New Cloaking System Makes Connected Cars Untrackable

Privacy and location-based services aren't incompatible.

A key promise of the car future is that driving will become rational. Traffic jams will cease to exist because all of our cars will be synced together and subject to an all-knowing centralized controller. Traffic will become optimized. Merging into traffic will no longer be a matter of furtive over-the-shoulder glances, low-level panic, and ambiguous driver-to-driver communication. The system saw you coming, and lightly, unnoticeably tweaked vehicle speeds to ensure that when your vehicle arrives, a suitable gap between vehicles will be there waiting.

It's a nice idea, but it's also one that's entirely premised on location-tracking. To optimize anything, the system has to know where you are. Some may find this objectionable: a record of everywhere you've driven, a small hack away from public view. 

A team of South Korean computer scientists has developed a new method of location-hiding that can be employed while using potentially untrusted location-based services (LBSs). It sounds like a contradiction, but the idea is that the LBS can still access your vehicle's real-time position information while being unable to properly track it. The method, known as mutually obfuscating paths (MOPs), is described in the current IEEE Communications Letters.

First, let's restate the problem: "The LBS server (a third party) that receives and stores periodic location updates from users could use them to track users' locations. Using pseudonyms or even anonymization of location reports, i.e., simply removing identifiers, does not guarantee location privacy. Time-series analysis on location samples (i.e., following the footstep) could accumulate path information and eventually identify users' location history. Especially in sparse traffic conditions, users' paths can be easily tracked." 

The MOPs solution takes advantage of the fact that connected vehicles generally have two means of connection. The first is a standard LTE internet connection (which hooks up to one or more LBSs), while the second is a beacon that broadcasts safety-related info locally to other nearby vehicles.

"Our primary adversary in this paper is a hostile untrusted LBS or anyone with access to the LBS database," Suk-Bok Lee and colleagues explain. "These attackers may wish to track users via the collected location samples. Especially, if a user sends location updates frequently, this creates a trail of his/her locations–just like closely spaced breadcrumbs dropped behind the user–allowing a hostile LBS to easily follow a user's path. Such location tracking can further reveal users' very private information if the LBS can connect specific individuals to specific locations."

So, by matching location queries with contents of an LBS database, an adversary could come up with a driving history. This is what Lee wants to prevent. 

The solution is pretty clever IMO. When a couple of cars both being guided/tracked by a particular LBS get close enough to communicate directly via radio beacon, they can stop independently sending location info to the LBS. Instead, each of the cars sends the data for both cars: its own real path and a second, fake path that follows the other car. Any data the LBS sends back for the fake paths is discarded. It looks like this:

Lee and co. tried this out in simulations and it worked best for high-density traffic situations, which makes sense given that the location hiding is based on exploiting communication among nearby vehicles. The more traffic there is, the more "location entropy" the system can deliver.
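To make the path-swapping idea concrete, here is a toy simulation added for this article (it is not the authors' code and does not reproduce their experiments). Two cars report to an untrusted LBS under pseudonyms; while within beacon range they exchange their upcoming route (the beacon range, the route horizon, and the LBS reply format are assumptions), and each then reports the other's path as a decoy alongside its own, so the LBS ends up holding the same two candidate positions for both pseudonyms.

```python
import math

BEACON_RANGE = 50.0   # metres within which the local beacon is heard (assumed value)
HORIZON = 3           # updates of planned route shared over the beacon (assumed)

class LBS:
    """Untrusted server: keeps every (pseudonym, t, position) update it receives."""
    def __init__(self):
        self.samples = []
    def update(self, pseudonym, t, pos):
        self.samples.append((pseudonym, t, pos))
        return {"for": (pseudonym, t, pos), "poi": f"poi-near-{pos}"}  # constructed reply
    def candidate_positions(self, pseudonym, t):
        """Everything a tracker can say about one pseudonym at time t."""
        return sorted({p for n, tt, p in self.samples if n == pseudonym and tt == t})

class Vehicle:
    def __init__(self, pseudonym, path):
        self.pseudonym, self.path = pseudonym, path
        self.decoys = {}    # t -> neighbour positions to report as fake samples
        self.replies = []   # LBS replies that belong to our real samples
    def pos(self, t):
        return self.path[t]
    def hear_beacon(self, t, other):
        # Beacon contact: learn the neighbour's route for the next HORIZON updates
        # (assumed to ride on the safety beacon) and adopt it as our decoy path.
        if math.dist(self.pos(t), other.pos(t)) <= BEACON_RANGE:
            for dt, p in enumerate(other.path[t:t + HORIZON]):
                self.decoys.setdefault(t + dt, set()).add(p)
    def report(self, lbs, t):
        real = self.pos(t)
        for p in [real] + sorted(self.decoys.get(t, ())):  # real sample plus decoys
            reply = lbs.update(self.pseudonym, t, p)
            if reply["for"][2] == real:      # replies for the fake path are discarded
                self.replies.append(reply)

def simulate(paths):
    lbs, cars = LBS(), [Vehicle(f"anon-{i}", p) for i, p in enumerate(paths)]
    for t in range(len(paths[0])):
        for a in cars:
            for b in cars:
                if a is not b:
                    a.hear_beacon(t, b)   # beacons are heard before the LBS update
        for c in cars:
            c.report(lbs, t)
    return lbs, cars

# Constructed paths: the cars converge, pass within beacon range at t=2, then diverge.
PATHS = [[(0, 0), (100, 0), (200, 0), (300, 0), (400, 0), (500, 0)],
         [(200, 300), (200, 150), (200, 30), (200, -150), (200, -300), (200, -450)]]
```

After `simulate(PATHS)`, `candidate_positions` for either pseudonym at t=3 returns both the eastbound and the southbound point, while each car's kept replies still match only its real path.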

It's a cool idea, though probably not applicable to my congestion example above, at least as formulated by Lee and co. In any case, it demonstrates that even in a hyper-connected world, even while exploiting technologies premised on location tracking, we can still have privacy.