
Location obfuscation is a technique used in LBS to protect the location privacy of the user by degrading the quality of information about her location in order to avoid revealing the exact spatial location. Duckham and Kulik developed a formal model for spatial obfuscation and privacy [48]. They define obfuscation as: “introducing imperfection as the result of the deliberate degradation of spatial information quality.” They refer to three types of imperfection: inaccuracy, imprecision, and vagueness. Inaccuracy is a situation in which the provided information is not true; imprecision occurs when the provided information is not specific; vagueness is the lack of a definite boundary. For example, the position of the user shown in the map in Figure 2.5 can be obfuscated by giving imprecise location data, such as saying that the user is located on the campus of the University of Denver, or an inaccurate position such as the intersection of Evans Ave and S University Blvd, or a vague location such as near Daniels College of Business.

Figure 2.5: Spatial obfuscation types: λᵤ is the user’s location, the entire map represents imprecision obfuscation, λ₁ represents inaccuracy obfuscation, and λ₂ vagueness obfuscation.

The straightforward approach for implementing this technique is to create a closed region around the client’s location and send it to the service provider, instead of revealing the exact location information, in order to obtain a specific LBS [7,29,48,160]. The service provider returns the candidate result based on the given region. Obviously, this approach puts the onus on the client to determine and send a large enough region as part of the query to the LBS and to process the large dataset containing information about the large region coming back from the LBS as a response. With both processing power on mobile devices at that time and communication bandwidth being precious, this straightforward approach needs to be improved. This has led to several existing approaches that use a TTP that does the obfuscation on behalf of the users and processes the bigger datasets obtained as part of the response from the LBS for obfuscated region queries. In fact, these approaches impose a change to the current working structure of the LBSs. Additionally, in real-life scenarios it is difficult to obtain a trusted third party and, even then, to get a critical mass of users that trust the same TTP. Further, a TTP has the major disadvantage of creating a bottleneck for data transmission and of becoming a single point of failure both in terms of utility and privacy. A breach of security on the TTP often results in total loss of privacy for all users utilizing that TTP.

There were several attempts to eliminate the use of a TTP. For example, Yiu et al. [165] proposed the “SpaceTwist” algorithm to offer location privacy for n nearest neighboring POIs without requiring a TTP anonymizer. The client sends fake location information, called the anchor, to the server. SpaceTwist on the server returns POIs to the client in ascending order of their distances from the received anchor. The client iteratively processes the received POIs based on the actual location of the user until the nearest n neighbor POIs are collected. For the same purpose of avoiding the TTP, Kim [95] proposed a framework based on Voronoi diagrams [1, 11, 101] to obfuscate the location of the user. Similar to Yiu et al. [165], the service of finding the best set of POIs for the user has been reduced to the problem of finding the nearest neighbor object, ignoring any other possible user preferences for the POI. Another approach is the coordinate transformation by Gutscher [78, 152], where the mobile client applies a geometric transformation function over the user’s location and then sends it to the LSP. For example, in a range query, after receiving the transformed coordinates of the query area, the LSP selects all POIs located in that area and sends them to the mobile client. The client then applies inverse transforms to the locations of the returned objects. The main disadvantages of this approach were observed by Gutscher [78]: (1) additional processing complexity needed for transformation, and (2) it provides a relatively “weak” protection.
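The SpaceTwist exchange described above, as an added Python example that is not code from the thesis or from Yiu et al. The page does not spell out the client's stopping rule; the one used here follows from the triangle inequality, and the function names, the grid of POIs and the coordinates are constructed for illustration.

```python
import heapq
import math

def server_stream(pois, anchor):
    """Server side: sees only the anchor, returns POIs nearest-to-anchor first."""
    yield from sorted(pois, key=lambda p: math.dist(p, anchor))

def spacetwist_knn(user, anchor, pois, n):
    """Client side: read the stream until the n nearest POIs to `user` are certain.

    Returns (n nearest POIs to the user, number of POIs the server sent)."""
    offset = math.dist(user, anchor)
    best = []   # max-heap on distance to the user, stored as (-distance, poi)
    sent = 0
    for p in server_stream(pois, anchor):
        sent += 1
        tau = math.dist(p, anchor)      # every POI closer to the anchor has been sent
        heapq.heappush(best, (-math.dist(user, p), p))
        if len(best) > n:
            heapq.heappop(best)         # drop the farthest candidate
        if len(best) == n:
            gamma = -best[0][0]         # distance to the current n-th nearest
            # An unsent POI q has d(q, anchor) >= tau, hence d(q, user) >= tau - offset.
            if gamma + offset <= tau:
                break
    return sorted((p for _, p in best), key=lambda p: math.dist(user, p)), sent

# Constructed sample data: POIs on a 10 x 10 grid, one user, two candidate anchors.
POIS = [(float(x), float(y)) for x in range(10) for y in range(10)]
USER = (2.2, 3.1)

def brute_force(user, pois, n):
    """Reference answer computed with full knowledge of the user's location."""
    return sorted(pois, key=lambda p: math.dist(user, p))[:n]

if __name__ == "__main__":
    for anchor in [(3.0, 4.0), (8.0, 8.0)]:
        nearest, sent = spacetwist_knn(USER, anchor, POIS, 3)
        print(anchor, nearest, f"{sent}/{len(POIS)} POIs transferred")
```

The answer is exact for either anchor; what changes is the transfer cost, which grows as the anchor moves away from the true location.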

Hashem et al. [82] adopted an obfuscation approach in order to answer a group nearest-location query for a meeting place. For example, consider a group of users who want to meet in a restaurant where the total travel distance is minimized for all group members. The privacy of the user is protected by sending an obfuscated region to the LSP instead of the exact position in such a way that the results returned by the LSP will include the actual nearest neighbors of the user. The set of candidate answers is passed to each user individually in a random order to modify it. The actual answer is broadcast after all users modify the set of candidate answers. If the attacker already has background knowledge about the targeted map, he may be able to reduce the size of the obfuscated area by using this background knowledge.

Based on the geographic context of the map, Damiani et al. [37,38] proposed an obfuscation technique in which any POI on the map is abstracted as a feature of a specific type. The privacy profile of the user describes the sensitivity level for each type. The cloaked region covers both sensitive and non-sensitive areas. This is done in such a way that the probability of associating the user to a sensitive feature is below a configured threshold. Ardagna et al. [8] characterized the probabilistic requirements for a general model of geographic aware obfuscation mechanisms.

The literature discussed so far is based on giving imprecise information to the service provider in order to obfuscate the location information of the user. An alternative type of location information imperfection is when the user presents an inaccurate or a false position to other parties in a communication system. Using a Bayesian network model, An et al. [5] show how the user can choose the “right” false position, i.e., the position that seems reasonable to the attacker. The natural extension of this work is when the user needs to navigate a path from some source location to a destination. If the attacker can successfully trace some of the paths requested by the user, then the attacker may have a good chance of finding out the identity of the user and some of her activities based on the collected source and destination locations (see Section 1.3.2 & Chapter 3). To solve this problem, Krumm [98] proposes generating extra false trips that are indistinguishable from the true one to confuse an attacker who is trying to trace the user. Towards the same purpose, Lee et al. [103] suggested adding extra fake sources and destinations to path queries.

Most proposals that use obfuscation techniques model an attacker and discuss various ways the attacker can gain more knowledge even in the case of obfuscation. Duckham et al. [50] model a geographic environment of road networks as a weighted graph where the user can move between adjacent nodes along the edges. The weight of an edge represents the distance along that edge. In that work, the authors presented a formal model for different possible strategies an attacker can use to enhance his knowledge about the user’s location, given obfuscated location information over time.

Although they require some changes, most existing privacy preserving algorithms for LBSs are designed based on the mobile telecommunications infrastructure, e.g., base stations or cell towers and mobile phones in large geographical areas. Consequently, these algorithms cannot be applied to an ad-hoc environment such as mobile P2P networks, where a user can only communicate with other peers through P2P multi-hop routing without any support from servers. Several works [35, 81] proposed obfuscation algorithms for mobile P2P networks.

QoS vs LoP trade-off. The main disadvantage of any obfuscation technique comes from the clear trade-off between QoS and Level of Privacy (LoP) that can be achieved by the obfuscation. Most proposals that use an obfuscation technique provide a configurable parameter or a tuning mechanism that achieves a balance between QoS and LoP based on the intended situation. For example, Duckham and Kulik [48] propose a negotiation algorithm between the user and the service provider to find a satisfactory balance of QoS and LoP. They present different negotiation strategies and simulate them [49]. They propose that the obfuscation region can be imagined as a set of discrete locations. The negotiation process terminates if the proportion of the obfuscation set that is closest to each POI in the query is greater than or equal to some threshold value selected by the user. This threshold is a fraction ranging from 0.0 to 1.0, and it is called the confidence value. The confidence value reflects the satisfactory QoS chosen by the user, where 1.0 means perfect QoS. Cheng et al. [29] also study this trade-off in their proposed probabilistic model for range queries.
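A sketch of the confidence-value stopping rule described above, added here as an illustration and not taken from Duckham and Kulik's papers. It reads the rule as "the largest share of the obfuscation set that agrees on one nearest POI", and it assumes Euclidean distance on an integer grid, a square obfuscation set centred on the user (a simplification that a real client would avoid), and a shrink-by-one negotiation strategy; all names and coordinates are constructed.

```python
import math
from collections import Counter

def nearest_poi(loc, pois):
    """Name of the POI closest to one discrete location."""
    return min(pois, key=lambda name: math.dist(loc, pois[name]))

def confidence(obf_set, pois):
    """Best-supported POI and the fraction of the obfuscation set nearest to it."""
    votes = Counter(nearest_poi(loc, pois) for loc in obf_set)
    poi, count = votes.most_common(1)[0]
    return poi, count / len(obf_set)

def negotiate(true_loc, radius, pois, threshold):
    """Shrink the revealed set until the confidence reaches the user's threshold.

    Returns (answer POI, confidence, number of locations finally revealed)."""
    x0, y0 = true_loc
    while True:
        obf = [(x, y) for x in range(x0 - radius, x0 + radius + 1)
                      for y in range(y0 - radius, y0 + radius + 1)]
        poi, conf = confidence(obf, pois)
        if conf >= threshold or radius == 0:
            return poi, conf, len(obf)
        radius -= 1   # the client concedes some privacy for a better answer

# Constructed sample data: three POIs and one user position.
POI_MAP = {"cafe": (0, 0), "library": (11, 0), "gym": (0, 11)}

if __name__ == "__main__":
    for threshold in (0.6, 0.8, 1.0):
        poi, conf, size = negotiate((3, 2), 4, POI_MAP, threshold)
        print(f"threshold={threshold}: answer={poi} "
              f"confidence={conf:.3f} revealed set={size} locations")
```

Raising the threshold buys a more certain answer at the cost of a smaller revealed set, which is the QoS versus LoP trade-off in numbers.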