Evaluating the Privacy Guarantees of Location Proximity Services

Cited by: 12
Authors
Argyros, George [1, 3]
Petsios, Theofilos [1, 3]
Sivakorn, Suphannee [1, 3]
Keromytis, Angelos D. [1, 3]
Polakis, Jason [2]
Affiliations
[1] Columbia Univ, Network Secur Lab, New York, NY 10027 USA
[2] Univ Illinois, Dept Comp Sci, Coll Engn, 851 S Morgan St MC 152, Chicago, IL 60607 USA
[3] Columbia Univ City New York, Dept Comp Sci, 1214 Amsterdam Ave, New York, NY 10027 USA
Funding
U.S. National Science Foundation;
Keywords
Location-based services; location privacy; location proximity; user discovery attacks; spatial cloaking; ALGORITHM;
DOI
10.1145/3007209
Chinese Library Classification number
TP [Automation technology, computer technology];
Subject classification code
0812;
Abstract
Location-based services have become an integral part of everyday life. To address the privacy issues that emerge from the use and sharing of location information, social networks and smartphone applications have adopted location proximity schemes as a means of balancing user privacy with utility. Unfortunately, despite the extensive academic literature on this topic, the schemes that large service providers have adopted are not always designed or implemented correctly, rendering users vulnerable to location-disclosure attacks. Such attacks have recently received major publicity as, in some cases, they even exposed citizens of oppressive regimes to life-threatening risks. In this article, we systematically assess the defenses that popular location-based services and mobile applications deploy to guard against adversaries seeking to identify a user's location. We provide the theoretical foundations for formalizing the privacy guarantees of currently adopted proximity models, design practical attacks for each case, and prove tight bounds on the number of queries required for carrying out successful attacks in practice. To evaluate the completeness of our approach, we conduct extensive experiments against popular services including Facebook, Foursquare, and Grindr. Our results demonstrate that, even though the aforementioned services implement various privacy-preserving techniques to protect their users, they are still vulnerable to attacks. In particular, we are able to pinpoint Facebook users within 5m of their exact location. For Foursquare and Grindr, users are pinpointed within 15m of their location in 90% of the cases, even with the strictest privacy settings enabled. Our attacks are highly efficient and complete within a few seconds. The severity of our findings was acknowledged by Facebook and Foursquare, both of which have followed our recommendations and adopted our design of a safe proximity scheme in their production systems. 
As the number of mobile applications offering location functionality will continue to increase, service providers and software developers must be able to assess the privacy guarantees that their services offer. To that end, we discuss viable defenses that can be currently adopted by all major services, and provide an open-source testing framework to be used by researchers and service providers who wish to evaluate the privacy-preserving properties of applications offering proximity functionality.
Pages: 31
Related papers
50 in total
  • [1] Where's Wally? Precise User Discovery Attacks in Location Proximity Services
    Polakis, Iasonas
    Argyros, George
    Petsios, Theofilos
    Sivakorn, Suphannee
    Keromytis, Angelos D.
    CCS'15: PROCEEDINGS OF THE 22ND ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2015, : 817 - 828
  • [2] A Privacy-preserving Proximity Testing for Location-based Services
    Qiu, Yue
    Ma, Maode
    2018 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), 2018,
  • [3] Location Privacy Issues in Location-Based Services
    AlShalaan, Manal
    AlSubaie, Reem
    Latif, Rabia
    2022 FIFTH INTERNATIONAL CONFERENCE OF WOMEN IN DATA SCIENCE AT PRINCE SULTAN UNIVERSITY (WIDS-PSU 2022), 2022, : 129 - 132
  • [4] From location to location pattern privacy in location-based services
    Abul, Osman
    Bayrak, Cansin
    KNOWLEDGE AND INFORMATION SYSTEMS, 2018, 56 (03) : 533 - 557
  • [5] From location to location pattern privacy in location-based services
    Osman Abul
    Cansın Bayrak
    Knowledge and Information Systems, 2018, 56 : 533 - 557
  • [6] Privacy-Preserving Location-Proximity for Mobile Apps
    Stirbys, Simonas
    Abu Nabah, Omar
    Hallgren, Per
    Sabelfeld, Andrei
    2017 25TH EUROMICRO INTERNATIONAL CONFERENCE ON PARALLEL, DISTRIBUTED AND NETWORK-BASED PROCESSING (PDP 2017), 2017, : 337 - 345
  • [7] Guess-Answer: Protecting Location Privacy in Location Based Services
    Wu, Yingjie
    Zhong, Sisi
    Wang, Xiaodong
    KNOWLEDGE ENGINEERING AND MANAGEMENT, 2011, 123 : 465 - 474
  • [8] User location privacy protection mechanism for location-based services
    He, Yan
    Chen, Jiageng
    DIGITAL COMMUNICATIONS AND NETWORKS, 2021, 7 (02) : 264 - 276
  • [9] A taxonomy of approaches to preserve location privacy in location-based services
    Khoshgozaran, Ali
    Shahabi, Cyrus
    INTERNATIONAL JOURNAL OF COMPUTATIONAL SCIENCE AND ENGINEERING, 2010, 5 (02) : 86 - 96
  • [10] Differential Privacy Models for Location-Based Services
    ElSalamouny, Ehab
    Gambs, Sebastien
    TRANSACTIONS ON DATA PRIVACY, 2016, 9 (01) : 15 - 48