**2. Related Work**

As mentioned, a pseudonym can be used in beacon messages, rather than the real identity of a vehicle, as a means to provide privacy. However, some limited knowledge of the whereabouts of a vehicle means that the pseudonym of a vehicle can be identified, and all journeys of that vehicle can be recovered. For this reason, pseudonyms are changed periodically. However, simple pseudonym-exchange schemes may suffer from pseudonym linkability. That is, an adversary can discover the relationship between pseudonyms and hence recover vehicle journeys. Several schemes of pseudonym changing are proposed and tested in the literature; here, we review some of these. A taxonomy of location privacy schemes is shown in Figure 1. Table 1 contains details of a comparative analysis of existing schemes in a vehicular network.

A group navigation, in combination with a random silence period, is proposed in [21]. The vehicle remains silent, not broadcasting beacons in the network for a random period to avoid linkability. The vehicles are restricted to forming groups on the road, and the group leader will broadcast messages while other members of the group remain silent. Similarly, an advanced version is presented in [27] again using the combination of silent periods with the group formation concept. The vehicles remain silent if a certain low-speed threshold is met (below 30 km/h) and should change pseudonyms during this period as given in [28]. This means that a vehicle will not broadcast heartbeat messages at slow speeds, with the justification that the possibility of an accident during lower speeds is low. In [29], a safe-distance metric is used to find an obfuscation radius in which the value of velocity, position, and direction is perturbed to enhance the privacy of vehicles.

In addition, if a vehicle did not find any other vehicle within a safe distance, it remains silent to preclude tracking. An autonomous pseudonym update mechanism is presented in [23], which takes the speed and direction as parameters. If a certain traffic weight threshold is met, the vehicle will update its pseudonym in a silent mode, otherwise the vehicle waits for one more silent period. In the context-based scheme, the vehicle adaptively enters and exits from a silent period, changing the pseudonym based on the number of silent neighboring vehicles [30]. A similar scheme is introduced in [31] in which vehicle changes its pseudonym based on the context of silent neighbors. It also assesses the presence of misbehaving vehicles in the network and checks the success of the pseudonym changing process. Another scheme is based on a silent period that uses the concept of permutation to exchange pseudonyms between vehicles to create confusion for an adversary attempting location identification [32]. Silent period-based schemes have certain limitations, i.e., it impacts road network applications, the management of silent period duration for a vehicle trip is difficult to utilize for location protection: the use of a short silent period can provide one way to measure the effectiveness of a pseudonym linkability attack, while, for a long silence period, the knowledge of spatial and temporal relationship makes it possible for an adversary to track the vehicle [33].

**Figure 1.** Categories of location privacy schemes.

A group communication method with a random encryption period is introduced in [20,34] for location privacy in VANETs. The scheme increases the confusion of the external attacker by creating an encryption zone around a vehicle's OBU. Another synchronized pseudonym changing protocol is proposed in [35] to provide unlinkability of the vehicle location tracks. The main aim is to break the spatial and temporal relationship of the vehicle pseudonyms. A data forwarding protocol is used in [36] for location privacy based on the social behavior of a vehicle driver. The social behavior of vehicles is collected from visiting social spots, i.e., shopping malls, intersections, and museums. If a vehicle visits a social spot, it can retrieve messages from RSU anonymously. The protocol achieves two things in parallel, i.e., preserves the location privacy and provides reliable transmission in the network. In [18], the concept of a cryptographic mix zone is used to hide the location information of vehicles that are based on one-time identity-based authentication. It has no dependency on trusted party, and the keys are updated within the zone. Any vehicle in the group may be a group key distributor in the cryptographic zone. A revocable group

signature scheme is proposed in [37] for location privacy based on the Chinese remainder theorem and digital signature algorithm. It protects the anonymity of the vehicle as well as providing traceability to TA in case of a dispute of signature. However, the group signature method has certain issues regarding the management of signatures in the group. The signature of a large group is difficult to manage, while smaller groups affect the privacy protection level [33]. In [38], a dynamic grouping and virtual pseudonym exchange scheme is proposed in which diverse traffic conditions are utilized to update pseudonyms of vehicles for location protection.

Some techniques employ dummy data or inaccurate data to generate confusion for an adversary to identify the real location of a vehicle. In such a case, a perturbation algorithm is proposed in [39] that utilizes the reported position of two users at proximity and slightly modifies their position to create confusion for an adversary. The inaccurate beacon message is sent in between the periodic actual beacon messages to break the link between various locations of vehicles [40]. Dummy locations are generated in [41] for privacy protection of vehicles. In [42], the location of the neighboring vehicle is taken as a virtual shadow and sends two requests to LBS with two different locations. It will hide the actual location of a target vehicle from the location attacker. Similarly, virtual position points are generated in [43] that bridge between user and LBS. The sensitivitybased pseudonym changing scheme is introduced in [44] that takes regularities in vehicle movements to achieve personalised vehicle location protection. A new concept of multilevel obfuscation scheme is introduced in [45] to protect the location privacy of vehicles while communicating with LBS. The vehicle generates duplicate messages in connection with the surrounding vehicle to increase vehicle identity anonymisation in the vicinity. The concept of differential privacy and pseudonym permutation is used in [46] to hide the location trajectory of the vehicle. The trajectory of the user is divided into coarse-grained and fine-grained under the personalized user privacy requirements. Similarly, a new technique is introduced in [47] that protects the user's semantic location trajectory. It uses the concept of reinforcement learning based on differential privacy that randomizes the locations of the vehicle's trajectory. The optimized obfuscation policy is used in terms of privacy improvement and the loss of quality of the services. The obfuscation and hiding in the crowd concept are combined in [48] to increase confusion for an adversary trying to link vehicles' pseudonyms. The dummy-based location privacy scheme improves the level of privacy to some extent. However, there are certain problems related to these schemes, including management of dummy data being an issue, their impact on the quality of services, and generating overhead in the network.


