
[IEEE 2012 Ninth International Conference on Information Technology: New Generations (ITNG) - Las Vegas, NV, USA (2012.04.16-2012.04.18)] 2012 Ninth International Conference on Information


Location Privacy for Vehicle-to-Grid Interaction through Battery Management

Mark Stegelmann∗ and Dogan Kesdogan∗,†

∗Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, Trondheim, Norway
Email: [email protected]

†Research Group for IT Security, FB5, University of Siegen, 57068 Siegen, Germany
Email: [email protected]

Abstract—Vehicle-to-grid research explores the possibility of centrally coordinating the charging behaviour of electric-drive vehicles and of employing such vehicles as a distributed grid resource. As such, they could be used both to improve the power grid’s reliability and to store excess renewable energy. The information observable by the central coordination instance, however, can be a threat to the privacy of vehicle owners. In this work, we investigate when the observed information allows for vehicles to be distinguished and traced between stops and when not, so that vehicles will mix with each other. Specifically, we analyse the role of battery information and reveal how it can influence vehicle mixing. Furthermore, we consider information minimisation, suppression, and generalisation and discuss their effects both on vehicle mixing and on service functionality. Lastly, we show that parking lots and garages naturally provide the conditions necessary for vehicle mixing and give an evaluation of mixing for this context.

Keywords—Information Security, Privacy, Smart grids, Electric vehicles, Batteries.

I. INTRODUCTION

Electric-drive vehicles can be recharged using energy from the power grid. Vehicle-to-grid (V2G) research explores using such vehicles as a distributed grid resource [1]–[3]. As such, they could help both to stabilise the power grid, e.g., by adjusting their energy flows on notice, and to temporarily store excess renewable energy. Accordingly, energy would flow not only from the grid to vehicles but also vice versa. A central management instance, called aggregator, would coordinate the energy flows for different vehicles at the same time and abstract away from resource fluctuations, e.g., due to individual travel behaviours.

The communication of the vehicles’ locations and statuses to the aggregator is of key importance here. However, such information can potentially reveal a vehicle’s movements throughout a day and thus sensitive details about the personal life of its owner. Allowing for anonymous and unlinkable V2G interactions is important, yet not sufficient by itself [4]. In practice, vehicles need, e.g., a certain time to travel between two charging stations. An aggregator can thus relate knowledge on needed travel times to observed disconnection and reconnection events to reduce vehicle anonymity.

“Centre for Quantifiable Quality of Service in Communication Systems, Centre of Excellence” appointed by The Research Council of Norway, funded by the Research Council, NTNU and UNINETT. http://www.q2s.ntnu.no

In this work, we focus both on how to achieve V2G location privacy and on to what extent this is possible. Our main contributions can be summarised as follows. We analyse the effect of battery information, revealed as part of V2G interactions, on privacy both by itself and in combination with prior adversary knowledge. For this, we investigate the conditions necessary for vehicle mixing and formally show that there exist four cases in which an aggregator is unable to gain additional insights from battery information. We consider information minimisation, suppression, and generalisation to improve location privacy and discuss how these approaches influence both privacy and service functionality. Leveraging our analysis, we reveal commonalities between the identified cases and parking lots and show that the latter naturally fulfil the conditions for vehicle mixing before we provide an evaluation of mixing for this context.

The remainder of this work is structured as follows. In Sect. II, we provide the reader with the necessary background before discussing the related literature in Sect. III. Thereafter, in Sect. IV, we analyse how battery information can be used to limit vehicle location privacy and investigate the conditions for vehicle mixing. Based on these results, we use Sect. V to consider how to improve vehicle mixing. In Sect. VI, we evaluate the important case of vehicle mixing at parking lots before finally concluding in Sect. VII.

II. BACKGROUND

We build both on the model and the architecture proposed in [4]. Here, when a vehicle owner parks his electric-drive vehicle, he connects it to a charging station as depicted in Fig. 1. The vehicle then determines at which location it is connected to the grid and sets up communication with the responsible aggregator. While anonymity on the network layer is achieved by employing an anonymity network, for the application layer, different privacy-enhancing technologies are suggested to guarantee cryptographic unlinkability. The adversaries considered against the provided anonymity are honest-but-curious aggregators [4]. They adhere to protocols but collude with each other and pool their observations from the charging stations. The adversary’s goal is to identify vehicles at locations. He can do so either directly or by correlating distinct V2G connections, meaning by tracing a vehicle from location to location. If he can achieve the latter, he can perform a re-identification attack on the trace by identifying home and work locations to identify vehicles [4]. Thus, anonymity does not only depend on network-layer anonymity but also on the unlinkability of V2G instances.

2012 Ninth International Conference on Information Technology - New Generations
978-0-7695-4654-4/12 $26.00 © 2012 IEEE
DOI 10.1109/ITNG.2012.93

Figure 1. Simplified V2G interaction model based on [4] (components: aggregator, charging station, anonymity network, communication)

III. RELATED WORK

Anonymity on the network layer is commonly achieved using so-called mixes. Though recent mix research considers the effect of application-layer knowledge, e.g., from social network profiles, on anonymity [5], V2G-specific context information and vehicle mixing have not been investigated so far. In database privacy, data sets containing sensitive information are transformed to make records unlinkable to individuals while preserving data utility. Five approaches are found in the literature to achieve this for relational databases: generalisation, suppression, anatomisation, permutation, and perturbation [6]. Though these techniques cannot readily be applied here, in Sect. V, we will consider possible adaptations.

Location privacy research is also closely related to this work. Both measuring the anonymity of location information and methods for establishing, e.g., k-anonymity, are being investigated. Proposed approaches rely on data perturbation, dummy generation, and location hiding [7]. We regard these techniques as an adapted subset of those of database privacy. In [8], the mix zone model for ubiquitous computing is proposed. Users can either access location-based services in an application zone or move between such zones through a mix zone. The mix zones, however, are evaluated by simulation rather than by an analysis of the conditions for mixing. Vehicular Ad hoc Network (VANET) privacy research focuses on the unlinkability of messages sent from vehicles to the road infrastructure and to other nearby vehicles. Vehicular mix zones (e.g., at intersections) adapt the mix zone model approach to achieve message unlinkability [9]. The effect of application-layer information such as on vehicle batteries has, however, until now not been considered.

IV. BATTERY INFORMATION AND ANONYMITY

A. Battery model

Before we analyse how battery information can affect privacy, let us first discuss which information we need to consider. In theory, we can characterise a battery using two values, its capacity C and its state of charge (SoC). The latter, SoC ∈ [0, 1], indicates the charge left relative to C. In practice, however, as shown in Fig. 2, a battery’s SoC is commonly restricted by both a lower and an upper limit, which we denote by SoC_min and SoC_max, respectively. Ensuring that SoC_min ≤ SoC ≤ SoC_max at all times can reduce battery wear and improve battery lifetime [3].

Figure 2. Battery model (SoC scale from 0 to C with the marks SoC_min, SoC_u_min, SoC_c, SoC_d and SoC_max)

For battery-electric vehicles, owners may additionally specify a minimum mobility range for unanticipated trips, e.g., to a hospital [2]. We model this by SoC_u_min with SoC_u_min ≥ SoC_min. An aggregator must never reduce a battery’s SoC below this value. If the SoC is below this level at connection time, it must be charged up to SoC_u_min first.

Moreover, note that measuring a battery’s SoC is a non-trivial task [10]. Continuous monitoring of relevant battery parameters increases both the applicable measurement methods and the accuracy in this context. Therefore, vehicles are commonly equipped with a battery management system (BMS) that monitors battery parameters and performs the necessary calculations. Accordingly, a vehicle’s BMS must reveal such battery information to the aggregator as needed.

For a charging service, we need two parameters: the required amount of energy and the intended departure time. With SoC_c being the SoC at connection and SoC_d the desired SoC at disconnection time td, the parameters revealed to the aggregator are td, SoC_c, SoC_d, and C. The aggregator determines the needed energy as min(0, (SoC_d − SoC_c)·C). For a V2G service (i.e., providing a vehicle as a resource), in turn, we need the departure time td, the energy available for consumption, and the battery capacity available for storage. Accordingly, a vehicle reveals td, SoC_min, SoC_u_min, SoC_c, SoC_max, and C. For both services, we have td, SoC_min, SoC_u_min, SoC_c, SoC_d, SoC_max, and C.

From a privacy perspective, for anonymity, a subject [i.e., a vehicle] must not be identifiable within a set of subjects [11]. Thus, the information observable by the adversary should both be minimal and identical for as many vehicles as possible. We explore how to achieve this in Sect. V. For clarity, let us initially focus on vehicles with identical battery capacities and with battery limits that are constant for the considered observation time frame.

B. The effect of battery information on anonymity

The question we want to answer is what the adversary, i.e., honest-but-curious aggregators, can deduce about a vehicle’s movements from the observed battery information. Remember that, as explained in Sect. II, aggregators can try to identify vehicles either directly or by tracing them from location to location and performing a re-identification attack.

Figure 3. Limits of anonymity due to battery information (locations l1 to l4, sets of potential starting locations S3 and S4, and sets of candidate destinations D1 and D2)

Let us consider the example depicted in Fig. 3 comprising four locations and two vehicles for our analysis. During the time frame T = (t1, t2, t3, t4), the adversary observes four events. At t1, one vehicle is observed disconnecting from location l1 and at t2 a second one from l2. Later, at t3, a vehicle connects at location l3 and at t4 a second one at l4. The adversary does, however, not know which vehicle moved to which location. Under which conditions can battery information then falsify a hypothesis of a certain vehicle having moved to a certain destination?

We begin by looking at the first event at starting location l1.¹ Here, the aggregator learns, amongst others, the vehicle’s charge SoC_d at t1, SoC_min, and C. From this, he can calculate (SoC_d − SoC_min)·C and estimate the mobility range of the vehicle leaving l1. The vehicle cannot move beyond this limit without reconnecting and recharging, which would lead to a new observation. Without loss of generality, let us denote this vehicle by v1 and the other vehicle by v2. The aggregator can thus identify v1’s candidate destination charging stations. We denote this set by D1, as shown in Fig. 3. Analogously, for v2 leaving from l2, he can identify a set D2. Formally, let li be a location with a disconnect event, then a destination location lj ∈ Di iff SoC_d ≥ e(li, lj)/C + SoC_min, with SoC_d being the SoC at disconnection time, SoC_min as defined above, and e(li, lj) the minimal amount of energy needed to travel from li to lj. Note that these sets include all possible destinations independent of detours or unscheduled stops.

Similarly, at the destinations l3 and l4, the aggregator observes SoC_c, SoC_max, and C. From the respective values, he can calculate (SoC_max − SoC_c)·C, the energy a vehicle can have used to drive to a charging station. The potential starting locations form the sets S3 and S4 (see Fig. 3) which, again, describe absolute mobility limits. Formally, let lj be a location with a connect event, then li ∈ Sj iff SoC_c ≤ SoC_max − e(li, lj)/C, with SoC_c the SoC when connecting at lj and SoC_max and e(li, lj) as defined above.

¹ Though events happen at points in time, we refrain from adding corresponding indices to every variable. Instead, where unclear from the context, we will explicitly state the event and point in time of a variable.

We can see that the adversary is unable to determine the individual vehicle trips if certain conditions hold. Formally, for the destinations l3 and l4 it has to hold that they are in the intersection of the sets of possible destinations D1 and D2, as in Fig. 3. Moreover, for the starting locations l1 and l2 it has to hold that they are in the intersection of the possible starting locations S3 and S4. Conversely, an adversary can determine the respective trips for the two vehicles if any of these conditions is not fulfilled.

In practice, if visualised on a map, mobility ranges resemble contour maps, such as the ones found in cartography, rather than circles. Their exact shape depends on factors such as street type and elevation. Moreover, note that the sets capture possible movements according to the battery model of Fig. 2 without any assumptions regarding vehicle charging or travel behaviour. If the adversary has additional knowledge, e.g., he knows that vehicles charge exactly to the amount of energy needed for the next trip and take only known routes, he can greatly reduce the candidate stations.

The mobility range sets identify all potential sources and destinations. However, we can find a tighter bound. In fact, for two specific events to be potentially related it must hold that SoC_c ≤ SoC_d − e(li, lj)/C. In cases of SoC_d being strictly less than SoC_max or SoC_c being strictly greater than SoC_min, this tighter bound can rule out event relations. An adversary can thus use this relation to determine if battery information observed at li and lj falsifies an initial hypothesis of a vehicle having moved from li to lj.

A correlation of disconnect and connect events solely based on battery information and the order of events, however, leads to monotonically increasing set sizes. Since the adversary does not know when a prior disconnection event happened, without further assumptions, he has to include every potential prior disconnect event. As the observation time frame grows, so will the number of such events.

C. Combining adversary knowledge

However, the adversary’s observations are not limited to battery information [4]. He can, e.g., also exploit that vehicles need a certain time to travel from one charging station to another and can compare such times to the observed events. Therefore, let us now investigate what he can learn by combining battery with such prior information.

As in Fig. 3, let the adversary have obtained initial, yet inconclusive, hypotheses about vehicle movements using the algorithm of [4]. At t4, let him have obtained the two hypothesis sets ht4(v1) = {l3, l4} and ht4(v2) = {l3, l4} describing the potential locations of the two vehicles at t4. For clarity, let us exclude detours and intermittent stops so that, for our prior relation and li ∈ {l1, l2} and lj ∈ {l3, l4}, we get

SoC_c = SoC_d − e(li, lj)/C    (1)


From (1), we can see that both the expected energy usage and the observed SoCs are important here. As discussed in Sect. IV-B, the basic case for an adversary to exploit battery information is to check if (1) is not fulfilled for any trip. If this is the case, he can falsify the hypothesis of the corresponding vehicle taking this trip and, in the example, deduce that the vehicle must have driven to the remaining location. Consider the remaining trip to be (l1, l3), meaning from l1 to l3. Since only one vehicle can be connected to a charging station at a time, the hypothesis (l2, l3) of v2 travelling to l3 cannot be part of a valid solution and we can thus conclude that (l1, l3) and (l2, l4) hold. An algorithm that can remove such hypotheses not part of any valid solution is discussed in detail in [4].

However, let us investigate further under which conditions the adversary is able to distinguish vehicles or not. If we assume that (1) is not trivially violated for any of the four trips, then we can analyse how the energy usages of the trips can relate to each other and what such relations imply.

There exist five possible ways in which the four trips and their respective energy usages can relate. First, there exists a case in which the same amount of energy is required for all four trips. In case two, the same holds true for only three out of the four trips. Case three covers the situation of two pairs of equal energy requirements. In a fourth case, only a single hypothesis pair has an equal energy usage. Lastly, in case five, every trip requires a different amount of energy. These cases cover all possible relations. However, for cases three and four it is important how the respective sets are chosen. We will analyse these sub-cases in the following as well.

Case 1: Let us begin with case 1, for which one example is shown in Fig. 4a. Here, every hypothesis requires having observed the same amount of energy use between a starting and a destination location. The four instances of (1), for the individual trips, can only be fulfilled if the vehicles share both their starting and destination SoCs. Conversely, we can deduce that here the aggregator can distinguish vehicles iff the individual starting and destination SoCs do not coincide.

Case 2: For case 2, we have three trips with equal energy use and one with a differing one. In this case, the adversary is always able to falsify at least one hypothesis and thus to obtain a solution. Let us investigate why this is the case. Let any three trips have the energy requirement e1 and the remaining trip have e2 with e1 ≠ e2. Without loss of generality, we can choose any trip to have the requirement e2. Remember that the starting and destination SoCs need to be in a relation satisfying (1). Thus, this must also hold for the trips with requirement e1. Furthermore, it holds that for one trip the energy use differs. However, with both of these being true, it is no longer possible to satisfy (1) for the remaining trip with energy usage e2. Accordingly, there exists no instance of this case in which the aggregator cannot falsify a hypothesis and distinguish the two vehicles.

Case 3: In case 3, there exist two sets of trips with equal energy requirements. These sets can be either {(l1, l3), (l1, l4)} and {(l2, l3), (l2, l4)} (case 3a), {(l1, l3), (l2, l3)} and {(l1, l4), (l2, l4)} (case 3b), or {(l1, l3), (l2, l4)} and {(l1, l4), (l2, l3)} (case 3c). An example for case 3a is shown in Fig. 4b. Here, the energy requirements to both destinations are equal for each individual vehicle, yet different for the distinct vehicles. Accordingly, the battery information at the destination must differ to distinguish vehicles. In case 3b, the energy use to the distinct destinations is equal (as in Fig. 4c). Analogously to case 3a, here, the SoCs at the start need to differ. For case 3c, it is impossible to construct a solution in which the aggregator is unable to distinguish the vehicles. They can neither share their starting nor their destination SoC, since this would lead to a violation of (1) with the differing energy requirements. It is similarly impossible to find a solution not violating (1) if the starting or, respectively, the destination SoCs differ.

Figure 4. Instances of the cases with vehicle mixing: (a) common start and destination (case 1); (b) common start (case 3a); (c) common destination (case 3b); (d) pairwise distinct trips (case 5). Locations l1 to l4.

Case 4: In case 4, with equal energy use for only two of the trips, there exist three possible sub-cases for choosing this pair, namely {(l1, l3), (l1, l4)}, {(l1, l2), (l2, l3)}, and {(l1, l2), (l2, l4)}. For all of these cases, it is impossible to construct a solution not violating (1). In other words, the aggregator can always distinguish the vehicles.

Case 5: In case 5, every trip has a different energy requirement. Given this and any of the four SoCs, (1) uniquely defines the remaining SoCs. The starting SoCs and destination SoCs cannot be shared. Thus, with (1) satisfied, the aggregator can never distinguish the vehicles.

Summing up, we have identified four cases in which the aggregator is unable to distinguish vehicles based on battery information when no hypothesis is trivially falsified. These cases of potential vehicle mixing are 1, 3a, 3b, and 5. Considering these requirements, we might suspect that vehicle mixing rarely happens. Interestingly enough, we can find instances for several of these cases that commonly occur in practice. Examples for cases 3a and 3b are vehicles leaving from or, respectively, driving to a common place (Fig. 4b and Fig. 4c). In practice, such a place can, e.g., be a parking garage or a parking lot. Before we evaluate how vehicles mix there, let us consider ways to improve vehicle mixing.
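As an added worked example (not code from the paper), the following Python models the mobility-range sets Di and Sj, the tighter bound and equation (1), and the one-vehicle-per-station trip-assignment check of Sect. IV for the two-vehicle, four-location setting, and labels the trip-energy relations with the cases of Sect. IV-C. The capacity, the trip energies e(li, lj) and the SoC readings are constructed values chosen to reproduce the cases of Fig. 4.

```python
"""Battery-information checks for the two-vehicle, four-location example of
Sect. IV.  Added illustration, not code from the paper: the capacity, the
trip energies e(li, lj) and the SoC readings below are constructed values.
Energies are in kWh; SoC values are fractions of the capacity C (kWh)."""
import itertools
import math
from typing import Dict, FrozenSet, Tuple

Location = str
Trip = Tuple[Location, Location]

CAP = 20.0   # identical capacity for both vehicles, as assumed in Sect. IV-A
TOL = 1e-9   # tolerance when comparing SoC values computed from floats
TRIPS = (("l1", "l3"), ("l1", "l4"), ("l2", "l3"), ("l2", "l4"))


def destinations(soc_d: float, soc_min: float, cap: float,
                 energy_from: Dict[Location, float]) -> FrozenSet[Location]:
    """D_i for a vehicle disconnecting at l_i with SoC_d:
    l_j is in D_i iff SoC_d >= e(l_i, l_j)/C + SoC_min."""
    return frozenset(lj for lj, e in energy_from.items()
                     if soc_d + TOL >= e / cap + soc_min)


def sources(soc_c: float, soc_max: float, cap: float,
            energy_to: Dict[Location, float]) -> FrozenSet[Location]:
    """S_j for a vehicle connecting at l_j with SoC_c:
    l_i is in S_j iff SoC_c <= SoC_max - e(l_i, l_j)/C."""
    return frozenset(li for li, e in energy_to.items()
                     if soc_c <= soc_max - e / cap + TOL)


def trip_consistent(soc_d: float, soc_c: float, e: float, cap: float,
                    allow_detours: bool) -> bool:
    """Tighter bound of Sect. IV-B, SoC_c <= SoC_d - e/C.  Excluding detours
    and intermittent stops turns it into equation (1): SoC_c = SoC_d - e/C."""
    expected = soc_d - e / cap
    if allow_detours:
        return soc_c <= expected + TOL
    return math.isclose(soc_c, expected, abs_tol=TOL)


def surviving_assignments(soc_d: Dict[Location, float], soc_c: Dict[Location, float],
                          energy: Dict[Trip, float], cap: float,
                          allow_detours: bool = False) -> Tuple[Tuple[Trip, ...], ...]:
    """Map disconnect events one-to-one onto connect events (only one vehicle
    per charging station) and keep each mapping whose trips all pass the check.
    One survivor: the aggregator has traced both vehicles.  Two: they mix."""
    starts = sorted(soc_d)
    survivors = []
    for dests in itertools.permutations(sorted(soc_c)):
        trips = tuple(zip(starts, dests))
        if all(trip_consistent(soc_d[li], soc_c[lj], energy[(li, lj)], cap, allow_detours)
               for li, lj in trips):
            survivors.append(trips)
    return tuple(survivors)


def classify_case(energy: Dict[Trip, float]) -> str:
    """Case of Sect. IV-C, decided by which of the four trip energies coincide."""
    equal = {frozenset(p) for p in itertools.combinations(TRIPS, 2)
             if math.isclose(energy[p[0]], energy[p[1]], abs_tol=TOL)}
    if len(equal) == 6:
        return "1"                                   # all four trips equal
    if len(equal) == 3:
        return "2"                                   # three equal, one differs
    if len(equal) == 2:                              # two pairs: which ones?
        if frozenset((("l1", "l3"), ("l1", "l4"))) in equal:
            return "3a"                              # common start (Fig. 4b)
        if frozenset((("l1", "l3"), ("l2", "l3"))) in equal:
            return "3b"                              # common destination (Fig. 4c)
        return "3c"                                  # crossed pairs
    return "4" if len(equal) == 1 else "5"


def scenarios() -> Dict[str, Tuple[str, int]]:
    """Constructed observations for the cases of Fig. 4.  Per scenario: the
    case label and the number of trip assignments that survive equation (1)."""
    def run(energies, soc_d, soc_c):
        energy = dict(zip(TRIPS, energies))
        return classify_case(energy), len(surviving_assignments(soc_d, soc_c, energy, CAP))
    return {
        # case 1: equal energies; mixing iff the vehicles share their SoCs
        "case1_shared":   run((5, 5, 5, 5), {"l1": .80, "l2": .80}, {"l3": .55, "l4": .55}),
        "case1_distinct": run((5, 5, 5, 5), {"l1": .80, "l2": .70}, {"l3": .55, "l4": .45}),
        # case 2: three equal trips; (1) always singles out one assignment
        "case2":          run((5, 5, 5, 2), {"l1": .80, "l2": .80}, {"l3": .55, "l4": .55}),
        # case 3a: common start, per-vehicle energies differ; equal arrival SoCs mix
        "case3a":         run((5, 5, 2, 2), {"l1": .80, "l2": .65}, {"l3": .55, "l4": .55}),
        # case 3b: common destination; equal departure SoCs mix
        "case3b":         run((5, 2, 5, 2), {"l1": .80, "l2": .80}, {"l3": .55, "l4": .70}),
        # case 3c: crossed pairs; (1) cannot hold for both assignments at once
        "case3c":         run((5, 2, 2, 5), {"l1": .80, "l2": .80}, {"l3": .55, "l4": .55}),
        # case 5: pairwise distinct energies that satisfy (1) for all four trips
        "case5":          run((4, 2, 8, 6), {"l1": .60, "l2": .80}, {"l3": .40, "l4": .50}),
    }
```

Running `scenarios()` shows two surviving assignments (mixing) exactly for the constructed instances of cases 1, 3a, 3b and 5, and a single traced assignment for cases 2 and 3c.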


V. APPROACHES TO LOCATION PRIVACY

A. Data minimisation

Let us begin by investigating if the information revealed can be reduced without affecting service functionality. In Sect. IV-A, we have seen that the aggregator obtains several values from which he can determine the necessary service parameters. However, these calculations could also be carried out by the vehicle and only the results be revealed. For charging, the vehicle can calculate and reveal min(0, (SoC_d − SoC_c)·C) together with td. For V2G services, the vehicle can transmit the results of (SoC_c − SoC_u_min)·C and (SoC_max − SoC_c)·C, together with td. If SoC_c < SoC_u_min, then the first result is strictly less than 0 and the vehicle will only accept energy, as explained in Sect. IV-A.

However, assuming that vehicle owners will not routinely adjust the size of their reserve tank SoC_u_min, even with the reduced information the aggregator can determine both the range in which the SoC can vary and the vehicle’s SoC. Accordingly, he can either distinguish vehicles based on SoC_max − SoC_u_min or on its SoC as discussed in Sect. IV.

B. Suppression

In database privacy, suppression denotes selectively not disclosing certain database values. In V2G, service parameters could be suppressed. However, going beyond what we discussed in Sect. V-A implies that service functionality will be affected. Accordingly, we can distinguish three suppression cases: the suppression of charging parameters, of V2G parameters, and of both services’ parameters.

If a vehicle opts for charging only and does not make itself available as a grid resource, only the information discussed in Sect. V-A is needed. However, this also implies that the vehicle owner will not get any payments or other benefits for providing his vehicle as a resource or may even violate contracts. Furthermore, as we have seen in Sect. IV, such information can still reveal details about a vehicle’s next trip, e.g., if the charging strategy is known.

Suppressing charging but not V2G services requires a charging strategy that ensures that the energy needed for later trips is charged before charging is suppressed. In addition, limiting factors such as battery capacities need to be considered and, as we have seen in Sect. V-A, suppressing charging information does not provide a privacy advantage.

Last but not least, suppressing both charging and V2G information equals intermediate stops without grid connection. In this case, the adversary obtains no observations. As for the second case, the charging strategy needs to be adapted accordingly. Though this strategy can increase privacy, this approach both suffers from the possible losses of the first case and has to take into account the technical limitations.

C. Generalisation

Generalisation can improve privacy without excluding vehicles from services. For numerical values, generalisation commonly refers to replacing a value by a range of values containing the original value. Here, by increasing the granularity, i.e., by using coarser ranges, both the accuracy of the adversary’s observations is reduced and the probability of shared values is increased.

An interesting question is thus which granularity induces which probability of shared ranges. To answer this, consider a SoC’s total range to be generalised into d disjoint, equally sized ranges so that a SoC can lie in one of d distinct ranges.

For case 1 of Sect. IV-C, we can then determine the probability of the adversary not being able to distinguish vehicles. For this, we need to know the probability of both the starting and the destination SoCs matching. In case 1, these are not stochastically independent. In fact, it holds that if one side matches, the other one will match as well. Therefore, it suffices to determine the probability of the SoCs of one side matching; the conditional probability of the other side matching given that one side matches is 1. The sought-after probability can thus be specified for n vehicles as

$$P_{match}(d, n) = \frac{1}{d^{n}}.$$

Note that we assume uniformly distributed SoCs here. This corresponds to a worst case scenario from a privacy perspective and is thus a lower bound.

In cases 3a and 3b, we are looking for the probability of a vehicle’s charge being equal to another vehicle’s charge when arriving at, respectively departing from, a location. This probability is equal to $P_{match}$ as determined for case 1.

For case 5, it is interesting to observe that the probability of the adversary not being able to distinguish the vehicles is 1, since any solution not trivially falsifying one of the hypotheses does not provide any insights on the invalidity of any part. Accordingly, any benefit of increasing d is limited to reducing the accuracy of the adversary’s observations.

Though increasing the granularity of the parameters does not prevent vehicles from using services, it does affect service performance. Charging in bigger increments can induce additional costs. Reducing usable V2G ranges can limit potential benefits for the vehicle owner. Our following analysis of how to choose the different parameters is therefore not only interesting from a privacy perspective.

VI. EVALUATION

Let us look at those cases that are influenced by changing the granularity parameter d, meaning cases 1, 3a, and 3b. For this, we consider a basic parking lot scenario. The cases can then be seen as driving to, from, and between parking lots as shown in Fig. 4c, Fig. 4b, and Fig. 4a, respectively. As discussed in Sect. V-C, the probability of n = 2 vehicles mixing at a parking lot is given by the probability of their battery information being indistinguishable, meaning $P_{match}$. For d = 10, e.g., we obtain $P_{match}(10, 2) = .01$.

Page 6: [IEEE 2012 Ninth International Conference on Information Technology: New Generations (ITNG) - Las Vegas, NV, USA (2012.04.16-2012.04.18)] 2012 Ninth International Conference on Information

[Figure 5. Individual probability of mixing: $P_{mix}$ (0.0 to 1.0) plotted against the number of vehicles n (0 to 50) for d = 500, d = 100, d = 50, and d = 10.]

In practice, however, more than one other vehicle can mix with a vehicle. That means we have to investigate cases of n vehicles potentially mixing. However, from a vehicle owner’s perspective, it is of interest to know his probability of mixing with any other vehicle rather than of mixing with all other vehicles. This probability of mixing with at least one out of n−1 vehicles arriving, respectively departing, with him can be calculated as

$$P_{mix}(d, n) = 1 - \left(\frac{d-1}{d}\right)^{n-1}.$$

For every parking lot use, vehicles have two such possibilities of mixing (potentially with different n), one when they arrive and one when they leave.

We can see that two parameters influence mixing: the battery information granularity and the number of vehicles indistinguishable based on other observations. In Fig. 5, we plot these probabilities for d ∈ {10, 50, 100, 500} and n ∈ {2, …, 50} vehicles. The graphs show that smaller values of d mean increased probabilities of mixing. Yet, such values imply coarser service parameters as well. Future battery technologies and mobility ranges of, e.g., 500 km could lead to the desire to specify charges at a kilometre granularity. However, as we can see, this comes with a privacy tradeoff. More specifically, while $P_{mix}(10, n) > .5$, meaning that the probability of mixing for d = 10 becomes greater than .5, for n ≥ 7 vehicles, $P_{mix}(50, n) > .5$ only for n ≥ 36. These results suggest that generalisation is a necessary measure for vehicle mixing. Yet, if future developments demand fine-grained measurements, additional measures, e.g., allowing vehicles to coordinate locally, may be needed.
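As an added example that is not part of the paper, the following Python script works through the quantities of Sect. V-C and Sect. VI for the parking lot scenario: it generalises a SoC into one of d ranges, evaluates P_match and P_mix as given above, finds the smallest n at which P_mix exceeds one half for the values of d plotted in Fig. 5, and checks the closed form against a constructed Monte Carlo draw of uniformly distributed SoCs. The function names and the simulation are assumptions of the example, not the paper's.

```python
import random

def generalise(soc: float, d: int) -> int:
    """Map a SoC given as a fraction of the total range (0.0 to 1.0) to one
    of d disjoint, equally sized ranges; the aggregator only sees the index."""
    if not 0.0 <= soc <= 1.0:
        raise ValueError("SoC must be a fraction of the total range")
    return min(int(soc * d), d - 1)  # a full battery falls into the top range

def p_match(d: int, n: int) -> float:
    """P_match(d, n) = 1 / d^n as stated in Sect. V-C (uniform SoCs, case 1)."""
    return 1.0 / d ** n

def p_mix(d: int, n: int) -> float:
    """P_mix(d, n) = 1 - ((d - 1) / d)^(n - 1) from Sect. VI: the probability
    that a vehicle shares its generalised SoC with at least one of the other
    n - 1 vehicles arriving (or departing) with it."""
    return 1.0 - ((d - 1) / d) ** (n - 1)

def min_vehicles_for_mixing(d: int, threshold: float = 0.5) -> int:
    """Smallest n for which P_mix(d, n) exceeds the threshold; with n - 1 in
    the exponent this yields 36 for d = 50 and 8 for d = 10."""
    n = 2
    while p_mix(d, n) <= threshold:
        n += 1
    return n

def simulate_p_mix(d: int, n: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of P_mix (constructed check, not from the paper):
    draw n uniformly distributed SoCs, generalise them, and count how often
    vehicle 0 is indistinguishable from at least one other vehicle."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ranges = [generalise(rng.random(), d) for _ in range(n)]
        if ranges[0] in ranges[1:]:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print(f"P_match(10, 2) = {p_match(10, 2):.3f}")
    for d in (10, 50, 100, 500):
        print(f"d={d:4d}: P_mix > 0.5 from n={min_vehicles_for_mixing(d):3d}; "
              f"P_mix(d, 20)={p_mix(d, 20):.3f}, "
              f"simulated={simulate_p_mix(d, 20, 20000):.3f}")
```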

VII. CONCLUSIONS AND FUTURE WORK

In this work, we discussed the effect of battery information on V2G location privacy. We analysed how an aggregator can deduce vehicle mobility ranges and we identified four cases in which battery information allows for vehicle mixing. As we showed, parking garages and parking lots are practical examples for three of these cases and can therefore have beneficial effects on privacy. We discussed three approaches to increasing vehicle mixing and their effects on privacy and service functionality. Lastly, we explored the mixing probabilities for parking lots.

For clarity and due to space limitations, we had to limit our model and discussions to battery-electric vehicles. However, due to the similar role of petrol for V2G services, analogous extensions of our model could be obtained for plug-in hybrid electric vehicles. Furthermore, the requirements for mixing, which we identified, could be applied to the travel time based analysis proposed in earlier work. Here, instead of increasing SoC granularity, increasing time granularity could improve vehicle mixing. In the future, it could also be interesting both to perform simulations using real world datasets and to investigate how to improve vehicle mixing by allowing local vehicle coordination.
