One document matched: draft-thomson-geopriv-location-obscuring-00.txt
GEOPRIV M. Thomson
Internet-Draft Andrew Corporation
Intended status: Informational October 18, 2010
Expires: April 21, 2011
A Process for Obscuring Location
draft-thomson-geopriv-location-obscuring-00
Abstract
A method for obscuring location information is described. Both
static and changing location information can be obscured. A single
distance measure is input to the process; this parameter controls the
precision of location information that can be extracted by a
recipient.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2011.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Thomson Expires April 21, 2011 [Page 1]
Internet-Draft Obscuring Location October 2010
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Method Characteristics and Applicability . . . . . . . . . . . 3
3. Obscuring Static Locations . . . . . . . . . . . . . . . . . . 4
3.1. Known Point Locations . . . . . . . . . . . . . . . . . . 4
3.2. Known Locations with Uncertainty . . . . . . . . . . . . . 5
3.3. Selecting a Offset Vector . . . . . . . . . . . . . . . . 5
3.4. Multiple Reported Locations . . . . . . . . . . . . . . . 6
4. Obscuring Changing Locations . . . . . . . . . . . . . . . . . 6
4.1. Update Conditions . . . . . . . . . . . . . . . . . . . . 7
4.1.1. Bad Triggers . . . . . . . . . . . . . . . . . . . . . 7
4.1.2. Hidden Trigger . . . . . . . . . . . . . . . . . . . . 8
4.2. Consecutive Reported Locations . . . . . . . . . . . . . . 9
4.2.1. Reducing Variation between Offset Vectors . . . . . . 10
4.2.2. Trade-off in Reducing Variation . . . . . . . . . . . 11
4.3. Returning to the Same Location . . . . . . . . . . . . . . 12
4.3.1. Positional Stability . . . . . . . . . . . . . . . . . 12
4.3.2. Selecting a Grid . . . . . . . . . . . . . . . . . . . 13
4.3.3. Random Grid . . . . . . . . . . . . . . . . . . . . . 14
4.3.4. Interpolation of Random Offsets . . . . . . . . . . . 15
4.3.5. The Wonky Grid . . . . . . . . . . . . . . . . . . . . 15
4.3.6. Temporal Interpolation . . . . . . . . . . . . . . . . 17
4.3.7. Triggering with Positional Stability . . . . . . . . . 17
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. Informative References . . . . . . . . . . . . . . . . . . . . 18
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 19
Thomson Expires April 21, 2011 [Page 2]
Internet-Draft Obscuring Location October 2010
1. Introduction
A method for obscuring location information is described. This
method obscures location information such that it can be provided to
recipients without revealing the location of the subject to within
the desired distance.
Obscuring location has applications for protecting privacy, as
described in [I-D.ietf-geopriv-policy].
This method uses a single configuration parameter as input: an
_obscuring distance_.
A location recipient (or recipient) is the entity that is given
location about a target entity. The goal is to ensure that the
recipient is unable to recover location information with better
accuracy than is desired. Despite this obscuring the recipient
should still be able to use the reported locations.
The obscuring process takes a series of _known locations_, which
might have greater accuracy than the recipient is permitted to
receive. The obscuring process produces a series of _reported
locations_.
2. Method Characteristics and Applicability
The method described here is intended to provide limited protection
for location information. The method has the following
characteristics:
Simple: It might be possible to define a more complete solution for
obscuring location information that is more configurable.
However, a more configurable option would also demand greater
involvement from users so that they would be able to specify a
configuration that meets their goals. This method is designed to
be easy to understand, which increases the chances that a user is
able to successfully choose an appropriate configuration. The
method has just one input parameter: the obscuring distance.
Irreversible: Obscuring is intended to be irreversible. Information
is lost by applying the process. Multiple applications of this
process to the same input location is could reduce information
more than a single application of the process with the largest
obscuring distance.
Thomson Expires April 21, 2011 [Page 3]
Internet-Draft Obscuring Location October 2010
Increases Uncertainty: A recipient does not need to treat obscured
location information any differently to location information that
contains uncertainty. The uncertainty of the reported location is
increased so that the reported location includes the known
location. Thus, the information that is reported is correct,
though the accuracy might be reduced. This document relies on a
definition of uncertainty for location described in more detail in
[I-D.thomson-geopriv-uncertainty].
Two Dimensions: The method described in this document operates in
two dimensions only. Many of the principles might be applicable
in a higher number of dimensions, though no effort has been made
to validate their integrity. A three-dimensional location can be
reduced to a two-dimensional form for use in this algorithm. This
is not contrary to the goal of reducing the amount of information
provided.
Time Invariant: The method described in this document does not use
time. Only the location is protected, not the time that the
location was determined. An entity performing obscuring does not
need to consider time in applying this method. The time from the
known location is included in the reported location.
Obscuring Distance Not Secret: No attempt is made to retain any
secrecy of the obscuring distance. It is assumed that a recipient
is able to learn this value over time.
3. Obscuring Static Locations
The basic location obscuring case involves an isolated instance of
location information.
It might be appropriate to apply just this section in protecting the
privacy of a single location. A recipient must be unable to acquire
multiple location instances for the same entity if this is the only
form of obscuring used.
3.1. Known Point Locations
A known point location can be obscured by adding a randomized offset
vector to the location. The size of the offset vector is randomly
selected so that the reported location could be anywhere within the
obscuring distance of the known location, see Section 3.3.
The uncertainty of the reported location is set to the obscuring
distance. This ensures that the reported uncertainty region encloses
the known location.
Thomson Expires April 21, 2011 [Page 4]
Internet-Draft Obscuring Location October 2010
Note: It's not sufficient to increase the uncertainty region so that
it minimally includes the known location. Doing this reveals that
the known location is at the boundary of the reported uncertainty
region.
3.2. Known Locations with Uncertainty
A known location with uncertainty is reduced to a circular
uncertainty region (see [I-D.thomson-geopriv-uncertainty], Section
4.2). An irregularly shaped uncertainty region is difficult to
evaluate against the scalar obscuring distance, and it might
inadvertently reveal more information than intended.
A known location with uncertainty greater than the obscuring radius
does not require additional obscuring. The radius of the circular
uncertainty region is compared to the obscuring distance to determine
if further obscuring is necessary. A location with sufficient
uncertainty can be directly reported.
Randomization is needed if the known location contains insufficient
uncertainty. As for a point location, an offset vector is added and
the uncertainty increased to the obscuring distance. A smaller
offset vector is necessary where the known location has uncertainty -
this vector need only be of a size up to the obscuring distance, less
the existing uncertainty.
The reported uncertainty is increased so that the reported location
contains an uncertainty radius of at least the obscuring distance.
An uncertainty in a known location cannot be recovered by a recipient
of an obscured location unless it is larger than the obscuring
distance.
3.3. Selecting a Offset Vector
To select a random offset vector of up to a given size, select two
evenly distributed random numbers. The first is used to select a
random angle, the second to select a random distance.
Assuming a "random()" function produces a number distributed between
0 (inclusive) and 1 (exclusive), the angle and distance can be
produced by the following:
angle = random() * 2 * pi
distance = sqrt(random()) * size
or
distance = (1 - |random() - random()|) * size
...where "sqrt(x)" takes the square root of "x" and "|" takes the
Thomson Expires April 21, 2011 [Page 5]
Internet-Draft Obscuring Location October 2010
absolute value of the enclosed. "size" is the desired size of the
random vector, which could be the obscuring distance less any
existing uncertainty.
A recipient that is able to learn the state of the random number
generator could use this to determine the known location from a
reported location. A secure random number generator [RFC4086]
provides an assurance that recovering the state of the random number
generator is made more difficult.
3.4. Multiple Reported Locations
Multiple applications of this algorithm produce different results.
The intersection of multiple reported locations can be used to
recover a better estimate of the known location. This recovered
estimate has less uncertainty than the obscuring distance, which is
not desirable.
Multiple reported locations for the same known location MUST NOT be
produced. An entity that is responsible for obscuring location might
achieve this by storing the reported location with the obscured
location.
It is possible to implement obscuring for a static location without
retaining state. Seeding a pseudo-random number generator with data
that is not available to the recipient can ensure that the same
result is produced from the same input. Taking a hash of the known
location combined with a secret key ensures that this seed cannot be
easily determined by a recipient. A hash function that includes the
values shown in Section 4.3.3 is sufficient for this task.
4. Obscuring Changing Locations
Applications that use the location of a target over time, such as
presence [RFC4079] require additional steps to ensure that the
location a recipient acquires does not reveal more information than
desired.
The first consideration is the frequency of updates. As the target
moves, the known location changes. A continuous stream of reported
locations could give a recipient sufficient information to determine
the known location with low uncertainty in a fashion close to that
described in Section 3.4.
Thomson Expires April 21, 2011 [Page 6]
Internet-Draft Obscuring Location October 2010
Note: It is not necessary to ensure that a recipient always has
accurate location information. Early proposed algorithms wrongly
assumed that the reported location was required to cover the known
location at all times. Even in the absence of obscuring, changes
in location result in a recipient having outdated information.
The only necessary constraint is that the location be accurate at
the time that it is reported (or the time associated with that
report).
4.1. Update Conditions
To limit the amount of information provided to a recipient, new
reported locations are not generated in response to all changes in
the known location. The trigger for creating a new reported location
can be defined.
Any trigger condition needs to be constructed in a way that does not
reveal information. At the point that a new reported location is
provided to a recipient, the fact that the trigger conditions are met
at that point in time provides the recipient with significant
information that could - if the trigger conditions were poorly
defined - reveal significant information.
The goal is to provide a new reported location when the known
location moves by approximately the obscuring distance. This limits
the information that a recipient has available with similar accuracy
to each individual location.
4.1.1. Bad Triggers
One potential trigger is the movement of the target outside of the
reported uncertainty region. At the point that a new reported
location is generated, a recipient knows that the target is a) at the
boundary of the last uncertainty region, and b) somewhere in the new
uncertainty region. The intersection of these two regions produces
an area that is significantly smaller than desired.
Thomson Expires April 21, 2011 [Page 7]
Internet-Draft Obscuring Location October 2010
New Reported
Location
..--"""--.. ..--"""--.. /
.-' /=\. `-.
,' ,' \\ `.
/ / \\ \
/ / \\ \
| | || |
| | || |
| | || |
\ \ // /
`. `. // \ .'
`._ `._// \ _.'
/ `--..___..--' `--..__\..--'
Last Reported \
Location Recovered Location
Along Border
Figure 1: Trigger on Leaving the Reported Location
Similarly, information is revealed if the trigger is movement based
on the known location. A new reported location might be produced
when the known location moves more than the obscuring distance from
the known location from the last report.
That is, when a new location is reported, the corresponding known
location is saved. A new reported location is determined when the
current known location is more than the obscuring distance from
the saved location.
If the recipient is able to assume that the target is moving in a
straight line, the speed of the target is revealed.
4.1.2. Hidden Trigger
To limit the information that is revealed at the point that a new
reported location is provided, the trigger conditions can be based on
information that is not available to the recipient.
Applying randomization to the trigger reduces the ability of a
recipient to make assertions about the significance of a new reported
location.
A hidden trigger is established using the following process:
o When a new reported location is generated:
Thomson Expires April 21, 2011 [Page 8]
Internet-Draft Obscuring Location October 2010
1. The centroid of the known location is determined.
2. A random offset vector (Section 3.3) of a maximum size of half
the obscuring distance is determined.
3. The offset vector is added to the centroid and this value is
saved as a trigger point.
o When the known location changes:
1. The centroid of the (new) known location is determined.
2. If this centroid is further than the obscuring distance from
the saved trigger point, a new reported location is generated.
Each new reported location is randomized using the process described
in Section 3.
This algorithm ensures that the centroid of the known location moves
between 0.5 and 1.5 times the obscuring distance before a new
reported location is produced. As a consequence, the uncertainty in
the distance moved is equal to the obscuring distance.
4.2. Consecutive Reported Locations
The obscuring method has a weakness that is as a direct consequence
of the triggering conditions. These conditions grant a recipient
this information:
For any two consecutive reported locations there is a pair of
points that are less than 1.5 times the obscuring distance apart,
with one point in the area described by each reported location.
The first point is the known location at the time of the first
reported location; the second point is the known location at the
time of the second reported location.
At the time that a location is reported, the recipient can use this
knowledge to determine that the current location of the target is at
the intersection of the new reported location and a circle with a
radius of 2.5 times the obscuring distance, centered on the last
reported location, as shown in Figure 2
Thomson Expires April 21, 2011 [Page 9]
Internet-Draft Obscuring Location October 2010
Known location .
is in overlap \
Last \ \ New
,.--"--.. \ \ ,.--"--..
,-' `-. \ |,-' `-.
/ \ \_ + \
| | /| |
| o |<---------->|| o |
| \ | --> 1.5OD \| |
\ \ / + /
`. \ ,' |`. ,'
`-..___,.+' ; `-..___,.-'
\ /
|<------>|<----\->|<------>|<-/---->|<------>|<--...
OD OD \ OD / OD OD
\ ,'
2.5OD \ /
\ _,'
_\/' OD = obscuring
_,,-' distance
Figure 2: Consecutive Reported Locations
Two consecutive reported locations can have their centers up to 3.5
times the obscuring distance apart; making the closest points on each
uncertainty region up to 1.5 times the obscuring distance apart.
When consecutive reported locations are maximally distant, a
recipient can recover the location of the target almost perfectly.
This relies on the recipient being able to determine the obscuring
distance. As identified, the obscuring distance is not protected.
4.2.1. Reducing Variation between Offset Vectors
This shortcoming can be addressed by reducing the difference between
the random offset vector added to consecutive reported locations.
The extreme case shown in Figure 2 only arises because the absolute
difference between the randomization vector used for in consecutive
reported locations is twice the obscuring distance. The problem
occurs when the difference between consecutive know locations
approachs 1.5 times the obscuring distance in combination with this
large difference between randomization vectors.
Reducing the amount that a offset vector can change between
consecutive reported locations reduces. If the difference between
offset vectors is constrained then the effect of this problem is
reduced.
Thomson Expires April 21, 2011 [Page 10]
Internet-Draft Obscuring Location October 2010
Using the same offset vector for all reported locations removes the
problem entirely. However, using the same offset vector increases
the chances of that vector being discovered. For instance, if the
target is following a road, reported locations that have a fixed
offset from the known location will reveal the shape of the road.
From this it is trivial to learn the offset vector and hence all
presence and past locations can be recovered.
Each time a location is randomized, the offset vector used can be the
combination of a new random offset vector and the offset vector that
was last used. The proportion of old and new vectors determines the
trade-off between the probability that a recipient is able to learn a
more accurate location with the probability that a recipient is able
to learn the offset.
4.2.2. Trade-off in Reducing Variation
A small amount of randomness at each stage makes it difficult to
learn the offset vector. A number reported locations are required to
learn the offset vector. Therefore, as long as the offset vector is
able to change significantly over a number of reported locations, the
goal is achieved, Thus, the offset vector need only change a small
amount for each consecutive reported location. This need only make
it difficult to learn the vector and to make learning the vector less
useful if it is revealed.
In turn a smaller change in the offset vector maximizes the worst
case area. If the absolute difference in offset vectors is half the
obscuring distance, then there is no gap between consecutive reported
locations and in the worst case the recipient is able to determine
the known location to be within 77 percent of the desired area. This
varies based on "p(diff)", as follows:
a(diff) = ((1.5 + diff)^2 - 5.25) / (2*(1.5 + diff))
p(diff) = acos(a(diff)) + 6.25 * acos((1.5 + diff - a(diff)) / 2.5)
- (1.5 + diff) * sqrt(1 - a(diff)^2)
...where "acos(x)" returns the inverse cosine of "x". This only
produces a result where "diff" is less than 2.
To create a offset vector that is no more than "diff" times the
oscuring distance different to the previous vector, create a new
random offset vector and take the weighted average of the two as
follows:
o[new] = (o[prev] * (2 - diff) + o[random] * diff) / 2
...where "o[new]" is the new ofset vector, "o[prev]" is the new
Thomson Expires April 21, 2011 [Page 11]
Internet-Draft Obscuring Location October 2010
previous vector, and "o[random]" is a completely random vector of the
same magnitude.
4.3. Returning to the Same Location
A moving target might return to the same location several times. The
method described thus far produces a different reported location each
time. With some inferences, a recipient that is able to observe
location over time could intersect reported locations to recover
Furthermore, if known locations are not available before and after
leaving the location that is frequently visited, only that location
is obscured. The known location could be readily extracted.
4.3.1. Positional Stability
The key to addressing this flaw is to have the randomization of
offset vectors based on the known location. If the same known
location produced a reported location that was equal or very close to
it each time that the location was obscured, this would address the
problem.
It might be possible to take the coordinates of the known location
and pass them through a cryptographic hash function along with a
secret key. The result bits would be sufficiently random to produce
an offset vector. This would ensure that the exact same location
would produce the same random vector.
The drawback of this sort of method is that the location is obscured
inconsistently when even the slightest difference occurs.
Imprecision in the location determination method used produces
variations in the known location.
The goal is to ensure that two known locations in close proximity
produce a constant (or almost constant) random vector. It is also
desirable that the random vector change as the locations change.
This has the consequence of reducing the difference in randomness
between consecutive reported locations, provided that the random
values do not vary significantly over a distance of 1.5 times the
obscuring distance.
It might be desirable if the random vectors changed over a longer
distance, as Section 4.2.1 demonstrates. If the offset vector
changed over a period of approximately 4 times the randomization
distance, the vector would change by no more than about 3/4 of the
offset distance.
An approach similar to that described in [PERLIN] is used to achieve
Thomson Expires April 21, 2011 [Page 12]
Internet-Draft Obscuring Location October 2010
a continuously varying random field. In this, randomness is
constrained to a grid of points with interpolation used to determine
values for intervening points.
4.3.2. Selecting a Grid
In selecting an appropriate grid with two dimensions, the curvature
of the surface of the Earth presents a challenge. The simplest
approach might be to select an origin at latitude 0, longitude 0.
Grid points could be placed at increments based on a constant ratio
between latitude and longitude and distance; for example, 9e-6
degrees per meter assumes a spherical planet of 6366197 meter radius,
which is slightly smaller than the semi-major axis of the ellipsoid
used in most Earth models.
Grid intervals can be set to between 4 and 10 times the obscuring
distance to ensure that consecutive reported locations have
continuously varying offset vectors. In "n" dimensions, for a given
multiple of "m", the offset vector changes by a factor of:
change = (1 - (m - 1.5 * 2^((3 - n)/2)) / m)^n
For a two-dimensional grid with a multiple of "m", the following
equations identify the latitude and longitude of the four nearest
grid points to a given location:
grid = m * obscuring distance * 9e-6
latitude[low] = floor(latitude / grid) * grid
latitude[high] = latitude[low] + grid
longitude[low] = floor(longitude / grid) * grid
longitude[high] = longitude[low] + grid
...where "floor(x)" produces the nearest whole integer that is more
negative than "x".
The shortcoming of a grid of this nature is that changes in longitude
are more rapid as locations get closer to the poles. At
approximately 60 degrees of latitude (North or South), grid intervals
on the East-West direction are twice as frequent as desired. For
this reason, larger intervals between grid points might be chosen for
longitudes.
Selecting a local tangent plane removes the effect of the curvature
of the Earth, but introduces the problem of selecting an appropriate
tangent plane as locations change.
Thomson Expires April 21, 2011 [Page 13]
Internet-Draft Obscuring Location October 2010
In three dimensions, conversion to Earth-centered, Earth-fixed
Cartesian coordinates renders this problem moot.
4.3.3. Random Grid
At each of the points on the grid, a random offset vector is produced
using the method described in Section 3.3. The resulting offset
vectors are interpolated as shown in Figure 3.
Rather than use a random number generator, the random number should
be produced using a cryptographic hash function. The input to this
hash should include:
o a secret sequence that is only known by the entity that performs
the obscuring,
o the identity of the target,
o each individual coordinate of the grid point, and
o as necessary, an identifier for the purposes of the random number:
angle, distance, and (optionally) a second distance, depending on
the method used to generate the random offset vector.
The inclusion of a secret ensures that a recipient is unable to
construct the offset vector. This secret is persistent so that later
applications of the obscuring formula do not produce a different
offset vector for the same location.
Section 3.3 requires that two or three random numbers are produced.
The additional identifier produces additional randomness where
multiple random (or pseudo-random) numbers are required.
Using a hash in this fashion ensures that each target gets a
different set of random offset vectors and that the same grid point
coordinates produce the same result.
Though ordering need only be consistent between consequent
applications of the obscuring algorithm, the following might be used:
random_bits = H(secret key + target identity + identifier
+ grid coordinate + grid coordinate + ...)
...where "+" implies concatenation, including a delimiter as
necessary (that is, where elements are of variable length).
One consequence of this approach is that changes to the obscuring
distance result in the noise pattern being completely changed. This
Thomson Expires April 21, 2011 [Page 14]
Internet-Draft Obscuring Location October 2010
can result in the same known location producing a significantly
different reported location before and after the change.
4.3.4. Interpolation of Random Offsets
Once a grid of random offset vectors is established, an offset vector
is calculated based on the centroid of the known location. Figure 3
shows a point at "(x,y)" and the values that are used in the
interpolation process.
| |
- ---o------------------------------o---
/| ^ /|
(x1,y2) | | (x2,y2) |
| | (y2-y) |
| (x,y) | |
| \ v |
|<-(x-x1)->X<------(x2-x)----->|
| ^ |
| | (y-y1) |
| v |
- ---o------------------------------o---
/| /|
(x1,y1) | (x2,y1) |
Figure 3: Grid Interpolation
The offset vector at the identified point is produced by taking the
weighted average of the offset vectors. Two weighted averages are
taken between pairs of adjacent grid points along the same axis, then
the weighted average of the two resulting vectors is taken along the
other axis.
The following equations produce an interpolated offset vector for any
point in this grid cell:
w1 = (o[x1,y1] * (x2-x) + o[x2,y1] * (x-x1)) / (x2-x1)
w2 = (o[x1,y1] * (x2-x) + o[x2,y1] * (x-x1)) / (x2-x1)
offset = (w1 * (y2-y) + w2 * (y-y1)) / (y2-y1)
...where "o[x1,y1]" is the random offset vector at the grid point
"(x1,y1)".
4.3.5. The Wonky Grid
To address the concerns caused by the curvature of the Earth, a
modified grid-like structure can be used. It is not strictly
necessary that the grid be absolutely grid-like in structure.
Thomson Expires April 21, 2011 [Page 15]
Internet-Draft Obscuring Location October 2010
Therefore, it's possible that different grid intervals could be
selected.
This structure uses a different interval for points at different
latitudes, at the selected low latitude:
grid[llat] = grid / cos(latitude[low])
longitude[low,llat] = floor(longitude / grid[llat]) * grid[llat]
longitude[high,llat] = longitude[low,llat] + grid[llat]
...and at the high latitude:
grid[hlat] = grid / cos(latitude[high])
longitude[low,hlat] = floor(longitude / grid[hlat]) * grid[hlat]
longitude[high,hlat] = longitude[low,hlat] + grid[hlat]
...where "cos(x)" produces the cosine of "x".
This produces fewer grid points for latitudes that are further from
the Equator. At the poles (and above), a single offset vector is
sufficient.
Interpolation of these points uses four distinct points, as shown in
Figure 4.
(x-x1_2) (x2_2-x)
|<-------->|<----------------->|
| | |
- ---o------------------------------o--- -
/| | ^ |\
(x1_2,y2) : | | : (x2_2,y2)
| | (y2-y)
(x,y) ' |
\ v
X - ------
^
: . : | (y-y1)
| | | v
- ---o---------------------------o--------------- -
/| | |\
(x1_1,y1) |<--------------------->|<->| (x2_1,y1)
(x-x1_1) (x2_1-x)
Figure 4: Wonky Grid Interpolation
Interpolation uses the amended equations:
Thomson Expires April 21, 2011 [Page 16]
Internet-Draft Obscuring Location October 2010
w1 = (o[x1_1,y1] * (x2_1-x) + o[x2_1,y1] * (x-x1_1)) / (x2_1-x1_1)
w2 = (o[x1_2,y2] * (x2_2-x) + o[x2_2,y2] * (x-x1_2)) / (x2_2-x1_2)
offset = (w1 * (y2-y) + w2 * (y-y1)) / (y2-y1)
4.3.6. Temporal Interpolation
[MT: This is a little speculative, but I thought it interesting.
This might need to go.]
It is also possible to create an additional dimension upon which to
interpolate the offset vector. This would allow the offset vector to
change gradually over time as well as with respect to space.
This might be done to allow the obscuring entity to change the secret
key that it maintains.
4.3.7. Triggering with Positional Stability
The concept of a trigger is less crucial in protecting the privacy of
the location when the positional stability method is used. As long
as the trigger for providing a new reported location to a recipient
is based on something other than direct movement, the actual location
of the target is protected.
The advantage of retaining a specific trigger for provided new
reported location is that it reduces the information provided to a
recipient. Providing updates at a higher rate provide a recipient
with additional information that could be used to recover the offset.
No specific changes are required for the triggering process, though
this does require that some state be maintained by the entity that
performs obscuring. [TBD: work out how to avoid this - should be
relatively easy to trigger based on a similar process as is used to
construct the grid.]
The alternative is to place a limit on the rate that new reported
locations are reported to recipients. The drawback to this approach
is that as the speed of the target varies, the effectiveness of this
approach varies. At a slow speed (relative to the obscuring
distance), this could still produce more updates than are desirable.
5. Examples
[TBD: worked examples and reference implementation.]
Thomson Expires April 21, 2011 [Page 17]
Internet-Draft Obscuring Location October 2010
6. Acknowledgements
Thanks go to Robert Sparks for identifying key shortcomings in the
original attempts. Richard Barnes, Jorge Cuellar, Warren Kumari, and
Hannes Tschofenig variously provided input, feedback, criticisms and
insightful ideas.
7. IANA Considerations
This document has no IANA actions.
[RFC Editor: please remove this section prior to publication.]
8. Security Considerations
This entire document is about security.
9. Informative References
[I-D.ietf-geopriv-arch]
Barnes, R., Lepinski, M., Cooper, A., Morris, J.,
Tschofenig, H., and H. Schulzrinne, "An Architecture for
Location and Location Privacy in Internet Applications",
draft-ietf-geopriv-arch-03 (work in progress),
October 2010.
[I-D.ietf-geopriv-policy]
Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
and J. Polk, "Geolocation Policy: A Document Format for
Expressing Privacy Preferences for Location Information",
draft-ietf-geopriv-policy-21 (work in progress),
January 2010.
[I-D.thomson-geopriv-uncertainty]
Thomson, M. and J. Winterbottom, "Representation of
Uncertainty and Confidence in PIDF-LO",
draft-thomson-geopriv-uncertainty-05 (work in progress),
May 2010.
[PERLIN] Perlin, K., "An Image Synthesizer", ACM SIGGRAPH Computer
Graphics v.19 n.3, p.287-296, July 1985.
[RFC4079] Peterson, J., "A Presence Architecture for the
Distribution of GEOPRIV Location Objects", RFC 4079,
July 2005.
Thomson Expires April 21, 2011 [Page 18]
Internet-Draft Obscuring Location October 2010
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005.
Author's Address
Martin Thomson
Andrew Corporation
Andrew Building (39)
Wollongong University Campus
Northfields Avenue
Wollongong, NSW 2522
AU
Phone: +61 2 4221 2915
Email: martin.thomson@andrew.com
Thomson Expires April 21, 2011 [Page 19]
| PAFTECH AB 2003-2026 | 2026-04-23 01:26:35 |