Related Work

Privacy concerns in location-based application scenarios are typically addressed in a location broker residing in the middleware layer. To our knowledge, Spreitzer and Theimer [8] pioneered the development of such an architecture. In this work, each user owns a trusted user agent that acts as an intermediary. It collects location information from a variety of sensors and controls application access to this data. More recent research addresses the specifics of privacy policies, on which access control decisions are based. For instance, Myles and colleagues [9] describe an architecture for a centralized location server that controls access from client applications through a set of validator modules that check XML-encoded application privacy policies. In the automotive telematics domain, Duri and colleagues [4] present a policy-based framework for protecting sensor information, where an in-car computer can act as a trusted agent. Hengartner and Steenkiste [10] point out that access control decisions can be governed by either room or location policies; thus, such systems should be able to resolve conflicts between several different policies. Snekkenes [3] presents advanced concepts for specifying policies in the context of a mobile phone network. These concepts enable access control based on criteria such as time of the request, location, speed, and identity of the located object. However, the author concludes by expressing doubt that the average user will specify such complex policies. In addition, privacy policies mainly serve as a vehicle for establishing trust in a service provider--they cannot guarantee that the provider adequately protects the collected data from in- or outside attacks. Anonymity mechanisms present an alternative to privacy policy-based access control through de-personalization of data before its release. Specifically, Gruteser and Grunwald [11] analyze the feasibility of anonymizing location information for location-based services in an automotive telematics environment. In addition, Beresford and Stajano [12] independently evaluate anonymity techniques for an indoor location system based on the Active Bat. These approaches address the problem of too precise location information that enables identification of a user or continued tracking of movements. However, access control or anonymity mechanisms in the middleware offer little protection when the location tracking system (the sensors) are owned by an untrusted party, such as in a shopping mall. The Cricket Location-Support System [13] incorporates privacy concern in the design of the location sensor system itself. The system comprises a set of beacons embedded into the environment and receiving devices that determine their location through listening for the radio and ultrasound beacons. This approach enhances user privacy over previous systems, such as the Active Badge [14] and the Active Bat [15], because device location information is initially only known to the devices themselves. The owner can then conceivably decide to whom this data should be released. Therefore, users do not need to trust the embedded sensors or a location server. However, it requires the user to carry a device that is compatible with the beacons and powerful enough to make access control decisions, to delegate them to the user (via a suitable interface), or to communicate the request to another trusted agent. It does not cover other classes of location-tracking systems, where the user carries no device (e.g., infrared cameras) or the device is not powerful enough to allow such decision-making (e.g., RFID or the Active Bat).