
With the proliferation of smartphones and their apps, privacy preservation has become an important issue. Existing privacy preservation approaches for smartphones are usually less efficient because they consider neither active defense policies nor the temporal correlations between user contexts. In this paper, by modeling the temporal correlations among contexts, we formalize the privacy preservation problem as an optimization problem and prove its correctness and optimality through theoretical analysis. To further reduce the running time, we transform the original optimization problem into an approximately optimal problem, a linear programming problem. By solving the linear programming problem, an efficient context-aware privacy preserving algorithm (CAPP) is designed, which adopts an active defense policy and decides how to release the current context of a user so as to maximize the quality of service (QoS) of context-aware apps while preserving privacy. Extensive simulations on a real dataset demonstrate the improved performance of CAPP over traditional approaches.

Smartphones have proliferated and a wide variety of smartphone applications (apps) have been developed. In particular, context-aware apps benefit users by providing personalized services tied to their contexts. A variety of sensors embedded in smartphones (e.g., GPS, microphone, accelerometer, magnetometer, light, and proximity) can measure the surroundings and the status of the smartphone owner and provide the related data to context-aware apps. These sensory data can be exploited to infer the context or status of a user. For example, a user's location can be reported from GPS data, the transportation state (e.g., walking, running, or standing) can be estimated from the accelerometer, and voice and scene can be recorded by the microphone and camera, respectively. The inferred context can then be analyzed by context-aware apps to provide personalized services. Many such apps exist: GeoReminder can notify a user when she/he enters particular locations, HealthMonitor can record the amount of exercise a user takes each day, and PhoneWise can smartly mute the phone.

While people’s experience and convenience are enhanced by context-aware apps, they raise serious privacy issues [

However, context-privacy preservation for smartphones is not an easy task because there exist high temporal correlations among human contexts and behaviors in daily life, and these temporal correlations can be used by adversaries to infer the hidden sensitive information. In fact, temporal correlations among human contexts can be modeled well with a Markov chain [

To cope with the temporal correlations between contexts, Götz et al. [

In this paper, we first model the temporal correlations between user contexts with a heterogeneous Markov model and then formalize the context-privacy problem for smartphones as an optimization problem, followed by a correctness proof. Then, in order to reduce the running time, we transform the original optimization problem into a near optimal problem, a linear programming problem. By solving the linear programming problem, we design an efficient context-aware privacy preserving algorithm (CAPP), which adopts an active defense policy and decides how to release the current context of a user so as to maximize the quality of service (QoS) of context-aware apps while preserving privacy. Finally, we conduct extensive simulations to evaluate the algorithm, and the results demonstrate the effectiveness and efficiency of the proposed algorithm. In summary, the main contributions of this paper are threefold. First, taking the temporal correlations between user contexts into account, we formalize the context-privacy problem as an efficient optimization problem and prove its correctness and optimality. Second, to further reduce the running time, we transform the original optimization problem into an approximately optimal problem, a linear programming problem, and by solving it we design the efficient context-aware privacy preserving algorithm CAPP, which adopts an active defense policy and decides how to release the current context of the user so as to maximize the QoS of context-aware apps while preserving privacy. Third, we conduct extensive evaluations on real smartphone context traces to demonstrate the effectiveness and efficiency of CAPP compared with traditional approaches.

The rest of the paper is organized as follows. Section

With the rapidly growing popularity of smartphones and mobile social applications, various kinds of smartphone apps have been developed to provide context-aware services for users. Meanwhile, privacy issues on smartphones are receiving increasing attention due to the risk of disclosing users' sensitive information. Various approaches have been proposed to protect users' sensitive information in location-based services (LBSs) and participatory sensing applications [

The hiding or deception policies are first used in location privacy preserving approaches in [

There have been several popular works of privacy protection against adversaries who are aware of the temporal correlations between contexts [

MaskIt [

The work in [

A number of privacy preservation techniques have been proposed by using access control techniques [

Besides the aforementioned mechanisms, a variety of privacy preservation schemes have been introduced in other application scenarios like data collection [

To the best of our knowledge, our approach is the first to provide an efficient optimal approach in which a deception policy is introduced for privacy preservation on smartphones while considering the temporal correlations between user contexts. In the proposed approach, a Markov chain is used to model the contexts of a user and the temporal correlations between them. Then, with the Markov model, the context-privacy problem for smartphones is formalized as an optimization problem and its correctness and optimality are proved. To further speed up the computation, a linear programming problem is derived to find an efficient feasible solution. By solving the linear programming problem, a near optimal context-aware privacy preserving algorithm (CAPP) is proposed, which accelerates the computation through local optimization at any time under user-defined privacy preservation.

We illustrate a smartphone context sensing system in Figure

A mobile phone context sensing system [

A user's context can be inferred from sensory data; that is, at any time the privacy preserving system can obtain the user's context from the collected sensory data. So, in the following we use context to represent the related sensory data for ease of illustration. In this paper, we adopt periodic discrete time as in [

Unlike the “release or suppress” paradigm in [

As aforementioned, the periodic discrete time is adopted, so we try to model a user’s contexts over a period of discrete time (e.g., a day, a week). All the possible contexts of a user in a period of time are represented by a finite set

To make our approach more robust, we assume that an adversary can obtain the Markov chain, which models the temporal correlations between the contexts of a user, by observing the output sequence of the sensory data. By using the Markov chain

Let

Consider a hidden Markov chain

The prior belief of an adversary (who knows a user’s hidden Markov chain

It is worth mentioning that, whatever policies are applied and whatever the output context is, if an adversary guesses that the user is in a sensitive context

For a hidden Markov chain

From (

For a user, the context in which the user dwells at any time is hidden from the adversaries. Suppose at time

We adopt the definition of privacy in [

We claim that a system preserves

Note that the

The goal of a privacy preserving system is to release as many real contexts as possible, while satisfying the

We say that the utility of a system is the expectation of the number of the released real contexts; that is,

Therefore, the objective of a privacy preserving system is obtaining an emission matrix

Götz et al. [

To cope with the heavy computation cost of the above approach, in this section we design an efficient privacy preserving approach in which the emission matrix can be obtained efficiently. We first present some propositions to illustrate our privacy preserving approach and then describe our privacy preserving algorithm.

To make the privacy preservation problem easier, we first assume that there exist no temporal correlations between user contexts. Under this assumption, to preserve

Under the assumption that there exist no temporal correlations between the adjacent contexts, a system

The above proposition is evident because it does not need to consider the temporal correlations between adjacent contexts. Moreover, there always exists a feasible solution to (

However, by knowing the posterior belief of a context

Motivated by the above analysis, to preserve

Under the existence of temporal correlations between the contexts, a system preserves

As mentioned in Proposition

Therefore, for any time

Note that the condition in the posterior probability in (

Under the existence of temporal correlations between user contexts, a system preserves

The proof is evident because, at any given time

According to Theorem

(1)

(2) compute

(3)

(4)

(5) construct a linear programming problem as Eq. (

(6) compute

(7)

Based on the generated emission probabilities, Algorithm

(1)

(2)

(3)

It is worth mentioning that even if an adversary knows the Markov model and even the related emission probability matrices, he/she cannot infer the original context with high probability from the output context sequence of CAPP. The main reason lies in the fact that the constraint of

We implement our context-aware privacy preserving algorithm (called CAPP) and compare it with traditional privacy approaches, such as MaskSensitive, MaskIt (using the hybrid check) [

In this paper, the dataset used in the simulation is from real human traces: Reality Mining dataset, in which fine-grained mobility data of 100 students and staff at MIT over the 2004-2005 academic year are contained [

To obtain a Markov chain for each user, we train on the first half of the user’s trace with the remaining half being used for evaluation. Note that, during the collection of the trace of the user,

For the simulation parameters, we choose the privacy parameter

As aforementioned, the utility of a privacy preserving approach is the expected number of released real contexts, so we use the normalized utility as the metric, defined as the fraction of released real contexts. Note that a higher utility of an approach means that context-aware apps can provide a higher quality of service. Similarly, we measure privacy breaches as the number of sensitive contexts in the user's context sequence that are breached divided by the length of the user's context sequence. Note that, by definition, the three approaches CAPP, EfficientFake, and MaskIt always guarantee no privacy breaches. MaskSensitive probably cannot guarantee the
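The following is an added example, not the paper's own code, that makes concrete both the belief constraint of the no-temporal-correlation proposition above and the two metrics just defined. Everything in it is constructed for illustration: the three-context set, the transition matrix, the hand-tuned deception policy, the assumed behaviour of a MaskSensitive-style policy (suppress every sensitive context, release all others), and the value of the privacy parameter. The privacy check follows the paper's description of the privacy definition, namely that an adversary's posterior belief about a sensitive context may exceed the prior belief by at most delta, computed here under the simplifying assumption that adjacent contexts are not correlated (so Bayes' rule with the stationary distribution as prior is exact); a correlation-aware adversary, which the paper's later propositions address, is not modelled.

```python
"""Checking delta-privacy of a context-release policy and measuring its utility.

Added example, not the paper's code. Contexts, Markov chain, emission matrices
and the trace are all constructed assumptions; the privacy constraint is the
'posterior minus prior at most delta' form the paper describes, applied under
the no-temporal-correlation assumption of its first proposition.
"""
import random

CONTEXTS = ["home", "office", "gym"]          # constructed context set
OUTPUTS = CONTEXTS + ["suppress"]             # a released context, or nothing
SENSITIVE = {"home"}                          # constructed sensitive context(s)
DELTA = 0.2                                   # privacy parameter (assumed)

# Constructed transition matrix P[i][j] = Pr(next context j | current context i).
P = [
    [0.70, 0.20, 0.10],
    [0.30, 0.60, 0.10],
    [0.50, 0.30, 0.20],
]

# MaskSensitive-style policy (assumed behaviour): suppress every sensitive
# context and release every other context unchanged.
MASK_SENSITIVE = {
    "home":   {"home": 0.00, "office": 0.00, "gym": 0.00, "suppress": 1.00},
    "office": {"home": 0.00, "office": 1.00, "gym": 0.00, "suppress": 0.00},
    "gym":    {"home": 0.00, "office": 0.00, "gym": 1.00, "suppress": 0.00},
}

# Hand-tuned deception policy (constructed): non-sensitive contexts sometimes
# output "home" or suppress as well, so no output pins down the real context.
DECEPTION = {
    "home":   {"home": 0.55, "office": 0.20, "gym": 0.00, "suppress": 0.25},
    "office": {"home": 0.40, "office": 0.50, "gym": 0.00, "suppress": 0.10},
    "gym":    {"home": 0.30, "office": 0.00, "gym": 0.50, "suppress": 0.20},
}


def stationary(P, iters=2000):
    """Prior belief: the chain's stationary distribution, by power iteration."""
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(iters):
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
    return {CONTEXTS[i]: pi[i] for i in range(n)}


def posterior(prior, E, s, o):
    """Pr(real context = s | output = o) by Bayes' rule, ignoring correlations."""
    total = sum(prior[c] * E[c][o] for c in CONTEXTS)
    return 0.0 if total == 0 else prior[s] * E[s][o] / total


def violations(prior, E, delta):
    """All (sensitive context, output) pairs where posterior - prior > delta."""
    bad = []
    for s in sorted(SENSITIVE):
        for o in OUTPUTS:
            if posterior(prior, E, s, o) - prior[s] > delta + 1e-9:
                bad.append((s, o))
    return bad


def expected_utility(prior, E):
    """Expected fraction of steps at which the real context is released."""
    return sum(prior[c] * E[c][c] for c in CONTEXTS)


def simulate(E, prior, delta, steps=5000, seed=1):
    """Run the policy over a constructed trace drawn from the chain and return
    (normalized utility, privacy-breach rate) as the paper defines them."""
    rng = random.Random(seed)
    ctx = "home"
    released_real = breaches = 0
    for _ in range(steps):
        out = rng.choices(OUTPUTS, weights=[E[ctx][o] for o in OUTPUTS])[0]
        if out == ctx:
            released_real += 1
        if ctx in SENSITIVE and posterior(prior, E, ctx, out) - prior[ctx] > delta + 1e-9:
            breaches += 1
        ctx = rng.choices(CONTEXTS, weights=P[CONTEXTS.index(ctx)])[0]
    return released_real / steps, breaches / steps


if __name__ == "__main__":
    prior = stationary(P)
    for name, E in (("MaskSensitive", MASK_SENSITIVE), ("Deception", DECEPTION)):
        print(name, "violations:", violations(prior, E, DELTA),
              "expected utility: %.3f" % expected_utility(prior, E),
              "simulated (utility, breaches):", simulate(E, prior, DELTA))
```

With this chain the prior belief that the user is at home is 29/54 (about 0.537). Suppressing only sensitive contexts makes the output "suppress" a certain indicator of home (posterior 1.0), which is the kind of breach the text attributes to MaskSensitive; the deception policy keeps every posterior within delta of the prior and still releases the real context more often (expected utility 28.45/54 versus 25/54). Tightening delta to 0.1 makes the same deception policy infeasible at the "suppress" output, which is the privacy-utility tradeoff the experiments below sweep.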

First, we compare the privacy breaches of CAPP with other approaches in the following two scenarios. In one scenario, we choose three contexts for each user at random as sensitive, and, in the other, we choose the home of each user as sensitive. Note that the home of a user has the highest prior belief, which means the user spends most of his/her time at home compared to that at other locations.

Figures

Privacy breach comparison (home as sensitive).

Privacy breach comparison (random as sensitive).

We then compare the utility of CAPP with other approaches under privacy parameters varying from 0.05 to 0.3. As in the previous experiments, we use two choices of sensitive context: in one set of experiments the sensitive context is the user's home, and in the other it is chosen at random. We expect the utility to increase as the privacy requirement is relaxed. As we can see from Figures

Privacy-utility tradeoff (home as sensitive).

Privacy-utility tradeoff (random as sensitive).

In this paper, we address the context-aware privacy preserving problem for smartphones. We formalize the context-privacy preservation problem as an optimization problem and prove the correctness and optimality of our formulation through theoretical analysis. To further speed up the computation, we propose an efficient near optimal approach in which a linear programming problem is formulated. By solving the linear programming problem, an efficient context-aware privacy preserving algorithm (CAPP) is proposed. Through extensive experimental evaluations on a real mobility trace, we demonstrate that CAPP achieves much higher utility than the traditional approaches while guaranteeing the user's

The authors declare that they have no conflicts of interest.

This work is partly supported by the National Natural Science Foundation of China (nos. 61402273, 61373083, and 61601273), the NSF of USA (no. CNS-1252292), the Fundamental Research Funds for the Central Universities of China (nos. GK201603115 and GK201703061), and the Program of Shaanxi Science and Technology Innovation Team of China (no. 2014KTC-18).