By eavesdropping on a user's query in a sensor network, an adversary can deduce both the user's current location and his/her location of interest. Issuing k queries instead of one (our "k-query" scheme) protects the privacy of the user's location of interest, but facilitates the adversary determining the user's current location. We propose a formal method for measuring how well issuing k queries to locations dispersed throughout the network protects the privacy of the user's location of

more »

... , as well as a quantitative measure of how much information the k queries leak about the user's current location. Experiments reveal that how physically dispersed the k queries are has no meaningful effect on the user's privacy. However, there is a direct trade-off between the user's location-of-interest privacy and his/her current-location privacy, controlled by the value of k the user chooses. User interactions with sensor networks do not occur in featureless, uniform environments. To facilitate the study of our k-query scheme in a rich environment characterized by realistically mobile users, we developed a new generative mobility model to produce mobility data for simulated agents. Existing generative mobility models suffer from a number of limitations. Most significantly, existing models are not representative of actual human movement. Our new mobility model is based on state-of-the-art work in understanding pedestrian mobility patterns in urban areas, known as Space Syntax. Under our model, agents move in a meaningful fashion in terms of destination selection and pathfinding, constrained by their surroundings in an outdoor urban environment. Results obtained from our publicly available Destination-Based Space Syntax Simulator (DBS3), independent from our k-query experiments, demonstrate which mobility model parameters affect wireless network simulations in general: the pathfinding metric in grid-based urban centres and centrality bias in other urban centres. We combined DBS3 with our k-query scheme in order to study how long in advance a user should issue the k queries if travelling from some current location to his/her location ii of interest. While the exact threshold depends on the urban environment and speed of the agents in question, the typical threshold is very low, e.g., 10 minutes when using k = 3 in downtown Edmonton, Canada. iii Preface Chapter 2 is based on a previously published paper: Ryan Vogt, Ioanis Nikolaidis, and Pawel Gburzynski. A realistic outdoor urban pedestrian mobility model. Simulation Modelling Practice and Theory, 26:113-134, 2012. Ryan Vogt was responsible for the design of the mobility simulation system described therein, the implementation of that system, experimental design, analysis, and manuscript composition. Ioanis Nikolaidis and Pawel Gburzynski were supervisory authors, and were involved with concept formation and manuscript composition. Chapter 3 is a significant extension of a previously published paper: Ryan Vogt, Mario Nascimento, and Janelle Harms. On the trade-off between user-location privacy and queried-location privacy in wireless sensor networks. In Proceedings of the 8th International Conference on Ad-Hoc Networks and Wireless, pages 241-254, 2009. Ryan Vogt was responsible for the design and implementation of the experiments, analysis, and manuscript composition. Mario Nascimento and Janelle Harms were supervisory authors, and were involved with concept formation and manuscript composition. iv