Location privacy of users in mobile systems

From CryptoWiki
Jump to: navigation, search

Location privacy of users in mobile systems – a problem which is becoming more actual with the advent of mobile devices and hardware modules allowing to determine user's position using satellite navigation systems and a variety of algorithms and tools to accurately determine the location of the device using secondary characteristics.


Tools for locationing


GPS (Global Positioning System) - satellite navigation system that allows locationing in the WGS 84 coordinate system as well as time and distance. The system is able to determine the location and speed of the objects under virtually all conditions, and virtually anywhere in the world. It was developed in 1973 by the Ministry of Defense of the United States, currently used including civilian purposes. To make use of it, the device should be equipped with GPS-receiver. The maximum error in determining the location of the object can reach 13 meters; maximum accuracy in case of using complex differential algorithms can reach 10 cm.


GLONASS (rus. ГЛОНАСС – Global Navigation Satellite System) - the second global satellite navigation system after the GPS. Was designed for the Ministry of Defense of Russia, but currently maintained and developed by Roskosmos and JSC "Russian Corporation Rocket and Space Instrumentation and Information Systems." The accuracy of determining the location of an object is lying in the range 1.5 - 6 meters, depending on various conditions.


An auxiliary system which designed to improve positioning accuracy and reduce the time of a "cold" start of GPS and should be used in conjunction with a GPS receiver. System's functionality is usually provided by the cellular operator and comprises of transmitting auxiliary data (approximate location, visible satellites in the area and so on) to the subscriber through the GSM-network.

Cell of Origin

This method for determining the location of a mobile device equipped with GSM module and connected to the GSM network, based on a comparison of the mobile operator's base stations data (one or more) and their locations. Location accuracy with this approach strongly depends on different parameters: the area in which is the mobile device, concentration and number of base stations, activity of the subscriber and his mobility.


TOA (Time of Arrival) and OTD (Observed Time Difference) methods of determining location are based on physical principles of electromagnetic signal spreading. To location subscriber's device, information about the time difference of the signals from several base stations to the mobile device is required. Each of the methods requires GSM network equipment upgrade.

IP-based method

Known external IP address of the device under certain conditions and with necessary data is enough to determine the location of the device up to the gateway router. Usually, information on the relationship of a particular IP-address and / or subnets, to which it belongs, can not be disclosed to anybody (with the exception of judgments at the request of law enforcement) and is owned only by the Internet provider who issued the IP-address. However, information about the country of origin and often about the city of a particular IP-address is publicly available and can be obtained with help of WhoIS service. It should be noted that this method is applicable for mobile device locationing only if it is connected to the Internet via fixed access points (through WLAN networks or via twisted pair).

Services and location data

Search engines

Most of popular search engines such as Google and Yahoo! determines and uses it's user's location. Usually location data is taken into account to display targeted advertising, to provide services and information tied to a particular location (weather, traffic jams, and so on) and for search optimization and analytics.

Social networks

As in search engines, social networks uses location information for displaying targeted advertising. Most of location information is tied to the pictures uploaded by users of the social network. Almost all modern mobile devices puts information about the place where the photo was taken in photo's metadata. File's metadata allows social networks to store and display information about the shooting location.

There is a separate category of social networking services in which user's location information is often the key information. Flickr and Instagram are such networks.


Widely spreaded various services that interact with the user's location directly. Such services (Foursquare and AlterGeo for example) uses user's location to provide various recommendations related to the place, environment and user's interests.

Foursquare, for example, recommends user to visit some places that he likely interested to see among those that are close to his current location. Recommendations are based on user's interests, previously visited sites and the residence time in a particular point. Many of these services allows user to "check in" at any place and share this information with friends and other users.

Mobile operating systems

To date, manufacturers of mobile devices and operating systems are formed a certain approach to the handling of users' personal data including location data. In addition, each of the mobile operating systems provides various tools and approaches for ensuring the confidentiality of this data.


Android OS is developed and manufactured by Google inc. Nevertheless each manufacturer of mobile devices has ability and tools to modify the operating system at its discretion. The vast majority of mobile Android device comes with Google services, that collects and uses information about location of the user. It is worth noting that at the moment there is Google's entire ecosystem, represented by different types of devices (mobile and wearable), each of which can be equipped with it's own location sensors. Typically, Google services requests additional authorization in case of using data from these sensors and third-party sources to improve the accuracy of the positioning.

A very simple mechanism of ensuring confidentiality of subscriber's location was provided in OS versions up to 6. Pre-installed Google services requests user permission for positioning once while first time setting up the operating system. After that authorization for these services can be changed. Third-party applications that are installed by the user must request permission to use location data along with Internet access and other mobile device functions' permissions. Unfortunately, the mechanism has been constructed in such a way that when user installs an application he either have to give all the necessary permits at the same time or not to install a particular application. The disadvantage of this approach is that the strong need for a user in an application rather makes him to put up with the possible loss of confidentiality of his location than abandon installation of the application.

Starting from version 6.X Android provides an enhanced mechanism of permission management for applications allowing user to deny the application's access to a part of the requested features and allow access to others. Thus, in the latest versions of Android OS protecting location data from the third-party services has been made much easier.


iOS since earlier versions supports advanced privacy settings that are similar to Android 6.X settings. Thus it is possible to disable the operating system from writing location data in metadata of images taken with the camera of the mobile device.

Approaches to ensure location privacy of mobile users

The problem of providing location privacy of mobile users is complex and it's solution depends not only on the actions of the user, but also on the policy of software, mobile devices and mobile operating systems manufacturers, Internet service providers and mobile operators. User location data in different systems (GSM networks, wired Internet access points) are side and can not be hidden by the user by virtue of the system's structure. On the other hand mobile users themselves provides their location data to service providers in order to obtain service. Thus ensuring the confidentiality of location data makes to create a regulatory framework consisting of laws and regulations governing the procedure of dealing with location data.

However, in the case of the need of ensuring location privacy it can be used a variety of software and hardware (directional antennas for connecting to remote mobile operator's base station, different base station selecting algorithms), protocols and services (proxy, VPN) that are reduces the accuracy of locating or completely distorts the data. Today, there are few scientific papers on the concealment of the user's location in the mobile networks.

Providing location confidentiality through Group Relations (MobiCrowd)

The method of providing location privacy through group relations considering a finite number of users on a territory divided into regions. Each user is described by a Markov chain on the group of regions, which allows to estimate the probability Pu (Ri | Rj), with which the user u will move to the region Ri with the probability π (Rj) his stay in the region Rj. Each user within the described system has a mobile device supporting the Ad-Hoc connections and connected to WLAN and to a mobile network.

The paper deals with the interaction of user's mobile device with Location Based Services, provided by mobile operator, through which user's location data can be obtained by third parties. It should be noted that the authors of the paper do not consider the local observation of the user (when the attacker gets information about the location of the user in the immediate vicinity) and is aimed, first of all, to conceal the location from the "global" observer which interacting with the cellular operator. Thus the user model in addition to the Markov chain includes LBS' messaging frequency, as well as the time during which the location information is relevant.

Providing location privacy using the group communication is achieved by storing information about the location of a user or a group of users in the immediate vicinity to the point of receipt of the user information and then sending this information to other users in the region. Thus each user gets location information without disclosing his location to mobile operator's services.

The method is based on proxy-service which is in between the user and the LBS. Mobile device handles some software which contains a buffer for temporary storing information about the location, as well as some tools for redirecting traffic that contains information about the location. The system determines three different user groups and two types with respect to some region:

  • Seeker – users that are interested in getting location-specific information about a region are called information seekers of that region. A Seeker who leaves the region after requesting information about that region is called an Outsider Seeker. As long as a Seeker user stays in the region that she seeks information about, she is called an Insider Seeker.
  • Informed - each user with valid information about a region is termed informed user for that region. If they are inside the region (called Insider Informed), they accept to spread the information at each contact with a Seeker user with some probability. If they are outside the region they called Outsider Informed.
  • Removed - users who do not have information and are not currently interested in obtaining information are in the removed state. An Insider Removed user becomes a Seeker if the user becomes interested in obtaining information about the region.

Probability of location enclosure

Probability of hiding locations using this method is determined by the time during which a user does not interact the LBS to obtain location information. Accordingly no longer requests to LBS the higher the probability of hiding location. However even the concealment of a part of the regions has at least two advantages: the user is much more difficult to be traced because loosing track in both time and space and at some point observer may be confused by signs of other users which complicates the analysis of the trace; a smaller set of user requests to the LBS complicates user's identification.

In addition to frequency of requests the lifetime of location data and the level of user's interaction (collaboration) with MobiCrowd are also affects. Higher the frequency of requests and higher the level of interaction the more this method reduces the probability of locating user. Given the high rate packet exchange information about the location and level of interaction > 0.6 MobiCrowd reduces the probability of locating by 6.5 times.


This method has been implemented and tested by the authors of the paper. The resulting implementation is an application for the Maemo platform does not require any modifications to the system and has low requirements of the mobile device's resources.

The application works as a proxy-service and redirects user's HTTP traffic. Beyond the basic algorithms implementation comprises tools for signing location reports (OpenSSL) as well as tools to eliminate the personified information (MAC, etc.) from the data messages.

Location privacy using fake data (Dummy-Based Location Privacy)

A method of hiding a user's mobile device location using fake information involves the use of a client-server model without introducing additional proxy-services between the client and the server. This method comparing to MobiCrowd does not makes user to regularly spread information about the location.

In terms of the method there is the original expression of the location Q ( 'original query' ) defined as Q = (pos, P) where pos - the location of the user and P - a set of parameters associated with the user. This expression is converted to Q '(' location privacy query '), Q' = (pos1, pos2, ..., posk, P) where the posi - fictional location, and P - parameter of the original expression applicable to each parameter pos. It is worth noting that P is stored for each location setting assuming every fake location provides a sufficient level of confidentiality. Thus achieved k-1 location privacy.

Circular algorithm of generating fake locations (Cir Dummy)

Круг фиктивных местоположений

Generating fake locations using a circular algorithm begins with defining the center of the circle r within which will be covering all locations. Circle center pos' randomly determined assuming rmin ≤ dist (pos, pos') ≤ r where dist - Euclidean distance between the pos and pos'.

Algorithm 'CirDummy' :

Input: location pos, anonymity factor k, anonymity area s, coefficient p.

1. ← θ 2 · π / k; ← r 2 · s / (k · sinθ)

2. assume the pos ' at random, taking into account the dist (pos, pos') ∈ [ρ · r, r]

3. Create an empty array K [0..k - 1]; K [1] ← pos

4. for i from 1 to k-1

5. assume pos ' at random, taking into account the dist (pos', p) ∈ [ρ · r, r]

6. and ∠p pos' K [i-1] = θ 7. K [i] ← p

8. idx ← random (0, k - 1)

9. swap K [0] and K [idx]

10. return K and idx

The algorithm first calculates the upper radius limit r of the virtual circle and the angle between any pair of locations (1). Further randomly determined virtual center circle pos' (2) that its distance from pos lies in [p · r, r]. Then an empty array with length K is initialized with the first element pos (3). Further it's generating K - 1 fake locations: their distance to the center pos 'limited [p · r, r] whereas they are distributed evenly in terms of angles relative to the pos' (4-6). After the formation of fake locations randomly selected index idx in the range [0, k - 1]. The actual location is swapped with the element at index idx (7-8). The output of the algorithm is k and idx.

This algorithm makes possible to extend the zone of location privacy by 0.9 square kilometers at the desired area of ​​1 sq km assuming sqr (p) = 0.75.

Server side calculations

1. initialize the result vector R

2. create vector L for mask storing

3. for i from 1 to k:

4. send (Q'.posi, Q'.P) in the query processor and get Ri
5. for each point pt ∈ Ri:
6. if pt in R j, set bit i in L [j]
7. else
8. put pt in R
9. create a mask bmp with bit i set
10. put bmb into L

11. send R and L to the client

The probability of locating user

Use of this algorithm reduces the number of transmitted information about the location of the user up to 20% of the original amount. At the same time it ensures blur of zone of user location making it difficult to be determined. Each of these factors positively affects the level of confidentiality of the user's location. However with all the pros and low costs this algorithm has one serious drawback - it does not take into account and does not rule out the location in which the user can not physically be due to various reasons.



Go to bibliography of Location privacy of users in mobile systems.