Abstract
With the expansion of wireless-communication infrastructure and the evolution of indoor positioning technologies, the demand for location-based services (LBS) has been increasing in indoor as well as outdoor spaces. However, we should consider a significant challenge regarding the location privacy for realizing indoor LBS. To avoid violations of location privacy, much research has been performed, and location \(\mathcal {K}\)-anonymity has been intensively studied to blur a user location with a cloaking region involving at least \(\mathcal {K}-1\) locations of other persons. Owing to the differences between indoor and outdoor spaces, it is, however, difficult to apply this approach directly in an indoor space. First, the definition of the distance metric in indoor space is different from that in Euclidean and road-network spaces. Second, a bounding region, which is a general form of an anonymizing spatial region (ASR) in Euclidean space, does not respect the locality property in indoor space, where movement is constrained by building components. Therefore, we introduce the concept of indoor location \(\mathcal {K}\)-anonymity in this paper. Then, we investigate the requirements of ASR in indoor spaces and propose novel methods to determine the ASR, considering hierarchical structures of the indoor space. While indoor ASRs are determined at the anonymizer, we also propose processing methods for r-range queries and k-nearest-neighbor queries at a location-based service provider. We validate our methods with experimental analysis of query-processing performance and resilience against attacks in indoor spaces.
Notes
It takes approximately 6 s to build the 430-by-430 D2D table in our settings (Section 6.1), in which the modification of the D2D table is only required for each build reconfiguration.
Acknowledgments
This research was partially supported by a grant (11 High-tech G11) from the Architecture & Urban Development Research Program funded by the Ministry of Land, Infrastructure and Transport of the Korean government, and a grant (14NSIP-B080144-01) from the National Land Space Information Research Program funded by the Ministry of Land, Infrastructure and Transport of the Korean government. This work was partially supported by BK21PLUS, Creative Human Resource Development Program for IT Convergence.
Appendices
Appendix A: Cost for Algorithm 2
Let us discuss the cost of \(\mathcal {K}\)-anonymization to determine the ASR using Algorithm 2. The cost \(C_{Total}\) for Algorithm 2 is expressed as
where \(C_{Loc(x,G_{0})}\) is the cost for finding the node containing the requester (line 1) at level 0, \(C_{FindMO}\) is the cost for retrieving moving objects within the ASR (lines 4–5), and \(C_{TraverseNodes}\) is the cost for finding the parent node (line 8) and its child nodes (line 3). We assume that the location of moving objects is specified as a cell identifier, as discussed in Section 3.2. Therefore, \(C_{Loc(x,G_{0})}\) is given as a small constant time without additional computation. While \(C_{FindMO}\) is mainly determined by the number of leaf nodes of \(node_{ASR}\), \(C_{TraverseNodes}\) depends on the size of the subtree of \(node_{ASR}\). For simplicity, we also assume that the hierarchical graph is balanced and the distribution of objects is uniform. Then, \(C_{Total}\) is mainly determined by \(C_{FindMO}\) and \(C_{TraverseNodes}\) because \(C_{Loc(x,G_{0})}\) is very small and can be ignored, as discussed above.
Lemma 1
Time complexity of Algorithm 2. The time complexity of Algorithm 2 is given as \(O(bf^{i})\), where
- \(i = \left \lceil \log _{bf}{ \frac {n \cdot \mathcal {K}}{m}} \right \rceil \),
- bf: branching factor of the hierarchical graph,
- n: the total number of cells,
- m: the total number of moving objects.
Proof
The expected number of selected leaf nodes of \(node_{ASR}\) containing the requester at level i is
For instance, when i = 0, we are at the bottom level and the cell containing the requester is unique. Therefore, \(|Leaf(Loc(x,G_{i}))| = bf^{i} = 1\). While \(|Leaf(Loc(x,G_{i}))|\) counts only leaf nodes, the expected number of selected nodes (including internal nodes) containing the requester at level i is shown as follows:
The average number of moving objects per cell is \(\frac {m}{n}\). Then, the expected number of moving objects within the selected cells becomes \(\frac {m}{n}\cdot bf^{i}\). In order to satisfy \(\mathcal {K}\)-anonymity, it should be
Consequently, the expected number of levels of the hierarchical graph is
From Eqs. 5, 6, 7 and 8, we describe \(C_{Total}\) in big O notation as
Therefore, the time complexity of Algorithm 2 is given as \(O(bf^{i})\). □
If we assign the i of Eq. 8 to Eq. 6, we obtain the range of the expected number of levels of the hierarchical graph as
The cost is mainly determined by the branching factor. We draw an important conclusion that small branching factors yield better performance in most cases; thus, it is recommended to build the hierarchical graph with a small branching factor.
Appendix B: Finding the bucket using cell index
Given a \(\mathcal {K}\) value, the process of finding the bucket containing the requester using the cell index is described in Algorithm 7. First, we find the cell containing the requester (line 1). In order to calculate \(S_{req}\), the global sequence number of the requester, we sum the number of users in each cell that precedes \(cell_{req}\) in the cell index (lines 2–6); we then add the sequence number of the requester within its cell to \(S_{req}\) (line 7). We calculate the two numbers \(n_{prev}\) and \(n_{next}\), which denote the number of previous and next candidate users of the requester that we have to find, respectively (lines 8–9). If buckets must be merged (line 10), we may modify \(n_{prev}\) and \(n_{next}\) (lines 11–16) because the last two buckets have to be merged. If the requester is located in the penultimate bucket (line 11), we need to find the users in the last bucket (line 12). If the requester is located in the last bucket (line 13), we need to find the users in the penultimate bucket (lines 14–16). Finally, we find the \(n_{prev}\) previous and \(n_{next}\) next users of the requester; then, we add them to the bucket \(b_{req}\) (line 18).
Given that \(\mathcal {K}=3\), \(U = \{m_{1}, m_{2}, \ldots, m_{7}\}\), and the requester is \(m_{5}\) in Fig. 14, we demonstrate how to find all users in the bucket by using Algorithm 7. User \(m_{5}\) is located in \(C_{1}\), and two cells \(R_{1}\) and \(R_{2}\) exist before \(C_{1}\) in the index. The total number of objects in \(R_{1}\) and \(R_{2}\) is 2+1=3, and \(m_{5}\) is the second in \(C_{1}\). Thus, \(S_{req}\) is 3+2=5. We obtain \(n_{prev} = (S_{req} - 1) \bmod \mathcal {K} = 1\) and \(n_{next}=\mathcal {K} - n_{prev} - 1 = 1\). Since \(|U| \bmod \mathcal {K} = 1\), we need to merge the buckets and modify the values. Because the requester is located in the penultimate bucket (\(\lceil S_{req}/\mathcal {K} \rceil = |B|\)), \(n_{next} = n_{next} + (|U| \bmod \mathcal {K}) = 2\). We need to find the previous \(n_{prev} = 1\) user (\(m_{4}\)) and the next \(n_{next} = 2\) users (\(m_{6}\) and \(m_{7}\)). Finally, we obtain \(b_{req} = \{m_{4}, m_{5}, m_{6}, m_{7}\}\).
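The bucket computation of Algorithm 7, carried through in code as an added example (not the paper's own implementation). The cell index is constructed to match the numbers in the worked example above; the placement of \(m_{6}\) and \(m_{7}\) and the exact adjustment for a requester in the last bucket (lines 14–16, which the text only summarises) are assumptions. Because buckets are fixed partitions of the global sequence order, every member of a bucket obtains the same bucket, so the cloaked set does not reveal which member issued the query.

```python
import math

# Constructed cell index consistent with the worked example in Appendix B
# (K = 3, U = {m1, ..., m7}, requester m5): R1 and R2 hold three users in
# total and m5 is the second user of C1. Where m6 and m7 sit is an
# assumption, since Fig. 14 is not reproduced here.
CELL_INDEX = [
    ("R1", ["m1", "m2"]),
    ("R2", ["m3"]),
    ("C1", ["m4", "m5", "m6"]),
    ("C2", ["m7"]),
]


def global_sequence_number(cell_index, requester):
    """S_req: 1-based position of the requester in cell-index order."""
    seq = 0
    for _cell, users in cell_index:
        if requester in users:
            return seq + users.index(requester) + 1
        seq += len(users)
    raise ValueError(f"{requester} is not in the cell index")


def find_bucket(cell_index, requester, k):
    """Return b_req, the bucket of at least K users that contains the requester."""
    users = [u for _cell, cell_users in cell_index for u in cell_users]
    total = len(users)
    if total < k:
        raise ValueError("fewer than K users: K-anonymity cannot be satisfied")
    s_req = global_sequence_number(cell_index, requester)
    n_prev = (s_req - 1) % k  # earlier users in the requester's bucket
    n_next = k - n_prev - 1   # later users in the requester's bucket
    num_full = total // k     # |B|: number of full buckets
    remainder = total % k     # users left over in a partial last bucket
    if remainder != 0:
        # A partial last bucket is smaller than K, so it is merged with the
        # penultimate bucket and the counts are adjusted accordingly.
        if math.ceil(s_req / k) == num_full:
            # Requester in the penultimate bucket: also take the last bucket.
            n_next += remainder
        elif s_req > num_full * k:
            # Requester in the partial last bucket: also take the whole
            # penultimate bucket (assumed reading of lines 14-16).
            n_next = remainder - n_prev - 1
            n_prev += k
    idx = s_req - 1
    return users[idx - n_prev: idx + n_next + 1]
```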
Kim, JS., Li, KJ. Location K-anonymity in indoor spaces. Geoinformatica 20, 415–451 (2016). https://doi.org/10.1007/s10707-015-0241-y