Abstract: This is a literature survey of location privacy in wireless networks, meaning privacy-preserving techniques that protect users’ location information in wireless communication networks as well as privacy-breaking mechanisms that exploit the designs of these networks to determine users’ location information, and consequently users’ identity. The definition also includes privacy threats associated with leaked location data. In this blog post, I am primarily concerned with location privacy in wireless LANs, where users’ location information can be inferred from their wireless transmissions. The survey omits other types of wireless networks such as cellular networks and sensor networks, although some techniques presented here can be easily applied to them as well.
Keywords: location privacy; wireless LANs
1. Introduction
In recent years, we have witnessed the pervasive deployment of Wi-Fi access points, mainly driven by the low cost of 802.11 equipment and its operation in unlicensed spectrum. For example, municipalities all over the world [1] set up free Wi-Fi hotspots for Internet access in public spaces, while it is typical for airports, coffee shops, restaurants, and hotels to provide their customers with Wi-Fi access. There have been an increasing number of tablet computers, cell phones, PDAs, and digital cameras equipped with WLAN interfaces. As the Wi-Fi deployment becomes more and more pervasive (see Fig. 2), the larger is the risk that malicious actors exploiting the inherent broadcast nature of the wireless medium could compromise users’ location privacy. Note that tracking users’ location does not require association to an access point: if a wireless client sends messages, any access points, or even wireless cards based on Prism, Hermes, or Aironet chipsets [2], in radio range and on the same channel can overhear these messages for location tracking purposes. This leads to significant privacy concerns, especially because everybody can install an inexpensive access point and act as a WLAN operator.
Location privacy can be defined as “the right of individuals to decide how, when, and for which purposes their location information could be released to or managed by other parties” [3]. It is possible that the location information itself can be linked to individuals and therefore can be considered personally identifiable information. Such personally identifiable information can take many forms, such as names and addresses of persons, or network/device identifiers. In the European Union and United States, privacy risks related to location information have been identified in the General Data Protection Regulation (EU) 2016/67 [4] and Location Privacy Protection Act of 2001 [5], respectively. A common example of such risks is the drawing of inferences about users’ medical condition, nightlife, or political activities from the places users visit: doctors’ offices, entertainment districts, or political events. This example illustrates that in some situations users may want to control the release of location information toward the WLAN operators, e.g. by controlling where and when they communicate or by using specialized privacy-preserving techniques to mask location or identifiers. In most cases, the lack of location privacy can lead to unsolicited advertising, while in extreme cases, a breach of it can result in denial of service, physical attacks or harassment. [6]
The rest of this blog post is organized as follows. To begin with, I assume a simple layered architecture for WLAN consisting of four layers: physical layer, medium access layer, network layer, and application layer. At each layer, I identify which personally identifiable data are at risk and how location data leakage can occur. Along the same lines, I briefly highlight some privacy-preserving techniques from the literature that mitigate the risk of location privacy compromise. Finally, I conclude with the importance of developing straightforward and simple to use privacy-preserving mechanisms for everyone, not only the privacy-conscious user, but the average person as well.
2. Location privacy threats in WLANs
The threats to location privacy in WLANs are the same that exist in other computer systems. However, the characteristics of WLANs (e.g. the shared physical medium) contribute to make these networks more vulnerable to privacy infringements than their wired counterparts. Unique identifiers can be obtained from different sources in a wireless device, ranging from the physical layer to the application layer [7][8]. Hence, to identify potential threats to privacy it is necessary to list possible sources of identifiable data that can be used by an attacker. The TCP/IP stack organization is used as a support for listing sources of identification in a WLAN, and for explaining the existing threats to these identifiers. A bottom-up approach is used in the rest of this section, i.e. from the physical layer to the application layer.
2.1 Physical layer
At the physical layer, when a Wi-Fi access point receives a signal from a user’s device, the user’s location is, with high probability, within the range of an 802.11b system, that is 50-100 meters [9]. In addition, triangulation techniques based on the signal strength and signal-to-noise ratio (SNR) received at multiple access points improve upon this accuracy, achieving accuracies of up to 1 meter in an indoor environment [9]. Any signal transmitted can also be located using radio fingerprinting: waveforms carry a radio frequency fingerprint, namely RF fingerprint [10], of the device that transmitted the signal. These fingerprints can be extracted by processing, for example, transient signal from received RF signals. When a Wi-Fi transmitter is turned on, the signal emitted from the transmitter shows a transient behavior with respect to instantaneous frequency and amplitude. The duration of the transient behavior is highly dependent upon the type and model of the transmitter. This unique turn-on transient behavior can be used to identify the Wi-Fi transmitter. However, the noise in WLANs would pose significant challenges to this technique and the characteristics of the fingerprints are likely to change due to multipath propagation, fading, temperature variation, battery condition, Doppler shift and device aging. Moreover, the cost of building an RF fingerprinting-enabled WLAN is high. [7]
Privacy-preserving techniques at this layer include reducing the frequency of transmissions and decreasing transmission power to reduce the chance of signal localization. In [11], the authors have shown that the precision to which we can locate a wireless client is related to the number of access points within that client’s communication range; the improvement is significant when using from 1 access point to 2 access points and from 2 access points to 3 access points. By decreasing the transmission power of a wireless client, we can minimize the number of access points in range, and thus reduce location precision.
2.2 Medium access layer
At the medium access layer, Wi-Fi devices carry a unique 48-bit identifier (MAC address) that is always visible in the communicated frames. The most significant 24 bits of the address identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI), while the remainder of the address are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. The complete address is stored in the firmware, and by default, the Wi-Fi card driver uses that stored address, meaning that a MAC address typically persists as long as the same Wi-Fi card is used. Thus, a particular MAC address is usually correlated with a certain device. This enables a malicious actor to reidentify a device that has been previously observed; thus, movement patterns can be created. In addition, location data collected from multiple access points can be merged. [9]
A key privacy-preserving technique at this layer is the frequent switching of MAC addresses to reduce the chance of identification and tracking of the device [9]. However, incorporating the concept of short-lived MAC addresses into WLAN creates several key design challenges: MAC selection, MAC uniqueness, and MAC authentication. Furthermore, it may be possible for an adversary to correlate two MAC addresses that are broadcasted separately from the same device moving through space. To combat this correlation attack, the authors in [12] introduce the concept of silent periods, where nodes intentionally do not transmit, in order to “mix” in with other possible nodes (through natural node mobility). Another privacy-preserving technique based on an identifier-free link layer protocol, called SlyFi [13], increases the difficulty of profiling users from this layer by obfuscating all transmitted bits including explicit identifiers such as MAC addresses, the contents of management messages, and other protocol fields that the existing 802.11 protocol relies on to be sent in the clear.
2.3. Network layer
At the network layer, the Internet protocol (IP) address acts as a unique, but not necessarily persistent, identifier that can be linked to a user. There are two types of IP addresses in widespread use today, IPv4 and IPv6. IPv4 uses a 32-bit addressing scheme to support approximately 4 billion devices, while the latest version, IPv6, uses 128-bit addressing to support approximately 340 undecillions. The IP address also describes the location of a device in the network topology. This topological location can often be mapped to city-level geographical location, or sometimes even to street-level geographical location [14]. A common example of such geolocation methods is GeoPing [15], which uses network delay measurements from geographically distributed locations to deduce the coordinate of the target host. Privacy-preserving methods at this layer include anonymizers [16], mix networks [17], onion routing [18], and Crowds [19]. All these methods have in common that they forward messages with the objective that an adversary cannot match incoming messages to outgoing messages. Lastly, the IPv6 privacy extension introduced temporary addresses with relatively short lifetimes (hours to days) to protect against address-based correlation [20].
2.4 Application layer
Finally, at the application layer, location-based applications can collect location information together with application-level identifiers (e.g. user or login names). Location is frequently obtained from Global Positioning System receivers (GPS), which can make it especially precise. Furthermore, since users connected to the same Wi-Fi hotspot share a unique public IP address, a single user’s making a location-based request is enough to enable a service provider to map the IP address of the hotspot to its geographic coordinates, thus compromising the location privacy of all the other connected users. Prior work on privacy aspects of location-based applications has mostly focused on a policy-based approach, meaning that users evaluate and choose privacy policies offered by the service provider. In contrast, the anonymity-based approach depersonalizes data before collection. More specifically, the IETF Geopriv working group focuses on the design of protocols and APIs that enable devices to communicate their location in a confidential and integrity preserving manner to a location server [21].
3. Conclusions
In this blog post, I reviewed location privacy threats in wireless LANs. Literature review revealed that typical designs of WLANs generate personally identifiable information at all layers of the network stack: physical layer, medium access layer, network layer, and application layer. Any message, be it a signal transmitted at the physical layer, be it a packet transmitted at the higher layers, can be localized and generate a location record. These location records can be used to build user profiles that include the history of communicating users and current and past geographical locations. In the worst-case scenario, the improper exposure of location data could result in abuses, such as stalking or physical harassment. Hence location privacy preservation in WLANs became very important. This blog post briefly highlights various privacy-preserving techniques, many of which assume, unfortunately, a privacy-conscious user. However, I believe that everyone has a right to the privacy of their location data. Thus, new privacy-preserving techniques should be developed with the average user in mind.
References
[1] WiGLE.net. (n.d.). Wireless Network Mapping. Retrieved from https://wigle.net/
[2] Haraszczuk, R. (2006). Cracking WPA? Is it possible?. Annales Universitatis Mariae Curie-Sklodowska, sectio AI–Informatica, 5(1).
[3] Van Tilborg, H. C., & Jajodia, S. (Eds.). (2014). Encyclopedia of cryptography and security. Springer Science & Business Media.
[4] General Data Protection Regulation (EU) 2016/679 (GDPR). (n.d.). Retrieved from https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[5] Location Privacy Protection Act of 2001. (n.d.). Retrieved from https://www.congress.gov/bill/107th-congress/senate-bill/1164.
[6] Blumberg, A. J., & Eckersley, P. (2009). On locational privacy, and how to avoid losing it forever. Electronic Frontier Foundation whitepaper.
[7] Jiang, T., Wang, H. J., & Hu, Y. C. (2007, June). Preserving location privacy in wireless LANs. In Proceedings of the 5th international conference on Mobile systems, applications and services (pp. 246-257).
[8] Martucci, L. A. (2009). Identity and anonymity in ad hoc networks (Doctoral dissertation, Karlstad University).
[9] Gruteser, M., & Grunwald, D. (2005). Enhancing location privacy in wireless LAN through disposable interface identifiers: a quantitative analysis. Mobile Networks and Applications, 10(3), 315-325.
[10] Ureten, O., & Serinken, N. (2007). Wireless security through RF fingerprinting. Canadian Journal of Electrical and Computer Engineering, 32(1), 27-33.
[11] Bahl, V., & Padmanabhan, V. (2000). Enhancements to the RADAR user location and tracking system.
[12] Huang, L., Matsuura, K., Yamane, H., & Sezaki, K. (2005, March). Enhancing wireless location privacy using silent period. In IEEE Wireless Communications and Networking Conference, 2005 (Vol. 2, pp. 1187-1192). IEEE.
[13] Greenstein, B., McCoy, D., Pang, J., Kohno, T., Seshan, S., & Wetherall, D. (2008, June). Improving wireless privacy with an identifier-free link layer protocol. In Proceedings of the 6th international conference on Mobile systems, applications, and services (pp. 40-53).
[14] Wang, Y., Burgener, D., Flores, M., Kuzmanovic, A., & Huang, C. (2011, March). Towards Street-Level Client-Independent IP Geolocation. In NSDI (Vol. 11, pp. 27-27).
[15] Padmanabhan, V. N., & Subramanian, L. (2001, August). An investigation of geographic mapping techniques for Internet hosts. In Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications (pp. 173-185).
[16] Anonymizer. (n.d.). Retrieved from http://www.anonymizer.com
[17] Chaum, D. L. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2), 84-90.
[18] Goldschlag, D., Reed, M., & Syverson, P. (1999). Onion routing. Communications of the ACM, 42(2), 39-41.
[19] Reiter, M. K., & Rubin, A. D. (1998). Crowds: Anonymity for web transactions. ACM transactions on information and system security (TISSEC), 1(1), 66-92.
[20] Ullrich, J., & Weippl, E. (2015, November). Privacy is not an option: Attacking the IPv6 privacy extension. In International Symposium on Recent Advances in Intrusion Detection (pp. 448-468). Springer, Cham.
[21] Gruteser, M., & Grunwald, D. (2004). A methodological assessment of location privacy risks in wireless hotspot networks. In Security in pervasive computing (pp. 10-24). Springer, Berlin, Heidelberg.