Computer Laboratory

Technical reports

Location privacy in ubiquitous computing

Alastair R. Beresford

January 2005, 139 pages

This technical report is based on a dissertation submitted April 2004 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Robinson College.


The field of ubiquitous computing envisages an era when the average consumer owns hundreds or thousands of mobile and embedded computing devices. These devices will perform actions based on the context of their users, and therefore ubiquitous systems will gather, collate and distribute much more personal information about individuals than computers do today. Much of this personal information will be considered private, and therefore mechanisms which allow users to control the dissemination of these data are vital. Location information is a particularly useful form of context in ubiquitous computing, yet its unconditional distribution can be very invasive.

This dissertation develops novel methods for providing location privacy in ubiquitous computing. Much of the previous work in this area uses access control to enable location privacy. This dissertation takes a different approach and argues that many location-aware applications can function with anonymised location data and that, where this is possible, its use is preferable to that of access control.

Suitable anonymisation of location data is not a trivial task: under a realistic threat model simply removing explicit identifiers does not anonymise location information. This dissertation describes why this is the case and develops two quantitative security models for anonymising location data: the mix zone model and the variable quality model.

A trusted third-party can use one, or both, models to ensure that all location events given to untrusted applications are suitably anonymised. The mix zone model supports untrusted applications which require accurate location information about users in a set of disjoint physical locations. In contrast, the variable quality model reduces the temporal or spatial accuracy of location information to maintain user anonymity at every location.

Both models provide a quantitative measure of the level of anonymity achieved; therefore any given situation can be analysed to determine the amount of information an attacker can gain through analysis of the anonymised data. The suitability of both these models is demonstrated and the level of location privacy available to users of real location-aware applications is measured.

Full text

PDF (1.9 MB)

BibTeX record

  author =	 {Beresford, Alastair R.},
  title = 	 {{Location privacy in ubiquitous computing}},
  year = 	 2005,
  month = 	 jan,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-612}