Efficient Processing of Location-Cloaked Queries
Patricio Galdames¹, Ying Cai²
Department of Computer Science
Iowa State University
Ames, IA 50011, USA
¹patricio@iastate.edu
²yingcai@iastate.edu
Abstract—When requesting location-based services, users
can associate their queries with a purposely blurred location
such as a circular or rectangular geographic region instead
of their exact position. This strategy enables privacy
protection, but presents problems in query
processing. Since the server does not know a user’s exact
position, it has to retrieve query results for each position
inside the user’s cloaking region. While the server workload
dramatically increases, a client downloading all query results
will waste its battery power, because most of the data may
be irrelevant to its query interest.
This paper considers the problems of efficient processing
of location-cloaked queries (LCQs). Our key observation is
that queries may overlap in their cloaking regions and thus
share some query results. In light of this, we propose to process
queries as a batch instead of one by one independently.
The technical contributions of this paper are threefold. 1)
We propose to decompose queries into subqueries based on
their regions of interest. Since the subqueries with a common
region need to be processed only once, the server workload is
minimized. 2) We propose a novel scheduling technique that
addresses the dilemma between minimizing server latency
and ensuring good fairness in query processing. 3) We
present a personalized air indexing technique by which a
client can filter out and download only the needed query
results, thus avoiding the waste of energy in downloading
irrelevant data.
Index Terms—Location cloaking, query processing,
scheduling, air indexing.
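The abstract's first contribution, sketched as an added example (not the paper's algorithm or code): overlapping rectangular cloaking regions are cut into disjoint cells by coordinate compression, so a cell shared by several queries is processed once. The rectangle representation, the sample coordinates and all function names are assumptions, and area stands in for server workload.

```python
# Added illustration; region coordinates below are constructed sample data.
SAMPLE_QUERIES = {            # query id -> cloaking rectangle (x1, y1, x2, y2)
    "q1": (0, 0, 4, 4),
    "q2": (2, 2, 6, 6),
    "q3": (3, 0, 7, 3),
}

def area(rect):
    x1, y1, x2, y2 = rect
    return (x2 - x1) * (y2 - y1)

def decompose(queries):
    """Cut overlapping rectangles into disjoint cells, grouped by the
    set of queries that cover each cell (one subquery per cell)."""
    xs = sorted({x for x1, _, x2, _ in queries.values() for x in (x1, x2)})
    ys = sorted({y for _, y1, _, y2 in queries.values() for y in (y1, y2)})
    groups = {}  # frozenset of query ids -> list of disjoint cells
    for xa, xb in zip(xs, xs[1:]):
        for ya, yb in zip(ys, ys[1:]):
            owners = frozenset(
                qid for qid, (x1, y1, x2, y2) in queries.items()
                if x1 <= xa and xb <= x2 and y1 <= ya and yb <= y2
            )
            if owners:  # cells outside every cloaking region are never processed
                groups.setdefault(owners, []).append((xa, ya, xb, yb))
    return groups

def workload(queries):
    """Return (area processed one query at a time, area processed as a batch)."""
    groups = decompose(queries)
    independent = sum(area(r) for r in queries.values())
    batched = sum(area(c) for cells in groups.values() for c in cells)
    return independent, batched

def subqueries_for(qid, groups):
    """Cells whose results must be delivered to the client that issued qid."""
    return sorted(c for owners, cells in groups.items() if qid in owners for c in cells)

if __name__ == "__main__":
    groups = decompose(SAMPLE_QUERIES)
    for owners, cells in sorted(groups.items(), key=lambda kv: sorted(kv[0])):
        print(sorted(owners), cells)
    print("independent vs batched area:", workload(SAMPLE_QUERIES))
```

Each query's cells still cover its whole cloaking region, so the server learns nothing more about the user's position than the submitted region already reveals.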
I. INTRODUCTION
The most visible technology advance in the last decade
is arguably the widespread use of cellular phones. Today’s
cellular phones are no longer just for phone calls, but also
for Internet access. An important application here is
location-based services (LBS), which provide information
to users based on their current location. Examples of such
information can be the nearest gas station, hotel, and so
on.
To request an LBS, users need to disclose their location
to service providers. Yet the providers may not be
trustworthy in keeping the data confidential. For self-protection,
a user may choose a pseudonym when using
services. But simply using a pseudonym is not sufficient for
privacy protection because the location data itself may
reveal a subject. To address this problem, a number of
location cloaking techniques have been developed. The
key idea is to reduce location resolution to achieve a
desired level of protection. When requesting a service,
users report a cloaking region instead of their exact
position. A cloaking region needs to contain a user’s
current position and satisfy other constraints, depending
on the types of privacy concern.
For example, the techniques in ([1], [2], [3], [4], [5],
[6], etc.) require a cloaking region to contain at least K
users. This constraint is there to support anonymous use
of LBS. An adversary will not know who requests the
service even if he manages to identify all these users by
matching the cloaking region with restricted spaces such
as houses and offices or by direct observation
of the cloaking region. In contrast, the techniques in
([7], [8]) ensure that each cloaking region has been visited
by at least K different users. Since these users visit the
region at different times, it prevents an adversary from
identifying the user who was inside the region at the
service request time, thus protecting a user’s location
privacy from the time dimension.
Reducing location resolution reduces privacy risks, but
introduces problems in query processing. Instead of a
precise location, a query is now associated with a cloaking
region. We will refer to such a query as a location-cloaked
query (LCQ). A user submitting an LCQ could be
anywhere inside the query’s cloaking region. To guarantee
that the user receives the required information, the server
needs to retrieve the query results for each position in
the cloaking region. This workload is many times greater
than that of handling a query that is associated with
a precise location. In addition to the higher server workload
in terms of CPU and disk I/O costs, the server needs
to transmit all query results. A client downloading these
results will waste its battery power because most of this
data can be useless. This is especially problematic to users
2012 Proceedings IEEE INFOCOM
978-1-4673-0775-8/12/$31.00 ©2012 IEEE