Sage Journals: Discover world-class research

Abstract

To protect users’ private locations in location-based services, various location anonymization techniques have been proposed. The most commonly used technique is spatial cloaking, which organizes users’ exact locations into cloaked regions (CRs). This satisfies the K-anonymity requirement; that is, the querier is not distinguishable among K users within the CR. However, the practicality of cloaking techniques is limited due to the lack of privacy-preserving query processing capacity, for example, providing answers to the user's spatial queries based on knowledge of the user's cloaked location rather than the exact location. This paper proposes a cloaking system model called anonymity of motion vectors (AMV) that provides anonymity for spatial queries. The proposed AMV minimizes the CR of a mobile user using motion vectors. In addition, the AMV creates a ranged search area that includes the nearest neighbor (NN) objects to the querier who issued a CR-based query. The effectiveness of the proposed AMV is demonstrated in simulated experiments.

1. Introduction

With advances in mobile communication technology and the widespread use of GPS-enabled mobile devices, location-based services (LBS) are growing rapidly. In LBS, mobile users issue spatial queries to LBS providers to obtain information based on their geographical locations [1–4]. Typical LBS applications include road navigation, area-specific weather forecasts, map information, automotive traffic monitoring, location-based SNS, and nearest point of interest (POI) queries [5–7].

Because LBS is provided for users based on their locations, users must report their location information to an LBS provider. Although LBS provides valuable services to users, revealing one's private locations to potentially untrustworthy LBS providers poses privacy concerns [8, 9]. Knowledge of a person's location can be used by an adversary to physically locate and identify the person. In fact, there are many real-life scenarios in which perpetrators abuse technologies to gain access to private location information about victims [10]. In an effort to preserve the privacy of LBS users, a number of location anonymization techniques have been studied. In particular, spatial cloaking that blurs a user's exact location into the cloaked regions (CRs) such that the CR satisfies the user-specified K-anonymity requirement has been widely used [11–23].

Several researchers have presented the concept of a location anonymizer, a trusted third party that acts as a middle layer between the user and the LBS server [6]. The anonymizer blurs the users’ exact locations into CRs using existing location anonymization algorithms and sends the CRs, rather than the exact user location, to the LBS server. This mechanism enables the users to obtain the desired LBS without revealing their exact locations to the LBS server. The K-anonymity requirement given by the querier ensures that the CR is K-anonymous (e.g., the querier is indistinguishable among K users within the CR), thus reducing the probability of the querier's location being exposed to untrustworthy parties to 1/K. Because the LBS server does not know the querier's exact location, it can only return a set of candidate answers to the CR-based query.

This paper proposes a cloaking system model called anonymity of motion vectors (AMV), which provides anonymity for spatial queries. The proposed AMV can address user queries based on the user's cloaked location information from the location anonymizer. The AMV minimizes the CR by predicting user movements based on the motion vector. The proposed method can be applicable in both outdoor and indoor environments. For example, a client in the car moves along the road and a cloaked region (CR) can be created based on the client's moving speeds and directions. In indoor environments, the movement range of a client is generally restricted due to various obstacles like walls and doors. This might make the motion vectors produced by the proposed AMV invalid. Nevertheless, the AMV can achieve effective query processing by adjusting the update intervals of the vector according to the size of the indoor space (i.e., the movement range of the client). The main features of the AMV can be summarized as follows: (1)

Client movements are considered when generating a CR that satisfies the user-specified K-anonymity level.

(2)

The user location update cost of the anonymizer can be reduced by allowing the anonymizer to not check the user location from time t to $t + n$ .

(3)

Compared with the previous cloaking model (distributed grid based continuous cloaking (DGCC) (refer to Figure 1) [23], minimum cycle region (MCR) [24], which produces circular CRs (refer to Figure 2)), the AMV generates a smaller CR, thus lowering the query processing time.

Figure 1

An example of the CR creation (4-anonymity).

Figure 2

CRs satisfying 4-anonymity (the previous MCR).

The major notations used throughout this paper are as shown in Notations.

The rest of this paper is organized as follows. Section 2 highlights related works. Section 3 describes the proposed AMV model and depicts the creation of CRs using the previous MCR and proposed AMV. Section 4 describes the creation of $O_{ER}$ for CR-based NN queries. Section 5 presents the equations of the AMV. The experimental results are given in Section 6, and Section 7 concludes the paper.

2. Related Work

To address the location privacy protection of LBS users, many location anonymization techniques have been proposed. Cloaking and K-anonymity are the most commonly used forms of location anonymization [10–22]. Figure 1 depicts an example of the distributed grid based continuous cloaking (DGCC) area creation when the required K-anonymity level is 4 (e.g., $K = 4$ ) [23]. The DGCC method provides the privacy protection of the query issuer by maintaining K-anonymous clients adjacent to the querier. In Figure 1(a), the CR is represented by a minimum bounding circle and contains four mobile clients (q, $C_{2}$ , $C_{3}$ , and $C_{5}$ ) at time t. Figure 1(b) shows the 4-anonymous CR at $t + 1$ . Note that some of the clients have moved and that the CR is enlarged to enclose the original four clients. In Figure 1(a), the radius of the CR is $2 \sqrt{2}$ , and the radius of the CR in Figure 1(b) is $3 \sqrt{2}$ . To avoid such an increase in the CR size, a cloaking algorithm that forms a CR with the $K - 1$ clients that are currently most adjacent to the querier has been proposed. However, the weakness of this approach is that an adversary can guess the actual querier (denoted here by q), who remains constant over time, while other $K - 1$ clients in the CR are continuously being updated (e.g., q, $C_{2}$ , $C_{3}$ , $C_{5}$ → q, $C_{1}$ , $C_{4}$ , $C_{6}$ ) [23].

The cloaking method in [12] considers both K-anonymity and L-diversity. It creates a minimum CR by first finding L number of buildings. After satisfying the L-diversity requirement, it extends the CR to satisfy the K-anonymity requirement (e.g., the CR contains at least K number of users). The New Casper proposed by Mokbel et al. [11] is a research prototype of the framework for anonymous LBS. It satisfies the four requirements of location anonymity: accuracy, quality, efficiency, and flexibility. The cloaking algorithm in [13] employs dummy generation in creating a CR.

To solve the building double counting problem, it adds the building grouping item to the index structure of the existing privacy grid approach and minimizes the CR by finding K users (e.g., K-anonymity) in the grid cells adjacent to the buildings in the CR. However, these previous schemes ignore the client's movements.

Location anonymization techniques for LBS that consider the movement information of mobile users have been suggested [24, 25]. The technique in [24] addresses the anonymization of snapshot and continuous LBS queries. It creates a minimum circular CR based on mobile user's location trajectories. However, this requires tolerance of temporal errors, as the direction and speed of user movement are not taken into account. The technique in [25] considers the user's speed and direction of movement in addition to location. It requires information about the exact location of all user nodes and calculates the querier's movements based on his/her direction of movement and speed. There are some additional anonymization techniques that consider client movements using the Voronoi diagram, road networks, and historical location data [26–29]. However, none of these existing techniques support spatial queries with cloaked areas (e.g., CRs). Recently, a method for private kNN queries has been proposed. It creates a CR for the querier and performs query processing based on the type of objects (e.g., restaurants and cafes) in the CR [30]. This method does not consider K-anonymity while taking into account object types, so it cannot be directly compared with the proposed AMV.

3. Proposed AMV Model

The AMV proposed in this paper considers client movements to create a minimized K-anonymous CR and supports spatial queries with cloaked locations. The system model of the proposed AMV contains three components: the centralized LBS server, the location anonymizer, and the client. The location anonymizer is a trusted third party that is placed between the client and the LBS server [6]. To obtain LBS, the querier sends its location along with the spatial query to the location anonymizer. The location anonymizer that periodically receives location updates from mobile users blurs users’ exact locations into CRs and sends the query, along with the CR, to the LBS server. The anonymizer creates a session ID that is valid during the entire service period for the querier. The LBS server then processes the CR-based query from the anonymizer and returns a candidate list of answers to the anonymizer. Finally, the anonymizer computes the exact query answer from the candidate list and sends it to the querier.

The proposed AMV assumes that the $K - 1$ nearest clients that are most adjacent to the querier are bounded in a CR. This condition is assumed to lower the server overhead, which increases as the CR size increases.

Figure 2 shows the CR produced by the previous MCR method that considers only the user's speed [24]. The dotted rectangle represents a minimum CR that satisfies the 4-anonymity requirement at $t + 1$ . The solid rectangle is a modified version of the CR that encompasses all of the grid cells that are fully or partially included in the initial CR (i.e., the grid cells that are intersected by the initial CR are also enclosed). The CR of the solid rectangle is confirmed as a final CR. Figure 1 shows the CR at t, and the area of this CR is 25.1. The CR at $t + 1$ shown in Figure 2 has a larger area of 88. In Figure 2, the movement radius of each client is represented by a circle because only the speed, not the direction, is known.

Figure 3 presents the CR created by the proposed AMV, which considers the speed and direction of movement using the motion vector. It is assumed that these clients are moving at the same speed as the clients in Figure 2. The 4-anonymous CR at $t + 1$ shown in Figure 3 has an area of 42. In other words, the AMV produces a smaller CR than the MCR.

Figure 3

CRs satisfying 4-anonymity (the proposed AMV).

Compared to the existing technologies, the proposed AMV involves the extra cost of maintaining the speed and direction information of the moving users. However, the user can provide this motion information when submitting the location and K-anonymity parameter information to the LBS server. Thus, the overhead associated with this additional motion information is not significant. Assume that 1 byte of storage is required for the representation of client speed in the AMV and another 1 byte for the representation of client direction. As x- and y-axes exist in the coordinate information of object, it becomes 2 × coordinates (GPS coordinate information generally uses x-axis 4 bytes and y-axis 4 bytes; in case of detailed GPS measurement, the data size on x- and y-axes may increase). The size of object is typically assumed to be from 128 bytes to 1,024 bytes [31]. When the number of clients is 100, the size of data stored in the server is 1,000 bytes in the AMV, 900 bytes in the MCR, and 800 bytes in the DGCC. The DGCC yields the smallest data size, but it has a drawback that its data size increases by t times whenever an update is made. Note that the proposed work is not intended to reduce the data size maintained in the clients. This work aims to minimize the data to be delivered by the server by discovering $O_{ER}$ and $O_{EN}$ in response to the client query. In other words, the proposed method intends to address the problems caused by the growth of CR sizes. For example, the CR of the MCR is larger than the CR of the AMV, which can lead to increased $O_{ER}$ and $O_{EN}$ (see Sections 3 and 4). As $O_{EN}$ of the MCR is greater than $O_{EN}$ of the AMV, the MCR gets heavier server overheads than the AMV. The client's mobility pattern follows the random waypoint mobility model [32], which is widely used.

4. Finding $O_{ER}$ in NN Queries

This section illustrates how to create $O_{ER}$ for a CR-based NN query.

In Figure 4, it is assumed that there are no objects inside the CR. The CR of the AMV described in Section 3 is used to find $O_{ER}$ . The solid rectangle in Figure 4 represents the CR of a mobile user who issued a query, and the dotted rectangle denotes a search area where the nearest object to the CR is found. To create an $O_{ER}$ , one must first check the CR and then spread out to the neighboring grid cells around the CR one by one, until the nearest neighbor object $O_{N}$ is found. Here, the nearest object found is $O_{3}$ . Then, the top-left vertex of the CR (denoted by “A”) that is farthest from $O_{3}$ is connected to $O_{3}$ , which creates a line segment. Vertex A becomes the center of a circle whose radius is the distance between A and $O_{3}$ ; for example, $dist (O_{3}, A) = maxdistance (maxdist)$ . The grid cells within this circle and those intersected by this circle become $O_{ER}$ (the shaded area in Figure 4). If there is more than one object nearest to the CR, for example, $dist (CR, O_{i}) = dist (CR, O_{i + 1})$ , $O_{i}$ is prioritized over $O_{i + 1}$ .

Figure 4

Primary $O_{ER}$ generation (filtering).

Algorithm 1 describes the primary identification (filtering) of $O_{ER}$ depicted in Figure 4.

Algorithm 1: 1st $O_{ER}$ creation (filtering).

input: CR

output: $O_{ER}$

01: check the CR;

02: while ( $k \geq 1$ )

03: {take the grid cells around the CR one by one, e.g., the upper, lower, leftward, rightward, and diagonal grid cell of the CR is

added by 1}

04: terminate the iteration when $O_{N}$ is found

05: if (there exist more than one object with the same distance to the CR), then choose the one with a lower ID number as $O_{N}$

06: result = create a circle centering on the CR vertex farthest from $O_{N}$ with maxdist as the radius;

07: if (result ⊃ grid)

08: result = result ∪ grid;

09: return result;

The initial $O_{ER}$ returned by Algorithm 1 is insufficient to answer the user's exact NN query. In Figure 4, one can see there is an object other than $O_{3}$ that is nearer to the querier; for example, $dist (q, O_{3}) > dist (q, O_{4})$ . Algorithm 1 provides an inaccurate answer, in which the actual nearest object to the querier is $O_{4}$ . To resolve this problem, the secondary (refined) $O_{ER}$ creation is suggested.

Figure 5 depicts the secondary creation of $O_{ER}$ . In addition to the $O_{ER}$ found in the primary creation, other regions that can include the answers (e.g., the NN objects) to the CR-based query are located. The CR vertex that is farthest from $O_{3}$ (e.g., A) and the CR vertex with the shortest distance from $O_{3}$ (e.g., D) are excluded. Note that the distance between D and $O_{3}$ is denoted by mindistance (mindist). The distance from $O_{3}$ to the other two vertices B and C is denoted by minmaxdistance (minmaxdist). Of these two vertices, the one that is farther from $O_{3}$ is denoted by ${minmaxdist}_{L}$ ; that is, $dist (O_{3}, B) > dist (O_{3}, C)$ , and the other one is ${minmaxdist}_{S}$ . The $O_{ER}$ of each of the ${minmaxdist}_{L}$ and ${minmaxdist}_{S}$ is generated in the same way that the primary $O_{ER}$ is generated.

Figure 5

Secondary $O_{ER}$ generation (refinement).

The final $O_{ER}$ (the shaded area in Figure 5) includes the grid cells in the $O_{ER}$ of ${minmaxdist}_{L}$ and ${minmaxdist}_{S}$ , as well as those in the original $O_{ER}$ . With this final $O_{ER}$ , the exact answer to the user's NN query can be found.

Algorithm 2 describes the secondary creation (refinement) of $O_{ER}$ depicted in Figure 5.

Algorithm 2: 2nd $O_{ER}$ creation (refinement).

input: $O_{ER}$ from the first creation, $O_{N}$ , four vertices of the CR (A, B, C, D)

output: refined $O_{ER}$

01: check the vertices of the CR;

02: exclude mindist and maxdist;

03: create the circles of vertices B and C using the first $O_{ER}$ creation algorithm (e.g., create circles centering on B and C,

respectively, with ${minmaxdist}_{L}$ and ${minmaxdist}_{S}$ as their radius)

04: Result = (the circle of B ∪ the circle of C);

05: Result = Result ∪ grid;

06: Result = Result ∪ result of Algorithm 1;

07: return Result;

In the event that objects exist inside the CR, the creation of $O_{ER}$ does not differ, and Algorithms 1 and 2 can be applied in the same manner. This is depicted in Figure 6.

Figure 6

$O_{ER}$ creation for the NN object inside the CR.

5. AMV Equations

This section defines the proposed AMV and the previous MCR using equations. $dist (x, y)$ denotes the distance between x and y. $\vec{x}$ denotes the vector of x. Equations (1) and (2) express how to calculate the CR of a moving user in the MCR and AMV, respectively. The DGCC does not consider (estimated) client movements so it does not create a CR of the user who issued a query. In the DGCC, the location of the querier is represented with coordinates. However, the DGCC provides K-anonymity, so the coordinates of the querier are protected. $(X, x)$ and $(Y, y)$ denote coordinates. The associated conditions are $X \geq x$ and $Y \geq y$ :

\begin{array}{l} MCR's CR = \sqrt{dist {(x_{\min}, x_{\max})}^{2} + dist {(y_{\min}, y_{\max})}^{2}} \\ \times π, \end{array}

(1)

\begin{array}{l} DGCC's CR = (x, y), \end{array}

(2)

\begin{array}{l} AMV's CR = \vec{x} \times \vec{y} . \end{array}

(3)

The computation of the CR that satisfies the K-anonymity requirement in the AMV is represented in

\begin{matrix} K -AMV = dist (x_{\min}, x_{\max}) \times dist (y_{\min}, y_{\max}), \end{matrix}

(4)

where

{\vec{x}}_{1} \geq {\vec{x}}_{2}, {\vec{x}}_{\min}

denotes the smallest value in the x-axis of vector

{\vec{x}}_{2}

and

{\vec{x}}_{\max}

denotes the largest value in the x-axis of

{\vec{x}}_{1}

. In the y-axis, the same conditions as those in the x-axis are applied.

In comparison with the AMV, the circular CR of the MCR is transformed into a quadrate CR. The CR represented by a square is 1.17 times larger than the circular CR. If there are grid cells that intersect the CR, the CR is extended to enclose them. This decreases the error rate involved in CR-based queries. The equation below computes the CR of the MCR that satisfies the K-anonymity requirement:

\begin{matrix} K -MCR = dist (X_{\min}, X_{\max}) \times dist (Y_{\min}, Y_{\max}) . \end{matrix}

(5)

Similar to K-AMV, ${\vec{X}}_{\min}$ denotes the smallest value along the x-axis of ${\vec{X}}_{2}$ , whereas ${\vec{X}}_{1} \geq {\vec{X}}_{2}$ . ${\vec{X}}_{\max}$ denotes the largest value along the x-axis of ${\vec{X}}_{1}$ . These x-axis conditions are applied to the y-axis as well.

To represent the K-DGCC of the DGCC into an equation, the following definitions are made. When $C = {C_{1}, C_{2}, \dots, C_{n}}$ , K-anonymous clients satisfying the DGCC requirements are denoted as $K C = {C_{1}, C_{2}, \dots, C_{K}}$ :

\begin{array}{l} K -DGCC = dist (X_{\min \subset K C}, X_{\max \subset K C}) \\ \times dist (Y_{\min \subset K C}, Y_{\max \subset K C}) \end{array}

(6)

$X_{\min}$ ( $X_{\max}$ ) of K-DGCC denotes the clients that are located close to the querier, whereas $X_{\max}$ denotes those far from the querier. Only the clients that satisfy $K C ∋ {X_{\min}, X_{\max}, Y_{\min}, Y_{\max}}$ can be included in the CR of K-DGCC.

The case of having objects inside the CR ( $O_{N} \in CR$ ) and the case of having no object inside the CR ( $O_{N} \notin CR$ ) can be distinguished by developing the equations associated with CR-based NN query processing. Among the four vertices of the K-anonymous CR (e.g., A, B, C, and D), maxdist denotes the vertex farthest from $O_{N}$ , and mindist denotes the shortest CR vertex from $O_{N}$ . The distance from $O_{N}$ to the other two vertices is denoted by minmaxdist. Of these vertices, ${minmaxdist}_{L}$ denotes the vertex farther from $O_{N}$ , and ${minmaxdist}_{S}$ denotes the other one. When $dist (O_{N}, A) > dist (O_{N}, B) > dist (O_{N}, C) > dist (O_{N}, D)$ , the distance of each of the CR vertices to $O_{N}$ is expressed using the equations below:

\begin{matrix} maxdist = dist (O_{N}, A), \\ mindist = dist (O_{N}, D), \\ {minmaxdist}_{L} = dist (O_{N}, B), \\ {minmaxdist}_{S} = dist (O_{N}, C) . \end{matrix}

(7)

With the defined distances, the search area for the NN object that answers the CR-based query can be defined as follows:

\begin{matrix} Search area of maxdist = {(maxdist)}^{2} \times π . \end{matrix}

(8)

The search area of mindist is included in that of maxdist, so its calculation can be omitted.

The search areas of ${minmaxidst}_{L} = dist (O_{N}, B)$ and ${minmaxidst}_{S} = dist (O_{N}, C)$ may contain objects that are nearer to the CR but are not included in the search area of maxdist. Hence, the search area of minmaxdist (the generic term for ${minmaxidst}_{L}$ and ${minmaxidst}_{S}$ ) should also be created:

\begin{array}{l} Search area of minmaxdist \\ = {({minmaxdist}_{L})}^{2} \times π \cup {({minmaxdist}_{S})}^{2} \times π . \end{array}

(9)

The final search area $O_{ER}$ for the NN query includes the search areas of (8) and (9): all of the grid cells enclosed by the computed search areas and those intersected by the search areas are included in the final search area.

In kNN queries, k nearest objects satisfying the query can be both inside and outside the CR. In this case, the final search area for both the inside objects and the outside objects is calculated individually using the equations presented in this section. The results are then combined, for example, inside $CR {$ (8) ∪ (9) $} \cup outside CR {$ (8) ∪ (9)}.

6. Experimental Evaluation

Through simulated experiments, the performances of the proposed AMV and the previous MCR were measured for comparison. These experiments were performed on a computer with a 2.9 GHz processor and 4 GB memory. C++ was used to conduct the experiments. It was assumed that the querier was stationary and that $K - 1$ clients were moving. The distance of a single grid cell was set to 10 m. The MCR to which the AMV was compared created a minimum CR that satisfies the specified K-anonymity requirement (e.g., the stationary querier and $K - 1$ clients are bounded in a CR). The experiment results are the average of the values obtained by executing the experiments 100,000 times.

Table 1 summarizes the parameter settings of the experimental environment.

Table 1

Experimental environment settings.

Parameters	Setting values
Number of grids	1000 × 1000
Number of clients	50,000, 70,000, 〈100,000〉, and 200,000
Number of objects	30,000, 〈50,000〉, 70,000, and 100,000
Client's movement radius (e.g., number of grids)	〈10〉, 30, 50, and 100
K-anonymity (K)	5, 〈10〉, 20, and 30
Update time (sec; t)	〈3〉, 5, 7, and 10
kNN (k)	3, 5, 〈10〉, and 20

Figure 7 shows how the size of the CR varies according to the K-anonymity levels.

Figure 7

CR sizes with respect to K-anonymity levels.

In the experiments, the movement radius of the client was set to 10 grid cells and the update interval of the anonymizer was 3 seconds. CR of AMV generates 30.9% and 55.6% less CR for each of the MCR and the DGCC. $X_{\min}$ ( $X_{\max}$ ) of K-DGCC denotes the clients that are located close to the querier, whereas $X_{\max}$ denotes those far from the querier. Only the clients that satisfy $K C ∋ {X_{\min}, X_{\max}, Y_{\min}, Y_{\max}}$ can be included in the CR of K-DGCC. Therefore K-DGCC's slope is increased significantly when K was increased in the graph. Though the MCR considers only the speed of user movements, the AMV considers both the direction and speed using the motion vector, thus producing a smaller CR.

Figure 8 shows the size of CRs with respect to the movement radius of the client. In the experiments, the K-anonymity level was set to 10 ( $K = 10$ ), and the anonymizer update interval was 3 and 5 seconds. On average, CR of AMV creates 49.2% and 67.6% less CR for each of the MCR and the DGCC. In Figure 8, for AMV, DGCC, and MCR, the CR size increases as the client's movement radius increases, but the rate of increase of the AMV is less steep than that of the MCR and DGCC. When $t = 5$ , the DGCC has the largest CR. The reason is that the distance of the querier from the clients satisfying $K C$ increases as the movement radius of client and update time increase.

Figure 8

The size of CRs with respect to the client's movement radius.

Figure 9 depicts the size of CRs with regard to the location anonymizer's update interval, denoted by t. The location of the moving client at t is predicted based on the speed and direction of the client's motion vectors, and the CR is created by considering the predicted client location. In the experiments, the K-anonymity level was 10, and the client's movement radius was 10 and 30 grid cells. On average, CR of AMV makes 42.7% and 65.2% less CR for each of the MCR and the DGCC.

Figure 9

CR sizes with respect to the anonymizer update intervals.

Figures 10 through 14 examine the search area $O_{ER}$ for the NN objects satisfying the CR-based query and the number of objects $O_{EN}$ in $O_{ER}$ . In the experiments, the number of clients was set to 100,000, and the number of objects was 50,000. The k of the kNN query was 10, and the anonymizer update interval was 3 seconds. The client's movement radius was 10 grid cells. The experiment results of a 10NN query (e.g., $k = 10$ ) are presented in Figures 10 through 13, and Figure 14 shows the result of a kNN query (e.g., k is a variable).

Figure 10

$O_{ER}$ sizes with respect to the number of objects.

Figure 10 shows $O_{ER}$ for the NN objects that satisfy the CR-based 10NN query.

The size of $O_{ER}$ decreases as the number of objects increases, which occurs at the following intervals: 30,000, 50,000, 70,000, and finally 100,000. This occurs because the objects satisfying the 10NN query are located nearer to the CR when the objects are more densely populated. $O_{ER}$ of AMV generates 46.7% and 53.7% less $O_{ER}$ for each of the MCR and the DGCC.

Figure 11 presents $O_{EN}$ of the 10NN query that varies according to K-anonymity levels. $O_{EN}$ of AMV creates 24.2% and 41.3% less $O_{EN}$ for each of the MCR and the DGCC. As demonstrated above, the AMV yields a smaller CR than the MCR and DGCC, which decreases the size of $O_{ER}$ . Naturally, the number of objects enclosed in a smaller $O_{ER}$ is smaller.

Figure 11

$O_{EN}$ with respect to K-anonymity levels.

Figure 12 shows $O_{EN}$ of the 10NN query with respect to the number of clients, varying from 50,000 to 200,000. $O_{EN}$ decreases as the number of clients increases because the CR size decreases when the clients are more densely populated. A smaller CR leads to a smaller $O_{ER}$ , which, in turn, decreases $O_{EN}$ . On average, $O_{EN}$ of AMV creates 42.0% and 51.7% less $O_{EN}$ for each of the MCR and the DGCC.

Figure 12

$O_{EN}$ with respect to the number of clients.

Figure 13

$O_{EN}$ with respect to client's movement radius.

Figure 14

$O_{EN}$ with respect to the k value of the kNN query.

Figure 13 shows $O_{EN}$ in connection with the client's movement radius. $O_{EN}$ of AMV generates 55.4% and 71.6% less $O_{EN}$ for each of the MCR and the DGCC. The gap between the AMV, DGCC, and MCR graphs grows as the client's movement radius increases. Compared with the AMV, the MCR's and DGCC's CR size increases more rapidly as the client's movement radius increases, and a larger CR leads to a larger $O_{ER}$ (and a larger $O_{EN}$ ).

Figure 14 presents $O_{EN}$ of the CR-based kNN query with respect to varying k, from 3 to 5 to 10 to 20. The MCR graph increases more rapidly than the AMV graph. When $k = 3$ , there is a high likelihood that the requested object can be found inside the CR, thus minimizing $O_{ER}$ . When $k = 20$ , the objects outside the CR need to be searched, which increases both $O_{ER}$ and $O_{EN}$ . On average, $O_{EN}$ of AMV makes 45.8% and 62.1% less $O_{EN}$ for each of the MCR and the DGCC.

7. Conclusion

This paper presents a cloaking system model that enables mobile users to make spatial queries without revealing their exact location information. The proposed AMV generates a minimum K-anonymous CR by predicting the future location of the moving client based on the motion vector. This enables the AMV to generate a smaller CR than the previous cloaking method. In addition, the AMV creates a search area $O_{ER}$ for the nearest neighbor objects that satisfies the NN query with the K-anonymized region. The $O_{ER}$ creation algorithms are performed in two phases: filtering that finds the initial $O_{ER}$ and refinement that supplements the initial $O_{ER}$ . By minimizing $O_{ER}$ for the CR-based NN query, the AMV allows the location anonymizer to return the exact query answers (e.g., the NN objects) to the querier.

In the future, the performance of the AMV can be further examined through experiments in which the querier is moving rather than remaining stationary.

Footnotes

Notations

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Authors’ Contribution

Kwangjin Park and Moonbae Song are equal contributors to this paper.

Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (2013R1A1A1004593 and 2014R1A1A2054315).

References

Park

Efficient data access for location-dependent spatial queries

Journal of Computer Science and Technology 2014 29 3 449 469

2-s2.0-84901680655

10.1007/s11390-014-1442-9

MR3235826

Song

Park

An efficient adaptive bitmap-based selective tuning scheme for spatial queries in broadcast environments

KSII Transactions on Internet and Information Systems 2011 5 10 1862 1878

2-s2.0-80355138943

10.3837/tiis.2011.10.011

Park

Valduriez

A hierarchical grid index (HGI), spatial queries in wireless data broadcasting

Distributed and Parallel Databases 2013 31 3 413 446

10.1007/s10619-013-7121-y

2-s2.0-84878651677

Park

Location-based grid-index for spatial query processing

Expert Systems with Applications 2014 41 4 1294 1300

10.1016/j.eswa.2013.08.027

2-s2.0-84888384340

Park

C.-G.

Kim

J.-J.

Han

K.-J.

Efficient POI search for location-based services in road networks

Journal of Computing Science and Engineering 2013 40 2 141 151

Sim

LBS description element and research trend

Journal of Information Processing Systems 2013 20 6 3 12

Sun

La Porta

T. F.

Kermani

A flexible privacy-enhanced location-based services system framework and practice

IEEE Transactions on Mobile Computing 2009 8 3 304 321

10.1109/tmc.2008.112

2-s2.0-58849100317

Voelcker

Stalked by satellite—an alarming rise in GPS-enabled harassment

IEEE Spectrum 2006 43 7 15 16

10.1109/mspec.2006.1652998

Wrrior

McHenry

McGee

They know where you are

IEEE Spectrum 2003 40 7 20 25

10.1109/MSPEC.2003.1209608

2-s2.0-0038389318

10.

Muntz

W. R.

Barclay

Dozier

Faloutsos

Maceachren

A. M.

Martin

J. L.

Pancake

C. M.

Satyanarayanan

C. M.

IT Roadmap to a Geospatial Future 2003

Washington, DC, USA

The National Academics Press

11.

Mokbel

M. F.

Chow

C.-Y.

Aref

W. G.

The new Casper: query processing for location services without compromising privacy

Proceedings of the 32nd International Conference on Very Large Data Bases

September 2006

763 774

12.

Kim

Lee

A.-R.

Kim

Y.-K.

J.-H.

Chang

J.-W.

Cloaking method supporting K-anonymity and L-diversity for privacy protection in location-based services

Journal of Korea Spatial Information Society 2008 10 4 1 10

13.

Kim

J.-Y.

Jeong

E.-H.

Lee

B.-K.

A design of cloaking region using dummy for privacy information protection on location-based services

The Journal of Korea Information and Communications Society 2011 36 8 929 938

10.7840/kics.2011.36b.8.929

14.

Park

Bai

Park

An anonymization technique of continuous query and query log for privacy in location-based services

Journal of Computing Science and Engineering 2011 38 2 65 71

15.

Lee

Hierarchical clustering-based cloaking algorithm for location-based services

Journal of Korea Information and Communicatuons Society 2013 8 8 1155 1160

16.

Gruteser

Grunwald

Anonymous usage of location-based services through spatial and temporal cloaking

Proceedings of the 1st International Conference on Mobile Systems, Applications and Services

May 2003

San Francisco, Calif, USA

ACM

31 42

10.1145/1066116.1189037

17.

Gedik

Liu

A customizable k-anonymity model for protecting location privacy

Proceedings of the IEEE International Conference on Distributed Computing Systems

June 2005

620 629

18.

Kalnis

Ghinita

Mouratidis

Papadias

Preventing location-based identity inference in anonymous spatial queries

IEEE Transactions on Knowledge and Data Engineering 2007 19 12 1719 1733

10.1109/tkde.2007.190662

2-s2.0-35648982949

19.

Gedik

Liu

Protecting location privacy with personalized k-anonymity: architecture and algorithms

IEEE Transactions on Mobile Computing 2008 7 1 1 18

10.1109/tmc.2007.1062

2-s2.0-36549043405

20.

Chow

C. Y.

Mokbel

M. F.

Naps

Nath

Approximate evaluation of range nearest neighbor queries with quality guarantee

Advances in Spatial and Temporal Databases 2009 5644

Berlin, Germany

Springer

283 301 Lecture Notes in Computer Science

10.1007/978-3-642-02982-0_19

21.

Yao

Lin

Kong

Xia

A clustering-based location privacy protection scheme for pervasive computing

Proceedings of the IEEE/ACM International Conference on Green Computing and Communications & International Conference on Cyber, Physical and Social Computing (GreenCom-CPSCom ′10)

December 2010

Hangzhou, China

IEEE

719 726

10.1109/GreenCom-CPSCom.2010.109

22.

Park

Jeong

S. J.

An anonymization scheme protecting querist identification in location-based service with user profile

Journal of Computing Science and Engineering 2011 38 4 201 207

23.

Kim

Chang

A grid-based cloaking area creation scheme for continuous LBS queries in distributed systems

Journal of Convergence 2013 4 1 23 30

24.

Cai

Location anonymity in continuous location-based services

Proceedings of the 15th Annual ACM International Symposium on Advances in Geographic Information Systems

November 2007

1 8

25.

Wang

Fung

B. C. M.

Preserving privacy for location-based services with continuous queries

Proceedings of the IEEE International Conference on Communications (ICC ′090)

June 2009

Dresden, Germany

IEEE

1 5

10.1109/icc.2009.5199361

2-s2.0-70449510845

26.

Zheng

Gao

Efficient algorithms for k-anonymous location privacy in participatory sensing

Proceedings of the IEEE Conference on Computer Communications (INFOCOM ′12)

March 2012

2399 2407

27.

Palanisamy

Liu

MobiMix: protecting location privacy with mix-zones over road networks

Proceedings of the IEEE 27th International Conference on Data Engineering (ICDE ′11)

April 2011

494 505

10.1109/icde.2011.5767898

2-s2.0-79957837932

28.

Cai

Exploring historical location data for anonymity preservation in location-based services

Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM ′08)

April 2008

IEEE

547 555

10.1109/infocom.2007.103

2-s2.0-51349083760

29.

Ardagna

Livraga

Samarati

Protecting privacy of user information in continuous location-based services

Proceedings of the IEEE 15th International Conference on Computational Science and Engineering (CSE '12)

December 2012

Nicosia, Cyprus

162 169

10.1109/ICCSE.2012.31

30.

Paulet

Bertino

Varadharajan

Practical k nearest neighbor queries with location privacy

Proceedings of the 30th IEEE International Conference on Data Engineering (ICDE ′14)

April 2014

Chicago, Ill, USA

IEEE

640 651

10.1109/icde.2014.6816688

2-s2.0-84901814752

31.

Zheng

Lee

W.-C.

Lee

K. C. K.

Lee

D. L.

Shao

A distributed spatial index for error-prone wireless data broadcast

VLDB Journal 2009 18 4 959 986

10.1007/s00778-009-0137-2

2-s2.0-70350525310

32.

Camp

Boleng

Davies

A survey of mobility models for ad hoc network research

Wireless Communications and Mobile Computing 2002 2 5 483 502

10.1002/wcm.72

2-s2.0-0038675868

A Privacy-Preserving Continuous Location Monitoring System for Location-Based Services

Abstract

1. Introduction

2. Related Work

3. Proposed AMV Model

4. Finding O ER in NN Queries

Algorithm 1: 1st O ER creation (filtering).

Algorithm 2: 2nd O ER creation (refinement).

5. AMV Equations

6. Experimental Evaluation

7. Conclusion

Footnotes

Notations

Conflict of Interests

Authors’ Contribution

Acknowledgments

References

4. Finding $O_{ER}$ in NN Queries

Algorithm 1: 1st $O_{ER}$ creation (filtering).

Algorithm 2: 2nd $O_{ER}$ creation (refinement).