Formal Analysis of Privacy for Anonymous Location Based Services

Morten Dahl 1, Stéphanie Delaune 2, and Graham Steel 2

1 Department of Computer Science, Aalborg University
2 LSV, ENS Cachan & CNRS & INRIA Saclay Île-de-France

Abstract. We propose a framework for the formal analysis of privacy in location-based services such as anonymous electronic toll collection. We give a formal definition of privacy and apply it to the VPriv scheme for vehicular services. We analyse the resulting model using the ProVerif tool, concluding that our privacy property holds only if certain conditions are met by the implementation. Our analysis includes some novel features, such as the formal modelling of privacy for a protocol that relies on interactive zero-knowledge proofs of knowledge and list permutations.

1 Introduction

The sophistication and quantity of embedded devices in modern vehicles is growing rapidly. Ad-hoc wireless networking is envisioned as one of the next big steps, with various car-to-infrastructure and car-to-car communication applications planned [12,14]. Many of these applications are location-based, and providing the precise position of the vehicle is essential to the quality of the service provided. As these applications are deployed, privacy concerns naturally emerge. Some of the location-based services already in widespread use today, such as RFID-tag-based electronic toll collection systems, offer little privacy protection to drivers [16]. Because the same fixed identifying tag is presented every time a toll fee is paid, anyone with access to the payment database can trivially trace the routes of any driver after the fact. Little is gained by using a fixed random tag instead of a real-world identifier such as the license plate. Although the tolling database may not be publicly available, drivers' privacy is still at risk of exploitation from within the toll company.
The more widespread deployment of such systems, combined with the possibility of moving them to the emerging general framework for network communication, increases the need for privacy-oriented systems. In this paper, we bring the privacy analysis of location-based services into the world of formal methods, leveraging previous work on privacy for vehicular mix-zones [10], electronic voting [11,15], and RFID tags [3,8]. In particular, we concentrate on VPriv [7], a proposed scheme for building location-based services using zero-knowledge techniques, designed to ensure that the paths of drivers are not revealed to the service providers, while nonetheless preventing drivers from reporting fake paths. We use the formal notion of indistinguishability to formalise privacy and carry out the

S. Mödersheim and C. Palamidessi (Eds.): TOSCA 2011, LNCS 6993, pp. 98–112, 2012. © Springer-Verlag Berlin Heidelberg 2012