We use a different request-response architecture which is performed in two round-trips. The first round-trip is used to get a list of POIs with just their names, locations, and prominence values. In the second round-trip, the mobile application sends the subset of POIs that are of interest to obtain detailed information about those chosen POIs. That is, initially, the user sends a query that includes the keyword(s) along with her location tag to the service provider. Location tags help the server define a wide geographical area wherein objects relevant to the search are identified. The location tag could be the name of a public area, a postal code, a street address, or an exact latitude/longitude of the location. The LSP then responds by sending the set of matching POIs with respect to the user's location. In order to prevent unwarranted data collection and protect the privacy of the user, we adopt a TTP-less protocol in which the client and server ends of the application perform intermediate meta-data exchanges to calculate the final result set. The client-end application uses the meta-data to assess the results with respect to some geographic cloaking area or multiple pseudo-location points. Given this information and the user's privacy preferences, the client-end application can then retrieve the query's answer privately.
One has to note that, in this model, during the first round-trip, the location information is sent as coarsely as possible so that the service provider cannot accurately determine the location of the user. However, when a smaller set of POIs, whose detailed information is desired, is included in the second round-trip, the service provider can easily pinpoint the user's location at a more granular level. So, preventing the service provider from learning a more accurate location of the user when the second query is issued is the core goal of our proposal. In this dissertation, we deal with two approaches to this problem.
1. Encrypting the query in such a way that the service provider cannot tell exactly which POIs the user is looking for extra information on, but is still able to respond with valid results.
2. Anonymizing the queried set of POIs in the second round-trip, for which we propose several approaches.
In either approach, the first round-trip of getting a list of POIs over a large region remains the same. The second round-trip is where LPPMs come into play. Although the techniques used and the exact query differ in the approaches presented, the idea remains common: the attacker should not be able to gain more than an acceptable level of knowledge about the user's location from the second round-trip.
4.3.1 First round-trip
The user starts the process by specifying the search keyword through the client application interface. The client application determines a large geographical area that includes the current position of the user. This can be done by randomly selecting a sufficiently large area (say 500 km²) around the user's location, which could be obtained using the onboard GPS unit. We will refer to this area as the retrieval area, A_R. An example of this query format would be a query such as "cafe in Los Angeles, CA," as is supported by the Radar Search method of the Google Places API. We require such a large A_R to prevent inference attacks against the user's location during this step. The client sends the coordinates of the generated A_R along with the search keyword to the server. After it receives the query, the server compiles it and determines the matching set of POIs. The location information and prominence value of each obtained POI are sent to the client. We aim to reduce the communication overhead by sending only the location and the prominence information instead of entire features (e.g. object names, phone numbers, addresses, etc.) corresponding to each POI at this point. It is assumed that the user does not care if the attacker places her in the large area picked in this step. If the user requires better privacy than this, then the size of A_R can be increased. But beyond some point, the user is better off using an offline approach such as downloaded maps or offline GPS locators.
4.3.2 Second round-trip
In the second round-trip, an LPPM considers the current user location and the list of POIs and their prominence information obtained from the first round-trip to produce a smaller list of POIs that are preferable based on their location and prominence. These preferred POIs are then used in a query to the server to obtain detailed information about them. The number of preferred POIs that the user wishes the algorithm to pick can be configured, represented by a number K. Naturally one can argue that just by increasing K, the user can increase her privacy, as more POIs generally seem to get distributed across larger areas. But this method works only to an extent. Our assumption is that the attacker knows the algorithm and most of the parameters used in the LPPM, and he can pre-calculate the top-K POIs for each location on the map and keep the list ready. Now, if he is able to see the exact top-K POIs used in this step, his job is to match them against his pre-calculated list and determine the exact location of the user. If the LSP is semi-trusted, more sophisticated algorithms are needed. This is because a semi-trusted LSP can easily determine the exact location of the user (or at least narrow it down to a very small area) if it has knowledge of the top-K POIs, as LSPs have vast amounts of geographical data at their disposal [56].
So, based on her desired sensitivity, the user configures the application with an area large enough that she does not care if the attacker locates her there. In the application, this is usually specified by the user in the settings screen, where she can pick a block, mall, subdivision, etc., indicating the acceptable area. This coarseness specification is internally translated into a number representing the side of a square area. Now, the goal of the LPPM is to prevent the attacker from determining the location of the user within an area smaller than the configured square. In order to do this, we present two sets of techniques: one based on encryption and the other based on heuristics. These approaches are presented at a high level in the next two sections, with just enough detail to show the differences in the contents of the second query produced in this step.
[Figure 4.2 content: message sequence between Client and Server. (1) Client to Server: coordinates of large area + search query. (2) Server to Client: location + prominence for all matching POIs. Steps 1 and 2 form the first round-trip. (3) Client to Server: encrypted request for detailed features of top-K POIs. (4) Server to Client: encrypted response for detailed features of top-K POIs. Steps 3 and 4 form the second round-trip.]
Figure 4.2: Client/Server communication steps in PIR based LPPM.
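The following is an added toy simulation of the two round-trips described in Sections 4.3.1 and 4.3.2, written for this page and not the dissertation's own code. It assumes a constructed POI table on a 10 km by 10 km plane, a constructed client scoring rule (prominence divided by one plus the distance to the user), and the attacker model stated in the text: the attacker knows the selection algorithm, pre-computes the top-K set for every grid cell of the retrieval area A_R, and matches an observed (unprotected) second query against that table. The last functions turn this into the check a defender wants: does the region of cells consistent with the query have a bounding square at least as large as the coarseness square the user configured?

```python
"""Two round-trip POI retrieval with a leakage check on an unprotected second query.

Constructed example (not the dissertation's code). Distances are in km, the
scoring rule and the POI table are assumptions made for illustration only.
"""
import math
import random
from typing import List, Set, Tuple

Point = Tuple[float, float]
Area = Tuple[float, float, float, float]  # (xmin, ymin, xmax, ymax)
Poi = Tuple[str, float, float, float]     # (name, x, y, prominence)

# Constructed POI database: name, category (the search keyword), x, y, prominence.
POIS = [
    ("Cafe A", "cafe", 1.0, 1.0, 5.0),
    ("Cafe B", "cafe", 9.0, 9.0, 5.0),
    ("Cafe C", "cafe", 4.0, 5.0, 9.0),
    ("Cafe D", "cafe", 6.0, 5.0, 9.0),
    ("Cafe E", "cafe", 5.0, 2.0, 3.0),
    ("Bank X", "bank", 5.0, 5.0, 8.0),
]
WORLD: Area = (0.0, 0.0, 10.0, 10.0)


def area_contains(area: Area, p: Point) -> bool:
    xmin, ymin, xmax, ymax = area
    return xmin <= p[0] <= xmax and ymin <= p[1] <= ymax


def demo_area(user: Point, side: float, seed: int = 1) -> Area:
    """Client side, round-trip 1: a random square of the given side containing the user (A_R)."""
    rng = random.Random(seed)
    xmin = user[0] - rng.uniform(0.0, side)
    ymin = user[1] - rng.uniform(0.0, side)
    return (xmin, ymin, xmin + side, ymin + side)


def server_first_round(area: Area, keyword: str) -> List[Poi]:
    """Server side, round-trip 1: only name, location and prominence of matching POIs in A_R."""
    return [(n, x, y, p) for n, cat, x, y, p in POIS
            if cat == keyword and area_contains(area, (x, y))]


def top_k(user: Point, pois: List[Poi], k: int) -> Set[str]:
    """Client side, round-trip 2: prefer near, prominent POIs (assumed score = prominence / (1 + distance))."""
    ux, uy = user
    ranked = sorted(pois, key=lambda r: -(r[3] / (1.0 + math.hypot(r[1] - ux, r[2] - uy))))
    return {r[0] for r in ranked[:k]}


def grid_points(area: Area, step: float) -> List[Point]:
    """Candidate user positions the attacker enumerates inside A_R."""
    xmin, ymin, xmax, ymax = area
    nx = int(round((xmax - xmin) / step)) + 1
    ny = int(round((ymax - ymin) / step)) + 1
    return [(xmin + i * step, ymin + j * step) for i in range(nx) for j in range(ny)]


def attacker_candidates(observed: Set[str], pois: List[Poi], area: Area, k: int, step: float) -> List[Point]:
    """Attacker model from the text: pre-compute top-K per cell, keep the cells that match the observed query."""
    return [c for c in grid_points(area, step) if top_k(c, pois, k) == observed]


def bounding_side(cells: List[Point]) -> float:
    """Side of the smallest axis-aligned square covering all candidate cells."""
    xs = [c[0] for c in cells]
    ys = [c[1] for c in cells]
    return max(max(xs) - min(xs), max(ys) - min(ys))


def meets_coarseness(cells: List[Point], configured_side: float) -> bool:
    """Privacy check: the attacker must not localize the user below the configured square."""
    return bounding_side(cells) >= configured_side


def second_round_leakage(user: Point, area: Area, keyword: str, k: int, step: float):
    """Run both round-trips with an unprotected second query and return (query set, candidate cells)."""
    pois = server_first_round(area, keyword)   # round-trip 1
    query = top_k(user, pois, k)               # what round-trip 2 would reveal if sent in the clear
    return query, attacker_candidates(query, pois, area, k, step)


if __name__ == "__main__":
    user = (9.0, 9.0)
    area = demo_area(user, 10.0)
    q, cands = second_round_leakage(user, WORLD, "cafe", 2, 1.0)
    print("A_R:", area, "query:", sorted(q))
    print("attacker region side:", bounding_side(cands), "km; 5 km square ok?", meets_coarseness(cands, 5.0))
```

With the constructed table, a user at (5, 5) asking for K = 2 produces {Cafe C, Cafe D}, a set so common that the consistent cells span the whole 10 km plane; a user at (9, 9) produces {Cafe B, Cafe D}, and the consistent cells fit in a 3 km square, so a configured 5 km coarseness is violated. That is the "works only to an extent" point of Section 4.3.2, and the reason the second query is encrypted or anonymized in the following sections.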