Privacy-Enhancing Technologies for Mobile Applications and Services

Over a third of the world's population owns a smartphone. As generic computing devices that support a large and heterogeneous collection of mobile applications (apps), smartphones provide a plethora of functionalities and services to billions of users. But the use of these mobile apps and services often introduces privacy risks for users. First, app developers often fail to take into account the fact that as smartphones are generic computing devices, they do not provide adequate privacy and security guarantees for certain types of apps (e.g., those that collect and process sensitive data). As a result, new security and privacy threats are introduced by such apps. Second, due to the lack of privacy by design, apps often over-collect information about users, and can misuse the collected data. Our goal in this thesis is to identify privacy risks in mobile apps and services, and to design privacy-enhancing technologies to mitigate the identified threats. To broaden the impact of our research efforts, we focus on popular apps and services that are currently used by millions of users, and potentially by billions in the future. These include three use-cases: (mobile-health) mHealth apps, ride-hailing services, and activity-tracking services. First, in the case of mHealth apps, we find that the Android operating system allows apps to easily fingerprint and identify other apps installed on the same phone. This causes privacy problems for mHealth apps, because the presence of an mHealth app can already reveal the medical conditions of its users. We investigate the apps' ability to fingerprint other apps and present HideMyApp, a practical system for hiding the presence of sensitive apps on Android. HideMyApp works on stock Android, and no firmware modification or root privilege is required. Second, in ride-hailing services (e.g., Uber), to use the services, riders have to share their pick-up and drop-off locations with service providers. Consequently, the service providers can infer sensitive information about riders' activities (e.g., their visits to health clinics). Therefore, we propose ORide, a privacy-preserving ride-hailing service that efficiently supports the anonymous matching of riders and drivers. Also, ORide still supports functionalities that are often considered as important as privacy, including accountability, payment and reputation-rating operations. Third, in activity-tracking services (e.g., RunKeeper), users report their location-based activities to service providers and obtain rewards based on their performance. However, from the location traces, the service providers can infer sensitive information about the users, e.g., their home/work addresses. Also, to obtain better rewards, the users might try to falsely report their activities to the service providers. Therefore, we propose SecureRun, a solution that enables service providers to compute accurate activity summaries of the users, while guaranteeing the users' location privacy vis-a-vis the service providers. In short, in this thesis, we identify privacy risks in popular mobile apps and services. We show that it is possible to provide them with added privacy, while preserving their rich functionality and usability. We are confident that the contributions presented in this thesis will inspire more future work on protecting users' privacy, not only in the context of mobile apps and services, but also in many other contexts brought about by new technological advances.

Quantifying and Protecting Location Privacy

Reza Shokri

Recent developments in information and communication technologies have been profound and life-changing. Most people are now equipped with smart phones with high computation power and communication capabilities. These devices can efficiently run multiple software applications in parallel, store a non-negligible amount of (personal) user data, process various sophisticated sensors and actuators, and communicate over multiple wireless media. Furthermore, they are commonly equipped with high-precision localization capabilities based, for example, on a GPS receiver or on triangulation with nearby base stations or access points. Mobile applications take advantage of this feature to provide location-based services to users. The ever-increasing usage of these personal communication devices and mobile applications, although providing convenience to their owners, comes at a very high cost to their privacy. Interacting with location-based services (LBSs) leaves an almost indelible digital trace of users' whereabouts. Moreover, the contextual information attached to these traces can reveal users' personal habits, interests, activities, and relationships. Consequently, exposure of this private information to third parties (such as service providers) escalates their power on individuals, and opens the door to various misuses of users' personal data. Individuals have the right, and should also have the means to control the amount of their private (location) information that is disclosed to others. In the context of location-based services, various privacy enhancing mechanisms, such as location obfuscation and user anonymization, are proposed in the literature. However, the existing design methodologies for location-privacy preserving mechanisms do not consistently model users' (privacy and service quality) requirements together with the adversary's knowledge and objectives. Protection mechanisms are instead designed in an ad hoc manner and irrespective of the adversary model. Consequently, there is a mismatch between the goals and results of these protection mechanisms. Furthermore, the evaluation of privacy preserving mechanisms and their comparison remain problematic because of the absence of a systematic method to quantify them. In particular, the assumptions about the adversary model tend to be incomplete, with the risk of a possibly wrong estimation of the users’ location privacy. Arguably, the lack of a generic analytical framework for specifying protection mechanisms and for evaluating location privacy is evident. The absence of such a framework makes the design of effective protection mechanisms and the objective comparisons between them impossible. In this thesis, we address these issues and provide solutions for a systematic quantification and protection of location privacy. To this end, we construct an analytic framework for location privacy. We formalize users' mobility model, their access pattern to location-based services, and their privacy and service quality requirements. We also model location-privacy preserving mechanisms as probabilistic functions that obfuscate users' (location and identity) information before being shared with location-based services. Moreover, in order to quantify users' location privacy, we propose inference mechanisms that measure users' information leakage to third parties. They combine various pieces of information about users and estimate (by establishing a probabilistic belief on) users' private information (e.g., their location at a given time). Therefore, we propose the adversary's expected estimation error as, arguably, the right metric for location privacy. In our inference framework, we formalize the adversary's prior knowledge on users, his observation (on the users' accesses to LBS), and his inference objectives (e.g., re-identifying or localizing users). We assume that adversary constructs a (mobility) profile for each user, to be used in his inference attacks. We make use of statistical tools to construct these profiles, given users' partial traces. Moreover, we model the inference attacks as the estimation of users' actual locations, given their profiles and their LBS accesses (observed by the adversary). We mainly use Bayesian inference to perform the estimation. In particular, we use known inference algorithms for hidden Markov models to design de-anonymization, localization, and tracking attacks. To cover more adversary's objectives, we propose an algorithm for generic location inference attacks, based on Markov-chain Monte-Carlo methods. We also provide a software tool: the Location-Privacy and Mobility Meter (LPM). It is designed based on our formal framework for evaluating the effectiveness of various location-privacy preserving mechanisms and quantifying users' location privacy. As an example, using LPM, we validate the efficacy of existing location obfuscation and anonymization mechanisms on real location traces. We show that other metrics (k-anonymity and entropy) are not correlated with the adversary's success (in learning users' private information), thus are inappropriate as privacy metrics. Our results also confirm that anonymization alone is a weak location-privacy preserving mechanism. Moreover, our results show how the resilience of a protection mechanism varies with respect to different inference attacks. Hence, it is a necessity for privacy protection mechanisms to be designed with concrete attack objectives in mind. Relying on these findings, we design optimal location obfuscation techniques tailored against localization attacks. A user needs a protection mechanism that maximizes her location privacy. This is at odds with the objectives of the adversary who designs inference attacks that minimize his estimation error. We propose a game-theoretic methodology that models the conflicting objectives of user and adversary simultaneously. More precisely, we model the problem as a Bayesian Stackelberg game and solve it by using linear programming. In the optimization problem, users constrain the protection mechanism to respect their service quality requirements. This enables us to find the optimal point in the tradeoff curve between privacy and service quality that satisfies both user privacy and service quality requirements. Our results indicate that anticipating for the inference attacks and considering the adversary's knowledge lead to the design of more effective protection mechanisms. This thesis is a step towards a more systematic modeling, analysis, and design of (location) privacy enhancing technologies. We believe that our analytical approach can be used to quantify and protect privacy in scenarios and domains that are not covered in this thesis.

EPFL2012

Access control and privacy in location-aware applications

Maria Luisa Damiani

The topic addressed in this thesis concerns the relationship between spatial knowledge and information protection in a mobile setting. The proliferation of mobile devices in an increasingly connected world raises growing concern for information security and privacy. For example, sensitive data recorded in corporate and networked information systems can be accessed from uncontrolled locations, downloaded on mobile terminals and disclosed to unauthorized third parties. The protection of information against improper use and modification in a mobile context poses research questions which solicit the investigation of unconventional protection strategies. In such a perspective, this thesis investigates how to provide strong control over information access based on knowledge of location and movement of individuals. Indeed, the use of spatial information for secure access support has been prospected in mid nineties, yet such a vision has not had a significant follow-up at research level. This work focuses on the definition of a comprehensive framework for the specification and enforcement of spatially-aware access control policies. Policies are spatially-aware in that the access authorization depends on the position of users. The core contribution of this work is the GEO-RBAC model, a role-based access control model that complies with current standards in access control and geo-spatial data representation. In addition, two further models have been specified, which are, to some extent, complementary to GEO-RBAC: the former is a decentralized administration model for the specification of GEO-RBAC access control policies in large organizations; the latter is a location privacy model which can be integrated into the GEO-RBAC framework to protect personal location information, for example in Location Based Services applications. The thesis addresses also issues related to the design of a system based on GEO-RBAC: an architecture has been defined based on which a prototype has been then developed. The use of geographical knowledge in security is a novel area of research and that motivates the existence of several open issues. Some of these have been discussed in the dissertation and a possible direction of research has been finally prospected for future activity.

EPFL2008

Quantifying and Protecting Location Privacy

Reza Shokri

Recent developments in information and communication technologies have been profound and life-changing. Most people are now equipped with smart phones with high computation power and communication capabilities. These devices can efficiently run multiple software applications in parallel, store a non-negligible amount of (personal) user data, process various sophisticated sensors and actuators, and communicate over multiple wireless media. Furthermore, they are commonly equipped with high-precision localization capabilities based, for example, on a GPS receiver or on triangulation with nearby base stations or access points. Mobile applications take advantage of this feature to provide location-based services to users. The ever-increasing usage of these personal communication devices and mobile applications, although providing convenience to their owners, comes at a very high cost to their privacy. Interacting with location-based services (LBSs) leaves an almost indelible digital trace of users’ whereabouts. Moreover, the contextual information attached to these traces can reveal users’ personal habits, interests, activities, and relationships. Consequently, exposure of this private information to third parties (such as service providers) escalates their power on individuals, and opens the door to various misuses of users’ personal data. Individuals have the right, and should also have the means to control the amount of their private (location) information that is disclosed to others. In the context of location-based services, various privacy enhancing mechanisms, such as location obfuscation and user anonymization, are proposed in the literature. However, the existing design methodologies for location-privacy preserving mechanisms do not consistently model users’ (privacy and service quality) requirements together with the adversary’s knowledge and objectives. Protection mechanisms are instead designed in an ad hoc manner and irrespective of the adversary model. Consequently, there is a mismatch between the goals and results of these protection mechanisms. Furthermore, the evaluation of privacy preserving mechanisms and their comparison remain problematic because of the absence of a systematic method to quantify them. In particular, the assumptions about the adversary model tend to be incomplete, with the risk of a possibly wrong estimation of the users’ location privacy. Arguably, the lack of a generic analytical framework for specifying protection mechanisms and for evaluating location privacy is evident. The absence of such a framework makes the design of effective protection mechanisms and the objective comparisons between them impossible. In this thesis, we address these issues and provide solutions for a systematic quantification and protection of location privacy. To this end, we construct an analytic framework for location privacy. We formalize users’ mobility model, their access pattern to location-based services, and their privacy and service quality requirements. We also model location-privacy preserving mechanisms as probabilistic functions that obfuscate users’ (location and identity) information before being shared with location-based services. Moreover, in order to quantify users’ location privacy, we propose inference mechanisms that measure users’ information leakage to third parties. They combine various pieces of information about users and estimate (by establishing a probabilistic belief on) users’ private information (e.g., their location at a given time). Therefore, we propose the adversary’s expected estimation error as, arguably, the right metric for location privacy. In our inference framework, we formalize the adversary’s prior knowledge on users, his observation (on the users’ accesses to LBS), and his inference objectives (e.g., re-identifying or localizing users). We assume that adversary constructs a (mobility) profile for each user, to be used in his inference attacks. We make use of statistical tools to construct these profiles, given users’ partial traces. Moreover, we model the inference attacks as the estimation of users’ actual locations, given their profiles and their LBS accesses (observed by the adversary). We mainly use Bayesian inference to perform the estimation. In particular, we use known inference algorithms for hidden Markov models to design de-anonymization, localization, and tracking attacks. To cover more adversary’s objectives, we propose an algorithm for generic location inference attacks, based on Markov-chain Monte-Carlo methods. We also provide a software tool: the Location-Privacy and Mobility Meter (LPM). It is designed based on our formal framework for evaluating the effectiveness of various location-privacy preserving mechanisms and quantifying users’ location privacy. As an example, using LPM, we validate the efficacy of existing location obfuscation and anonymization mechanisms on real location traces. We show that users’ location privacy measured by existing popular metrics, k-anonymity and entropy, is not correlated with the adversary’s success (in learning users’ private information), thus these metrics are inappropriate as privacy metrics. Our results also confirm that anonymization alone is a weak location-privacy preserving mechanism. Moreover, our results show how the resilience of a protection mechanism varies with respect to different inference attacks. Hence, it is a necessity for privacy protection mechanisms to be designed with concrete attack objectives in mind. Relying on these findings, we design optimal location obfuscation techniques tailored against localization attacks. A user needs a protection mechanism that maximizes her location privacy. This is at odds with the objectives of the adversary who designs inference attacks that minimize his estimation error. We propose a game-theoretic methodology that models the conflicting objectives of user and adversary simultaneously. More precisely, we model the problem as a Bayesian Stackelberg game and solve it by using linear programming. In the optimization problem, users constrain the protection mechanism to respect their service quality requirements. This enables us to find the optimal point in the tradeoff curve between privacy and service quality that satisfies both user privacy and service quality requirements. Our results indicate that anticipating for the inference attacks and considering the adversary’s knowledge lead to the design of more effective protection mechanisms. This thesis is a step towards a more systematic modeling, analysis, and design of (location) privacy enhancing technologies. We believe that our analytical approach can be used to quantify and protect privacy in scenarios and domains that are not covered in this thesis.

EPFL2013

Access control and privacy in location-aware applications

Maria Luisa Damiani

EPFL2008

Quantifying and Protecting Location Privacy

Reza Shokri

Recent developments in information and communication technologies have been profound and life-changing. Most people are now equipped with smart phones with high computation power and communication capabilities. These devices can efficiently run multiple software applications in parallel, store a non-negligible amount of (personal) user data, process various sophisticated sensors and actuators, and communicate over multiple wireless media. Furthermore, they are commonly equipped with high-precision localization capabilities based, for example, on a GPS receiver or on triangulation with nearby base stations or access points. Mobile applications take advantage of this feature to provide location-based services to users. The ever-increasing usage of these personal communication devices and mobile applications, although providing convenience to their owners, comes at a very high cost to their privacy. Interacting with location-based services (LBSs) leaves an almost indelible digital trace of users’ whereabouts. Moreover, the contextual information attached to these traces can reveal users’ personal habits, interests, activities, and relationships. Consequently, exposure of this private information to third parties (such as service providers) escalates their power on individuals, and opens the door to various misuses of users’ personal data. Individuals have the right, and should also have the means to control the amount of their private (location) information that is disclosed to others. In the context of location-based services, various privacy enhancing mechanisms, such as location obfuscation and user anonymization, are proposed in the literature. However, the existing design methodologies for location-privacy preserving mechanisms do not consistently model users’ (privacy and service quality) requirements together with the adversary’s knowledge and objectives. Protection mechanisms are instead designed in an ad hoc manner and irrespective of the adversary model. Consequently, there is a mismatch between the goals and results of these protection mechanisms. Furthermore, the evaluation of privacy preserving mechanisms and their comparison remain problematic because of the absence of a systematic method to quantify them. In particular, the assumptions about the adversary model tend to be incomplete, with the risk of a possibly wrong estimation of the users’ location privacy. Arguably, the lack of a generic analytical framework for specifying protection mechanisms and for evaluating location privacy is evident. The absence of such a framework makes the design of effective protection mechanisms and the objective comparisons between them impossible. In this thesis, we address these issues and provide solutions for a systematic quantification and protection of location privacy. To this end, we construct an analytic framework for location privacy. We formalize users’ mobility model, their access pattern to location-based services, and their privacy and service quality requirements. We also model location-privacy preserving mechanisms as probabilistic functions that obfuscate users’ (location and identity) information before being shared with location-based services. Moreover, in order to quantify users’ location privacy, we propose inference mechanisms that measure users’ information leakage to third parties. They combine various pieces of information about users and estimate (by establishing a probabilistic belief on) users’ private information (e.g., their location at a given time). Therefore, we propose the adversary’s expected estimation error as, arguably, the right metric for location privacy. In our inference framework, we formalize the adversary’s prior knowledge on users, his observation (on the users’ accesses to LBS), and his inference objectives (e.g., re-identifying or localizing users). We assume that adversary constructs a (mobility) profile for each user, to be used in his inference attacks. We make use of statistical tools to construct these profiles, given users’ partial traces. Moreover, we model the inference attacks as the estimation of users’ actual locations, given their profiles and their LBS accesses (observed by the adversary). We mainly use Bayesian inference to perform the estimation. In particular, we use known inference algorithms for hidden Markov models to design de-anonymization, localization, and tracking attacks. To cover more adversary’s objectives, we propose an algorithm for generic location inference attacks, based on Markov-chain Monte-Carlo methods. We also provide a software tool: the Location-Privacy and Mobility Meter (LPM). It is designed based on our formal framework for evaluating the effectiveness of various location-privacy preserving mechanisms and quantifying users’ location privacy. As an example, using LPM, we validate the efficacy of existing location obfuscation and anonymization mechanisms on real location traces. We show that users’ location privacy measured by existing popular metrics, k-anonymity and entropy, is not correlated with the adversary’s success (in learning users’ private information), thus these metrics are inappropriate as privacy metrics. Our results also confirm that anonymization alone is a weak location-privacy preserving mechanism. Moreover, our results show how the resilience of a protection mechanism varies with respect to different inference attacks. Hence, it is a necessity for privacy protection mechanisms to be designed with concrete attack objectives in mind. Relying on these findings, we design optimal location obfuscation techniques tailored against localization attacks. A user needs a protection mechanism that maximizes her location privacy. This is at odds with the objectives of the adversary who designs inference attacks that minimize his estimation error. We propose a game-theoretic methodology that models the conflicting objectives of user and adversary simultaneously. More precisely, we model the problem as a Bayesian Stackelberg game and solve it by using linear programming. In the optimization problem, users constrain the protection mechanism to respect their service quality requirements. This enables us to find the optimal point in the tradeoff curve between privacy and service quality that satisfies both user privacy and service quality requirements. Our results indicate that anticipating for the inference attacks and considering the adversary’s knowledge lead to the design of more effective protection mechanisms. This thesis is a step towards a more systematic modeling, analysis, and design of (location) privacy enhancing technologies. We believe that our analytical approach can be used to quantify and protect privacy in scenarios and domains that are not covered in this thesis.

EPFL2013

Quantifying and Protecting Location Privacy

Reza Shokri

EPFL2012