Nonexposure Accurate Location K-Anonymity Algorithm in LBS

This paper tackles location privacy protection in current location-based services (LBS) where mobile users have to report their exact location information to an LBS provider in order to obtain their desired services. Location cloaking has been proposed and well studied to protect user privacy. It blurs the user's accurate coordinate and replaces it with a well-shaped cloaked region. However, to obtain such an anonymous spatial region (ASR), nearly all existent cloaking algorithms require knowing the accurate locations of all users. Therefore, location cloaking without exposing the user's accurate location to any party is urgently needed. In this paper, we present such two nonexposure accurate location cloaking algorithms. They are designed for K-anonymity, and cloaking is performed based on the identifications (IDs) of the grid areas which were reported by all the users, instead of directly on their accurate coordinates. Experimental results show that our algorithms are more secure than the existent cloaking algorithms, need not have all the users reporting their locations all the time, and can generate smaller ASR.


Introduction
In recent years, the consumer electronics markets witnessed a booming sale of smart mobile devices. These devices, typically smart phones and Personal Digital Assistants (PDA), are equipped with powerful CPU, large ROM and RAM, and positioning technology (e.g., GPS and AGPS). The omnipresence of these devices opens up new applications for the mobile users [1][2][3]. In particular, with the combination of GPS and wireless internet, mobile users can enjoy LBS, which provide dynamic content according to where the user is located. Typical LBS applications include the nearest point of interest (POI) query, location-aware advertisement, and road navigation. In order to enjoy such services, mobile users must explicitly expose their accurate locations to the server. For example, if the users ask for the nearest hospital, they must provide the LBS server with their accurate position in terms of GPS coordinates. In this sense, the privacy of the user's location is compromised in exchange for services. To solve this problem, an intuitive method is to cache the entire datasets of POIs on the mobile device, which can then resolve location-based queries locally. However, the resources of the mobile device are limited. This method can neither scale to large POIs datasets nor deal with data updates. Therefore, a more sophisticated strategy called location anonymity has been proposed and studied [4][5][6][7]. The purpose is to allow the mobile user to request services without revealing the accurate location. Among various approaches proposed along this line, location cloaking is predominant [4][5][6]. It blurs the user's accurate location and replaces it with a well-shaped cloaked region (usually a circle or a rectangle), according to some anonymity metric such as -anonymity (the cloaked region must contain at least users) or granularity (the size of the cloaked region must exceed a threshold). In effect, location cloaking achieves privacy protection at the cost of degrading service. The larger the cloaked region is, the more privacy is preserved, but the less precise the demand is. Therefore, most existent location cloaking research focuses on minimizing the size of the cloaked region while still satisfying the anonymity metric. To this end, a number of location cloaking algorithms have been proposed for different anonymity metrics [4,5,8]. However, to get the ASR and optimize its size, all the existent algorithms require the accurate locations (i.e., the coordinates) of all users. As the accurate locations are exactly what the users want to hide, all the existent work essentially imposes an assumption that all parties involved in the cloaking process must be trusted. Typical parties include the "anonymizer" that sits in between the user and 2 The Scientific World Journal the LBS server [5,8]. However, in practice, any of these parties could be malicious and the exposure of the accurate location information to any party might reveal users' identity or other sensitive information. In this sense, existent algorithms have limited applications and location cloaking without exposing the accurate user location to any party is urgently needed.
Recently, a great deal of interest has been focused in the study of location privacy protection [4][5][6][7][8][9][10][11][12][13][14] and many of the references therein. But they exposure the users' accurate location to the third party. In this paper, we present such two nonexposure accurate location cloaking algorithms. They are designed for -anonymity, and cloaking is performed based on the IDs of the gridareas which were reported by all the users.
To summarize, our contributions in this paper are as follows.
(i) In order to get such a cloaked region without exposing the accurate user locations, we propose two algorithms. One is Optimal cloaking algorithm and the other is random cloaking algorithm Both need not have all the users reporting the information of their positions all the time; they just report the information of their positions to the centralized anonymizer when they move to a new grid-area. To the best of our knowledge, this is the first study that explores the problem of location cloaking with the IDs of the gridareas (not the users' accurate coordinates) which were reported by all the users, and the users can distinguish the grid-area which they are being in by themselves (not the centralized anonymizer).
(ii) Our algorithms can generate multiple ASRs for one query instead of a single ASR directly. We propose a measure model to measure the quality of service (QoS) of the grid-area. The optimal cloaking algorithm uses it to generate ASR with grid-area, which has the highest QoS. So the total square measure of the multiple ASRs is smaller than the single ASR which was generated by the existent cloaking algorithms.
The rest of the paper proceeds as follows. Section 2 reviews existent work on location anonymity and privacyaware LBS. Section 3 presents the system architecture. Section 4 presents the measure model for QoS and 2 generated ASR algorithms for the centralized environment. The experimental results are shown in Section 5 followed by the conclusion and future work in Section 6.

Related Work
Location anonymity has attracted intensive research as a solution to protect user privacy in mobile computing, especially for LBS. The purpose is to allow the mobile users to request services without disclosing their position. Among various anonymous techniques, location cloaking is the predominant. It sends to the server a cloaked region (usually a circle or a rectangle) that contains the genuine user position and is large enough to satisfy some privacy metric. The two most widely adopted metrics are -anonymity-this region must contain at least users so that the genuine requesting user is indistinguishable from at least − 1 other users who have the same cloaked region-and granularity-the area of this region must exceed a threshold. Interval Cloak [4] is one of the first cloaking techniques. The anonymizer indexes the users with a quadtree. To form an ASR for the querying user, Interval Cloak descends the quad-tree up to the topmost node that contains at least users (including querying user). The extent of this node is returned as the ASR. Casper Cloak [5] is similar to Interval Cloak, with two major differences. First, Casper Cloak identifies and accesses the leaf level of the quadtree directly through the use of a hash table. Second, instead of immediately back tracking to the parent quadrant, it checks the two neighboring quadrants to see if their combination with the user quadrant contains (or more) users. Gedik and Liu considered a personalized -anonymity model and proposed Clique-Cloak, which constructs a clique graph to combine clients that can share the same cloaked region [9]. They addressed the issue when a client continuously requested location cloaking and developed an optimal cloaking technique to resist tracing analysis attacks [6].
It is noteworthy that all these cloaking approaches (i.e., Interval Cloak, Casper Cloak, and Clique-Cloak) require the user to expose the accurate coordinates to the trusted centralized anonymizer. Hu and Xu proposed a nonexposure cloaking algorithm to generate the ASR. The algorithm is performed based on the proximity information among mobile users, instead of directly on their coordinates [10]. The proximity information which was used by the algorithm is the WiFi received signal strength (RSS) of neighboring peers or the time difference of arrival (TDOA) of beacon signals from its peers (the shorter the closer). To the best of our knowledge, the WiFi RSS which the android smart phones received comes from the WiFi access points (AP). Usually the android mobile telephones do not work in AP mode. The TDOA can be only measured by the base stations. And the TDOA is just related to the mobile phone and the base station. So the mobile phone cannot use TDOA to determine the proximity information between its peers. So their algorithm cannot be used for the smart phones which adopted the android OS. Wu et al. proposed a Guess-Answer cloaking algorithm to generate ASR with the interaction between user and server [11]. The server guesses an ASR and gives it to the users. The users tell their relative directions of the guess ASRs to the server. The server guesses new ASRs with the answers and gives them to the users. The users answer it. This work continues until the users are in the guessed ASRs. Their algorithm can work without the third centralized anonymizer, but it does not belong to the -anonymity, and the user's location can be gotten through the IP of the user.
On the server side, to support location cloaking, spatial query processing on cloaked regions has also been studied. The Casper framework proposed by Mokbel et al. consists of both an anonymizer and a query processor. The processor evaluates spatial queries over the cloaked regions and returns a superset of the results to the client for further filtering [5]. Cheng et al. proposed a similar framework based on location uncertainty [12], where the returned results are probabilistic results.
The Scientific World Journal 3 Besides location cloaking, other anonymous techniques have also been proposed. Pseudonym decouples the mapping between the user identity and the location so that the server only receives the location without the user identity. However, such a technique is limited to those location-based services that do not require the user's identity. In particular, the lack of user identity makes the billing of these services impossible. Dummy generates fake user locations (called dummies) and mixes them together with the genuine user location into the request [13]. However, by monitoring long-term movement patterns of the user, the server may distinguish the authentic location from dummies. You et al. enhanced this technique by generating consistent movement patterns for dummies in a long run [14]. More recently, Man et al. proposed SpaceTwist [7], where the user repeatedly issues kNN queries from dummies, which they called anchors, until the kNN result for the genuine location is guaranteed. Ghinita et al. proposed a similar framework that is based on private information retrieval (PIR) [15]. The framework partitions the space into grid cells and then the user requests the content within the cell where they are located. Thanks to PIR, the user can encrypt which cell is requested while receiving the correct content. By setting proper content for each cell, this framework can support approximate and exact NN queries. Furthermore, the framework is shown to guard against correlation attacks, but this framework does not belong to the -anonymity.

System Architecture
In this section, we give the space cutting in our system, privacy threat model, and the system architecture.
In our algorithms, the space provided by the LBS system is divided into small rectangular areas. Such a rectangular area can be called grid-area. And all their width, and heights are the same. Every grid-area is marked by its ID. The ID is made up of id and id , so a grid-area can be marked as ID( , ). All the users' locations are marked by their coordinates ( , ). The width of the area is Δ which is given by the system. The height of the area is Δ which is given by the system too. If the Δ and Δ are too small, it reduces the degree of anonymity. If the Δ and Δ are too big, it increases the network load. Usually, the Δ and the Δ are set by the most users' minimum requirement of ASR. The origin of the entire space is ( 0 , 0 ). When we have the ( , ), we can calculate out the ID( , ) by (1). Consider |3 − 3| and |2 − 3|; the result is 1. We do not use the Euclidean distance, because our distance of Definition 1 represents the number of layers, we can use it to expand the search layer by layer conveniently. Figure 1 depicts the system architecture that consists of three entities: mobile users, anonymizer, and LBS server. We will first discuss our privacy threat model and privacy settings in user privacy profiles and then describe each entity in our system.

Privacy Threat Model.
We assume that the centralized anonymizer is trusted, but not 100%. It does not leak the position information of the users, but it may be attacked by the adversary, and the adversary may capture the anonymizer, although the probability is very low. However, we do not have any assumption about the trustworthiness of the LBS providers (LBS servers).

User Privacy Profiles.
All the users specify their privacy requirements in a privacy profile in a form of , min , where indicates the required anonymity level and min indicates the required minimum area of their cloaked areas. In other words, the user wants to find an ASR that includes at least users and has an area of at least min . It is important to note that the query user can change their privacy profile at the start time of any query to guarantee that her specified privacy settings achieve her desired privacy protection in different situations.

Mobile Users.
All the mobile users are equipped with a wireless network interface card for communicating with the anonymizer, for example, GPRS, WCDMA, and CDMA2000. All the users are also equipped with a GPS or AGPS device to determine their location that is represented as a coordinate ( , ). All the users in the system can calculate the ID of the grid-area which they are being in by themselves (not the anonymizer) using (1). If they come into a new grid-area, they send their IDs of the new grid-areas and the IDs of the previous grid-areas which they have left to the anonymizer. When the users want to query something with -anonymity, they send , min , content of the query, and their grid-area IDs to the anonymizer. When the result of the query comes back from the anonymizer, they filter the useless POIs by their coordinates to get the last result.

Anonymizer.
The anonymizer has a table or an array to record the numbers of users for each grid-area. When the users send their new ID, it updates the total of users in the previous grid-area and the new grid-area. It just records the total of users for each grid-area and does not record "which user is being in which grid-area. " So if the anonymizer is attacked by the adversary, it is very difficult for the adversary to know the accurate coordinates of the users. When the users want to query, the anonymizer generates the ASR for them, and then sends the query with the ASR to the LBS servers. The LBS server sends back the results of the query to the anonymizer. The anonymizer removes the useless information from the results by the query user's grid-area ID and then gives the useful information to the users.

LBS Servers.
A privacy-aware query processor embedded inside the LBS servers has the ability to deal with locationbased queries with multiple cloaked areas for one query. Since the query processor does not know the exact user location and which subASR the user is being in, it can only compute a candidate set (CS) of points of interest (POIs) for all the subASRs in the ASR which includes the exact answer for the user.

Generated ASR Algorithms
In this section, we give the main idea of the query algorithm at the LBS server, the measure model for QoS, two definitions, and two generated ASR algorithms. Figure 2 depicts the principle of the query algorithm at the LBS server. The ASR of the query is made up of three isolated subASRs which are painted by the oblique lines. The LBS server does not know which subASR the user is being in, so it has to extend all the subASRs with a distance to get the area for searching the POIs. The detail of the query algorithm at the LBS server oversteps the scope of this paper.

Measure Models.
In order to reduce the size of CS, the total of the extended subASRs must be the smallest. The total of the extended subASRs is decided by the amount of the gridareas and the distances between the grid-areas, so the gridareas which are near to the query user's grid-area and have more users are the best for making the ASR. If the total of users in the cloaked set of grid-areas is not less than (the degree of the anonymity for the user) and the total square measure of is smaller than the min (the smallest square measure of ASR required by the query user), the distance is the greater decisive factor. So we choose the grid-area which has the smallest sum of distances to each grid-area in . The measure of the QoS is If the total of users in is less than , in order to decrease the extended subASRs, the amount of users for the grid-area is the greatest decisive factor. The measure of the QoS is When users in the grid-area are less than the difference between and the total users in , it means that we have to choose more than one grid-area to add to . So the users and the distance are both the decisive factors. As the amount is more important than distance, we set the coefficient of the "users/ " to 2. So the QoS is 2 * users/ + 1/sum( ).
When users in the grid-area are not less than the difference between and the total users in , it means that we need to choose only one grid-area to add to . So the QoS is just decided by the sum of distances. As the "2 * users/ + 1/sum( )" is not greater than 3, in order to let the QoS be greater than "2 * users/ +1/sum( ), " we let it be 3+1/sum( ).

Optimal ASR Algorithm
Definition 2. A rectangle can be indicated by Rec⟨( ul , ul ), ( dr , dr )⟩, when the ( ul , ul ) is the coordinate of the upperleft vertex of the rectangle and the ( dr , dr ) is the coordinate of the lower-right vertex of the rectangle.
Algorithm. Algorithm 1 depicts the pseudo code of our optimal generating ASR. The anonymizer has a table of database or a two-dimensional array to record the total of users for each area. At most times, the querying users' gridareas have enough users and are not less than the minimum The Scientific World Journal 5 (1) function optimal ASR ( , min , ID now ( , )) (2) if ( >= ) // indicates the number of the user's grid-area. (3) = the area of ID now ( , ); //ID now ( , ) is the user's grid-area; is cloaked set of grid-areas. (4) else { (5) i n t = 1; //the distance from the grid-area of ID now ( , ). (6) while all the useful areas have not yet been searched {.
d++; // Extends the distance to search, for the first time, = 2, so there are 24 grid-areas can be chosen. (8) if (total number of the users in all the grid-areas nearby whose distance from ID now ( , ) <= is less (9) t h a n − ) continue; (10) = the grid-area of ID now ( , ); (11) Adds the grid-area which has the highest QoS into until the total users in is not less than ; (12) // the QoS of the grid-area can be calculated by Formula (3). (13) break; (14) } //end while (15) } //end else (16) if( is null) = the grid-area of ID now ( , ); (17) // Not enough users, so reduce the degree of anonymity. (18) if (the total square measure of < min ) (19) adds the grid-area which has the highest QoS into until the total square measure of (20) i sn o tl e s st h a n min ; // the QoS of the grid-area can be calculated by Formula (2). all the effective areas, it reduces the degree of anonymity and lets be the querying users' grid-areas; this situation is rare. If the total square measure of is less than the min , it adds the grid-areas which have the highest QoS to until the total square measure of is not less than min . If there are grid-areas which are adjacent, it combines the adjacent grid-areas to the single area which can be indicated by a rectangle or a convex polygon. In the end, if there are gridareas which are indicated by ID( , ) in , it replaces them with Rec⟨( ul , ul ), ( dr , dr )⟩, because the LBS servers cannot understand the IDs of grid-areas. The areas in are the query user's ASR. Figure 3 depicts an example of our optimal algorithm. The width and the height of the grid-areas are both 1000. The hollow dot is the querying user. The solid dots are the other users. If the = 3 and min = Δ * Δ , the querying user's gridarea has three users and is not less than min , so the ASR will be the querying user's grid-area. After replacing the ID( , ) of the grid-area with Rec⟨( ul , ul ), ( dr , dr )⟩, the result can be indicated by ASR = {Rec⟨(1000, 1000), (2000, 2000)⟩}. If = 3 and min = 2 * Δ * Δ , then the querying user's grid-area is less than min , so it adds the grid-area  The Scientific World Journal Our Optimal algorithm generates the ASR using the gridareas which have the highest QoS, so the ASR generated by our Optimal algorithm is smallest among all the existent cloaking algorithms [4,5]; the experiments will verify this. So our Optimal algorithm is optimal.
4.4. Random ASR Algorithm. The optimal ASR algorithm can generate an ASR which has higher QoS, but if the adversaries knows the tactics of our generating ASR algorithm, they can know the query user's grid-area. It will decrease the security of the query user. For example, in line 5 of Algorithm 1, the distance is initialized to 1. When it runs to line 7 of Algorithm 1, the value of is 2. So the 24 grid-areas nearby the user's grid-area can be chosen. In fact, the distribution of users is not uniform. Usually, there are a lot of users in some small areas, such as the bus stations and cinemas. If the ASR is {ID (1, 1), ID(1, 3)} in Figure 3 and there is a bus station in ID(1, 1), the adversary can know the user is in ID(1, 3), because there may be a lot of users in ID(1, 1) as there is a bus station. If the user is in ID(1, 1), the ASR may be two gridareas, which are adjacent as Algorithm 1. But the two gridareas "ID(1, 1), ID(1, 3)" are not adjacent; that means "the user is in ID(1, 1)" is not true. If the adversary can guess the subASR which the query user is being in, the other subASRs in the ASR will be useless.
Algorithm. Algorithm 2 depicts the pseudo code of our random generating ASR. In order to lead randomness into the algorithm, it creates "random" integer and sets its value randomly from 1 to 10. When it adds the grid-area to , it judges whether "random" is greater than "rnd" ("rnd" is a threshold). If it is true, it adds the grid-area which has the highest QoS to , or it adds the grid-area to randomly. Usually, the threshold "rnd" is set to 2 or 3.

Experiment
In this section, we evaluate the performance of our proposed algorithms. The results of our algorithms are compared with Interval cloaking algorithm and Casper cloaking algorithm.

Experiment Settings.
In all the experiments, we use the Network-based Generator of Moving Objects [16] to generate moving objects using a real road network. The actual query examples ( nearest neighbor query) are used for the experiments. The target objects are uniformly distributed in the space. The initial locations and moving trajectories of all the clients are constrained by the road network. Unless specified, our simulation is running over 5 K clients and 500 static query targets. All the clients can use their own GPS devices to get their coordinates. The speeds of all the users fall in the range of [0, 40] km per hour. The probability of each user sending LBS requests follows an exponential distribution.
The space of our algorithm is divided into grid-areas. Both the width and height are 2 km. The anonymizer of our algorithm records the total users of each grid-area by a twodimensional array or a table of the database. While the space of Interval cloaking algorithm and Casper cloaking algorithm is divided into multiple cells, the size of the cell is the same as our grid-area, and the anonymizer of the original algorithms maintains the cells using a quadtree structure.

Security Experiments and Theoretical
Comparison. The purpose of our algorithms is to resolve the securities of the anonymizer. We use two computers to act as "the centralized anonymizer for Casper cloaking algorithm [5]" and "the centralized anonymizer for our cloaking algorithms"; we pretend to be the attackers to attack the two centralized anonymizers.
For the Casper cloaking algorithm [5], if we capture the anonymizer, we can know the accurate coordinates of all the users, because all the users report their accurate coordinates to the anonymizer, and the anonymizer records the accurate coordinates. Although the anonymizer may use the pseudonyms of the users, the information of accurate coordinates of all the users is very helpful for the adversary to guess the real users of the query and their accurate coordinate. For example, if Jack knows Jim has sent a query at his workplace and Jack has captured the anonymizer, the anonymizer will generate an ASR for Jim. If there is only one user at Jim's workplace, although there are users in the ASR, Jack can guess the pseudonym of Jim easily. If Jim sends a query of the nearest help center of AIDS later, Jack will know that Jim may be suffering from AIDS. So do all the queries of Jim later.
For our algorithms, if we capture the anonymizer, we cannot know the accurate coordinates of all the users, because the anonymizer just records the total users for each grid-area, it does not record "which user is being in which grid-area. " It just records the grid-area ID of the query user temporarily. It erases this information after sending back the CS to the user. So we can only get the grid-area ID of the querying user and the total users of the querying user's grid-area. Usually the width and height of the grid-area are about 2 km, so it is very difficult to get the accurate coordinates of the querying user. The adversary can know nothing at all about the accurate coordinates of other users. What a pity! The anonymity level of the querying user should be reduced to the total users in the querying user's grid-area. However, it compares to the Casper cloaking algorithm [5]; our algorithms have improved the securities of the anonymizer.

Performances of Centralized Environment.
The times of all the users' report to the anonymizer are an important factor for the performance of the centralized anonymizer. The more times reported, the poorer performance of the centralized anonymizer. Figure 4 depicts the times of the 10 K users' report to the anonymizer during one hour at different velocities from 0 to 40 km/h for our Random algorithm, our optimal algorithm, the interval algorithm [4], and Casper algorithm [5] (the Casper algorithm uses the same strategy as the Interval algorithm for reporting the location, so we put them together). We can see the report times of our algorithms are smaller than the interval algorithm and Casper algorithm. It is very obvious when the velocity is low. The times and The Scientific World Journal 7 (1) function random ASR ( , min , ID now ( , )) (2) int random = new Random (10); //new an integer and set its value randomly from 1 to 10. (3)(4)(5)(6)(7)(8)(9)(10)(11) // "line 3 to line 11" are the same to "line 2 to line 10" in the Algorithm 1. (12) if (random > rnd ) { //rnd is integer which is set by the system. (13) Adds the grid-area which has the highest QoS into until the total users in is not less than ; (14) // the QoS of the grid-area can be calculated by Formula (3). (15) break; (16) } //end if (17) else { (18) Adds the grid-area into by randomly until the total users in is not less than ; (19) break; (20) } //end else (21-25) // "line 21 to line 25" are the same to "line 14 to line 18" in the Algorithm 1.
adds the grid-area which has the highest QoS into until the total square measure of (28) i sn o tl e s st h a n min ; // the QoS of the grid-area can be calculated by Formula (2). (29) break; Adds the grid-area into by randomly until the total square measure of is not less than min ; (33) break;  Because the Interval [4] and Casper [5] cloaking algorithms cannot judge the cells by themselves, they must report at a specified frequency. While our two algorithms can judge the grid-areas by themselves, they just report to the centralized anonymizer when they come to a new grid-area. Reducing the report times is not only helping to improve the performance of the centralized anonymizer but also can save the resources of the wireless communication.
The square measure of ASR is an important factor for the performance of the LBS servers. The greater the ASR is, the poorer the performance of LBS servers, because LBS servers have to cope with more useless areas in the ASR, and the CS contains more useless POIs. Figure 5 depicts the average square measure of ASR generated by the Interval Cloak algorithm, Casper Cloak algorithm, our Random algorithm and our Optimal algorithm when is from 10 to 150, min = 4 km 2 , and the threshold of randomness in our random algorithm is 2.
We can see clearly that the square measures of ASR generated by our two algorithms are not greater than the interval cloaking algorithm [4] and the Casper cloaking algorithm [5] from the bar graph, because when the value of is small, the grid-area which the user is being in has enough users. The user's grid-area is the ASR. The grid-area is the same as the cell of the Interval cloaking algorithm [4] and the Casper cloaking algorithm [5], so the results are equal. When the value of is a little greater, there are not enough users in the user's grid-area. The interval cloaking algorithm [4] has to find the father node for help. The Casper cloaking algorithm [5] can search its adjacent cells from its brotherly nodes. Our 2 algorithms can utilize any nearby grid-areas. So 8 The Scientific World Journal the results of the Casper cloaking algorithm [5] is larger; the results of the Interval cloaking algorithm [4] is largest; the results of our Random algorithm is smaller; the results of our Optimal algorithm is the smallest. The smaller the ASR is, the smaller the CS is. So our algorithms can save the resources of the communication between the centralized anonymizer and the LBS server.

Conclusion and Future Work
In general, we proposed two algorithms for nonexposure accurate location -anonymity in LBS. The centralized anonymizer gave the origin of the entire space ( 0 , 0 ), the width of area Δ , and the height of area Δ to all the mobile users in the system. Mobile users judged their gridareas IDs by themselves and reported their grid-areas IDs instead of their accurate coordinates to the anonymizer. So when the anonymizer was captured by the adversaries, the adversaries could not get the accurate coordinates of all the users (including the querying user) as easly as the existent algorithms. When the mobile users wanted to query, the anonymizer generated the ASR, which was composed of gridareas and was expressed by the real coordinates instead of the grid-areas' IDs. The anonymizer sent the ASR instead of the query users' grid-areas IDs to the LBS server. When the query result came back to the anonymizer, the anonymizer filtered out the useless POIs by the query user's grid-areas ID and sent the result to the query users. When the query user received the result from the anonymizer, they filtered the useless POIs by their coordinates to get the last result.
It was a pity that our nonexposure accurate locationanonymity algorithms could not resist the attack of continuous queries, could not satisfy the road network environment [17], and did not solve the single point of failure and scalability issues of the centralized anonymizer. How to improve our nonexposure accurate location anonymity algorithms to meet these needs is our work in the future.