
Location Privacy: Who Knows Where You Are?

December 5th, 2008 by Matt Duckham

Engineering advances, like precise and accurate personal positioning systems, are helping to enable a wide range of commercially and socially beneficial information services. In this context, location privacy (the right of individuals to control information about their personal location) can seem a peripheral or puzzling issue for many engineers. As one engineering colleague put it to me: “If you have nothing to hide, why should you be concerned about location privacy?” However, location privacy is increasingly becoming a vital function of any location-based service, and a function that presents spatial information engineers with interesting new challenges.

My colleague is not alone in taking a narrow view of privacy issues. The Sun Microsystems chairman and co-founder, Scott McNealy, once (in)famously said: “You have zero privacy anyway, get over it!” (Sprenger, 1999). Society’s attitude to privacy undoubtedly changes over time and with circumstances, especially in connection with the advent of new technology. One of the landmark publications that shaped modern attitudes to privacy, Warren and Brandeis (1890), was in part a response to the perceived threats to privacy resulting from (then) recent advances in photographic technology. Although many of the basic privacy principles set out by Warren and Brandeis have endured, societal attitudes to the underlying technology, and to the privacy issues connected with having your picture taken, have changed and are today much more relaxed.

Nevertheless, even if the future holds a society in which we are as comfortable revealing our individual locations as, say, having our photo taken, there are reasons to believe that techniques for location privacy protection are important, at least in the short to medium term. The risks of a lack of location privacy range from annoyances like unsolicited marketing (so-called “location-based spam”) through to serious personal safety issues, such as stalking or assault. Location information is also unusual in that where a person is located (at a hospital or a political rally, say) provides a basis for inferring a wide range of other personal information (such as state of health or political affiliation). From a pragmatic perspective, perhaps the most immediate effect of a perceived lack of privacy protection is to inhibit the development, uptake, and acceptance of new location-based services while the technology is still nascent.

FIGURE 1: Strategies for location privacy protection

When thinking about how to protect an individual’s location privacy, there exist two main classes of mechanisms (see Figure 1). First, proscriptive strategies aim to specify acceptable uses of private location information, and proscribe unacceptable uses. Privacy laws and other privacy regulations are amongst the most fundamental proscriptive mechanisms. A more technological approach to proscriptive strategies is privacy policies, which aim to annotate personal data with digital certificates that specify acceptable use policies. However, laws, regulations, and privacy policies are all vulnerable to inadvertent or malicious disclosure of personal information. Once a breach of privacy has occurred, sanctions can be applied to the person or organization responsible, but it is often difficult to undo the damage caused by the breach, once the “cat is out of the bag.”

As a result, it is acknowledged that proscriptive strategies alone cannot offer a complete solution to privacy protection. Complementary to proscriptive mechanisms, information hiding strategies aim to “hide” personal information in some way. In non-spatial domains, anonymity (the process of dissociating a person’s identity from personal information about that person) is a widely used information hiding mechanism for privacy protection. Medical records, for example, can often safely be used in scientific research by simply removing personal identifiers, like names or health insurance numbers. However, anonymizing location data is more difficult, since identity can often be inferred from location; your precise location can uniquely identify you, more so than your fingerprint or even your genetic profile. For example, recent work by Krumm (2007) investigates how easy it is to identify an individual’s home location, and so their identity, from anonymized location traces using publicly available data sources.
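To show why removing identifiers is not enough for location data, here is an added example in Python of the simplest kind of home-location inference over a pseudonymised trace. It is not code from the original post, and it is not Krumm’s method: it uses only the heuristic that the grid cell most often visited overnight is home, and then joins that cell against a stand-in for a public data source. The trace, the 50 m grid, the pseudonym `u-4821`, the hours treated as night, and the `DIRECTORY` lookup are all constructed for this example.

```python
# Added example (not from the original post, and not Krumm's method): the
# simplest form of home-location inference over a pseudonymised trace, to show
# why stripping identifiers is not enough for location data. The trace, the grid
# and the "public directory" are all constructed for the example.
import math
import random

CELL = 50  # metres; coarse grid used to cluster the trace (assumed)


def cell_of(x, y, cell=CELL):
    """Lower-left corner of the grid cell containing (x, y)."""
    return (math.floor(x / cell) * cell, math.floor(y / cell) * cell)


def make_trace(seed=3, days=7):
    """Constructed trace for pseudonym 'u-4821': one (hour, x, y) fix per hour,
    at a 'home' location overnight and an 'office' location during the day.
    Coordinates are metres on a local grid; jitter stands in for GPS noise."""
    rng = random.Random(seed)
    home, office = (210.0, 130.0), (800.0, 600.0)
    trace = []
    for _ in range(days):
        for hour in range(24):
            base = home if (hour < 7 or hour >= 19) else office
            jitter = (rng.uniform(-9, 9), rng.uniform(-9, 9))
            trace.append((hour, base[0] + jitter[0], base[1] + jitter[1]))
    return trace


def infer_home(trace, night=(0, 6)):
    """Heuristic: the grid cell most often visited between night[0] and night[1]
    o'clock is assumed to be home. Returns (cell, share of night fixes in it)."""
    counts = {}
    for hour, x, y in trace:
        if night[0] <= hour < night[1]:
            c = cell_of(x, y)
            counts[c] = counts.get(c, 0) + 1
    if not counts:
        return None, 0.0
    best = max(counts, key=counts.get)
    return best, counts[best] / sum(counts.values())


# Constructed stand-in for a public data source (e.g. an address directory):
# grid cell -> who lives there. This join is the step that turns an anonymous
# trace back into a named person.
DIRECTORY = {(200, 100): "resident R (constructed)"}


def reidentify(trace, directory=DIRECTORY):
    """Infer the home cell, then look it up in the directory."""
    home, share = infer_home(trace)
    return directory.get(home), share


if __name__ == "__main__":
    who, share = reidentify(make_trace())
    print(f"night fixes fall in one cell {share:.0%} of the time -> {who}")
```

On the constructed trace every overnight fix lands in the same 50 m cell, so a seven-day pseudonymised trace resolves to a single household. Real traces are noisier, but the point stands: the pseudonym carries no information the trace itself does not already reveal.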

An alternative information hiding approach to anonymization is to degrade the quality of location data in some way, so as to “blur” a person’s precise or accurate location, termed obfuscation (Duckham and Kulik, 2005). Developing practical and safe obfuscation systems presents a number of interesting engineering challenges, which spatial information science is helping to address. Figure 2 illustrates schematically the obfuscation process. Given (reasonably) precise and accurate information about an individual’s location, an obfuscation system will deliberately degrade that information, perhaps perturbing the individual’s location slightly (inaccuracy) or by only reporting a region or vicinity in which the individual is located (imprecision). The problem is then to still provide information services (like finding the address of the nearest point of interest, or providing a route to some remote location) based on this imperfect information about an individual’s location.

FIGURE 2. Obfuscation: protecting location privacy by degrading the quality of location information.

For example, I might actually be located on the corner of Flinders and Elizabeth Streets in Melbourne, and be seeking my nearest WiFi hotspot using a smart phone or PDA and a web-enabled location-based service provider. Instead of revealing my precise and accurate location to the remote service provider, who I might not trust with this personal information, I could obfuscate, adding inaccuracy or imprecision to my location. In the case of inaccuracy, my PDA might only reveal to the service provider that I am located on the corner of Flinders and Spring Streets (i.e., a few hundred meters from my actual location). Alternatively, using imprecision, I might only specify that I am located on Flinders Street. In either case, if I am concerned about privacy I am likely to prefer any service provider that can still provide a good (even if not necessarily optimal) answer to my query using only my degraded location information.

Clearly, there will be limits to the extent to which location information can be degraded. In general, as location information becomes more and more degraded, so the quality of the resulting location-based service can become similarly degraded. In the example above, if I reveal my (imprecise) location only as “in Australia”, I am unlikely to get any useful responses to my location-based query. However, location information is highly information-rich, and typically contains much more detail about where we are located than is strictly required to answer many queries. Consequently, some level of degradation can usually be tolerated. Further, many location-based queries do not require the optimal answer, and may be adequately satisfied by a near-optimal answer. In the example of looking for the nearest WiFi hotspot, it is likely that obfuscating my location to, say, within a few hundred meters will make no difference to the result of the query. Even in the event that the service does not return the nearest hotspot, there is every chance in busy urban areas that the service will identify a hotspot that is only marginally further away than the optimal answer.
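To make the two kinds of degradation and the “near-optimal answer” point concrete, here is an added example in Python; it is not code from the original post or its author. It assumes a flat local coordinate system in metres and a handful of constructed points of interest (not real hotspots). Inaccuracy is modelled as a uniform random perturbation within a radius, imprecision as reporting only a grid cell, and the nearest-neighbour query over a region uses a minimax rule (return the point of interest that minimises the worst-case distance over the region). That rule is one reasonable choice for this example, not the specific algorithm of the papers cited on this page.

```python
# Added example (not code from the original post or its author): obfuscation by
# inaccuracy and by imprecision, and a nearest-point-of-interest query answered
# from the degraded location only. Coordinates are metres on a local grid; the
# points of interest below are constructed, not real hotspots.
import math
import random

# Constructed points of interest (x, y), e.g. WiFi hotspots.
POIS = {
    "A": (120.0, 80.0),
    "B": (450.0, 300.0),
    "C": (900.0, 150.0),
    "D": (700.0, 650.0),
    "E": (300.0, 550.0),
}


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def obfuscate_inaccuracy(loc, radius, rng):
    """Inaccuracy: report a uniformly random point within `radius` of the true
    location. The service sees one precise but wrong point."""
    r = radius * math.sqrt(rng.random())  # sqrt gives uniform density over the disc
    theta = 2 * math.pi * rng.random()
    return (loc[0] + r * math.cos(theta), loc[1] + r * math.sin(theta))


def obfuscate_imprecision(loc, cell):
    """Imprecision: report only the axis-aligned grid cell (x0, y0, x1, y1) that
    contains the true location. The service sees a region, not a point."""
    x0 = math.floor(loc[0] / cell) * cell
    y0 = math.floor(loc[1] / cell) * cell
    return (x0, y0, x0 + cell, y0 + cell)


def nearest_poi(point, pois=POIS):
    """Exact nearest neighbour for a point (what a non-private query gets)."""
    return min(pois, key=lambda k: distance(point, pois[k]))


def nearest_poi_region(region, pois=POIS):
    """Nearest neighbour for a region: the user could be anywhere in the cell, so
    pick the POI that minimises the worst-case distance (minimax). Distance to a
    fixed point is convex, so over a rectangle the worst case is at a corner."""
    x0, y0, x1, y1 = region
    corners = [(x0, y0), (x1, y0), (x0, y1), (x1, y1)]
    return min(pois, key=lambda k: max(distance(c, pois[k]) for c in corners))


def extra_distance(true_loc, answer, pois=POIS):
    """How much further the returned POI is than the optimal one (0 = no loss)."""
    best = distance(true_loc, pois[nearest_poi(true_loc, pois)])
    return distance(true_loc, pois[answer]) - best


def inaccuracy_trials(true_loc, radius, n=200, seed=1):
    """Repeat the perturbed query n times. Returns (fraction of optimal answers,
    mean extra distance in metres, largest displacement actually applied)."""
    rng = random.Random(seed)
    optimal, total_extra, max_disp = 0, 0.0, 0.0
    for _ in range(n):
        fake = obfuscate_inaccuracy(true_loc, radius, rng)
        max_disp = max(max_disp, distance(true_loc, fake))
        loss = extra_distance(true_loc, nearest_poi(fake))
        optimal += loss == 0
        total_extra += loss
    return optimal / n, total_extra / n, max_disp


if __name__ == "__main__":
    me = (130.0, 90.0)  # constructed true location
    print("true nearest:", nearest_poi(me))
    for cell in (100, 500):
        region = obfuscate_imprecision(me, cell)
        ans = nearest_poi_region(region)
        print(f"cell {cell} m -> region {region}, answer {ans}, "
              f"extra {extra_distance(me, ans):.0f} m")
    for radius in (50, 300):
        frac, mean_extra, disp = inaccuracy_trials(me, radius)
        print(f"radius {radius} m -> optimal {frac:.0%}, "
              f"mean extra {mean_extra:.0f} m, max displacement {disp:.0f} m")
```

With a 100 m cell the region query still returns the true nearest point A; with a 500 m cell the minimax answer becomes B, about 370 m further away than optimal, which is the degradation-versus-service trade-off the text describes. A 50 m perturbation never changes the answer here because no other point of interest comes within reach.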

Happily, spatial information engineers have much expertise they can contribute to designing such privacy-preserving obfuscation systems. Processing spatial information in the presence of obfuscation is really a special case of processing spatial information under uncertainty, a long-established topic in spatial information science. Where traditional spatial information systems design aims to minimize the uncertainty, but still operate in the presence of imperfect spatial information, an obfuscation system aims to maximize the uncertainty (because the more uncertain a person’s location is, the more private is their true location). Some existing spatial algorithms for operating in such conditions include computing nearest neighbors (for example, finding the nearest points of interest) and navigation instructions in the presence of high levels of uncertainty (e.g., Duckham et al. 2003, Duckham and Kulik 2006). However, as the importance of location-based services grows, so too does the potential for the development of new and innovative spatial algorithms and information systems for supporting privacy-aware location-based services.

References
Duckham, M., Kulik, L. and Worboys, M.F. (2003) Imprecise navigation. GeoInformatica 7(2): 79-94.

Duckham, M. and Kulik, L. (2005) A formal model of obfuscation and negotiation for location privacy. In Gellersen, H.W. et al. (eds) Lecture Notes in Computer Science v3468, pp. 152-170.

Duckham, M. and Kulik, L. (2006) Location privacy and location-aware computing. In Drummond, J., Billen, R., Forrest, D. and Joao, E. (eds) Dynamic & Mobile GIS: Investigating Change in Space and Time, chapter 3, pp. 34-51. CRC Press, Boca Raton, FL.

Krumm, J. (2007) Inference attacks on location tracks. In LaMarca, A., Langheinrich, M. and Truong, K.N. (eds) Lecture Notes in Computer Science v4480, pp. 127-143.

Sprenger, P. (1999) Sun on privacy: “Get over it”. Wired, January 26, 1999.

Warren, S. and Brandeis, L. (1890) The right to privacy. Harvard Law Review 4: 193-220.

Dr. Matt Duckham, Senior Lecturer
Department of Geomatics
University of Melbourne, Australia

Filed under Augmentation & Assistance, Integration with Other Technologies.

1 response about “Location Privacy: Who Knows Where You Are?”

  1. Privacy in location-based social networking applications (4) | sharkofagus said:

    [...] is already commonly used by various location-sharing service providers, and is called obfuscation. Obfuscation is a technique for hiding the true location information by degrading the quality of the data [...]
