Spatial Bloom Filters: Enabling Privacy in Location-Aware Applications

Abstract

The wide availability of inexpensive positioning systems made it possible to embed them into smartphones and other personal devices. This marked the beginning of location-aware applications, where users request personalized services based on their geographic position. The location of a user is, however, highly sensitive information: the user’s privacy can be preserved if only the minimum amount of information needed to provide the service is disclosed at any time. While some applications, such as navigation systems, are based on the users’ movements and therefore require constant tracking, others only require knowledge of the user’s position in relation to a set of points or areas of interest. In this paper we focus on the latter kind of services, where location information is essentially used to determine membership in one or more geographic sets. We address this problem using Bloom Filters (BF), a compact data structure for representing sets. In particular, we present an extension of the original Bloom filter idea: the Spatial Bloom Filter (SBF). SBF’s are designed to manage spatial and geographical information in a space efficient way, and are well-suited for enabling privacy in location-aware applications. We show this by providing two multi-party protocols for privacy-preserving computation of location information, based on the known homomorphic properties of public key encryption schemes. The protocols keep the user’s exact position private, but allow the provider of the service to learn when the user is close to specific points of interest, or inside predefined areas. At the same time, the points and areas of interest remain oblivious to the user.

L. Calderoni—Part of this research work was accomplished while visiting the Parallel and Distributed Systems group of Delft University of Technology (The Netherlands).

Appendices

A Bloom Filters Properties

The bloom filter is built as follows. Initially all bits are set to \(0\). Then, for each element \(a \in S\) and for each \(h \in H\) we calculate \(h\left( a\right) = i\), and set the corresponding \(i\)-th bit of \(b\) to \(1\). Thus, \(m\) bits are needed in order to store \(b\).

We test an element \(a_u\) against \(b\) to determine membership in \(S\), that is, we verify whether \(a_u \in S\) if

$$\begin{aligned} \forall h \in H, b\left[ h(a_u)\right] = 1. \end{aligned}$$

(14)

If any bit in \(b\) that corresponds to a value output by one of the hash functions for \(a_u\) is \(0\), then \(a_u \not \in S\). If, instead, all the hashes map to bits of value \(1\), then \(a_u \in S\) minus a false positive probability \(p\) determined by the number \(n\) of elements in \(S\), the number \(k\) of hash functions in \(H\) and the maximum possible value \(m\) output by the hash functions (equal to the binary length of \(b\)) as follows:

$$\begin{aligned} p = \left( 1 - \left( 1 - \frac{1}{m} \right) ^{kn} \right) ^k \approx \left( 1 - e^{-{\frac{kn}{m}}}\right) ^k. \end{aligned}$$

(15)

This small false positive probability is due to the potential collision of hashes evaluated on different inputs, resulting into all bits associated to an element outside the originating set having value \(1\). As such, it is determined largely by \(k\): if \(k\) is sufficiently small for given \(m\) and \(n\), the resulting \(b\) is sufficiently sparse and collisions are infrequent. If we consider the approximation in (15), we can calculate the optimal number of hashes \(k\) as

$$\begin{aligned} opt\left( k\right) = \frac{m}{n} \ln 2, \end{aligned}$$

(16)

from which we can infer

$$\begin{aligned} m = {\bigg \lceil }{-\frac{n \ln p}{\left( \ln 2\right) ^2}}{\bigg \rceil }. \end{aligned}$$

(17)

However, the number of hashes also determines the number of bits read for membership queries, the number of bits written for adding elements to the filter, and the computational cost of calculating the hashes themselves. Therefore, in constrained settings, we may choose to use a less than optimal \(k\), according to performance reasons, if the resulting \(p\) is considered sufficiently low for the specific application domain.

B More on Spatial Representation

The most natural spatial representation for Earth is the standard geographic coordinate system. In the geographic coordinate system every location on Earth can be specified by using a set of values, called coordinates. Standard coordinates are latitude, longitude and elevation. For the purposes of this work we focus on longitude and latitude only, as the combination of these two components is enough to determine the position of any point on the planet (excluding elevation or depth). The whole Earth is divided with 180 parallels and 360 meridians; the plotted grid resulting on the surface is known as the graticule (Fig. 4).

Fig. 4.

An example of the planet’s surface and the grid plotted on it. \(\phi _1\) and \(\phi _2\) are longitude values while \(\lambda \) is a latitude value.

Longitude (lng) and latitude (lat) can be stored and represented according to several formats. In the following we use the decimal degrees plus/minus format, where latitude is positive if it is north of the equator (negative otherwise), and longitude is positive if it is east of the prime meridian (negative otherwise); for instance, \(31.456764^\circ \) (lat) and \(-85.887734^\circ \) (lng) are two possible values.

Using a fixed precision in longitude and latitude (that is, choosing a fixed number of decimal points for their values) allows us to easily divide the planet’s surface into a discrete grid. Since meridians get closer as they converge the poles, as can be seen in Fig. 4, the portions of the Earth’s surface defined by such a grid have varying areas depending on their position (Table 2). While the construction proposed in the following is not dependent on the size or shape of the regions, for simplicity in the discussion it is reasonable to approximate such portions to rectangles and assume they have the same area.

Table 2. Some reference values of accuracy using three decimal places for coordinate representation.

In actual applications, the precision in decimal points for longitude and latitude should reflect the expected error of the device or sensor used for learning the location information. The precision and accuracy of mobile devices in determining their geographic position were proved to vary considerably depending on the context (urban areas, rural areas, etc.) [20].

In a detailed experiment on the accuracy of GPS sensors installed on mobile devices, Blum et al. show that the location is reported with a precision varying from 10 to 60 meters, depending on the device orientation and type, and, in cities, on the surrounding buildings [3]. Hence, when designing a system based on mobile devices it would reasonable to consider regions with sides tens of meters long.