Portal for the PRIME Project

Location Based Services Application Prototype

Introduction

Location-based services (LBS) answer three questions: Where am I? What is around me? How do I get there? They determine the location of the user by using one of several positioning technologies, and then use the location and other information to provide personalized applications and services. However, a user who employs location-based services on a regular basis faces a potential privacy problem: location data may be gathered to profile the user's movements, which might reveal personal information based on places the user visits regularly or at specific times.
One example of a state-of-the-art privacy-respecting application is developed by T-Mobile in cooperation with the University of Frankfurt as part of the PRIME project. For T-Mobile, the prototype leads to new insights into how privacy-enhanced identity management can be introduced into an m-commerce scenario without restricting the business models. An idea of how privacy-enhancing services can be deployed within a telecommunication environment, especially as a standardized identity management (IDM) system, can enable new and efficient business models in such a scenario.

Scenario

Consider John Primeur, a businessman who has just arrived in a new town on a business trip. He needs some medication he forgot at home, but he doesn't know his way around town. So he decides to use a location-based service accessible from his mobile phone to locate the nearest pharmacy.
John's phone opens a connection to the pharmacy service, and John is then forwarded to his mobile operator, which determines his position. The determined position is passed to the service provider, who compares it to its database. The results (e.g. the k nearest pharmacies) are then returned to John's mobile phone, where they are displayed.
Of course, this would probably lead to the mobile operator knowing that John is searching for a pharmacy, while the LBS would be able to tell which mobile operator John is using, and probably would have to be customized for usage with a specific service. Additionally, precautions should be taken to avoid giving LBS providers the possibility to track the user at will. More generally, there is a need for solutions that empower the user to enforce privacy policies for his personal data, including his location.

Mechanism

This scenario entails several challenges and opportunities for privacy enhancing technologies. The system should:

  • Control the flow of dynamic personal information, such as location or service usage
  • Determine who has received personal information for which purpose
  • Delegate handling of context-based personal information
  • Hide specifics of service usage from mobile operator
  • Anonymize user towards service provider
  • Provide a unique interface for all supported services
  • Have a substantial initial installed user base for profitable, privacy-friendly LBSs

The prototype demonstrates how the user is given extended control of his personal information, but is still able to use a real mobile m-commerce application using features of the PRIME toolbox, including communication, authentication, authorization, policy management, data track and automatic handling of personal information. The architecture behind this prototype comprises four parties:

  • The User who accesses the service over a WAP connection,
  • The LBS application service provider (AP) which provides the pharmacy search service to the user,
  • The mobile operator (MO) that serves as location source and as communication provider and
  • The location intermediary (LI) which separates the mobile operator from the LBS application service provider and also represents the user’s interests on the service side.

The LBS application service provider maintains a database with pharmacies and their respective locations. When a user requests information about the closest pharmacy to his position, his location is retrieved and the pharmacy database is queried. Then a list with the closest few pharmacies is returned to the user. In contrast to the naïve implementation, the intermediary allows for pseudonymity of the user towards the service provider, while still offering user authentication, authorization, and accounting functionalities. Additionally, the intermediary provides a unified interface for LBS providers, thus minimizing the cost of developing and deploying new LBSs, while preserving the users’ privacy.
The prototype employs several advanced features of the PRIME toolbox, including authentication, authorization, policy management and data track functionalities.
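
The separation of knowledge between the four parties can be modelled in a few lines. The following is an added example, not code from the PRIME prototype: the class and method names, the sample coordinates and the HMAC-derived per-service pseudonym (a stand-in for PRIME's credentials) are all assumptions made for illustration.

```python
import hashlib, hmac, math

# Constructed sample data (name, lat, lon); not taken from the prototype.
PHARMACIES = [("Pharmacy A", 50.110, 8.680), ("Pharmacy B", 50.120, 8.700),
              ("Pharmacy C", 50.090, 8.650), ("Pharmacy D", 50.200, 8.900)]

class MobileOperator:
    """Location source: sees the subscriber, never the service being used."""
    def __init__(self, positions):
        self.positions, self.seen = positions, []
    def locate(self, subscriber):
        self.seen.append({"subscriber": subscriber})
        return self.positions[subscriber]

class ApplicationProvider:
    """Pharmacy search: sees a pseudonym and a position, never the subscriber."""
    def __init__(self):
        self.seen = []
    def nearest(self, pseudonym, pos, k):
        self.seen.append({"pseudonym": pseudonym, "position": pos})
        # Plain coordinate distance is enough for this model.
        ranked = sorted(PHARMACIES, key=lambda p: math.dist(pos, p[1:]))
        return [name for name, _, _ in ranked[:k]]

class LocationIntermediary:
    """Separates MO from AP, enforces the user's policy, keeps a data track."""
    def __init__(self, mo, key):
        self.mo, self.key, self.policy, self.data_track = mo, key, {}, []
    def allow(self, subscriber, service, purpose):
        self.policy[(subscriber, service)] = purpose
    def pseudonym(self, subscriber, service):
        # Assumption: keyed hash gives a stable pseudonym per (user, service).
        msg = f"{subscriber}|{service}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
    def request(self, subscriber, service, ap, k=2):
        purpose = self.policy.get((subscriber, service))
        if purpose is None:  # checked before any location is fetched
            raise PermissionError("policy does not release location to " + service)
        pos = self.mo.locate(subscriber)
        self.data_track.append({"recipient": service, "data": "location", "purpose": purpose})
        return ap.nearest(self.pseudonym(subscriber, service), pos, k)

def demo():
    mo = MobileOperator({"john": (50.111, 8.682)})
    li = LocationIntermediary(mo, key=b"constructed-demo-key")
    ap = ApplicationProvider()
    li.allow("john", "pharmacy-search", "find nearest pharmacy")
    return li.request("john", "pharmacy-search", ap), mo, ap, li

if __name__ == "__main__":
    print(demo()[0])
```

The `seen` lists record what each party learned, and `data_track` records which recipient received which data for which purpose.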

Implemented Prototype


A first version of the prototype, a mobile pharmacy search using the Wireless Application Protocol (WAP), has already been finished. Using this widely deployed protocol enables T-Mobile to reach a maximum footprint for upcoming privacy-enhanced products based on the prototype.

Future Work

The next version of the prototype will be a push service and will deploy the PRIME user side on a mobile phone to reach even stronger privacy guarantees. In addition to (anonymous) PRIME credentials, the (anonymous) PRIME communication channels and dynamic personal information facilities will be employed to provide solid protection of users' privacy.

Created by ctk
Last modified 2006-10-02 03:20 PM