US 20060165100A1
`
`a2 Patent Application Publication () Pub. No.: US 2006/0165100 A1
`
`a9y United States
`
`Huang et al.
`
`43) Pub. Date: Jul. 27, 2006
`
`(54) WIRELESS LOCATION PRIVACY
`
`(76) Inventors: Leping Huang, Tokyo (JP); Kauta
`Matsuura, Tokyo (JP); Hiroshi
`Yamane, Tokyo (JP); Kaoru Sezaki,
`Tokyo (JP)
`
`Correspondence Address:
`ROBERT M BAUER, ESQ.
`LACKENBACH SIEGEL, LLP
`1 CHASE ROAD
`SCARSDALE, NY 10583 (US)
`
`(21) Appl. No.: 11/254,981
`(22) Filed: Oct. 20, 2005
`(30) Foreign Application Priority Data
`Oct. 22,2004 (GB) wcevvvevrreeirrerirerisecneinenis 0423529.7
`
`Publication Classification
`
`(51) Int.ClL
`
`HO4L 12/66 (2006.01)
`(52) US.CL oo, 370/400; 370/328; 370/352
`(57) ABSTRACT
`
`A method for combating the tracking of a mobile transceiver,
`the mobile transceiver forming a node in a wireless com-
`munication network which has at least one other node, the
`method comprising the steps for enabling, until a first time,
`the transmission of a radio packet that depends upon a first
`anonymous address; calculating, dependent on a privacy
`level for the mobile transceiver, a second time; enabling,
`from the second time, the transmission of a radio packet that
`depends upon a second anonymous address; and disabling,
`between the first time and the second time, the transmission
`of a radio packet that depends upon either the first anony-
`mous address or the second anonymous address.
`
`Google Exhibit 1013
`Google v. SecCommTech
`
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 1 of 4 US 2006/0165100 A1
`
`F"D'\
`
`s
`Lo
`\\ \3 { e
`W
`3344’:‘;,/’
`LUK
`A5 b
`
`S
`
`r - '
`o @ BOANRY - T
`/’]/E‘E:coam
`F.S-ZB.
`
`1]
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 2 of 4
`
`.
`Sef
`/ 1S
`
`,
`Tl |
`
`T
`
`l PLo¢eseon }'V 51
`
`4 1‘
`] MEMony | A
`—
`
`53 4¢
`
`US 2006/0165100 A1
`
`30
`
`i
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 3 of 4
`
`%
`Z &
`
`(x,y)
`
`Figure 4: illustration of calculating PPC
`
`Silent period va. GAS(accuracy: 9s0.2)
`
`250
`002w
`004 m?
`2| ——ooarm?
`
`00w m?
`——
`
`150! 018 m?
`
`g T 0280 m?
`
`—osim?
`
`Syt
`
`10 15 20
`Silent Period (in seconds)
`
`Figure 6: Silent period vs. GAS
`
`o Conparison of GAS under two acouracies
`o
`!’a
`
`.-'/
`
`] P
`
`e P
`
`[ e
`
`H -
`
`840’ o
`
`3 v
`
`i &
`
`3 e
`
`e
`.'/0/
`;’/ g
`4
`i 10" 10
`
`GAS{accuracy = = 0.05)
`
`Oensity vs. GAS
`
`° 50 200 250 300 350 400
`
`Figure 5: defiSit{'Vs. GAS
`
`pivot period of Silent period{accuracy: 9=0.2)
`
`ooy’
`— 004 m2
`T+ 008/m®
`—4— 000/ m?
`A osarm®
`
`YT 0280 mE
`O o0srm?
`
`™ ue?
`
`01 [ D4 a5
`
`02 .3
`Silent Period (in seconds)
`Figure 7: Pivot effect of silent
`period vs. GAS
`
`Figure 8: scatter plot to compare GAS under different accuracies
`
`US 2006/0165100 A1
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 4 of 4 US 2006/0165100 A1
`
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`WIRELESS LOCATION PRIVACY
`
`RELATED APPLICATION
`
`[0001] This application claims priority to UK Patent
`Application No. 0423529.7, filed Oct. 22, 2004, which is
`incorporated herein by reference in its entirety.
`
`BACKGROUND OF THE INVENTION
`
`[0002] The present invention relates to a method for
`combating tracking of a mobile transceiver.
`
`[0003] Recent technological advances in wireless loca-
`tion-tracking present unprecedented opportunities for moni-
`toring the movements of individuals. While such technology
`can support many useful location-based services (LBSs),
`which tailor their functionality to a user’s current location,
`privacy concerns might seriously hamper user acceptance.
`
`[0004] There are currently several efforts researching
`methods to protect users’ location privacy when conducting
`wireless transmission. The main idea of those approaches is
`to protect location privacy by periodically updating the
`nodes” MAC address. However, current solutions may not
`prevent nodes from being tracked as locating technology
`improves and nodes can be more accurately located. Under
`such high precision tracking system, new attacking methods
`using the correlation between old and new MAC address can
`defeat periodical address update methods. Examples of such
`problems and possible solutions are given below.
`
`[0005] According to the current Bluetooth Specification
`(version 1.1), Bluetooth devices, when in discoverable
`mode, always reply to inquiry requests with a FHS packet
`that identifies the unique 48-bit Bluetooth device address of
`the device.
`
`[0006] If a malicious user has access to a widely deployed
`Bluetooth Access Pont network, he can track the positions of
`all Bluetooth devices by repeatedly sending inquiry requests
`and collecting the FHS packets sent in reply. As each FHS
`packet received in reply contains a device’s permanent and
`unique Bluetooth address, the malicious user can track, from
`the received replies, individual devices as they move.
`
`[0007] A malicious user may alternatively intercept (sniff)
`all Bluetooth packets sent over the air.
`
`DESCRIPTION OF THE INVENTION
`
`[0008] To prevent position tracking, there is a current
`proposal to enhance the current Bluetooth specification by
`including an ‘anonymity mode’. The details of this proposal
`are not yet public. However, in anonymity mode, a node uses
`a randomly generated Bluetooth address BD_ADDR (an
`anonymous address) instead of the permanent and unique
`Bluetooth address. Location tracking is combated by regu-
`larly updating the anonymous address.
`
`[0009] According to the ‘anonymity mode’ proposal each
`Bluetooth device has a unique 48-bit Bluetooth device
`address (BD_ADDR_fixed). The address includes a lower
`address part (LAP) of 24 bits, an upper address part (UAP)
`of 8 bits and a non-significant address part of 16 bits. Each
`device also has a 48-bit Bluetooth active device address
`(BD_ADDR), which has the same format as BD_AD-
`DR_ fixed.
`
`Jul. 27,2006
`
`[0010] For non-anonymous devices or for devices that do
`not support anonymity mode, the BD_ADDR equals
`BD_ADDR_fixed and is not updated.
`
`[0011] For devices in anonymous mode, the LAP of the
`BD_ADDR is pseudo-random and is updated frequently.
`The updating depends upon two parameters: the address
`update period (T, ppr_updare) @nd the reserved period for
`inquiry (TAppr_inquiry perioa)- A timer t1 is used to trigger
`address updates and 1s re-started when a new BD_ADDR
`has been generated. A timer t2 is started whenever a
`BD_ADDR is sent in a FHS packet, such as in an inquiry
`response, master page response or master-slave role switch.
`The timer t2 prevents an address update for a critical period
`after sending an FHS packet.
`
`[0012] While t1=T.ppr update OF 2=Tanpr inquiry
`period, then the BD_ADDR is not updated. However, when-
`ever t1>’I‘ADDR7L1pdatf: and t2<’I‘ADDR7inc[uiry period the pro-
`cess for updating BD_ADDR is started.
`
`[0013] The value of T ppr_update €an range between 1
`second and 194 days, but has a default value of 24 hours.
`The value of T ppr_inguiry perioa €20 range between 30 and
`255 seconds, but has a default value of 60 seconds. Thus, if
`the default values are used, the anonymous address is
`updated approximately every 24 hours.
`
`[0014] If an updated address BD_ADDR is generated by
`a Master, all connected devices in the piconet that support
`anonymity mode are informed of the updated address
`BD_ADDR and of a future time at which the Master will
`start to use the updated address.
`
`[0015] The BD_ADDR of a device is used to define a
`hopping sequence, the channel access code (CAC) and
`device access code (DAC) for the device. A change in the
`BD_ADDR changes the DAC and hopping sequence used to
`transmit a FHS packet in response an inquiry request. A
`change in the BD_ADDR of a Master changes the CAC and
`hopping sequence used to transmit packets within the pico-
`net controlled by the Master.
`
`[0016] The periodic updating of the anonymous address is
`intended to prevent location tracking.
`
`[0017] However, the inventor has realized that the cur-
`rently proposed anonymity mode may not necessarily pre-
`vent location tracking.
`
`[0018] The proposal becomes inefficient at combating
`location tracking of a Bluetooth device when there is a low
`density of surrounding Bluetooth devices, when the Blue-
`tooth device moves very slowly and when the position of the
`Bluetooth device can be very accurately determined.
`
`[0019] Although the current proposal for anonymity mode
`may be sufficient for current Bluetooth based positioning
`technology that has a resolution of 1 m, the inventor has
`realized that as location technology improves and Bluetooth
`devices can be accurately located then the current proposal
`for ‘anonymity mode’ may not prevent Bluetooth devices
`being tracked. This is because, as a device can be positioned
`accurately it will be possible to find a strong correlation
`between a trail left by an old anonymous address and that
`left by a new anonymous address. The old and new anony-
`mous addresses can therefore be linked. Such correlation
`becomes easier as the distance between Bluetooth devices
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`increase, the speed of a device decreases and the accuracy
`with which a device can be positioned increases.
`
`DESCRIPTION OF THE DRAWINGS
`
`[0020] FIG. 1 illustrates a piconet 10 that comprises a
`plurality of Bluetooth-enabled radio transceiver devices 2.
`Some of the devices 2 may be mobile. Each device com-
`municates using packets transmitted over a radio commu-
`nication range of approximately 10 m.
`
`[0021] The transceiver devices 2 of the piconet 10 com-
`prise a Master M and a plurality of Slaves S1, S2, S3 and S4.
`The Master M controls the piconet 10. The timing of the
`piconet is based upon the timing of the Master M. The
`frequency-hopping sequence used by the network is based
`upon the BD_ADDR of the Master and the packets sent
`within the piconet have as their synchronization word an
`Access Code derived from the BD_ADDR of the Master M.
`
`[0022] FIG. 2A illustrates the movement of two mobiles
`transceiver devices 2A and 2B. The transceiver device 2A
`changes its anonymous address at each point 12 along its
`path. The new address may be immediately obtained by
`initiating an Inquiry request or by sniffing communications
`by the transceiver device 2A.
`
`[0023] The transceiver device 2B changes its anonymous
`address at each of the points 14 along its path. The new
`address may be immediately obtained by initiating an
`Inquiry request or by sniffing communications by the trans-
`ceiver device 2A.
`
`[0024] It may be possible to associate a first anonymous
`address received from a transceiver device when at position
`P1 with a second anonymous address previously received
`from a transceiver device when at position P2 with the same
`transceiver device because of temporal and/or spatial cor-
`relation. Temporal correlation may be used because the
`period with which transceiver devices change their anony-
`mous addresses may be fixed but different. Spatial correla-
`tion may be used if it is assumed that transceiver devices will
`generally continue in the same direction with the same speed
`as they traveled in the past.
`
`[0025] FIG. 2B illustrates the movement of two mobile
`transceiver devices 2A and 2B.
`
`[0026] The first mobile transceiver 2A enables, until a first
`time 11, the transmission of a radio packet that depends upon
`a first anonymous address BD_ADDR(1). The first mobile
`transceiver 2A enables, from a second time 16, the trans-
`mission of a radio packet that depends upon a second
`anonymous address BD_ADDR(2). The first mobile trans-
`ceiver 2A disables for a transitional silence period 18,
`between the first time 11 and the second time 16, the
`transmission of all radio packets that depend on either the
`first anonymous address BD_ADDR(1) or the second
`anonymous address BD_ADDR(2).
`
`[0027] Although, transmissions are limited between the
`first time and the second time, it is still possible to transmit
`radio packets that do not identify the first transceiver device
`because they depend on neither the first anonymous address
`nor the second anonymous address. This will only be
`possible if the transceiver device is operating as a Slave.
`
`[0028] The transceiver device 2A changes its anonymous
`address at each point 12 along its path. However, for the sake
`
`Jul. 27,2006
`
`of clarity the effect is only illustrated near the intersection of
`the paths of both transceiver devices. The silence period 18
`is illustrated by a break in the path of the device 2A. The
`silence period begins at the first time 11 and ends at a second
`time 16.
`
`[0029] Likewise the second mobile transceiver 2B
`enables, until a third time 15, the transmission of a radio
`packet that depends upon a third anonymous address BD
`ADDR(3). The second mobile transceiver 2B enables, from
`a fourth time 17, the transmission of a radio packet that
`depends upon a fourth anonymous address BD_ADDR(4).
`The first mobile transceiver 2A disables for a transitional
`silence period 19, between the third time 15 and the fourth
`time 17, the transmission of all radio packets that depend on
`either the third anonymous address BD_ADDR(3) or the
`fourth anonymous address BD_ADDR(4).
`
`[0030] Although, transmissions are limited between the
`third time and the fourth time, it is still possible to transmit
`radio packets that cannot identify the transceiver device
`because they depend on neither the third anonymous address
`nor the second anonymous address. This will only be
`possible if the transceiver device is operating as a Slave.
`
`[0031] The transceiver device 2B changes its anonymous
`address at each point 12 along its path. However, for the sake
`of clarity the effect is only illustrated near the intersection of
`the paths of both transceiver devices. The silence period 19
`is illustrated by a break in the path of the device 2B. The
`silence period begins at the first time 15 and ends at a second
`time 17.
`
`[0032] The silent transitional periods introduce ambiguity
`into any determination of the time and/or place at which a
`change of anonymous address occurred. This makes it more
`difficult to associate two separately received anonymous
`addresses with the same transceiver device because the
`silence periods disrupt temporal and/or spatial correlation.
`
`[0033] A transmission of a radio packet may depend upon
`an anonymous address when:
`
`[0034] a) it includes the anonymous address
`
`[0035] b) it includes a synchronization word based upon
`the anonymous address such a Common Access Code
`(CAC) or Device Access Code (DAC).
`
`[0036] c) it uses a frequency from a frequency-hopping-
`sequence based upon the anonymous address, for example
`when an FHS packet is sent by a Slave.
`
`[0037] d) itis a L2CAP link establishment packet
`
`[0038] Thus disabling during the silent transitional period
`may prevent:
`
`[0039] (i) the transmission of FHS packets between the
`first time and the second time
`
`[0040] (ii) the mobile transceiver performing an inquiry
`scan or replying to an inquiry request between the first
`time and the second time
`
`[0041] (iii) the mobile transceiver performing a page scan
`or replying to a page request between the first time and the
`second time
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`Synchronized Network
`
`[0042] The first transceiver device 2A and the second
`transceiver device 2B of FIG. 2B may be time synchronized
`to a common time reference. The first time and the third time
`correspond to the same first common time, and the second
`time and the fourth time correspond to the same second
`common time.
`
`[0043] The time duration between the first common time
`and the second common time is adjustable. The adjustment
`is preferably automatic and may be dependent upon:
`
`[0044] a) a measure of the separation of the mobile
`transceivers
`
`[0045] b) a measure of the accuracy with which a mobile
`transceiver can be located
`
`[0046] c¢) a measure of the speed with which a mobile
`transceiver moves
`
`[0047] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`[0048] The measure of the separation of the plurality of
`the mobile transceivers may be obtained automatically from
`one or more inquiry requests, which will identify the number
`of radio transceiver devices that are within communication
`range.
`
`[0049] The measure of the accuracy with which a mobile
`transceiver can be located may be remotely configurable by,
`for example, a data download. It will also depend upon the
`technology used for location e.g. triangulation, GPS etc.
`
`[0050] The time duration T between the first common time
`and the second common time, is such that T=(d-4* e)/2v,
`where d is a minimum separation in meters between the
`transceiver device and its neighboring transceiver devices, e
`is the error in meters associated with the technology used for
`locating the transceiver device and v is the average recti-
`linear velocity of the transceiver device. A pedestrian typi-
`cally moves with a velocity of 6 km/h, whereas a car may
`move with a velocity of 60 km/h.
`
`Unsynchronized Network
`
`[0051] The first transceiver device 2A and the second
`transceiver device 2B of FIG. 2B may not be time synchro-
`nized. Each transceiver device has its own local time refer-
`ence. In this case the first time and the third time are
`independent and the second time and the fourth time are
`independent.
`
`[0052] The difference between the first (local) time and the
`second (local) time may comprise a calculated minimum
`period and an independent, randomly generated period.
`
`[0053] The minimum period is calculated in dependence
`upon:
`
`[0054] a) a measure of the separation between the first
`mobile transceiver 2A and its neighboring mobile trans-
`ceivers
`
`[0055] b) a measure of the accuracy with which the first
`mobile transceiver 2A can be located
`
`[0056] c¢) a measure of the speed with which the first
`mobile transceiver 2A moves
`
`Jul. 27,2006
`
`[0057] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`[0058] The measure of the separation may be obtained
`automatically from one or more inquiry requests, which will
`identify the number of radio transceiver devices that are
`within communication range.
`
`[0059] The measure of the accuracy with which a mobile
`transceiver can be located may be remotely configurable by,
`for example, a data download. It will also depend upon the
`technology used for location e.g. triangulation, GPS etc.
`
`[0060] The minimum period T1, is such that T1=(d-4*
`e)/2v, where d is an average separation in meters between the
`first transceiver device 2A and its neighboring transceiver
`devices, e is the error in meters associated with the tech-
`nology used for locating the first transceiver device 2A and
`v is the average rectilinear velocity of the first transceiver
`device 2A.
`
`[0061] The value of T,ppr updates that is the frequency
`with which anonymous address of the first transceiver
`device 2A is changed, may also be automatically adjustable.
`The adjustment may dependent upon:
`
`[0062] a) a measure of the separation between the first
`mobile transceiver 2A and its neighboring mobile trans-
`ceivers
`
`[0063] b) a measure of the accuracy with which the first
`mobile transceiver 2A can be located
`
`[0064] c) a measure of the speed with which the first
`mobile transceiver 2A moves
`
`[0065] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`[0066] The measure of the separation may be obtained
`automatically from one or more inquiry requests, which will
`identify the number of radio transceiver devices that are
`within communication range.
`
`[0067] The measure of the accuracy with which a mobile
`transceiver can be located may be remotely configurable by,
`for example, a data download. It will also depend upon the
`technology used for location e.g. triangulation, GPS etc.
`
`[0068] The difference between third (local) time and the
`fourth (local) time also comprises a calculated minimum
`period and an independent, randomly generated period.
`
`[0069] The minimum period is calculated in dependence
`upon:
`
`[0070] a) a measure of the separation between the second
`mobile transceiver 2B and its neighboring mobile trans-
`ceivers
`
`[0071] b)a measure of the accuracy with which the second
`mobile transceiver 2B can be located
`
`[0072] c) a measure of the speed with which the second
`mobile transceiver 2B moves
`
`[0073] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`[0074] The minimum period T1, is such that T1=(d-4%e)/
`2v, where d is an average separation in meters between the
`second transceiver device 2B and its neighboring transceiver
`devices, e is the error in meters associated with the tech-
`nology used for locating the second transceiver device 2B
`and v is the average rectilinear velocity of the second
`transceiver device 2B.
`
`[0075] The value of T,ppr ypaares that is the frequency
`with which anonymous address of the second transceiver
`device 2B is changed, may also be automatically adjustable.
`The adjustment may dependent upon:
`
`[0076] a) a measure of the separation between the second
`mobile transceiver 2B and its neighboring mobile trans-
`ceivers
`
`[0077] b)a measure of the accuracy with which the second
`mobile transceiver 2B can be located
`
`[0078] c¢) a measure of the speed with which the second
`mobile transceiver 2B moves
`
`[0079] FIG. 3 illustrates an example of a typical Bluetooth
`enabled radio transceiver device 30. The transceiver device
`30 comprises a processor 32, a radio transceiver 34, a clock
`36, a memory 38 and a user interface 40, which includes a
`display 42 and a keypad 44 for user input. It should be
`appreciated that this illustration is only a schematic.
`
`[0080] The processor 32 is connected to each of the radio
`transceiver 34, clock 36, memory 38 and user interface 40.
`
`[0081] The processor uses the clock 36 to maintain a timer
`t, which is used to control the silent transitional period 18,
`19.
`
`[0082] The memory 38 stores computer program instruc-
`tions, which when loaded into the processor 32 enable it to
`perform the methods described above.
`
`[0083] The transceiver device 30 may park the Slaves in
`the piconet if the silent transitional period will exceed the
`Link_Supervision timeout period i.e. the maximum period
`for which there can be no communication on a link without
`it being assumed that the link has been lost.
`
`[0084] Although the above examples have been described
`in relation to a Bluetooth low power radio frequency net-
`work, they may be used in other radio networks where it is
`desirable to combat the tracking of devices and/or users, for
`example, to mobile cellular telecommunication networks.
`
`[0085] Through our previous research, we noticed that
`there is a quantitative measure missing in the latest location
`privacy protection researches. Current algorithms realize
`their effectiveness of location privacy protection with the
`cost of service degradation and/or out-of-service period. In
`other words, there is a tradeoff between service quality and
`privacy level a system can provide. Because current research
`lacks a quantitative measure for wireless location privacy
`level, the system designer cannot determine the parameters
`of those algorithms based on users’ privacy and service
`quality needs. Consequently, this restricts the feasibility of
`many location privacy protection algorithms.
`
`[0086] There are many important privacy related works in
`the anonymous communication research area. Several quan-
`titative measures are also used in these proposals. From
`these, the size of the anonymity set defined by Chaum
`
`Jul. 27,2006
`
`(David Chaum, “The Dining Cryptographers Problem:
`Unconditional Sender and Recipient Untraceability”, .
`Cryptol., vol. 1, pp. 65-75, 1988) is one of the most widely
`used to measure the anonymity of the Dining Cryptogra-
`pher’s (DC) network. The anonymity set is defined as the set
`of participants who may have sent a particular message, as
`seen by a global observer that also compromises a set of
`nodes. Recently, Serjantov et al. (Andrei Serjantov and
`George Danezis: “Towards an Information Theoretic Metric
`for Anonymity”, Proceedings of the Workshop on Privacy
`Enhancing Technologies (PET) 2002, LNCS 2482, 41-53,
`Springer-Verlag, 2003) and Diaz et al. (Claudia Diaz, Ste-
`faan Seys, Joris Claessens, and Bart Preneel: “Towards
`Measuring Anonymity”, Proceedings of the Workshop on
`Privacy Enhancing Technologies (PET) 2002, LNCS 2482,
`54-68, Springer-Verlag, 2003) have independently proposed
`an information theoretic model to measure the degree of
`anonymity of such a system. These papers identify that not
`all nodes involved in anonymous communication contribute
`same degree of anonymity to the system. The size of
`anonymity set cannot precisely describe the degree of ano-
`nymity a system provides. These papers therefore take into
`account the probability of a user sending and/or receiving a
`message and propose the use of entropy of all users’
`probabilities of sending and/or receiving message as the
`measure of anonymous system.
`
`[0087] Current location privacy protection algorithms lack
`a general quantitative measure. This problem causes diffi-
`culties in evaluating the feasibility of proposals and in
`implementing the algorithm in real systems. Therefore, there
`is aneed to fill in this missing part in current location privacy
`protection research
`
`[0088] Embodiments of the present invention introduce a
`new measure called the geographical anonymity set (GAS)
`to fill in the missing part in the location privacy protection
`area. The proposed measure can be used to evaluate most of
`the location privacy protection methods that are based on
`periodical address updates. The GAS measure is evaluated
`using the “silent period” method of location privacy protec-
`tion described above.
`
`[0089] According to a first embodiment of the present
`invention, there is provided a method for combating the
`tracking of a mobile transceiver, the mobile transceiver
`forming a node in a wireless communication network which
`has at least one other node, the method comprising the steps
`of enabling, until a first time, the transmission of a radio
`packet that depends upon a first anonymous address, calcu-
`lating, dependent on a privacy level for the mobile trans-
`ceiver, a second time, enabling, from the second time, the
`transmission of a radio packet that depends upon a second
`anonymous address and disabling, between the first time and
`the second time, the transmission of a radio packet that
`depends upon either the first anonymous address or the
`second anonymous address.
`
`[0090] Preferably, the second time is after the first time.
`
`[0091] Preferably, the mobile transceiver has a unique
`identity in the wireless communication network and the first
`anonymous address and second anonymous address are
`independent of that identity.
`
`[0092] The method may further comprise the steps of:
`randomly generating at least a portion of the first anonymous
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`address before enabling the transmission of a radio packet
`that depends upon the first anonymous address and ran-
`domly generating at least a portion of the second anonymous
`address before enabling the transmission of a radio packet
`that depends upon the second anonymous address.
`
`[0093] Preferably, the step of disabling comprises dis-
`abling between the first time and the second time, the
`transmission of all radio packets that depend on either the
`first anonymous address or the second anonymous address.
`
`[0094] Typically, a radio packet depends upon an anony-
`mous address when it includes the anonymous address.
`Alternatively, transmission of a radio packet may depend
`upon an anonymous address when it includes a synchroni-
`zation word based upon the anonymous address, when it
`uses a frequency from a frequency-hopping-sequence based
`upon the anonymous address or when it is a L2CAP link
`establishment packet.
`
`[0095] The step of disabling may prevent the transmission
`of FHS packets between the first time and the second time,
`may prevent the mobile transceiver replying to an inquiry
`request between the first time and the second time or may
`prevent the mobile transceiver replying to a page request
`between the first time and the second time.
`
`[0096] The method may further comprise transmitting,
`between the first time and the second time, radio packets that
`depend on neither the first anonymous address nor the
`second anonymous address.
`
`[0097] Preferably, at least one other node is also arranged
`to perform the method for combating tracking.
`
`[0098] The privacy level for the mobile transceiver may be
`dependent on the spatial location of the at least one other
`node with respect to the spatial location of the mobile
`transceiver and/or the first time and the second time for the
`at least one other node with respect to the first time and the
`second time for the mobile transceiver.
`
`[0099] The first time and second time for the mobile
`transceiver may be different from the first time and second
`time for the at least one other node.
`
`[0100] Preferably, the privacy level for the mobile trans-
`ceiver is the Geographical Anonymity Set (GAS) of the
`mobile transceiver, which may be calculated the privacy
`level of the mobile transceiver in accordance with equations
`1 to 5 below. The result for equation 2 may be calculated
`according to the pseudo code in table 3.
`
`[0101] The method may further comprise calculating the
`privacy level of the mobile transceiver using the following:
`the Position Privacy Contribution (PPC), the Node Privacy
`Level (NPL) and the System Privacy Level (SPC).
`
`[0102] The second time may be calculated dependent on a
`desired privacy level for the mobile transceiver. The second
`time may be calculated dependent on a desired privacy level
`for the mobile transceiver and a desired privacy level for at
`least one other node with which the mobile transceiver is
`communicating.
`
`[0103] Preferably, the second time is calculated by the
`steps of: determining the number of nodes located in an area
`of known size surrounding the mobile transceiver and in
`which the mobile transceiver is located; assessing the con-
`tribution that each of these nodes makes to a privacy level
`
`Jul. 27,2006
`
`of the mobile transceiver; and determining a duration of a
`silent period for which transmission by the node of a packet
`depending on an anonymous address is to be disabled in
`dependence on the assessed contribution and a desired
`privacy level of the mobile transceiver.
`
`[0104] The method may further comprise the step of
`calculating a node density from the determined number of
`nodes and the area of known size.
`
`[0105] The step of assessing the contribution that each of
`the surrounding nodes makes to a privacy level of the mobile
`transceiver may comprise estimating a relationship between
`the privacy level and the duration of the silent period at the
`calculated node density. The network element may deter-
`mine the duration of the silent period by selecting the
`duration that according to the relationship corresponds to a
`privacy level equal to the desired privacy level.
`
`[0106] According to a second embodiment of the present
`invention, there is provided a network element capable of
`operating in a wireless communication network and of
`communicating with at least one node in the network, the
`network element being arranged to combat tracking of a
`wireless transceiver that forms one of the nodes by the steps
`of: determining the number of nodes located in an area of
`known size surrounding the mobile transceiver and in which
`the mobile transceiver is located; assessing the contribution
`that each of these nodes makes to a privacy level of the
`mobile transceiver; and determining a duration of a silent
`period for which transmission by the node of a packet
`depending on an anonymous address is to be disabled in
`dependence on the assessed contribution and a desired
`privacy level of the mobile transceiver.
`
`[0107] Preferably the network element is arranged to
`calculate a node density from the determined number of
`nodes and the area of known size.
`
`[0108] The network element may be arranged to assess the
`contribution that each of the surrounding nodes makes to a
`privacy level of the mobile transceiver by estimating a
`relationship between the privacy level and the duration of
`the silent period at the calculated node density. Alternatively,
`the network element may be arranged to assess the contri-
`bution that each of the surrounding nodes makes to a privacy
`level of the mobile transceiver by accessing a known rela-
`tionship between the privacy level and the duration of the
`silent period at the calculated node density. The network
`element may be arranged to access the known relationship
`from a memory contained within the network element or
`from a memory external to the network element.
`
`[0109] Preferably the network element determines the
`duration of the silent
`
`a2 Patent Application Publication () Pub. No.: US 2006/0165100 A1
`
`a9y United States
`
`Huang et al.
`
`43) Pub. Date: Jul. 27, 2006
`
`(54) WIRELESS LOCATION PRIVACY
`
`(76) Inventors: Leping Huang, Tokyo (JP); Kauta
`Matsuura, Tokyo (JP); Hiroshi
`Yamane, Tokyo (JP); Kaoru Sezaki,
`Tokyo (JP)
`
`Correspondence Address:
`ROBERT M BAUER, ESQ.
`LACKENBACH SIEGEL, LLP
`1 CHASE ROAD
`SCARSDALE, NY 10583 (US)
`
`(21) Appl. No.: 11/254,981
`(22) Filed: Oct. 20, 2005
`(30) Foreign Application Priority Data
`Oct. 22,2004 (GB) wcevvvevrreeirrerirerisecneinenis 0423529.7
`
`Publication Classification
`
`(51) Int.ClL
`
`HO4L 12/66 (2006.01)
`(52) US.CL oo, 370/400; 370/328; 370/352
`(57) ABSTRACT
`
`A method for combating the tracking of a mobile transceiver,
`the mobile transceiver forming a node in a wireless com-
`munication network which has at least one other node, the
`method comprising the steps for enabling, until a first time,
`the transmission of a radio packet that depends upon a first
`anonymous address; calculating, dependent on a privacy
`level for the mobile transceiver, a second time; enabling,
`from the second time, the transmission of a radio packet that
`depends upon a second anonymous address; and disabling,
`between the first time and the second time, the transmission
`of a radio packet that depends upon either the first anony-
`mous address or the second anonymous address.
`
`Google Exhibit 1013
`Google v. SecCommTech
`
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 1 of 4 US 2006/0165100 A1
`
`F"D'\
`
`s
`Lo
`\\ \3 { e
`W
`3344’:‘;,/’
`LUK
`A5 b
`
`S
`
`r - '
`o @ BOANRY - T
`/’]/E‘E:coam
`F.S-ZB.
`
`1]
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 2 of 4
`
`.
`Sef
`/ 1S
`
`,
`Tl |
`
`T
`
`l PLo¢eseon }'V 51
`
`4 1‘
`] MEMony | A
`—
`
`53 4¢
`
`US 2006/0165100 A1
`
`30
`
`i
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 3 of 4
`
`%
`Z &
`
`(x,y)
`
`Figure 4: illustration of calculating PPC
`
`Silent period va. GAS(accuracy: 9s0.2)
`
`250
`002w
`004 m?
`2| ——ooarm?
`
`00w m?
`——
`
`150! 018 m?
`
`g T 0280 m?
`
`—osim?
`
`Syt
`
`10 15 20
`Silent Period (in seconds)
`
`Figure 6: Silent period vs. GAS
`
`o Conparison of GAS under two acouracies
`o
`!’a
`
`.-'/
`
`] P
`
`e P
`
`[ e
`
`H -
`
`840’ o
`
`3 v
`
`i &
`
`3 e
`
`e
`.'/0/
`;’/ g
`4
`i 10" 10
`
`GAS{accuracy = = 0.05)
`
`Oensity vs. GAS
`
`° 50 200 250 300 350 400
`
`Figure 5: defiSit{'Vs. GAS
`
`pivot period of Silent period{accuracy: 9=0.2)
`
`ooy’
`— 004 m2
`T+ 008/m®
`—4— 000/ m?
`A osarm®
`
`YT 0280 mE
`O o0srm?
`
`™ ue?
`
`01 [ D4 a5
`
`02 .3
`Silent Period (in seconds)
`Figure 7: Pivot effect of silent
`period vs. GAS
`
`Figure 8: scatter plot to compare GAS under different accuracies
`
`US 2006/0165100 A1
`
`
`
`
`
`
`
`
`Patent Application Publication Jul. 27,2006 Sheet 4 of 4 US 2006/0165100 A1
`
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`WIRELESS LOCATION PRIVACY
`
`RELATED APPLICATION
`
`[0001] This application claims priority to UK Patent
`Application No. 0423529.7, filed Oct. 22, 2004, which is
`incorporated herein by reference in its entirety.
`
`BACKGROUND OF THE INVENTION
`
`[0002] The present invention relates to a method for
`combating tracking of a mobile transceiver.
`
`[0003] Recent technological advances in wireless loca-
`tion-tracking present unprecedented opportunities for moni-
`toring the movements of individuals. While such technology
`can support many useful location-based services (LBSs),
`which tailor their functionality to a user’s current location,
`privacy concerns might seriously hamper user acceptance.
`
`[0004] There are currently several efforts researching
`methods to protect users’ location privacy when conducting
`wireless transmission. The main idea of those approaches is
`to protect location privacy by periodically updating the
`nodes” MAC address. However, current solutions may not
`prevent nodes from being tracked as locating technology
`improves and nodes can be more accurately located. Under
`such high precision tracking system, new attacking methods
`using the correlation between old and new MAC address can
`defeat periodical address update methods. Examples of such
`problems and possible solutions are given below.
`
`[0005] According to the current Bluetooth Specification
`(version 1.1), Bluetooth devices, when in discoverable
`mode, always reply to inquiry requests with a FHS packet
`that identifies the unique 48-bit Bluetooth device address of
`the device.
`
`[0006] If a malicious user has access to a widely deployed
`Bluetooth Access Pont network, he can track the positions of
`all Bluetooth devices by repeatedly sending inquiry requests
`and collecting the FHS packets sent in reply. As each FHS
`packet received in reply contains a device’s permanent and
`unique Bluetooth address, the malicious user can track, from
`the received replies, individual devices as they move.
`
`[0007] A malicious user may alternatively intercept (sniff)
`all Bluetooth packets sent over the air.
`
`DESCRIPTION OF THE INVENTION
`
`[0008] To prevent position tracking, there is a current
`proposal to enhance the current Bluetooth specification by
`including an ‘anonymity mode’. The details of this proposal
`are not yet public. However, in anonymity mode, a node uses
`a randomly generated Bluetooth address BD_ADDR (an
`anonymous address) instead of the permanent and unique
`Bluetooth address. Location tracking is combated by regu-
`larly updating the anonymous address.
`
`[0009] According to the ‘anonymity mode’ proposal each
`Bluetooth device has a unique 48-bit Bluetooth device
`address (BD_ADDR_fixed). The address includes a lower
`address part (LAP) of 24 bits, an upper address part (UAP)
`of 8 bits and a non-significant address part of 16 bits. Each
`device also has a 48-bit Bluetooth active device address
`(BD_ADDR), which has the same format as BD_AD-
`DR_ fixed.
`
`Jul. 27,2006
`
`[0010] For non-anonymous devices or for devices that do
`not support anonymity mode, the BD_ADDR equals
`BD_ADDR_fixed and is not updated.
`
`[0011] For devices in anonymous mode, the LAP of the
`BD_ADDR is pseudo-random and is updated frequently.
`The updating depends upon two parameters: the address
`update period (T, ppr_updare) @nd the reserved period for
`inquiry (TAppr_inquiry perioa)- A timer t1 is used to trigger
`address updates and 1s re-started when a new BD_ADDR
`has been generated. A timer t2 is started whenever a
`BD_ADDR is sent in a FHS packet, such as in an inquiry
`response, master page response or master-slave role switch.
`The timer t2 prevents an address update for a critical period
`after sending an FHS packet.
`
`[0012] While t1=T.ppr update OF 2=Tanpr inquiry
`period, then the BD_ADDR is not updated. However, when-
`ever t1>’I‘ADDR7L1pdatf: and t2<’I‘ADDR7inc[uiry period the pro-
`cess for updating BD_ADDR is started.
`
`[0013] The value of T ppr_update €an range between 1
`second and 194 days, but has a default value of 24 hours.
`The value of T ppr_inguiry perioa €20 range between 30 and
`255 seconds, but has a default value of 60 seconds. Thus, if
`the default values are used, the anonymous address is
`updated approximately every 24 hours.
`
`[0014] If an updated address BD_ADDR is generated by
`a Master, all connected devices in the piconet that support
`anonymity mode are informed of the updated address
`BD_ADDR and of a future time at which the Master will
`start to use the updated address.
`
`[0015] The BD_ADDR of a device is used to define a
`hopping sequence, the channel access code (CAC) and
`device access code (DAC) for the device. A change in the
`BD_ADDR changes the DAC and hopping sequence used to
`transmit a FHS packet in response an inquiry request. A
`change in the BD_ADDR of a Master changes the CAC and
`hopping sequence used to transmit packets within the pico-
`net controlled by the Master.
`
`[0016] The periodic updating of the anonymous address is
`intended to prevent location tracking.
`
`[0017] However, the inventor has realized that the cur-
`rently proposed anonymity mode may not necessarily pre-
`vent location tracking.
`
`[0018] The proposal becomes inefficient at combating
`location tracking of a Bluetooth device when there is a low
`density of surrounding Bluetooth devices, when the Blue-
`tooth device moves very slowly and when the position of the
`Bluetooth device can be very accurately determined.
`
`[0019] Although the current proposal for anonymity mode
`may be sufficient for current Bluetooth based positioning
`technology that has a resolution of 1 m, the inventor has
`realized that as location technology improves and Bluetooth
`devices can be accurately located then the current proposal
`for ‘anonymity mode’ may not prevent Bluetooth devices
`being tracked. This is because, as a device can be positioned
`accurately it will be possible to find a strong correlation
`between a trail left by an old anonymous address and that
`left by a new anonymous address. The old and new anony-
`mous addresses can therefore be linked. Such correlation
`becomes easier as the distance between Bluetooth devices
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`increase, the speed of a device decreases and the accuracy
`with which a device can be positioned increases.
`
`DESCRIPTION OF THE DRAWINGS
`
`[0020] FIG. 1 illustrates a piconet 10 that comprises a
`plurality of Bluetooth-enabled radio transceiver devices 2.
`Some of the devices 2 may be mobile. Each device com-
`municates using packets transmitted over a radio commu-
`nication range of approximately 10 m.
`
`[0021] The transceiver devices 2 of the piconet 10 com-
`prise a Master M and a plurality of Slaves S1, S2, S3 and S4.
`The Master M controls the piconet 10. The timing of the
`piconet is based upon the timing of the Master M. The
`frequency-hopping sequence used by the network is based
`upon the BD_ADDR of the Master and the packets sent
`within the piconet have as their synchronization word an
`Access Code derived from the BD_ADDR of the Master M.
`
`[0022] FIG. 2A illustrates the movement of two mobiles
`transceiver devices 2A and 2B. The transceiver device 2A
`changes its anonymous address at each point 12 along its
`path. The new address may be immediately obtained by
`initiating an Inquiry request or by sniffing communications
`by the transceiver device 2A.
`
`[0023] The transceiver device 2B changes its anonymous
`address at each of the points 14 along its path. The new
`address may be immediately obtained by initiating an
`Inquiry request or by sniffing communications by the trans-
`ceiver device 2A.
`
`[0024] It may be possible to associate a first anonymous
`address received from a transceiver device when at position
`P1 with a second anonymous address previously received
`from a transceiver device when at position P2 with the same
`transceiver device because of temporal and/or spatial cor-
`relation. Temporal correlation may be used because the
`period with which transceiver devices change their anony-
`mous addresses may be fixed but different. Spatial correla-
`tion may be used if it is assumed that transceiver devices will
`generally continue in the same direction with the same speed
`as they traveled in the past.
`
`[0025] FIG. 2B illustrates the movement of two mobile
`transceiver devices 2A and 2B.
`
`[0026] The first mobile transceiver 2A enables, until a first
`time 11, the transmission of a radio packet that depends upon
`a first anonymous address BD_ADDR(1). The first mobile
`transceiver 2A enables, from a second time 16, the trans-
`mission of a radio packet that depends upon a second
`anonymous address BD_ADDR(2). The first mobile trans-
`ceiver 2A disables for a transitional silence period 18,
`between the first time 11 and the second time 16, the
`transmission of all radio packets that depend on either the
`first anonymous address BD_ADDR(1) or the second
`anonymous address BD_ADDR(2).
`
`[0027] Although, transmissions are limited between the
`first time and the second time, it is still possible to transmit
`radio packets that do not identify the first transceiver device
`because they depend on neither the first anonymous address
`nor the second anonymous address. This will only be
`possible if the transceiver device is operating as a Slave.
`
`[0028] The transceiver device 2A changes its anonymous
`address at each point 12 along its path. However, for the sake
`
`Jul. 27,2006
`
`of clarity the effect is only illustrated near the intersection of
`the paths of both transceiver devices. The silence period 18
`is illustrated by a break in the path of the device 2A. The
`silence period begins at the first time 11 and ends at a second
`time 16.
`
`[0029] Likewise the second mobile transceiver 2B
`enables, until a third time 15, the transmission of a radio
`packet that depends upon a third anonymous address BD
`ADDR(3). The second mobile transceiver 2B enables, from
`a fourth time 17, the transmission of a radio packet that
`depends upon a fourth anonymous address BD_ADDR(4).
`The first mobile transceiver 2A disables for a transitional
`silence period 19, between the third time 15 and the fourth
`time 17, the transmission of all radio packets that depend on
`either the third anonymous address BD_ADDR(3) or the
`fourth anonymous address BD_ADDR(4).
`
`[0030] Although, transmissions are limited between the
`third time and the fourth time, it is still possible to transmit
`radio packets that cannot identify the transceiver device
`because they depend on neither the third anonymous address
`nor the second anonymous address. This will only be
`possible if the transceiver device is operating as a Slave.
`
`[0031] The transceiver device 2B changes its anonymous
`address at each point 12 along its path. However, for the sake
`of clarity the effect is only illustrated near the intersection of
`the paths of both transceiver devices. The silence period 19
`is illustrated by a break in the path of the device 2B. The
`silence period begins at the first time 15 and ends at a second
`time 17.
`
`[0032] The silent transitional periods introduce ambiguity
`into any determination of the time and/or place at which a
`change of anonymous address occurred. This makes it more
`difficult to associate two separately received anonymous
`addresses with the same transceiver device because the
`silence periods disrupt temporal and/or spatial correlation.
`
`[0033] A transmission of a radio packet may depend upon
`an anonymous address when:
`
`[0034] a) it includes the anonymous address
`
`[0035] b) it includes a synchronization word based upon
`the anonymous address such a Common Access Code
`(CAC) or Device Access Code (DAC).
`
`[0036] c) it uses a frequency from a frequency-hopping-
`sequence based upon the anonymous address, for example
`when an FHS packet is sent by a Slave.
`
`[0037] d) itis a L2CAP link establishment packet
`
`[0038] Thus disabling during the silent transitional period
`may prevent:
`
`[0039] (i) the transmission of FHS packets between the
`first time and the second time
`
`[0040] (ii) the mobile transceiver performing an inquiry
`scan or replying to an inquiry request between the first
`time and the second time
`
`[0041] (iii) the mobile transceiver performing a page scan
`or replying to a page request between the first time and the
`second time
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`Synchronized Network
`
`[0042] The first transceiver device 2A and the second
`transceiver device 2B of FIG. 2B may be time synchronized
`to a common time reference. The first time and the third time
`correspond to the same first common time, and the second
`time and the fourth time correspond to the same second
`common time.
`
`[0043] The time duration between the first common time
`and the second common time is adjustable. The adjustment
`is preferably automatic and may be dependent upon:
`
`[0044] a) a measure of the separation of the mobile
`transceivers
`
`[0045] b) a measure of the accuracy with which a mobile
`transceiver can be located
`
`[0046] c¢) a measure of the speed with which a mobile
`transceiver moves
`
`[0047] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`[0048] The measure of the separation of the plurality of
`the mobile transceivers may be obtained automatically from
`one or more inquiry requests, which will identify the number
`of radio transceiver devices that are within communication
`range.
`
`[0049] The measure of the accuracy with which a mobile
`transceiver can be located may be remotely configurable by,
`for example, a data download. It will also depend upon the
`technology used for location e.g. triangulation, GPS etc.
`
`[0050] The time duration T between the first common time
`and the second common time, is such that T=(d-4* e)/2v,
`where d is a minimum separation in meters between the
`transceiver device and its neighboring transceiver devices, e
`is the error in meters associated with the technology used for
`locating the transceiver device and v is the average recti-
`linear velocity of the transceiver device. A pedestrian typi-
`cally moves with a velocity of 6 km/h, whereas a car may
`move with a velocity of 60 km/h.
`
`Unsynchronized Network
`
`[0051] The first transceiver device 2A and the second
`transceiver device 2B of FIG. 2B may not be time synchro-
`nized. Each transceiver device has its own local time refer-
`ence. In this case the first time and the third time are
`independent and the second time and the fourth time are
`independent.
`
`[0052] The difference between the first (local) time and the
`second (local) time may comprise a calculated minimum
`period and an independent, randomly generated period.
`
`[0053] The minimum period is calculated in dependence
`upon:
`
`[0054] a) a measure of the separation between the first
`mobile transceiver 2A and its neighboring mobile trans-
`ceivers
`
`[0055] b) a measure of the accuracy with which the first
`mobile transceiver 2A can be located
`
`[0056] c¢) a measure of the speed with which the first
`mobile transceiver 2A moves
`
`Jul. 27,2006
`
`[0057] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`[0058] The measure of the separation may be obtained
`automatically from one or more inquiry requests, which will
`identify the number of radio transceiver devices that are
`within communication range.
`
`[0059] The measure of the accuracy with which a mobile
`transceiver can be located may be remotely configurable by,
`for example, a data download. It will also depend upon the
`technology used for location e.g. triangulation, GPS etc.
`
`[0060] The minimum period T1, is such that T1=(d-4*
`e)/2v, where d is an average separation in meters between the
`first transceiver device 2A and its neighboring transceiver
`devices, e is the error in meters associated with the tech-
`nology used for locating the first transceiver device 2A and
`v is the average rectilinear velocity of the first transceiver
`device 2A.
`
`[0061] The value of T,ppr updates that is the frequency
`with which anonymous address of the first transceiver
`device 2A is changed, may also be automatically adjustable.
`The adjustment may dependent upon:
`
`[0062] a) a measure of the separation between the first
`mobile transceiver 2A and its neighboring mobile trans-
`ceivers
`
`[0063] b) a measure of the accuracy with which the first
`mobile transceiver 2A can be located
`
`[0064] c) a measure of the speed with which the first
`mobile transceiver 2A moves
`
`[0065] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`[0066] The measure of the separation may be obtained
`automatically from one or more inquiry requests, which will
`identify the number of radio transceiver devices that are
`within communication range.
`
`[0067] The measure of the accuracy with which a mobile
`transceiver can be located may be remotely configurable by,
`for example, a data download. It will also depend upon the
`technology used for location e.g. triangulation, GPS etc.
`
`[0068] The difference between third (local) time and the
`fourth (local) time also comprises a calculated minimum
`period and an independent, randomly generated period.
`
`[0069] The minimum period is calculated in dependence
`upon:
`
`[0070] a) a measure of the separation between the second
`mobile transceiver 2B and its neighboring mobile trans-
`ceivers
`
`[0071] b)a measure of the accuracy with which the second
`mobile transceiver 2B can be located
`
`[0072] c) a measure of the speed with which the second
`mobile transceiver 2B moves
`
`[0073] Each of these measures may be user configurable.
`The user may either enter a value for the measure or select
`a pre-defined measure.
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`[0074] The minimum period T1, is such that T1=(d-4%e)/
`2v, where d is an average separation in meters between the
`second transceiver device 2B and its neighboring transceiver
`devices, e is the error in meters associated with the tech-
`nology used for locating the second transceiver device 2B
`and v is the average rectilinear velocity of the second
`transceiver device 2B.
`
`[0075] The value of T,ppr ypaares that is the frequency
`with which anonymous address of the second transceiver
`device 2B is changed, may also be automatically adjustable.
`The adjustment may dependent upon:
`
`[0076] a) a measure of the separation between the second
`mobile transceiver 2B and its neighboring mobile trans-
`ceivers
`
`[0077] b)a measure of the accuracy with which the second
`mobile transceiver 2B can be located
`
`[0078] c¢) a measure of the speed with which the second
`mobile transceiver 2B moves
`
`[0079] FIG. 3 illustrates an example of a typical Bluetooth
`enabled radio transceiver device 30. The transceiver device
`30 comprises a processor 32, a radio transceiver 34, a clock
`36, a memory 38 and a user interface 40, which includes a
`display 42 and a keypad 44 for user input. It should be
`appreciated that this illustration is only a schematic.
`
`[0080] The processor 32 is connected to each of the radio
`transceiver 34, clock 36, memory 38 and user interface 40.
`
`[0081] The processor uses the clock 36 to maintain a timer
`t, which is used to control the silent transitional period 18,
`19.
`
`[0082] The memory 38 stores computer program instruc-
`tions, which when loaded into the processor 32 enable it to
`perform the methods described above.
`
`[0083] The transceiver device 30 may park the Slaves in
`the piconet if the silent transitional period will exceed the
`Link_Supervision timeout period i.e. the maximum period
`for which there can be no communication on a link without
`it being assumed that the link has been lost.
`
`[0084] Although the above examples have been described
`in relation to a Bluetooth low power radio frequency net-
`work, they may be used in other radio networks where it is
`desirable to combat the tracking of devices and/or users, for
`example, to mobile cellular telecommunication networks.
`
`[0085] Through our previous research, we noticed that
`there is a quantitative measure missing in the latest location
`privacy protection researches. Current algorithms realize
`their effectiveness of location privacy protection with the
`cost of service degradation and/or out-of-service period. In
`other words, there is a tradeoff between service quality and
`privacy level a system can provide. Because current research
`lacks a quantitative measure for wireless location privacy
`level, the system designer cannot determine the parameters
`of those algorithms based on users’ privacy and service
`quality needs. Consequently, this restricts the feasibility of
`many location privacy protection algorithms.
`
`[0086] There are many important privacy related works in
`the anonymous communication research area. Several quan-
`titative measures are also used in these proposals. From
`these, the size of the anonymity set defined by Chaum
`
`Jul. 27,2006
`
`(David Chaum, “The Dining Cryptographers Problem:
`Unconditional Sender and Recipient Untraceability”, .
`Cryptol., vol. 1, pp. 65-75, 1988) is one of the most widely
`used to measure the anonymity of the Dining Cryptogra-
`pher’s (DC) network. The anonymity set is defined as the set
`of participants who may have sent a particular message, as
`seen by a global observer that also compromises a set of
`nodes. Recently, Serjantov et al. (Andrei Serjantov and
`George Danezis: “Towards an Information Theoretic Metric
`for Anonymity”, Proceedings of the Workshop on Privacy
`Enhancing Technologies (PET) 2002, LNCS 2482, 41-53,
`Springer-Verlag, 2003) and Diaz et al. (Claudia Diaz, Ste-
`faan Seys, Joris Claessens, and Bart Preneel: “Towards
`Measuring Anonymity”, Proceedings of the Workshop on
`Privacy Enhancing Technologies (PET) 2002, LNCS 2482,
`54-68, Springer-Verlag, 2003) have independently proposed
`an information theoretic model to measure the degree of
`anonymity of such a system. These papers identify that not
`all nodes involved in anonymous communication contribute
`same degree of anonymity to the system. The size of
`anonymity set cannot precisely describe the degree of ano-
`nymity a system provides. These papers therefore take into
`account the probability of a user sending and/or receiving a
`message and propose the use of entropy of all users’
`probabilities of sending and/or receiving message as the
`measure of anonymous system.
`
`[0087] Current location privacy protection algorithms lack
`a general quantitative measure. This problem causes diffi-
`culties in evaluating the feasibility of proposals and in
`implementing the algorithm in real systems. Therefore, there
`is aneed to fill in this missing part in current location privacy
`protection research
`
`[0088] Embodiments of the present invention introduce a
`new measure called the geographical anonymity set (GAS)
`to fill in the missing part in the location privacy protection
`area. The proposed measure can be used to evaluate most of
`the location privacy protection methods that are based on
`periodical address updates. The GAS measure is evaluated
`using the “silent period” method of location privacy protec-
`tion described above.
`
`[0089] According to a first embodiment of the present
`invention, there is provided a method for combating the
`tracking of a mobile transceiver, the mobile transceiver
`forming a node in a wireless communication network which
`has at least one other node, the method comprising the steps
`of enabling, until a first time, the transmission of a radio
`packet that depends upon a first anonymous address, calcu-
`lating, dependent on a privacy level for the mobile trans-
`ceiver, a second time, enabling, from the second time, the
`transmission of a radio packet that depends upon a second
`anonymous address and disabling, between the first time and
`the second time, the transmission of a radio packet that
`depends upon either the first anonymous address or the
`second anonymous address.
`
`[0090] Preferably, the second time is after the first time.
`
`[0091] Preferably, the mobile transceiver has a unique
`identity in the wireless communication network and the first
`anonymous address and second anonymous address are
`independent of that identity.
`
`[0092] The method may further comprise the steps of:
`randomly generating at least a portion of the first anonymous
`
`
`
`
`
`
`
`
`US 2006/0165100 A1
`
`address before enabling the transmission of a radio packet
`that depends upon the first anonymous address and ran-
`domly generating at least a portion of the second anonymous
`address before enabling the transmission of a radio packet
`that depends upon the second anonymous address.
`
`[0093] Preferably, the step of disabling comprises dis-
`abling between the first time and the second time, the
`transmission of all radio packets that depend on either the
`first anonymous address or the second anonymous address.
`
`[0094] Typically, a radio packet depends upon an anony-
`mous address when it includes the anonymous address.
`Alternatively, transmission of a radio packet may depend
`upon an anonymous address when it includes a synchroni-
`zation word based upon the anonymous address, when it
`uses a frequency from a frequency-hopping-sequence based
`upon the anonymous address or when it is a L2CAP link
`establishment packet.
`
`[0095] The step of disabling may prevent the transmission
`of FHS packets between the first time and the second time,
`may prevent the mobile transceiver replying to an inquiry
`request between the first time and the second time or may
`prevent the mobile transceiver replying to a page request
`between the first time and the second time.
`
`[0096] The method may further comprise transmitting,
`between the first time and the second time, radio packets that
`depend on neither the first anonymous address nor the
`second anonymous address.
`
`[0097] Preferably, at least one other node is also arranged
`to perform the method for combating tracking.
`
`[0098] The privacy level for the mobile transceiver may be
`dependent on the spatial location of the at least one other
`node with respect to the spatial location of the mobile
`transceiver and/or the first time and the second time for the
`at least one other node with respect to the first time and the
`second time for the mobile transceiver.
`
`[0099] The first time and second time for the mobile
`transceiver may be different from the first time and second
`time for the at least one other node.
`
`[0100] Preferably, the privacy level for the mobile trans-
`ceiver is the Geographical Anonymity Set (GAS) of the
`mobile transceiver, which may be calculated the privacy
`level of the mobile transceiver in accordance with equations
`1 to 5 below. The result for equation 2 may be calculated
`according to the pseudo code in table 3.
`
`[0101] The method may further comprise calculating the
`privacy level of the mobile transceiver using the following:
`the Position Privacy Contribution (PPC), the Node Privacy
`Level (NPL) and the System Privacy Level (SPC).
`
`[0102] The second time may be calculated dependent on a
`desired privacy level for the mobile transceiver. The second
`time may be calculated dependent on a desired privacy level
`for the mobile transceiver and a desired privacy level for at
`least one other node with which the mobile transceiver is
`communicating.
`
`[0103] Preferably, the second time is calculated by the
`steps of: determining the number of nodes located in an area
`of known size surrounding the mobile transceiver and in
`which the mobile transceiver is located; assessing the con-
`tribution that each of these nodes makes to a privacy level
`
`Jul. 27,2006
`
`of the mobile transceiver; and determining a duration of a
`silent period for which transmission by the node of a packet
`depending on an anonymous address is to be disabled in
`dependence on the assessed contribution and a desired
`privacy level of the mobile transceiver.
`
`[0104] The method may further comprise the step of
`calculating a node density from the determined number of
`nodes and the area of known size.
`
`[0105] The step of assessing the contribution that each of
`the surrounding nodes makes to a privacy level of the mobile
`transceiver may comprise estimating a relationship between
`the privacy level and the duration of the silent period at the
`calculated node density. The network element may deter-
`mine the duration of the silent period by selecting the
`duration that according to the relationship corresponds to a
`privacy level equal to the desired privacy level.
`
`[0106] According to a second embodiment of the present
`invention, there is provided a network element capable of
`operating in a wireless communication network and of
`communicating with at least one node in the network, the
`network element being arranged to combat tracking of a
`wireless transceiver that forms one of the nodes by the steps
`of: determining the number of nodes located in an area of
`known size surrounding the mobile transceiver and in which
`the mobile transceiver is located; assessing the contribution
`that each of these nodes makes to a privacy level of the
`mobile transceiver; and determining a duration of a silent
`period for which transmission by the node of a packet
`depending on an anonymous address is to be disabled in
`dependence on the assessed contribution and a desired
`privacy level of the mobile transceiver.
`
`[0107] Preferably the network element is arranged to
`calculate a node density from the determined number of
`nodes and the area of known size.
`
`[0108] The network element may be arranged to assess the
`contribution that each of the surrounding nodes makes to a
`privacy level of the mobile transceiver by estimating a
`relationship between the privacy level and the duration of
`the silent period at the calculated node density. Alternatively,
`the network element may be arranged to assess the contri-
`bution that each of the surrounding nodes makes to a privacy
`level of the mobile transceiver by accessing a known rela-
`tionship between the privacy level and the duration of the
`silent period at the calculated node density. The network
`element may be arranged to access the known relationship
`from a memory contained within the network element or
`from a memory external to the network element.
`
`[0109] Preferably the network element determines the
`duration of the silent
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
