On (The Lack Of) Location Privacy in Crowdsourcing Applications
Authors:
Spyros Boukoros,
Mathias Humbert,
Stefan Katzenbeisser,
Carmela Troncoso
Abstract:
Crowdsourcing enables application developers to benefit from large and diverse datasets at a low cost. Specifically, mobile crowdsourcing (MCS) leverages users' devices as sensors to perform geo-located data collection. The collection of geolocated data raises serious privacy concerns for users. Yet, despite the large research body on location privacy-preserving mechanisms (LPPMs), MCS developers…
▽ More
Crowdsourcing enables application developers to benefit from large and diverse datasets at a low cost. Specifically, mobile crowdsourcing (MCS) leverages users' devices as sensors to perform geo-located data collection. The collection of geolocated data raises serious privacy concerns for users. Yet, despite the large research body on location privacy-preserving mechanisms (LPPMs), MCS developers implement little to no protection for data collection or publication. To understand this mismatch, we study the performance of existing LPPMs on publicly available data from two mobile crowdsourcing projects. Our results show that well-established defenses are either not applicable or offer little protection in the MCS setting. Additionally, they have a much stronger impact on applications' utility than foreseen in the literature. This is because existing LPPMs, designed with location-based services (LBSs) in mind, are optimized for utility functions based on users' locations, while MCS utility functions depend on the values (e.g., measurements) associated with those locations. We finally outline possible research avenues to facilitate the development of new location privacy solutions that fit the needs of MCS so that the increasing number of such applications do not jeopardize their users' privacy.
△ Less
Submitted 5 June, 2019; v1 submitted 15 January, 2019;
originally announced January 2019.
QRES: Quantitative Reasoning on Encrypted Security SLAs
Authors:
Ahmed Taha,
Spyros Boukoros,
Jesus Luna,
Stefan Katzenbeisser,
Neeraj Suri
Abstract:
While regulators advocate for higher cloud transparency, many Cloud Service Providers (CSPs) often do not provide detailed information regarding their security implementations in their Service Level Agreements (SLAs). In practice, CSPs are hesitant to release detailed information regarding their security posture for security and proprietary reasons. This lack of transparency hinders the adoption o…
▽ More
While regulators advocate for higher cloud transparency, many Cloud Service Providers (CSPs) often do not provide detailed information regarding their security implementations in their Service Level Agreements (SLAs). In practice, CSPs are hesitant to release detailed information regarding their security posture for security and proprietary reasons. This lack of transparency hinders the adoption of cloud computing by enterprises and individuals. Unless CSPs share information regarding the technical details of their security proceedings and standards, customers cannot verify which cloud provider matched their needs in terms of security and privacy guarantees. To address this problem, we propose QRES, the first system that enables (a) CSPs to disclose detailed information about their offered security services in an encrypted form to ensure data confidentiality, and (b) customers to assess the CSPs' offered security services and find those satisfying their security requirements. Our system preserves each party's privacy by leveraging a novel evaluation method based on Secure Two Party Computation (2PC) and Searchable Encryption techniques. We implement QRES and highlight its usefulness by applying it to existing standardized SLAs. The real world tests illustrate that the system runs in acceptable time for practical application even when used with a multitude of CSPs. We formally prove the security requirements of the proposed system against a strong realistic adversarial model, using an automated cryptographic protocol verifier.
△ Less
Submitted 12 April, 2018;
originally announced April 2018.
