DOI: http://dx.doi.org/10.26483/ijarcs.v10i2.6396
Volume 10, No. 2, March-April 2019
International Journal of Advanced Research in Computer Science
REVIEW ARTICLE
Available Online at www.ijarcs.info
© 2015-19, IJARCS All Rights Reserved 68
ISSN No. 0976-5697
STATE-OF-THE-ART, CHALLENGES: PRIVACY PROVISIONING IN TTP
LOCATION BASED SERVICES SYSTEMS
Muhammad Usman Ashraf
Department of Computer Science
Government College Women University
Sialkot, Pakistan
Rida Qayyum
Department of Computer Science
Government College Women University
Sialkot, Pakistan
Hina Ejaz
Department of Computer Science
Government College Women University
Sialkot, Pakistan
Abstract: Nowadays, Location-based services (LBS) systems are commonly used by mobile users worldwide due to the immense growth of the Internet and mobile devices. A mobile user uses LBS to access services relevant to their location. LBS usage raises severe privacy concerns. A secure LBS system is required to protect three fundamental metrics: temporal information, user identity, and spatial information. Different models, such as TTP and NTTP, are used to deal with these privacy metrics. In the current study, we have conducted a comprehensive survey of the TTP privacy-protecting techniques used in LBS systems. Primarily, it would facilitate mobile users with full privacy when they interact with the LBS system. Moreover, it aims to provide a promising roadmap to the research and development communities for the right selection of a privacy approach.
Keywords: Location-based services (LBS), Trusted Third Party (TTP), Privacy, Protection goals, k-anonymity, Mix Zone, Position Dummy
I. INTRODUCTION
Location-based services (LBS) are gaining popularity due to the high availability of smartphones with built-in position sensors. The smartphone's GPS technology is used in Location-Based Services (LBS) systems to trace the location. LBS currently attracts millions of mobile users. Location Based Services (LBS) are also used in numerous situations such as health, commercial, work, emergency, entertainment, and personal life. For instance, as shown in Figure 1, LBS can be used to trace the nearest restaurant/hospital or desired destination from your location according to the shortest route [1].
Figure 1. An example of LBS
The Location-based services (LBS) architecture is shown in Figure 2, where the mobile user uses internal hardware to get the location information from the network. This collected information (latitude and longitude) is sent to the LBS service provider for computation. The service provider receives a request from the LBS user, processes it, and sends a response to the LBS user corresponding to the request [20].
Figure 2. A common LBS architecture
There are five components in a Location-Based Service (LBS) system: the mobile device of the LBS user; application software that provides services; a content provider that supplies location information to mobile users; mobile internet to generate a query for services and receive the requested service; and a global positioning system (GPS). The strength of a Location-based Services (LBS) system is the ability to sense each other's location and communicate accordingly. LBS must provide an accurate location as well as the information required by the corresponding services.
Extensive adoption of Location-based Services (LBS) raises many issues for the user, such as user privacy, availability of data, location information certainty, and pricing. But the most critical issue is “Privacy” when a mobile user uses the LBS system. The user sends their actual location to a location server (LS), which stores and manages location-related information of the mobile device. Here the LBS user does not need to protect their location themselves because they rely on the TTP LBS system. When a user requests services from the Location Based Services (LBS) system, the user must at the same time reveal their location information. At that time, their personal information is at risk. The main privacy issues regarding Location-based services (LBS) are disclosure of the user's current location, their personal information, and the time of the query. The attributes of a mobile user that should be protected are Time, Identity, and Position.
Muhammad Usman Ashraf et al, International Journal of Advanced Research in Computer Science, 10 (2), March-April 2019, 68-75
Location-based services (LBS) use two ways to provide privacy: TTP (Trusted Third Party) and NTTP (Non-Trusted Third Party). A TTP guarantees the privacy of its users. In a Trusted Third Party (TTP) Location-based services (LBS) system, LBS providers have no idea of the actual locations and real identities of the mobile users. The Non-Trusted Third Party model is also used to provide privacy, but it does not depend fully on the third party for providing privacy. In our study, we address privacy provisioning for the TIP (Time, Identity, and Position) attributes in Trusted Third Party (TTP) Location Based Services (LBS) systems.
The remainder of the paper is structured as follows. Protection goals of Location-Based services (LBS) are discussed in Section II. Section III presents the techniques for provisioning privacy in TTP (Trusted Third Party) Location-based services (LBS) systems. Section IV consists of a comparative analysis, while Section V highlights discussions and recommendations for the most suitable privacy-preserving approaches. Section VI contains the conclusion of the conducted work.
II. PRIVACY PROTECTION GOALS
In a Location-based services (LBS) system, there are some attributes that need to be protected in order to preserve the privacy of a user. Since there are many privacy-preserving approaches, before discussing them we have to clarify which protection goals must be met to achieve the privacy of an LBS user. The attributes which have to be protected are spatial (position), identity, and temporal (time) information. These protection goals define which attributes of the information need to be protected to provide full privacy to the user and which can be revealed without negative impact on the user's privacy. Before discussing the mentioned protection goals in detail, we illustrate the three protection goals with examples and their application context.
In an application context, assume that a user of a navigation system provides their current location to obtain services. As a result, the system supplies real-time information and points of interest (POI) information related to the current user position. Consider that the user provides anonymized location information to the service provider of the navigation system. At this point, according to the anonymization concept, the identity attribute is preserved; but keep in mind that exposure of location information can also reveal the user's identity, for example through repeatedly visited home, hospital, and work locations. For that reason, the position attribute should be protected.
In another context, consider that a non-anonymous route is shared by the LBS user, but the user does not wish to reveal that they are on the GT Road and driving fast, because exposure of such information does not have a positive effect on the privacy of the LBS user. The Location Server (LS) can misuse this kind of information and give the user's personal information to unauthorized persons. In such a case, to prevent the calculation of the maximum speed, the position and time attributes have to be protected [2].
In the current study, privacy means “to hide from everyone, i.e. conceal the private information from unauthorized/unknown persons”. Location privacy is defined as the ability to protect the actual location of the LBS user from malicious parties in such a way that no one is able to learn the user's past or current location. The privacy of user identity means that a malicious party that has access to a location database containing the actual location of each user is unable to infer information about the user from a record, because the user is hidden from these untrusted parties. The privacy of the LBS user's query time means concealing the temporal information of the user from an attacker so that the actual location of the user cannot be disclosed from the time factor.
A. User Identity
When a user makes a request to a Location-based services (LBS) system, the user benefits from hiding their identity from non-trusted parties. Basically, the aim is to conceal the information related to the user's identity while the Location-Based Services (LBS) system knows the current location of the LBS user. The identity-related information of the LBS user can be their unique name, their registered account name at the LBS, or anything else that uniquely identifies the LBS user. If the location information of the LBS user is revealed but the identity-related information is not, an attacker can still infer personal information about the user by analyzing the given location information and additional visited objects.
B. Spatial Information
The user desires to conceal their current location while making the request for services. The primary objective is to protect the user's current position, which has to be sent to the Location-Based Services (LBS) system. The issue is that, from the location information contained in the query of the LBS user, it can be inferred where the user can be accurately located. For instance, a student is tired from a hectic university schedule and wants to enjoy the latest movie that has been released. For this purpose, he posts a query to the Location-based services (LBS) system: “What is the nearest cinema from my current location”. Meanwhile, the user wants to protect his actual location, which he has sent to the location anonymizer. So, protection of spatial information protects an LBS user from personal information disclosure.
C. Temporal Information
The intention is to hide the time information when a user makes a request to the Location-Based Services (LBS) system. There is a possibility that the time at which the Location Server (LS) received the information from the user and updated the user's location information is known, which exposes the user's updated personal information. For example, Bob is not feeling well and wants to visit the medical hospital nearest to his current location. Thus, he posts a query to the Location-based services (LBS) system: “What is nearest medical hospital from my current location”. Meanwhile, the user wants to hide his actual location, real identity, and the time of the query from the adversary. So, protection of time information can also save an LBS user from personal information disclosure.
It is assumed that, from a single message containing location information L, it is not possible to draw conclusions about the user. This means that the sender of the message cannot be identified from L. Other information, like a username or metadata carried by the messages sent from the user to the LBS, may, depending on the application, identify the user.
Golle et al. [3] show that user identity can be inferred from several disclosed locations. If an application is able to link several queries containing location information, and some of the locations correspond to the user's home or workplace, the user might be easy to identify. In those cases where the identity of a user is willingly or unwillingly revealed, it would not be possible to relate subsequent location updates to the LBS user.
To achieve these three protection goals, the aim is to rely on a Trusted Third Party (TTP), through which the Location-based Services (LBS) system fully preserves the privacy of where users live and makes it impossible for an attacker to track the user [4]. With this intermediate entity, Location-based services (LBS) preserve the privacy of the user through the TTP architecture, which supports different types of queries [7]. The database server in which the query is stored and managed has no idea about the actual location information of the mobile user. The LBS user receives a set of multiple answers that includes the real answer. This answer set doesn’t contain the user's actual position. Only the user knows their true position, and they infer the correct answer to their query from the given set.
III. PRIVACY PROVISIONING TECHNIQUES IN TTP LOCATION BASED SERVICES SYSTEM
This section illustrates many existing approaches that have been proposed by various authors. Each framework preserves the privacy of the mobile user in its own way. There are several Trusted Third Party (TTP) based techniques whose objective is to preserve the privacy of LBS users.
Location Cloaking [5] uses a trusted location anonymizer that creates a cloaking region containing the position of a user and k-1 other neighbors. This type of anonymizer protects the user's identity and location. To find the nearest hospital, the user generates a request and sends it to the middleware through a mobile network. Then the trusted anonymizer, which knows the real locations of all users using LBS, first authenticates the requester and then creates a cloaking region (CR) containing the user's actual position and the positions of its k-1 neighbors. This cloaking region is sent to the location server, which acts as a trusted anonymizer. The location server (LS) then answers for the whole CR. Permanent communication and remote checking of the user are required to let the anonymizer frequently update the current position of all subscribed users of LBS, which is obviously a violation of the users' privacy. The anonymizer needs to protect the query time of the user along with their identity and location.
Gruteser and Grunwald [6] present the concept of the K-Anonymity technique. In k-anonymity, an obfuscation region is determined by the mobile user that contains their true position and k-1 other users. The user protects their current location with a pseudonym. Here, the Location Server acts as a trustworthy entity that computes the obfuscation region containing the mobile user's position and the set of k users. As exemplified in Figure 3, Bob is at home and posts a query to location-based services (LBS) for the nearest dental clinic. Here, the intermediate entity cannot reveal Bob's true position or the medical problem he has. Through this framework, Bob cannot be identified as the real user, and the attacker is unable to associate the provided locations with Bob's current location. K-anonymity preserves user identity very well, but it does not provide adequate protection against attribute disclosure.
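The cloaking flow described in the two paragraphs above (trusted anonymizer, cloaking region over the user and k-1 neighbors, location server answering for the whole region), as an added example that is not code from the paper or the cited schemes. The class and function names, the sample coordinates and the rule the server uses to bound its candidate set are assumptions; authentication of the requester is omitted.

```python
import math
import secrets

# Constructed sample data: subscriber positions known only to the trusted
# anonymizer, and points of interest (hospitals) known to the location server.
SUBSCRIBERS = {
    "bob": (2.0, 3.0), "alice": (2.5, 3.5), "carol": (1.0, 2.0),
    "dave": (6.0, 7.0), "erin": (3.5, 2.0), "frank": (9.0, 1.0),
}
HOSPITALS = {"H1": (2.2, 5.0), "H2": (4.0, 2.5), "H3": (8.0, 8.0), "H4": (0.5, 0.5)}


class TrustedAnonymizer:
    """Hypothetical TTP that knows every subscriber's true position."""

    def __init__(self, positions):
        self.positions = dict(positions)
        self.owner_of = {}  # pseudonym -> real identity, never leaves the TTP

    def cloak(self, user_id, k):
        """Return (pseudonym, region); region is the bounding box of the
        requester and the k-1 nearest other subscribers."""
        if not 1 <= k <= len(self.positions):
            raise ValueError("k must be between 1 and the number of subscribers")
        here = self.positions[user_id]
        others = sorted((u for u in self.positions if u != user_id),
                        key=lambda u: math.dist(self.positions[u], here))
        members = [user_id] + others[:k - 1]
        xs = [self.positions[u][0] for u in members]
        ys = [self.positions[u][1] for u in members]
        pseudonym = secrets.token_hex(8)
        self.owner_of[pseudonym] = user_id
        return pseudonym, (min(xs), min(ys), max(xs), max(ys))


def users_inside(region, positions):
    x0, y0, x1, y1 = region
    return [u for u, (x, y) in positions.items() if x0 <= x <= x1 and y0 <= y <= y1]


def candidate_answers(region, pois):
    """Location-server side: it sees only the region, so it returns every POI
    that could be the nearest one for some point inside it. Any point of the
    box is within half_diag of the centre, so its nearest POI lies within
    2 * half_diag + d0 of the centre (d0 = centre's nearest-POI distance)."""
    x0, y0, x1, y1 = region
    centre = ((x0 + x1) / 2, (y0 + y1) / 2)
    half_diag = math.dist((x0, y0), (x1, y1)) / 2
    d0 = min(math.dist(centre, p) for p in pois.values())
    radius = 2 * half_diag + d0
    return {name: p for name, p in pois.items() if math.dist(centre, p) <= radius}


def pick_nearest(true_position, candidates):
    """Client side: only the user knows the true position and filters the set."""
    return min(candidates, key=lambda name: math.dist(true_position, candidates[name]))


def nearest_hospital_query(anonymizer, user_id, k, pois):
    pseudonym, region = anonymizer.cloak(user_id, k)
    candidates = candidate_answers(region, pois)  # all the LS ever receives is `region`
    answer = pick_nearest(anonymizer.positions[user_id], candidates)
    return pseudonym, region, candidates, answer


if __name__ == "__main__":
    ttp = TrustedAnonymizer(SUBSCRIBERS)
    print(nearest_hospital_query(ttp, "bob", 3, HOSPITALS))
```

The location server receives a box holding three subscribers instead of Bob's coordinates, and the answer Bob selects from the candidate set is the same one an exact query would have returned.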
Several techniques are based on the k-anonymity framework in order to preserve the privacy of the LBS user. Mokbel et al. [7] compute the obfuscation region based on user-defined k values in the Casper scheme, in which the user specifies that they want to conceal their location-related information within a region. The Clique Cloak technique [8, 9], proposed by Gedik et al., calculates the k-anonymity set and implements temporal and position cloaking.
Figure 3. A user scenario for K-Anonymity
The strong k-anonymity technique was proposed by Zhang et al. [10]. K-anonymity can be achieved using the concepts of generalization and suppression. In generalization, a value is changed to a semantically consistent but less specific one. In suppression, tuples are suppressed, which reduces the amount of generalization needed to achieve k-anonymity. This technique assures strong k-anonymity with less distorted results. A value is exchanged for a trustworthy one that is more general and less specific than the original value. For example, the authentic ZIP codes {03136, 03137} can be generalized to 0313*, thereby stripping the rightmost digit and indicating a semantically larger geographical area. So, strong k-anonymity is not always satisfied by generalization, even though all Datafly generalizations do satisfy k-anonymity. More work is required on this heuristic-based approach.
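A single-attribute sketch of generalization with suppression, using the paper's ZIP example (03136 and 03137 become 0313*); this is an added example, not Zhang et al.'s or Datafly's algorithm. The records, the function names and the max_suppressed budget are constructed for illustration. It also reports groups whose sensitive value is identical, which is the attribute disclosure that k-anonymity alone leaves open.

```python
from collections import Counter

# Constructed records: (ZIP code, sensitive attribute). Not data from the paper.
RECORDS = [
    ("03136", "flu"), ("03137", "flu"),
    ("03141", "asthma"), ("03142", "diabetes"), ("03149", "asthma"),
    ("90210", "flu"),
]


def generalize_zip(zip_code, level):
    """Replace the `level` rightmost digits with '*' (03136 -> 0313* at level 1)."""
    if level == 0:
        return zip_code
    return zip_code[:len(zip_code) - level] + "*" * level


def k_anonymize_zip(records, k, max_suppressed):
    """Find the smallest generalization level at which every released ZIP
    group has at least k records, allowing up to max_suppressed records to be
    withheld instead of generalizing further.
    Returns (level, released_records, suppressed_records)."""
    width = len(records[0][0])
    for level in range(width + 1):
        generalized = [(generalize_zip(z, level), s) for z, s in records]
        sizes = Counter(z for z, _ in generalized)
        too_small = [r for r in generalized if sizes[r[0]] < k]
        if len(too_small) <= max_suppressed:
            released = [r for r in generalized if sizes[r[0]] >= k]
            return level, released, too_small
    raise ValueError("cannot reach k-anonymity within the suppression budget")


def is_k_anonymous(released, k):
    sizes = Counter(z for z, _ in released)
    return all(n >= k for n in sizes.values())


def homogeneous_groups(released):
    """Groups in which every record carries the same sensitive value: an
    observer who places someone in such a group learns the value even though
    the group satisfies k-anonymity."""
    values = {}
    for zip_prefix, sensitive in released:
        values.setdefault(zip_prefix, set()).add(sensitive)
    return {z: next(iter(v)) for z, v in values.items() if len(v) == 1}


if __name__ == "__main__":
    for budget in (1, 0):
        level, released, suppressed = k_anonymize_zip(RECORDS, k=2, max_suppressed=budget)
        print(budget, level, released, suppressed, homogeneous_groups(released))
```

With one record allowed to be suppressed, a single stripped digit is enough; with no suppression, the lone 90210 record forces every ZIP code down to `*****`.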
Bamba et al. proposed the concept of l-diversity [11]. In this approach, there is a set of l different physical positions such as hospitals, universities, cinemas, shopping malls, etc. This approach assures that the user location is indistinguishable from the set of k users and that the positions are located at a sufficient distance from each other. In the obfuscation area, there are hundreds of users that are uniformly distributed, while the remaining k users arbitrarily send their messages about aggregation. We set l = k/2 to ensure privacy in l-diversity. Consider that user A, in an arbitrary position, sends only one request to the Location Server (LS). This technique needs much effort to preserve user privacy. So, a better privacy level is required, because there is symbolic logic between the attributes, which have distinct values, and each value has a different sensitivity level.
Li et al. present the concept of t-closeness [12]. This technique extends the concept of l-diversity. The parameter t represents the distance between attribute disclosure within the cluster of k users and the total set of users, over the same distribution. The distance is bounded by an assured threshold. For example, disease and salary are two sensitive attributes. If one knows that Bob’s salary is in the range [4K–6K], then one can conclude that Bob’s salary is comparatively low. An attacker can attack not only numeric values like salary but also categorical values like disease, which enables the attacker to infer that Bob has cancer. With 0.176-closeness w.r.t. Salary and 0.878-closeness w.r.t. Disease, Trudy cannot conclude that Bob has a low salary and cancer. The t-closeness principle can be applied using a distance measure; the Earth mover's distance (EMD) is the best measure for this but is certainly not perfect.
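How the distance behind t-closeness is computed, as an added example rather than code from Li et al. It uses the closed forms of the Earth mover's distance for an ordered attribute (salary) and a categorical one (disease); the nine-row table and both groupings are constructed, so the values differ from the 0.176 and 0.878 quoted above.

```python
from collections import Counter
from fractions import Fraction

# Constructed table: (salary in K, disease). Not data from the paper.
TABLE = [
    (3, "cancer"), (4, "cancer"), (5, "cancer"),
    (6, "flu"), (7, "flu"), (8, "flu"),
    (9, "diabetes"), (10, "diabetes"), (11, "diabetes"),
]

# Two ways to split the same rows into classes of k = 3 (row indices).
SORTED_CLASSES = [[0, 1, 2], [3, 4, 5], [6, 7, 8]]   # neighbors grouped together
SPREAD_CLASSES = [[0, 3, 6], [1, 4, 7], [2, 5, 8]]   # each class spans the range


def distribution(values, domain):
    """Relative frequency of each domain value, as exact fractions."""
    counts = Counter(values)
    return [Fraction(counts[v], len(values)) for v in domain]


def emd_ordered(p, q):
    """EMD with ordered ground distance |i - j| / (m - 1): the sum of the
    absolute running differences between the two distributions."""
    m = len(p)
    if m < 2:
        return Fraction(0)
    running, total = Fraction(0), Fraction(0)
    for pi, qi in zip(p, q):
        running += pi - qi
        total += abs(running)
    return total / (m - 1)


def emd_equal(p, q):
    """EMD with equal ground distance (categorical values): half the L1 distance."""
    return sum(abs(pi - qi) for pi, qi in zip(p, q)) / 2


def achieved_t(table, classes, column, ordered):
    """Largest distance between any class's distribution of the attribute and
    its distribution over the whole table."""
    values = [row[column] for row in table]
    domain = sorted(set(values))
    whole = distribution(values, domain)
    emd = emd_ordered if ordered else emd_equal
    return max(emd(distribution([values[i] for i in cls], domain), whole)
               for cls in classes)


if __name__ == "__main__":
    for name, classes in (("sorted", SORTED_CLASSES), ("spread", SPREAD_CLASSES)):
        print(name,
              float(achieved_t(TABLE, classes, 0, ordered=True)),
              float(achieved_t(TABLE, classes, 1, ordered=False)))
```

Both groupings put three rows in every class, yet the sorted one places anyone in its first class in the low salary band with cancer, while the spread one keeps each class close to the distribution of the whole table.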
The concept of p-sensitivity [13] was presented by Domingo-Ferrer et al. In p-sensitivity, 1/k is the probability of correctly identifying an individual user and 1/p is the probability of revealing sensitive information of an individual user. One method to protect each user from a location attack could be to de-link each user request from its creator, confusing the attacker with more than one user present in the cloaking region (CR). For instance, all k users of a cloaking region (CR) have diabetes. In this case, an adversary certainly knows that the actual person also has flu infection.
Mascetti et al. [14] guarantee historical k-anonymity. In this technique, the system keeps track of each user's movement and uses this information to build the anonymity area. The mobile user then sends the request for services to that anonymity area. Suppose the location server covers the region containing the points of interest of each user in the system. Each point of interest can be linked to a fixed temporal interval and covers a location to some extent. The user is obviously moving continuously from one location to another. The movement history in the system yields the locations most visited by the user and the approximate time of each visit. These regular and habitual visits can put the user's privacy in danger. As the mobile user posts queries to the LBS to request services, their movement track in the system can easily disclose their identity. Therefore, a better and more suitable approach within the k-anonymity framework is needed to preserve the user's position as well as the user's query content.
Kido et al. [15] presented the position dummies technique, which protects the actual user position by sending the Location Server (LS) multiple false locations called "dummies" along with the user’s true position. At the same time, it is a challenge to create dummies that are indistinguishable from the actual user position, in particular if an attacker is able to track the user for a longer time and has context information about the user. A user sends a new query once they change their position from point A to B, sending their current location with new multiple false positions related to the new place. The working of the dummy-based approach is illustrated in Figure 4.
Figure 4. Example of Position Dummy
Shankar et al. [16] proposed the SybilQuery approach. SybilQuery is an advanced method to generate dummies. In this technique, it is assumed that the historic traffic database is known to the user, which allows them to generate dummies that cannot be distinguished from the actual mobile user location. SybilQuery is helpful for users who want to create dummies.
Mix Zone was proposed by Beresford et al. [17]. This approach defines areas called mix zones, in which user positions are mixed such that an LBS user's actual position is not known to others within these zones, where all user positions are protected. As shown in Figure 5, when a user enters this special zone, their identity is mixed with those of other users, and the user identity is protected by changing pseudonyms. Hence, an adversary cannot differentiate between distinct pseudonyms of the user even after knowing the arrival and departure of the user in the mix zone. Moreover, mix zones replace the concept of the spatial cloaking technique and provide location privacy protection.
Figure 5. An example of Mix Zone
Palanisamy and Liu [18] proposed MobiMix. This technique follows the mix zone concept over the road network. By analyzing various context information, an attacker can infer detailed information such as position and temporal information. The timing of when users enter and exit the mix zone, and the non-uniform transitions taken at road junctions, help the attacker to easily distinguish between the new and old pseudonyms. However, the technique assures unlinkability between the new and old pseudonyms when a user spends a random time in a mix zone. Still, a mix zone usually exposes information about the user, as it does not ensure a random duration for its users. In the future, there is a need to consider more practical attack models based on travel presence and background knowledge to examine mix zone placing and manufacturing problems.
Policy-based schemes were proposed by Jiang et al. [19], in which policies are made to protect mobile user privacy while using the LBS system. These policies are statements that specify what the service provider can do with the mobile user's private information. These privacy policies are issued by service providers. It is then up to the mobile user to decide whether such policies are suitable for them or not. The policy statements are based on many extensively used languages and concepts. The user's agreement with the service provider determines what happens with the data collected by the provider. Moreover, through this agreement the user comes to know what data is collected, with whom it will be shared, and how the data can be dispensed to third parties. In this scheme, control over data protection is in the user's hands, as they decide what, when, and how information about them is disclosed to unknown persons. The mobile user has a number of policies and can carefully select the policy that fulfills their privacy needs. The user can save some amount of money by relying on the adopted policy, but in return service providers can hand over the user data to others in exchange for money.
A pseudonymiser [19] is a trusted third party between service providers and mobile users. Its main function is to receive the user request and forward it to the service provider. Meanwhile, it replaces the user's true identity with a fake one. Hence, the service provider is unaware of the user's real identity. It stores the user's true identity with the matching pseudonym so that it can respond to the mobile user with a set of answers. Basically, the LBS user can rely on this framework and fully trust that their personal information is not disclosed to others. For example, Alice is a neighbor of Bob and frequently meets him. Alice knows Bob's age and his ZIP code. She also knows that Bob's data is saved in the file. Just by knowing Bob's identity, she can infer Bob's disease, which is stored in the hospital record.
Route Server [20] hands over authentic and efficient results for position queries. To post a route query, there is a set of queries Q = {q1, q2, q3, ..., qn}, where each query q belongs to the set Q; it allows an attacker to generate some wrong information by acknowledging the user’s actual location information. Hence, the important challenge for Route Server was provisioning privacy to mobile users against an attacker who will conclude the wrong data in actual data when an LBS user wants to send a query to the system from any other Point of Interest (POI). To improve privacy in the Route Server (RS) algorithm, a new accurate approach/technique has been presented, which is the AES-RS architecture.
The AES-RS architecture [20] is an enhanced version of the Route Server algorithm. It is based on the position dummy approach, in which a number of dummy (fake) positions are generated along with a single user request. This architecture mainly protects the LBS user's true position from the attacker. Before posting a query to the Location-based Services (LBS) system, it determines Lower Limit (L) and Upper Limit (U) coordinates, which partition the Grid (G) into an equal number of cells. Here, each individual cell (E, V) ∈ C shows that an equal number of cells belongs to the set of Edges (E) and Vertices (V). In order to create position dummies (fake positions), vertices are computed far away from each cell, and the LBS user's real location is attached to one cell. In the end, the dummy (fake) locations of k users are kept in an array along with the index of the mobile user's true location. This is proposed in the dummy data array algorithm. AES-RS system performance improves and degrades after a particular time interval. This change raises the usage of the LBS system as one server. A change in delay is preserved by applying a distributed approach for maximum utilization of LBS servers.
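A sketch of the grid-and-dummy-array idea described above and of the position dummies technique earlier in this section, added here as an example and not the AES-RS implementation. Function names, the grid size, the sample points of interest and the choice of one dummy per distinct cell are assumptions; the index of the true position stays on the device and only the array is sent.

```python
import math
import random

# Constructed points of interest held by the location server.
POIS = {"H1": (2.2, 5.0), "H2": (4.0, 2.5), "H3": (8.0, 8.0), "H4": (0.5, 0.5)}


def cell_of(pos, lower, upper, n):
    """(column, row) of the cell containing pos when the rectangle between the
    lower-limit and upper-limit coordinates is split into n x n equal cells."""
    (lx, ly), (ux, uy) = lower, upper
    if not (lx <= pos[0] <= ux and ly <= pos[1] <= uy):
        raise ValueError("position lies outside the grid")
    col = min(int((pos[0] - lx) / (ux - lx) * n), n - 1)
    row = min(int((pos[1] - ly) / (uy - ly) * n), n - 1)
    return col, row


def build_dummy_array(true_pos, lower, upper, n, k, rng=None):
    """Client side: return (positions, true_index). The array holds the true
    position and k-1 dummies, each drawn from a different cell than the user's
    and than every other dummy, so the entries are spread over the grid."""
    rng = rng or random.SystemRandom()
    if not 1 <= k <= n * n:
        raise ValueError("k must be between 1 and the number of cells")
    (lx, ly), (ux, uy) = lower, upper
    width, height = (ux - lx) / n, (uy - ly) / n
    own_cell = cell_of(true_pos, lower, upper, n)
    free = [(c, r) for c in range(n) for r in range(n) if (c, r) != own_cell]
    positions = [(lx + (c + rng.random()) * width, ly + (r + rng.random()) * height)
                 for c, r in rng.sample(free, k - 1)]
    true_index = rng.randrange(k)          # random slot, so order leaks nothing
    positions.insert(true_index, true_pos)
    return positions, true_index


def answer_all(positions, pois):
    """Location-server side: it cannot tell which entry is real, so it answers
    the nearest-POI query for every position in the array."""
    return [min(pois, key=lambda name: math.dist(pos, pois[name]))
            for pos in positions]


def private_nearest_poi(true_pos, lower, upper, n, k, pois, rng=None):
    positions, true_index = build_dummy_array(true_pos, lower, upper, n, k, rng)
    answers = answer_all(positions, pois)  # only `positions` is sent to the LS
    return positions, true_index, answers[true_index]


if __name__ == "__main__":
    sent, index, answer = private_nearest_poi(
        (2.0, 3.0), (0.0, 0.0), (10.0, 10.0), n=5, k=6, pois=POIS)
    print(sent, "-> user keeps index", index, "and reads answer", answer)
```

The server returns one answer per array entry, matching the survey's description of an answer set from which only the user, who knows the true index, can pick the correct result.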
IV. COMPARATIVE ANALYSIS
Having studied all previous approaches, we now critically analyze the approaches/techniques that are used to provide privacy for the TIP (Time, Identity, Position) attributes in Trusted Third Party (TTP) Location Based Services (LBS) systems. The limitations and future directions of the existing approaches are illustrated in Table 1.
Table I. Approaches for TTP Location Based Services System
Trusted Third Party (TTP) based approaches
Techniques/Approaches Short Description Privacy Level Limitations Future Work
1
Location Clocking Location Cloaking uses a trusted
location anonymizer and cloaking
region is created which contain the
location of a user and other k-1
neighbors.
Identity: Yes
Spatial Info: Yes
Temporal Info: No
Remote checking of the user is
required to let the anonymizer
frequently update the current
position of all the subscribed
users of LBS, which is the
violation of the user’s privacy.
Anonymizer needs to protect
query time of user along with
his identity and location.
2
Gruteser and Grunwald,
k-Anonymity
This approach is based on the concept
where a mobile user describe an
obfuscation region that containing his
true position and k-1 other users.
Identity: Yes
Spatial Info: No
Temporal Info: No
K-anonymity protect identity of
the LBS user but does not
provide protection against
attribute disclosure.
Protect user location and time
information along with identity.
3
Zhang et al. strong k-
anonymity
K-anonymity can be achieved using
generalization and suppression. This
technique assurance of strong k-
anonymity with less distorted results.
Identity: Yes
Spatial Info: No
Temporal Info: No
By using generalization and
suppression, less its
computational efficiency.
For making this heuristic-based
approaches more work is
required.
4
Bamba et al. l-diversity There is a set of different l physical
positions. This approach assures the
user location is indistinguishable from
the set of k users as well as the
position of each is located at a
sufficient distance from each other.
Identity: Yes
Spatial Info: Yes
Temporal Info: No
l-diversity may be unnecessary
to achieve. It is unsatisfactory
to avoid attribute disclosure
There is a semantic relationship
between the values of the
attribute so various levels of
privacy are required.
Muhammad Usman Ashraf et al, International Journal of Advanced Research in Computer Science, 10 (2), March-April 2019, 68-75
© 2015-19, IJARCS All Rights Reserved 73
5
Li et al. t-closeness This technique extends the concept of
l-diversity. Parameter t represents the
distance between attribute disclosures
within the cluster of k users.
Identity: Yes
Spatial Info: Yes
Temporal Info: No
Basically, the Earth mover's
distance (EMD) is not a perfect
principle for measuring other
distance in t-closeness.
It may be beneficial to use both
k-anonymity and t-closeness
together to protect both identity
and attribute disclosure.
6
Domingo-Ferrer et al. p-
sensitivity
The method is to protect each user
from location attack could be de-
linked each user request form its
creator to confusing attacker with
more than one user present in the
Cloaking region (CR).
Identity: Yes
Spatial Info: Yes
Temporal Info: No
Information loss is higher when
p-sensitive is enforced on a
dataset compared to when the
dataset is masked according to
k‐ anonymity only.
This approach presents a
Greedy Algorithm that protects
against both identity disclosure
and attributes disclosure.
7
Mascetti et al. historical
k-anonymity
In this technique, the system retains
track of each user movement and
effectively use this piece of
information to make the anonymity
area.
Identity: Yes
Spatial Info: Yes
Temporal Info: No
In historical k-anonymity
Regularly and habitually visits
of user can put his privacy in
danger.
Regarding K–anonymity
methodologies there is a need
for extended research that
preserves the information of the
user request in addition to the
user’s actual location.
8
Kido et al. Position
Dummies
Dummy Position technique is used to
protect a user’s actual position by
sending Location Server (LS) multiple
false locations called "dummies"
along with the user’s true position.
Identity: Yes
Spatial Info: Yes
Temporal Info: No
It is a great challenge to create
non-distinguished dummies
from the actual user position.
This approach preserves
privacy to user identity and
location. Time factor also needs
to protect.
9
Beresford et al. Mix
Zone
In this approach defines areas are
called mix zones, user position is
mixed with these zones in such away
user position is not recognized within
these mix zones where all user
positions are protected.
Identity: Yes
Spatial Info: Yes
Temporal Info: No
Existing mix-zone idea fail to
provide impressive mix-zone
construction algorithms that are
effective for mobile users
moving on road networks.
This approach preserves
privacy to user identity and
location. Time factor also needs
to protect.
10. Palanisamy and Liu, MobiMix
Description: This technique follows the mix zone based concept over the
road network. By analysing various context information, an attacker can
infer detailed information such as position and temporal information.
Privacy level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
Limitation: The MobiMix zone usually exposes information about users;
there is unlinkability between the new and old pseudonyms when the user
spends a random time in a mix zone.
Future work: In the future, there is a need to consider more practical
attack models based on travel presence and background knowledge to
examine mix zone placing & manufacturing problems.
11. Policy-based schemes
Description: Policies are made to protect mobile user privacy while
using the Location-based services (LBS) system. These privacy policies
are issued by service providers.
Privacy level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
Limitation: Depending on the selected policy, the user can save some
amount of money by relying on the adopted policy, but in return service
providers can hand over the user data to others in exchange for money.
Future work: There is a need to make more and better policy-based
schemes for preserving user personal data.
12. Jiang et al., Pseudonymisers
Description: The Pseudonymiser is a trusted third party between service
providers and mobile users. Its main function is to receive the user
request and forward it to the service provider. Meanwhile, it replaces
the user's true identity with a fake one.
Privacy level: Identity: No; Spatial Info: Yes; Temporal Info: No
Limitation: The main problem of this technique is that the service
provider can infer the actual identity of the LBS user by linking the
location of the user.
Future work: There is a need to make it impossible to identify the data
subject by analyzing the related data.
13. Route Server
Description: The Route Server hands over authentic and efficient results
for position queries.
Privacy level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
Limitation: The important challenge for RS was provisioning privacy to
the mobile users from an attacker who will conclude the wrong data in
actual data when an LBS user posted a query to the system.
Future work: To improve privacy in the Route Server (RS) algorithm, a new
accurate approach has been proposed, which is the AES-RS architecture.
14. AES-RS architecture
Description: AES-RS is based on the position dummy approach, in which a
number of dummy (fake) positions are generated along with a single user
request.
Privacy level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
Limitation: AES-RS system performance rises and falls after a particular
time interval. This change raises the usage of the LBS system as one
server.
Future work: It might be possible to control the delay variation with a
distributed approach in which multiple LBS servers are used.
Table 1: Trusted third party based approaches/techniques, with their description, privacy level, limitation and future work.
V. DISCUSSION AND RECOMMENDATION
The current study highlighted three attributes, namely time,
identity and position, that must be protected to preserve user
privacy in a Trusted Third Party (TTP) Location Based Services
(LBS) system. Several approaches have been studied for this
purpose. The Location Cloaking technique uses a trusted location
anonymizer that replaces the actual location of a user with a
cloaking region (CR); this type of anonymizer protects the user's
identity and location. The Pseudonymisers framework is a plain
intermediate entity between LBS users and the location server
(LS). It accepts user requests and, before forwarding them to the
service provider, replaces the original IDs of the users with
fake ones. Pseudonyms are used to protect user identity.
In the k-anonymity approach, the Location Server (LS) acts as the
anonymizer, which protects against identity disclosure. There are
some enhanced versions of k-anonymity which protect against
attribute disclosure but do not protect against identity
disclosure properly, and some of them protect against attribute
and identity disclosure at the same time. Thus, it may be
beneficial to use both k-anonymity and t-closeness (the latest
version of k-anonymity) together to protect against both identity
and attribute disclosure. The p-sensitivity approach presents a
Greedy Algorithm that protects against both identity and attribute
disclosure.
Position Dummies is an approach in which the LBS user sends its
actual position along with multiple fake positions. This approach
preserves the privacy of user identity and location. Another
approach, Mix Zone, is also used to preserve privacy for user
identity and location. In this approach, there is a special area
defined by the trusted third-party Location Server (LS) where
mobile users change their pseudonyms so that within these defined
areas the user's actual position is not known. The MobiMix
approach implements the mix zone concept over road networks.
The Route Server (RS) approach provides the LBS system with
efficient results for spatial queries. To improve the privacy
factor in the Route Server algorithm, a new security approach,
AES-RS, has been proposed. The AES-RS technique uses the concept
of the dummy position technique: when a user query is generated,
the user's position is mixed with the dummy positions. This was an
improvement of the Route Server (RS) algorithm and protects the
location-related information of LBS users from any attack.
The position dummy, t-closeness, and mix zone approaches protect
only user identity and position information. Temporal information
also needs to be protected along with user identity and spatial
information to provide privacy for the LBS user. If we work on
these approaches, it would be possible to achieve our protection
goals, i.e. Time, Identity, Position, in a Trusted Third Party
(TTP) Location Based Services (LBS) system.
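The following Python sketch is an added example, not code from the paper or from any of the surveyed systems. It shows a TTP anonymizer combining the pseudonymiser and location-cloaking steps described in this section, and makes visible that the request time reaches the Location Server unchanged unless it is coarsened. The class and function names, the quadrant-subdivision cloaking rule, the HMAC pseudonym, the optional time_window and the user positions are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:            # what the mobile user sends to the TTP
    user_id: str
    x: float
    y: float
    timestamp: int        # Unix seconds
    query: str


@dataclass(frozen=True)
class Forwarded:          # what the TTP passes on to the Location Server
    pseudonym: str
    region: tuple         # (x_min, y_min, x_max, y_max) cloaking region
    timestamp: int
    query: str


class Anonymizer:
    """Hypothetical TTP: pseudonymiser plus k-anonymous location cloaking."""

    def __init__(self, key, k, area=(0.0, 0.0, 1024.0, 1024.0),
                 min_side=1.0, time_window=None):
        self.key, self.k, self.area = key, k, area
        self.min_side = min_side        # never subdivide below this side length
        self.time_window = time_window  # None: exact request time is forwarded
        self.positions = {}             # user_id -> last known (x, y)

    def update(self, user_id, x, y):
        x_min, y_min, x_max, y_max = self.area
        if not (x_min <= x < x_max and y_min <= y < y_max):
            raise ValueError("position outside the service area")
        self.positions[user_id] = (x, y)

    def pseudonym(self, user_id):
        # Keyed hash: the LS cannot invert it without the TTP's key, but it
        # is stable per user, so requests remain linkable to each other.
        mac = hmac.new(self.key, user_id.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def _count(self, region):
        x_min, y_min, x_max, y_max = region
        return sum(1 for (x, y) in self.positions.values()
                   if x_min <= x < x_max and y_min <= y < y_max)

    def cloak(self, x, y):
        """Smallest quadrant around (x, y) that still holds >= k users."""
        region = self.area
        if self._count(region) < self.k:
            raise ValueError("fewer than k users known; cannot cloak")
        while region[2] - region[0] > self.min_side:
            x_min, y_min, x_max, y_max = region
            mid_x, mid_y = (x_min + x_max) / 2, (y_min + y_max) / 2
            quadrant = (x_min if x < mid_x else mid_x,
                        y_min if y < mid_y else mid_y,
                        mid_x if x < mid_x else x_max,
                        mid_y if y < mid_y else y_max)
            if self._count(quadrant) < self.k:
                break                   # one more split would break k-anonymity
            region = quadrant
        return region

    def forward(self, req):
        self.update(req.user_id, req.x, req.y)
        ts = req.timestamp
        if self.time_window:            # optional temporal coarsening
            ts -= ts % self.time_window
        return Forwarded(self.pseudonym(req.user_id),
                         self.cloak(req.x, req.y), ts, req.query)


# Constructed sample positions (not measured data).
CONSTRUCTED_USERS = {"alice": (100, 100), "bob": (120, 90),
                     "carol": (400, 300), "dave": (900, 900),
                     "erin": (130, 140)}


def build_demo(k, time_window=None):
    ttp = Anonymizer(b"constructed-demo-key", k, time_window=time_window)
    for uid, (x, y) in CONSTRUCTED_USERS.items():
        ttp.update(uid, x, y)
    return ttp


if __name__ == "__main__":
    ttp = build_demo(k=3)
    for uid in ("alice", "dave"):
        x, y = CONSTRUCTED_USERS[uid]
        print(ttp.forward(Request(uid, x, y, 1554102137, "nearest pharmacy")))
```

In the dense corner the cloaking region shrinks to a 256-unit square, while the isolated user is only hidden by the whole service area; in both cases the timestamp is forwarded exactly unless time_window is set.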
VI. CONCLUSION
Millions of mobile users currently use Location-Based Services
(LBS) systems. These services make information available based on
the geographical location of the user, but improper use of
location information puts user privacy at risk. The current
research focuses on user privacy in the LBS system. In detail, it
distinguishes between the identity attribute, position attribute,
and temporal attribute. This paper presented a comprehensive
survey of different well-suited privacy approaches in the Trusted
Third Party (TTP) Location-Based Services (LBS) system. The main
aim of the conducted survey was to provide a proper environment
for the location-based services system and reduce the privacy
issues between the user and the Location Server (LS). In future,
if we work more on Position Dummy, t-closeness and mix zone, we
can provide full privacy to the user and achieve the protection
goals together.
VII. ACKNOWLEDGMENT
This work was performed under the auspices of the Department of
Computer Science and Information Technology, Govt. College
Women University, Sialkot, Pakistan by Heir Lab-78. The
authors would like to thank Dr. Muhammad Usman Ashraf for
his insightful and constructive suggestions throughout the
research.
VIII. REFERENCES
[1] Hidetoshi Kido, Y. Y., & Satoh, T. (2005). Protection of
Location Privacy using Dummies for Location-based Services.
Proceedings of the 21st International Conference on Data
Engineering (ICDE ’05).
[2] Marius Wernke, P. S., & Frank Dürr, K. R. (n.d.). A
Classification of Location Privacy Attacks and Approaches. 1-24.
[3] P. Golle and K. Partridge. On the anonymity of home/work
location pairs. In H. Tokuda, M. Beigl, A. Friday, A. J. B.
Brush, and Y. Tobe, editors, Pervasive computing, volume 5538
of Lecture Notes in Computer Science, pages 390–397. Springer,
Berlin, 2009.
[4] Chi-Yin Chow, M. F. (n.d.). Privacy in Location-based Services:
A System Architecture Perspective. 23-27.
[5] Neeta B. Bhongade, G. P. (2015). A Review of Privacy
Preserving LBS: Study of Well-Suited Approaches.
International Journal of Engineering Trends and Technology
(IJETT), 62-65.
[6] Gruteser, M., Grunwald, D.: Anonymous usage of location-
based services through spatial and temporal cloaking. In:
Proceedings of the 1st international conference on Mobile
systems, applications and services (MobiSys ’03), New York,
NY, USA, ACM (2003) 31–42.
[7] Mokbel, M.F., Chow, C.Y., Aref, W.G: The new casper: query
processing for location services without compromising privacy.
In: Proceedings of the 32nd international conference on Very
large data bases (VLDB ’06), VLDB Endowment (2006) 763–
774.
[8] Gedik, B., Liu, L: Location privacy in mobile systems: A
personalized anonymization model. In: International Conference
on Distributed Computing Systems (ICDCS 2005). (2005) 620–
629.
[9] Gedik, B., Liu, L: Protecting location privacy with personalized
k-anonymity: Architecture and algorithms. IEEE Transactions
on Mobile Computing 7(1) (January 2008) 1–18.
[10] Zhang, C., Huang, Y: Cloaking locations for anonymous
location based services: a hybrid approach. Geoinformatica
13(2) (June 2009) 159–182
[11] Bamba, B., Liu, L., Pesti, P., Wang, T: Supporting anonymous
location queries in mobile environments with privacygrid. In:
Proceeding of the 17th international conference on World Wide
Web (WWW ’08), New York, NY, USA, ACM (2008) 237–246
[12] Li, N., Li, T., Venkatasubramanian, S.: t-closeness: Privacy
beyond k-anonymity and l-diversity. In: Proceedings of the IEEE
23rd International Conference on Data Engineering (ICDE
2007). (April 15–20, 2007) 106–115
[13] Solanas, A., Sebé, F., Domingo-Ferrer, J.: Micro-aggregation-
based heuristics for p-sensitive k-anonymity: one step beyond.
In: Proceedings of the 2008 international workshop on Privacy
and anonymity in information society (PAIS ’08), New York,
NY, USA, ACM (2008) 61–69
[14] Mascetti, S., Bettini, C., Wang, X.S., Freni, D., Jajodia, S:
Providenthider: An algorithm to preserve historical k-anonymity
in lbs. In: IEEE International Conference on Mobile Data
Management (MDM 2009). Volume 0, Los Alamitos, CA, USA,
IEEE Computer Society (2009) 172–181. DOI
10.1109/MDM.2009.28
[15] Kido, H., Yanagisawa, Y., Satoh, T.: An anonymous
communication technique using dummies for location-based
services. In: Proceedings of the International Conference on
Pervasive Services (ICPS ’05). (July 11–14, 2005) 88–97.
[16] Shankar, P, Ganapathy, V., Iftode, L.: Privately querying
location-based services with sybilquery. In: International
Conference on Ubiquitous Computing (UbiComp 2009). (2009)
31–40.
[17] Beresford, A.R, Stajano, F: Mix zones: User privacy in location-
aware services. In: PerCom Workshops. (2004) 127–131.
[18] Palanisamy, B., Liu, L: Mobimix: Protecting location privacy
with mix-zones over road networks. In: Proceedings of the 2011
IEEE 27th International Conference on Data Engineering. ICDE
’11, Washington, DC, USA, IEEE Computer Society (2011)
494–505.
[19] Agusti Solanas, J. D.-F.-B. (n.d.). Location Privacy in Location-
Based Services: Beyond TTP-based Schemes.
[20] Mohamad Shady Alrahhal, A. A., & Muhammad Usman Ashraf,
S.A. (17). AES-Route Server Model for Location based services
in Road Network. (IJACSA) International Journal of Advanced
Computer Science and Applications, 361-368. DOI:
10.12569/IJCSA.2007.080847.

More Related Content

Similar to STATE-OF-THE-ART, CHALLENGES: PRIVACY PROVISIONING IN TTP LOCATION BASED SERVICES SYSTEMS

Privacy Preservation And Data Security In Location Based Services
Privacy Preservation And Data Security In Location Based ServicesPrivacy Preservation And Data Security In Location Based Services
Privacy Preservation And Data Security In Location Based Services
EditorJST
 
Prototyping the Future Potentials of Location Based Services in the Realm of ...
Prototyping the Future Potentials of Location Based Services in the Realm of ...Prototyping the Future Potentials of Location Based Services in the Realm of ...
Prototyping the Future Potentials of Location Based Services in the Realm of ...
IOSR Journals
 
P Sweta
P SwetaP Sweta
azd document
azd documentazd document
azd document
azeed shaik
 
Exploiting Service Similarity for Privacy in Location Based Search Queries
Exploiting Service Similarity for Privacy in Location Based Search QueriesExploiting Service Similarity for Privacy in Location Based Search Queries
Exploiting Service Similarity for Privacy in Location Based Search Queries
Migrant Systems
 
H017665256
H017665256H017665256
H017665256
IOSR Journals
 
Privacy - Preserving Reputation with Content Protecting Location Based Queries
Privacy - Preserving Reputation with Content Protecting Location Based QueriesPrivacy - Preserving Reputation with Content Protecting Location Based Queries
Privacy - Preserving Reputation with Content Protecting Location Based Queries
iosrjce
 
Hiding in the mobile crowd location privacy through collaboration
Hiding in the mobile crowd location privacy through collaborationHiding in the mobile crowd location privacy through collaboration
Hiding in the mobile crowd location privacy through collaboration
JPINFOTECH JAYAPRAKASH
 
location based service
location based servicelocation based service
location based service
Dark Side
 
H0944649
H0944649H0944649
H0944649
IOSR Journals
 
1377179967 42797809
1377179967  427978091377179967  42797809
1377179967 42797809
Editor Jacotech
 
Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...
Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...
Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...
Editor Jacotech
 
IRJET- Security Safe Guarding Location Data Proximity
IRJET- Security Safe Guarding Location Data ProximityIRJET- Security Safe Guarding Location Data Proximity
IRJET- Security Safe Guarding Location Data Proximity
IRJET Journal
 
Anonymous Usage of Location-Based Services Through Spatial and.docx
Anonymous Usage of Location-Based Services Through Spatial and.docxAnonymous Usage of Location-Based Services Through Spatial and.docx
Anonymous Usage of Location-Based Services Through Spatial and.docx
rossskuddershamus
 
Application Of Android Enabled Mobile Device For Personal Information Systems
Application Of Android Enabled Mobile Device For Personal Information SystemsApplication Of Android Enabled Mobile Device For Personal Information Systems
Application Of Android Enabled Mobile Device For Personal Information Systems
ijasa
 
A survey on hiding user privacy in location based services through clustering
A survey on hiding user privacy in location based services through clusteringA survey on hiding user privacy in location based services through clustering
A survey on hiding user privacy in location based services through clustering
eSAT Journals
 
Android application to locate and track mobile phones(aaltm) an implementati...
Android application to locate and track mobile phones(aaltm)  an implementati...Android application to locate and track mobile phones(aaltm)  an implementati...
Android application to locate and track mobile phones(aaltm) an implementati...
eSAT Journals
 
USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...
USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...
USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...
Nexgen Technology
 
User-Defined Privacy Grid System for Continuous Location-Based Services
User-Defined Privacy Grid System for Continuous Location-Based ServicesUser-Defined Privacy Grid System for Continuous Location-Based Services
User-Defined Privacy Grid System for Continuous Location-Based Services
1crore projects
 
A change of profile based on location
A change of profile based on locationA change of profile based on location
A change of profile based on location
eSAT Journals
 

Similar to STATE-OF-THE-ART, CHALLENGES: PRIVACY PROVISIONING IN TTP LOCATION BASED SERVICES SYSTEMS (20)

Privacy Preservation And Data Security In Location Based Services
Privacy Preservation And Data Security In Location Based ServicesPrivacy Preservation And Data Security In Location Based Services
Privacy Preservation And Data Security In Location Based Services
 
Prototyping the Future Potentials of Location Based Services in the Realm of ...
Prototyping the Future Potentials of Location Based Services in the Realm of ...Prototyping the Future Potentials of Location Based Services in the Realm of ...
Prototyping the Future Potentials of Location Based Services in the Realm of ...
 
P Sweta
P SwetaP Sweta
P Sweta
 
azd document
azd documentazd document
azd document
 
Exploiting Service Similarity for Privacy in Location Based Search Queries
Exploiting Service Similarity for Privacy in Location Based Search QueriesExploiting Service Similarity for Privacy in Location Based Search Queries
Exploiting Service Similarity for Privacy in Location Based Search Queries
 
H017665256
H017665256H017665256
H017665256
 
Privacy - Preserving Reputation with Content Protecting Location Based Queries
Privacy - Preserving Reputation with Content Protecting Location Based QueriesPrivacy - Preserving Reputation with Content Protecting Location Based Queries
Privacy - Preserving Reputation with Content Protecting Location Based Queries
 
Hiding in the mobile crowd location privacy through collaboration
Hiding in the mobile crowd location privacy through collaborationHiding in the mobile crowd location privacy through collaboration
Hiding in the mobile crowd location privacy through collaboration
 
location based service
location based servicelocation based service
location based service
 
H0944649
H0944649H0944649
H0944649
 
1377179967 42797809
1377179967  427978091377179967  42797809
1377179967 42797809
 
Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...
Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...
Privacy in Location-Based Services using SP-Filtering in Hide and Seek Protoc...
 
IRJET- Security Safe Guarding Location Data Proximity
IRJET- Security Safe Guarding Location Data ProximityIRJET- Security Safe Guarding Location Data Proximity
IRJET- Security Safe Guarding Location Data Proximity
 
Anonymous Usage of Location-Based Services Through Spatial and.docx
Anonymous Usage of Location-Based Services Through Spatial and.docxAnonymous Usage of Location-Based Services Through Spatial and.docx
Anonymous Usage of Location-Based Services Through Spatial and.docx
 
Application Of Android Enabled Mobile Device For Personal Information Systems
Application Of Android Enabled Mobile Device For Personal Information SystemsApplication Of Android Enabled Mobile Device For Personal Information Systems
Application Of Android Enabled Mobile Device For Personal Information Systems
 
A survey on hiding user privacy in location based services through clustering
A survey on hiding user privacy in location based services through clusteringA survey on hiding user privacy in location based services through clustering
A survey on hiding user privacy in location based services through clustering
 
Android application to locate and track mobile phones(aaltm) an implementati...
Android application to locate and track mobile phones(aaltm)  an implementati...Android application to locate and track mobile phones(aaltm)  an implementati...
Android application to locate and track mobile phones(aaltm) an implementati...
 
USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...
USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...
USER-DEFINED PRIVACY GRID SYSTEM FOR CONTINUOUS LOCATION-BASED SERVICES - IEE...
 
User-Defined Privacy Grid System for Continuous Location-Based Services
User-Defined Privacy Grid System for Continuous Location-Based ServicesUser-Defined Privacy Grid System for Continuous Location-Based Services
User-Defined Privacy Grid System for Continuous Location-Based Services
 
A change of profile based on location
A change of profile based on locationA change of profile based on location
A change of profile based on location
 

More from Rida Qayyum

A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...
A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...
A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...
Rida Qayyum
 
Steps to Find Research Topic
Steps to Find Research TopicSteps to Find Research Topic
Steps to Find Research Topic
Rida Qayyum
 
External Defense (TTP based LBS System)
External Defense (TTP based LBS System) External Defense (TTP based LBS System)
External Defense (TTP based LBS System)
Rida Qayyum
 
Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...
Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...
Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...
Rida Qayyum
 
A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...
A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...
A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...
Rida Qayyum
 
Data Security in Mobile Cloud Computing A State of the Art Review
Data Security in Mobile Cloud Computing A State of the Art ReviewData Security in Mobile Cloud Computing A State of the Art Review
Data Security in Mobile Cloud Computing A State of the Art Review
Rida Qayyum
 
A Comparative Study of Location Based Services Simulators
A Comparative Study of Location Based Services SimulatorsA Comparative Study of Location Based Services Simulators
A Comparative Study of Location Based Services Simulators
Rida Qayyum
 

More from Rida Qayyum (7)

A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...
A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...
A Critical Survey on Privacy Prevailing in Mobile Cloud Computing: Challenges...
 
Steps to Find Research Topic
Steps to Find Research TopicSteps to Find Research Topic
Steps to Find Research Topic
 
External Defense (TTP based LBS System)
External Defense (TTP based LBS System) External Defense (TTP based LBS System)
External Defense (TTP based LBS System)
 
Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...
Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...
Provisioning Privacy for TIP Attribute in Trusted Third Party (TTP) Location ...
 
A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...
A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...
A Roadmap Towards Big Data Opportunities, Emerging Issues and Hadoop as a Sol...
 
Data Security in Mobile Cloud Computing A State of the Art Review
Data Security in Mobile Cloud Computing A State of the Art ReviewData Security in Mobile Cloud Computing A State of the Art Review
Data Security in Mobile Cloud Computing A State of the Art Review
 
A Comparative Study of Location Based Services Simulators
A Comparative Study of Location Based Services SimulatorsA Comparative Study of Location Based Services Simulators
A Comparative Study of Location Based Services Simulators
 

Recently uploaded

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 

Recently uploaded (20)

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
STATE-OF-THE-ART, CHALLENGES: PRIVACY PROVISIONING IN TTP LOCATION BASED SERVICES SYSTEMS

DOI: http://dx.doi.org/10.26483/ijarcs.v10i2.6396
Volume 10, No. 2, March-April 2019
International Journal of Advanced Research in Computer Science
REVIEW ARTICLE
Available Online at www.ijarcs.info
© 2015-19, IJARCS All Rights Reserved
ISSN No. 0976-5697
Muhammad Usman Ashraf et al, International Journal of Advanced Research in Computer Science, 10 (2), March-April 2019, 68-75

Muhammad Usman Ashraf, Department of Computer Science, Government College Women University, Sialkot, Pakistan
Rida Qayyum, Department of Computer Science, Government College Women University, Sialkot, Pakistan
Hina Ejaz, Department of Computer Science, Government College Women University, Sialkot, Pakistan

Abstract: Nowadays, Location-based services (LBS) systems are commonly used by mobile users worldwide due to the immense growth of the Internet and mobile devices. A mobile user uses LBS to access services relevant to their location. LBS usage raises severe privacy concerns. A secure LBS system is required to protect three fundamental metrics: temporal information, user identity, and spatial information. Different models, such as TTP and NTTP, are used to deal with these privacy metrics. In the current study, we have conducted a comprehensive survey of the TTP privacy-protecting techniques used in LBS systems. Primarily, it aims to give mobile users full privacy when they interact with the LBS system. Moreover, it aims to provide a promising roadmap to research and development communities for the right selection of a privacy approach.

Keywords: Location-based services (LBS), Trusted Third Party (TTP), Privacy, Protection goals, k-anonymity, Mix Zone, Position Dummy

I. INTRODUCTION

Location-based services (LBS) are gaining popularity due to the high availability of smartphones with a built-in position sensor. LBS systems use the smartphone's GPS technology to trace the location. LBS currently attract millions of mobile users. Location Based Services (LBS) are also used in numerous situations such as health, commercial, work, emergency, entertainment, and personal life. For instance, as shown in Figure 1, LBS can be used to find the nearest restaurant or hospital, or a desired destination, from your location according to the shortest route [1].

Figure 1. An example of LBS

The Location-based services (LBS) architecture is shown in Figure 2, where the mobile user uses internal hardware to get the location information from the network. This collected information (latitude and longitude) is sent to the LBS service provider for computation. The service provider receives a request from the LBS user, processes it and sends a response correlated to the request back to the LBS user [20].

Figure 2. A common LBS architecture

There are five components in a Location-Based Service (LBS) system: the mobile device of the LBS user; application software that provides services; a content provider that supplies location information to mobile users; mobile internet to generate a query for services and receive the requested service; and a global positioning system (GPS). The strength of a Location-based Services (LBS) system is the ability to sense each other's location and communicate accordingly. LBS must provide an accurate location as well as the information required by the corresponding services.

Extensive adoption of Location-based Services (LBS) raises many issues for the user, such as the privacy of the user, availability of data, location information certainty, and pricing. But the most critical issue when a mobile user uses the LBS system is privacy. The user sends their actual location to a location server (LS), which stores and manages location-related information of the mobile device. Here the LBS user does not need to protect their location themselves, because they rely on the TTP LBS system. When a user requests services from the LBS system, the user must at the same time reveal their location information. At that time, their personal information is at risk. The main privacy issues regarding LBS are disclosure of the user's current location, their personal information and the time of the query. The attributes of a mobile user that should be protected are Time, Identity, and Position.

Location-based services (LBS) provide privacy in two ways: using a TTP (Trusted Third Party) or an NTTP (Non-Trusted Third Party). A TTP guarantees the privacy of its users. In a Trusted Third Party (TTP) LBS system, LBS providers have no idea of the actual locations and real identities of the mobile users. A Non-Trusted Third Party is also used to provide privacy, but without depending fully on the third party for providing privacy. In our study, we are concerned with providing privacy for the TIP (Time, Identity, and Position) attributes in Trusted Third Party (TTP) LBS systems.

The remainder of the paper is structured as follows. The protection goals of Location-Based services (LBS) are discussed in Section II. Section III presents the techniques for provisioning privacy in TTP (Trusted Third Party) LBS systems. Section IV consists of a comparative analysis, while Section V highlights discussions and recommendations for the most suitable privacy-preserving approaches. Section VI contains the conclusion of the conducted work.

II. PRIVACY PROTECTION GOALS

In a Location-based services (LBS) system, some attributes need to be protected in order to preserve the privacy of a user. Since there are many privacy-preserving approaches, before presenting them we have to clarify which protection goals there are in order to achieve the privacy of an LBS user.
The attributes which have to be protected are spatial (position), identity, and temporal (time) information. These protection goals of the mobile user define which attributes of the information need to be protected to provide full privacy to the user, and which can be revealed without a negative impact on the user's privacy. Before discussing the protection goals in detail, we illustrate the three protection goals with examples in their application context.

In one application context, assume that a user of a navigation system provides their current location to obtain services. As a result, the system provides real-time information and points of interest (POI) information related to the current user position. Consider that the user provides anonymized location information to the service provider of the navigation system. Anonymization preserves the identity attribute, but the exposure of location information can still reveal the user's identity, for example through repeatedly visited home, hospital, and work locations. For that reason, the position attribute should be protected.

In another context, consider that an LBS user shares a non-anonymous route but does not wish to reveal that they are on the GT Road and driving fast, because exposure of such information does not have a positive effect on the privacy of the LBS user. The Location Server (LS) can misuse this kind of information and give the user's personal information to unauthorized persons. In such a case, to prevent the calculation of the maximum speed, the position and time attributes have to be protected [2].

In the current study, privacy means "To hide from everyone i.e. conceal the private information from unauthorized/unknown persons".
Location privacy, in turn, is the ability to keep the actual location of the LBS user from malicious parties, so that no one is able to learn the user's past or current location. Privacy of user identity means that a malicious party with access to a location database containing the actual location of each user is unable to infer information about the user from a record, because the user is hidden from these untrusted parties. Privacy of the time of an LBS user's query means concealing the temporal information of the user from an attacker, so that the actual location of the user cannot be disclosed from the time factor.

A. User Identity

When a user makes a request to a Location-based services (LBS) system, the user benefits from hiding their identity from non-trusted parties. The aim is to conceal the information related to the user's identity while the LBS system knows the current location of the LBS user. The identity-related information can be the user's unique name, their registered account name at the LBS, or anything else that uniquely identifies the LBS user. If the location information of the LBS user is revealed but the identity-related information is not, an attacker can still infer personal information about the user by analyzing the given location information and additional visited objects.

B. Spatial Information

The user wishes to conceal their current location while making a request for services. The primary objective is to protect the position where the user is right now, even though that current location has to be sent to the LBS system. The issue is that the location information contained in the query of the LBS user allows inferring where the user can be accurately located. For instance, a student is tired from a hectic university schedule and wants to enjoy the latest movie that has been released. For this purpose, he posts a query to the LBS system: "What is the nearest cinema from my current location". Meanwhile, the user wants to protect his actual location, which he has sent to the location anonymizer. So, protection of spatial information preserves an LBS user from personal information disclosure.

C. Temporal Information

The intention is to hide the time information when a user makes a request to a Location-Based Services (LBS) system. The time at which the Location Server (LS) received the information from the user and updated the user's location information may become known, which exposes the user's updated personal information. For example, Bob is not feeling well and wants to visit the medical hospital nearest to his current location. Thus, he posts a query to the LBS system: "What is nearest medical hospital from my current location". Meanwhile, the user wants to hide his actual location, his real identity and the time of the query from the adversary. So, protection of time information can also save an LBS user from personal information disclosure.

It is assumed that from a single message containing location information L it is not possible to draw conclusions about the user. This means that the sender of the message cannot be identified from L. Other information, such as a username or metadata carried by the messages sent from the user to the LBS, may identify the user, depending on the application.
Golle et al. [3] show that user identity can be derived from several disclosed locations. If an application is able to link several queries containing location information, and some of the locations correspond to the user's home or workplace, the user might be easy to identify. In those cases, where the identity of a user is willingly or unwillingly revealed, it would not be possible to relate subsequent location updates to the LBS user.

To achieve these three protection goals, the aim is to rely on a Trusted Third Party (TTP), with which the Location-based Services (LBS) system fully preserves the privacy of where the user lives and makes it impossible for an attacker to track that user [4]. With this intermediate entity, the LBS preserves the privacy of the user through the TTP architecture, which supports different types of queries [7]. The database server in which the query is stored and managed has no idea about the actual location information of the mobile user. The LBS user receives a set of multiple answers that includes the real answer. This answer set does not contain the user's actual position. Only the user knows their true position and infers the correct answer to the query from the given set.

III. PRIVACY PROVISIONING TECHNIQUES IN TTP LOCATION BASED SERVICES SYSTEM

This section describes existing approaches that have been proposed by many authors. Each framework preserves the privacy of the mobile user in its own way. There are several Trusted Third Party (TTP) based techniques whose objective is to preserve the privacy of LBS users.

Location Cloaking [5] uses a trusted location anonymizer that creates a cloaking region containing the position of a user and k-1 other neighbors. This type of anonymizer protects the user's identity and location. To find the nearest hospital, the user generates a request and sends it to the middleware through a mobile network. The trusted anonymizer, which knows the real locations of all users using the LBS, first authenticates the requester and then creates a cloaking region (CR) containing the user's actual position and the positions of its k-1 neighbors; this cloaking region is sent to the location server which acts as a trusted anonymizer. The location server (LS) then answers for the whole CR. Permanent communication and remote checking of the user are required to let the anonymizer frequently update the current position of all subscribed users of the LBS, which is obviously a violation of the users' privacy. The anonymizer needs to protect the query time of the user along with his identity and location.

Gruteser and Grunwald [6] present the concept of the k-anonymity technique. In k-anonymity, the mobile user determines an obfuscation region that contains their true position and k-1 other users. The user protects their current location with a pseudonym. Here, the Location Server acts as a trustworthy entity that computes the obfuscation region containing the mobile user's position and the set of k users. As exemplified in Figure 3, Bob is at home and posts a query to the LBS for the nearest dental clinic. Here, the intermediate entity does not reveal Bob's true position or the medical problem he has. Through this framework, Bob cannot be identified as the real user, and the attacker is unable to associate the provided locations with Bob's current location. K-anonymity preserves user identity very well, but it does not provide adequate protection against attribute disclosure.

Several techniques build on the k-anonymity framework in order to preserve the privacy of the LBS user. In the Casper scheme, Mokbel et al. [7] compute the obfuscation region based on user-defined k values, which define that the user wants to conceal their location-related information within a region. The Clique Cloak technique [8, 9], proposed by Gedik et al., calculates the k-anonymity set and implements temporal and position cloaking.

Figure 3. A user scenario for K-Anonymity

The strong k-anonymity technique was proposed by Zhang et al. [10]. K-anonymity can be achieved using the concepts of generalization and suppression. In generalization, a value is changed to a semantically consistent but less specific value. In suppression, tuples are suppressed so that less generalization is needed to achieve k-anonymity. This technique assures strong k-anonymity with less distorted results. A value is exchanged for a trustworthy one that is more general and less specific than the original value. For example, the original ZIP codes {03136, 03137} can be generalized to 0313*, stripping the rightmost digit and thereby indicating a semantically larger geographical area. Strong k-anonymity is not always satisfied by generalization, even though all Datafly generalizations do satisfy k-anonymity. More work is required on this heuristic-based approach.

Bamba et al. proposed the concept of l-diversity [11]. In this approach, there is a set of l different physical positions such as hospitals, universities, cinemas, shopping malls, etc. This approach ensures that the user's location is indistinguishable within the set of k users and that the positions are located at a sufficient distance from each other. In the obfuscation area, there are hundreds of uniformly distributed users, while the remaining k users arbitrarily send their messages about aggregation. We set l = k/2 to ensure privacy in l-diversity. Consider that user A, in an arbitrary position, sends only one request to the Location Server (LS). This technique needs much effort to preserve user privacy.
So, this requires a better privacy level, because there is a symbolic logic between the attributes, which have distinct values, and each value has a different sensitivity level.

Li et al. present the concept of t-closeness [12]. This technique extends the concept of l-diversity. The parameter t represents the distance between attribute disclosure within the cluster of k users and the total set of users, over the same distribution. The distance should not be minimum than an assured threshold. For example, disease and salary are two sensitive attributes. If one knows that Bob's salary is in the range [4K–6K], one can conclude that Bob's salary is comparatively low. An attacker can target not only numeric values like salary but also categorical values like disease, which enables the attacker to infer that Bob has cancer. With 0.176-closeness w.r.t. Salary and 0.878-closeness w.r.t. Disease, Trudy cannot conclude that Bob has a low salary and cancer. The t-closeness principle can be applied using a distance measure; for this, the Earth mover's distance (EMD) is the best measure, but certainly not a perfect one.

The concept of p-sensitivity [13] was presented by Domingo-Ferrer et al. In p-sensitivity, 1/k is the probability of correctly identifying an individual user and 1/p is the probability of revealing sensitive information of an individual user. One method to protect each user from a location attack is to de-link each user request from its creator, confusing the attacker with more than one user present in the cloaking region (CR). For instance, all k users of a cloaking region (CR) have diabetes. In this case, an adversary certainly knows that the actual person also has flu infection.

Mascetti et al. [14] guarantee historical k-anonymity. In this technique, the system keeps track of each user's movement and uses this information to build the anonymity area. The mobile user sends the request for services to that anonymity area. Suppose the location server covers the region containing the points of interest for each user in the system. Each point of interest can be linked to a fixed temporal interval and covers a location to some extent. The user is obviously moving continuously from one location to another. The movement history in the system therefore yields the locations most visited by the user and the approximate times of the visits. These regular and habitual visits can put the user's privacy in danger. As the mobile user posts queries to the LBS to request services, their movement track in the system can easily disclose their identity.
Therefore, a better and more suitable approach within the k-anonymity framework is needed to protect the user's position as well as the content of the user's query.

Kido et al. [15] presented the position dummies technique, which protects the actual user position by sending the Location Server (LS) multiple false locations called "dummies" along with the user's true position. At the same time, it is a challenge to create dummies that cannot be distinguished from the actual user position, in particular if an attacker is able to track the user for a longer time and has context information about the user. Once the user changes position from point A to B, they send a new query with their current location and multiple new false positions related to the new place. The working of the dummy-based approach is illustrated in Figure 4.

Figure 4. Example of Position Dummy

Shankar et al. [16] proposed the SybilQuery approach, an advanced method to generate dummies. In this technique, it is assumed that the user knows a historic traffic database, which allows them to generate dummies that cannot be distinguished from the actual mobile user location. SybilQuery is helpful for users who want to create dummies.

Mix Zone was proposed by Beresford et al. [17]. This approach defines areas called mix zones, in which user positions are mixed such that an LBS user's actual position is not known to others within these zones, where all user positions are protected. As shown in Figure 5, when users enter this special zone their identity is mixed with that of other users, and in this zone the user identity is protected by changing pseudonyms. Hence, an adversary cannot differentiate between distinct pseudonyms of the user even after knowing the arrival and departure of the user in the mix zone. Moreover, mix zones are replacing the concept of the spatial cloaking technique and provide protection of location privacy.

Figure 5. An example of Mix Zone

Palanisamy and Liu [18] proposed MobiMix. This technique applies the mix zone concept to the road network. By analyzing various context information, an attacker can derive detailed information such as position and temporal information. The timing information of users entering and exiting a mix zone, and the non-uniform transitions taking place at road junctions, help the attacker to easily distinguish between the new and old pseudonyms. But it assures that there is unlinkability between the new and old pseudonyms when a user spends random time in a mix zone. However, a mix zone usually exposes information about the user, as it does not ensure a random duration for its users. In the future, there is a need to consider more practical attack models based on travel presence and background knowledge to examine mix zone placing and manufacturing problems.

Policy-based schemes were proposed by Jiang et al. [19], in which policies are made to protect mobile user privacy while using the LBS system. These policies are statements that specify what a service provider can do with the mobile user's private information. The privacy policies are issued by service providers. It is then up to the mobile user to decide whether such policies are suitable for them or not. The policy statements are based on many widely used languages and concepts. The user makes an agreement with the service provider to determine what happens with the data collected from them. Moreover, through this agreement the user comes to know what data is collected, with whom it will be shared and how data can be dispensed to third parties. In this scheme, control over data protection is in the user's hands, as he decides what, when and how information about him is disclosed to unknown persons. The mobile user has a number of policies and can carefully select the policy that fulfills his privacy needs. The user can save some amount of money by relying on the adopted policy, but in return service providers can hand over the user data to others in exchange for money.

Pseudonymisers [19] are a trusted third party between service providers and mobile users. Their main function is to receive the user request and forward it to the service provider. Meanwhile, the pseudonymiser replaces the user's true identity with a fake one. Hence, the service provider is unaware of the user's real identity. The pseudonymiser just stores the user's true identity with the matching pseudonym so that it can respond to the mobile user with a set of answers. Basically, an LBS user can rely on this framework and can fully trust that their personal information is not disclosed to others. For example, Alice is a neighbor of Bob and frequently meets him. Alice knows Bob's age and his ZIP code. She also knows that Bob's data is saved in the file. By only knowing Bob's identity, she can infer the disease Bob has, which is stored in the hospital record.

Route Server [20] hands over authentic and efficient results for position queries. To post a route query there is a set of queries Q = {q1, q2, q3, ..., qn}, and each query q belongs to the set Q; it allows an attacker to generate some wrong information by acknowledging the user's actual location information. Hence, the important challenge for Route Server was provisioning privacy to mobile users against an attacker who will conclude the wrong data in actual data when an LBS user wants to send a query to the system from any other Point of Interest (POI). To improve privacy in the Route Server (RS) algorithm, a new accurate technique has been presented, the AES-RS architecture.
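The pseudonymiser and cloaking-region roles of the trusted third party described in this section can be combined so that one request is stripped of all three TIP attributes before it reaches the provider. The following is an added example, not code from the paper or from any cited system: the class `TrustedAnonymizer`, the function `lbs_answer`, the 300-second time bucket, the `min_side` padding and all sample coordinates are assumptions made for illustration, and requester authentication is left out.

```python
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CloakedQuery:
    pseudonym: str       # identity: random, single-use stand-in for the user id
    region: tuple        # position: (min_x, min_y, max_x, max_y) cloaking region
    time_window: tuple   # time: (start, end) bucket instead of the exact second
    text: str


class TrustedAnonymizer:
    """Hypothetical TTP sitting between mobile users and the LBS provider."""

    def __init__(self, k, time_bucket_s=300, min_side=0.5):
        self.k = k
        self.time_bucket_s = time_bucket_s
        self.min_side = min_side     # floor on region width and height
        self._positions = {}         # real user id -> (x, y); never leaves the TTP
        self._pending = {}           # pseudonym -> real user id

    def update_position(self, user_id, x, y):
        self._positions[user_id] = (x, y)

    def cloak(self, user_id, text, timestamp):
        here = self._positions[user_id]
        others = [p for u, p in self._positions.items() if u != user_id]
        if len(others) < self.k - 1:
            # Fail closed: forwarding a smaller group would silently weaken k.
            raise ValueError("fewer than k users known; query not forwarded")
        others.sort(key=lambda p: math.dist(p, here))
        group = [here] + others[: self.k - 1]
        xs, ys = [p[0] for p in group], [p[1] for p in group]
        region = self._widen(min(xs), min(ys), max(xs), max(ys))
        start = timestamp - timestamp % self.time_bucket_s
        pseudonym = secrets.token_hex(8)   # fresh per query, so queries do not link
        self._pending[pseudonym] = user_id
        return CloakedQuery(pseudonym, region,
                            (start, start + self.time_bucket_s), text)

    def _widen(self, x0, y0, x1, y1):
        # k users standing in one spot would give a point-sized region; pad it.
        pad_x = max(0.0, self.min_side - (x1 - x0)) / 2
        pad_y = max(0.0, self.min_side - (y1 - y0)) / 2
        return (x0 - pad_x, y0 - pad_y, x1 + pad_x, y1 + pad_y)

    def deliver(self, pseudonym, candidates):
        """Map the answer set back to the user and keep only the true nearest."""
        user_id = self._pending.pop(pseudonym)   # a pseudonym resolves only once
        here = self._positions[user_id]
        return user_id, min(candidates, key=lambda poi: math.dist(poi[1], here))


def lbs_answer(query, pois):
    """Provider side: sees only the region, returns a superset of possible answers."""
    x0, y0, x1, y1 = query.region
    centre = ((x0 + x1) / 2, (y0 + y1) / 2)
    half_diag = math.dist((x0, y0), (x1, y1)) / 2
    # Every point in the region has some POI within this radius, so its nearest
    # POI cannot lie farther than `radius` from the region.
    radius = half_diag + min(math.dist(p, centre) for _, p in pois)

    def dist_to_region(p):
        dx = max(x0 - p[0], 0.0, p[0] - x1)
        dy = max(y0 - p[1], 0.0, p[1] - y1)
        return math.hypot(dx, dy)

    return [(name, p) for name, p in pois if dist_to_region(p) <= radius]


def demo():
    # Constructed sample data: five users and four clinics on a kilometre grid.
    ttp = TrustedAnonymizer(k=3)
    users = {"bob": (2.0, 2.0), "u2": (2.5, 3.0), "u3": (4.0, 1.5),
             "u4": (9.0, 9.0), "u5": (0.5, 8.0)}
    for uid, (x, y) in users.items():
        ttp.update_position(uid, x, y)
    pois = [("clinic-A", (2.2, 1.0)), ("clinic-B", (4.5, 2.0)),
            ("clinic-C", (9.5, 9.5)), ("clinic-D", (1.0, 6.0))]
    query = ttp.cloak("bob", "nearest dental clinic", timestamp=1_000_123)
    candidates = lbs_answer(query, pois)
    return query, candidates, ttp.deliver(query.pseudonym, candidates)
```

In `demo()` the provider never receives `bob`, the point (2.0, 2.0) or the exact second of the query; it sees a random pseudonym, a rectangle covering three users and a five-minute window, and returns two candidate clinics from which the anonymizer picks the true nearest.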
AES-RS architecture [20] is an enhanced version of the Route Server algorithm. It is based on the position dummy approach, in which a number of dummy (fake) positions are generated along with a single user request. This architecture mainly protects the LBS user's true position from the attacker. Before posting a query to the Location-based Services (LBS) system, it determines Lower limit (L) and Upper limit (U) coordinates, which partition the Grid (G) into an equal number of cells. Here, each individual cell (E, V) ∈ C, showing that an equal number of cells belongs to the set of Edges (E) and Vertices (V). To create position dummies (fake positions), vertices are computed far away from each cell and the LBS user's real location is attached to one cell. In the end, the dummy (fake) locations of k users are kept in an array along with an index of the mobile user's true location. This is proposed in the dummy data array algorithm. AES-RS system performance enhances and reduces after a particular time interval. This change raises the usage of the LBS system as one server. A change in delay is preserved by appealing to a distributed approach for maximum utilization of LBS servers.

IV. COMPARATIVE ANALYSIS

Having studied all previous approaches, we now critically analyze the techniques used to provide privacy for the TIP (Time, Identity, Position) attributes in Trusted Third Party (TTP) Location Based Services (LBS) systems. The limitations and future directions of the existing approaches are given in Table I.

Table I. Approaches for TTP Location Based Services System
Trusted Third Party (TTP) based approaches
(Columns: No., Techniques/Approaches, Short Description, Privacy Level, Limitations, Future Work)

1. Location Cloaking
   Short Description: Location Cloaking uses a trusted location anonymizer, and a cloaking region is created which contains the location of a user and k-1 other neighbors.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: Remote checking of the user is required to let the anonymizer frequently update the current position of all subscribed users of the LBS, which is a violation of the user's privacy.
   Future Work: The anonymizer needs to protect the query time of the user along with his identity and location.

2. Gruteser and Grunwald, k-Anonymity
   Short Description: This approach is based on the concept that a mobile user describes an obfuscation region containing his true position and k-1 other users.
   Privacy Level: Identity: Yes; Spatial Info: No; Temporal Info: No
   Limitations: K-anonymity protects the identity of the LBS user but does not provide protection against attribute disclosure.
   Future Work: Protect user location and time information along with identity.

3. Zhang et al., strong k-anonymity
   Short Description: K-anonymity can be achieved using generalization and suppression. This technique assures strong k-anonymity with less distorted results.
   Privacy Level: Identity: Yes; Spatial Info: No; Temporal Info: No
   Limitations: Using generalization and suppression lessens its computational efficiency.
   Future Work: More work is required on this heuristic-based approach.

4. Bamba et al., l-diversity
   Short Description: There is a set of l different physical positions. This approach ensures that the user location is indistinguishable within the set of k users and that the positions are located at a sufficient distance from each other.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: l-diversity may be unnecessary to achieve. It is insufficient to avoid attribute disclosure.
   Future Work: There is a semantic relationship between the values of the attribute, so various levels of privacy are required.

5. Li et al., t-closeness
   Short Description: This technique extends the concept of l-diversity. The parameter t represents the distance between attribute disclosures within the cluster of k users.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: Basically, the Earth mover's distance (EMD) is not a perfect principle for measuring other distance in t-closeness.
   Future Work: It may be beneficial to use both k-anonymity and t-closeness together to protect against both identity and attribute disclosure.

6. Domingo-Ferrer et al., p-sensitivity
   Short Description: The method to protect each user from a location attack is to de-link each user request from its creator, confusing the attacker with more than one user present in the cloaking region (CR).
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: Information loss is higher when p-sensitivity is enforced on a dataset compared to when the dataset is masked according to k-anonymity only.
   Future Work: This approach presents a Greedy Algorithm that protects against both identity disclosure and attribute disclosure.

7. Mascetti et al., historical k-anonymity
   Short Description: In this technique, the system keeps track of each user's movement and uses this information to build the anonymity area.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: In historical k-anonymity, regular and habitual visits of the user can put his privacy in danger.
   Future Work: Regarding k-anonymity methodologies, there is a need for extended research that preserves the information of the user request in addition to the user's actual location.

8. Kido et al., Position Dummies
   Short Description: The dummy position technique is used to protect a user's actual position by sending the Location Server (LS) multiple false locations called "dummies" along with the user's true position.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: It is a great challenge to create dummies that cannot be distinguished from the actual user position.
   Future Work: This approach preserves privacy of user identity and location. The time factor also needs to be protected.

9. Beresford et al., Mix Zone
   Short Description: This approach defines areas called mix zones; user positions are mixed in these zones in such a way that a user position is not recognized within these mix zones, where all user positions are protected.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: The existing mix-zone idea fails to provide impressive mix-zone construction algorithms that are effective for mobile users moving on road networks.
   Future Work: This approach preserves privacy of user identity and location. The time factor also needs to be protected.

10. Palanisamy and Liu, MobiMix
   Short Description: This technique applies the mix zone concept to the road network. By analyzing various context information, an attacker can derive detailed information such as position and temporal information.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: A MobiMix zone usually exposes information about users; there is unlinkability between the new and old pseudonyms when a user spends random time in a mix zone.
   Future Work: In the future, there is a need to consider more practical attack models based on travel presence and background knowledge to examine mix zone placing and manufacturing problems.

11. Policy-based schemes
   Short Description: Policies are made to protect mobile user privacy while using the Location-based services (LBS) system. These privacy policies are issued by service providers.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: According to the selected policy, the user can save some amount of money by relying on the adopted policy, but in return service providers can hand over the user data to others in exchange for money.
   Future Work: There is a need to make more and better policy-based schemes for preserving user personal data.

12. Jiang et al., Pseudonymisers
   Short Description: Pseudonymisers are a trusted third party between service providers and mobile users. Their main function is to receive the user request and forward it to the service provider. Meanwhile, the pseudonymiser replaces the user's true identity with a fake one.
   Privacy Level: Identity: No; Spatial Info: Yes; Temporal Info: No
   Limitations: The main problem of this technique is that the service provider can infer the actual identity of the LBS user by linking the location of the user.
   Future Work: There is a need to make it impossible to identify the data subject by analyzing the related data.

13. Route Server
   Short Description: Route Server hands over authentic and efficient results for position queries.
   Privacy Level: Identity: Yes; Spatial Info: Yes; Temporal Info: No
   Limitations: The important challenge for RS was provisioning privacy to the mobile users from an attacker
   Future Work: In Route Server (RS) algorithm to improve privacy, have proposed a new accurate
  • 7. Muhammad Usman Ashraf et al, International Journal of Advanced Research in Computer Science, 10 (2), March-April 2019, 68-75 © 2015-19, IJARCS All Rights Reserved 74 who will conclude the wrong data in actual data when LBS user posted a query to the system. approach which is AES-RS architecture. 14 AES-RS architecture AES-RS is based on position dummy approach in which a number of dummy (fake) positions are generated along with a single user request. Identity: Yes Spatial Info: Yes Temporal Info: No AES-RS system performance enhance and reduce after a particular time interval. This change raises the usage of LBS system as one server. Delay variation might be possible to maintain by the distributed approach in which multiple LBS server is used. Table 1: gives the information regarding trusted third party based approaches/techniques that include description, privacy level, limitation and future work. V. DISCUSSION AND RECOMMENDATION The current study highlighted three attributes such as time, identity and position to preserve user privacy in a Trusted Third Party (TTP) Location Based Services (LBS) system. Several approaches has been studied for this purpose. Location Cloaking technique uses a trusted location anonymizer and replace the actual location of a user with a cloaking region (CR) and this type of anonymizer protect user’s identity and location. Pseudonymisers’ framework is the plain intermediate entity between LBS users and location server (LS). It accepts the user requests, and before forwarding them to the service provider, there is a replacement between original IDs of the user and the fake ones. Pseudonyms to protect user identity. K-anonymity approach in which Location server (LS) act as anonymizer which protects against identity disclosure. 
There are some enhanced versions of k-anonymity which protect against attribute disclosure but do not protect against identity disclosure properly, and some of them protect against attribute and identity disclosure at the same time. Thus, it may be beneficial to use both k-anonymity and t-closeness (the latest version of k-anonymity) together to protect against both identity and attribute disclosure. The p-sensitivity approach presents a Greedy Algorithm that protects against both identity and attribute disclosure. Position Dummies is an approach in which the LBS user sends its actual position along with multiple fake positions. This approach preserves the privacy of user identity and location. Another approach, Mix Zone, is also used to preserve the privacy of user identity and location. In this approach, there is a special area defined by the trusted third-party Location Server (LS) where mobile users change their pseudonyms, so that within these defined areas the user's actual position is not known. The MobiMix approach implements the mix zone concept over road networks. The Route Server (RS) approach provides the LBS system with efficient results for spatial queries. To improve the privacy factor in the Route Server algorithm, a new security approach, AES-RS, has been proposed. The AES-RS technique uses the dummy position concept: when a user query is generated, the user's position is mixed with the dummy positions. This was an improvement of the Route Server (RS) algorithm and protects the location-related information of LBS users from any attack. The position dummy, t-closeness, and mix zone approaches protect only user identity and position information. Temporal information also needs to be protected along with user identity and spatial information to provide privacy for LBS users. If we work on these approaches, it would be possible to achieve our protection goals, i.e. Time, Identity, Position, in a Trusted Third Party (TTP) Location Based Services (LBS) system.

VI. CONCLUSION

There are millions of mobile users currently using the Location-Based Services (LBS) system. These services make information available based on the geographical location of the user. But the improper use of location information puts user privacy at risk. The current research focuses on user privacy in the LBS system. In detail, it distinguishes between the identity attribute, position attribute, and temporal attribute. This paper presented an absolute survey of different well-suited privacy approaches in the Trusted Third Party (TTP) Location-Based Services (LBS) system. The main purpose of the conducted survey was to provide a proper environment to the location-based services system and reduce the privacy issues between the user and the Location Server (LS). In future, if we work more on Position Dummy, t-closeness and mix zone, we can provide full privacy to the user and achieve the protection goals together.

VII. ACKNOWLEDGMENT

This work was performed under the auspices of the Department of Computer Science and Information Technology, Govt. College Women University, Sialkot, Pakistan by Heir Lab-78. The authors would like to thank Dr. Muhammad Usman Ashraf for his insightful and constructive suggestions throughout the research.

VIII. REFERENCES

[1] Hidetoshi Kido, Y. Y., & Satoh, T. (2005). Protection of Location Privacy using Dummies for Location-based Services. Proceedings of the 21st International Conference on Data Engineering (ICDE ’05).
[2] Marius Wernke, P. S., & Frank Dürr, K. R. (n.d.). A Classification of Location Privacy Attacks and Approaches. 1-24.
[3] P. Golle and K. Partridge. On the anonymity of home/work location pairs. In H. Tokuda, M. Beigl, A. Friday, A. J. B. Brush, and Y. Tobe, editors, Pervasive computing, volume 5538 of Lecture Notes in Computer Science, pages 390–397. Springer, Berlin, 2009.
[4] Chi-Yin Chow, M. F. (n.d.). Privacy in Location-based Services: A System Architecture Perspective. 23-27.
[5] Neeta B. Bhongade, G. P. (2015). A Review of Privacy Preserving LBS: Study of Well-Suited Approaches. International Journal of Engineering Trends and Technology (IJETT), 62-65.
[6] Gruteser, M., Grunwald, D.: Anonymous usage of location-based services through spatial and temporal cloaking. In: Proceedings of the 1st international conference on Mobile systems, applications and services (MobiSys ’03), New York, NY, USA, ACM (2003) 31–42.
[7] Mokbel, M.F., Chow, C.Y., Aref, W.G: The new casper: query processing for location services without compromising privacy. In: Proceedings of the 32nd international conference on Very large data bases (VLDB ’06), VLDB Endowment (2006) 763–774.
[8] Gedik, B., Liu, L: Location privacy in mobile systems: A personalized anonymization model. In: International Conference on Distributed Computing Systems (ICDCS 2005). (2005) 620–629.
[9] Gedik, B., Liu, L: Protecting location privacy with personalized k-anonymity: Architecture and algorithms. IEEE Transactions on Mobile Computing 7(1) (January 2008) 1–18.
[10] Zhang, C., Huang, Y: Cloaking locations for anonymous location based services: a hybrid approach. Geoinformatica 13(2) (June 2009) 159–182.
[11] Bamba, B., Liu, L., Pesti, P., Wang, T: Supporting anonymous location queries in mobile environments with privacygrid. In: Proceeding of the 17th international conference on World Wide Web (WWW ’08), New York, NY, USA, ACM (2008) 237–246.
[12] Li, N., Li, T., Venkatasubramanian, S.: t-closeness: Privacy beyond k-anonymity and l-diversity. In: Proceedings of the IEEE 23rd International Conference on Data Engineering (ICDE 2007). (April 15–20, 2007) 106–115.
[13] Solanas, A., Sebé, F., Domingo-Ferrer, J.: Micro-aggregation-based heuristics for p sensitive k-anonymity: one step beyond. In: Proceedings of the 2008 international workshop on Privacy and anonymity in information society (PAIS ’08), New York, NY, USA, ACM (2008) 61–69.
[14] Mascetti, S., Bettini, C., Wang, X.S., Freni, D., Jajodia, S: Providenthider: An algorithm to preserve historical k-anonymity in lbs. In: IEEE International Conference on Mobile Data Management (MDM 2009). Volume 0, Los Alamitos, CA, USA, IEEE Computer Society (2009) 172–181. DOI 10.1109/MDM.2009.28
[15] Kido, H., Yanagisawa, Y., Satoh, T.: An anonymous communication technique using dummies for location-based services. In: Proceedings of the International Conference on Pervasive Services (ICPS ’05). (July 11–14, 2005) 88–97.
[16] Shankar, P, Ganapathy, V., Iftode, L.: Privately querying location-based services with sybilquery. In: International Conference on Ubiquitous Computing (UbiComp 2009). (2009) 31–40.
[17] Beresford, A.R, Stajano, F: Mix zones: User privacy in location-aware services. In: PerCom Workshops. (2004) 127–131.
[18] Palanisamy, B., Liu, L: Mobimix: Protecting location privacy with mix-zones over road networks. In: Proceedings of the 2011 IEEE 27th International Conference on Data Engineering. ICDE ’11, Washington, DC, USA, IEEE Computer Society (2011) 494–505.
[19] Agusti Solanas, J. D.-F.-B. (n.d.). Location Privacy in Location-Based Services: Beyond TTP-based Schemes.
[20] Mohamad Shady Alrahhal, A. A., & Muhammad Usman Ashraf, S.A. (17). AES-Route Server Model for Location based services in Road Network. (IJACSA) International Journal of Advanced Computer Science and Applications, 361-368. DOI: 10.12569/IJCSA.2007.080847.
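The cloaking-region and pseudonym replacement that the Discussion attributes to a trusted anonymizer, as an added example that is not code from the paper or from any of the surveyed systems: it builds a k-anonymous cloaking region and shows that the query time is forwarded unchanged, which is the "Temporal Info: No" gap in Table 1. The quadtree-style subdivision, the service-area bounds, the minimum cell size and all function and field names are assumptions made for illustration.

```python
import secrets

BOUNDS = (0.0, 0.0, 1024.0, 1024.0)  # assumed service area (x0, y0, x1, y1)
MIN_SIDE = 1.0                        # assumed smallest cell side, stops endless splitting

def inside(region, point):
    """Half-open containment test: x0 <= x < x1 and y0 <= y < y1."""
    x0, y0, x1, y1 = region
    return x0 <= point[0] < x1 and y0 <= point[1] < y1

def cloak(users, requester, k, bounds=BOUNDS):
    """Smallest quadtree cell that holds the requester and at least k users in total."""
    pos = users[requester]
    if not inside(bounds, pos) or sum(inside(bounds, p) for p in users.values()) < k:
        raise ValueError("k users are not available: the request must be suppressed")
    region = bounds
    while True:
        x0, y0, x1, y1 = region
        mx, my = (x0 + x1) / 2, (y0 + y1) / 2
        # Quadrant of the current region that contains the requester.
        quad = (x0 if pos[0] < mx else mx, y0 if pos[1] < my else my,
                mx if pos[0] < mx else x1, my if pos[1] < my else y1)
        count = sum(inside(quad, p) for p in users.values())
        if count < k or (mx - x0) < MIN_SIDE:
            return region  # the next split would break k-anonymity or be too small
        region = quad

def anonymize(users, request, k):
    """Message the trusted third party forwards to the location server."""
    return {
        "pseudonym": secrets.token_hex(8),           # identity replaced by a fresh pseudonym
        "region": cloak(users, request["user"], k),  # exact position replaced by the CR
        "time": request["time"],                     # forwarded unchanged: not protected
        "query": request["query"],
    }

# Constructed sample data (not from the paper).
USERS = {"alice": (100, 100), "bob": (120, 130), "carol": (400, 90),
         "dave": (700, 800), "erin": (90, 480)}
REQUEST = {"user": "alice", "time": 1554100000, "query": "nearest pharmacy"}

if __name__ == "__main__":
    for k in (2, 3, 5):
        print(k, cloak(USERS, "alice", k))
    print(anonymize(USERS, REQUEST, 2))
```

A larger k widens the region the location server sees, while the unchanged `time` field remains available for correlating requests.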