Lin Yao,Chi Lin,Xiangwei Kong,Feng Xia,Guowei Wu

DOI: https://doi.org/10.1109/GreenCom-CPSCom.2010.109

2010-01-01

Abstract:In pervasive computing environments, Location-Based Services (LBSs) are becoming increasingly important due to continuous advances in mobile networks and positioning technologies. Nevertheless, the wide deployment of LBSs can jeopardize the location privacy of mobile users. Consequently, providing safeguards for location privacy of mobile users against being attacked is an important research issue. In this paper a new scheme for safeguarding location privacy is proposed. Our approach supports location K-anonymity for a wide range of mobile users with their own desired anonymity levels by clustering. The whole area of all users is divided into clusters recursively in order to get the Minimum Bounding Rectangle (MBR). The exact location information of a user is replaced by his MBR. Privacy analysis shows that our approach can achieve high resilience to location privacy threats and provide more privacy than users expect. Complexity analysis shows clusters can be adjusted in real time as mobile users join or leave. Moreover, the clustering algorithms possess strong robustness.

Yanzhe Che,Qinming He,Xiaoyan Hong,Kevin Chiew

DOI: https://doi.org/10.1002/dac.2650

2013-01-01

International Journal of Communication Systems

Abstract:While enjoying various LBS location-based services, users also face the threats of location privacy disclosure. This is because even if the communications between users and LBS providers can be encrypted and anonymized, the sensitive information inside LBS queries may disclose the exact location or even the identity of a user. The existing research on location privacy preservation in mobile peer-to-peer P2P networks assumed that users trust each other and directly share location information with each other. Nonetheless, this assumption is not practical for most of the mobile P2P scenarios, for example, an adversary can pretend to be a normal user and collect the locations of other users. Aiming at this issue, this paper presents x-region as a solution to preserve the location privacy in a mobile P2P environment where no trust relationships are assumed amongst mobile users. The main idea is to allow users to share a blurred region known as x-region instead of their exact locations so that one cannot distinguish any user from others inside the region. We propose a theoretical metric for measuring the anonymity property of x-region, together with three algorithms for generating an x-region, namely, benchmark algorithm, weighted expanding algorithm, and aggressive weighted expanding algorithm. These algorithms achieve the anonymity and QoS requirements with different strategies. Our experiments verify the performance of the algorithms against three key metrics. Copyright © 2013 John Wiley & Sons, Ltd.

Rongxing Lu,Xiaodong Lin,Zhiguo Shi,Jun Shao

DOI: https://doi.org/10.1109/infocom.2014.6848003

2014-01-01

Abstract:In this paper, we propose a privacy-preserving framework, called PLAM, for local-area mobile social networks. The proposed PLAM framework employs a privacy-preserving request aggregation protocol with k-Anonymity and l-Diversity properties while without involving a trusted anonymizer server to keep user preference privacy when querying location-based service (LBS), and integrates unlinkable pseudo-ID technique to achieve user identity privacy, location privacy. Moreover, the proposed PLAM framework also introduces the privacy-preserving and verifiable polynomial computation to keep LBS provider's functions private while preventing the provider from cheating in computation. Detailed security analysis shows that the proposed PLAM framework can not only achieve desirable privacy requirements but also resist outside attacks on source authentication, data integrity and availability. In addition, extensive simulations are also conducted, and simulation results guide us on how to set proper thresholds for k-anonymity, l-diversity to make a tradeoff between the desirable user preference privacy level and the request delay in different scenarios.

Bo Wang,Hongtao Li,Yina Guo,Xiaoyu Ren 

DOI: https://doi.org/10.3390/s23115219

IF: 3.9

2023-05-31

Sensors

Abstract:Location-based services (LBS) are widely used due to the rapid development of mobile devices and location technology. Users usually provide precise location information to LBS to access the corresponding services. However, this convenience comes with the risk of location privacy disclosure, which can infringe upon personal privacy and security. In this paper, a location privacy protection method based on differential privacy is proposed, which efficiently protects users’ locations, without degrading the performance of LBS. First, a location-clustering (L-clustering) algorithm is proposed to divide the continuous locations into different clusters based on the distance and density relationships among multiple groups. Then, a differential privacy-based location privacy protection algorithm (DPLPA) is proposed to protect users’ location privacy, where Laplace noise is added to the resident points and centroids within the cluster. The experimental results show that the DPLPA achieves a high level of data utility, with minimal time consumption, while effectively protecting the privacy of location information.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Fengwei Wang,Hui Zhu,Rongxing Lu,Fen Liu,Cheng Huang,Hui Li

DOI: https://doi.org/10.1109/jiot.2017.2766701

2018-01-01

Abstract:With the pervasiveness of location-aware mobile terminals and the popularity of social applications, location-based social networking service (LBSNS) has brought great convenience to people's life. Meanwhile, proximity detection, which makes LBSNS more flexible, has aroused widespread concern. However, the prosperity of LBSNS still faces many severe challenges on account of users' location privacy and data security. In this paper, we propose two efficient and privacy-preserving proximity detection schemes, named arbitrary geometric range query for polygons (AGRQ-P) and arbitrary geometric range query for circles (AGRQ-C), for location-based social applications. With proposed schemes, a user can choose any area on the map, and query whether her/his friends are within the region without divulging the query information to both social application servers and other users, meanwhile, the accurate locations of her/his friends are also confidential for the servers and the query user. Specifically, with algorithms based on ciphertext of geometric range query, users' query and location information is blurred into ciphertext in client, thus no one but the user knows her/his own sensitive information. Detailed security analysis shows that various security threats can be defended. In addition, the proposed schemes are implemented in an IM APP with a real LBS dataset, and extensive simulation results over smart phones further demonstrate that AGRQ-P and AGRQ-C are highly efficient and can be implemented effectively.

Yan-zhe Che,Kevin Chiew,Xiao-yan Hong,Qiang Yang,Qin-ming He

DOI: https://doi.org/10.1631/jzus.c1200267

2013-01-01

Abstract:Various solutions have been proposed to enable mobile users to access location-based services while preserving their location privacy. Some of these solutions are based on a centralized architecture with the participation of a trustworthy third party, whereas some other approaches are based on a mobile peer-to-peer （P2P） architecture. The former approaches suffer from the scalability problem when networks grow large, while the latter have to endure either low anonymization success rates or high communication overheads. To address these issues, this paper deals with an enhanced dual-active spatial cloaking algorithm （EDA） for preserving location privacy in mobile P2P networks. The proposed EDA allows mobile users to collect and actively disseminate their location information to other users. Moreover, to deal with the challenging characteristics of mobile P2P networks, e.g., constrained network resources and user mobility, EDA enables users （1） to perform a negotiation process to minimize the number of duplicate locations to be shared so as to significantly reduce the communication overhead among users, （2） to predict user locations based on the latest available information so as to eliminate the inaccuracy problem introduced by using some out-of-date locations, and （3） to use a latest-record-highest-priority （LRHP） strategy to reduce the probability of broadcasting fewer useful locations. Extensive simulations are conducted for a range of P2P network scenarios to evaluate the performance of EDA in comparison with the existing solutions. Experimental results demonstrate that the proposed EDA can improve the performance in terms of anonymity and service time with minimized communication overhead.

Hongtao Li,Yue Wang,Feng Guo,Jie Wang,Bo Wang,Chuankun Wu

DOI: https://doi.org/10.1155/2021/4696455

2021-06-30

Wireless Communications and Mobile Computing

Abstract:Location-based services (LBS) have become an important research area with the rapid development of mobile Internet technology, GPS positioning technology, and the widespread application of smart phones and social networks. LBS can provide convenience and flexibility for the users’ daily life, but at the same time, it also brings security risks to the users’ privacy. Untrusted or malicious LBS servers can collect users’ location data through various ways and disclose it to the third party, thus causing users’ privacy leakage. In this paper, a differential privacy location protection method based on the Markov model for user’s location privacy is proposed. Firstly, the transition probability matrix between states of the n -order Markov model is used to predict the occurrence state and development trend of events; thereby, the user’s location is predicted, and then a location prediction algorithm based on the Markov model (LPAM) is proposed. Secondly, a location protection algorithm based on differential privacy (LPADP) is proposed, in which location privacy tree (LPT) is constructed according to the location data and the difficulty of retrieval, the two nodes with the largest predicted value of LPT are allocated with a reasonable privacy budget, and Laplace noise is added to protect location privacy. Theoretical analysis and experimental results show that the proposed method not only meets the requirements of differential privacy and protects location privacy effectively but also has high data availability and low time complexity.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chao Huang,Fengli Xu,Yong Li,Xinlei Chen,Pei Zhang

DOI: https://doi.org/10.1145/3274783.3275164

2018-01-01

Abstract:Location-aware mobile crowdsourcing tasks like urban sensing always require exposing users' location, which lead to serious privacy breaches. In this poster, we propose a locally differentially private participants recruitment system to maximize spatial coverage of the mobile crowdsourcing task while preserving location privacy. Based on the mechanism of randomized response, our system preserves the privacy in a local way, which eliminates the need for a trusted server. With guaranteed location privacy protection, a heuristic algorithm is proposed to solve the maximum spatial coverage problem efficiently given the obfuscated reports. Extensive experiments on real-world user trajectories demonstrate the feasibility of our proposed system, which improves the spatial coverage by more than 10% on average compared with the state-of-the-art solutions.

Lichun Li,Rongxing Lu,Cheng Huang

DOI: https://doi.org/10.1109/jiot.2015.2469605

IF: 10.6

2015-01-01

IEEE Internet of Things Journal

Abstract:With the pervasiveness of smart phones, location-based services (LBS) have received considerable attention and become more popular and vital recently. However, the use of LBS also poses a potential threat to user's location privacy. In this paper, aiming at spatial range query, a popular LBS providing information about points of interest (POIs) within a given distance, we present an efficient and privacy-preserving location-based query solution, called EPLQ. Specifically, to achieve privacy-preserving spatial range query, we propose the first predicate-only encryption scheme for inner product range (IPRE), which can be used to detect whether a position is within a given circular area in a privacy-preserving way. To reduce query latency, we further design a privacy-preserving tree index structure in EPLQ. Detailed security analysis confirms the security properties of EPLQ. In addition, extensive experiments are conducted, and the results demonstrate that EPLQ is very efficient in privacy-preserving spatial range query over outsourced encrypted data. In particular, for a mobile LBS user using an Android phone, around 0.9 s is needed to generate a query, and it also only requires a commodity workstation, which plays the role of the cloud in our experiments, a few seconds to search POIs.

Cheng Huang,Dongxiao Liu,Anjia Yang,Rongxing Lu,Xuemin Shen

DOI: https://doi.org/10.1109/tmc.2024.3366340

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:In this paper, we propose a privacy-preserving range-based positioning scheme, named PPRP, which can preserve the location privacy of both user equipment (UE) and anchors (ACs) in mobile networks. Specifically, PPRP is established on a decentralized trust-based framework that divides trust between two location management function (LMF) servers. With such a framework, UE and ACs are allowed to securely upload their range/range-difference measurement data to LMF servers using lightweight additive secret sharing techniques (ASS) instead of cumbersome cryptographic operations. Then, PPRP takes secret-shared measurement data as inputs and decomposes UE's location estimation procedures into secure two-party matrix computation sub-protocols, which are elaborately crafted using somewhat homomorphic encryption and randomization techniques to ensure both efficiency and privacy preservation in positioning. Furthermore, to mitigate the negative effects arising from non-line-of-sight (NLoS) ACs, PPRP achieves privacy-preserving residual-based NLoS analysis. To this end, we additionally propose a series of secure two-party sub-protocols to support various non-linear functions, including comparison, division, square root computation, oblivious shuffle and sorting. These sub-protocols serve as fundamental modules that can be effectively combined to perform sophisticated operations of NLoS analysis in a privacy-preserving manner. A comprehensive simulation-based security analysis demonstrates that PPRP can achieve location privacy preservation. Finally, we develop a proof-of-concept prototype and conduct extensive experiments to show PPRP's high performance in terms of positioning accuracy, computational efficiency, and communication complexity.

Xingxing Xiong,Shubo Liu,Dan Li,Zhaohui Cai,Xiaoguang Niu

DOI: https://doi.org/10.1016/j.jisa.2020.102633

IF: 4.96

2020-12-01

Journal of Information Security and Applications

Abstract:<p>Technology and usage advances in wireless communication and smart mobile devices with localization capabilities enable a large number of emerging applications of location-based services, e.g. mobile crowdsourcing applications, which are facilitating our daily life. However, collecting and sharing location data to service providers of applications will give rise to mobile users' concerns on their privacy, especially location privacy. In this paper, we investigate the problem of real-time spatio-temporal data aggregation with privacy preservation in the local setting. In response to this, we propose a systematic solution based on stringent local differential privacy preservation technique to deal with the problem. Firstly, we introduce a novel definition of (ε,  δ)-local differential privacy with the ability to capture the temporal correlation in spatio-temporal data and provide differential privacy preservation. Secondly, we develop an efficient framework of generalized randomized response (GRR) based real-time and private spatio-temporal data aggregation with an untrusted server. Finally, we conduct experiments on two real-world datasets to evaluate our framework. The results show that our GRR based framework significantly outperforms that based on PIM and LRM in data utility and demonstrate its superiority to achieve better trade-off of privacy and utility for real-time spatio-temporal data aggregation with stringent privacy preservation.</p>

computer science, information systems

Kah Meng Chong,Amizah Malip

DOI: https://doi.org/10.1016/j.comnet.2024.110214

IF: 5.493

2024-01-31

Computer Networks

Abstract:With the development of Intelligent Transportation Systems (ITS), a vast amount of location data is being generated from various IoT devices equipped with location positioning sensors. Preserving the privacy of location data release is a critical concern, as the publication of aggregated data often reveals private information about the users. Differential Privacy (DP) has recently emerged as a robust framework to guarantee privacy in this context. However, conventional DP mechanisms commonly make no assumption about the distribution of the input data, which could lead to unexpected privacy leakage if the data are correlated. In this paper, we investigate the complex simultaneous impact of user correlation, spatial–temporal correlation and prior knowledge of an adversary on the privacy leakage of a DP mechanism, which has not been addressed in prior work. We derive several closed-form expressions that demonstrate and quantify the privacy leakage under correlated location data, followed by the design of efficient algorithms to compute such privacy leakage. Then, we propose a Δ -CDP (Correlated Differential Privacy) to provide a formal privacy guarantee against the additional privacy leakage incurred by these factors. Extensive comparisons, theoretical analysis, and experimental simulations are presented to validate the correctness and efficiency of the proposed work.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Kashif Sharif

2018-01-01

Abstract:Recent advances in Socially Aware Networks (SANs) have allowed its use in many domains, out of which social Internet of vehicles (SIOV) is of prime importance. SANs can provide a promising routing and forwarding paradigm for SIOV by using interest-based communication. Though able to improve the forwarding performance, existing interest-based schemes fail to consider the important issue of protecting usersu0027 interest information. In this paper, we propose a PRivacy-preserving Interest-based Forwarding scheme (PRIF) for SIOV, which not only protects the interest information, but also improves the forwarding performance. We propose a privacy-preserving authentication protocol to recognize communities among mobile nodes. During data routing and forwarding, a node can know othersu0027 interests only if they are affiliated with the same community. Moreover, to improve forwarding performance, a new metric {em community energy} is introduced to indicate vehicular social proximity. Community energy is generated when two nodes encounter one another and information is shared among them. PRIF considers this energy metric to select forwarders towards the destination node or the destination community. Security analysis indicates PRIF can protect nodesu0027 interest information. In addition, extensive simulations have been conducted to demonstrate that PRIF outperforms the existing algorithms including the BEEINFO, Epidemic, and PRoPHET.

Haina Song,Hua Shen,Nan Zhao,Zhangqing He,Minghu Wu,Wei Xiong,Mingwu Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103517

IF: 5.105

2024-01-01

Computers & Security

Abstract:Local differential privacy (LDP) enables terminal participants to share their private data safely while controlling the privacy disclosure at the source. In the majority of current works, they assumed that the privacy preservation parameter is totally determined by the data collector and then dispatched to all participants in mobile crowdsensing. However, in the real world, due to different privacy preferences of participants, it is inelegant and unpromising for all participants to accept the same privacy preservation level during data collection. To address such issue, an adaptive personalized local differential privacy (APLDP) data collection scheme is proposed to realize personalized privacy preservation while achieving higher data utility, in which two different LDP perturbation methods (basic RAPPOR and k-RR) are adaptively chosen by the participants according to their different privacy preferences, as well as the best perturbation probability is adaptively adopted by the participants to perturb their private data. In such case, the adaptive boundary based on the minimum mean square error (MSE) is theoretically derived to allow the participant to adaptively choose the best perturbation method, and meanwhile, it allows the participant to adaptively choose the best perturbation probability. Then, two estimation mergence methods named the direct combination (DC) and the weighted combination (WC) are demonstrated to do efficient data aggregation. Experiments on both synthetic and real data sets show that the proposed APLDP scheme performs better than previous non-personalized proposals in terms of the MSE and the average error rate (AER), especially using WC estimation method.

computer science, information systems

Qiong Zhang,Taochun Wang,Yuan Tao,Nuo Xu,Fulong Chen,Dong Xie

DOI: https://doi.org/10.1016/j.adhoc.2024.103464

IF: 4.816

2024-03-06

Ad Hoc Networks

Abstract:With the widespread popularity of smart phones, watches and other devices, mobile crowdsensing (MCS) has gradually entered the public's field of vision. However, the widespread use of MCS technology is accompanied by an increasing risk of workers' personal privacy being violated. Typically, workers are required to submit location information in order to participate in task assignments, and the privacy of a worker's location information is a key factor in determining worker participation. Therefore, in order to solve the problem of workers location privacy leakage in the process of task allocation, this paper proposes a location privacy protection method based on local differential privacy (VLDPP). VLDPP constructs a task map based on Voronoi diagram according to the task location, and each task location is mapped into a task area to hide the task location. A local coordinate system is constructed based on the task area, and all workers in the area have their relative location coordinates recalculated and encoded, and then the encoding is perturbed by local differential privacy, thus ensuring workers location privacy. The worker uploads the perturbed location information to the server, which determines the workers in the task by calculating the worker's acceptance rate and completes the task allocation. In addition, this paper improves the availability of perturbed worker location information by dividing the task area at a secondary level. This paper uses the internationally recognized World Check-In Gowalla dataset for experimental evaluation, which shows that the proposed method has good performance in terms of data availability and efficiency, providing adequate privacy guarantees.

computer science, information systems,telecommunications

Liang Yan,Lei Li,Xuejiao Mu,Hao Wang,Xian Chen,Hyoseop Shin

DOI: https://doi.org/10.3390/s23042121

IF: 3.9

2023-02-16

Sensors

Abstract:With the rapid development of intelligent mobile terminals and communication technologies, location-based services (LBSs) have become an essential part of users' lives. LBS providers upload and share the collected users' location data. The more commonly used methods for location privacy protection are differential privacy and its extensions. However, the semantic information about location, which is an integral part of the location data, often contains sensitive user information. Most existing research methods have failed to pay enough attention to protecting the semantic information in the location data. To remedy this problem, two different scenarios for location semantic privacy protection methods are proposed in this paper to address single-point and continuous location queries. Simulation experiments on real social location check-in datasets, and comparison of three different privacy protection mechanisms, show that our solution demonstrates good service quality and privacy protection considering location semantics.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ammar Haydari,Chen-Nee Chuah,Michael Zhang,Jane Macfarlane,Sean Peisert

DOI: https://doi.org/10.48550/arXiv.2112.08487

2024-01-15

Abstract:Location data is collected from users continuously to understand their mobility patterns. Releasing the user trajectories may compromise user privacy. Therefore, the general practice is to release aggregated location datasets. However, private information may still be inferred from an aggregated version of location trajectories. Differential privacy (DP) protects the query output against inference attacks regardless of background knowledge. This paper presents a differential privacy-based privacy model that protects the user's origins and destinations from being inferred from aggregated mobility datasets. This is achieved by injecting Planar Laplace noise to the user origin and destination GPS points. The noisy GPS points are then transformed into a link representation using a link-matching algorithm. Finally, the link trajectories form an aggregated mobility network. The injected noise level is selected using the Sparse Vector Mechanism. This DP selection mechanism considers the link density of the location and the functional category of the localized links. Compared to the different baseline models, including a k-anonymity method, our differential privacy-based aggregation model offers query responses that are close to the raw data in terms of aggregate statistics at both the network and trajectory-levels with maximum 9% deviation from the baseline in terms of network length.

Cryptography and Security

Fengwei Wang,Hui Zhu,Guozhang He,Rongxing Lu,Yandong Zheng,Hui Li

DOI: https://doi.org/10.1109/tifs.2023.3282133

IF: 7.231

2023-06-13

IEEE Transactions on Information Forensics and Security

Abstract:Location-based services (LBSs) provide enhanced functionality of mobile applications and convenience for mobile users, which plays a more and more remarkable role in people's daily life. In LBSs, spatial range query is an essential tool for users to find interesting points in a specific region. However, during spatial range query, it is necessary for data owners and query users to exchange their location data, and the leakage of private location information has drawn significant attention in both governmental and social aspects. Meanwhile, most existing location privacy protection schemes only focus on achieving regular geometry range query over static location datasets. In this paper, we present an efficient and privacy-preserving arbitrary polygon range query scheme, named EPAPRQ. With EPAPRQ, the arbitrary and fine-grained polygon range query can be executed over a dynamic and time-series location dataset with privacy protection. Specifically, in EPAPRQ, an arbitrary polygon range query algorithm is first introduced with sub-range query technique. Then, to protect the private location information of the data owner and query users, a series privacy-preserving data computation protocols are constructed with a symmetric homomorphic encryption algorithm, and a ciphertext-based location dataset updating strategy is also designed. Finally, we propose a double filtration method through combining the quadtree index structure and minimum bounded rectangle, which is able to greatly improve the query efficiency over ciphertexts. Detailed security analysis shows that the sensitive location information in EPAPRQ can be well protected. Furthermore, we evaluate the performance of EPAPRQ in the real map, and the results demonstrate that EPAPRQ is indeed efficient.

computer science, theory & methods,engineering, electrical & electronic

Jiadong Zhang,Chi-Yin Chow

DOI: https://doi.org/10.1109/TSC.2018.2810890

IF: 11.019

2021-03-01

IEEE Transactions on Services Computing

Abstract:The sequential pattern in the human movement is one of the most important aspects for location recommendations in geosocial networks. Existing location recommenders have to access users’ raw check-in data to mine their sequential patterns that raises serious location privacy breaches. In this paper, we propose a new <italic>P</italic>rivacy-preserving <italic>LO</italic>cation <italic>RE</italic>commendation framework (PLORE) to address this privacy challenge. First, we employ the <inline-formula><tex-math notation="LaTeX">$n$</tex-math><alternatives><mml:math><mml:mi>n</mml:mi></mml:math><inline-graphic xlink:href="zhang-ieq1-2810890.gif"/></alternatives></inline-formula>th-order additive Markov chain to exploit users’ sequential patterns for location recommendations. Further, we contrive the probabilistic differential privacy mechanism to reach a good trade-off between high recommendation accuracy and strict location privacy protection. Finally, we conduct extensive experiments to evaluate the performance of PLORE using three large-scale real-world data sets. Extensive experimental results show that PLORE provides efficient and highly accurate location recommendations, and guarantees strict privacy protection for user check-in data in geosocial networks.

Engineering,Computer Science

Shengchao Liu,Jessie Hui Wang,Jilong Wang,Qianli Zhang

DOI: https://doi.org/10.1109/access.2020.2978488

IF: 3.9

2020-01-01

IEEE Access

Abstract:As location-based services become widely used in daily life, there is growing concern in preserving location privacy of users to avoid that attackers infer information about users by collecting and analyzing requests initiated by users. We argue that a good location privacy preservation scheme should have these properties. First, a user should never expose its precise location to any other entity. Second, a user should be able to specify its own requirement on the strength of privacy preservation, since a stricter preservation requirement may increase its overhead. Third, the scheme should be able to preserve as many as possible aspects of users' privacy under various attacks. With these desired properties in mind, we carefully design an encoding scheme of users' identifiers and a fully distributed architecture for our purpose and propose a privacy preservation scheme based on them. With the help of the encoding scheme and the distributed architecture, we develop a distributed negotiation algorithm to help users conduct negotiations among themselves to find their cloaked regions that satisfy their self-defined requirements without exposing their precise locations. The negotiations are completed without coordination from any central servers, and a random proxy is selected for each individual request, therefore the potential risks caused by any central server (location-based service servers or trusted-third-party servers) are mitigated as much as possible. Experiments show that our scheme can satisfy different strengths of privacy preservation required by each user even under the most severe scenarios.