Privacy-Preserving Optimal Meeting Location Determination on Mobile Devices

Abstract:
Equipped with state-of-the-art smart phones and mobile devices, today's highly interconnected urban population is increasingly dependent on these gadgets to organize and plan their daily lives. These applications often rely on the current (or preferred) locations of individual users or of a group of users to provide the desired service, which jeopardizes their privacy: users do not necessarily want to reveal their current (or preferred) locations to the service provider or to other, possibly untrusted, users. In this paper, we propose privacy-preserving algorithms for determining an optimal meeting location for a group of users. We perform a thorough privacy evaluation by formally quantifying the privacy loss of the proposed approaches. In order to study the performance of our algorithms in a real deployment, we implement and test their execution efficiency on Nokia smart
phones. By means of a targeted user study, we attempt to get insight into the privacy-awareness of users in location-based services and the usability of the proposed solutions.

GLOBALSOFT TECHNOLOGIES
IEEE PROJECTS & SOFTWARE DEVELOPMENTS
IEEE FINAL YEAR PROJECTS|IEEE ENGINEERING PROJECTS|IEEE STUDENTS PROJECTS|IEEE
BULK PROJECTS|BE/BTECH/ME/MTECH/MS/MCA PROJECTS|CSE/IT/ECE/EEE PROJECTS
Architecture Diagram:

Existing System:
The rapid proliferation of smart phone technology in urban communities has enabled mobile users to utilize context-aware services on their devices. Service providers take advantage of this dynamic and ever-growing technology landscape by proposing innovative context-dependent services for mobile subscribers. Location-Based Services (LBS), for example, are used by millions of mobile subscribers every day to obtain location-specific information. Two popular features of location-based services are location check-ins and location sharing. By checking into a location, users can share their current location with family and friends or obtain location-specific services from third-party providers. The obtained service does not depend on the locations of other users. The other type of location-based services, which rely on the sharing of locations (or location preferences) by a group of users in order to obtain some service for the whole group, is also becoming popular. According to a recent study, location sharing services are used by almost 20% of all mobile phone users. One prominent example of such a service is the taxi-sharing application, offered by a global telecom operator, where smart phone users can share a taxi with other users at a suitable location by revealing their departure and destination locations. Similarly, another popular service enables a group of users to find the most geographically convenient place to meet.
Disadvantages:
1. Privacy of a user's location or location preferences, with respect to other users and the third-party service provider, is a critical concern in such location-sharing-based applications. For instance, such information can be used to de-anonymize users and their availabilities, to track their preferences or to identify their social networks. For example, in the taxi-sharing application, a curious third-party service provider could easily deduce home/work location pairs of users who regularly use its service.
2. Without effective protection, even sparse location information has been shown to provide reliable information about a user's private sphere, which could have severe consequences for the user's social, financial and private life. Even service providers who legitimately track users' location information in order to improve the offered service can inadvertently harm users' privacy if the collected data is leaked in an unauthorized fashion or improperly shared with corporate partners.
Proposed System:
We propose two algorithms for solving the above formulation of the FRVP problem in a privacy-preserving fashion, where each user participates by providing only a single location preference to the FRVP solver or the service provider. In this significantly extended version of our earlier conference paper, we evaluate the security of our proposal under various passive and active adversarial scenarios, including collusion. We also provide an accurate and detailed analysis of the privacy properties of our proposal and show that our algorithms do not provide any probabilistic advantage to a passive adversary in correctly guessing the preferred location of any participant. In addition to the theoretical analysis, we also evaluate the practical efficiency and performance of the proposed algorithms by means of a prototype implementation on a test bed of Nokia mobile devices. We also address the multi-preference case, where each user may have multiple prioritized location preferences. We highlight the main differences, in terms of performance, with the single-preference case, and also present initial experimental results for the multi-preference implementation. Finally, by means of a targeted user study, we provide insight into the usability of our proposed solutions.
Advantages:
We address the privacy issue in LSBSs by focusing on a specific problem called the Fair Rendez-Vous Point (FRVP) problem. Given a set of user location preferences, the FRVP problem is to determine a location among the proposed ones such that the maximum distance between this location and all other users' locations is minimized, i.e., it is fair to all users.
Goal:
Our goal is to provide practical privacy-preserving techniques to solve the FRVP problem, such that neither a third party nor participating users can learn other users' locations; participating users only learn the optimal location. The privacy issue in the FRVP problem is representative of the relevant privacy threats in LSBSs.
Algorithms:
Our proposed algorithms take advantage of the homomorphic properties of well-known cryptosystems, such as BGN, ElGamal and Paillier, in order to privately compute an optimally fair rendez-vous point from a set of user location preferences.
Implementation Modules:
1. User Privacy
2. Server Privacy
3. PPFRVP protocol
4. Privacy Under Multiple Dependent Executions
User Privacy:
The user-privacy of any PPFRVP algorithm A measures the probabilistic advantage that an adversary u_a gains towards learning the preferred location of at least one other user (except the final fair rendez-vous location) after all users have participated in the execution of the PPFRVP protocol. An adversary in this case is a user participating in A. We express user-privacy as three different probabilistic advantages.
1. First, we measure the probabilistic advantage of an adversary u_a in correctly guessing the preferred location L_i of any user u_i ≠ u_a. This is referred to as the identifiability advantage.
2. The second measure of user-privacy is the distance-linkability advantage, which is the probabilistic advantage of an adversary u_a in correctly guessing whether the distance d_{i,j} between any two participating users u_i ≠ u_j is greater than a given parameter s, without learning any users' preferred locations L_i, L_j.
3. The coordinate-linkability advantage, denoted Adv^{c-LNK}_{u_a}, is the probabilistic advantage of an adversary u_a in correctly guessing whether a given coordinate x_i (or y_i) of a user u_i is greater than the corresponding coordinate(s) of another user u_j ≠ u_i, without learning the users' preferred locations L_i, L_j.
Server Privacy:
For the third-party (LDS) adversary, the game definitions are similar to those defined for a user adversary, except that the LDS does not receive L_fair in Step 2 of the game. The server-privacy of a PPFRVP algorithm A can then be defined as follows. Definition 3: An execution of the PPFRVP algorithm A is server-private if the identifiability advantage Adv^{IDT}_{LDS}(A), the distance-linkability advantage Adv^{d-LNK}_{LDS}(A) and the coordinate-linkability advantage Adv^{c-LNK}_{LDS}(A) of an LDS are negligible. In practice, users will execute the PPFRVP protocol multiple times with either similar or completely different sets of participating users, and with the same or a different location preference in each execution instance. Thus, although it is critical to measure the privacy leakage of the PPFRVP algorithm in a single execution, it is also important to study the leakage that may occur over multiple correlated executions, which in turn depends on the intermediate and final output of the PPFRVP algorithm. We discuss the privacy leakage of the proposed algorithms over multiple executions in Section VI-D.
PPFRVP protocol:
The PPFRVP protocol (shown in the protocol figure) has three main modules:
(A) the distance computation module,
(B) the MAX module and
(C) a third module whose name is garbled in the source.
A) Distance Computation: The distance computation module uses either the BGN-distance or the Paillier-ElGamal distance protocol. We note that modules B and C use the same encryption scheme as the one used in module A. In other words, the encryption operation in those modules uses either the BGN or the Paillier encryption scheme.
B) MAX Computation: In Step B.1, the LDS needs to hide the values within the encrypted elements (i.e., the pairwise distances computed earlier) before sending them to the users.
This is done in order to
(i) ensure privacy of the real pairwise distances,
(ii) be resilient in case of collusion among users and
(iii) preserve the internal order (the inequalities) among the pairwise distances from each user to all other users.
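The following is an added worked example (my own code, not the paper's or the project's implementation) that serves two passages above: the FRVP rule from the Advantages section (choose, among the proposed locations, the one whose largest distance to any other user is smallest) and the MAX module's masking just described, where the LDS scales the encrypted pairwise distances by a secret positive factor and permutes them, so a user learns the order but not the real distances. It assumes, as a simplification, that all users share one Paillier key pair which the LDS does not hold, that the distance module has already handed the LDS E(d_ij) for squared Euclidean distances, and that the final minimum over the users' maxima is found by one more scale-and-permute round; the names run_ppfrvp, lds_mask and user_pick and the sample preferences are mine, and the Paillier parameters are tiny and for demonstration only.

```python
"""Added example, not from the paper: FRVP in the clear beside a masked
MAX round. Assumptions (mine): one shared user key pair, squared
Euclidean distances, a second masked round for the final argmin."""
import math
import random

# Constructed sample input: four users' location preferences (grid units).
PREFS = [(0, 0), (4, 0), (2, 3), (10, 10)]


# ---- minimal textbook Paillier (tiny primes, demonstration only) -----------
def paillier_keygen(p=10007, q=10009):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)      # L(g^lam mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def enc(pk, m, rng):
    n, g = pk
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def dec(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def hom_add(pk, c1, c2):
    """E(a) * E(b) = E(a + b): the additive property the algorithms rely on."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scale(pk, c, k):
    """E(m)^k = E(k * m): multiply a hidden value by a constant only the LDS knows."""
    n, _ = pk
    return pow(c, k, n * n)


def demo_homomorphic_add(a, b, seed=0):
    rng = random.Random(seed)
    pk, sk = paillier_keygen()
    return dec(pk, sk, hom_add(pk, enc(pk, a, rng), enc(pk, b, rng)))


# ---- FRVP in the clear: the value the protocol computes without revealing inputs
def sq_dist(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def frvp(prefs):
    """Index of the preference whose largest distance to any other user is smallest."""
    worst = [max(sq_dist(p, q) for q in prefs) for p in prefs]
    return min(range(len(prefs)), key=worst.__getitem__)


# ---- MAX module with masking -----------------------------------------------
def lds_mask(pk, cts, r, rng):
    """LDS side: scale every ciphertext by the secret r > 0 (order preserving)
    and permute. Returns the masked list and the permutation the LDS keeps."""
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    return [scale(pk, cts[j], r) for j in perm], perm


def user_pick(pk, sk, masked, pick):
    """User side: decrypt the masked values and answer only with a position."""
    vals = [dec(pk, sk, c) for c in masked]
    return pick(range(len(vals)), key=vals.__getitem__), vals


def run_ppfrvp(prefs, seed=1):
    """Returns (fair index, farthest user per user as the LDS learns it,
    the scaled values each user saw in the MAX round)."""
    rng = random.Random(seed)
    pk, sk = paillier_keygen()
    n = len(prefs)
    r = rng.randrange(2, 100)   # one factor per execution; r * r2 * d must stay below N
    # Stage A (distance module, simulated here): the LDS holds E(d_ij) for all pairs.
    enc_d = [[enc(pk, sq_dist(prefs[i], prefs[j]), rng) for j in range(n)]
             for i in range(n)]
    # Stage B (MAX module): user i sees only its permuted, scaled row and returns
    # the argmax position; the LDS keeps that ciphertext, E(r * max_j d_ij).
    enc_max, farthest, seen = [], [], []
    for i in range(n):
        masked, perm = lds_mask(pk, enc_d[i], r, rng)
        pos, vals = user_pick(pk, sk, masked, max)
        enc_max.append(masked[pos])
        farthest.append(perm[pos])
        seen.append(vals)
    # Stage C (argmin over the maxima): the same masking again, so the answering
    # user sees scaled maxima only; the LDS maps the position back to a user.
    masked, perm = lds_mask(pk, enc_max, rng.randrange(2, 100), rng)
    pos, _ = user_pick(pk, sk, masked, min)
    return perm[pos], farthest, seen


if __name__ == "__main__":
    fair, farthest, seen = run_ppfrvp(PREFS)
    print("fair rendez-vous point:", PREFS[fair], "plaintext check:", PREFS[frvp(PREFS)])
    print("what user 0 saw (scaled, permuted):", seen[0])
```

Run on the constructed preferences, the masked rounds return the same fair point as frvp computes in the clear, user 0 sees four values that are all the same unknown multiple of its real distances (so the inequalities survive while the distances themselves do not), and the LDS learns only which position each user reported, which is the order information property (iii) asks for.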
Privacy Under Multiple Dependent Executions:
As defined earlier, in a dependent execution of the PPFRVP protocol, all the involved parties possess information from the previous executions, in addition to the current input, output and intermediate data. It is clear that, due to the oblivious or blind nature of the computations, the privacy guarantees of the proposed PPFRVP protocols with respect to the LDS in dependent executions remain the same as those for independent executions. Furthermore, dependent executions in which the information across executions is completely uncorrelated (e.g., a different set of users in each execution, or different and unrelated preferences in each execution) reduce to independent executions. We analyze two different scenarios of dependent executions involving differential information. First, we consider the case of dependent executions with different subsets of participants. We assume that, in each sequential execution, the set of users or participants is reduced by exactly one (the adversary participant remains until the end), and that the retained participants' preferences remain the same as in the previous execution(s). The following information is implicitly passed across executions in this scenario:
(i) participant set,
(ii) optimal fair location L_fair,
(iii) permuted and randomly scaled pairwise distances from the participant to every other participant, and
(iv) scaled (but order-preserving) maximum distance from every participant to every other participant.
System Configuration:
H/W System Configuration:
Processor - Pentium III
Speed - 1.1 GHz
RAM - 256 MB (min)
Hard Disk - 20 GB
Floppy Drive - 1.44 MB
Key Board - Standard Windows Keyboard
Mouse - Two or Three Button Mouse
Monitor - SVGA
S/W System Configuration:
Operating System: Windows 95/98/2000/XP
Front End: Java, jdk1.E
Database: My sqlserver 2005
Database Connectivity: JDBC
