Location-Related Privacy Challenges in Geo-Social Networks
Written by Carmen Ruiz Vicente

Due in part to the widespread adoption of Internet-enabled smartphones with positioning capabilities, users are active, mobile participants in today's Internet. This development motivates a broad variety of Internet services that provide functionality relevant to the users' locations and, more recently, users' social circles. Emerging services pose significant threats to user privacy that may hinder the spread of these services. This article gives examples of privacy violations that occur when using such services and identifies key properties of this new setting.

What's a Geo-Social Network

More recently, the combination of real-time location-reporting capabilities with traditional social network functionality has attracted the attention of users and service providers, leading to the emergence of Geo-Social Networks (GeoSNs). Many existing services are designed specifically to enable this functionality, and other services are increasingly assimilating it. Prominent examples of GeoSNs include Facebook, Foursquare, Twitter, Google+, Google Latitude, Flickr, Gowalla, Loopt, and MyTown, and new services are being invented quite rapidly. GeoSNs offer functionality that helps associate location with users and content, providing diverse services such as photo sharing, friend tracking, and "check-ins."

The Dangers of Exposing Location Information

However, with this functionality comes increased potential for location-related privacy violations [2,3]. For instance, it may be possible to infer personal information from the locations that people visit; e.g., a user's presence at a church or at the location of a political meeting may reveal the user's religious or political views. Similarly, periodic visits to a medical facility may suggest a health problem. GeoSNs enable the dissemination of this information without the user being aware of the risks of this exposure [4]. For these reasons, users may be concerned about disclosing their exact locations at certain times to untrusted entities. There exist several examples of documented privacy violations using existing Internet services. For instance, [5] demonstrates how it's possible to find a user's home by looking at geo-tagged pictures in the photo-sharing service Flickr. Similarly, Friedland et al. [6] have shown that it's possible to find users' exact home addresses by correlating data from various Internet services.

Disclosing Where You Are Not

Users may be concerned about revealing not only their location, but also their absence from a place. Publishing a user's location can let an adversary infer that the user isn't at a certain place at a given time. Consider the situation in the example given at the end of this article.
It's also easy for an adversary to know how far a user is from a location and thus make reasonable assumptions about how long the user might be absent. For instance, a person with access to recent vacation photos or videos can infer that the user's house is likely to be empty for some days and could use this information to plan a burglary [6]. In addition, the use of certain GeoSN services (such as check-in services) is typically associated with the user's absence from home. This idea was demonstrated by the website PleaseRobMe [7], which gathered user check-ins from different services in real time, listing houses that were likely to be empty.

Disclosing Co-Location

In most GeoSNs, an adversary might be able to observe multiple users' presence in the same place. Some users might consider such co-location to be sensitive, as it might reveal information about the relationship among those users. Important factors that affect the sensitivity of the information include the frequency, locations, or time periods of the co-location, and other users' presence at the same location. For example, if two users attend the same event together with many other users, they might not consider their co-location to be sensitive; the same might hold true if the co-location only happens sporadically.

Features of the GeoSNs

When devising a privacy-protecting mechanism for a GeoSN, we need to take into account its fundamental purpose and features. Next, we analyze four dimensions inherent to GeoSNs (location, time, user tagging, and identity) and how each of them affects privacy.

Location

We have seen how users can consider a location to be sensitive. Sometimes, it's possible to decrease the sensitivity of a location by releasing a larger area instead of an exact position [2]. For instance, Twitter and Google Latitude let users release location information to other users at a coarser granularity than what's actually available (e.g., "city" or "neighborhood"). This technique can be applied in services that don't require exact locations - such as microblogging, photo sharing, or proximity-notification services. However, some GeoSNs require exact locations. Examples include check-in-based services, social navigation services, and user reviews. In such services, the use of a coarser granularity is problematic because the locations either still identify the places to be hidden (if a finite set of possible places exists) or compromise the services' utility. Recently, some of these services have let users hide the exact location of certain sensitive places. This is the case with Foursquare [8], which hides the exact location of places categorized as "homes". Similarly, Flickr [9] allows users to specify an area (called a geofence) that prevents untrusted users from accessing pictures located in that area.

Time

Not only the location, but also the time associated with a location is important. For instance, a user's presence in a bank outside opening hours is probably sensitive. Some GeoSNs' utility depends on publishing information in real time because it's inherent to the services' purpose. This is the case for dating and proximity services, micro-blogging, and social navigation services. In contrast, services such as user review and photo-sharing services can tolerate some temporal uncertainty without it substantially affecting the quality of service. Thus, it's possible to delay the publication of certain content so that an adversary is uncertain about the actual time associated with it. For instance, the publication of vacation photos that are one week old is not as sensitive as publication in real time.

User tagging

An adversary can violate users' privacy by analyzing and linking resources others have published. For instance, consider a user who is concerned about being reported as absent from home. In a GeoSN that allows multiple user tagging, another user (e.g., a friend) could upload a geo-tagged picture and tag the concerned user in it, which would result in a privacy violation. GeoSNs generally afford their users little support for setting privacy preferences with regard to information other users upload about them. Regardless of the strategy adopted to achieve privacy, when content is tagged with multiple users (for example, a photo tagged with everyone who appears in it), the content should be altered so that all tagged users' privacy requirements are satisfied, meaning that an adversary can't violate privacy by observing multiple published resources [10]. Removing a user tag can also be effective when it isn't possible for an adversary to identify that user from the content.

User Identity

Some GeoSNs, such as proximity-based dating services and location-based social gaming, let users employ pseudonyms instead of real names, which hides their real identities. Maintaining user anonymity is particularly important for certain services, as the following example illustrates. Bob is using an anonymous location-based dating service, and he's concerned about others discovering it. One night, Bob tells his wife that he's working late and accesses the dating service from his office. Bob's wife, who is suspicious, accesses the same service and looks for people located at Bob's workplace. If Bob's wife knows that Bob is the only one present at the office at that moment, she can deduce that he's using the service - hence violating Bob's privacy. The actual risk of re-identification through location depends on the external information that an adversary can acquire to match the anonymous users in that location at a given time with their identities. Techniques for protection against re-identification through location alter a reported user location so that it can be associated with at least k users (the principle of k-anonymity) [11].
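The geofence mechanism described under "Location" above, as an added example written for this page (it is not Flickr's code or API, nor code from the article's authors): a fence is a polygon together with the set of viewers trusted to see pictures taken inside it. A picture whose coordinates fall inside a fence is withheld from any viewer who is neither the owner nor trusted for that fence, while pictures outside every fence stay visible to everyone. The polygon test is standard ray casting; the Geofence and Picture classes, the can_access function and the coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

Point = Tuple[float, float]  # (latitude, longitude) in decimal degrees


@dataclass(frozen=True)
class Geofence:
    """A polygon with the set of viewers trusted to see pictures taken inside it."""
    name: str
    vertices: Tuple[Point, ...]
    trusted_viewers: FrozenSet[str] = frozenset()

    def contains(self, lat: float, lon: float) -> bool:
        """Ray-casting point-in-polygon test: the point is inside when a ray cast
        eastward from it crosses the polygon boundary an odd number of times."""
        inside = False
        n = len(self.vertices)
        for i in range(n):
            lat1, lon1 = self.vertices[i]
            lat2, lon2 = self.vertices[(i + 1) % n]
            if (lat1 > lat) != (lat2 > lat):  # this edge straddles the point's latitude
                lon_cross = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
                if lon < lon_cross:
                    inside = not inside
        return inside


@dataclass(frozen=True)
class Picture:
    picture_id: str
    owner: str
    lat: float
    lon: float


def fences_covering(pic: Picture, fences: Iterable[Geofence]) -> List[Geofence]:
    """All fences whose polygon contains the picture's coordinates."""
    return [f for f in fences if f.contains(pic.lat, pic.lon)]


def can_access(pic: Picture, viewer: str, fences: Iterable[Geofence]) -> bool:
    """The owner always sees the picture; anyone else is refused if the picture
    lies inside any fence for which that viewer is not trusted."""
    if viewer == pic.owner:
        return True
    return all(viewer in f.trusted_viewers for f in fences_covering(pic, fences))


def visible_pictures(pics: Iterable[Picture], viewer: str, fences: Iterable[Geofence]) -> List[str]:
    """Ids of the pictures the viewer is allowed to access, in upload order."""
    fences = list(fences)
    return [p.picture_id for p in pics if can_access(p, viewer, fences)]


# Constructed sample data: a square fence around "home" and two pictures by alice,
# one taken inside the fence and one outside it.
HOME_FENCE = Geofence(
    "home",
    ((41.380, 2.170), (41.380, 2.180), (41.390, 2.180), (41.390, 2.170)),
    frozenset({"bob"}),
)
PICTURES = [
    Picture("p1", "alice", 41.385, 2.175),  # inside the fence
    Picture("p2", "alice", 41.400, 2.175),  # outside the fence
]

if __name__ == "__main__":
    for viewer in ("alice", "bob", "mallory"):
        print(viewer, "sees", visible_pictures(PICTURES, viewer, [HOME_FENCE]))
```

The check is applied per viewer at access time, so the owner can add or remove trusted viewers without re-processing the pictures. Note what the fence does not cover: it only governs the owner's own uploads, so a picture of the same place uploaded and tagged by a friend falls under the "User tagging" problem discussed above, not under this control.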
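One mechanism that covers three of the points made above, namely releasing a location at a coarser granularity ("Location"), releasing multi-tagged content at a level that satisfies every tagged user ("User tagging"), and k-anonymity cloaking of a reported location ("User Identity"). This is an added example written for this page, not code from the article or from any of the services it names. Coordinates are generalized to the grid cell of the chosen level; for multi-tagged content the coarsest level among the tagged users' preferences is used; for k-anonymity the level is coarsened step by step until the cell covers at least k users. The level names, cell sizes, user positions and the function names generalize, generalize_for_tags and k_anonymous are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Granularity levels, most precise first. Cell sizes are in micro-degrees (integer
# arithmetic keeps cell boundaries exact). The sizes are constructed for this
# illustration and are not taken from any particular service.
LEVELS = ("exact", "neighborhood", "city", "region")
CELL_SIZE = {"exact": 0, "neighborhood": 10_000, "city": 100_000, "region": 1_000_000}


def to_micro(deg: float) -> int:
    """Convert decimal degrees to integer micro-degrees."""
    return int(round(deg * 1_000_000))


@dataclass(frozen=True)
class Cell:
    """A released location: a grid cell (south-west corner plus size) or an exact point."""
    level: str
    lat_min: int
    lon_min: int
    size: int  # 0 means the exact point

    def contains(self, lat: int, lon: int) -> bool:
        if self.size == 0:
            return lat == self.lat_min and lon == self.lon_min
        return (self.lat_min <= lat < self.lat_min + self.size
                and self.lon_min <= lon < self.lon_min + self.size)


def generalize(lat: float, lon: float, level: str) -> Cell:
    """Release the location at a coarser granularity: the grid cell of the given
    level that contains it (floor division also handles negative coordinates)."""
    size = CELL_SIZE[level]
    la, lo = to_micro(lat), to_micro(lon)
    if size == 0:
        return Cell(level, la, lo, 0)
    return Cell(level, (la // size) * size, (lo // size) * size, size)


def coarsest(levels: Iterable[str]) -> str:
    """The least precise of several granularity levels."""
    return max(levels, key=LEVELS.index)


def generalize_for_tags(lat: float, lon: float, preferences: Dict[str, str]) -> Cell:
    """Content tagged with several users is released at the coarsest level any of
    them requires, so a single release satisfies every tagged user's preference."""
    return generalize(lat, lon, coarsest(preferences.values()))


def k_anonymous(lat: float, lon: float, others: Iterable[Tuple[float, float]], k: int) -> Optional[Cell]:
    """Spatial cloaking: coarsen the reported location level by level until the
    cell covers at least k users (the requester plus others). None if no level does."""
    others = list(others)
    for level in LEVELS:
        cell = generalize(lat, lon, level)
        population = 1 + sum(cell.contains(to_micro(a), to_micro(b)) for a, b in others)
        if population >= k:
            return cell
    return None


# Constructed sample data: the requester's position and three other users' positions.
REQUESTER = (41.3851, 2.1734)
OTHERS = [(41.3870, 2.1750), (41.3600, 2.1200), (41.9000, 2.5000)]

if __name__ == "__main__":
    lat, lon = REQUESTER
    print("city-level release:", generalize(lat, lon, "city"))
    print("photo tagged with three users:",
          generalize_for_tags(lat, lon, {"alice": "exact", "bob": "neighborhood", "carol": "city"}))
    for k in (2, 3, 4, 5):
        print(f"k={k}:", k_anonymous(lat, lon, OTHERS, k))
```

Two caveats a practitioner should keep in mind. First, the anonymity set counted here is the users actually inside the cell; if an adversary can rule some of them out with external knowledge (the situation in the Bob example above), the effective set is smaller than k. Second, when the service needs exact places (check-ins, reviews), a coarser cell may still single out the only plausible venue inside it, which is the utility problem the "Location" section describes.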
Conclusion

We are witnessing a gradual transformation of the essence of the Internet. The advances in positioning techniques, together with the widespread adoption of Internet-enabled smartphones, have fostered a new generation of Internet services that provide functionality relevant to the users' locations. Internet services are increasingly assimilating location- and social-based functionality, leading to the emergence of GeoSNs. Several sites and mainstream articles are alerting users to the risks of oversharing without appropriate privacy controls. Indeed, users are, in many cases, unaware that they're publishing location information, as when they upload a picture from a smartphone that automatically geotags photos. We must fully understand the privacy issues involved in participating in GeoSNs, and the features of the GeoSNs that may have an impact on privacy, in order to provide users with appropriate privacy controls.

Acknowledgements

This work is partially supported by the Spanish Ministry of Science and Innovation and the FEDER funds under the grants TIN2011-27076-C03-02 CO-PRIVACY and CONSOLIDER-INGENIO 2010 CSD2007-00004 ARES.

Example: Disclosing Where You Are Not

One day, Bob leaves work early to meet Charlie. Charlie updates his GeoSN status, writing "chilling in the park with Bob." If Bob's manager sees the update, he can infer that Bob was absent from the office during work hours.