Next: System Design
Up: Privacy-Aware Location Sensor Networks
Previous: Related Work
One usage example of a location sensor network is an in-building occupant movement tracking system. Such a location system would be useful for architectural and interior design, since it would deliver data on the popularity and usage of different building areas such as conference rooms, alcoves, individual offices, or supermarket aisles. However, employees or customers might be concerned about their privacy. We will revisit this example throughout the paper.
These applications require aggregate statistics on the popularity of certain locations but not necessarily precise information about a person's location at any given time. Therefore, we argue that this problem can reasonably be addressed through anonymity mechanisms that reduce data quality within known bounds to maintain a well-defined level of anonymity in different situations.
We do not restrict the system to a specific location sensing technology but make the following assumptions. The location tracking system comprises an array of sensor nodes, one or more base stations, and a location server. The sensor nodes are resource-limited computing devices with wireless communication capabilities (e.g., [17,18]). The sensors themselves should be capable of determining the number of individuals in an area and of monitoring changes in real time. Base stations bridge the wireless sensor communications into the wired network, where the location server collects the sensor data and publishes it to applications.
The sensor system periodically reports location information as a set of tuples (c, a), where a labels an area and c is the count of data subjects who visited the area during the period. Areas are hierarchically organized; therefore, the network can present an overall count for a certain area in addition to counts for the smaller sub-areas within it.
We define a location privacy threat as an instance in which an adversary can obtain an individual's (the data subject's) location information through the location system and can identify the individual. For example, through the location system an adversary could obtain the current position of every individual. Continuous access to this information would allow him to track movements of an unknown user. However, for this to constitute a location privacy threat, the adversary must also be able to link identities to the reported user locations.
To identify individuals, the adversary can have prior information about the people and space that are monitored. For example, knowing who owns a particular office would most likely correctly identify a person that is monitored in this office [12]. The adversary can simply link these two pieces of information and conclude that with very high probability the identified individual is in his office. Once identified, he can then track the individual's movements to other areas of the building by monitoring the location updates. By adaptively changing data precision, the sensor network seeks to prevent (or at least make sufficiently difficult) an adversary's linking of prior information with the information obtained through the sensor system. The network should only reveal precise locations of groups of people, but not of individuals and their paths. Inspired by Samarati and Sweeney [19,6,7], we consider the data k-anonymous if every location reported from the network is indistinguishable from at least k - 1 other subjects.
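The following is an added example, not code from the paper, illustrating the reporting scheme of the two preceding paragraphs: areas form a tree, each period yields (c, a) tuples, and the network descends into sub-areas only while every sub-area on its own still covers at least k subjects, otherwise it publishes the parent's aggregate. The building layout, the counts and the office-owner table are constructed sample data; the rule that an empty sub-area does not block descent (it reports no subject, although it still reveals absence) is a design choice of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example: hierarchical areas with per-period subject counts, and a
# reporting rule that coarsens precision until every reported (c, a)
# tuple covers at least k data subjects.


@dataclass
class Area:
    name: str
    count: int = 0                                   # subjects sensed directly here
    children: List["Area"] = field(default_factory=list)

    def total(self) -> int:
        """Subjects in this area including all of its sub-areas."""
        return self.count + sum(c.total() for c in self.children)


def build_sample_building() -> Area:
    """Constructed sample data: one building, two floors, a few rooms."""
    return Area("building", children=[
        Area("floor1", children=[
            Area("conf_room", 6),
            Area("office_101", 1),
            Area("office_102", 0),
        ]),
        Area("floor2", children=[
            Area("alcove", 4),
            Area("office_201", 3),
            Area("office_202", 5),
        ]),
    ])


def k_anonymous_report(area: Area, k: int) -> List[Tuple[int, str]]:
    """Return (c, a) tuples at the finest granularity at which every
    reported count is at least k.

    Descend into sub-areas only if each non-empty sub-area satisfies k on
    its own; otherwise publish this area's aggregate.  An area with fewer
    than k subjects (including an empty one, or the root) is suppressed.
    """
    total = area.total()
    if total < k:
        return []
    can_descend = bool(area.children) and all(
        c.total() == 0 or c.total() >= k for c in area.children
    )
    if can_descend:
        report: List[Tuple[int, str]] = []
        for child in area.children:
            report.extend(k_anonymous_report(child, k))
        return report
    return [(total, area.name)]


def is_k_anonymous(report: List[Tuple[int, str]], k: int) -> bool:
    """Check the published tuples against the k bound."""
    return all(c >= k for c, _ in report)


def linkable_subjects(report: List[Tuple[int, str]], owners: Dict[str, str]) -> List[str]:
    """Model of the prior-knowledge link described in the text: a count of 1
    in an area whose occupant is known identifies that person's location."""
    return [owners[a] for c, a in report if c == 1 and a in owners]


if __name__ == "__main__":
    building = build_sample_building()
    owners = {"office_101": "Alice", "office_201": "Bob"}   # constructed prior knowledge
    for k in (1, 3, 5):
        r = k_anonymous_report(building, k)
        print(f"k={k}: {r}  linkable={linkable_subjects(r, owners)}")
```

With k = 1 (no protection) the single occupant of office_101 is published and, combined with the owner table, identified; with k = 3 floor1 collapses to one aggregate tuple while floor2, whose rooms each hold at least three people, keeps room-level precision; with k = 5 both floors are reported only as wholes. Raising k trades precision for anonymity within a known bound, which is the tradeoff the text describes.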
This work also considers a more sophisticated adversary, with local access to the sensor network, who attacks the network to gain more precise location information. In particular, the adversary could mount the following attacks:
- Passive attacks
  - Eavesdropping. The adversary could simply listen to data and control traffic. Control traffic conveys information about the sensor network configuration. Data traffic contains potentially more detailed information than is accessible through the location server.
  - Traffic analysis. An increase in the number of transmitted packets between certain nodes could signal that a specific sensor has registered activity.
- Active attacks
  - Insert false data. A malicious node could trick the system into reducing data distortion (privacy protection) by spoofing subjects.
  - Change routing behavior. An inserted or compromised node could drop packets, forward them incorrectly, or advertise itself as the best route to all nodes (blackhole effect) in an attempt to gain information.
This paper focuses on user privacy; hence, we do not consider attacks such as denial of service, where the adversary does not learn any private information.
GRUTESER
2003-06-17