Monday, April 11, 2011

[Geopriv] geopriv-policy algorithm constraints and goals

With the idea that we want -geopriv-policy finished sometime this millennium, here's my first, rough attempt at describing constraints and goals for location obscuring.

I'd sorely like to add additional goals that rely on topology, routing, or behavioral information. But, I'm afraid that we'll never get an algorithm deployed based on something that complex. All current indications are that such a method is necessary, but more research is necessary before anything concrete could be proposed.

--Martin

----

The purpose of a location obscuring algorithm is to provide a location recipient (LR) with location information of reduced quality. The intent is to provide an LR with location information that is correct, but insufficient to identify the known location without a chosen amount of uncertainty.

The obscuring algorithm takes a series of _known locations_, which might have greater accuracy than the recipient is permitted to receive. The obscuring process produces a series of _reported locations_.

Algorithm Constraints

Each algorithm MUST be assigned a label. This label is used to identify the algorithm. Algorithm labels are added to the location obscuring algorithm registry (see Section x.x).

The algorithm MUST accept known locations with uncertainty and produce reported locations with uncertainty that encloses the known location at that time. That is, the reported location is no less correct than the known location.

Any obscuring algorithm MUST accept a single input parameter of a distance in meters. Any other tuning parameters for the algorithm MUST be fixed in the definition of the algorithm.

Algorithm Goals

In assessing any algorithm, the information that a recipient can recover determines how effective that algorithm is. When a recipient (or adversary) makes assumptions [Duckham05] about the movement of the target, it may be able to recover more information than is intended.

The assumptions that a recipient is forced to make to recover information determine how effective an algorithm is. The more assumptions that are necessary, the more difficult it is to reliably recover the known location. While it cannot be assumed that the complexity of applying multiple assumptions would prevent a recipient from applying them, the probability that a given set of assumptions is incorrect increases with their number.

The following assumptions are considered important for the development of an algorithm that obscures location. These assumptions are considered to have a high probability of being correct and are therefore the most important assumptions to protect against.

Stationary assumption:
An algorithm SHOULD obscure the location of a stationary target. More specifically, when a target does not move, a location recipient should be unable to determine the known location using only the reported locations that are output from the algorithm.

Continuous movement assumption:
An algorithm SHOULD obscure the location of a moving target. More specifically, when a target moves, a location recipient should be unable to determine the known location of the target at any point in time using only the reported locations that are output from the algorithm.

Frequent destination assumption:
An algorithm SHOULD obscure the details of a frequently visited location or path. For a destination that is regularly visited, the algorithm cannot reveal the precise position of that destination.

Any description SHOULD indicate whether the algorithm prevents a recipient from identifying whether different reported locations correspond to the same known location, and under what circumstances. Linking reported locations in this way would permit a recipient to learn that the same location is being visited, even if the identity of that location is obscured.

High accuracy assumption:
An algorithm SHOULD obscure location when the known location has low uncertainty or a high update rate. A theoretical analysis of the algorithm based on a continuous series of perfect known locations is desirable.
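To make the constraints above (single distance parameter, reported uncertainty enclosing the known uncertainty) and the stationary-target goal concrete, here is an added example that is not part of the draft text or the message; it compares two hypothetical obscuring algorithms of my own construction. Locations are assumed to be circles on a local flat plane with x, y and radius in metres, and the sample target coordinates are constructed. The example checks the enclosure constraint on every report and then measures what a recipient who assumes the target is stationary recovers by averaging repeated reports.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    """A location with uncertainty, modelled as a circle on a local flat plane
    (assumption: x, y and radius are all in metres)."""
    x: float
    y: float
    radius: float


def encloses(reported: Location, known: Location) -> bool:
    """Algorithm constraint: the reported circle must contain the whole known circle."""
    centre_gap = math.hypot(reported.x - known.x, reported.y - known.y)
    return centre_gap + known.radius <= reported.radius + 1e-9


def snap_to_grid(known: Location, distance: float, rng: random.Random) -> Location:
    """Hypothetical algorithm A: snap the known centre to a square grid whose cell
    size is the single distance parameter. The output depends only on the cell,
    so a stationary target produces the same report every time. `rng` is unused
    and is only present so both algorithms share one signature."""
    cx = (math.floor(known.x / distance) + 0.5) * distance
    cy = (math.floor(known.y / distance) + 0.5) * distance
    half_diagonal = distance * math.sqrt(2) / 2  # largest gap between a point of the cell and its centre
    return Location(cx, cy, half_diagonal + known.radius)


def random_offset(known: Location, distance: float, rng: random.Random) -> Location:
    """Hypothetical algorithm B: move the centre by a fresh uniformly random vector of
    length at most `distance` and widen the radius so the constraint still holds."""
    angle = rng.uniform(0.0, 2.0 * math.pi)
    length = distance * math.sqrt(rng.random())  # sqrt makes the offset uniform over the disc
    return Location(known.x + length * math.cos(angle),
                    known.y + length * math.sin(angle),
                    distance + known.radius)


def average_centre(reports):
    """What a recipient who assumes a stationary target recovers: the mean reported centre."""
    n = len(reports)
    return (sum(r.x for r in reports) / n, sum(r.y for r in reports) / n)


def stationary_recovery_error(algorithm, known: Location, distance: float,
                              samples: int = 1000, seed: int = 7) -> float:
    """Feed the same known location to the algorithm `samples` times, check the
    enclosure constraint on every report, and return how far (in metres) the
    averaged reported centre lies from the known centre. A small value means the
    algorithm fails the stationary-target goal."""
    rng = random.Random(seed)
    reports = [algorithm(known, distance, rng) for _ in range(samples)]
    if not all(encloses(r, known) for r in reports):
        raise ValueError("algorithm violated the enclosure constraint")
    est_x, est_y = average_centre(reports)
    return math.hypot(est_x - known.x, est_y - known.y)


if __name__ == "__main__":
    # Constructed sample: a stationary target 1234 m east, 567 m north of the local
    # origin, known to within 10 m; the policy allows 500 m of obscuring.
    target = Location(1234.0, 567.0, 10.0)
    for name, alg in (("grid snapping", snap_to_grid), ("random offset", random_offset)):
        err = stationary_recovery_error(alg, target, 500.0)
        print(f"{name:14s}: averaged report is {err:7.1f} m from the known location")
```

Both algorithms satisfy the constraints, but only the deterministic one meets the stationary goal: the averaged random-offset reports converge on the known centre as the sample count grows, while the grid-snapped reports never move. Grid snapping has its own weakness against the frequent-destination goal, since the same cell is reported on every visit, which is exactly the linkability the description is asked to state.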

An algorithm may also provide protection for the speed or velocity of a target. It is desirable that the precise speed of a target cannot be easily learned. The following assumptions are also important in assessing an algorithm:

Constant velocity assumption:
An algorithm SHOULD obscure the speed of a target under the assumption of constant velocity or constant speed along a predefined path (such as a road).

Other assumptions that a location recipient might use to improve its ability to recover a known location include: upper and lower bounds on speed or acceleration, constrained movement along specific thoroughfares, or inability to be located in areas that are designated inaccessible.

Discussion of any additional assumptions that are either rendered ineffective or especially effective is useful in evaluating an algorithm.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv