Regarding a), we make the strong requirement that the SP should not acquire any location information about the users; regarding b), each user can specify the finest precision of the location information that can be disclosed to her buddies, where the precision is in terms of a spatial region of uncertainty containing the current location. For example, user Alice allows her buddy Bob to be notified when she is in proximity, but she wants a) to hide completely her location from the SP, and b) to ensure that whatever proximity threshold (i.e., the radius of the proximity query) Bob is using, he cannot understand where exactly Alice is located within a region decided by herself (e.g., the whole university campus).

Existing proximity services do not offer any protection regarding point a) above other than legal privacy policy statements, and they offer a very limited control regarding point b); for example, some solutions allow the user to limit the location released to the buddies to the precision level of city. Preliminary studies of this problem have appeared in the academic literature [30,18,26,16,25], and are analysed in detail in Section 2, but the solutions provided in these studies have limitations either in terms of safety, system costs, or in terms of flexibility in the specification of user preferences and adversary model.

Contribution

The main contributions of this paper are the following. i) This is the first comprehensive rigorous study of location privacy in proximity services, explicitly taking into account privacy control with respect to buddies. ii) Two new location privacy preserving protocols are designed, formally analyzed, and empirically tested, showing their superiority with respect to existing solutions.

We formally model the privacy preferences that each user can specify as well as the properties that a set of messages, exchanged between a user and the SP, should have in order to satisfy the privacy preferences. To the best of our knowledge, the formal model proposed in this paper is the first one to consider adversaries having a-priori probabilistic knowledge of users' location. For example, it is possible to model the presence of common knowledge, like the fact that a user is more likely to be located in the country where she lives rather than in a foreign one.

models. In Section 4 we illustrate the two proposed protocols, and in Section 5 we study their formal properties, including the satisfaction of privacy requirements, the computational and communication costs, and the service precision. In Section 6 we describe the system implementation, and in Section 7 we report experimental results. Section 8 concludes the paper with a discussion of possible extensions.