Integrating people-centric sensing with social networks: A privacy research agenda Laboratory for Dependable Distributed SystemsAbstract—During the last few years there has been an
Spiekermann and Cranor [1], privacy by policy offers the
increasing number of people-centric sensing projects, which
minimum degree of protection and systems utilizing such
combine location information with other sensors available on
solutions should make users aware of privacy risks and offer
mobile devices, such as the camera, the microphone or the
them choices to exercise control over their personal informa-
accelerometer, giving birth to a different dimension in sensing our environment compared to the existing wireless sensor
tion. For example, Shilton et al. [2] recently proposed design
networks approach. In this paper, we envision a new scenario,
principles for urban sensing, engaging the participants in
where users develop their own participatory urban sensing
the ethical decision-making and the negotiation of personal
projects at a large scale through the use of social networks. Consequently, users can participate in campaigns created by other users, according to their sensitivities and interests,
On the other hand, anonymity provides higher levels of
exploiting the existing enormous social interconnections offered
privacy, making the system tamper-proof against stronger
by existing social networking tools. We place our primary
attackers, who would not be deterred by policies and regula-
concern to protecting user privacy and address the need for
tions. Towards this goal, techniques for achieving anonymity
new solutions in location anonymity and access control under
both on the network and data level must be combined,
this new complex and dynamic communication paradigm.
as there is no real anonymity on the data level, withoutanonymity on the network level.
In this paper we explore the research challenges for
Over the last years geo-location chips along with other
providing anonymity on the network level. In addition, we
sensors, such as camera, microphone or accelerometer are
motivate the integration of sensor data with social networks
becoming more and more prevalent in mobile devices carried
and we discuss the new privacy challenges that arise from
by billions of people. This provides us with a substrate
this participatory sensing paradigm.
for widespread public participation in data collection inthe urban environment and the chance to create collective
intelligence systems to address urban-scale problems, like
While the importance of privacy is mentioned by most ur-
air pollution, noise, traffic, etc. Such systems, often referred
ban sensing projects, there are currently only a few proposed
to as “people-centric sensing”, come to complement our
solutions towards this direction. One approach is Anony-
previous efforts to deploy wireless sensor networks to sense
Sense [3], a general-purpose architecture for maintaining
our environment and extend our possibilities by taking
the privacy of the users in opportunistic urban sensing
advantage of the large scale of sensors already existing on
applications. The term opportunistic sensing refers to sys-
tems where the custodian’s device is utilized by the system
Next to the benefits that this new approach has, it also
whenever its state (e.g. geographic location) matches the
poses new challenges. Exactly because participatory sensing
requirements of an application, without the custodian being
is based on people, its success, like many crowd-sourcing
aware of the sensing activity. Here we focus on participatory
services on the web, depends on the willingness of volun-
sensing, where the user consciously opts to meet application
teers to devote their time to help with the data collection
requirements for data out of personal interest.
task and most of the times without direct benefits for them.
An other approach that we also mentioned in the pre-
Since people do not get a direct benefit with respect to
vious section is privacy by policy. A current research
their identity and location, as for example in location-based
direction on providing privacy for urban sensing systems
services (LBS), retaining their privacy becomes an important
attempts to engage participants themselves to answer privacy
dilemmas [2]. It has been shown that how people choose
One way to deal with privacy is to let users choose the
to withhold or disclose information about them depends
privacy policies offered by service provider in some form
highly on their context, e.g. identity, situation, time, or
of contract, which states what data will be collected, for
culture. Therefore, the above approach attempts to provide
what purpose and how it can be distributed. As argued by
the tools to negotiate sharing and discretion according to
personal context and preferences. It concentrates on data
ultimate goal is to foster research and accelerate innovation
level anonymity, i.e., preserving the confidentiality of user
in defining novel use cases and applications for the urban
data in the application layer. In this paper we concentrate on
sensing paradigm. We argue that instead of searching for
the network layer anonymity and we are interested in hiding
the next killer applications, we must seek incremental so-
the network identifiers of the user in the network layer.
lutions where the combination of user-generated data andsocial interconnections of people can lead to a new type of
knowledge and thus establishing potentially new use cases.
Our physical world contains more sensory data than we
can possibly comprehend. Involving people in the data
When designing a privacy protection system, one has to
collection process can greatly narrow down observations
consider first the privacy risks that the users are subject
via critical decisions, reality checks, and inferences. Which
to, depending on different attacker models. While there are
data is important? How much do we need? Humans can
well known mechanisms for understanding security risks, we
figure out how to collect public sensing data by making
lack mechanisms for evaluating privacy risks, especially in
opportunistic choices on the spot, taking into consideration
pervasive computing environments. Without the right privacy
immediate factors not possible using digital methods. We
risk models it is difficult to understand at which extent the
can use these dynamics to build systems where people are
privacy technologies are needed to address those risks and
the main contributors and consumers of the data, given that
develop architectures, interaction techniques, and strategies
they are motivated by a common cause to offer their sensing
for managing them. This section targets to set the ground
possibilities. We argue that this participatory model is more
for evaluating existing privacy mechanisms for participatory
likely to gain the trust of people in future applications,
compared to opportunistic sensing, where the custodian’s
A. Challenge I: Defining appropriate attacker models
device is utilized by the system without the custodian beingaware of the sensing activity.
There are (at least) two network access possibilities for
We envision a sensor data-sharing infrastructure, where
the user: through a data telecommunications service, like
people and their mobile phone devices provide their col-
GSM or UMTS and through a (possibly open) WLAN access
lected data streams in accessible ways to third parties
point. In such a communication paradigm, the behavior of
interested in integrating and remixing the data for a specific
users leaves a lot of traces. These traces are generated during
purpose/campaign. People should be able not only to control
data communication due to different commercial, technical
the time and place that their personal device measures and
and legal requirements and they can occur over the two
sends information from their immediate environment, but
different communication hops: between the user and the
also be aware of what that information is being used for.
access point (mobile operator or Wi-Fi hotspot) or between
People should receive a meaningful benefit in exchange
the access point and the services provider. Basically, all
for sharing data. Meaningful benefits include compelling
involved stakeholders can potentially try to upset the users
applications based on anonymous learning from “users like
privacy, even by colluding with each other.
me”. People should be able to enjoy the benefits of these
In the case a user uses his mobile operator to connect to
services simply in exchange for their data.
the Internet, information like the IMSI (International Mobile
Recruitment of participants in such urban sensing cam-
Subscriber Identity) and the IMEI (International Mobile
paigns will be a determinant factor for the success of
Equipment Identity) can be used to directly identify the user.
their outcome. The organizers of campaigns, either being
In case he uses a Wi-Fi spot, the unique MAC address of
community groups or simply motivated individuals, should
his mobile device is associated to the Access Point. There
be able to attract interested and well-suited participants for a
are also many stakeholders in the scenario of participatory
campaign, based on the needs and specifications of the case
sensing: the user, the mobile network operator, the operator
they want to make. Web 2.0 has already initiated a new
of the WLAN access point, organizations running the In-
age of user-created content and participative web. The mass
ternet backbone, and finally the social network application
adoption of social-networking websites is causing a major
provider. Theoretically, all these stakeholders could try to
shift in the Internet’s function and design and is turning it
spy simultaneously on the users identity when sensing. How-
into a tool for connecting people, who can also create content
ever, in practice there are usually smaller groups colluding
Therefore, we propose leveraging existing open Web 2.0
• Who is actually capable of committing attacks and
services like social networks, in order to offer a tool to
which are the needed technical capabilities for these
the users for recruiting people and creating a user base for
goal-based sensing projects, bringing social networks and
• What would be the motivation of each stakeholder to
the physical world one step closer. On the long run, the
• With whom does it make sense for each stakeholder to
generally have much lower bandwidth capabilities and more
transmission errors than wired networks, a fact that causes
From a theoretical point of view, the worst-case individ-
ual stakeholder, who could turn malicious, is the mobile
The task therefore is to investigate how and whether
operator. Because it is necessary for network management
privacy can be enhanced in the urban sensing paradigm
and billing, the mobile operator directly observes identifying
with a reasonable tradeoff between anonymity protection
information like the IMSI. It is hard to establish any form of
and performance loss. We identify therefore the challenge
anonymity against the mobile operator, and this is currently
of investigating and evaluating the multitude of anonymity
an open problem of research. Another alternative for the user
techniques for their suitability in participatory people-centric
would be to use other mechanisms of network access, like
sensing. In particular, some more concrete research question
open WLAN access points. If the WLAN operator is also
malicious, things become even harder. Investigating these
• How much does latency of anonymizing networks in
attacker models therefore lead to interesting and challenging
the mobile Internet affect users’ participation in anony-
Research directions and related work: We suggest first
• How much does this latency affect the provisioning of
looking at all combinations of malicious entities and then
identifying those that seem appropriate in the participatory
• To which extent can we quantify and compare
sensing paradigm as well as pose theoretical and practical
the security and performance properties of available
challenges. In particular, we propose on one hand the
anonymity techniques, when applied to the communi-
construction of a theoretical attacker model in order to
cation paradigm of people-centric sensing?
make statements about the security of abstract models of
Research directions and related work: In the literature,
anonymization networks in participatory urban sensing. This
existing solutions for network layer anonymity and unlink-
can allow us to find basic statements on security properties
ability of user actions are categorized into three groups:
even for real systems and explore the limits of privacy
proxies, peer-to-peer (P2P) networks and Mix networks.
provision. On the other hand, we should develop more
Here we concentrate on the last two groups to find an
practical-oriented attacker models, which can be used for
appropriate solution for our scenario.
analysis of deployed implementations and provide end-users
1) Tor: The Tor-network is currently the network with
with reasonable level of privacy protection.
the most number of users and related research publications. Before a client can use the network, he has to get the
B. Challenge II: Sender Anonymity and Unlinkability
network information about the available servers from a cas-
Urban sensing is an emerging scenario, where a single
caded cache group of dedicated directory servers. Recently
infrastructure integrates heterogeneous technologies such as
Lenhard et al. [4] made performance measurements of the
wired, wireless and cellular networks. One of the main
usage of Tor in cellular phone networks and showed that
challenges is to allow users to report location-specific sensor
the bootstrapping phase has turned out to take significantly
data while preserving at the same time their anonymity. The
longer than expected in this case (about 232.9 seconds). So,
first approximation of the term anonymity for the system
downloading the relay descriptors forms the bottleneck in
means to provide sender anonymity, i.e. the identity of the
sender of a message must be hidden to external parties,
2) AN.ON: Formerly initiated by the German project
AN.ON (ANonymity ONline), the project is sometimes also
Towards this goal we need to investigate whether the
referred to as JAP, which is in fact the name of the client
existing solutions for providing anonymity can be applied in
side-software. In contrast to Tor, here a cascade is accepted
such a complex environment, evaluate them and propose new
by the central authority only if the nodes are providing a
solutions where needed. Depending on the strength of the
fair amount of bandwidth, resulting in a better quality of
attacker model, we need to study the appropriate anonymity
service. Also AN.ON does not require the downloading of
techniques and evaluate the quality of the provided pro-
directory information. Even though it does not have forward
tection with respect to their anonymity and performance
secrecy and does not supports arbitrary TCP traffic (except
properties. We expect that posing requirements such as
HTTP and HTTPS), we consider it a solution worth being
usability, availability and trust will bring up needs for new
solutions for this new scenario, which we need to address
by proposing the corresponding measures or adjustments to
anonymous file exchange and they are based on ant routing
The determinant factor here is performance. Performance
algorithms for ad-hoc networks. The main representatives
plays a much more important role in the mobile Internet than
are the anonymizing network Ants and Mute. Even though
it does in the traditional wired Internet. Mobile networks
they have very limited academic coverage so far and a
very small number of users, they are more attractive as a
where individuals communicate with each other directly.
research direction for our scenario, in terms of performance.
Furthermore a global passive adversary model is assumed,
As these networks are mere peer-to-peer networks, all the
where the attacker can observe all the inputs and outputs of
participants also act as intermediary nodes. Any new user
the anonymous communication network. Generalizing the
needs to learn some of these identities in order to connect
first and relaxing the second assumption certainly creates an
to the network. For this reason, participants only get to
interesting but very challenging problem.
know small parts of it upon arrival of a new node and
there is no central point where all information is gatheredtogether at any given time.
In this paper we motivate and discuss the integration of
social networks into people-centric participatory sensing. We
C. Challenge III: Integrating with social networks
concentrate more on the privacy challenges in such a setting
In the typical situation studied extensively in the bibliog-
and emphasize on the importance of first defining the right
raphy for anonymous communication, N users send mes-
attacker models. Then we elaborate on the suitability of
sages to each other through a mix-network and anonymity
existing anonymization techniques and we discuss on the
is based on creating uncertainty concerning the identity of
need to study the effect that social interconnections of users
the subject who originated or received a message. As the
have on their anonymity. We believe that future pervasive
number of users in the system increases, the probability of
computing systems that call for people’s participation in
being linked to a particular action decreases. The theoretical
the interaction with our environment will pose similar chal-
analysis is usually based on the assumption that senders
lenges and certainly addressing these challenges will lead to
choose the receivers of their messages uniformly at random.
a more solid understanding of privacy.
In our scenario, the interconnection of users through social
networks creates a different setting for the evaluation of the
performance by anonymous communication networks. Here,
[1] S. Spiekermann and L. Cranor, “Engineering privacy,” IEEE
an attacker, besides her observations at the communication
Transactions on Software Engineering, vol. 35, no. 1, 2009.
layer, has also knowledge from the application layer, i.e., the
[2] K. Shilton, “Four billion little brothers?: Privacy, mobile
identities of the users that participate in the system and how
phones, and ubiquitous data collection,” Communications of
they are related, through their profiles in the social network. the ACM, vol. 52, no. 11, pp. 48–53, 2009.
Users organize themselves into groups with a common goal,and these users are expected to send measurements for the
[3] C. Cornelius, A. Kapadia, and N. Triandopoulos, “AnonySense:
corresponding campaign. There is an a priori knowledge of
privacy-aware people-centric sensing,” in Proceeding of the 6thinternational conference on Mobile systems, applications, and
user profiles and associations that can be combined with data
services (MobiSys ’08). Breckenridge, CO, USA: ACM, June
gathered by traffic analysis of the mix-based network.
Clauß and Schiffner argue that an adversary with access
to more information is always able to reduce anonymity [5].
[4] J. Lenhard, K. Loesing, and G. Wirtz, “Performance mea-
But later, Diaz et al. [6] showed that user profile information
surements of Tor hidden services in low-bandwidth accessnetworks,” in Proceedings of the International Conference of
does not necessarily lead to a reduction of the attacker’s
Applied Cryptography and Network Security (ACNS ’09), June
uncertainty. So, the corresponding question of interest is the
• Does the knowledge of user profiles and intercon-
[5] S. Claußand S. Schiffner, “Structuring anonymity metrics,” in
Proceedings of the second ACM workshop on Digital identity
nections through social networks reduce the offered
anonymity when integrated in the people-centric sens-ing paradigm?
[6] C. Diaz, C. Troncoso, and G. Danezis, “Does additional
Research directions and related work: To answer the
information always reduce anonymity?” in Proceedings of the2007 ACM workshop on Privacy in electronic society (WPES
above question we need to evaluate (quantify) the offered
anonymity by an anonymous communication network. Thishas been proved a very difficult task so far. One method of
[7] A. Serjantov and G. Danezis, “Towards an information the-
measuring anonymity is based on the entropy of the prob-
oretic metric for anonymity,” in Proceedings of 2nd In-
ability distribution linking an action to all possible subjects
ternational Workshop on Privacy-Enhancing Technologies. Springer-Verlag, April 2002.
that may be related to it [7]. However, the combination ofseveral sources of information in entropy-based anonymity
[8] C. Diaz, C. Troncoso, and A. Serjantov, “On the impact
of social network profiling on anonymity,” in Proceedings
Diaz et al. studied the problem of measuring anonymity
of the 8th international symposium on Privacy Enhancing
based on profile information [6] and social networks [8]. In
these papers an 1-to-1 communication paradigm is followed,
DENOMINATION DU MEDICAMENT Myozyme® 50 mg poudre pour solution à diluer pour perfusion. 2. COMPOSITION QUALITATIVE ET QUANTITATIVE Un flacon contient 50 mg d’alpha alglucosidase. Après reconstitution, la solution contient 5 mg d’alpha alglucosidase* par ml et après dilution, la concentration varie de 0,5 mg à 4 mg/ml. *L’α-glucosidase acide humaine est produite par