
2012 IEEE 18th International Conference on Parallel and Distributed Systems

Privacy Preserving for Continuous Query in Location Based Services

Yong Wang, Long-ping He, Jing Peng, Ting-ting Zhang, Hong-zong Li


Department of Computer Science and Communication Engineering
University of Electronic and Science Technology of China, 611731
Chengdu, China
cla@uestc.edu.cn

query "continuously send me real-time weather forecast
according to my position". A continuous query is made up
of several snapshots. The traditional cloaking method may
lead to privacy leakage because of the close relationship
among the successive locations. The continuous query may
suffer from the maximum movement boundary attack, which
is well discussed in [3, 4]. On the other hand, with the
assumption that the attacker possesses the cloaking history,
the user who sends the query can be determined by getting
the intersection of all the cloaking sets, which is called the query
tracking attack [2]. An intuitive approach against the attack is to
keep the original cloaking set in effect during the whole
lifetime. However, the clients cloaked together may become
far apart in the following snapshots, leading to high
processing cost and low quality of service (QoS). In an
extreme circumstance, the clients may even stand at one
point, which may cause leakage of the users' location privacy.
In this paper, we design a novel query linking privacy
preserving algorithm named V-DCA for continuous query
in LBSs, which considers the clients' moving status and
trend (the velocity and acceleration) when generating
cloaked regions. The neighboring generated cloaked sets are
used to create the new cloaked region, which decreases the
complexity of the algorithm while fulfilling the privacy
requirements. The experimental results show that V-DCA
algorithm can provide better QoS while resisting the query
tracking attack.
The main contributions of our work are:
(1) A new query linking privacy preserving algorithm V-DCA is proposed, by taking the velocity and acceleration
features of the mobile clients into account. The analysis
results show that the algorithm can get a good balance
between QoS and privacy;
(2) The metrics considering QoS, privacy guaranty, and
performance are introduced to evaluate the query linking
privacy preserving algorithm comprehensively;
(3) The evaluation experiments based on the real city
map [5] are carried out to analyze the efficiency of our
algorithm and the results indicate that our algorithm has
relatively shorter response time, higher QoS, and better
privacy preservation compared with those proposed in [6]
and [7].
The rest of the paper is organized as follows: in section
2, related work on LBS privacy preserving is discussed. In
section 3, the preliminaries, including the system
architecture, attacking properties, anonymizing goal and

Abstract: Location-based services (LBSs) have become a
popular and important way to provide real-time information
and guidance. The abuse of mobile users' location data, which
may violate their sensitive and private personal information, is
one of the major challenges faced by LBSs. On the other hand,
the query launched by mobile users should not be linked to
them even if they are required to expose their location
information to attain some services. However, many location
based systems (e.g., mobile social networks, store finders)
lack consideration of users' privacy preservation. In this
paper, we focus on the issues related to query linking privacy.
Particularly, we aim to preserve mobile users' privacy in
location based mobile systems where their location information
may be available; furthermore, while facing attacks, the
sensitive data of a specific mobile user launching the query
should not be disclosed to an adversary. We present a new
query linking privacy preserving algorithm (V-DCA) for
continuous LBS by taking the users' velocity and acceleration
similarity into consideration. The consecutive generated
cloaked sets are used to create the new cloaked region, which
decreases the complexity of the algorithm while fulfilling the
privacy requirement. The simulation results show that V-DCA
can preserve mobile users' privacy as well as provide better
Quality of Service (QoS).
Keywords- location-based services (LBSs); privacy
preserving; query linking privacy; velocity and acceleration
similarity; quality of service(QoS)

I. INTRODUCTION

In recent years, Location-Based Services (LBSs) have
attracted extensive attention. Although these services
provide us with convenience, privacy related problems arise
at the same time. The location privacy [1] focuses on
protecting the client's exact location, while the query
linking privacy [2] aims to cut off the link of some sensitive
query (tumor hospital, etc.) to a particular client despite
the disclosure of the client's location.
Spatial cloaking based on k-anonymity is the most
common and useful approach both for location privacy and
query linking privacy. Upon receiving the query for LBSs,
the privacy preserving system enlarges the exact location
into a cloaked region which contains not only the query
location but also at least k-1 other users. Privacy
preservation of LBSs mainly concentrates upon the snapshot
query in the past without considering the continuous query,
which is another important application [2]. For example, the
1521-9097/12 $26.00 2012 IEEE
DOI 10.1109/ICPADS.2012.38


according to the client location. On the other hand, the
cloaking area may narrow down to one point in the extreme
case, which results in the leakage of the client's location. In
[3], the cloaked set is generated at the query time and
remains unchanged during the whole active time. X. Pan et
al. [7] introduce the distortion of locations during the entire
section to avoid the cloaked region becoming unacceptable.
As velocity cannot remain the same, using the distortion for
the whole period seems impractical. Leon Stenneth and
Phillip S. Yu [6] proposed the Dynamic Transportation
Mode Cloaking algorithm. It introduces a new concept of
transportation mode homogeneity on a reasonable
assumption that the clients with the same transportation
mode can stay close in the future, based on which, the
anonymity server engenders different cloaked regions for
each snapshot. Furthermore, kglobal is proposed to indicate
that the consecutive intersection set should contain at least k
elements. However, even with the same transportation mode,
clients cloaked together at the beginning may have
absolutely different moving status and trend, which reduces
the possibility that these clients are cloaked together later.
The privacy model and the quality model were proposed
in [7] to ensure the cloaked region balancing between
privacy and quality requirements. M. L. Yiu et al. [19]
presented a framework called SpaceTwist to manage the
trade-offs among the privacy, performance and accuracy.
Toby Xu et al. [20] introduced entropy to estimate the
anonymity degree of the cloaked region, which can generate
the relatively smallest cloaked area reaching a given privacy
level.

cloaking principle, are presented. The design of our
algorithm is proposed in section 4. Simulation experiments
and evaluations are provided in section 5. Finally, brief
conclusions are presented in section 6.
II. RELATED WORKS

For privacy preservation of LBSs, there are three main
fundamental methods [8]: dummy [9], spatial cloaking [1],
and spatial-temporal cloaking [10]. The distance between
the false location that the client sends to the anonymizing
server and the true location varies inversely with the quality
of service and directly with the level of privacy while using
the dummy. The dummy is to report the fake location or
query instead of or together with the true one. Aniket
Pingley et al. [11] introduced the DUMMY-Q to avoid the
real query being identified by maintaining the context
consistency of the fake queries. The spatial cloaking is to
reduce the resolution of the moving object's location, i.e.,
using the region to represent the exact location. On the basis
of spatial cloaking, spatial-temporal cloaking tries to delay
the response of the service required by the client, cloaking
the temporal dimension in addition to obfuscating location.
k-anonymity model proposed by Gruteser and Grunwald [1]
is a widely accepted method employing the spatial cloaking.
k-anonymity algorithm blurs the exact location of the client
into the region which contains the client who makes a query
and other k-1 clients. Gedik and Liu [12, 13] suggest a
personalized k-anonymity model that allows the client to put
forward the privacy requirements including the parameter k.
Considering that all clients in the same region may come up
with queries with the same sensitivity, Liu et al. [14]
proposed the l-diversity model to ensure not revealing query
privacy. Koi [26] platform can provide location
functionality to applications that need it while ensuring that
no third party can get the relations of users and their
attributes.
While the previous techniques depend on the non-cooperative or the centralized trusted party architecture,
Chow et al. [15] proposed a new cloaking algorithm based
on the peer-to-peer cooperative architecture in which clients
cooperate with each other to provide privacy preservation
without any centralized entity. Prive [16] is a P2P system
which generates 1-D sequence of clients by using Hilbert
Transformation. J. Xu et al. [3] mixed the real queries with
others in P2P architecture to provide privacy preserving of
LBSs. Frank Durr et al. [17] proposed a position sharing
scheme to hide the exact location position information. A
two-tier interaction approach for generating cloaked region is
proposed by Sisi Zhong et al. [18]. When a client submits a
query, the server determines an approximate region that the
client may be located in according to the message of the
client's answers.
The privacy preservation scheme of continuous query
first proposed by Chow et al. in [2] claims that the
anonymous set formed in the first moment should be valid
during the whole period which can defend against the query
tracking attack. However, as the clients in the set may
become far apart in the following snapshots, the region may
be too large for the refiner to get the accurate result

III. PRELIMINARIES

A. System Architecture and Assumptions

We adopt the trusted third party architecture consisting of
mobile clients, Anonymizing Server (AS) and Location-Based
Server (LBS) [1, 3, 7, 21]. The core of the system is
the AS, which contains three parts: the cloaking engine is
responsible for cloaking the exact location into a region
containing at least k-1 other clients and forwards the region
request to LBS; the results refiner filters the candidate results
generated by LBS into an accurate one based on the client's
location; the cloaked repository may keep some previously
cloaked results and use them to generate the new region. The
AS is placed at some cellular service provider (e.g. mobile
base stations) and mobile clients can access the LBS
through it. The architecture is shown in Fig. 1.
In a continuous query, a mobile client submits the
request to the AS only at the initiating time. AS generates
the cloaked region of the accurate location and sends the
query with cloaked region to the LBS. Upon receiving the
query with the cloaked region, the service provider
calculates many candidate results due to the locations in the
region and passes all the results to AS. AS can pick up the
correct query answer due to the exact location of the query
client and return the results to the client. The AS continues
to issue the request to LBS in the following lifetime of the
query with different cloaked regions related to the real-time
location of the query client.


time at which the query is created. Texp is the expiration time
of the query and a continuous query will be issued
periodically by the AS before Texp is reached. Texp can be
used to determine the number of snapshots n in the
continuous query. Generally, the longer the active period is,
the larger n will be. The content of the query is noted by
Con.
On receiving the query, cloaking engine cloaks location l
into a region R. For each snapshot in the continuous query,
different cloaks are generated to provide privacy
preservation. The ith successfully cloaked region is
represented as Ri. A region request Ri is formed with three
parts: Rid, Si and RL. Rid is the identification attribute of a
region. Si is the set of queries in Ri, and RL is the Minimum
Boundary Rectangle (MBR) covering all queries in S. We
use |Ri| to define the number of clients in Si. The region
request (Ri, Con) will substitute the original query request
and be passed to LBS to generate the candidate results.
A continuous query may have one of the three statuses:
(1) fresh: A newly created query at Tq is called fresh query.
(2) active: A query is active during the period of Texp - Tq and
an active query is the query which was initiated before and
has not been terminated. (3) expired: An active query turns
expired when the time reaches Texp.
A well-performed cloaking algorithm protecting against
query tracking attack means maintaining as many clients in
R as possible. There are three factors affecting the locations
in the future: the locations at the current time, the clients'
velocity, and the clients' acceleration. The acceleration
affects the locations in the future in the way of influencing
velocity in the following snapshots, i.e., velocity changing
trend. While choosing the clients cloaked together, we
should privilege those staying close at the operating time
and owning similar velocity and acceleration.
Definition 1. (Velocity similarity and acceleration
similarity) We introduce the velocity similarity SimV
(acceleration similarity SimA) to reflect the similarity of
mobile clients' velocity (mobile clients' acceleration). Let
vi= (vix, viy) and ai= (aix, aiy) be two-dimensional vectors of
client i, the velocity similarity SimV(i, j) and acceleration
similarity SimA(i, j) of client i and j can be calculated as
follows:

Figure 1. The System Architecture

We assume that the mobile clients possess the capability
of positioning, which can report the clients' locations to AS
for cloaking. It is reasonable to make another assumption
that the adversaries may know the exact location of the
mobile users because of the possibility of LBS disclosing
clients' locations. However, the query should not be linked
to the mobile clients. As a consequence, we concentrate
on the query linking privacy preservation rather than
location privacy. Our algorithm runs on the middleware of
AS.
B. Attacking Properties
A user obtaining the following knowledge can be a
potential attacker:
(1) The cloaking sets in a continuous time;
(2) The locations of the mobile clients that submit the
query.
When obtaining client q's cloaking region at $t_i$ and $t_{i+1}$ as
$R_i$ and $R_{i+1}$, an attacker can launch query tracking attack by
calculating $R_i \cap R_{i+1}$ to narrow the cloaked region of client q.
As shown in Fig. 2, there are nine clients in the system
and the attacker only knows some continuous query exists.
The rectangles with solid line in Fig. 2 (a, b, c) are cloaking
regions of A at three different timestamp readings ($t_i$, $t_{i+1}$, $t_{i+2}$)
and the cloaking sets are {A, B, C, D}, {A, C, D, H} and {A,
B, H, I}. If the attacker possesses the cloaking history, the attacker
can infer that it is A who sends the query by getting the
intersection of all the cloaking sets.

$$Sim_V(i, j) = (v_{ix} - v_{jx})^2 + (v_{iy} - v_{jy})^2 \qquad (1)$$

$$Sim_A(i, j) = (a_{ix} - a_{jx})^2 + (a_{iy} - a_{jy})^2 \qquad (2)$$

The velocity and acceleration are the two significant
features reflecting the mobile clients' moving
characteristics. The mobile clients cloaked in the same
region with similar velocity and acceleration will stay
together in the consecutive snapshots. As a result,
velocity similarity SimV(i, j) and acceleration similarity
SimA(i, j) can be used to select the cloaking candidates.
In the meantime, the cloaking algorithm should perform
relatively well in quality. Hence, the cloaking area is

Figure 2. Example Privacy for Continuous Query. (a) Cloaking Set at ti;
(b) Cloaking Set at ti+1 (c) Cloaking Set at ti+2.

C. Cloaking Principle
The mobile client sends a new query in the form of (l, p,
Tq, Texp, Con), where l = (x, y) is the latitude and longitude of
the client's location and their value can be determined by
GPS or other positioning components. p represents the
privacy parameters which will be discussed later. Tq is the


For a particular algorithm, a larger K means a better
privacy preserving and the maximum value of K is |R1|.
Without considering Texp, n should be as big as possible (be
infinite in the ideal conditions). Both of them can be used to
measure the performance of the cloaking algorithms.

introduced. If Rt is a cloaking region and St is the set of
clients cloaked in Rt at time t, the cloaking area A of Rt is:

$$A = [\max(x) - \min(x)] \times [\max(y) - \min(y)] \qquad (3)$$

where max(x) and max(y) are the maximum values of
latitude and longitude of the clients' locations in St and
min(x) and min(y) are the minimum values of them.

IV. ALGORITHM

A. Algorithm Depiction
We propose the Velocity based Dynamic Cloaking
Algorithm (V-DCA) in this section. The velocity similarity
and acceleration similarity are considered for each snapshot
cloaking. V-DCA is a history-based cloaking strategy that
believes the queries cloaked together at time ti-1 have higher
likelihood staying together at ti. So when generating the
cloaking region Ri, the clients in the nearest m successfully
cloaking regions should be given prior consideration.
When a new query q comes, we search all the clients in
the pre-cloaked set Rset and check if they satisfy the
condition (1) in definition 3 while forming a cloaking
region. If so, q should be cloaked with the one causing the
lowest data distortion. Otherwise, the cloaking step will be
skipped to the next snapshot. These steps continue until
there are no clients to be cloaked together any more (step 4-14). Then the velocity similarity and acceleration similarity
will be calculated (step 15-18). After which, only the
cloaking region meeting the requirement of klocal and p is
treated as the qualified cloaking region (step 20-22).
For the subsequent snapshot i in the query lifetime, we
respectively check the satisfaction of the q by adding each
client in Ri-1, Ri-2, ..., Ri-m into Si. The client causing the
lowest data distortion is chosen into Si. The steps will be
repeated until the size of Si doesn't change (step 23-25). The
cloaking step continues if and only if the intersection size of
Si and all the previous cloaking sets is larger than kglobal. The
MBR ri covering Si can be a candidate cloaking region (step
26-27). For a continuous query, the privacy is depending on
kglobal and the klocal restriction in the following snapshot
should be ignored. Finally, the privacy model p is
calculated. If it is not satisfied, ri is expanded from all the
sides until it is equal to p and Ri=ri (step 28-30). When all
these conditions are achieved, V-DCA proceeds to issue the
snapshot query to the LBS with Ri (step 31). Otherwise, the
snapshot will be suppressed and the cloaking engine will
process the subsequent snapshots (step 32-33). The detailed
algorithm is depicted as follows:

D. Anonymizing Goal
Definition 2. (Privacy parameter) In our system, the user
can define its own privacy parameters as it may differ a lot
due to different clients and occasions which can be
delivered to the anonymizing server together with the query:
klocal: It shows that at least klocal-1 other users should be
cloaked with the query client in the first snapshot. So the
probability of discovering the exact location is less than
1/klocal.
kglobal: The size of intersection of the current cloaking set
with those generated previously should be larger than kglobal.
The requirement of kglobal can resist the query tracking
attack. Though the adversaries may own all of the cloaking
sets, they can't distinguish the query client from at least
kglobal-1 others. However, in practice, kglobal may be defined
much smaller than klocal.
Definition 3. (Qualified cloaked region) For a particular
query q, a client q′ that can be cloaked together with q should
satisfy the following conditions using formulas (1) (2) and
(3):
(1) A(R)q;
(2) Simv(q, q′) ;
(3) SimA(q, q′) ;
The first condition ensures that adding q′ into the
cloaking set meets the quality requirement. R is the cloaked
region formed by q′ and the clients already cloaked
with q and the cloaking area A(R) is calculated with formula
(3). As a larger cloaking area indicates a higher data
distortion, we introduce q to limit data distortion in case
that it brings out bad QoS. q is combined with klocal and
kglobal to balance the privacy and quality. q can be
determined by the anonymizing server based on the history.
Conditions (2) and (3) give the velocity similarity and
acceleration similarity restrictions  and  for the clients
cloaked together. A region meeting all the conditions can be
a candidate cloaking region. If and only if the candidate
cloaking region CR at time t fulfills the following
prerequisite, CR is a qualified cloaking region:
$$|CR \cap R_1 \cap R_2 \cap \dots \cap R_{t-1}| \ge k_{global}$$
This condition protects the client from query tracking
attack. The clients in the qualified cloaking region CR form
the qualified cloaking set.
Definition 4. (Evaluation <K, n>) Given a continuous
query, K represents the size of the intersection of all the
successfully cloaked sets formed consecutively. The
maximum number of cloaked sets meeting the privacy and
quality requirements in the continuous snapshots is denoted
as n.
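
The query tracking attack of Section III-B and the kglobal rule of Definitions 2 to 4, as an added Python example that is not code from the paper. The three cloaking sets are the ones from the Fig. 2 discussion; the function names, the k values and the use of `>=` for the size tests are assumptions of this example.

```python
"""Query tracking attack versus the k_global rule (added example)."""

# Cloaking sets of client A at t_i, t_{i+1}, t_{i+2}, as listed for Fig. 2.
FIG2_HISTORY = [
    {"A", "B", "C", "D"},
    {"A", "C", "D", "H"},
    {"A", "B", "H", "I"},
]


def tracking_attack(history):
    """Attacker's view: intersect every cloaking set seen for one query."""
    suspects = set(history[0])
    for cloaking_set in history[1:]:
        suspects &= cloaking_set
    return suspects


def release_with_kglobal(candidates, k_local, k_global):
    """Anonymizing server's view (hypothetical helper).

    The first forwarded snapshot must hold at least k_local clients.
    Every later snapshot is forwarded only if its intersection with all
    previously forwarded sets still holds at least k_global clients;
    otherwise it is suppressed and the next snapshot is tried.
    Returns (forwarded_sets, suppressed_snapshot_indices).
    """
    forwarded, suppressed = [], []
    running = None  # intersection of everything forwarded so far
    for idx, cand in enumerate(candidates):
        if running is None:
            nxt = set(cand)
            ok = len(nxt) >= k_local
        else:
            nxt = running & cand
            ok = len(nxt) >= k_global
        if ok:
            forwarded.append(set(cand))
            running = nxt
        else:
            suppressed.append(idx)
    return forwarded, suppressed


def evaluate(forwarded):
    """K and K_percentage (formula (4)) over the forwarded sets.

    The middle value is the number of forwarded snapshots, used here as
    this example's reading of n.
    """
    if not forwarded:
        return 0, 0, 0.0
    k = len(tracking_attack(forwarded))
    return k, len(forwarded), 100.0 * k / len(forwarded[0])


if __name__ == "__main__":
    print("attacker, no k_global rule:", tracking_attack(FIG2_HISTORY))
    sent, dropped = release_with_kglobal(FIG2_HISTORY, k_local=4, k_global=2)
    print("forwarded:", sent, "suppressed snapshots:", dropped)
    print("attacker, with k_global=2:", tracking_attack(sent))
    print("K, snapshots, K_percentage:", evaluate(sent))
```

With the unfiltered history the attacker is left with A alone; with kglobal = 2 the third snapshot is suppressed and the attacker cannot narrow the sender below {A, C, D}.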

privacy guaranty. Besides, as a better algorithm reflects a
larger number of consecutive successfully cloaked
snapshots as defined in definition 4, the n can be used as
another important metric to measure privacy.

Algorithm V-DCA
Input: query q <l, p, Tq, Texp, Con>
Output: cloaking region R
1.  candidate cloaking set U = null, minA = 10^16, qmin = null;
2.  If q is fresh /* q is a newly established query */
3.    put q into U;
4.    for q′ in Rset /* searching each client q′ in the pre-cloaked set Rset */
5.      calculating the area A(r1) after q′ added;
6.      if A(r1)q /* checking if they satisfy q quality model while forming a cloaking region */
7.        if (minA > A(r1))
8.          minA = A(r1);
9.          qmin = q′;
10.       endif
11.     endif
12.   end
13.   put qmin into U; /* cloaking q with client causing the lowest area as the candidate region */
14.   repeat 4 to 13 until |U| doesn't change;
15.   for each query q′ in U /* searching all the clients in the candidate set U */
16.     If (Simv(q, q′) ) & (SimA(q, q′) ) /* checking if the velocity similarity and acceleration similarity requirement been achieved */
17.     else
18.       delete q′ from U;
19.     endif
20.   if (|U| ≥ klocal)
21.     S1 = U, R1 = MBR(U); /* successfully cloaked */
22.   else insert q into Rset; /* inserting q into pre-cloaked set */
23. else /* query q is active */
24.   for each query q′ in Ri-1, Ri-2, ..., Ri-m /* searching every client in the nearest m cloaking sets */
25.     repeat 3 to 19;
26.   if (|U ∩ R1 ∩ R2 ∩ ... ∩ Ri-1| ≥ kglobal) & MBR(U) p
27.     Si = U, Ri = MBR(U);
28.     If Rip
29.       Expand Ri until MBR(U) p
30.     End if
31.     forward the query to the LBS;
32.   else
33.     suppress the query;
34.   endif
35. endif
V.

$$K_{percentage} = \frac{|R_1 \cap R_2 \cap \dots \cap R_n|}{|R_1|} \times 100\% \qquad (4)$$

2) QoS: As the clients staying far apart may reduce the
accuracy of the results, we evaluate the QoS using two
metrics: average distance and average cloaking area during
the query lifetime. For both metrics, a larger
value indicates a worse QoS. Average distance is the
average value of the distance between the query client and
the clients being cloaked together. For a continuous query
q, Ri is the cloaked region of q at snapshot time i. D(q, mi)
represents the distance between q and mobile user mi which
was anonymized with q. The average distance Davg(q, Ri)
of the region Ri is calculated as:

$$D_{avg}(q, R_i) = \sum_{i=1}^{k_{local}-1} D(q, m_i) / (k_{local} - 1) \qquad (5)$$

For a query with n snapshots, the average distance Davg(q) of
all the snapshots is:

$$D_{avg}(q) = \sum_{i=1}^{n} D_{avg}(q, R_i) / n \qquad (6)$$

The average cloaking area Aavg(q) is the mean of all the
cloaked area A. The computation of Aavg(q) is:

$$A_{avg}(q) = \sum_{i=1}^{n} A(R_i) / n \qquad (7)$$

3) Performance: We evaluate the performance using
average cloaking-time Ct-avg to find cloaked regions for a
particular query q. The query q consists of n snapshots and
Ct(Ri) represents the cloaking-time for each cloaked region,
Ct-avg can be calculated as:

EXPERIMENT AND EVALUATION

In this section, we evaluate our proposed V-DCA
algorithm. The evaluation criteria and metrics are described
in Section A recognizing the related work on quantifying
location privacy [22] [23] and query privacy [24], followed
by the experiments setup in Section B. The evaluation
results are presented in Section C with the comparison of D-TC proposed in [6] and GCA in [7].

$$C_{t\text{-}avg} = \sum_{i=1}^{n} C_t(R_i) / n \qquad (8)$$

B. Experiment Setup
Due to the privacy concerns, there are no real large-scale
moving object datasets published according to our
knowledge. We use the famous Thomas Brinkhoff Network-based Generator of Moving Objects [25] as many works do.
The road map we adopt is the highway of Shanghai. 300

A. Evaluation Criteria and metrics

We evaluate our algorithm from three aspects: privacy
guaranty, QoS and performance.
1) Privacy Guaranty: For a continuous query, the
privacy depends on K discussed in definition 4 and the
cloaked clients in R1 should be in the subsequent snapshots
as many as possible. So the Kpercentage is defined as the


restraint V-DCA maintains more clients of the first cloaked
region in the consecutive snapshots than the other two
algorithms. A conclusion can be drawn by combining the
results of Fig. 4 (b) and Fig. 4 (d) that V-DCA provides
larger Kpercentage with more successfully cloaked snapshots,
which shows that V-DCA can achieve better privacy
guaranty when providing the same level quality of
continuous query response service.
The experiments of Fig.4 show that V-DCA performs
much better both on n and Kpercentage by taking velocity
similarity and acceleration similarity into consideration. In
other words, D-TC considers the transportation mode rather
than the accurate velocity. GCA calculates the cloaking sets
at the beginning section and can't succeed for high quality
model restraints. As a result, V-DCA can guarantee
privacy better than D-TC and GCA when satisfying the
same quality model requirements.
Fig.5 shows the comparison results on the QoS of the
three algorithms using the metrics mentioned above, i.e.,
average distance and average cloaking area during the
lifetime. Fig. 5 (a) and Fig.5 (d) plot the cloaking area and
average distance versus the variant of the kglobal respectively,
with the quality model q= 1.0e+7 and n=100. The results
show that the kglobal has hardly any influence on the cloaking
area and average distance for all the three algorithms.
However, V-DCA generates the smallest average cloaking
area and average distance among the three algorithms,
which leads to better QoS. GCA fails to satisfy the
requirements of the quality model q, which makes the two
metrics zero. According to the comparison results, a simple
conclusion may be drawn that V-DCA is able to provide the
best QoS while achieving the same level of QoS.
Fig.5 (b) and Fig.5 (e) illustrate the two metrics versus
various quality models q, where n=100, and kglobal=2. The
plotting results show that the cloaking area of GCA is the
largest among the three algorithms, but GCA may fail when
the q becomes low. However, the average distance of GCA
is the shortest when the q is high. V-DCA performs better
than GCA with smaller average cloaking area and shorter
average distance when q becomes low which means the
high QoS requirement. V-DCA performs better than D-TC
when the quality model is less than or equal to 1.0e+7,
while D-TC outperforms V-DCA when the quality model is
greater than 1.0e+7.
Fig. 5 (c) and Fig. 5 (f) show that the average cloaking
area of V-DCA is stable and much smaller than D-TC,
which shows that V-DCA can provide more stable and
higher quality of service than D-TC. Because GCA is
unable to satisfy the quality model q requirement
(q=1.0e+7), the average cloaking area and the average
distance of GCA are zero, which indicates the failure of GCA.
The experimental results of Fig.5 suggest that V-DCA
can offer high quality of service without cutting-back of the
privacy guaranty. D-TC can preserve the privacy guaranty
but leads to a decrease in quality of service. GCA can
cloak successfully only when the quality model q declines
to a rather low level.
Fig. 6 depicts the algorithms' performance in terms of the
cloaking time. Fig. 6 (a) shows that V-DCA and D-TC run

mobile clients are generated moving along the map with
medium speed for 100 snapshots. Hence, corresponding
speeds and locations of all the clients can be obtained from
the generator. For all the experiments, the velocity similarity
is limited to 300 and so is the acceleration similarity. The
privacy model restricts the area to be larger than 100 square
meters.
With the simulated data, we implement all the three
algorithms and run them on a notebook with 2GB memory
and Dual Core 2.17GHz.

Figure 3. Generated Objects on the Highway Map of ShangHai.

C. Evaluation Results
The privacy guaranty comparison results are shown in
Fig. 4. In the Fig.4 (a), the results show that both V-DCA
and D-TC can achieve relatively higher n (n>50) than GCA
when kglobal is smaller than 6, while V-DCA is much more
stable than D-TC. With the increase of the kglobal, the quality
model requirement (q=1.0e+7) cannot be achieved for all
the snapshots by GCA, and the cloaking process fails.
However, V-DCA and D-TC can provide several (n<10)
consecutive successfully cloaked snapshots.
The quality model has a significant influence on n as
shown in Fig.4 (b). With the increase of quality restraint,
both V-DCA and D-TC can cloak successfully for a larger n
than GCA, while V-DCA performs relatively better than D-TC. Judging from Fig. 4 (a) and Fig. 4 (b), we can infer that
V-DCA provides a larger number of consecutive successful
snapshots than D-TC and GCA, furthermore, the V-DCA
can provide more stable query response than the other two
algorithms.
The n and the quality model q also influence the
intersection percentage Kpercentage of the consecutive
successfully cloaked snapshots as shown in Fig.4 (c) and
Fig.4 (d). From Fig. 4 (c), we can find that the Kpercentage of
V-DCA is the highest among the three algorithms. Because
the GCA fails to satisfy the quality model requirement
(q=1.0e+7), its Kpercentage keeps zero, which indicates that
GCA cannot provide the same quality of continuous query
response service. Compared with D-TC, the Kpercentage of V-DCA is much more stable, steady at 0.42 for more than
80 snapshots; furthermore, it has a relatively larger Kpercentage
when the number of snapshots reaches 70. Fig.4 (d)
compares the Kpercentage and the quality model q. The results
show that V-DCA has the highest Kpercentage throughout the
whole snapshots when satisfying the same quality model q.
The results suggest that with the same quality model

much faster than GCA for different kglobal requirements; V-DCA and D-TC are equally matched. This is because GCA
generates the cloaking area for each snapshot during the
entire section by estimating the distortion of the whole
query period, while V-DCA and D-TC only calculate the
current cloaking region.
Fig.6 (b) illustrates that V-DCA and D-TC have much
better performance than GCA for different quality models q
with 100 snapshots and kglobal set to 2. Furthermore, V-DCA
consumes less time than D-TC. The result indicates that the
performance of V-DCA is superior to both D-TC and GCA.
The performance varying with snapshot number n is
shown in Fig.6 (c). V-DCA and D-TC perform much better
than GCA as with Fig.6 (a) and Fig.6 (b). With the increase
of snapshots number, the average cloaking-time of GCA
deceases, but those of V-DCA and D-TC staying stable. At
the first sight, D-TC performs a little better than V-DCA in
the first few snapshots. Thats because we consider much
more factors such as velocity similarity and acceleration
similarity in order to achieve better privacy, However, VDCA is comparable with D-TC as we privilege the clients in
the nearest m successfully cloaking regions when generating
the new cloaking set in the long run.
According to the comparison and evaluation results of
the three algorithms, V-DCA can make a good balance
among privacy, QoS and performance. It can achieve the
privacy guaranty with a low QoS impairment and low
processing cost. V-DCA performs better than D-TC and
GCA in the circumstance which has a high QoS
requirement.
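The two privacy measures used in this evaluation, the number n of consecutive successfully cloaked snapshots under a kglobal requirement and the intersection percentage, can be checked against any recorded cloaking history. The Python code below is an added example, not the authors' implementation; the function name, the user ids and the percentage formula (survivors divided by the size of the first cloaking set) are assumptions, since this section does not give the paper's definition of Kpercentage.

```python
# Added example (not from the paper). The percentage formula is an assumption:
# users surviving the running intersection / size of the first cloaking set.

def audit_cloaking_history(cloaking_sets, k_global):
    """Replay a cloaking history as an observer holding that history could.

    cloaking_sets: list of sets of user ids, one set per snapshot.
    Returns (n, trace). n is the number of consecutive snapshots, counted
    from the first, whose running intersection still holds at least
    k_global users. trace has one (index, survivors, percentage) per snapshot.
    """
    if k_global < 1:
        raise ValueError("k_global must be >= 1")
    if not cloaking_sets:
        return 0, []
    first_size = len(cloaking_sets[0])
    survivors = set(cloaking_sets[0])
    n, still_ok, trace = 0, True, []
    for i, members in enumerate(cloaking_sets):
        survivors &= set(members)          # users present in every set so far
        pct = len(survivors) / first_size if first_size else 0.0
        trace.append((i, frozenset(survivors), pct))
        if still_ok and len(survivors) >= k_global:
            n += 1                         # global requirement still met
        else:
            still_ok = False               # chain of successes is broken
    return n, trace

# Constructed histories: every single snapshot is 4-anonymous in both.
STABLE = [{"u1", "u2", "u3", "u4"},
          {"u1", "u2", "u3", "u5"},
          {"u1", "u2", "u3", "u6"}]
DRIFTING = [{"u1", "u2", "u3", "u4"},
            {"u1", "u2", "u7", "u8"},
            {"u1", "u9", "u10", "u11"}]

if __name__ == "__main__":
    for name, history in (("stable", STABLE), ("drifting", DRIFTING)):
        n, trace = audit_cloaking_history(history, k_global=2)
        print(name, "n =", n, "final percentage =", trace[-1][2])
```

In the drifting history each snapshot on its own hides the issuer among four users, yet the running intersection shrinks to a single user by the third snapshot, which is why per-snapshot k-anonymity alone does not satisfy a global requirement.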
VI. CONCLUSION

In this paper, we investigate query linking privacy
preservation for continuous LBS queries. We propose a new
algorithm, V-DCA, which takes the users' velocity and
acceleration similarity into account. By using the consecutively
generated cloaking sets to create the new cloaking region,
V-DCA decreases the complexity of the algorithm while
fulfilling the global privacy requirement. We described a
comprehensive set of experiments that evaluate the privacy
guaranty, quality of service, and performance to demonstrate
the effectiveness of V-DCA over a real-world map and
various generated moving objects.


ACKNOWLEDGMENT
This work is partially supported by SafeNet research
award, by key technology research and development
program of Sichuan province under grant No.
M110106012009FZ0148, and by National Science
Association Foundation under grant number: U1230106.


Figure 4. Privacy Guaranty Evaluation (curves: V-DCA, D-TC, GCA). Panels: (a) snapshots vs. kglobal; (b) snapshots vs. quality model; (c) Kpercentage vs. snapshots; (d) Kpercentage vs. quality model.

Figure 5. Quality of service (QoS) Evaluation (curves: V-DCA, D-TC, GCA). Panels: (a) cloaking area vs. kglobal; (b) cloaking area vs. quality model; (c) cloaking area vs. snapshots; (d) average distance vs. kglobal; (e) average distance vs. quality model; (f) average distance vs. snapshots.

Figure 6. Performance Evaluation (curves: V-DCA, D-TC, GCA). Panels: (a) cloaking time vs. kglobal; (b) cloaking time vs. quality model; (c) cloaking time vs. snapshots.
