Abstract
Information and Communication Technology is commonly recognized as one of the key enablers in improving the quality of life in our modern society. By including citizens in the digital world, the efficiency of existing services has already been improved. In a second wave, the technological advances of mobile phones promise to further bridge the gap between the physical world and cyberspace. Using sensors embedded in mobile phones, a torrent of data about the physical world can be collected. The inclusion of the gathered data into the digital world contributes to the realization of the vision of so-called smart spaces, ranging from smart homes to smart cities and beyond. These smart spaces can substantially increase the quality of life by leveraging the participation of billions of citizens, e.g., by monitoring traffic congestion and noise pollution. The collection of sensor readings in participatory sensing applications, however, puts the privacy of the users at risk, as the readings may reveal sensitive information about them, such as the locations they visited. Users aware of such threats may decide to opt out of the application, thus decreasing the quantity and quality of the gathered data. Privacy protection is therefore mandatory to encourage potential contributions.
Most existing privacy-preserving solutions specifically tailored to participatory sensing applications fail to include users in the loop, despite the individual nature of privacy. They are mainly preconfigured by application administrators and cannot be personalized by users according to their privacy preferences. Moreover, a majority of existing approaches relies on a central entity responsible for the users' privacy protection. Besides being a single point of failure, such an entity must be trusted by the users not to disclose sensitive information to unauthorized third parties. In order to address these shortcomings and ultimately foster the users' contributions, we propose three privacy-preserving solutions in which users are in control of their privacy protection and can adapt the underlying mechanisms to their own preferences. Furthermore, the provided privacy protection is independent of the trustworthiness of the application server.
In particular, we present a scheme in which users mutually preserve their privacy by physically exchanging sensor readings, along with the time and location of their collection, during opportunistic meetings. By breaking the association between users' identities and sensor readings, the exchanges prevent curious application administrators from inferring the locations visited by the participants based on the uploaded sensor readings. This scheme, however, relies on the collaboration of all participating users. In order to assess the users' degrees of collaboration, we therefore propose mechanisms based on user ratings that readily identify and quarantine malicious users. Using both schemes, users are hence able to determine the applied exchange strategy based on the assessed trust levels of encountered users as well as on their individual preferences. As a result, the collected data are obfuscated prior to their upload to the application server.
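The following toy simulation is an added illustration of the two ideas above (reading exchanges during meetings, and rating-based quarantine of non-cooperating users); it is not the thesis's own code or evaluation, and every function name, parameter and the scoring rule are assumptions chosen for illustration. It models users who collect readings at the locations they visit, swap a fraction of their readings at each opportunistic meeting, and finally upload whatever they hold. A curious server that attributes every uploaded location to the uploader is scored by the precision of that inference; a user who only takes readings but never hands any over is rated 0 by its peers and is quarantined once its rating drops below a threshold.

```python
import random
from statistics import mean

# Added example (not from the thesis): a toy model of exchange-based
# obfuscation with peer ratings. All identifiers are illustrative assumptions.


def collect_readings(num_users, readings_per_user, num_locations, rng):
    """Each user collects readings at locations it actually visits.
    A reading is (origin_user, location); the origin is kept only to score
    the server's inference afterwards and is never part of an upload."""
    visited, held = {}, {}
    for u in range(num_users):
        locs = rng.sample(range(num_locations), readings_per_user)
        visited[u] = set(locs)
        held[u] = [(u, loc) for loc in locs]
    return visited, held


def trust(observations):
    """Rating of a user: share of meetings in which peers saw it cooperate.
    A user nobody has rated yet gets the benefit of the doubt."""
    return mean(observations) if observations else 1.0


def hand_over(held, giver, receiver, fraction, rng):
    """Giver passes a fraction of the readings it currently holds to receiver
    (at least one if it holds any). Returns the number handed over."""
    if not held[giver]:
        return 0
    k = max(1, int(len(held[giver]) * fraction))
    for reading in rng.sample(held[giver], k):
        held[giver].remove(reading)
        held[receiver].append(reading)
    return k


def simulate(num_users=20, readings_per_user=8, num_locations=50, meetings=200,
             fraction=0.5, malicious=frozenset({0}), threshold=0.5, seed=7):
    """Run random pairwise meetings and return the server's inference precision
    (share of uploaded locations the uploader really visited) and the set of
    users quarantined by their peers' ratings."""
    rng = random.Random(seed)
    visited, held = collect_readings(num_users, readings_per_user, num_locations, rng)
    ratings = {u: [] for u in range(num_users)}
    for _ in range(meetings):
        u, v = rng.sample(range(num_users), 2)
        if trust(ratings[u]) < threshold or trust(ratings[v]) < threshold:
            continue  # a quarantined user is refused any exchange
        for giver, receiver in ((u, v), (v, u)):
            had_readings = bool(held[giver])
            # a malicious user accepts readings but never hands any over
            gave = 0 if giver in malicious else hand_over(held, giver, receiver, fraction, rng)
            # the receiver rates the giver: cooperative if it gave something
            # or genuinely had nothing to give
            ratings[giver].append(1.0 if gave > 0 or not had_readings else 0.0)
    # Curious server: every location in a user's upload is assumed to have been
    # visited by that user. Precision drops as foreign readings mix in.
    precisions = []
    for u in range(num_users):
        inferred = {loc for _, loc in held[u]}
        if inferred:
            precisions.append(len(inferred & visited[u]) / len(inferred))
    quarantined = {u for u in range(num_users) if trust(ratings[u]) < threshold}
    return {"inference_precision": mean(precisions), "quarantined": quarantined}


if __name__ == "__main__":
    print("no exchanges:", simulate(meetings=0))
    print("with exchanges:", simulate())
```

Without any meetings the server's inference is perfect (precision 1.0); after the exchange rounds a large share of each upload originates from other users and the precision falls, while the free-riding user 0 is quarantined after its first meeting. A real deployment would also have to guard against malicious users submitting false ratings about honest peers, which this toy model does not cover.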
Furthermore, we propose an innovative scheme based on periodic pseudonyms that allows the application server to assess the trustworthiness of the contributed sensor readings without endangering the users' privacy. In addition to relying on blind signatures, our scheme introduces the concept of reputation cloaking in order to prevent curious application administrators from linking consecutive pseudonyms based on an analysis of their reputation. By applying different proposed cloaking schemes, users can control and balance the inherent trade-off between anonymity protection and loss in reputation according to their personal preferences.
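To make the anonymity-versus-reputation trade-off concrete, here is an added example that is not the thesis's cloaking scheme: it assumes one simple cloaking strategy (rounding the reputation down to a multiple of a chosen granularity before it is shown under a pseudonym) and measures, for a constructed population of reputation values, how many pseudonyms display the same value (the anonymity set a curious server is left with when it tries to match pseudonyms by reputation) against how much reputation each user forgoes by showing the coarsened value. All function names and parameters are illustrative assumptions.

```python
import random
from collections import Counter
from statistics import mean

# Added example (not the thesis's scheme): reputation cloaking by coarsening.
# The floor-to-bucket strategy and all names are illustrative assumptions.


def cloak(reputation, granularity):
    """Display a coarsened reputation: round down to a multiple of
    `granularity`. granularity=1 shows the exact value (no cloaking)."""
    return (reputation // granularity) * granularity


def evaluate(reputations, granularity):
    """Every user shows a cloaked reputation under its current pseudonym.
    A curious server groups pseudonyms by displayed value, so a pseudonym's
    anonymity set is the size of its group. Returns anonymity and loss metrics."""
    shown = [cloak(r, granularity) for r in reputations]
    groups = Counter(shown)
    anonymity_sets = [groups[s] for s in shown]
    return {
        "granularity": granularity,
        "mean_anonymity_set": mean(anonymity_sets),
        # pseudonyms whose displayed value is unique and thus trivially linkable
        "uniquely_identifiable": sum(1 for a in anonymity_sets if a == 1),
        "mean_reputation_loss": mean(r - s for r, s in zip(reputations, shown)),
    }


def tradeoff(num_users=100, max_reputation=1000, granularities=(1, 10, 50, 200), seed=3):
    """Constructed population: uniformly random reputations in [0, max_reputation].
    Coarser granularities merge buckets, so anonymity sets can only grow while
    the forgone reputation grows as well."""
    rng = random.Random(seed)
    reputations = [rng.randint(0, max_reputation) for _ in range(num_users)]
    return [evaluate(reputations, g) for g in granularities]


if __name__ == "__main__":
    for row in tradeoff():
        print(row)
```

The granularities are nested (200 is a multiple of 50, 50 of 10), so moving to a coarser setting never shrinks any pseudonym's anonymity set; the price is a per-user reputation loss that is always below the granularity. A user picks the point on this curve that matches its own preference, which is the kind of personal control the paragraph above describes.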
In addition to proposing these three schemes, we investigate the degree of privacy protection achieved by the devised solutions by means of extensive simulations under realistic scenarios and conditions. Moreover, we assess the applicability of our contributions in participatory sensing applications by using real-world data traces and through a prototypical implementation. Based on our thorough evaluation, we provide guidelines for the parametrization of the proposed schemes by considering both the user and application perspectives.