MetroSense: opportunistic crowd-sourced sensing (2007-15)

This project is no longer active; this page is no longer updated.

Related projects: [Mobility-models]

Related keywords: [privacy], [security], [sensors], [wearable]


Summary

MetroSense was a broad project that explored the potential for "opportunistic crowd-sensing": crowd-sourced collection of sensor data from mobile users carrying smartphones or other sensing devices. One of our papers summarized the many security and privacy challenges this model raises [kapadia:metrosec-challenges].

In our group we developed the AnonySense system, which includes novel mechanisms for collecting sensor data anonymously from people who volunteer their cell phones as part of a distributed sensing platform, addressing a key challenge in participatory and opportunistic urban sensing. We also developed a novel interface that lets people specify how sensor data about them may be shared with others. To evaluate this work we measured system performance in terms of bandwidth and power consumption, conducted a user study, and used large wireless-network traces from the Dartmouth campus [cornelius:anonysense, kapadia:anonysense, shin:anonysense].

In related work we developed a spatiotemporal blurring mechanism based on tessellation and clustering of space according to the location of access points and the relative density of users in each region [shin:anonytiles].

A student thesis examined linkability in activity-inference data sets: whether sensor traces collected to infer a user's activity can also be used to infer which volunteer carried the sensors, and so be linked back to the same person [fielding:thesis].

In a subproject called PLACE (Privacy in Location-Aware Computing Environments) [anthony:pervasive], we also developed a method for access control called virtual walls. Users deploy 'virtual walls' to control the privacy of their digital footprints much as they control their privacy in the physical world. We presented a policy framework and model for virtual walls with three levels of transparency that correspond to intuitive levels of privacy, and described the results of a user study (N=23) indicating that the model is easy to understand and use [kapadia:walls].

We also developed DEAMON, an energy-efficient distributed algorithm for long-term sensor monitoring. Our approach assumes only that mobile nodes are tasked to report sensor data under conditions specified by a Boolean expression, and that a network of nearby sensor nodes contributes to monitoring subsets of the task's sensors. Our algorithm for selecting sensor nodes and monitoring the sensing condition conserves the energy of all nodes by limiting sensing and communication operations. We evaluated DEAMON with a stochastic analysis and with simulation results, and showed that it should significantly reduce energy consumption [shin:deamon].

People

Denise Anthony, Cory Cornelius, Jeffrey Fielding, Tristan Henderson, Peter Johnson, Apu Kapadia, David Kotz, Dan Peebles, Minho Shin, Nikos Triandopoulos, Patrick Tsang.

Funding and acknowledgements

This research was funded by the Institute for Security Technology Studies (ISTS), supported by the US Department of Justice (Bureau of Justice Assistance) under grant 2005-DD-BX-1091, the US Department of Commerce (NIST) under grant 60NANB6D6130, and the US Department of Homeland Security under grant 2006-CS-001-000001.

The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).


Papers (tagged 'metrosense')


Papers are listed in reverse-chronological order, each followed by its abstract.

2015:
Minho Shin, Cory Cornelius, Apu Kapadia, Nikos Triandopoulos, and David Kotz. Location Privacy for Mobile Crowd Sensing through Population Mapping. Sensors. June 2015.

Opportunistic sensing allows applications to “task” mobile devices to measure context in a target region. For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street or users’ mobile phones to locate (Bluetooth-enabled) objects in their vicinity. In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk: even if identifying information has been removed from a report, the accompanying time and location can reveal sufficient information to de-anonymize the user whose device sent the report. We propose and evaluate a novel spatiotemporal blurring mechanism based on tessellation and clustering to protect users’ privacy against the system while reporting context. Our technique employs a notion of probabilistic k-anonymity; it allows users to perform local blurring of reports efficiently without an online anonymization server before the data are sent to the system. The proposed scheme can control the degree of certainty in location privacy and the quality of reports through a system parameter. We outline the architecture and security properties of our approach and evaluate our tessellation and clustering algorithm against real mobility traces.

2011:
Minho Shin, Cory Cornelius, Dan Peebles, Apu Kapadia, David Kotz, and Nikos Triandopoulos. AnonySense: A System for Anonymous Opportunistic Sensing. Journal of Pervasive and Mobile Computing. February 2011.

We describe AnonySense, a privacy-aware system for realizing pervasive applications based on collaborative, opportunistic sensing by personal mobile devices. AnonySense allows applications to submit sensing tasks to be distributed across participating mobile devices, later receiving verified, yet anonymized, sensor data reports back from the field, thus providing the first secure implementation of this participatory sensing model. We describe our security goals, threat model, and the architecture and protocols of AnonySense. We also describe how AnonySense can support extended security features that can be useful for different applications. We evaluate the security and feasibility of AnonySense through security analysis and prototype implementation. We show the feasibility of our approach through two plausible applications: a Wi-Fi rogue access point detector and a lost-object finder.

2010:
Dan Peebles, Cory Cornelius, Apu Kapadia, David Kotz, Minho Shin, and Nikos Triandopoulos. AnonyTL Specification. Technical Report, January 2010.

We provide a specification of AnonyTL, a domain-specific language that describes sensing tasks for mobile devices in a manner that facilitates automated reasoning about privacy.

2009:
Minho Shin, Patrick Tsang, David Kotz, and Cory Cornelius. DEAMON: Energy-efficient sensor monitoring. Proceedings of the IEEE Communications Society Conference on Sensor, Mesh, and Ad Hoc Communications and Networks (SECON). June 2009.

In people-centric opportunistic sensing, people offer their mobile nodes (such as smart phones) as platforms for collecting sensor data. A sensing application distributes sensing ‘tasks,’ which specify what sensor data to collect and under what conditions to report the data back to the application. To perform a task, mobile nodes may use on-board sensors, a body-area network of personal sensors, or sensors from neighboring nodes that volunteer to contribute their sensing resources. In all three cases, continuous sensor monitoring can drain a node’s battery.

We propose DEAMON (Distributed Energy-Aware MONitoring), an energy-efficient distributed algorithm for long-term sensor monitoring. Our approach assumes only that mobile nodes are tasked to report sensor data under conditions specified by a Boolean expression, and that a network of nearby sensor nodes contribute to monitoring subsets of the task’s sensors. Our algorithm to select sensor nodes and to monitor the sensing condition conserves energy of all nodes by limiting sensing and communication operations. We evaluate DEAMON with a stochastic analysis and with simulation results, and show that it should significantly reduce energy consumption.
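To make concrete what "limiting sensing and communication operations" can buy when a task's condition is a Boolean expression, here is an added example. It is not DEAMON's algorithm and it omits the paper's distributed node-selection protocol and stochastic analysis; it only shows two of the ideas the summary above and this abstract describe: evaluating the condition lazily, cheapest sensor first, so that an expensive sensor is sampled only when the cheaper ones leave the outcome undecided, and spreading samples across the nearby nodes able to provide a sensor by charging the one with the most remaining energy. The sensor costs, readings, node names and battery levels are all constructed for the example.

```python
"""Energy-aware evaluation of a Boolean sensing condition (illustration).

Not DEAMON itself: it shows lazy, cheapest-first evaluation of the task
condition and spreading of samples over the nodes able to provide a sensor.
All costs, readings and node names below are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Union

# Assumed energy cost (arbitrary units) of taking one sample of each sensor.
COST = {"accel": 1, "temp": 2, "mic": 20, "gps": 50}

@dataclass
class Pred:
    sensor: str
    holds: Callable[[object], bool]

@dataclass
class And:
    ops: list

@dataclass
class Or:
    ops: list

Expr = Union[Pred, And, Or]

def sensors_in(e: Expr) -> Set[str]:
    if isinstance(e, Pred):
        return {e.sensor}
    return set().union(*(sensors_in(o) for o in e.ops))

def min_cost(e: Expr) -> int:
    """Cheapest sample that can start deciding e; used to order operands."""
    if isinstance(e, Pred):
        return COST[e.sensor]
    return min(min_cost(o) for o in e.ops)

class Monitor:
    def __init__(self, readings, providers, battery):
        self.readings = readings            # sensor -> current value (constructed)
        self.providers = providers          # sensor -> nodes able to sample it
        self.battery = dict(battery)        # node -> remaining energy
        self.cache: Dict[str, object] = {}  # at most one sample per sensor per round

    def sample(self, sensor: str):
        if sensor not in self.cache:
            # Charge the provider with the most remaining energy.
            node = max(self.providers[sensor], key=lambda n: self.battery[n])
            self.battery[node] -= COST[sensor]
            self.cache[sensor] = self.readings[sensor]
        return self.cache[sensor]

    def lazy(self, e: Expr) -> bool:
        """Short-circuit evaluation with the cheapest operands first."""
        if isinstance(e, Pred):
            return e.holds(self.sample(e.sensor))
        ops = sorted(e.ops, key=min_cost)
        if isinstance(e, And):
            return all(self.lazy(o) for o in ops)   # stops at the first False
        return any(self.lazy(o) for o in ops)        # stops at the first True

    def naive(self, e: Expr) -> bool:
        """Baseline: sample every sensor the task mentions, then evaluate."""
        for s in sorted(sensors_in(e)):
            self.sample(s)
        return self.lazy(e)   # everything is cached, so nothing more is sampled

# Constructed task: report if the carrier is moving fast inside the target
# region, or if it is loud and hot where they are.
IN_REGION = lambda p: 43.6 < p[0] < 43.8 and -72.4 < p[1] < -72.2
TASK = Or([
    And([Pred("accel", lambda a: a > 2.0), Pred("gps", IN_REGION)]),
    And([Pred("mic", lambda db: db > 70), Pred("temp", lambda c: c > 30)]),
])
PROVIDERS = {"accel": ["phone"], "temp": ["phone", "watch"],
             "mic": ["phone"], "gps": ["phone", "car"]}
BATTERY = {"phone": 100, "watch": 60, "car": 1000}
ROUND_A = {"accel": 0.5, "temp": 20, "mic": 40, "gps": (43.70, -72.29)}
ROUND_B = {"accel": 3.0, "temp": 20, "mic": 40, "gps": (43.70, -72.29)}

def evaluate(expr, readings, lazy=True):
    """Run one monitoring round; return (fired, energy spent, battery left)."""
    m = Monitor(readings, PROVIDERS, BATTERY)
    fired = m.lazy(expr) if lazy else m.naive(expr)
    spent = sum(BATTERY[n] - m.battery[n] for n in BATTERY)
    return fired, spent, m.battery

if __name__ == "__main__":
    for name, r in (("A", ROUND_A), ("B", ROUND_B)):
        print(name, "lazy:", evaluate(TASK, r)[:2], "naive:", evaluate(TASK, r, lazy=False)[:2])
```

In the quiet round the lazy evaluator spends 3 units against 73 for sampling everything, because the two cheap predicates already falsify both conjunctions; in the round where the condition fires it still skips the microphone and thermometer entirely and charges the GPS sample to the best-provisioned provider. The caveat a deployer would add is that cheapest-first ordering is only a heuristic: if a cheap predicate is almost always true, ordering by cost times the probability that the sample settles the expression does better, which is the kind of trade-off the paper's stochastic analysis is about.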


Apu Kapadia, David Kotz, and Nikos Triandopoulos. Opportunistic Sensing: Security Challenges for the New Paradigm. Proceedings of the International Conference on COMmunication Systems and NETworkS (COMSNETS). January 2009. Invited paper.

We study the security challenges that arise in opportunistic people-centric sensing, a new sensing paradigm leveraging humans as part of the sensing infrastructure. Most prior sensor-network research has focused on collecting and processing environmental data using a static topology and an application-aware infrastructure, whereas opportunistic sensing involves collecting, storing, processing and fusing large volumes of data related to everyday human activities. This highly dynamic and mobile setting, where humans are the central focus, presents new challenges for information security, because data originates from sensors carried by people, not tiny sensors thrown in the forest or attached to animals. In this paper we aim to instigate discussion of this critical issue, because opportunistic people-centric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new sensing paradigm.

2008:
Cory Cornelius, Apu Kapadia, David Kotz, Dan Peebles, Minho Shin, and Nikos Triandopoulos. AnonySense: Privacy-Aware People-Centric Sensing. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2008.

Personal mobile devices are increasingly equipped with the capability to sense the physical world (through cameras, microphones, and accelerometers, for example) and the network world (with Wi-Fi and Bluetooth interfaces). Such devices offer many new opportunities for cooperative sensing applications. For example, users’ mobile phones may contribute data to community-oriented information services, from city-wide pollution monitoring to enterprise-wide detection of unauthorized Wi-Fi access points. This people-centric mobile-sensing model introduces a new security challenge in the design of mobile systems: protecting the privacy of participants while allowing their devices to reliably contribute high-quality data to these large-scale applications.

We describe AnonySense, a privacy-aware architecture for realizing pervasive applications based on collaborative, opportunistic sensing by personal mobile devices. AnonySense allows applications to submit sensing tasks that will be distributed across anonymous participating mobile devices, later receiving verified, yet anonymized, sensor data reports back from the field, thus providing the first secure implementation of this participatory sensing model. We describe our trust model, and the security properties that drove the design of the AnonySense system. We evaluate our prototype implementation through experiments that indicate the feasibility of this approach, and through two applications: a Wi-Fi rogue access point detector and a lost-object finder.


Cory Cornelius, Apu Kapadia, David Kotz, Dan Peebles, Minho Shin, and Patrick Tsang. Poster Abstract: Reliable People-Centric Sensing with Unreliable Voluntary Carriers. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2008.

As sensor technology becomes increasingly easy to integrate into personal devices such as mobile phones, clothing, and athletic equipment, there will be new applications involving opportunistic, people-centric sensing. These applications, which gather information about human activities and personal social context, raise many security and privacy challenges. In particular, data integrity is important for many applications, whether using traffic data for city planning or medical data for diagnosis. Although our AnonySense system (presented at MobiSys) addresses privacy in people-centric sensing, protecting data integrity in people-centric sensing still remains a challenge. Some mechanisms to protect privacy provide anonymity, and thus provide limited means for accountability; data integrity becomes even more difficult to protect.

We propose SenseRight, the first architecture for high-integrity people-centric sensing. The SenseRight approach, which extends and enhances AnonySense, assures integrity of both the sensor data (through use of tamper-resistant sensor devices) and the sensor context (through a time-constrained protocol), maintaining anonymity if desired.


Jeffrey Fielding. Linkability in Activity Inference Data Sets. Technical Report, June 2008. Available as Dartmouth Computer Science Technical Report TR2008-623.

Activity inference is an active area of ubiquitous computing research. By training machine learning algorithms on data from sensors worn by volunteers, researchers hope to develop software that can interact more naturally with the user by inferring what the user is doing. In this thesis, we use the same sensor data to infer which volunteer is carrying the sensors. Such inference could be useful -- for example, a mobile device might infer who is carrying it and adapt to that user's preferences. It also raises some privacy concerns, since an attacker could learn more about a user by linking together several sensor traces from the same user. We develop a model to differentiate users based on their sensor data, and examine its accuracy as well as the potential benefits and pitfalls.

Apu Kapadia, Nikos Triandopoulos, Cory Cornelius, Dan Peebles, and David Kotz. AnonySense: Opportunistic and Privacy-Preserving Context Collection. Proceedings of the International Conference on Pervasive Computing (Pervasive). May 2008.

Opportunistic sensing allows applications to “task” mobile devices to measure context in a target region. For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street, or users’ mobile phones to locate (Bluetooth-enabled) objects in their neighborhood. In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk---even if a report has been anonymized, the accompanying time and location can reveal sufficient information to deanonymize the user whose device sent the report.

We propose AnonySense, a general-purpose architecture for leveraging users’ mobile devices for measuring context, while maintaining the privacy of the users. AnonySense features multiple layers of privacy protection---a framework for nodes to receive tasks anonymously, a novel blurring mechanism based on tessellation and clustering to protect users’ privacy against the system while reporting context, and k-anonymous report aggregation to improve the users’ privacy against applications receiving the context. We outline the architecture and security properties of AnonySense, and focus on evaluating our tessellation and clustering algorithm against real mobility traces.
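The blurring mechanism described in the summary above, in the 2015 Sensors abstract and in this Pervasive abstract can be sketched in code. The following is an added illustration, not code from the AnonySense project: it tessellates a floor plan into one cell per Wi-Fi access point (a report is assigned to its nearest AP), merges sparse cells with their nearest neighbour until every tile is expected to hold at least K users, and then blurs a report locally to a tile and a time bucket with no anonymization server in the loop. The AP names, coordinates and expected user counts are constructed (in the real system the densities would come from wireless-network traces), and the greedy merge, the value of K and the 10-minute bucket are my simplifications, not the papers' parameters.

```python
"""Local spatiotemporal blurring with probabilistic k-anonymity (illustration).

Not the AnonySense algorithm itself: a simplified version of its idea.  Space
is tessellated into one cell per access point, sparse cells are merged until
every tile is expected to hold at least K users, and a device blurs its own
report to (tile, time bucket).  All AP data below is constructed."""
from dataclasses import dataclass
from math import hypot
from typing import Dict, List, Optional

K = 3                    # anonymity parameter: expected users per tile
TIME_BUCKET_SECS = 600   # reports carry a 10-minute bucket, not a timestamp

@dataclass(frozen=True)
class AccessPoint:
    name: str
    x: float
    y: float
    avg_users: float   # expected associated users; constructed here, from traces in practice

@dataclass
class Tile:
    aps: List[AccessPoint]

    @property
    def name(self) -> str:
        return "+".join(sorted(a.name for a in self.aps))

    @property
    def users(self) -> float:
        return sum(a.avg_users for a in self.aps)

    @property
    def centroid(self):
        n = len(self.aps)
        return (sum(a.x for a in self.aps) / n, sum(a.y for a in self.aps) / n)

def nearest_ap(aps: List[AccessPoint], x: float, y: float) -> AccessPoint:
    """Voronoi-style cell assignment: the AP closest to the point."""
    return min(aps, key=lambda a: hypot(a.x - x, a.y - y))

def cluster_tiles(aps: List[AccessPoint], k: float) -> List[Tile]:
    """Greedily merge the sparsest tile into its nearest neighbour until every
    tile is expected to hold >= k users, or only one tile remains."""
    tiles = [Tile([a]) for a in aps]
    while len(tiles) > 1:
        sparse = [t for t in tiles if t.users < k]
        if not sparse:
            break
        t = min(sparse, key=lambda s: s.users)
        cx, cy = t.centroid
        nb = min((o for o in tiles if o is not t),
                 key=lambda o: hypot(o.centroid[0] - cx, o.centroid[1] - cy))
        tiles = [o for o in tiles if o is not t and o is not nb]
        tiles.append(Tile(t.aps + nb.aps))
    return tiles

def blur_report(tiles: List[Tile], aps: List[AccessPoint],
                x: float, y: float, t_secs: int, k: float = K) -> Optional[Dict[str, object]]:
    """Replace an exact (x, y, t) with the covering tile and time bucket.

    Returns None when even the merged tile cannot reach k expected users;
    the device should then withhold the report rather than send a weak one."""
    ap = nearest_ap(aps, x, y)
    tile = next(t for t in tiles if ap in t.aps)
    if tile.users < k:
        return None
    return {"tile": tile.name, "t": (t_secs // TIME_BUCKET_SECS) * TIME_BUCKET_SECS}

# Constructed sample: five APs on a 2-D floor plan with expected user counts.
APS = [
    AccessPoint("A", 0, 0, 5),
    AccessPoint("B", 10, 0, 1),
    AccessPoint("C", 20, 0, 1),
    AccessPoint("D", 0, 10, 4),
    AccessPoint("E", 60, 40, 3),
]

if __name__ == "__main__":
    tiles = cluster_tiles(APS, K)
    for t in tiles:
        print(t.name, "expected users:", t.users)
    print(blur_report(tiles, APS, 11, 1, 1234))   # a report near AP B
```

With the sample data the two one-user cells B and C are absorbed into A's cell, so a report near B is released as tile "A+B+C" in the 1200-second bucket rather than as an exact point and time. Two things a deployer would check: the merged tile for a sparse region can grow large, which is exactly the privacy-versus-report-quality trade-off the papers control through a system parameter, and the guarantee is probabilistic, resting on expected rather than observed occupancy, so a tile that is empty at 3 a.m. offers less protection than its average suggests.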


2007:
Denise Anthony, Tristan Henderson, and David Kotz. Privacy in Location Aware Computing Environments. IEEE Pervasive. October 2007.

As location-aware and pervasive computing technologies become more prevalent, privacy concerns are becoming increasingly important. User preferences about location privacy may depend on place, not only in terms of their physical location but also in terms of their social context: how they define where they are, what they are doing, and whom they are with at the time. Using the experience sampling method, the authors explored the privacy preferences of 25 users during one week. They found that participants were more willing to share location information when at home or alone than when at other locations or with friends. Most participants were consistent in their location privacy preferences across requester categories and regardless of place. Some participants, however, varied in their willingness to share location information depending on where they were, who they were with, and who was requesting the information. Those participants tended to be more concerned about privacy in general. These findings are useful for designing future privacy policies and user interfaces for pervasive computing. This article is part of a special issue on security and privacy.

Apu Kapadia, Tristan Henderson, Jeffrey Fielding, and David Kotz. Virtual Walls: Protecting Digital Privacy in Pervasive Environments. Proceedings of the International Conference on Pervasive Computing (Pervasive). May 2007.

As pervasive environments become more commonplace, the privacy of users is placed at an increased risk. The numerous and diverse sensors in these environments can record contextual information about users, leading to users unwittingly leaving “digital footprints.” Users must therefore be allowed to control how their digital footprints are reported to third parties. While a significant amount of prior work has focused on location privacy, location is only one specific type of footprint, and we expect most users to be incapable of specifying fine-grained policies for a multitude of footprints. In this paper we present a policy language based on the metaphor of physical walls, and posit that users will find this to be an intuitive way to control access to their digital footprints. For example, users understand the physical privacy implications of conducting a meeting in a room enclosed by physical walls. By allowing users to deploy “virtual walls,” they can control the privacy of their digital footprints much in the same way they control their privacy in the physical world. We present a policy framework and model for virtual walls with three levels of transparency that correspond to intuitive levels of privacy. We also describe the results of a user study (N = 23) that indicates that our model is easy to understand and use.

Peter Johnson, Apu Kapadia, David Kotz, and Nikos Triandopoulos. People-Centric Urban Sensing: Security Challenges for the New Paradigm. Technical Report, February 2007.

We study the security challenges that arise in people-centric urban sensing, a new sensor-networking paradigm that leverages humans as part of the sensing infrastructure. Most prior work on sensor networks has focused on collecting and processing ephemeral data about the environment using a static topology and an application-aware infrastructure. People-centric urban sensing, however, involves collecting, storing, processing and fusing large volumes of data related to everyday human activities. Sensing is performed in a highly dynamic and mobile environment, and supports (among other things) pervasive computing applications that are focused on enhancing the user's experience. In such a setting, where humans are the central focus, there are new challenges for information security: not only because of the complex and dynamic communication patterns, but also because the data originates from sensors that are carried by a person, not a tiny sensor thrown in the forest or mounted on the neck of an animal. In this paper we aim to instigate discussion about this critical issue, because people-centric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new paradigm of sensor networks.

