Results 1 - 10 of 35
Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring, 2008
Cited by 56 (16 self)
Automotive traffic monitoring using probe vehicles with Global Positioning System receivers promises significant improvements in cost, coverage, and accuracy. Current approaches, however, raise privacy concerns because they require participants to reveal their positions to an external traffic monitoring server. To address this challenge, we propose a system based on virtual trip lines and an associated cloaking technique. Virtual trip lines are geographic markers that indicate where vehicles should provide location updates. These markers can be placed to avoid particularly privacy sensitive locations. They also allow aggregating and cloaking several location updates based on trip line identifiers, without knowing the actual geographic locations of these trip lines. Thus they facilitate the design of a distributed architecture, where no single entity has a complete knowledge of probe identities and fine-grained location information. We have implemented the system with GPS
Securing Vehicular Communications
- IEEE WIRELESS COMMUNICATIONS, 2006
Cited by 37 (5 self)
The road to a successful introduction of vehicular communications has to pass through the analysis of potential security threats and the design of a robust security architecture able to cope with these threats. In this paper, we undertake this challenge. In addition to providing a survey of related academic and industrial efforts, we also outline several open problems.
On the effectiveness of changing pseudonyms to provide location privacy in VANETs
- In Proceedings of ESAS, 2007
Cited by 27 (3 self)
Abstract. The promise of vehicular communications is to make road traffic safer and more efficient. However, besides the expected benefits, vehicular communications also introduce some privacy risk by making it easier to track the physical location of vehicles. One approach to solve this problem is that the vehicles use pseudonyms that they change with some frequency. In this paper, we study the effectiveness of this approach. We define a model based on the concept of the mix zone, characterize the tracking strategy of the adversary in this model, and introduce a metric to quantify the level of privacy enjoyed by the vehicles. We also report on the results of an extensive simulation where we used our model to determine the level of privacy achieved in realistic scenarios. In particular, in our simulation, we used a rather complex road map, generated traffic with realistic parameters, and varied the strength of the adversary by varying the number of her monitoring points. Our simulation results provide detailed information about the relationship between the strength of the adversary and the level of privacy achieved by changing pseudonyms.
Preserving privacy in gps traces via uncertainty-aware path cloaking
- In Proceedings of ACM CCS 2007, 2007
Cited by 22 (4 self)
Motivated by a probe-vehicle based automotive traffic monitoring system, this paper considers the problem of guaranteed anonymity in a dataset of location traces while maintaining high data accuracy. We find through analysis of a set of GPS traces from 233 vehicles that known privacy algorithms cannot meet accuracy requirements or fail to provide privacy guarantees for drivers in low-density areas. To overcome these challenges, we develop a novel time-to-confusion criterion to characterize privacy in a location dataset and propose an uncertainty-aware path cloaking algorithm that hides location samples in a dataset to provide a time-to-confusion guarantee for all vehicles. We show that this approach effectively guarantees worst case tracking bounds, while achieving significant data accuracy improvements.
Swing & swap: user-centric approaches towards maximizing location privacy
- In Proceedings of the 5th ACM WPES ’06, 2006
Cited by 17 (1 self)
In wireless networks, the location tracking of devices and vehicles (nodes) based on their identifiable and locatable broadcasts, presents potential threats to the location privacy of their users. While the tracking of nodes can be mitigated to an extent by updating their identifiers to decorrelate their traversed locations, such an approach is still vulnerable to tracking methods that utilize the predictability of node movement to limit the location privacy provided by the identifier updates. On the other hand, since each user may need privacy at different locations and times, a user-centric approach is needed to enable the nodes to independently determine where/when to update their identifiers. However, mitigation of tracking with a user-centric approach is difficult due to the lack of synchronization between updating nodes. This paper addresses the challenges to providing location privacy by identifier updates due to the predictability of node locations and the asynchronous updates, and proposes a user-centric scheme called Swing that increases location privacy by enabling the nodes to loosely synchronize updates when changing their velocity. Further, since each identifier update inherently trades off network service for privacy, the paper also introduces an approach called Swap, which is an extension of Swing, that enables the nodes to exchange their identifiers to potentially maximize the location privacy provided by each update, hence reducing the number of updates needed to meet the desired privacy levels. The performance of the proposed schemes is evaluated under random and restricted pedestrian mobility.
Impact of Pseudonym Changes on Geographic Routing in VANETs
- In Proc. ESAS, 2006
Cited by 16 (4 self)
Abstract. Inter-vehicle communication is regarded as one of the major applications of mobile ad hoc networks (MANETs). In these so called vehicular ad hoc networks (VANETs) security and privacy are crucial factors for successful deployment. In a scenario, where each vehicle would have a unique identifier, eavesdroppers could easily accumulate location profiles. As a solution approach, several authors suggest using changeable pseudonyms as temporary vehicle identifiers. If a vehicle changes its pseudonym from time to time, long-term tracking can be avoided. However, as we show in this paper, changing identifiers has detrimental effects on routing efficiency and increases packet loss. So, designers of VANET systems need to aim for a balance between privacy protection on the one and performance on the other hand. The results of this paper provide advice on how to achieve this balance.
On Non-Cooperative Location Privacy: A Game-Theoretic Analysis
Cited by 16 (6 self)
In mobile networks, authentication is a required primitive of the majority of security protocols. However, an adversary can track the location of mobile nodes by monitoring pseudonyms used for authentication. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. Because this approach is costly, self-interested mobile nodes might decide not to cooperate and could thus jeopardize the achievable location privacy. In this paper, we analyze the non-cooperative behavior of mobile nodes with a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We first analyze the Nash equilibria in n-player complete information games. Because mobile nodes in a privacy-sensitive system do not know their opponents' payoffs, we then consider incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies in n-player games and derive the equilibrium strategies. By means of numerical results, we show that mobile nodes become selfish when the cost of changing pseudonym is small, whereas they cooperate more when the cost of changing pseudonym increases. Finally, we design a protocol - the PseudoGame protocol - based on the results of our analysis.
AMOEBA: Robust Location Privacy Scheme for VANET
- IEEE Journal on Selected Areas in Communications, 2007
Cited by 13 (0 self)
Abstract — Communication messages in vehicular ad hoc networks (VANET) can be used to locate and track vehicles. While tracking can be beneficial for vehicle navigation, it can also lead to threats on location privacy of vehicle user. In this paper, we address the problem of mitigating unauthorized tracking of vehicles based on their broadcast communications, to enhance the user location privacy in VANET. Compared to other mobile networks, VANET exhibits unique characteristics in terms of vehicular mobility constraints, application requirements such as a safety message broadcast period, and vehicular network connectivity. Based on the observed characteristics, we propose a scheme called AMOEBA, that provides location privacy by utilizing the group navigation of vehicles. By simulating vehicular mobility in freeways and streets, the performance of the proposed scheme is evaluated under VANET application constraints and two passive adversary models. We make use of vehicular groups for anonymous access to location based service applications in VANET, for user privacy protection. The robustness of the user privacy provided is considered under various attacks.
On the optimal placement of mix zones
- in Privacy Enhancing Technologies, 2009
Cited by 12 (9 self)
Abstract. In mobile wireless networks, third parties can track the location of mobile nodes by monitoring the pseudonyms used for identification. A frequently proposed solution to protect the location privacy of mobile nodes suggests changing pseudonyms in regions called mix zones. In this paper, we propose a novel metric based on the mobility profiles of mobile nodes in order to evaluate the mixing effectiveness of possible mix zone locations. Then, as the location privacy achieved with mix zones depends on their placement in the network, we analyze the optimal placement of mix zones with combinatorial optimization techniques. The proposed algorithm maximizes the achieved location privacy in the system and takes into account the cost induced by mix zones to mobile nodes. By means of simulations, we show that the placement recommended by our algorithm significantly reduces the tracking success of the adversary.
Enforcing Privacy Using Symmetric Random Key-Set in Vehicular Networks
Cited by 9 (0 self)
Abstract — Security and privacy are two integrated issues in deploying vehicular networks. Privacy-preserving authentication is a key technique in addressing these two issues. We propose a random key-set based authentication protocol to preserve user privacy during authentication. The proposed protocol can preserve user privacy under the zero-trust policy, in which no central authority is trusted with the user privacy. We show that the protocol can efficiently authenticate users without compromising their privacy with theoretical analysis. Malicious user identification and key revocation are also described.

