A System for Locating Mobile Terminals with Tunable Privacy

Journal of Theoretical and Applied Electronic Commerce Research, Aug 2007 by Bessler, Sandford

Abstract

A number of approaches for capturing and processing location information of mobile users have been proposed in the past; however, only with the latest advances in the handset technology, a terminal-based positioning approach, using overlay SIP signaling on top of a packet switched bearer and area notification as basic functionality becomes feasible for mass applications. Especially in electronic commerce scenarios, in which users often interact with non-trusted services and shops, any location-based solution has to consider privacy aspects as well. The terminal-centric model presented in the paper leads to a simple and efficient way to achieve tunable privacy: mobile users define own "zones" and selectively disclose them to their buddies and to external services. As a result, localization can be performed only in the allowed places and by the allowed watchers, both parameters being configured by the user herself on her mobile terminal. We describe the system architecture, protocols and present representative technical scenarios.

Key words: Location, zones, privacy, SIP, GPS, presence, notification events, GML, IETF Geopriv, m-advertising

1 Introduction

The Location Based Services (LBS) in operation nowadays provide added value mainly by using the physical position of mobile users. This location data may consist of geographical coordinates, access point cell IDs, or civil location in form of postal addresses.

Some of the privacy problems arising through disclosure of location information have been solved in the past through anonymity and pseudonymity [22], [4] achieving unlinkability between user identity and position data, and between successive locations of the same user [6], [19]. Location privacy should to be protected also when the interacting parties and services trust each other: however, for communicating friends or even within the family, hiding the identity behind pseudonyms does not make much sense [15]. The same applies for trusted services run by the employer of the user in the health or logistics sector, for emergency or insurance services. For example, in case of an emergency service the business model could be the following: as a part of an insurance contract, the user allows the service provider to subscribe to location events restricted to the visited zone (e.g. ski region, mountaineering, safari, etc). In the following, we mention some more application examples:

* A mobile user wants to localize any other user from her address book.

* A health worker visits patients at home. The locating service operated by the employer would help answer queries about the worker's time schedule and delays (from Myles et al. [17]).

* An advertisement service responsible for several shopping or entertainment locations, would push information to the users passing nearby

* A service provider operates an emergency service in a ski region and needs to know and communicate with all users present in a certain area in case of an avalanche or of other accidents.

The scheme described in this paper applies for all the applications mentioned above and delivers user tunable privacy.

1.1 Architectural prerequisites

At the core of location based services are positioning techniques. Küpper [14] categorizes them along three dimensions into terminal- and network-based positioning, satellite, cellular and indoor positioning, stand-alone vs. integrated infrastructure. For our approach we advocate the terminal-based positioning architecture since it allows processing the location information at its source, at the user terminal itself. The superiority in accuracy and performance over the cellular network-based positioning becomes relevant in the triggered location update (or notification) mode: instead of repeatedly polling the current position of the target terminal, the watching entity subscribes to events triggered when the target enters or leaves a certain circular or rectangular area. This mode of operation doesn't work efficiently with the current GSM network-based positioning infrastructure. Based on simulations, we have shown [25] that the signaling overhead is about 15% lower in triggered mode than in the polling mode. The most used terminal-based positioning technology is based on satellite (GPS), although the initial position determination is slow and it doesn't work well in buildings. Other positioning methods suited also for indoor spaces are based on WLAN, RFID and Bluetooth beacons and will be subject of future work.

The realization possibilities for the triggered location update narrow down when it comes to connecting mobile terminals via a packet bearer such as GPRS. The session initiation protocol (SIP) [26] is probably the best choice, since it has been selected by the 3GPP as the fundament for the IP Multimedia Subsystem, and as a consequence the SIP stack will be found soon in all next generation mobile phones. Thus, the location system described in previous works (NILS - Native IMS location system [19], [24], [25]) has nice properties: it is IMS-aware and it is completely independent of the current GSM/UMTS network-based location system. The solution described in more detail in the next sections requires implementing in each mobile terminal a component similar to an edge presence server. Slightly modified SIP/SIMPLE subscribe messages are received by this miniature presence server and processed to deliver immediate location information or a notification, triggered by the conditions mentioned in the subscription.