Untitled

Integrating people-centric sensing with
social networks: A privacy research agenda
Laboratory for Dependable Distributed Systems Abstract—During the last few years there has been an
Spiekermann and Cranor [1], privacy by policy offers the increasing number of people-centric sensing projects, which
minimum degree of protection and systems utilizing such combine location information with other sensors available on
solutions should make users aware of privacy risks and offer mobile devices, such as the camera, the microphone or the
them choices to exercise control over their personal informa- accelerometer, giving birth to a different dimension in sensing
our environment compared to the existing wireless sensor
tion. For example, Shilton et al. [2] recently proposed design networks approach. In this paper, we envision a new scenario,
principles for urban sensing, engaging the participants in where users develop their own participatory urban sensing
the ethical decision-making and the negotiation of personal projects at a large scale through the use of social networks.
Consequently, users can participate in campaigns created
by other users, according to their sensitivities and interests,
On the other hand, anonymity provides higher levels of exploiting the existing enormous social interconnections offered
privacy, making the system tamper-proof against stronger by existing social networking tools. We place our primary
attackers, who would not be deterred by policies and regula- concern to protecting user privacy and address the need for
tions. Towards this goal, techniques for achieving anonymity new solutions in location anonymity and access control under
both on the network and data level must be combined, this new complex and dynamic communication paradigm.
as there is no real anonymity on the data level, withoutanonymity on the network level.
In this paper we explore the research challenges for Over the last years geo-location chips along with other providing anonymity on the network level. In addition, we sensors, such as camera, microphone or accelerometer are motivate the integration of sensor data with social networks becoming more and more prevalent in mobile devices carried and we discuss the new privacy challenges that arise from by billions of people. This provides us with a substrate this participatory sensing paradigm.
for widespread public participation in data collection inthe urban environment and the chance to create collective intelligence systems to address urban-scale problems, like While the importance of privacy is mentioned by most ur- air pollution, noise, traffic, etc. Such systems, often referred ban sensing projects, there are currently only a few proposed to as “people-centric sensing”, come to complement our solutions towards this direction. One approach is Anony- previous efforts to deploy wireless sensor networks to sense Sense [3], a general-purpose architecture for maintaining our environment and extend our possibilities by taking the privacy of the users in opportunistic urban sensing advantage of the large scale of sensors already existing on applications. The term opportunistic sensing refers to sys- tems where the custodian’s device is utilized by the system Next to the benefits that this new approach has, it also whenever its state (e.g. geographic location) matches the poses new challenges. Exactly because participatory sensing requirements of an application, without the custodian being is based on people, its success, like many crowd-sourcing aware of the sensing activity. Here we focus on participatory services on the web, depends on the willingness of volun- sensing, where the user consciously opts to meet application teers to devote their time to help with the data collection requirements for data out of personal interest.
task and most of the times without direct benefits for them.
An other approach that we also mentioned in the pre- Since people do not get a direct benefit with respect to vious section is privacy by policy. A current research their identity and location, as for example in location-based direction on providing privacy for urban sensing systems services (LBS), retaining their privacy becomes an important attempts to engage participants themselves to answer privacy dilemmas [2]. It has been shown that how people choose One way to deal with privacy is to let users choose the to withhold or disclose information about them depends privacy policies offered by service provider in some form highly on their context, e.g. identity, situation, time, or of contract, which states what data will be collected, for culture. Therefore, the above approach attempts to provide what purpose and how it can be distributed. As argued by the tools to negotiate sharing and discretion according to personal context and preferences. It concentrates on data ultimate goal is to foster research and accelerate innovation level anonymity, i.e., preserving the confidentiality of user in defining novel use cases and applications for the urban data in the application layer. In this paper we concentrate on sensing paradigm. We argue that instead of searching for the network layer anonymity and we are interested in hiding the next killer applications, we must seek incremental so- the network identifiers of the user in the network layer.
lutions where the combination of user-generated data andsocial interconnections of people can lead to a new type of knowledge and thus establishing potentially new use cases.
Our physical world contains more sensory data than we can possibly comprehend. Involving people in the data When designing a privacy protection system, one has to collection process can greatly narrow down observations consider first the privacy risks that the users are subject via critical decisions, reality checks, and inferences. Which to, depending on different attacker models. While there are data is important? How much do we need? Humans can well known mechanisms for understanding security risks, we figure out how to collect public sensing data by making lack mechanisms for evaluating privacy risks, especially in opportunistic choices on the spot, taking into consideration pervasive computing environments. Without the right privacy immediate factors not possible using digital methods. We risk models it is difficult to understand at which extent the can use these dynamics to build systems where people are privacy technologies are needed to address those risks and the main contributors and consumers of the data, given that develop architectures, interaction techniques, and strategies they are motivated by a common cause to offer their sensing for managing them. This section targets to set the ground possibilities. We argue that this participatory model is more for evaluating existing privacy mechanisms for participatory likely to gain the trust of people in future applications, compared to opportunistic sensing, where the custodian’s A. Challenge I: Defining appropriate attacker models device is utilized by the system without the custodian beingaware of the sensing activity.
There are (at least) two network access possibilities for We envision a sensor data-sharing infrastructure, where the user: through a data telecommunications service, like people and their mobile phone devices provide their col- GSM or UMTS and through a (possibly open) WLAN access lected data streams in accessible ways to third parties point. In such a communication paradigm, the behavior of interested in integrating and remixing the data for a specific users leaves a lot of traces. These traces are generated during purpose/campaign. People should be able not only to control data communication due to different commercial, technical the time and place that their personal device measures and and legal requirements and they can occur over the two sends information from their immediate environment, but different communication hops: between the user and the also be aware of what that information is being used for.
access point (mobile operator or Wi-Fi hotspot) or between People should receive a meaningful benefit in exchange the access point and the services provider. Basically, all for sharing data. Meaningful benefits include compelling involved stakeholders can potentially try to upset the users applications based on anonymous learning from “users like privacy, even by colluding with each other.
me”. People should be able to enjoy the benefits of these In the case a user uses his mobile operator to connect to services simply in exchange for their data.
the Internet, information like the IMSI (International Mobile Recruitment of participants in such urban sensing cam- Subscriber Identity) and the IMEI (International Mobile paigns will be a determinant factor for the success of Equipment Identity) can be used to directly identify the user.
their outcome. The organizers of campaigns, either being In case he uses a Wi-Fi spot, the unique MAC address of community groups or simply motivated individuals, should his mobile device is associated to the Access Point. There be able to attract interested and well-suited participants for a are also many stakeholders in the scenario of participatory campaign, based on the needs and specifications of the case sensing: the user, the mobile network operator, the operator they want to make. Web 2.0 has already initiated a new of the WLAN access point, organizations running the In- age of user-created content and participative web. The mass ternet backbone, and finally the social network application adoption of social-networking websites is causing a major provider. Theoretically, all these stakeholders could try to shift in the Internet’s function and design and is turning it spy simultaneously on the users identity when sensing. How- into a tool for connecting people, who can also create content ever, in practice there are usually smaller groups colluding Therefore, we propose leveraging existing open Web 2.0 • Who is actually capable of committing attacks and services like social networks, in order to offer a tool to which are the needed technical capabilities for these the users for recruiting people and creating a user base for goal-based sensing projects, bringing social networks and • What would be the motivation of each stakeholder to the physical world one step closer. On the long run, the • With whom does it make sense for each stakeholder to generally have much lower bandwidth capabilities and more transmission errors than wired networks, a fact that causes From a theoretical point of view, the worst-case individ- ual stakeholder, who could turn malicious, is the mobile The task therefore is to investigate how and whether operator. Because it is necessary for network management privacy can be enhanced in the urban sensing paradigm and billing, the mobile operator directly observes identifying with a reasonable tradeoff between anonymity protection information like the IMSI. It is hard to establish any form of and performance loss. We identify therefore the challenge anonymity against the mobile operator, and this is currently of investigating and evaluating the multitude of anonymity an open problem of research. Another alternative for the user techniques for their suitability in participatory people-centric would be to use other mechanisms of network access, like sensing. In particular, some more concrete research question open WLAN access points. If the WLAN operator is also malicious, things become even harder. Investigating these • How much does latency of anonymizing networks in attacker models therefore lead to interesting and challenging the mobile Internet affect users’ participation in anony- Research directions and related work: We suggest first • How much does this latency affect the provisioning of looking at all combinations of malicious entities and then identifying those that seem appropriate in the participatory • To which extent can we quantify and compare sensing paradigm as well as pose theoretical and practical the security and performance properties of available challenges. In particular, we propose on one hand the anonymity techniques, when applied to the communi- construction of a theoretical attacker model in order to cation paradigm of people-centric sensing? make statements about the security of abstract models of Research directions and related work: In the literature, anonymization networks in participatory urban sensing. This existing solutions for network layer anonymity and unlink- can allow us to find basic statements on security properties ability of user actions are categorized into three groups: even for real systems and explore the limits of privacy proxies, peer-to-peer (P2P) networks and Mix networks.
provision. On the other hand, we should develop more Here we concentrate on the last two groups to find an practical-oriented attacker models, which can be used for appropriate solution for our scenario.
analysis of deployed implementations and provide end-users 1) Tor: The Tor-network is currently the network with with reasonable level of privacy protection.
the most number of users and related research publications.
Before a client can use the network, he has to get the B. Challenge II: Sender Anonymity and Unlinkability network information about the available servers from a cas- Urban sensing is an emerging scenario, where a single caded cache group of dedicated directory servers. Recently infrastructure integrates heterogeneous technologies such as Lenhard et al. [4] made performance measurements of the wired, wireless and cellular networks. One of the main usage of Tor in cellular phone networks and showed that challenges is to allow users to report location-specific sensor the bootstrapping phase has turned out to take significantly data while preserving at the same time their anonymity. The longer than expected in this case (about 232.9 seconds). So, first approximation of the term anonymity for the system downloading the relay descriptors forms the bottleneck in means to provide sender anonymity, i.e. the identity of the sender of a message must be hidden to external parties, 2) AN.ON: Formerly initiated by the German project AN.ON (ANonymity ONline), the project is sometimes also Towards this goal we need to investigate whether the referred to as JAP, which is in fact the name of the client existing solutions for providing anonymity can be applied in side-software. In contrast to Tor, here a cascade is accepted such a complex environment, evaluate them and propose new by the central authority only if the nodes are providing a solutions where needed. Depending on the strength of the fair amount of bandwidth, resulting in a better quality of attacker model, we need to study the appropriate anonymity service. Also AN.ON does not require the downloading of techniques and evaluate the quality of the provided pro- directory information. Even though it does not have forward tection with respect to their anonymity and performance secrecy and does not supports arbitrary TCP traffic (except properties. We expect that posing requirements such as HTTP and HTTPS), we consider it a solution worth being usability, availability and trust will bring up needs for new solutions for this new scenario, which we need to address by proposing the corresponding measures or adjustments to anonymous file exchange and they are based on ant routing The determinant factor here is performance. Performance algorithms for ad-hoc networks. The main representatives plays a much more important role in the mobile Internet than are the anonymizing network Ants and Mute. Even though it does in the traditional wired Internet. Mobile networks they have very limited academic coverage so far and a very small number of users, they are more attractive as a where individuals communicate with each other directly.
research direction for our scenario, in terms of performance.
Furthermore a global passive adversary model is assumed, As these networks are mere peer-to-peer networks, all the where the attacker can observe all the inputs and outputs of participants also act as intermediary nodes. Any new user the anonymous communication network. Generalizing the needs to learn some of these identities in order to connect first and relaxing the second assumption certainly creates an to the network. For this reason, participants only get to interesting but very challenging problem.
know small parts of it upon arrival of a new node and there is no central point where all information is gatheredtogether at any given time.
In this paper we motivate and discuss the integration of social networks into people-centric participatory sensing. We C. Challenge III: Integrating with social networks concentrate more on the privacy challenges in such a setting In the typical situation studied extensively in the bibliog- and emphasize on the importance of first defining the right raphy for anonymous communication, N users send mes- attacker models. Then we elaborate on the suitability of sages to each other through a mix-network and anonymity existing anonymization techniques and we discuss on the is based on creating uncertainty concerning the identity of need to study the effect that social interconnections of users the subject who originated or received a message. As the have on their anonymity. We believe that future pervasive number of users in the system increases, the probability of computing systems that call for people’s participation in being linked to a particular action decreases. The theoretical the interaction with our environment will pose similar chal- analysis is usually based on the assumption that senders lenges and certainly addressing these challenges will lead to choose the receivers of their messages uniformly at random.
a more solid understanding of privacy.
In our scenario, the interconnection of users through social networks creates a different setting for the evaluation of the performance by anonymous communication networks. Here, [1] S. Spiekermann and L. Cranor, “Engineering privacy,” IEEE an attacker, besides her observations at the communication Transactions on Software Engineering, vol. 35, no. 1, 2009.
layer, has also knowledge from the application layer, i.e., the [2] K. Shilton, “Four billion little brothers?: Privacy, mobile identities of the users that participate in the system and how phones, and ubiquitous data collection,” Communications of they are related, through their profiles in the social network.
the ACM, vol. 52, no. 11, pp. 48–53, 2009.
Users organize themselves into groups with a common goal,and these users are expected to send measurements for the [3] C. Cornelius, A. Kapadia, and N. Triandopoulos, “AnonySense: corresponding campaign. There is an a priori knowledge of privacy-aware people-centric sensing,” in Proceeding of the 6thinternational conference on Mobile systems, applications, and user profiles and associations that can be combined with data services (MobiSys ’08). Breckenridge, CO, USA: ACM, June gathered by traffic analysis of the mix-based network.
Clauß and Schiffner argue that an adversary with access to more information is always able to reduce anonymity [5].
[4] J. Lenhard, K. Loesing, and G. Wirtz, “Performance mea- But later, Diaz et al. [6] showed that user profile information surements of Tor hidden services in low-bandwidth accessnetworks,” in Proceedings of the International Conference of does not necessarily lead to a reduction of the attacker’s Applied Cryptography and Network Security (ACNS ’09), June uncertainty. So, the corresponding question of interest is the • Does the knowledge of user profiles and intercon- [5] S. Claußand S. Schiffner, “Structuring anonymity metrics,” in Proceedings of the second ACM workshop on Digital identity nections through social networks reduce the offered anonymity when integrated in the people-centric sens-ing paradigm? [6] C. Diaz, C. Troncoso, and G. Danezis, “Does additional Research directions and related work: To answer the information always reduce anonymity?” in Proceedings of the2007 ACM workshop on Privacy in electronic society (WPES above question we need to evaluate (quantify) the offered anonymity by an anonymous communication network. Thishas been proved a very difficult task so far. One method of [7] A. Serjantov and G. Danezis, “Towards an information the- measuring anonymity is based on the entropy of the prob- oretic metric for anonymity,” in Proceedings of 2nd In- ability distribution linking an action to all possible subjects ternational Workshop on Privacy-Enhancing Technologies.
Springer-Verlag, April 2002.
that may be related to it [7]. However, the combination ofseveral sources of information in entropy-based anonymity [8] C. Diaz, C. Troncoso, and A. Serjantov, “On the impact of social network profiling on anonymity,” in Proceedings Diaz et al. studied the problem of measuring anonymity of the 8th international symposium on Privacy Enhancing based on profile information [6] and social networks [8]. In these papers an 1-to-1 communication paradigm is followed,

Source: http://pi1.informatik.uni-mannheim.de/filepool/publications/2010_SeSoc_UrbanSensingPrivacy.pdf