1. Introduction
Location-based services (LBSs) have become integral to modern mobile computing thanks to the ubiquity of smartphones and social networks. These services provide essential functionality from navigation assistance to location-aware recommendations. However, increasing reliance on LBSs raises significant privacy concerns, as each query potentially exposes sensitive user information. Recent studies have shown that even seemingly innocent requests for public data can lead to privacy breaches when aggregated over time [
1,
2]. For example, analyzing patterns of LBS queries can reveal sensitive details about a user’s lifestyle, health conditions, or daily routines, which is information that could be exploited by malicious entities or commercial interests like insurance companies.
The evolution of privacy protection in LBSs has seen several major developments. Early research established fundamental techniques such as
k-anonymity, which builds cloaking areas to hide the exact location of a user among
k-1 other possible locations [
3]. This foundation was extended through
l-diversity approaches that protect query privacy by generating multiple plausible queries [
4,
5]. More recent work has explored the combination of these techniques with advanced caching mechanisms [
6] and continuous privacy protection schemes [
7]. Although these approaches provide crucial privacy protections, they face a fundamental limitation. All are based on centralized LBS systems that accumulate significant amounts of user data over time. Even with privacy protections in place, this centralization enables comprehensive user profiling through long-term data analysis [
8].
Researchers have attempted to address this centralization vulnerability through various distributed approaches using mobile ad hoc networks (MANETs). Some solutions leverage MANETs with cellular network infrastructure [
9], while others focus on distributed query processing without considering caching efficiency [
10]. Recent work has explored privacy protection through distributed storage [
2] but still relies on stationary infrastructure in fixed locations. This gap between existing privacy-preserving techniques and the need for truly distributed LBS solutions motivates our work. Previous distributed approaches either depend too heavily on fixed infrastructure or fail to adequately address the unique challenges of maintaining privacy in a fully mobile environment.
To address these limitations, we propose a novel approach that fundamentally re-imagines how location-based services can operate in a privacy-preserving manner. Our solution draws inspiration from a time-honored practice: seeking information from nearby individuals who are likely to have relevant local knowledge. Consider how travelers traditionally consulted locals about nearby amenities: Although the local person learns something about the inquirer, their limited capacity and different purpose make it unlikely that they would capture a comprehensive user profile, which requires storing user history over time. This observation guides our development of a distributed LBS system that prioritizes user privacy while maintaining service utility.
We implement this concept through a fully distributed LBS functionality operating directly between users in a MANET, minimizing reliance on centralized and potentially untrusted LBS servers. This approach complements existing privacy-preserving techniques by adding another layer of protection through peer-to-peer data sharing. By distributing queries among MANET peers before resorting to a centralized LBS, we can significantly reduce data exposure while maintaining service quality.
To quantify the privacy benefits of our approach, we have developed a novel mathematical model that measures the loss of location privacy when users resolve queries in the LBS versus the mobile ad hoc network. This accumulated privacy loss (APL) metric is, to our knowledge, the first proposed to evaluate privacy loss in the context of a distributed MANET-based LBS system. Our model considers the LBS as the main adversary seeking to compromise location privacy while acknowledging that users in the MANET could also potentially compromise privacy—albeit to a lesser extent due to their limited storage and computing capabilities compared to an LBS server.
Unlike existing privacy metrics that focus solely on k-anonymity levels or query diversity, our APL metric provides a comprehensive measure of privacy loss across both centralized and distributed components of the system. It explicitly accounts for the differential privacy implications of data exposure to limited-capacity MANET peers versus a centralized LBS server with extensive data aggregation capabilities. This allows us to quantitatively assess the privacy benefits of our hybrid approach and guide the development of effective privacy preservation strategies. Our mathematical foundation for APL builds on information theory principles while incorporating practical considerations such as node mobility, cache obsolescence, and query patterns.
Our approach has two main goals: (1) to develop a decentralized peer-to-peer LBS architecture for mobile users that complements traditional LBS servers and (2) to design a storage-efficient collaborative caching scheme to protect user privacy and conserve LBS resources.
To provide a framework for our approach, we consider the following aspects:
The LBS is the main adversary, as it has all data, which compromises the information of users who access the services.
The queries submitted by users underlie geographical proximity (i.e., these queries are well-known location-based queries, LBQs), and they are not confidential; queries such as “What is the nearest hotel?” or “What is the nearest major tourist center to my location?” correspond to queries of this type.
In MANET, users are constantly moving into and out of service ranges. Some users within the service range act as caches, forming a collaborative caching scheme.
Our model operates at the application layer of the OSI model; details about the operation of the physical layer are not considered in this paper.
Implementing distributed geographic caching and LBS functionality in MANET introduces several challenges.
Maintaining location-relevant data near a corresponding geographic area is difficult when mobile users are constantly moving. To address this, we propose a dynamic data exchange strategy that considers both geographic proximity and user mobility patterns.
Disconnections in ad hoc networks cause delays; therefore, users must have latency tolerance thresholds aligned with their privacy risk aversion profiles.
The efficient use of limited storage across nodes is critical, as excessive redundancy reduces the space for new data, eventually pushing users back to the LBS server when the collective storage capacity is exceeded.
More data exchange helps coordination and reduces redundancy, but it consumes energy and bandwidth. The solution must balance response time, energy efficiency, and location privacy.
Data obsolescence in caches can lead to undesired access to the LBS and unnecessary storage consumption. We study the effect of data becoming obsolete and propose strategies for the timely removal of outdated information from caches.
Balancing privacy protection with system usability requires a careful consideration of when to utilize MANET peers versus accessing the LBS server, particularly when dealing with time-sensitive queries or sparse network conditions.
To our knowledge, no previous work has focused on implementing a privacy-aware location-based service directly in a MANET, particularly considering the challenges of data redundancy, privacy loss, and obsolescence in a distributed caching system. Moreover, the lack of a suitable metric to evaluate privacy loss in this context highlights the novelty of our approach. Although some research has explored MANETs with cellular network infrastructure [
1,
9] or distributed query processing [
10], they have not addressed the critical aspects of cache management and privacy preservation in a fully distributed environment. Although recent studies have investigated distributed approaches to privacy protection [
2,
6], they continue to rely on stationary infrastructure at fixed locations, limiting their applicability in truly mobile scenarios.
The main contributions of this study are outlined below:
We present a novel mathematical model and metric (APL) to quantify location privacy loss in both centralized LBSs and our proposed MANET-based system. Our theoretical framework provides a rigorous foundation for evaluating privacy benefits, incorporating factors such as data exposure patterns, node mobility, and cache dynamics.
We propose a location-aware LBS architecture on MANETs that enables users to resolve spatial queries through peer collaboration before accessing centralized servers. Our experimental evaluation demonstrates significant reductions in LBS queries while maintaining acceptable response times and system overhead.
We develop spatial query processing strategies based on two-tier caching: local caching maintained by each user and neighbor caching based on proximity. Our comprehensive comparison shows this approach substantially enhances user privacy by minimizing the exposure of location data to centralized entities.
We introduce two location-based data storage strategies that maximize the proximity of stored data to their corresponding geographic locations. These strategies effectively balance communication costs against redundancy, ensuring relevant data are cached only in users located within the referenced geographic area.
We provide the first comprehensive analysis of data obsolescence impact on cache performance and privacy loss in distributed LBS systems, including mechanisms for identifying and removing outdated information to maintain cache relevance and accuracy.
Our approach is particularly valuable in scenarios where central infrastructure is unreachable or untrusted, such as during a disaster response, in crowded public gatherings, or in areas with limited network facilities. By giving users greater control over their information while increasing awareness of privacy risks, our method advances the development of privacy-respecting location-based services that maintain utility without compromising user privacy.
The remainder of this paper is structured as follows.
Section 2 presents related work and positions our contributions within the existing literature.
Section 3 defines key terms and introduces the system architecture.
Section 4 details our implementation approach including data obsolescence handling and privacy loss metrics.
Section 6 presents experimental results and performance evaluation, and
Section 7 concludes with key findings and future work directions.
3. System Overview
We consider a system called M-LBS that consists of a fully distributed LBS implemented in a MANET, as shown in
Figure 1.
The system model is divided into three layers:
Mobile user: The end user is aware of its location and needs to solve a public location-based query (LBQ). Users can request details from restaurants or hotels near their location. A user or node moves in any direction in the service area without restrictions. It has storage, energy, and a limited transmission range to communicate with other users moving around. It can also communicate directly with the Internet using any existing cellular network if necessary. Without loss of generality, it is assumed that the hardware and software capabilities of the users are homogeneous.
Neighbor users: The geographical space where mobile users move is divided into disjoint square cells of
, as shown in
Figure 2. While a node-density-based division might seem intuitive, we chose this grid-based structure for several key advantages:
Predictable privacy guarantees independent of node density fluctuations;
Simplified and stable mapping between physical locations and cache responsibilities;
Reduced system overhead by eliminating the need for continuous boundary recalculation;
Direct compatibility with existing LBS spatial indexing systems and location cloaking approaches.
Within this structure, a group of users is identified as
neighbors if their geographical location places them in the same cell. These neighbors collaborate to store and respond only to queries related to the cells that contain them. Neighbors are assumed to be honest, and the transmission model of a user is free-space and isotropic. The size of the diagonal of a cell is
to ensure that when a mobile transmits, its neighbors hear it. See
Figure 2, where the red circle, centered at a specific user’s location, represents the user’s transmission or coverage area. We assume that any neighbor within this region will receive the user’s broadcasts. There are various link-layer protocols to regulate wireless communication within a cell. This study assumes no particular protocol because the distributed LBS implementation is performed at the application layer level.
LBS server: This server is located on the Internet and provides location-based information. It is considered the highest level of consultation that a user only wants to access as a last resort when it does not find a response from its neighbors. The LBS server provides reliable information but can compromise its users’ location and query privacy.
Throughout this manuscript, we will use the terms “node” and “user” interchangeably; as in the jargon used in MANETs, the term “node” refers to a mobile user who carries a wireless device to communicate with others or with the cellular telephone network.
When a mobile user needs to answer an LBQ, the node first queries its local cache. If the data in the local cache satisfy the user’s query, we say that the user is successfully answered and that the service is considered complete. Otherwise, the user broadcasts its query to all its neighbors who search for answers in their respective caches. If at least one of the nodes has a response, then the response is transmitted to the querying user, assuming that the user is satisfied with it. If the node does not receive a response after a maximum waiting time, it may attempt to expand its query to neighbors in other nearby cells. As proposed in [
10], if the network has disconnections between nodes due to low density, we propose that the user waits first some time to retry processing the query in the MANET (among neighboring nodes) and, when the MANET connection failed, can choose to access the LBS server on the Internet (compromising its privacy). In the latter case, the connection is assumed to have no delay.
4. Proposed M-LBS Scheme
In this section, we present details of the design of the M-LBS architecture. Then, we describe cell exit protocols that aim to reduce data redundancy within a cell. In addition, we explain the two-level caching management mechanism that stores the most relevant data within resident nodes. We also introduce the role of cell master along with privacy considerations for this role.
4.1. Design Details
Mobile users are always aware of their position and therefore know which cell they are in. When a user detects that it has crossed into a new cell, it broadcasts a greeting to all users in this cell to discover who the cell master is. The cell master is essentially a user who resides in the cell and collects statistics about the cell, such as the number of nodes present, the number of historical queries resolved in the cell, the frequency of query types, and the number of historical queries sent to the LBS. The new node can identify itself with the cell master by a pseudonym, which it maintains while moving within the cell.
Suppose that the cell master does not respond to a mobile user. In this case, the user concludes that the cell is empty, becomes the new cell master node, and attempts to locate the cell retention node (this is a former cell master node that is not present in the cell and maintains the cell statistics until the new master node is reached) using successive geocasts, following a protocol similar to that proposed in [
10]. For our purposes, a geocast is a communication primitive that allows sending a message to all mobile users present in a geographical location, and it is not relevant to our system to determine the routing protocol under which it is implemented. To perform a geocast, we only need to identify the origin and destination cells of a message that is understood to be directed to all nodes located in the destination cell.
When a mobile user detects that they have left their current cell, a
cell exit protocol is executed to distribute cache content among users who are within the previous cell. This data distribution maintains relevant information while minimizing redundancy within the cell. If the node is the latest node in the cell or the current nodes lack available cache storage, the user carries this information to the new cell. We propose two optimization-focused exit protocols in
Section 4.4. Upon entering a new cell, the user sends a greeting message to establish their presence. If the mobile user was a cell master, they must first transfer this role to another node in their previous cell.
When a user moves within a cell, they can create an LBQ (location-based query), which is defined as a circular-range query centered on the user’s position. This query seeks to determine the details of all public points of interest (POIs) in a specific category within the range. For example, a user looking for breakfast might query the menus and prices of restaurants in their neighborhood. The user determines which cells intersect with their query range, as shown in
Figure 2 (where a red circle centered on the user intersects cells 13, 14, 18 and 19) and checks their cache for relevant data. For cells without cached data, they send a geocast requesting information. Users store all received data, implementing cache replacement policies as needed (detailed in
Section 4.2).
If a user receives no response within the maximum waiting time, they prepare to access the LBS. This intention is communicated to the
cell master for recording. Users concerned about privacy can also contact an anonymizer to obscure both their position and query [
4,
7]. When a node receives an LBQ, it searches its cache for responses. If found, it notifies its
cell master and sends the grouped responses in a single geocast to the requesting cell.
4.2. Caching Management in M-LBS
In this work, we employ a two-level cache management system. The first level corresponds to the individual cache management performed by each mobile user. Since these users have limited cache memory available, we propose and evaluate various cache management techniques in our study. When the cache reaches its capacity and the user needs to insert new data, one of the following policies is implemented.
First-In-First-Out Elimination (FIFO): The element that was first added to the cache is removed, following an FIFO policy.
Random elimination (RAN): A random element is selected and deleted to free up space in the cache.
Distance Elimination (DIST): The distance between each element in the cache and the user’s current location is calculated. The element with the longest distance is prioritized for deletion.
Popularity Elimination (POP): For each element in the cache of the node, a popularity score is calculated. This score is obtained by maintaining a counter that is incremented when an element is part of a response. The element with the lowest score is deleted.
Elimination of the minimum popularity/distance ratio (MINPD): For each element in the cache of a node, the popularity score is calculated and divided by the distance between the location of the element and the user. The element with the smallest ratio is deleted.
Reset of the cache when changing cells (RST): When the user changes cells, all the elements in the cache are deleted.
By implementing these cache management policies, we anticipate improved space utilization within the cache. The performance of these techniques is evaluated and compared in
Section 6.
The second level of caching corresponds to the cell level. Here, we seek to maintain as much data as possible about POIs in the cell among the mobile users residing in that cell. Through managing the use of the cell exit protocol, we aim to reduce the search time for a response to a location-based query and increase the probability of finding a response in one or more user neighbors.
In this work, when measuring cache efficiency, we calculate the cache hit rate, which refers to the number of times the same location is queried, and its response is found either in the local cache memory of the user or in one of the neighbors (nodes in the querying user’s cell) of the querying user. This idea is grounded on the observation that individuals’ living habits are consistently regular, whereas their questioning habits frequently change at a steady rate.
One aspect is the data redundancy in a cell, which is measured in terms of how many replicas of metadata (extra data describing a location, for a restaurant, its menu, prices) about a POI are stored in the cache memory of the cell’s users. While high redundancy allows one to reduce the search times for a response to a location-based query, it does not allow the storage of a wide variety of cell data, which could mean that the user has to access the LBS to resolve their query. Undoubtedly, a balance between response time and redundancy must be found to protect the location or query privacy of the mobile user.
4.3. Cache Freshness and Reset
A significant consideration in cache management is the period of validity or freshness of the cached data. This duration represents when the data are still considered valid before it should be removed from the cache. Different factors can influence the freshness such as dynamism in location-based services, user mobility, and data updates/maintenance from LBS providers, among others, also depending on what type of knowledge is being represented by a cache entry. For instance, details about a menu for a restaurant may only last a few hours, while availability/pricing information for rooms in hotels could be relevant up to several days with reference to particular times during the year; without any doubt, longer obsolescence periods equate higher hit rates. In order to deal with stale caches, we need some mechanism to reset them.
Commonly known as TTL or time-to-live (cache expiration time), past research works have shown (such as [
2,
11,
13,
14,
29]) that cached items become stale or lose their freshness after staying in storage for a specific period of time after which they should be deemed no good and deleted either manually or automatically. If this does not happen, then subsequent requests will keep getting served outdated contents; hence, it such should never be allowed to happen.
The cache reset process can be implemented using various approaches, such as the following:
Time-based Reset: Cached data are assigned a TTL value, and the cache is flushed or invalidated after the TTL expires. The TTL can be set based on the expected freshness requirements of the LBS data or the user mobility patterns [
2].
Event-based Reset: The cache is reset or invalidated in response to specific events, such as data updates from the LBS provider [
13] or significant changes in user locations or context [
14].
Hybrid Approach: A combination of time- and event-based reset mechanisms can be employed, where the cache is reset based on which condition is first met (TTL expiration or relevant event occurrence) [
11,
29].
In this work, we use a hybrid approach that combines the cache expiration time and event-based scheme (when a user moves into a new cell).
4.4. Cell Exit Protocol
When a node leaves its current cell, it must execute a cell exit protocol to preserve data availability while minimizing redundancy. For example, when a user moves from cell 19 to cell 14 (
Figure 2), the protocol ensures the efficient distribution of its cached data to the remaining nodes. Before describing the protocols, we establish their common elements:
Common Protocol Elements:
Goal: Maintain data availability while minimizing redundancy;
Participants: Departing node and remaining nodes (referred to as node N);
Prerequisites List of current cell nodes from cell master;
Termination: The protocol ends when either all the data are distributed or all the nodes are contacted.
We propose two protocols that prioritize different optimization goals:
Exit Protocol 1: Redundancy-Optimized
This protocol prioritizes minimizing data redundancy by checking for duplicate data before considering cache availability.
Data Inventory: Departing node sends its data list to node N;
Redundancy Check: Node N reports which data it already has;
Duplicate Removal: Departing node removes redundant data from transfer list;
Availability Check: Node N reports its available cache space;
Data Transfer: Departing node sends non-redundant data within availability limits;
Confirmation: Node N confirms successful data receipt.
Exit Protocol 2: Communication-Optimized
This protocol prioritizes minimizing message exchanges by checking cache availability before considering data redundancy.
Availability Check: Departing node requests node N’s cache space
Space Verification: Node N reports available cache space
Data Inventory: If space available, departing node sends its data list
Redundancy Check: Node N reports which data it already has
Data Transfer: Departing node sends non-redundant data within availability limits
Confirmation: Node N confirms successful data receipt
Protocols differ primarily in their optimization priorities. Protocol 1 ensures minimal redundancy but may require more messages when cache space is limited. Protocol 2 minimizes communication overhead but may result in greater redundancy when cache space is scarce.
Before executing any of these cell exit protocols, the departing node must verify whether it is the current cell master of the cell it leaves. If this is the case, the departing node sends a message to all nodes in the cell indicating that they must elect a new cell master. Each node interested in becoming a new cell master waits a time proportional to its distance from the center of the cell. The first node that exhausts its time informs the others that it will be the new cell master and receives all the information collected about cell statistics and the historical query frequency table for all cells.
4.5. Cell Master Privacy Considerations
The cell master role introduces potential privacy implications that must be carefully considered. While the cell master collects valuable system statistics, this information could be misused by an adversarial cell master. To mitigate this risk, we implement several privacy-preserving measures.
Limited Data Collection: Cell masters only maintain aggregate statistics (node count, query frequencies) without individual user identifiers;
Temporal Restriction: Historical data are periodically purged to prevent long-term pattern analysis;
Pseudonym Rotation: Users regularly change their pseudonyms when entering new cells;
Distributed Trust: Cell master role rotates among nodes to prevent prolonged data accumulation;
Query Anonymization: Statistics record only query types not specific query content or user locations.
Even if a cell master becomes adversarial, their ability to compromise user privacy is limited because of the following:
They cannot link queries across cells due to pseudonym changes;
They only see aggregate patterns, not individual behaviors;
Their view is temporally and spatially limited to their current cell;
They cannot access the actual content of cached data in other nodes.
5. Data Security and Privacy Considerations
The LBS scheme we designed is distributed and has a dual purpose: protecting location privacy as well as increasing user consciousness on possible privacy infringement. This method ensures the security of private details while at the same time educating people about how their actions with the system can affect their privacy. In this part, we will discuss those important components of the scheme that need to be analyzed or considered so that effectiveness reliability and user friendliness are achieved. Our aim is to let users know more about their loss of privacy, making them have knowledge-based sharing decisions concerning data while appreciating features of our system that preserve anonymity.
In our model, MANET users are considered honest but curious, while LBS providers are viewed as potentially malicious. Mobile nodes face significant limitations in compromising user privacy due to the following:
Limited storage and processing capacity;
Restricted communication with users in other cells;
Need to frequently erase cache for resource management.
These constraints make extensive user profiling difficult within the MANET. In contrast, centralized LBS providers can collect and analyze large amounts of data over time, posing greater risks to user privacy through potential data exploitation or vulnerability to hacking.
The queries considered in our scheme are range queries with respect to public places (e.g., restaurants, ATMs, banks, hotels, parks, hospitals). Although a single query might not reveal much information about an user, the collection of data over time could potentially reveal the user’s lifestyle.
Our technique is intended to protect privacy at the application layer. To protect users’ privacy, other techniques can add other protection layers, such as MAC address spoofing, to prevent tracking or identification of the user’s device. The communication between users and the LBS server is protected by cryptographic techniques (e.g., TLS, transport layer), and sensitive data are stored in encrypted form. Our application layer privacy approach is orthogonal to other privacy techniques, such as VPNs (network layer), and so on.
Location Privacy Analysis
We consider a network system consisting of
m disjoint spatial cells, each cell of size
as shown in
Figure 2, containing
n equally probable positions that represent the minimum location resolution. The probability of a cell being queried is proportional to its query frequency. To protect their privacy, users can select
k cells to form a k-anonymity set when submitting location-based queries. We assume that a total of
U users are moving within the network, and a fraction of them are located within each cell
j.
The entropy of a single cell,
, is given by
, which is based on the uniform probability distribution of the location of a user within the cell [
31]. Before a user enters a cell or submits a query, the cell’s master has no knowledge of the user’s location, and the entropy is
. After the query is broadcast to the cell, the cell’s master (and other users in the cell) learns that the user is within its cell, reducing the entropy to
. The privacy loss for the cell’s master is thus
.
Similarly, the LBS server’s entropy before the query is . After receiving a query with k-anonymity, the LBS server learns that the user is within one of the k cells in the anonymity set, resulting in an approximate entropy of . The privacy loss for the LBS server is .
The accumulated privacy loss (APL) is proposed to capture the cumulative privacy loss across all users in the system. The formulation for APL is based on the following considerations.
For cell-based queries, the APL is defined as
where
is the number of queries based on cell
j issued by users in cell
j, and
is the total number of nodes in cell
j. This formulation accounts for the fact that all nodes in the cell potentially receive the query information, not just the master node. The privacy loss is thus multiplied by the number of nodes in the cell, as each of these nodes could potentially compromise the privacy of the querying users.
For LBS-based queries with k-anonymity, the APL is defined as
where
is the number of queries sent to the LBS server, and
is a weighting factor to account for the LBS server’s ability to maintain and accumulate historical information from all cells over time. In contrast to the cells’ master node, the LBS server is a centralized entity that collects information from all cells over time, potentially leading to a higher cumulative privacy loss. The weighting factor
(
) can be chosen based on the desired level of privacy protection and the relative importance of the comprehensive view of the LBS server compared to the limited view of cell nodes. For simplicity, in this work, we assume
.
The average APL across all cells is given by
For APL(LBS) to be greater than the average APL(cell), the following condition should be satisfied:
This condition depends on multiple factors: the number of queries sent to the LBS (), the number of cells in the k-anonymity set (k), the number of queries issued within each cell (), and the total number of nodes in each cell (). The inclusion of in the cell-based privacy loss calculation reflects the potential for all nodes in a cell to access query information, not just the cell master. This comprehensive approach provides a more accurate representation of the privacy implications in our distributed MANET-based LBS system.
The relative magnitude of privacy loss between LBS-based and cell-based scenarios will depend on the specific values of these parameters in a given implementation. For example, if cells typically contain many nodes ( is large) and a significant number of queries are issued within cells ( is large), the loss of privacy based on cells could be substantial. Conversely, if the LBS is frequently queried ( is large) or if the k-anonymity sets are small, the loss of privacy based on LBSs could dominate.
Therefore, we may say that the total privacy loss of the system is
Thus, the complete equation for the system’s APL is
This formulation provides a comprehensive view of the privacy implications in the entire system, clearly showing how the total system privacy loss is composed of two components: the privacy loss from LBS queries and the privacy loss from cell-based queries. Importantly, it highlights that a user who needs to access the LBS experiences a cumulative privacy loss, encompassing both the cell-based loss (from interactions within their local MANET cell) and the LBS-based loss (from querying the centralized LBS). This loss of privacy in the dual layer reflects the reality of our hybrid system, where users first attempt to resolve queries within their local cell before resorting to using LBSs.