PEAR: A Privacy-Enabled Architecture for Crowdsensing

Alfredo J. Perez Sherali Zeadally

Columbus State University University of Kentucky
4225 University Ave. CCT 424 315 Little Library Building
Columbus, GA, USA 31907 Lexington, KY, USA 40506-0224
+1 706 507 81 94 + 1 859 218 22 99
[email protected] [email protected]

ABSTRACT and deployment because the use of consumer devices to collect

Crowdsensing systems are providing solutions to the community in sensor data presents significant privacy risks to all of the
areas such as transportation, security, entertainment and the participants involved. Thus, the use of Internet-connected
environment by citizens who use their consumer devices such as consumer devices in crowdsensing faces a tradeoff: on one hand we
cellphones, wearables, and Internet of Things devices to collect need to collect data as accurately as possible, but on the other hand
various types of sensor data. Privacy is a major issue in these the collection and sharing of crowdsensing data must preserve the
systems because the data collected can potentially reveal aspects privacy of users [1][31].
considered private by the contributors of data. We propose the We present the Privacy-Enabled Architecture (PEAR), a layered
Privacy-Enabled ARchitecture (PEAR), a layered architecture architecture aimed at protecting the privacy of users involved in
aimed at protecting privacy in privacy-aware crowdsensing crowdsensing systems. We describe the main components of the
systems. We identify and describe the layers of the architecture. We architecture, and we evaluate MetroTrack, an implementation of
propose and evaluate the design of MetroTrack, a crowdsensing the proposed PEAR architecture.
system that is based on the proposed PEAR architecture.
2. RELATED WORK
CCS Concepts Crowdsensing systems have been developed during last decade as
• Networks ߡ Layering; Sensor Networks; • Security and an alternative to static wireless sensor networks in urban
Privacy ߡ季 Security Services; • Human-centered computing ߡ季 environments. These systems take advantage of the availability of
the mobile Internet and the ubiquity of powerful, sensor-enabled
Ubiquitous and mobile computing;
consumer devices such as mobile phones, wearables and IoT
Keywords devices [5][30]. Application areas where these systems are being
Privacy; Security; Crowdsensing; Community-based Sensing; deployed include environmental monitoring, transportation,
Participatory Sensing; Opportunistic Sensing; Internet of entertainment, security, among others [17][20][21][22][27][28]. As
Things; Wireless Sensor Networks the devices that collect sensor data in crowdsensing systems are
usually owned by citizens, the protection of privacy becomes an
1. INTRODUCTION important issue for the successful deployment of these systems:
The ubiquity of Internet-connected consumer devices have the collected data could be potentially linked with the identities of
potential to improve issues affecting communities through the participants or data could reveal aspects about individuals that are
crowdsensing paradigm. In crowdsensing systems (also known as considered private [1][6][31][35].
community-based sensing systems), people collect sensor data Figure 1 shows the cycle to collect crowdsensing data. Initially, a
using their own consumer devices such as cellphones, wearables, sensing task is distributed by task organizers. Participants either
and Internet of Things (IoT) devices (e.g., Internet-connected cars) pull the sensing task from a server (second-level integrators), or the
with the goal of helping a community (e.g., a city or town) in areas task is pushed to the participants’ devices (first-level integrators)
such as environmental monitoring, transportation, entertainment, by means of the task distribution process. Once configured at the
security, and healthcare. Recent technological advances in the last participants’ devices, the tasks perform sensing and initial analysis
decade in the miniaturization of sensors, computing power, and the (data collection). Data are then forwarded to the second-level
mobile Internet, along with the ubiquity of these consumer devices
have enabled the implementation and deployment crowdsensing
systems [21][30]. The protection of privacy in crowdsensing
systems plays an important role in their successful development

Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. Copyrights for
components of this work owned by others than ACM must be honored.
Abstracting with credit is permitted. To copy otherwise, or republish, to
post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from [email protected]. Figure 1. Processes for data collection in crowdsensing.
RACS '17 , September 20–23, 2017, Krakow, Poland
© 2017 Association for Computing Machinery.
ACM ISBN 978-1-4503-5027-3/17/09…$15.00
https://doi.org/10.1145/3129676.3129685

166
 O3 CO2
Environmental
Variables
Cloud services

Internet

Wearable
Sensors Server

O3 CO2
Environmental
Variables

First-level Second-level
Sensors Data transport integrator devices
integrator devices

Figure 2. Hardware components of crowdsensing systems.

integrator (data submission). Second-level integrator devices may

release data to external entities either as microdata or aggregated
data (data analysis/sharing). Task organizers may use the collected
Figure 3. A PEAR-enabled system.
data to release new sensing tasks to the participants resulting in a
new data collection cycle. Mechanisms for privacy protection have x Task organizers: They develop the sensing tasks that will
been proposed for each of the processes depicted in figure 1 (i.e., be deployed at first-level integrators.
task distribution, data collection, data submission, and data x Participants: They represent the entities that own or are
analysis/sharing) [6][35]. For task distribution, privacy protection in custody of first-level integrator devices. They may be
mechanisms include beacon-based distribution, attribute-based provided feedback based on the collected data.
authentication [18], and task downloading at crowded spaces [35],
x External entities: They represent third parties whom task
and anonymization schemes [2][14][19]. For the data collection organizers can share data (or information) generated
process, privacy mechanisms include methods for allowing data
from the sensor data.
collection only in particular contexts [15][24] and methods for
denying data collection in specific contexts [7]. Mechanisms for 3.2 Threats to Privacy
data reporting include the utilization of brokers [37], peer to peer Threats to privacy in crowdsensing may be classified as follows:
mechanisms for anonymization [2], group-based signatures [15],
the utilization of pseudonyms [8][10][13][34], data aggregation x Re-identification Attacks: Given the data (or metadata)
[33], and the use of representative samples from data collected in a submitted by participants in crowdsensing systems, re-
region [16][37]. Finally, privacy protection for data sharing identification attacks attempt to discover the identity of
includes the methods created for bulk data release (microdata the participants.
release) [9][23][25][36] and aggregated (summarized, statistical) x Contextual Attacks: Given the data (or metadata)
data release [9][12]. submitted to the system by participants, these attacks
attempt to discover and associate aspects considered
3. CROWDSENSING SYSTEMS private by participants with their identity. Examples in
this category include inferring contexts such as places,
3.1 Hardware Architectures and Actors activities, behaviors, and/or health state based on the
The typical hardware components of crowdsensing systems are collected data.
presented in figure 2, and they include [30]:
These attacks can be performed by internal/external actors and they
x Sensors: These components collect data (e.g., may target the system at any of the processes described in figure 1.
temperature, movement, noise, images) from physical
actions or processes. 4. PROPOSED PRIVACY ENABLED
x First-level integrators: They perform initial data ARCHITECTURE (PEAR)
verification, aggregation and basic analysis (e.g., feature We propose the PEAR architecture which consists of four
extraction) on the data collected by sensors. abstraction layers namely communication, anonymization, security
x Data transport: In crowdsensing systems, data transport and privacy, and processing. First-level and second-level integrator
is provided by the Internet or any communication devices are referred to as integrators in the PEAR architecture, as
network that enables the end-to-end transfer. this abstraction allows second-level integrator devices to become
x Second-level integrators: These components collect and data providers (i.e., first-level integrators) for other crowdsensing
store data sent from first-level integrators. They also systems without having to define new layers to share data. This
provide analytics services and feedback to first-level architecture also manages scalability by creating networks of
integrator devices and to external entities. second-level integrator devices. Figure 3 depicts an example of a
These components are utilized to collect sensor data through PEAR-enabled system.
sensing tasks which are software applications or scripts executed at
first-level integrator devices. There are three major actors that
4.1 Communication Layer
This layer abstracts the communication protocols between
participate in the data collection for crowdsensing systems:
integrator devices. Usually these protocols are implemented by the
TCP/IP protocol stack suite. However given the ubiquity of cellular

167
networks in crowdsensing systems, communication protocols for 5.1 MetroTrack’s Mobile Components
crowdsensing could be implemented over the Multimedia Four applications make up the MetroTrack’s mobile components
Messaging System (MMS) infrastructure, or Short Messaging for the Android OS (figure 4). Each of these components
System (SMS). implements different layers of the proposed PEAR architectural
4.2 Anonymization Layer model.
This layer implements mechanisms that allow integrator devices to 5.1.1 Orbot client
hide network location identifiers (e.g., IP addresses) from other MetroTrack makes use of the Orbot [29] application which is the
integrators and external parties to avoid re-identification attacks. Tor’s network proxy for Android. The Tor network [11] is an
These anonymization mechanisms may be implemented through anonymization network that provides network anonymization to
trusted third parties [37], or by using peer-to-peer anonymization TCP flows. Tor works by having the client to create a path through
networks (e.g., Tor). Systems may bypass anonymization Tor hosts from the client to a server. Messages along this path are
depending on the goals of the system, or if participants give consent encapsulated into layers of encryption (like an onion) at the client,
to include network identifiers as part of the data collected by the and each host along the path removes an encryption layer (like
crowdsensing system. peeling an onion), which allows the current host to know the next
4.3 Security and Privacy Layer host to forward the message. Once the final layer is decrypted, the
This layer implements mechanisms and protocols to encrypt data last host delivers the message to its original destination [11].
between integrator devices, and includes privacy-preserving Android applications can use Orbot to access a server in the Internet
mechanisms for integrator devices. Security mechanisms in this through a local proxy in the device, or can incorporate Orbot as a
layer include symmetric and asymmetric cryptographic methods component within an application. In our current design, Orbot is
and protocols that guarantee end-to-end security between integrator used as a proxy. Orbot is open source and can be downloaded from
devices. Privacy mechanisms in this layer implement the Google Play market. Orbot serves as part of the anonymization
algorithms/procedures to allow participants to handle their and communication layers of the PEAR architecture for
exposure to context privacy attacks (e.g., privacy rules, algorithms MetroTrack.
to handle location privacy) and mechanisms to handle privacy for
second-level integrators when sharing bulk data release (microdata 5.1.2 MetroTrackTaskAgent
release) [9] and aggregated (summarized, statistical) data release The MetroTrackTaskAgent is used by the MetroTrack system to
with external parties. deliver participants’ information about new tasks issued in the
system. The agent can also notify participants about updates on
4.4 Processing Layer previously issued tasks. As shown in figure 4,
This layer includes mechanisms and protocols that collect and MetroTrackTaskAgent uses Orbot to connect to the server
analyze sensor data. These mechanisms may be implemented at components of MetroTrack.
first-level integrator devices to perform initial data analysis (e.g.,
feature extraction, data smoothing) and at second-level integrators The agent retrieves notifications about new tasks available to
to extract information (e.g., outlier detection, machine learning). participants from the MetroTrack server components. Since Orbot
The processing layer may include mechanisms to handle privacy does not provide end-to-end security, the task agent must secure the
implemented by task organizers for integrator devices (e.g. a task requests before using Orbot. Transport Layer Security (TLS)
organizer specifies where sensor data should not be collected) and security provides the security mechanism for the task agent. The
may also include mechanisms to provide incentives for participants. MetroTaskAgent is part of the processing layer of PEAR, with the
The processing layer mechanisms make use of software security components of the task agent being part of the security and
Application Programming Interfaces (e.g., an app development
framework, a server-side framework) for in their implementation.
The processing layer also implements mechanisms to perform
efficient data collection (e.g., power optimization in case of first- MetroTrackMobile
level integrator devices).
SensingTask UserPrivacy
5. MetroTrack: A PROTOTYPE SYSTEM DataCollectionModule
Manager

USING PEAR
PrivacyContentProvider

PrivacyPolicy
TaskPrivacy Manager

We describe the design of a prototype implementation of the PEAR Manager

DataSubmission
Activity

architecture called MetroTrack, a system on which a city Module

Location Sensor
Recognizer

administration (task manager) can issue crowdsensing tasks to its Manager Manager
SecurityManager
citizens (participants) to collect data of interest. In this system, the
citizens participate altruistically in the data collection, and tasks can
be either participatory (e.g., uploading of photos/videos for security MetroTrackTaskAgent SecurityManager
[3]) or opportunistic (e.g., tracking of road congestion, or road
maintenance status [26]). MetroTrack consists of client (participant)
applications executing on Android-enabled devices, and server- Orbot client

side components that are deployed in the cloud using the Java Android OS
Enterprise Edition (EE) framework. Figure 4. MetroTrack’s mobile components.

168
privacy layer of PEAR. Participants can download the task agent MetroTrackServer

from the Google Play market. SensingTaskManager

5.1.3 UserPrivacyManager Data

DataAnalysis
Storage
Through this component, participants can configure their own

TaskManager
Authentication
Security
Servlets
privacy settings for SensingTasks. These privacy settings are
implemented as privacy rules based on sensor and date/time data,
and they can be implemented as simple rules (e.g., “don’t provide
TaskPrivacy
Manager
ExternalPrivacyManager

data to this task if close to a particular location”), or more complex Glassfish Server
contextual rules based on activity recognition (e.g., “don’t provide
data if sleeping”). This module is composed of subcomponents
such as PrivacyPolicyManager which implements the rules, the Figure 5. MetroTrack’s server components.
ActivityRecognizer module which recognizes activities based on
sensor data, and the PrivacyContentProvider which provides sensor SensingTask and offering these on demand. SensingTasks are
data to tasks based on the decisions of the PrivacyPolicyManager. meant to be lightweight, and a background process in the
The SensorManager and LocationManager components are part of SensingTaskManager is constantly compiling and caching the
the Android API and provide information to the SensingTasks. The SensingTaskManager component also provides
PrivacyPolicyManager subcomponent. the mechanisms to handle security, authentication and sets up
The PrivacyContentProvider subcomponent provides raw data to a privacy rules for SensingTasks.
sensing task based on the decision of the privacy rules. In the 5.2.2 DataStorage
current design, the UserPrivacyManager could be downloaded This component abstracts the operations needed to store the data
from Google Play. However this module could become part of received by the SensingTaskManager into database systems.
mobile operating systems as part of the privacy/security settings. Depending of the type of SensingTask, the data may be structured,
5.1.4 SensingTask unstructured, or a combination of both types of data. PostgreSQL,
This component implements the collection of data for the task MySQL and other database management systems (or regular file
manager. Sensing tasks are downloaded from MetroTrack’s servers systems) may be used to store data.
using Orbot. Each download has a unique identifier that is 5.2.3 DataAnalysis
hardcoded when the SensingTask is compiled as an app ready to This component allows a task manager to perform inference,
install. This design allows MetroTrack servers to authenticate the correlation, and data analysis based on the data received from
each of the task installations instead of authenticating participants. SensingTasks. This component can filter outliers, detect trends and
The rationale is that MetroTrack only needs to make sure that the patterns, and perform data analysis that could be only performed at
data is coming from an authorized party, and this can be the server. This module allows a task organizer to have a complete
accomplished by hardcoding IDs into each download of the app. picture of the situation being studied. Task organizers may take
Subcomponents of this module include: the DataCollectionModule measures such as preparing and releasing new tasks, or providing
which collects data from the UserPrivacyManager module and reports to third parties.
performs basic data analysis (e.g., feature extraction), the
TaskPrivacyManager which implements privacy rules established 5.2.4 ExternalPrivacyManager
by the task manager (and also includes mechanisms to show MetroTrack makes use of this component to handle privacy when
consents to participants), the DataSubmissionModule which data is shared with external systems or parties. The algorithms
prepares the data for submission, and the SecurityManager which implemented in this module include mechanisms such as k-
manages authentication, session establishment, and end-to-end anonymity [36], l-diversity [25], t-closeness [23] to handle privacy
encryption with the server. The SecurityManager may use the for bulk data release (microdata release). For aggregated data,
MetroTrackTaskAgent to check if the current task is still valid. The differential privacy mechanisms [12] may be used.
SecurityManager also utilizes the Orbot component to submit data
to the MetroTrackServers.
5.3 Analysis of MetroTrack
5.3.1 Tradeoff between privacy and estimation
5.2 MetroTrack’s Server Components Allowing participants to establish their own privacy rules may
The MetroTrack’s server consists of four major components,
induce noise in the estimation performed by second-level
namely SensingTaskManager, DataStorage, DataAnalysis, and
integrators from first-level integrators’ sensor data. More research
ExternalPrivacyManager. Figure 5 shows the flow of data among
is needed to investigate the tradeoff between the participant’s
these components. Our current design assumes that these
privacy rules versus the information loss in the system [37].
components will execute in a Java EE application server (e.g.,
Glassfish server). 5.3.2 Tor as an anonymization network
The utilization of Tor as the anonymization layer in MetroTrack
5.2.1 SensingTaskManager does not allow to perform UDP transmission because Tor supports
This component handles the management of sensing tasks for
only TCP flows. UDP may be needed when a sensing task needs to
MetroTrack’s mobile components. The SensingTaskManager is
deliver real-time sensor data to second-level integrators. As such,
used by the task organizer to announce new SensingTask apps to
the evaluation of alternative solutions for providing anonymous
participant’s devices. As mentioned in the previous section, each
network transfers from the point of view of privacy protection,
instance of a SensingTask downloaded by participants has its own
quality of service and power consumption are needed.
identifier which allows it to be authenticated by MetroTrack servers.
This is performed by having different compilations of the same

169
5.3.3 Layered architectural issues IEEE Communications Magazine, vol. 44 no. 11.
A layered architecture, as utilized in MetroTrack, may consume DOI=http://dx.doi.org/10.1109/MCOM.2006.248179
more power at first-level integrator devices than a cross-layer [4] Boshell, B. 2017 Average App File Size: Data for Android
design. Static wireless sensor network research has shown reduced and iOS Mobile Apps. Available:
power consumption of cross layer designs over layered designs. https://sweetpricing.com/blog/2017/02/average-app-file-size/
One possible solution to improve power consumption and at the
[5] Campbell, A.T., Eisenman, S.B., Lane, N.D., Miluzzo, E.,
same time enforce privacy is by using cloudlets [32] which are
Peterson, R.A. 2006. People-centric urban sensing. In
software modules that can be deployed in virtual machines in the
Proceedings of the 2nd ACM annual international workshop
cloud to offload processing from a mobile device.
on Wireless internet.
5.3.4 Choice of authentication mechanism DOI=https://doi.org/10.1145/1234161.1234179
The proposed authentication method requires multiple [6] Christin, D. 2016. Privacy in mobile participatory sensing:
compilations for the same task because each of them will have its Current trends and future challenges. Journal of Systems and
own hardcoded identification code. As such, the server may need Software vol. 116, 57-68.
additional storage as well as some type of background processing DOI=https://doi.org/10.1016/j.jss.2015.03.067
to keep enough compiled tasks available. In late 2016, it was found
[7] Christin, D., López, P.S., Reinhardt, A., Hollick, M., Kauer,
that the average Android app size is 15 MB [4]. Using 1TB SSD
M. 2013. Share with strangers: Privacy bubbles as user-
hard drive dedicated for this purpose could hold more than 6 million
centered privacy control for mobile content sharing
of these tasks.
applications. Information Security Technical Report, vol. 17
Assuming that it takes one minute to compile an Android app and no. 3, 105-116.
that task organizers use only a single machine with only one core DOI=https://doi.org/10.1016/j.istr.2012.10.004
to compile for 24 hours, 1440 tasks could be compiled per day. [8] Christin, D., Roßkopf, C., Hollick, M., Martucci, L.A.
Suppose that the task organizer uses a computer with 10 cores and Kanhere, S.S. 2013. Incognisense: An anonymity-preserving
enough RAM to compile tasks simultaneously, up to 10,000 tasks reputation framework for participatory sensing applications.
could be compiled per day. To deploy a sensing task that could be Pervasive and Mobile Computing, vol. 9 no. 3, 353-371.
used by every resident in the New York metropolitan area (~20 DOI=https://doi.org/10.1016/j.pmcj.2013.01.003
million according to the 2015 US Census), a task organizer would
need 100 machines working for 2 full days to generate enough [9] De Capitani Di Vimercati S., Foresti, S., Livraga, G.
sensing tasks for each habitant, which is feasible. Samarati, P. 2012. Data privacy: Definitions and techniques.
International Journal of Uncertainty, Fuzziness and
6. CONCLUSION AND FUTURE WORK Knowledge-Based Systems, vol. 20 no. 6, 793-817. DOI
There has been a growing interest in the development of privacy- =http://dx.doi.org/10.1142/S0218488512400247
preserving architectures for crowdsensing systems in the last few [10] Deng, L., Cox, L.P. 2009. Livecompare: grocery bargain
years. To handle privacy issues when developing crowdsensing hunting through participatory sensing. In Proceedings of the
systems, this work has proposed the PEAR architecture. We 10th workshop on Mobile Computing Systems and
described the components of the architecture and we presented a Applications (HotMobile '09).
prototype system called MetroTrack. Finally, we evaluated DOI=http://dx.doi.org/10.1145/1514411.1514415
MetroTrack and discussed future research issues that require
further attention for the prototype system. [11] Dingledine, R., Mathewson, N. and Syverson, P. 2004. Tor:
The second-generation onion router. Naval Research Lab
7. ACKNOWLEDGMENTS Washington DC.
Alfredo J. Perez was supported by the US National Science [12] Dwork, C. 2008. Differential privacy: A survey of results. In
Foundation and the US Department of Defense’s ASSURE Proceedings of the 5th international conference on Theory
program under award 1560214. Sherali Zeadally’s work was and applications of models of computation (TAMC'08), 1-19.
supported by a University Research Professorship Award from the [13] Gisdakis, S., Giannetsos, T., Papadimitratos, P. 2014.
University of Kentucky in 2016. Sppear: security & privacy-preserving architecture for
participatory-sensing applications. In Proceedings of the
REFERENCES 2014 ACM conference on Security and privacy in wireless &
mobile networks, 39-50. DOI =
https://doi.org/10.1145/2627393.2627402
[1] Aikio, J., Pentikäinen, V., Häikiö, J., Häkkilä, J., Colley, A.
[14] Gruteser, M., Grunwald, D. 2005. Enhancing location
2016. On the Road to Digital Paradise.
privacy in wireless LAN through disposable interface
[2] Al-Muhtadi, J., Campbell, R., Kapadia, A., Mickunas, M.D., identifiers: a quantitative analysis. Mobile Networks and
Yi, S. 2002. Routing through the mist: Privacy preserving Applications, vol. 10 no. 3, 315-325.
communication in ubiquitous computing environments. In DOI=https://doi.org/10.1145/941326.941334
Proceedings. 22nd International Conference on Distributed
[15] Hoh, B., Gruteser, M., Herring, R., Ban, J., Work, D.,
Computing Systems.
Herrera, J.C., Bayen, A.M., Annavaram, M., Jacobson, Q.
DOI=https://doi.org/10.1109/ICDCS.2002.1022244
2008. Virtual trip lines for distributed privacy-preserving
[3] Barbeau, S.J., Labrador, M.A., Winters, P.L., Perez, R. and traffic monitoring. In Proceedings of the 6th international
Georggi, N.L. 2006. A general architecture in support of conference on Mobile systems, Applications and Services,
interactive, multimedia, location-based mobile applications. 15-28. DOI=https://doi.org/10.1145/1378600.1378604

170
[16] Jaimes, L.G., Vergara-Laurens, I.J., Labrador, M.A. 2012. A [27] Mendez, D., Perez, A. J., Labrador, M. A., Marron, J. J.
location-based incentive mechanism for participatory sensing 2011. P-Sense: A participatory sensing system for air
systems with budget constraints. In Proceedings 2012 IEEE pollution monitoring and control," In Proceedings of the
International Conference on Pervasive Computing and 2011 IEEE International Conference on Pervasive
Communications (PerCom), 103-108. Computing and Communications (PERCOM), 344-347.
https://doi.org/10.1109/PerCom.2012.6199855 DOI=http://dx.doi.org/10.1109/PERCOMW.2011.5766902
[17] Kanjo, E., 2010. Noisespy: A real-time mobile phone [28] Mun, M., Reddy, S., Shilton, K., Yau, N., Burke, J., Estrin,
platform for urban noise monitoring and mapping. Mobile D., Hansen, M., Howard, E., West, R., Boda, P. 2009. PEIR,
Networks and Applications, vol. 15 No. 4, 562-574. the personal environmental impact report, as a platform for
DOI=http://dx.doi.org/10.1007/s11036-009-0217-y participatory sensing systems research. In Proceedings of the
[18] Kapadia, A., Kotz, D., Triandopoulos, N. 2009. 7th international conference on Mobile systems, applications,
Opportunistic sensing: Security challenges for the new and services (MobiSys '09), 55-68.
paradigm. In Proceedings of IEEE 1st International DOI=10.1145/1555816.1555823
Conference on Communication Systems and Networks and [29] Orbot: Tor for Android, Available:
Workshops (COMSNETS 2009). https://guardianproject.info/apps/orbot/
https://doi.org/10.1109/COMSNETS.2009.4808850 [30] Perez, A. J., Labrador, M. A., Barbeau, S. J. .2010. G-sense:
[19] Kazemi, L., Shahabi. 2011. A privacy-aware framework for a scalable architecture for global sensing and
participatory sensing. ACM SIGKDD Explorations monitoring. IEEE Network, vol. 24, No. 4, 57-64.
Newsletter, vol. 13 no. 1. 43-51. DOI=http://dx.doi.org/10.1109/MNET.2010.5510920
DOI=https://doi.org/10.1145/2031331.2031337 [31] Perez, A.J., Zeadally, S., Jabeur, N. 2017. "Investigating
[20] Khan, WZ, Aalsalem, M.Y., Arshad, Q. 2013. Mobile phone Security for Ubiquitous Sensor Networks", in Proceedings of
sensing systems: A survey. IEEE Communications Surveys the 8th International Conference on Ambient Systems,
Tutorials, vol. 15 no. 1, 402-427. Networks and Technologies (ANT-2017).
DOI=https://doi.org/10.1109/SURV.2012.031412.00077 [32] Satyanarayanan, M., Lewis, G., Morris, E., Simanta, S.,
[21] Lane, N.D., Eisenman, S.B., Musolesi, M., Miluzzo, E. and Boleng, J., Ha, K. 2013. The role of cloudlets in hostile
Campbell, A.T. 2008. Urban sensing systems: opportunistic environments. IEEE Pervasive Computing, vol. 12 no. 4, 40-
or participatory?. In Proceedings of the 9th workshop on 49. DOI=https://doi.org/10.1109/MPRV.2013.77
Mobile computing systems and applications, 11-16. [33] Shi, J., Zhang, R., Liu, Y., Zhang, Y. 2010. Prisense:
DOI=http://dx.doi.org/10.1145/1411759.1411763 privacy-preserving data aggregation in people-centric urban
[22] Lane, N.D., Miluzzo, E., Lu, H., Peebles, D., Choudhury, T. sensing systems. In Proceedings of IEEE INFOCOM, 1-9.
and Campbell, A.T. 2010. A survey of mobile phone sensing. DOI = https://doi.org/10.1109/INFCOM.2010.5462147
IEEE Communications magazine, vol. 48 No. 9. [34] Shilton, K., Burke, J.A., Estrin, D., Hansen, M., Srivastava,
DOI=https://doi.org/10.1109/MCOM.2010.5560598 M. 2008. Participatory privacy in urban sensing. Center for
[23] Li, N., Li, T., Venkatasubramanian, S.,2007. t-closeness: Embedded Network Sensing.
Privacy beyond k-anonymity and l-diversity. In Data [35] Shin, M., Cornelius, C., Peebles, D., Kapadia, A., Kotz, D.,
Engineering, 2007. In Proceedings IEEE 23rd International Triandopoulos, N. 2011. AnonySense: A system for
Conference on Data Engineering (ICDE 2007), 106-115. anonymous opportunistic sensing. Pervasive and Mobile
DOI=https://doi.org/10.1145/1217299.1217302 Computing, vol. 7. no. 1, 16-30.
[24] Lu, H., Lane, N., Eisenman, S. and Campbell, A. 2008. DOI=https://doi.org/10.1016/j.pmcj.2010.04.001
Bubble-sensing: A new paradigm for binding a sensing task [36] Sweeney, L. 2002. k-anonymity: A model for protecting
to the physical world using mobile phones. In Proceedings of privacy. International Journal of Uncertainty, Fuzziness and
International Workshop on Mobile Devices and Urban Knowledge-Based Systems, vol. 10 no. 05, 557-570.
Sensing. DOI=http://dx.doi.org/10.1142/S0218488502001648
[25] Machanavajjhala, A., Kifer, D., Gehrke, J. and [37] Vergara-Laurens, I.J., Mendez, D., Jaimes, L.G. and
Venkitasubramaniam, M. 2007. l-diversity: Privacy beyond Labrador, M.A. 2016. A-PIE: An algorithm for preserving
k-anonymity. ACM Transactions on Knowledge Discovery privacy, quality of information, and energy consumption in
from Data (TKDD), vol. 1 no1. Participatory Sensing Systems. Pervasive and Mobile
DOI=http://dx.doi.org/10.1145/1217299.1217302 Computing vol. 32, 93-112.
[26] Mednis, A., Strazdins, G., Zviedris, R., Kanonirs, G. and DOI=http://doi.org/10.1016/j.pmcj.2016.06.020
Selavo, L. 2011. Real time pothole detection using android
smartphones with accelerometers. In Proceedings of 2011
International Conference on Distributed Computing in
Sensor Systems and Workshops (DCOSS).
DOI=https://doi.org/10.1109/DCOSS.2011.5982206

171