Everyday applications and ubiquitous devices contribute data to the Internet of Things, oftentimes including sensitive information of people. This opens new challenges for protecting users' data from adversaries, who can perform different types of attacks using combinations of private and publicly available information. In this work, we discuss some of the main challenges, especially regarding location-privacy, and a general approach for adaptively protecting this type of data. This approach considers the semantics of the user location, as well as the user's sensitivity preferences, and also builds an adversary model for estimating privacy levels.

1. Semanticand SensitivityAwareLocation-PrivacyProtection for the Internet of Things
Berker Ağır, Jean-Paul Calbimonte, Karl Aberer
Workshop on Society, Privacy and the Semantic Web -Policy and Technology 2014
20 October2014

2. Introduction
•Online Devices
•more infiltratingin dailylife
•online services & applications
•They are capable of sensing
their environment and context
GPS
Accelerometer
Barometer
Thermometer
2

3. PrivacyUnder Threat
•Honest but curious server
•Exploits all available data
•With limited computational power, tries to infer private information
Background knowledge on user history
User Events
Process according to objectives
Perform attack
Observed events
Privacy Protection Mechanism(s)
Application Server
3

4. Location Privacy
•Location data carries highly contextual information
•Activity tracking
•Inferring habits
•Physical assault
•Rich sensor environment and continuous connectivity
•A non-stop and unbalanced threat on privacy
4

5. Common Location-Privacy Protection Approaches
?
Obfuscation
Perturbation
Hiding
Anonymization
Actual location
Observed locations
5

6. Shortcomings of Existing Approaches
•Location information is multi- dimensional
•Semantics
•Not every location / semantic tagmight have the same importance in terms of privacy
•Home location
•Hospitals, restaurants
•Overprotection
•Service degradation
6

7. Smart Adversariesand Strategies
•Privacy has to be evaluated w.r.t. a real attack scenario
•Adaptive protection mechanisms on user device
•Move against each other in a strategic game
•Location Semantics
•User Mobility History
•Common-knowledge sensitivities
→Inference
•Location Semantics
•Adversary Modelling
•Sensitivity Profile
→Real-Time Adaptive Protection
User
Adversary
7

8. Adaptive Location Privacy Protection
8
Adaptive Privacy Protection Mechanisms
Privacy Estimation Module
Estimate
Candidate obfuscation area
Sensitivity Profile
Geographical& Semantic
User History
•Adaptive approach:Past behavior is considered before making a privacy decision
•Causality and physical feasibility between transitions

9. Sensitivity Profile Configuration
Android application allowing to set semantic and geography based sensitivity levels
9

10. Adaptive Protection in Action
10
Lowsensitivity-university
High sensitivity-hospital

11. SemanticLocation Privacy
•Whatabout the privacyof the semantics?
•Location mightnot matteras long as the user activityisunknown
11
Cinema?
Pharmacy?
Hotel?
Hospital?
Bar?

12. EvaluatingPrivacy
•What is the adversary’s errorin inferring
•users’ geographical locations?
•the semantics of user locations?
•How confidentis the adversary?
•Probabilistic nature of inference
•What is the user’s desired privacy level (i.e., sensitivity) for
•his geographical location?
•the semantics of his location?
12

13. NextSteps& Future Work
•Model & implementinferenceconsideringlocation semanticsand user sensitivities
•Inferring user activity from a collection of location and semantic tag series
•Private attributes such as age, gender, occupation
•Reasoningabout causalityin the semanticlevel
•Goingto a cinemaafterhavingdinnerat a nearbyrestaurant
13

14. Future Work
14
Health-care
(x, y)coordinates
Geographical
Semantics
Visit
Interactions/
Relationships
Work
Treatment
Has sick friend
Attributes
Is Doctor
Is Nurse
Has
Broken Leg
Has Cancer
Work Place
Business
Has customer
User
Adversary