Place vs. Space: On the Future of Location Obfuscation
Seda Gürses, University of Leuven
Obfuscation has proven to be a successful strategy in preserving location privacy, and yet, we may have only scratched the surface of its potential in location services. Location privacy is a challenging topic that came to prominence with the introduction of location based services (LBS) (e.g., Beresford and Stajano 2003, Gruteser and Grunwald 2003, Wernke 2014). The objective of the research is to develop mechanisms that would protect individuals from other parties that may be able to “algorithmically discover a subject’s whereabout and other information” throughout time (Krumm, 2009). Throughout the years, researchers have demonstrated that achieving location privacy is extremely hard and improvements to proposed mechanisms have come hand in hand with the development of mathematical foundations of obfuscation (e.g., Theodorakopoulos et al. 2014, Olteanu 2017). Building on these advances, and given the state of the art in Location Based Services, I would like to explore whether we can expand the scope of the research questions related to privacy and autonomy of individuals in space and time. To do so, I propose to revisit the common premises of location privacy research: its assumptions about space and time, its objectives and relationship to obfuscation.
Location privacy work builds on a specific understanding of space and time. Specifically, most of the models used in location privacy treat space as a kind of container that shapes people’s movements and from which unwanted inferences can be made. When speaking about privacy risks, the authors often refer to inferences that can be made based on “proximity to an abortion clinic, crack house, AIDS clinic, business competitor, or political headquarters.” Movement trajectories and behavioral patterns are captured too, typically represented as the sequence of locations associated with that individual. These trajectories are so unique that researchers go as far as arguing “location is identity.” Given this container model of space, technical strategies to ensure location privacy have followed two main paths. The first set of techniques aspires to conceal the identity of the person associated with the given location or movement (anonymity). The second set, of interest to us, protects location privacy by providing inaccurate, imprecise, or vague information concerning the location of that person (obfuscation) (Duckham and Kulik 2006).
The container model of space implicit in most location privacy research contrasts with more relational and dynamic understandings of space that conceive of it as something that is constituted. In this latter framing, places are co-constructed in relation to the patterns of activity of the people who use, observe or experience them. For example, a park may be designated as such by the municipality, and marked as such on a map, but when it becomes the site of a political demonstration, what can be inferred from this location changes. In this more dynamic model, the relationship between space and people is bidirectional: a specific place may determine which activities are meaningful in that location, but people may also transform the meaning attached to that location with their actions. Once we accept the premise that space is not static and that people play a role in the making of a place, people can be treated as active geographic agents in the constitution of space in time.
In their work tracing the history of geodemographic systems, Phillips and Curry show that with the advances made in GPS and cellular technologies, Location Based Services have started working with this relational and dynamic conception of constituted space (Phillips and Curry, 2003). LBS systems are no longer only concerned with tracking individuals and building profiles, but also with leveraging this information to manipulate the behavior of their users to create “ideal” geographies. Most strikingly, based on the state of the art in 2003, they predict that “new [LBS] systems will potentially allow the instantaneous reconfiguring of spatial elements toward any emergent strategic end” (Phillips and Curry, 2003). The authors worry that harnessing such capabilities will accelerate the way in which the meaning of space gets negotiated and such negotiations will become increasingly invisible to their inhabitants.
Today, services like Waze, for sharing real-time traffic and road information, Uber, for cab hailing, and Pokémon Go, an augmented reality game, are second nature to the billions of users of mobile devices. These services exemplify exactly the kind of LBS systems that Phillips and Curry predicted over a decade ago. They gather location information on the basis of which they make behavioral and spatial inferences. But, more importantly, they treat their users as active geographical agents who not only sense environments but can also be brought to co-create them in response to notifications from the LBS. The instantaneous feedback on how these users react to the notifications provided by these services is leveraged to devise experiments on how well the services create optimized geographies in line with their business interests while upholding a valuable user experience.
Exemplary of current-day LBS, Waze, Uber and Pokémon Go also provide all actors involved in these systems with new opportunities to apply obfuscation. Some of these techniques make news headlines. For example, when Waze rerouted cars avoiding freeway traffic jams through residential neighborhoods, residents turned to reporting road blocks in order to get the algorithm to re-route the cars elsewhere. They aspired to preserve the state of their neighborhood using obfuscation to change the availability that Waze attributed to their roads. Similarly, researchers have reported that they created hundreds of ghost Waze accounts to simulate a traffic jam, only to get Waze to reroute all other cars on the highway, sweeping the road empty for them to whiz through. Pokémon Go users have been reported to spoof their GPS to scoop up Pokémon where they are more densely available, not very different from app developers who want to test their new apps in different locations. The short history of Uber is cluttered with stories about the numerous ways in which the company developed systems to deceive its drivers, customers and authorities, obfuscating its actual prices, capacity and practices.
What is common to these stories of obfuscation is that they all function on the premise of constituted space and its byproducts. In order to infer, manage and shape events in constituted space, LBS call other novel kinds of space into being. For example, to optimally manage space, LBS providers are constantly in the process of modeling and converging upon an ‘optimized space’. This optimized space is a reference object towards which all geographic agents are managed. In order to shape events, they may make use of indicators about a possible ‘future space’ to mobilize different geographic agents towards it. The interplay between optimized and future space is exemplified in the notifications that Uber sends to its drivers about an upcoming surge. That these notifications initially included information about the price increase expected with the surge, and later dropped this indicator, can be interpreted as the introduction of vagueness to gamify drivers into action in a future space, given the outcomes desired for an optimized space. When developers spoof GPS or use simulations to test their applications, one could argue that they are acting in “simulated space.” Analysis of movements in physical space and in simulations can be used to generate predictions about future space, develop optimized space, mobilize or gamify geographic agents, and sort desirable and undesirable behaviors across these spaces.
Users now participate in these different spaces, knowingly or not, and by using obfuscation they can come to create yet other spaces. When Pokémon Go players spoof their GPS signals, one could argue that they enter a sort of “ghost space.” Assuming the users spoof their location perfectly, to the game servers they may be located in Manhattan; to other players in Manhattan they are representatives of the increasing number of ghosts registered on their devices. Similarly, when Uber drivers synchronize turning off their apps in order to stimulate a surge, one could argue that they generate a “resistance space.” In constituted space, it seems that obfuscation acts on another level of abstraction. These users deliberately generate new spaces that are intended to escape, or intentionally confuse, the LBS capture mechanisms that identify, manage and shape events. The objective is not to obfuscate individual identities in a static space, but to obfuscate the many models of space captured in LBS systems.
So, what other questions can we pose in location privacy research if we shift from the container to the constituted model of space as a premise? LBS have moved from being systems intended to enrich a static understanding of space to dynamic systems of capture. It is true that if location privacy were in place, the inferences necessary for such LBS to work would be removed. However, we can still ask whether there are ways to use obfuscation to conceal not the static but the dynamic aspects of geographic behavior. For example, would it be possible to obfuscate the fact that people are converging upon a political demonstration? In such a case, the obfuscation techniques may remain the same, but what is evaluated may include more than the effectiveness of the strategy in concealing an individual’s movements.
We further see that the impact of location information leakage includes inferring information about people and their behaviors, but also extends to being able to leverage that information to optimize locations and behaviors. Researchers in location privacy have studied the impact of past, present and future locations on possible inferences. Moreover, those inferences and real-time observations of movements in space can co-exist and influence each other. Predictions are not merely predictions: they can be used to nudge people to change their location, movement and behavior in order to create ideal geographies. What does location privacy have to say about this practice of co-constructing space using past and predicted data? Should we also study ways to do privacy-preserving simulation? Would that be sufficient to deal with the different societal and individual autonomy concerns that may arise from such practices?
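The question raised above, whether obfuscation designed for individuals also hides a dynamic, collective pattern, can be made concrete with a small constructed scenario. The following is an added example, not code from the paper: a synthetic crowd of 200 people on a 10 km square, 120 of whom gather within 300 m of a demonstration site at time t1, with each person's report obfuscated by grid cloaking (imprecision) or Gaussian noise (inaccuracy) in the Duckham and Kulik sense, after which an LBS-style grid count checks whether the convergence is still visible. All coordinates, counts and parameters are constructed.

```python
import math
import random
from collections import Counter

# Constructed scenario (not from the paper): 200 people on a 10 km square,
# coordinates in metres. At t0 everyone is spread uniformly; at t1, 120 of
# them have gathered within 300 m of a demonstration site.
AREA_M = 10_000
CELL_M = 1_000
SITE = (5_500.0, 5_500.0)  # centre of one 1 km grid cell
rng = random.Random(7)     # fixed seed so the run is reproducible


def uniform_points(n):
    return [(rng.uniform(0, AREA_M), rng.uniform(0, AREA_M)) for _ in range(n)]


def gathered_points(n, centre, radius_m):
    """n people uniformly spread over a disc around the demonstration site."""
    pts = []
    for _ in range(n):
        r, a = radius_m * math.sqrt(rng.random()), rng.uniform(0, 2 * math.pi)
        pts.append((centre[0] + r * math.cos(a), centre[1] + r * math.sin(a)))
    return pts


def scenario():
    t0 = uniform_points(200)
    t1 = gathered_points(120, SITE, 300) + uniform_points(80)
    return t0, t1


def cloak(p, cell=CELL_M):
    """Imprecision: a user reports only the centre of the 1 km cell they are in."""
    return ((p[0] // cell) * cell + cell / 2, (p[1] // cell) * cell + cell / 2)


def jitter(p, sigma_m=200.0):
    """Inaccuracy: a user reports the true position plus Gaussian noise."""
    return (p[0] + rng.gauss(0, sigma_m), p[1] + rng.gauss(0, sigma_m))


def densest_cell(points, cell=CELL_M):
    """What the LBS sees: the largest number of reports falling in one grid cell."""
    counts = Counter((math.floor(x / cell), math.floor(y / cell)) for x, y in points)
    return max(counts.values())


def peaks(t0, t1, obfuscate):
    """Peak cell occupancy before and after the gathering, as seen through obfuscate()."""
    return (densest_cell([obfuscate(p) for p in t0]),
            densest_cell([obfuscate(p) for p in t1]))
```

Per-user obfuscation leaves each individual's position imprecise or inaccurate, yet the jump in peak occupancy between t0 and t1 survives both cloaking and noise, so the convergence itself is not concealed.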
All of this may seem very complex to fit into the problem frame called location privacy. To shift assumptions about space and time that underlie an already challenging research question can easily be seen as daunting. However, some of these challenges may be seen as an opportunity to bring together communities that work on location privacy, malicious and deceptive behavior, and geography around a table. Once there, we may also discover many potential uses of obfuscation, good and bad, which may contribute greatly to the endeavors of researchers using this strategy in their work. If we do so, we may also make some necessary contributions to building systems that respect individuals and communities in space and time.
Beresford, Alastair R., and Frank Stajano. “Location privacy in pervasive computing.” IEEE Pervasive Computing 2.1 (2003): 46-55.
Duckham, Matt, and Lars Kulik. “Location privacy and location-aware computing.” Dynamic & mobile GIS: investigating change in space and time 3 (2006): 35-51.
Gruteser, Marco, and Dirk Grunwald. “Anonymous usage of location-based services through spatial and temporal cloaking.” Proceedings of the 1st international conference on Mobile systems, applications and services. ACM, 2003.
Krumm, John. “A survey of computational location privacy.” Personal and Ubiquitous Computing 13.6 (2009): 391-399.
Olteanu, Alexandra-Mihaela, et al. “Quantifying interdependent privacy risks with location data.” IEEE Transactions on Mobile Computing 16.3 (2017): 829-842.
Phillips, David, and Michael Curry. “Privacy and the Phenetic Urge: Geodemographics and the Changing Spatiality of Local Practice.” Surveillance as Social Sorting: Privacy, Risk and Automated Discrimination. Ed. David Lyon. London: Routledge, 2003. 137-152.
Theodorakopoulos, George, et al. “Prolonging the hide-and-seek game: Optimal trajectory privacy for location-based services.” Proceedings of the 13th Workshop on Privacy in the Electronic Society. ACM, 2014.
Wernke, Marius, et al. “A classification of location privacy attacks and approaches.” Personal and Ubiquitous Computing 18.1 (2014): 163-175.
This research was completed with the generous support of the Research Foundation of Flanders (FWO), IMEC-COSIC KU Leuven and Center for Information and Technology at Princeton University.