Query m-Invariance: Preventing Query Disclosures in Continuous Location-Based Services

摘要

Location obfuscation using cloaking regions preserves location anonymity by hiding the true user among a set of other equally likely users. Furthermore, a cloaking region should also guarantee that the type of queries issued by users within the region are mutually diverse enough. The first requirement is fulfilled by satisfying location k-anonymity while the second one is ensured by satisfying query l-diversity. However, these two models are not sufficient to prevent the association of queries to users when the service depends on continuous location updates. Successive cloaking regions for a user may be k-anonymous and query l-diverse but still be prone to correlation attacks. In this paper, we provide a formal analysis of the privacy risks involved in a continuous location-based service, and show how continuous queries can invalidate the privacy guarantees provided by k-anonymity and l-diversity. Drawing upon the principle of m-invariance in database privacy, we show how query m-invariance can provide location and query privacy in continuous services.