In many existing location-based services, a service provider becomes
aware of the location of its customers and can, maybe inadvertently,
leak this information to unauthorized entities. To avoid this
information leak, the provider should be able to offer its services
such that the provider does not learn any information about its
customers' location. We present an architecture that provides this
property and show that the architecture is powerful enough to support
existing location-based services.  Our architecture exploits Trusted
Computing and Private Information Retrieval.  With the help of Trusted
Computing, we ensure that a location-based service operates as
expected by a customer and that information about the customer's
location becomes inaccessible to a location-based service upon a
compromise of the service.  With the help of Private Information
Retrieval, we avoid that a service provider learns a customer's
location by observing which of its location-specific information is
being accessed.