Location Guard is a browser extension that allows to protect your location while using location-aware websites, by adding controlled noise to it. It supports the followng browsers:
- Google Chrome / Chromium (install)
- Mozilla Firefox (install)
- Microsoft Edge (install)
- Opera (install)
Location Guard is available under either the MIT/X11 or the CeCILL-B license.
Websites can ask the browser for your location (via JavaScript). When they do so, the browser first asks your permission, and if you accept, it detects your location (typically by transmitting a list of available wifi access points to a geolocation provider such as Google Location Services, or via GPS if available) and gives it to the website.
Location Guard is a browser extension that intercepts this procedure. The permission dialog appears as usual, and you can still choose to deny. If you give permission, then Location Guard obtains your location and adds "random noise" to it, creating a fake location. Only the fake location is then given to the website.
To see Location Guard in action use this demo, a geolocalized weather forecast, or go to Google Maps and press the button. When the website asks for your location you will see the the icon in the address bar (which also provides configuration options).
Location Guard provides privacy within a certain protection area by ensuring that all locations within this area look plausible for being the real one. This is achieved by adding random noise in a way such that all locations within the protection area can produce the same fake location with similar probability. As a consequence, the fake location provides no information to the website for distinguishing between locations within the protection area.
Warning: background knowledge can still be used by websites to guess the real location within the protection area. For instance, if the protection area is in the middle of a lake containing only a small island, it will be easy to infer that the real location is on the island. In scenarios like this you should choose a higher privacy level or deny disclosing your location at all.
The privacy level determines the amount of noise added to your real location. A higher level adds more noise, so the fake location will be further away from the real one. This offers protection within a larger area, but it might make the service provided by the website less useful.
By default all websites use the "medium" level (this can be changed from the extension's options). You can select a different level for a specific website using the icon. For instance, you could select a lower privacy level for websites that need an accurate location (eg. maps), and a higher one for websites that only need approximate information (eg. weather forecast).
For more flexibility, each level can be configured from the Privacy Levels tab. The red circle is the protection area: locations in this area look plausible to be the real one (see "What kind of privacy does Location Guard provide?" above). The blue circle is the accuracy: the fake location will be inside this circle with high probability (note that the noise is random). Use the slider to adapt the two areas to your needs.
The privacy level can be set to "Use fixed location". In this case Location Guard always reports to the website a predefined fixed location that never changes (instead of generating a fake location by adding noise to the real one). This offers the highest privacy, since the reported location is completely independent from the real one, at the cost of very low accuracy.
You can modify the fixed location from the extension's options (Fixed Location tab).
When using a fixed location, the browser's geolocation is not performed at all. This offers better privacy, since the list of wifi access points is not transmitted to Google's servers. However, it has the side effect that the permission dialog is not displayed at all. This behaviour is usually acceptable when the fixed location is dummy, but it can be modified if you wish.
Some websites detect your location based on your IP address (a numerical label associated with every device on the Internet), which is visible to all websites you visit. However, most of the time this type of geolocation is not accurate and is limited to the city or postal/zip code level. Examples of such websites are iplocation.net and tracemyip.org.
Location Guard does not protect your IP address; it hides the location revealed by the browser through the JavaScript API, which is usually very accurate. More information about how the browser obtains your location can be found here.
To hide your IP address you need to use some anonymous communication system such as Tor. Note, however, that even if your IP address is hidden, your browser can still reveal your location through JavaScript, so you need to also use Location Guard.
Location Guard takes your privacy seriously! First, the extension itself has no "special permission" to access your location, it can obtain it only when a website asks for it and only if you allow access in the permission dialog.
Location Guard runs locally in your browser and sends no information whatsoever to the network. It only communicates your fake location to the website that asks for it.
Location Guard also never stores your real location. The fake location is cached for a small period of time; if a website asks for your location during this time the cached fake location will be returned. This improves privacy by avoiding to generate too many fake locations which would be centered around the real one. The cache period can be configured from the extension's options (Privacy Levels tab) and there is also a button to delete the cache.
Location Guard is a product of research carried out at the Ecole Polytechnique of Paris, CNRS and Inria. It is based on work by Miguel Andrés, Nicolás Bordenabe, Kostas Chatzikokolakis, Catuscia Palamidessi and Marco Stronati.
Location Guard implements a location obfuscation technique based on adding noise from a 2-dimensional Laplace distribution. This method can be formally shown to provide a privacy guarantee which is a variant of Differential Privacy. More details can be found in the CCS'13 paper, or in the PhD thesis of Nicolas Bordenabe.
-
Measuring Privacy with Distinguishability Metrics: Definitions, Mechanisms and Application to Location Privacy.
N. Bordenabe. PhD dissertation, École Polytechnique, Paris, 2014. SIGSAC Doctoral Dissertation Award 2015. [pdf] -
Designing Location Privacy Mechanisms for flexibility over time and space. M. Stronati. PhD dissertation, École Polytechnique, Paris, 2015. [pdf]
- Geo-Indistinguishability: Differential Privacy for Location-Based Systems.
M. Andres, N. Bordenabe, K. Chatzikokolakis and C. Palamidessi.
Proc. of CCS '13, ACM, pp. 901-914, 2013. [report] - Broadening the Scope of Differential Privacy Using Metrics.
K. Chatzikokolakis, M. Andres, N. Bordenabe and C. Palamidessi.
Proc. of PETS '13, Springer, LNCS 7981, pp. 82-102, 2013. [report] - A Predictive Differentially-Private Mechanism for Mobility Traces.
K. Chatzikokolakis, C. Palamidessi and M. Stronati.
Proc. of PETS '14, Springer, LNCS 8555, pp. 21-41, 2014. [report] - Optimal Geo-Indistinguishable Mechanisms for Location Privacy.
N. Bordenabe, K. Chatzikokolakis and C. Palamidessi.
Proc. of CCS '14, ACM, pp. 251-262, 2014. [report] - Geo-indistinguishability: A Principled Approach to Location Privacy.
K. Chatzikokolakis, C. Palamidessi and M. Stronati.
Proc. of ICDCIT '15, Springer, LNCS 8956, pp. 49-72, 2015. [report] - Constructing elastic distinguishability metrics for location privacy.
K. Chatzikokolakis, C. Palamidessi and M. Stronati.
PETS'15 / PoPETs, De Gruyter Open, 2015(2): 156-170, 2015. [report]