
AnonyCast: Privacy-Preserving Location Distribution for Anonymous Crowd Tracking Systems

Takamasa Higuchi (Osaka University, Japan), Paul Martin (University of California, Los Angeles, CA), Supriyo Chakraborty (IBM Research, NY), Mani Srivastava (University of California, Los Angeles, CA)

ABSTRACT

Fusion of infrastructure-based pedestrian tracking systems and embedded sensors on mobile devices holds promise for providing accurate positioning in large public buildings. However, privacy concerns regarding the handling of sensitive user location data could hinder the adoption of such systems. This paper presents AnonyCast, a novel privacy-aware mechanism for delivering precise location information measured by crowd-tracking systems to individual pedestrians' smartphones. AnonyCast uses sparsely placed Bluetooth Low Energy transmitters to advertise location-dependent, time-varying keys. Using location measurements, AnonyCast estimates the subset of keys that each pedestrian's phone receives along its path. By combining a cryptographic scheme called CP-ABE with a novel greedy algorithm for key selection, it encrypts each path before publishing it, allowing users to decrypt only their own trajectories. The results from field experiments show that AnonyCast delivers accurate locations over 84% of the time while bounding the probability of unauthorized access to one's location below 1%.

Author Keywords
Location privacy; crowd tracking; trajectory identification; ciphertext-policy attribute-based encryption

ACM Classification Keywords
C.5.3 Computer System Implementation: Portable devices; E.3 Data Encryption: Public key cryptosystems

UbiComp '15, September 7–11, 2015, Osaka, Japan. Copyright 2015 ACM 978-1-4503-3574-4/15/09...$15.00. http://dx.doi.org/10.1145/2750858.2805827

INTRODUCTION

Recent evolution of crowd tracking technologies has enabled accurate measurement of occupancy and trajectories of pedestrians in indoor spaces using vision [6], radio tomography [18, 27], and laser range scanners [9, 29]. This in turn has motivated research communities in both academia and industry to leverage them for marketing [14], crowd management [12], and even optimizing energy expenditure in buildings [1, 23]. As a result, an increasing number of public buildings are equipped with sensors such as cameras or laser range scanners and are capable of fine-grained crowd behavior analysis.

Given the growing popularity of location-based services for mobile devices, it would be natural to expect that the powerful measurement capability of such widespread sensor infrastructures could also benefit individual pedestrians walking in indoor spaces. Accurate indoor positioning for mobile devices has been a long-standing open problem in ubiquitous computing. Currently, the most popular positioning solution for consumer mobile products is radio fingerprinting using Wi-Fi [5, 15] and Bluetooth Low Energy (BLE) radios [7, 8, 17]. However, these approaches often suffer from large position errors in practical indoor environments due to dense multi-path signal propagation and low temporal stability of radio fingerprints [4]. Furthermore, the accuracy of radio-based positioning systems depends considerably on the density of anchor devices (e.g., BLE transmitters) [8]. Since dense anchor deployments cause non-negligible maintenance costs, positioning accuracy is also often limited by operational constraints.

The output of crowd tracking systems is typically a set of anonymous trajectories which are not associated with any mobile device. Therefore, these systems alone cannot provide mobile devices with their own locations. Recent research has bridged this gap by developing trajectory identification algorithms, which find the trajectories of individual mobile users within a set of anonymous trajectories [24, 25, 26]. These approaches assume that the crowd tracking system publishes all of the anonymous trajectories obtained by its sensors via a Wi-Fi network. Each mobile device connects to a Wi-Fi access point to obtain the published trajectories and then identifies its own location based on the consistency between the trajectories and local measurements from phone-embedded sensors (e.g., accelerometers and gyroscopes).

While these efforts have established an effective way of utilizing the crowd tracking infrastructure for indoor localization, growing awareness of and concern for privacy makes such unrestricted release of trajectory information a difficult proposition. These systems publish pedestrians' trajectories without consent and, although the trajectories themselves are anonymous, a malicious user can combine them with external information (e.g., collected by following an individual for a short period) to deanonymize a desired trajectory. This trajectory can then be used to infer potentially private information about an individual.

In this paper we present AnonyCast, a privacy-preserving location distribution mechanism for crowd tracking systems. We assume that sensors capable of accurate trajectory measurement (e.g., laser range scanners) are already installed and operated in a target building for crowd behavior analysis. AnonyCast extends this system to feed the precise trajectory measurements to individual mobile phone users in a privacy-preserving manner. The extension is enabled by a small number of BLE transmitters, which are sparsely deployed in the environment and periodically advertise location-dependent, time-varying keys. Based on the trajectories measured by the crowd tracking sensors, the AnonyCast server estimates the set of keys that each pedestrian's device is likely to have received. The server then uses these keys to encrypt each trajectory prior to publishing it, ensuring that mobile phone users can gain access only to their own trajectories.

Although the proposed mechanism follows as a natural privacy extension, the following aspects present challenges in its implementation as a practical system: (1) Mobile devices may fail to receive advertised keys due to packet loss, even if they are in close proximity to a BLE transmitter. Ensuring that the system provides reasonable accessibility to trajectory information despite such frequent packet loss is difficult. (2) Decryption keys are publicly broadcast, which makes it non-trivial to prevent privacy leaks by ensuring that people other than the true owners cannot decrypt the published trajectories. As a solution to these issues, we base our system on the emerging public key cryptography scheme called Ciphertext-Policy Attribute-Based Encryption (CP-ABE). This allows the sender to specify an access policy on the secret data in the form of a logical expression over private keys, so that users can decrypt the data only if they hold a set of keys that satisfies the policy. On top of this scheme, we build a framework that probabilistically ensures a desired privacy level. Finally, we build and deploy a prototype system upon which we conduct field experiments using real crowd tracking sensors and various smartphone models. The results of these experiments show that AnonyCast enables users to obtain their own precise locations more than 84% of the time, while bounding the probability of unauthorized access to one's location data below 1%. In addition, we conducted extensive simulations to better understand AnonyCast's performance under a variety of conditions and parameters.

The contributions of this paper are summarized as follows: (i) We analyze privacy risks in trajectory identification systems. To the best of our knowledge, this is the first work to explore the potential privacy risks of utilizing crowd tracking infrastructures for localization of mobile devices. (ii) We design AnonyCast, a novel location distribution mechanism that allows mobile users to reliably access accurate trajectory measurements from a crowd tracking system without compromising location privacy. To this end, we develop a computationally efficient greedy algorithm that provides strong probabilistic guarantees on user privacy. (iii) We implement a prototype system and benchmark the performance of AnonyCast through experiments with real sensor devices as well as extensive simulations. The experimental results show that our system can achieve a specified privacy level while providing reasonable accessibility to the trajectory information for the true owner even under severe packet loss.

RELATED WORK

One of the most popular approaches to crowd tracking uses image sensors (i.e., cameras). The current mainstream in vision-based pedestrian tracking systems is to extract the features that best distinguish pedestrians from images in a training data set and then to use a pattern matching algorithm to detect human bodies [10, 19, 30]. However, the ethics and acceptability of using camera images from public spaces for such purposes remain controversial [21], as personal identities (e.g., faces) can easily be associated with trajectories, potentially infringing user privacy.

As alternative solutions, a variety of approaches track pedestrian locations in an anonymous manner. Radio tomography [18, 27, 28] employs the received signal strength between multiple radio stations to detect human locations, assuming that movement of pedestrians in the environment causes temporal variations in the signal strength. Laser range scanners (LRS) have also been explored as a reasonable option for accurate and anonymous pedestrian tracking [9, 29]. This sensor provides precise distance measurements to surrounding objects, allowing robust crowd tracking with sub-meter accuracy. Previous literature has shown that capacitive sensor arrays [24] and low-resolution image sensors [25] are also suitable for anonymous pedestrian tracking.

Trajectory identification technology has bridged the gap between the crowd tracking systems described above and location-dependent mobile applications. Teixeira et al. [25] combine a vision-based pedestrian tracking system with MEMS inertial sensors in mobile phones to enable accurate indoor positioning. They find the corresponding trajectory of each mobile user based on the consistency between the shapes of the anonymous trajectories and the measurements from inertial sensors in the pedestrians' mobile phones. Sousa et al. [24] developed a similar localization system using capacitive sensor arrays laid out on a floor. They assume that pedestrians wear accelerometers, and detect the timing of walking steps with both the wearable sensors and the capacitive sensors on the floor, so that trajectory identification can be done by comparing the sequences of walking steps on the anonymous trajectories. Wada et al. [26] periodically measure proximity between neighboring mobile phones by Bluetooth radio and evaluate the consistency between the proximity patterns of the phones and the distances between the anonymous trajectories. These systems assume that the underlying crowd tracking system publishes all detected trajectories via a network so that mobile phones can locally perform trajectory identification to find their own trajectory among the anonymous ones. This introduces privacy risks, since a pedestrian's accurate trajectory is published without consent.

Some recent work develops mechanisms to prove users' locations, intended to cope with mobile users who report spoofed locations to mobile systems [16, 22]. They basically assume that mobile devices communicate with neighboring wireless stations to obtain time-varying tokens as location proofs. Unlike these systems, AnonyCast combines multiple location proofs collected along a path to enable secure delivery of private information (i.e., trajectories).

PRIVACY MODELS

In this section we describe the threat model and privacy requirements for AnonyCast.

Figure 1. A high-level overview of AnonyCast. Networked crowd tracking sensors feed raw sensor measurements to a crowd tracking engine, which produces anonymous human trajectories; the AnonyCast server publishes encrypted trajectories through a Wi-Fi access point, and clients receive location-dependent, time-varying decryption keys from BLE transmitters.

Threat Model

This work assumes that a given building has a crowd tracking system capable of tracking the locations of pedestrians in an area of interest in an accurate and anonymous manner. The crowd tracking system then publishes the detected trajectories to mobile users for use in location-dependent mobile applications. However, users may hesitate to subscribe to the service if there is any concern that the system may associate the anonymous human trajectories with personally identifying information. For example, server operators may try to deanonymize trajectories by associating them with the MAC addresses of mobile devices obtained in the process of location distribution. This problem is exacerbated if device MAC addresses can be linked to other personal attributes (e.g., phone number, home address). Although some recent mobile operating systems attempt to reduce this kind of privacy risk by randomly rotating the phone's Wi-Fi MAC address while probing for access points, the device's original MAC address is still used once a connection to a specific access point is established. Our first goal is to cope with this problem by designing a mechanism that enables an operator of the crowd tracking system to deliver precise location information to mobile users while guaranteeing that this kind of association is not possible. Thus users can subscribe to the service even if they do not fully trust the system operator.

A privacy threat may also exist among the users: an attacker, say Bob, may attempt to use the published trajectories to learn the current location of a specific person, say Alice, without her knowledge. Prior to release, a trajectory is anonymized by stripping it of all personal identifiers; only a temporal sequence of two-dimensional coordinates is published. However, the assumption of anonymity no longer holds in the presence of external identifying information, for example if Bob follows Alice for a short period of time. If Bob can follow Alice long enough to uniquely associate her with a specific trajectory in the published data, he can continue to track her location as long as her trajectory is detected by the crowd sensing system. A similar attack is possible without physically following the target person if her mobility has characteristic patterns. For example, if Bob knows that Alice works at a store in a shopping mall and usually goes to a restaurant for lunch at a specific time, Bob may infer which anonymous trajectory belongs to her.

Privacy Requirement

Let $T$ be the set of anonymous trajectories detected by the crowd tracking sensors. We define a pedestrian $A$ as the true owner of a trajectory $tr_j \in T$ if $A$'s true location has been within $d$ meters of $tr_j$ for a ratio $\theta_{own}$ of the time steps over a recent window $W$, where $d$, $\theta_{own}$ and $W$ are system parameters. Otherwise, $A$ is designated a non-owner of trajectory $tr_j$. Our privacy requirement is that only true owners can access each published trajectory. The spatial tolerance $d$ and the temporal criterion $\theta_{own}$ are introduced to offer reasonable accessibility to the trajectory information even if multiple people move together in a group. While this definition allows people to obtain the trajectories of other members of the same group, it does not introduce any privacy concern, because all members are in proximity to each other and can be considered true owners of the group trajectory.

We define the privacy level of a system as $(1 - \theta_{pl})$, where $\theta_{pl}$ is the probability that published trajectories are successfully decrypted by non-owners. In AnonyCast, $\theta_{pl}$ is given as a system parameter and should be sufficiently small to prevent privacy leakage from the published trajectories.

SYSTEM OVERVIEW

In this section, we outline the architecture and the design decisions taken to realize privacy-preserving location distribution.

Architecture

Fig. 1 depicts a high-level overview of the AnonyCast system. We assume that a sensor infrastructure for anonymous crowd tracking is deployed in the area of interest, tracking the locations of pedestrians in the area. For simplicity of discussion, we assume an LRS-based tracking system hereafter. Note, however, that the basic mechanism of AnonyCast can easily be extended to other types of sensors provided they can anonymously track pedestrians with sufficient resolution.

In addition to the sensors for anonymous tracking, we sparsely deploy BLE transmitters on the walls or ceilings. Every $\tau$ seconds, each transmitter $b_i$ advertises a location-dependent, time-varying key, say $key(b_i, t)$ for time $t$. Mobile clients that subscribe to the AnonyCast location service probe these BLE beacons using standard Bluetooth device discovery mechanisms and save the corresponding keys in local storage as evidence that they were within the transmission range of $b_i$ at time $t$.

We assume that the AnonyCast server (or simply the server) maintains the following information: (i) the locations of the BLE transmitters, (ii) the keys advertised by each BLE transmitter at each time step, and (iii) the set of anonymous trajectories $T$ observed during the recent $W$ time steps. If the server and each BLE transmitter share common seed parameters in an installation phase, they can generate the same keys without the need for communication. For each anonymous trajectory $tr_j \in T$, the server estimates a set of keys $K_j$ that are likely to have been received by the owner's phone. This is derived by calculating the probability of beacon reception based on the Euclidean distance between $tr_j$ and each BLE transmitter, given an empirical radio signal reception model (discussed in the next section). The server then encrypts $tr_j$ with a subset of the keys in $K_j$ and publishes all the encrypted trajectories via the Wi-Fi network.

Subscribers to the location distribution server connect to a nearby Wi-Fi access point and receive all encrypted trajectories. Each client can then recover its own trajectory only if it holds the keys requested by the server. Thus each trajectory is delivered only to its true owner as long as the server selects an appropriate set of keys for trajectory encryption.

Decentralized Location Servers

The AnonyCast location distribution system is based on a decentralized architecture in which the system publishes all trajectories via a local network so that trajectory identification can be performed locally on mobile phones. This is in contrast to a centralized architecture where each mobile device periodically uploads feature values for trajectory identification to a server, allowing the server to find the user's own trajectory and send it back via a secure communication channel. A basic assumption behind that scheme is that the server is trustworthy, which may not always hold in practical use cases. By adopting a decentralized architecture, AnonyCast eliminates the need for a trusted central server.

Comparison with Purely BLE-based Localization

Readers may wonder why the BLE transmitters broadcast keys rather than their own locations: if they advertised reference positions, mobile devices could receive these beacons to locally record their own trajectory. Although this approach does not incur any privacy issue, the accuracy of such positioning systems depends considerably on the density of transmitters. The recent literature [8] analyzes the accuracy of BLE-based indoor positioning systems under a variety of configurations, and reports that 6–8 beacons should be available within the signal reception range of a smartphone to achieve sub-meter positioning accuracy. This means that tens of transmitters would be needed to cover, e.g., a wide exhibition venue.

As discussed in the Introduction, the recent major trends in cyber-physical systems, together with rapid technological advances in big data analytics, have been continuously encouraging building managers to consider introducing sensor infrastructures for path analysis. The basic motivation behind our work is to extend the anonymous crowd tracking systems already installed in public indoor spaces for crowd behavior analysis, so that they can help people walking around the building obtain their own precise location information through their mobile phones. We will show in the Evaluation section that AnonyCast can enable robust delivery of precise location measurements over a whole simulated exhibition venue of 40 m × 27 m with only 4–6 BLE transmitters. Thus AnonyCast is a strong option wherever crowd tracking infrastructure is already installed in the environment.

PRELIMINARY

This section discusses observations from our feasibility study and the basic idea of the proposed encryption mechanism.

Characteristics of BLE beacons

In order to meet our privacy requirement, all trajectories are encrypted prior to their release so that users can decrypt only their own trajectories. To facilitate this decryption, AnonyCast broadcasts location- and time-dependent keys using BLE beacons. Thus, BLE propagation characteristics play an important role in the design and feasibility of our system. To explore these characteristics, we conducted reception rate experiments in an 8 m × 15 m room using a commercial BLE transmitter [20] and several models of Android smartphones (Nexus 4 and Nexus 5 from LG Electronics, and Nexus 7 from ASUSTeK). The transmitter was positioned at a height of 1 m and programmed to transmit advertisement beacons every 0.5 seconds. Smartphones were placed at distances of 1–10 m from the transmitter and continuously probed for beacons for 300 seconds.

Figure 2. Beacon reception rates for varying transmission powers: (a) −90 dBm, (b) −86 dBm.

Fig. 2 (a)–(b) show the beacon reception rate for signal transmission powers of −90 dBm and −86 dBm, respectively. Due to hardware variations across phone models and Bluetooth chipsets, the beacon reception rate differs for each of the devices evaluated. In addition, because of multipath and fading effects, the reception rate does not always degrade monotonically with distance. Nevertheless, beacon reception rates clearly tend to decrease with distance, falling to zero once the distance exceeds a certain value.

Trajectory Encryption by CP-ABE

As the basic cryptographic scheme for our location data distribution mechanism, we harness the emerging concept of Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [3]. CP-ABE is a type of public key cryptography that allows flexible access control over encrypted data based on the attributes that each client owns. It assumes that clients hold a set of keys, each of which is associated with a specific attribute such as name, title, or affiliation. In the encryption process, a party wanting to send a secret message specifies an access policy in the form of a logical expression over these attributes. The access policy is embedded in the ciphertext so that only people who have those attributes, and thus hold the corresponding private keys, can decrypt it to access the original data. The private keys corresponding to each attribute are distributed beforehand via a secure channel.

In AnonyCast, each attribute is no longer associated with an individual person. Instead, each BLE transmitter has an ID attribute $b_i$ and a time attribute $t$, and advertises the corresponding private keys at the corresponding time. In encrypting each trajectory, the server builds an access policy based on the probabilities that the owner has received each key. Consider the example scenario shown in Fig. 3, where three BLE transmitters periodically advertise location-dependent, time-varying keys. During the time window from $t_1$ to $t_5$, the crowd tracking sensors detect three anonymous trajectories, namely $tr_0$, $tr_1$ and $tr_2$. Without loss of generality we consider an access policy for the trajectory $tr_0$. Based on the distance between $tr_0$ and each BLE transmitter at each time step, the server estimates that the owner of $tr_0$ is likely to have received $key(b_1,t_1)$ and $key(b_1,t_2)$ from transmitter $b_1$, $key(b_2,t_3)$ from $b_2$, and $key(b_3,t_4)$ and $key(b_3,t_5)$ from $b_3$. In this case, a possible access policy would be $(key(b_1,t_1) \vee key(b_1,t_2) \vee key(b_2,t_3)) \wedge (key(b_3,t_4) \vee key(b_3,t_5))$. The idea behind this policy is that the three keys in the first clause serve as evidence that a pedestrian is the owner of $tr_0$ rather than $tr_2$, since the owner of $tr_2$ is unlikely to have any of these keys. In the same way, the two keys in the second clause serve as evidence that the pedestrian is the owner of $tr_0$ rather than $tr_1$. By joining these two clauses with an AND operator, the server ensures that the owner of $tr_0$ is uniquely identified against the other pedestrians. Obviously, generating such a policy becomes much harder as the number of trajectories, pedestrians, and beacons increases. We design an algorithm to solve this problem in the following sections.

Figure 3. An example scenario: transmitters $b_1$, $b_2$, $b_3$; trajectories $tr_0$, $tr_1$, $tr_2$; time steps $t_1$ to $t_5$; keys $(b_1,t_1)$, $(b_1,t_2)$, $(b_2,t_3)$, $(b_3,t_4)$, $(b_3,t_5)$.

ALGORITHM DESIGN

This section provides detailed discussions on the problem formulation and algorithm design for the AnonyCast system.

Problem Formulation

We denote the set of anonymous trajectories obtained by the crowd tracking sensors by $T$. Each trajectory $tr_j \in T$ is a time series of up to $W$ locations of a single pedestrian, where $W$ is the window size for trajectory encryption. Thus a trajectory is denoted by $tr_j = \langle tr_{j,t},\ tr_{j,t-\tau},\ \ldots,\ tr_{j,\max(t_0,\ t-(W-1)\tau)} \rangle$, where $t_0$ is the time when $tr_j$ first appeared in the sight of the sensors and $tr_{j,t}$ is the estimated location of the pedestrian at time $t$. The server also knows the location of each BLE transmitter $b_i$ and the set $K$ of all keys advertised during the recent $W$ time steps. We assume that the probability that the owner of $tr_j$ receives a private key $key(b_i,t)$, denoted by $p_{rcv}(tr_j, key(b_i,t))$, is a function of the distance between each point on trajectory $tr_j$ and each BLE transmitter $b_i$. Based on the reception probabilities for the keys advertised during the recent $W$ time steps, the server generates an access policy for each trajectory $tr_j \in T$.

The goal of access policy generation is to specify a set of acceptable private key combinations such that the system can probabilistically ensure that a client is the true owner of a given trajectory if it has received a valid combination of the requested keys. In order to make this guarantee, we have to calculate the probability that any other client in the target field can receive the requested keys in any of the allowable combinations, and check that this probability is sufficiently smaller than that of the true owner. Since the number of possible combinations of private keys is $2^{|K|}$, the computational cost of the probability calculation amounts to $O(|T| \cdot 2^{|K|})$ in the worst case. Although CP-ABE allows an arbitrary logical formula as an access policy, we restrict each access policy by the following rules in order to bound the search space for access policy generation.

Rule 1. An access policy $C$ is defined in conjunctive normal form as follows:

$$C = C_1 \wedge C_2 \wedge \cdots \wedge C_m \quad (1)$$

where each clause $C_k$ is defined as:

$$C_k = key_{k,1} \vee key_{k,2} \vee \cdots \vee key_{k,n} \quad (2)$$

Rule 2. Each private key in $K$ appears in at most one clause of an access policy $C$.

The subscripts $m$ and $n$ are the number of clauses in the access policy and the number of keys in clause $C_k$, respectively. Each $key_{k,l}$ in a clause $C_k$ is a private key advertised by one of the BLE transmitters during the recent $W$ time steps. Rule 1 does not reduce the expressiveness of access policies, because any logical formula can be converted to conjunctive normal form. While Rule 2 limits the types of access structures that a policy can describe, in return it drastically reduces the computational cost of the probability calculation to $O(|T| \cdot |K|^2)$.

For simplicity of notation, we represent each clause $C_k$ in an access policy by the set of keys it contains, say $S_k$. An access policy is then denoted by $S = \{S_1, S_2, \ldots, S_m\}$, where each element $S_k$ corresponds to $C_k$ in Eq. (1).

Consider access policy generation for a specific trajectory $tr_0$, and assume that a certain pedestrian has received a private key $key(b_i,t)$. The probability that she is the true owner of $tr_0$ rather than of another trajectory $tr_j$ (denoted by $tr_0 \succ tr_j$) is defined as:

$$P_{id}(tr_0 \succ tr_j \mid key(b_i,t)) = \frac{p_{rcv}(tr_{0,t}, key(b_i,t))}{p_{rcv}(tr_{0,t}, key(b_i,t)) + p_{rcv}(tr_{j,t}, key(b_i,t))} \quad (3)$$

We term the probability in Eq. (3) the pair-wise identification probability of $key(b_i,t)$ for $tr_0$ against $tr_j$.

In the same manner, we consider the pair-wise identification probability of a given access policy $S$, assuming that a certain pedestrian has received a set of keys that satisfies $S$ during the recent $W$ time steps. In this case, the probability that she is the owner of $tr_0$ rather than of another trajectory $tr_j$ can be lower bounded as:

$$P_{id}(tr_0 \succ tr_j \mid S) \ge \frac{\prod_{S_k \in S} p_{rcv}(tr_0, key'(tr_0, tr_j, S_k))}{\prod_{S_k \in S} p_{rcv}(tr_0, key'(tr_0, tr_j, S_k)) + \prod_{S_k \in S} p_{rcv}(tr_j, key'(tr_0, tr_j, S_k))} \quad (4)$$

where $key'(tr_0, tr_j, S_k) = \arg\min_{key \in S_k} P_{id}(tr_0 \succ tr_j \mid key)$ and $p_{rcv}(tr_0, key(b_i,t)) = p_{rcv}(tr_{0,t}, key(b_i,t))$. Note that a client can satisfy the access policy $S$ as long as it has at least one key in each clause. Here we consider the worst case, selecting from each clause only the single key with the lowest pair-wise identification capability.

Our privacy requirement necessitates that the probability that non-owners of a trajectory can decrypt it be less than a threshold $\theta_{pl}$. Thus the server should build an access policy $S$ that meets the following condition:

$$\max_{tr_j \in T'} \{ 1 - P_{id}(tr_0 \succ tr_j \mid S) \} < \theta_{pl} \quad (5)$$

where $T'$ is the subset of $T$ excluding $tr_0$ itself and the trajectories whose distance from $tr_0$ is less than $d$ meters at more than $\lceil \theta_{own} |tr_0| \rceil$ time steps (trajectories grouped with $tr_0$).

Given a clause $S_k$ in an access policy $S$, the probability that the true owner holds keys that satisfy $S_k$ is calculated by:

$$P_{sat}(S_k) = 1 - \prod_{key \in S_k} \big(1 - p_{rcv}(tr_0, key)\big) \quad (6)$$

Likewise, the probability that the owner can decrypt the trajectory $tr_0$ is:

$$P_{sat}(S) = \prod_{S_k \in S} P_{sat}(S_k) \quad (7)$$

Thus, the location distribution server must find an access policy $S$ that maximizes the probability $P_{sat}(S)$ while satisfying the privacy condition in Eq. (5).

Building Access Policies for Trajectory Encryption

At each time step, the AnonyCast server builds an access policy for each trajectory through the following steps.

Step 1: Estimating the subset of received keys $K'$. The server first extracts the set $K'$ of all keys that the owner of a target trajectory $tr_0$ is likely to have received during the recent $W$ time steps. For that purpose, it calculates the probability that the owner of $tr_0$ received each private key (i.e., $p_{rcv}(tr_0, key)$), and then adds to $K'$ all keys whose reception probability is greater than a threshold $\theta_{rcv}$:

$$K' = \{ key(b_i,t) \mid p_{rcv}(tr_0, key(b_i,t)) > \theta_{rcv} \} \quad (8)$$

Step 2: Clustering the keys in $K'$. The server clusters the extracted keys based on the similarity of their pair-wise identification probabilities to form candidate clauses. We define a $|T'|$-dimensional feature vector for each key $key(b_i,t)$ in $K'$, whose elements are its pair-wise identification probabilities for $tr_0$ against each of the other trajectories $tr_j \in T'$. The server then performs distance-based clustering in the feature space to form groups of private keys with similar pair-wise identification ability. Intuitively, clustering keeps the server from placing keys with dissimilar identification ability in the same clause, which would reduce the effectiveness of that clause in distinguishing a trajectory. We employ hierarchical agglomerative clustering [13] for key aggregation: this method starts with single-key clusters (i.e., clauses) and then sequentially merges the two clusters with the minimum inter-cluster distance. We define the distance between two feature vectors as the maximum difference over their corresponding elements, and the inter-cluster distance as the maximum distance over all pairs of feature vectors belonging to different clusters. This process continues until the minimum inter-cluster distance exceeds a pre-defined threshold $\theta_{dist}$. In this paper we used $\theta_{dist} = 0.15$, which provided the best performance in our simulated and experimental evaluations. Consequently, the difference in the pair-wise identification probability $P_{id}(tr_0 \succ tr_j \mid key)$ among the keys in the same cluster is less than $\theta_{dist}$ for all trajectories $tr_j \in T'$.

Step 3: Greedy key selection. Finally, the server selects a subset of the clusters (i.e., candidate clauses) above to build an access policy. The baseline requirement is that the resulting policy meets the privacy condition in Eq. (5); otherwise, the server must not publish the trajectory $tr_0$, to avoid the risk that it is decrypted by non-owners. The pair-wise identification probability in Eq. (4) tends to increase as more clauses are put into the policy. On the other hand, the probability that the true owner can decrypt the trajectory (i.e., Eq. (7)) declines monotonically as the number of clauses increases. In order to find a reasonable trade-off between these two conflicting factors, we design a greedy algorithm with the following reward and cost functions:

$$reward(S_k) = \sum_{tr_j \in T'} \big\{ P_{id}(tr_0 \succ tr_j \mid S \cup \{S_k\}) - P_{id}(tr_0 \succ tr_j \mid S) \big\} \quad (9)$$

$$cost(S_k) = \prod_{key \in S_k} \big\{ 1 - p_{rcv}(tr_0, key) \big\} \quad (10)$$

where $S$ is the set of clauses in the current access policy. The reward is the marginal gain in pair-wise identification probability obtained by adding $S_k$ to the access policy, while the cost is the probability that the true owner of $tr_0$ receives none of the keys in $S_k$. The server begins with an empty access policy $S = \emptyset$ and sequentially adds the clause $S_k$ that maximizes the reward per unit cost (i.e., $reward(S_k)/cost(S_k)$). Since the rewards of the remaining candidate clauses change when a new clause is added to the access policy, the server recomputes them before selecting the next clause to add. This is repeated until the access policy $S$ meets the privacy requirement in Eq. (5), after which the server encrypts the target trajectory $tr_0$ with the resulting policy.
If the server cannot meet the privacy requirement even after all the candidate clauses are added into the access policy, it suppresses publication of $tr_0$ at the current time step.

Figure 4. Steps involved in trajectory encryption at the server: (1) random AES key generation, (2) trajectory encryption by AES, (3) access policy generation, (4) encryption of the AES key by CP-ABE, and (5) publication of the encrypted AES key, the encrypted trajectory and the access policy. Server inputs: anonymous trajectories, locations of BLE transmitters, public parameters and master key for CP-ABE.

Figure 5. Steps performed at clients for trajectory decryption: (1) filtering of published trajectories based on the access policy, (2) decryption of the AES key with the received CP-ABE keys, and (3) decryption of the trajectory.
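The access-policy construction of Steps 1–3 (Eqs. (3)–(10)) carried through on a small instance, as an added example in Python that is not the authors' code: the reception probabilities are constructed sample values, the threshold $\theta_{rcv} = 0.5$ is an assumption (its value is not given in this section), while $\theta_{dist} = 0.15$ and a privacy level $1 - \theta_{pl} = 0.95$ follow the paper.

```python
from itertools import combinations

# Constructed sample data (not from the paper): PRCV[tr][key] stands for
# p_rcv(tr, key), the probability that the owner of trajectory tr received
# `key` during the recent W time steps. "tr0" is the target trajectory and
# OTHERS is T', the trajectories that are not grouped with tr0.
PRCV = {
    "tr0": {"k1": 0.9, "k2": 0.8, "k3": 0.1, "k4": 0.85, "k5": 0.7},
    "tr1": {"k1": 0.1, "k2": 0.2, "k3": 0.9, "k4": 0.8, "k5": 0.1},
    "tr2": {"k1": 0.9, "k2": 0.1, "k3": 0.1, "k4": 0.15, "k5": 0.2},
}
TARGET = "tr0"
OTHERS = ["tr1", "tr2"]

def pid_key(prcv, tr0, trj, key):
    """Eq. (3): pair-wise identification probability of one key."""
    p0, pj = prcv[tr0][key], prcv[trj][key]
    return p0 / (p0 + pj) if p0 + pj > 0 else 0.0

def pid_policy(prcv, tr0, trj, policy):
    """Eq. (4): lower bound for a policy, assuming the client holds only the
    weakest key of each clause. An empty policy yields 1/2 (no information)."""
    num = den_j = 1.0
    for clause in policy:
        key0 = min(clause, key=lambda k: pid_key(prcv, tr0, trj, k))
        num *= prcv[tr0][key0]
        den_j *= prcv[trj][key0]
    return num / (num + den_j) if num + den_j > 0 else 0.0

def privacy_ok(prcv, tr0, others, policy, theta_pl):
    """Eq. (5): the best-placed non-owner decrypts with probability < theta_pl."""
    worst = max((1.0 - pid_policy(prcv, tr0, trj, policy) for trj in others), default=0.0)
    return worst < theta_pl

def candidate_keys(prcv, tr0, theta_rcv):
    """Step 1, Eq. (8): keys the owner of tr0 has probably received."""
    return [k for k, p in prcv[tr0].items() if p > theta_rcv]

def cluster_keys(prcv, tr0, others, keys, theta_dist):
    """Step 2: complete-linkage agglomerative clustering of candidate keys.
    Feature vector = Eq. (3) values against every trj in T'; distance = maximum
    element-wise difference; stop once the smallest distance exceeds theta_dist."""
    feat = {k: [pid_key(prcv, tr0, trj, k) for trj in others] for k in keys}

    def dist(a, b):
        return max(abs(x - y) for x, y in zip(feat[a], feat[b]))

    clusters = [[k] for k in keys]
    while len(clusters) > 1:
        (i, j), d = min(
            (((p, q), max(dist(a, b) for a in clusters[p] for b in clusters[q]))
             for p, q in combinations(range(len(clusters)), 2)),
            key=lambda pair_d: pair_d[1],
        )
        if d > theta_dist:
            break
        clusters[i].extend(clusters.pop(j))  # j > i, so index i stays valid
    return clusters

def psat(prcv, tr0, policy):
    """Eq. (6)-(7): probability that the true owner can satisfy the policy."""
    total = 1.0
    for clause in policy:
        miss = 1.0  # probability the owner received none of the clause's keys
        for k in clause:
            miss *= 1.0 - prcv[tr0][k]
        total *= 1.0 - miss
    return total

def build_policy(prcv, tr0, others, theta_rcv=0.5, theta_dist=0.15, theta_pl=0.05):
    """Step 3: greedy clause selection by reward per unit cost. Returns the
    policy (OR-clauses joined by AND), or None when even all candidate clauses
    cannot meet Eq. (5), in which case publication of tr0 is suppressed."""
    keys = candidate_keys(prcv, tr0, theta_rcv)
    candidates = cluster_keys(prcv, tr0, others, keys, theta_dist)
    policy = []
    while candidates and not privacy_ok(prcv, tr0, others, policy, theta_pl):
        base = {trj: pid_policy(prcv, tr0, trj, policy) for trj in others}

        def ratio(clause):
            reward = sum(pid_policy(prcv, tr0, trj, policy + [clause]) - base[trj]
                         for trj in others)  # Eq. (9): marginal gain over T'
            cost = 1.0  # Eq. (10): owner holds none of the clause's keys
            for k in clause:
                cost *= 1.0 - prcv[tr0][k]
            return reward / max(cost, 1e-12)

        best = max(candidates, key=ratio)
        candidates.remove(best)
        policy.append(best)
    return policy if privacy_ok(prcv, tr0, others, policy, theta_pl) else None

if __name__ == "__main__":
    pol = build_policy(PRCV, TARGET, OTHERS)
    print("access policy:", pol)  # [['k2', 'k5'], ['k1'], ['k4']]
    print("owner decryption probability P_sat:", round(psat(PRCV, TARGET, pol), 4))
```

On this instance the clause {k2, k5} is chosen first because it distinguishes $tr_0$ from both other trajectories at low cost, {k1} alone would never separate $tr_0$ from $tr_2$ (both receive it with probability 0.9), and the policy is published only once all three clauses are present; tightening $\theta_{pl}$ to 0.01 exhausts the candidates and suppresses publication.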

Trajectory Publication and Decryption

At each time step, the AnonyCast server publishes all the encrypted trajectories via a local Wi-Fi network. The access policies are also published along with the trajectories to notify the clients of the decryption requirements, where the keys in each policy are replaced by key identifiers generated by a one-way hash function. The clients use the same hash function to locally calculate the key identifiers for each private key that they have collected. Then each client downloads all of the published trajectories and finds its own trajectory by checking whether its private keys satisfy the access policy of any of the encrypted trajectories. This process can be done by a series of set membership tests, in which the client checks if it has at least one key among those requested in each clause. Once it finds a match, it uses the corresponding private keys to decrypt the data and finally obtains its own trajectory.

PROTOTYPE IMPLEMENTATION

As a proof of concept, we implemented a prototype system on top of an LRS-based crowd tracking system. In this section, we briefly discuss the implementation of each component.

AnonyCast Server

Fig. 4 depicts the steps involved in the generation of the encrypted trajectory at the server. Technically, the plain text in CP-ABE is limited to an element in a group on an elliptic curve and cannot directly represent the trajectory data. Instead, we use the Advanced Encryption Standard (AES) for trajectory encryption, and randomly sample an AES key from the group on an elliptic curve ((1)–(2) in Fig. 4). The AnonyCast server then (3) builds an access policy using the algorithm in the previous section, (4) encrypts the AES key using CP-ABE based on the access policy, and (5) publishes the encrypted AES key and the access policy along with the encrypted trajectories. Note that different AES keys are generated for each trajectory, and thus only the clients that can decrypt the AES key can access the original trajectory. This two-phase mechanism allows us to deliver arbitrary secret data from the server to mobile phones. We implemented the modified CP-ABE scheme for trajectory encryption in Python by extending the Charm cryptography library [2].

AnonyCast Client

Fig. 5 shows the steps performed at the AnonyCast client. Upon receiving the published data via a Wi-Fi network, the client first compares the set of decryption keys that it has received from BLE transmitters over the recent $W$ time steps with the published access policies, which are associated with each encrypted trajectory, to quickly find decryptable trajectories ((1) in Fig. 5). It then (2) decrypts the AES key with the received CP-ABE keys so that it can (3) decrypt the corresponding trajectory. We employed the Charm library on the client application as well. The library is also supported on Android, enabling us to run the client on smartphones.

BLE Transmitters for Decryption Key Distribution

For key distribution, we developed a custom BLE transmitter as shown in Fig. 6, in which the advertisement payloads, transmit frequencies, and transmit powers can be changed dynamically. Many commercial BLE transmitters place limitations on the size of user-configurable data that can be placed in a single advertisement packet (e.g., iBeacon devices allow for 8–20 bytes of configurable data, while the BLE specification allows for up to 31 bytes of payload). Additionally, commercial BLE transmitters do not typically allow for dynamic payload or power configuration without manual user intervention. Our custom transmitter is equipped with a Texas Instruments CC2540 BLE chipset and provides 28 bytes of customizable payload out of the 31-byte data field to distribute the private keys (3 bytes must be reserved to specify advertisement type and length as per the spec). Dynamically configurable transmission power and frequency allow for improved flexibility of transmitter deployment strategies.

Figure 6. Custom BLE transmitters, top and bottom.

Crowd Tracking Sensors & Engine

For crowd tracking, we deployed UTM-30LX LRS sensors [11] at a height of 1m to track the waists of pedestrians. The UTM-30LX has a maximum measurement range of 30m, a horizontal scan angle of 270°, an angular resolution of 0.025°, and a scan frequency of 40 Hz. Thus, every 0.025 seconds, the sensor outputs the distance to the nearest objects in each direction. The sensors are connected to the server via a local area network to report sensor measurements, which are subsequently analyzed by the Java-based crowd tracking engine.

EVALUATION

We evaluated the performance of the AnonyCast system through field experiments and computer simulations.

Figure 7. Field experiment (63m × 33.5m region with LRS sensors and BLE transmitters).

Figure 8. Accessibility by each client.

Figure 9. Simulated exhibition hall (BLE transmitter locations (1)–(16)).

Field Experiment

We deployed three LRS sensors (UTM-30LX [11]) in corridors of our department building, covering the 63m × 33.5m region depicted in Fig. 7. The shaded fan-shaped regions around the sensors indicate their angular coverage (i.e., 270°), in which the sensors can measure the distance to surrounding objects within a 30m range. The sensors were connected to a server machine (Apple Macbook Pro) via Ethernet and USB cables, and our Java-based server program analyzed the measurements to derive a set of anonymous trajectories. Due to limited quantities of custom BLE transmitters, we alternatively used commercial BLE transmitters (RadBeacon USB [20]) in this experiment. The transmitters were deployed at six locations, as indicated by icons in Fig. 9, and periodically advertised radio beacons every 0.5 seconds with a transmission power of −90 dBm. Since RadBeacons do not allow for dynamic payload configuration, we simply recorded the beacon's MAC address and the corresponding timestamp when each client received a beacon, analyzing the beacon reception logs offline to evaluate the accessibility and privacy of the published trajectories. Five student volunteers walked around the field freely for 6 sessions of 300 seconds each, holding different smartphone and tablet models (Nexus 4 (N4), Nexus 5 (N5), Nexus 7 (N7-1 / N7-2), and Galaxy Note 2 (GN)) in hand. The client application on the phones continuously probed the BLE radio beacons, collecting beacon reception logs and storing them in local storage for offline analysis. We set the system privacy parameter $(1 - \theta_{pl})$ to 0.95, while the spatial tolerance $d$, temporal criterion $\theta_{own}$, and window size $W$ are set to 3m, 0.8, and 90 seconds, respectively.

To estimate the clients' beacon reception probability at the server side, we provided the AnonyCast server with a slightly modified version of the experimental model in Fig. 2 (a). Since the server does not know which type of mobile device each user has, it considers the most sensitive device (in this case the Nexus 4) as a reference. On top of this model, we introduced a safety margin to conservatively overestimate reception probabilities. This is done such that the expected beacon reception probability becomes no less than $0.5 \times (20.0 - d)/20.0$, where $d$ is the distance from the transmitter. This helps cope with cases in which clients unexpectedly receive BLE beacons from distant transmitters.

For performance metrics, we consider precision and recall of decryption under the following definitions. The precision is defined by TP/(TP + FP), where TP and FP are the number of correct trajectories that true owners can decrypt and the number of false trajectories that non-owners can decrypt, respectively. The recall is defined by TP/(TP + FN), where FN is the number of true trajectories that true owners cannot decrypt. Note that the precision can be interpreted as the privacy level of the location distribution system, while the recall reflects each user's accessibility to their own trajectory.

The time chart in Fig. 8 shows each client's accessibility to the published trajectories. The red markers represent the times when the client successfully decrypted its own trajectory, while blue markers show the times when a client decrypted another pedestrian's trajectory. As shown, all clients could almost continuously access their own trajectories after initial startup delays of 9–81 seconds. In terms of privacy, 4 of the 5 clients could never decrypt other pedestrians' trajectories throughout the experiment. The only false positive occurs when client N7-1 could access the trajectory of client N7-2 around the 40–50 second marker, when it had been continuously in close proximity to N7-2 for a few tens of seconds. Since AnonyCast employs a probabilistic access control mechanism to handle uncertainty in radio signal propagation, it is difficult to perfectly avoid such unexpected access. Nevertheless, the AnonyCast system achieved an overall precision of 0.99 and a recall of 0.84, which would be reasonable and acceptable performance in most practical scenarios. Note as well that precision can be improved by increasing the system privacy parameter $(1 - \theta_{pl})$ at the cost of recall.

Simulations

We have also conducted simulation experiments assuming the virtual exhibition venue in Fig. 9 to clarify the performance of AnonyCast under a variety of scenarios and system configurations. The field is composed of 17 exhibition booths (represented by shaded areas) and passages that are modeled by 31 line segments (indicated by dotted lines). Initially, all pedestrians stay at a random location in a random booth in the field. Then each pedestrian randomly selects a destination booth and moves towards a random location in that booth using the shortest path along the passages. The speed of the pedestrians is chosen randomly, ranging from 0.5 m/s to 1.5 m/s. By default, we set the number of pedestrians to 30. After arriving at the destination booth, the pedestrian remains there for a random duration within ±10 seconds of the average idle duration of pedestrians, and then leaves for the next booth. The average idle duration is set to 30 seconds in the default configuration.

We simulate BLE transmitters in a subset of the exhibition booths, as indicated by the icons in Fig. 9. Unless otherwise noted, we deploy the transmitters only at the locations (1)–(8) and instruct them to transmit private keys every second (i.e., $\tau = 1$ second). In order to take variations in BLE receiver sensitivity into consideration, we randomly choose the model of each pedestrian's mobile device from Nexus 4, Nexus 5, and Nexus 7, and employ the corresponding radio reception models in Fig. 2 (b). We further assume that the beacon reception probability decreases by 10–20% when the direct signal is obstructed by partitions between the booths.

To faithfully take radio attenuation by human bodies into account, we also conducted the following preliminary measurement campaign. We deployed a RadBeacon USB at a height of 1.2m, and configured it to repeatedly transmit advertisement packets with a transmission power of −86 dBm. We then placed a receiver smartphone (Nexus 5) at the same height and 1–10 meters away from the transmitter to measure beacon reception rates at each distance. We conducted the experiments above in both a Line-of-Sight scenario, in which there was no obstacle between the transmitter and the receiver phone, and two Non-Line-of-Sight scenarios, where 1–2 persons stood between the devices. Fig. 10 shows beacon reception rates under each configuration. The reception rate decreases by about 20% when the line-of-sight is obstructed by human bodies, due to attenuation of direct signals. Based on the results above, we simulate the impact of human bodies as follows: we model each pedestrian by a cylinder with a radius of 0.124 m and a height of 1.6 m, and assume that they hold a phone 0.3 m away from their body. We deploy BLE transmitters at 1.2 m height, and also assume that simulated beacon reception rates are further decreased by 20% if the line-of-sight between a transmitter and a phone is obstructed by any human bodies.

For crowd tracking, we assume that the position information in each anonymous trajectory contains random errors which follow a zero-mean Gaussian distribution with a diagonal covariance matrix $\sigma^2 I$, where $I$ is the two-dimensional identity matrix. By default, we set the standard deviation $\sigma$ to 0.2m.

Unless otherwise noted, we set the system privacy parameter $(1 - \theta_{pl})$ to 0.95, the spatial tolerance $d$ to 3m, the temporal criterion $\theta_{own}$ to 0.8, and the window size $W$ to 90 seconds in the following experiments. We ran simulations of 1,000 seconds each and evaluated the precision and recall as a function of various system parameters. The simulations were conducted 10 times for each parameter configuration, and we show average performance over all of these trials.

Figure 10. Radio attenuation by human bodies.

Figure 11. Performance for varying privacy levels $(1 - \theta_{pl})$.

Figure 12. Performance for varying spatial tolerance $d$.

Figure 13. Performance for varying temporal criterion $\theta_{own}$.

Figure 14. Impact of human mobility.

Figure 15. Performance for varying window size $W$.

Figure 16. Varying the number of pedestrians.

Figure 17. Varying the number of BLE transmitters.

Performance with Different Privacy Levels

We assume that the desired privacy level (i.e., $1 - \theta_{pl}$) is specified as a system parameter. Fig. 11 shows the resulting recall when the privacy level is varied from 0.9 to 0.98. While the recall slightly declines if a stricter privacy requirement is imposed, it still remains around 0.7 even with a privacy requirement of 0.98. This is an encouraging result, because it shows that we can achieve higher privacy requirements without significantly sacrificing accessibility to the published trajectories. Although we have found that recall falls to zero when we require perfect privacy (i.e., $\theta_{pl} = 0$), the system could asymptotically achieve a near-optimal privacy level.

We also analyzed system performance, varying the spatial tolerance $d$ from 3m to 24m and the temporal tolerance $\theta_{own}$ from 0.1 to 0.9. Figures 12 and 13 show the results of these analyses, respectively. Note that our privacy requirement allows the clients who have been within $d$ meters from a person of interest for a certain ratio of time $\theta_{own}$ over the recent time window to access her trajectory. Thus larger $d$ and smaller $\theta_{own}$ both alleviate the privacy requirements for AnonyCast. As a result, both precision and recall tend to increase as the parameter $d$ gets larger or the parameter $\theta_{own}$ gets smaller.

Human Mobility and Window Size

Fig. 14 shows the performance characteristics when the average idle duration of pedestrians at the booths is varied from 0 to 90 seconds. Both precision and recall reach their maximum when people continuously move without stopping at any booths, because the difference in the set of private keys that have been collected by each client is maximized in this case. Since clients staying at neighboring booths are expected to receive similar sets of private keys during that period, it becomes harder for the server to distinguish these clients when the average idle duration exceeds a certain level. Consequently, the location distribution performance tends to decrease as the average idle duration becomes larger. To cope with such performance degradation, we can set the window size $W$ to be sufficiently larger than the typical pedestrian idle duration. Fig. 15 shows the performance of AnonyCast when $W$ is varied from 30 to 180 seconds, while fixing the average idle duration at 30 seconds. As seen, the recall starts to converge when $W$ is 90 seconds (i.e., 3 times larger than the average idle duration). This window size provides a reasonable tradeoff between computational cost and location distribution performance.

Varying the Number of Pedestrians

Fig. 16 shows the precision and recall when the number of pedestrians is varied from 10 to 90. As pedestrian density increases, their trajectories have a greater chance of appearing similar to the trajectory of another person. This leads the server to build stricter access policies to maintain the desired privacy level, and consequently the recall gradually decreases. In exchange for the reduced accessibility, the system maintains almost constant precision regardless of the pedestrian density. Thus AnonyCast can adaptively control accessibility to the trajectories to ensure the desired privacy level. In Fig. 16 we also plot the recall values that are achieved when we set the window size $W$ to 120 seconds. The longer time windows increase the opportunity for mobile devices to receive a unique set of keys, and thus effectively mitigate the degradation of accessibility to the published trajectories.

Varying the Number of BLE Transmitters

In order to illustrate how the density of BLE transmitters affects location distribution performance, we also conducted simulations with different numbers of transmitters. In each scenario, we deployed transmitters at locations (1)–(n) in Fig. 9, where n is the total number of transmitters. Fig. 17 shows the precision and recall when n is varied from 2 to 16. Again we also plot the recall values with the larger window size of 120 seconds. As expected, the recall becomes larger as the number of transmitters increases, since the clients have more opportunities to receive private keys that help to distinguish them from other clients. Even if the number of BLE transmitters is limited, we can effectively avoid significant degradation in the recall by setting a longer time window. For this scenario, AnonyCast can provide reasonable accessibility to the published trajectories with only 4–6 transmitters in total, which is much fewer than the BLE-based positioning systems discussed earlier. This makes AnonyCast a strong indoor localization solution for a growing number of smart buildings, for which crowd tracking capabilities already exist.

DISCUSSION

AnonyCast assumes that clients establish a communication link with nearby Wi-F hotspots to download encrypted trajectories. In this process, the server can learn the MAC address of the client devices. However, the server still cannot associate these MAC addresses with a specific trajectory: the only knowledge it gains is that a client belongs to one of many anonymous trajectories within transmission range of the Wi-Fi access points. Additionally, a malicious user attempting to learn the trajectory of a specific person must obtain all the keys that are required by the (ever-changing) access policy for that trajectory. To do so, the attacker must continually follow the person of interest, obviating the need to learn the trajectory in the first place. Note however that an attacker may still deploy a dense arrangement of BLE receivers in order to remotely collect private keys for trajectory decryption, intending to decrypt other pedestrians' trajectories. The current version of AnonyCast does not have any measure to prevent such brute-force sniffing attacks. One possible solution to overcome this vulnerability would be to leverage additional features extracted from pedestrians' motion in the decryption process. Based on the accurate trajectories from crowd tracking systems, the server could robustly detect motion characteristics of pedestrians such as sudden stops, turns, etc. These could then be used to generate encryption keys based on the temporal sequence of these motion events and employed for trajectory encryption in addition to the BLE-based keys. Mobile phones could capture the same motion events with built-in motion sensors to locally generate the same keys independently of the server. This would effectively improve the security of the system, since potential attackers would need to continuously and reliably estimate these motion features. We leave this possible extension for future work.

CONCLUSION

In this paper, we presented AnonyCast—a privacy-preserving location distribution mechanism for crowd tracking systems. AnonyCast uses anonymous crowd tracking sensors along with BLE beacons to distribute time- and location-dependent keys to location subscribers. AnonyCast then encrypts each trajectory with these keys before publishing them, ensuring that only the true owner of each trajectory can gain access. The results from extensive simulations and field experiments show that AnonyCast can robustly provide accurate trajectories to the corresponding users 84% of the time, while preventing unauthorized access to one's location data by other people with a probability greater than 99%.

ACKNOWLEDGEMENTS

This work was supported in part by the U.S. ARL and U.K. Ministry of Defense (MoD) under Agreement Number W911NF-06-3-0001, and by the NSF under awards CNS-1136174 and CNS-1213140. Any findings in this material are those of the author(s) and do not reflect the views of any of the above funding agencies. The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. This work was also supported in part by JSPS KAKENHI Grant Numbers 26220001 and 15K15980.

REFERENCES

1. Agarwal, Y., Balaji, B., Gupta, R., Lyles, J., Wei, M., and Weng, T. Occupancy-driven energy management for smart building automation. In Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for Energy-Efficiency in Building (BuildSys '10) (2010), 1–6.
2. Akinyele, J., Garman, C., Miers, I., Pagano, M., Rushanan, M., Green, M., and Rubin, A. Charm: a framework for rapidly prototyping cryptosystems. Journal of Cryptographic Engineering 3, 2 (2013), 111–128.
3. Bethencourt, J., Sahai, A., and Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP '07) (2007), 321–334.
4. Chen, Y., Lymberopoulos, D., Liu, J., and Priyantha, B. FM-based indoor localization. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys '12) (2012), 169–182.
5. Chintalapudi, K., Padmanabha Iyer, A., and Padmanabhan, V. N. Indoor localization without the pain. In Proceedings of the 16th Annual International Conference on Mobile Computing and Networking (MobiCom '10) (2010), 173–184.
6. Enzweiler, M., and Gavrila, D. Monocular pedestrian detection: Survey and experiments. IEEE Transactions on Pattern Analysis and Machine Intelligence 31, 12 (2009), 2179–2195.
7. Estimote, Inc. estimote. http://estimote.com.
8. Faragher, R., and Harle, R. An analysis of the accuracy of bluetooth low energy for indoor positioning applications. In Proceedings of the 27th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ '14) (2014), 201–210.
9. Fod, A., Howard, A., and Mataric, M. A laser-based people tracker. In Proceedings of the 2002 IEEE International Conference on Robotics and Automation (ICRA '02), vol. 3 (2002), 3024–3029.
10. Giebel, J., Gavrila, D., and Schnorr, C. A bayesian framework for multi-cue 3D object tracking. In Proceedings of the 8th European Conference on Computer Vision (ECCV '04) (2004), 241–252.
11. Hokuyo Automatic Co., LTD. Scanning range finder, UTM-30LX.
12. Jacques Junior, J., Raupp Musse, S., and Jung, C. Crowd analysis using computer vision techniques. IEEE Signal Processing Magazine 27, 5 (2010), 66–77.
13. Jain, A. K., Murty, M. N., and Flynn, P. J. Data clustering: A review. ACM Computing Surveys 31, 3 (1999), 264–323.
14. Larson, J. S., Bradlow, E. T., and Fader, P. S. An exploratory look at supermarket shopping paths. International Journal of Research in Marketing 22, 4 (2005), 395–414.
15. Lim, H., Kung, L.-C., Hou, J. C., and Luo, H. Zero-configuration, robust indoor localization: Theory and experimentation. In Proceedings of the 25th Conference on Computer Communications (INFOCOM '06) (2006), 1–12.
16. Luo, W., and Hengartner, U. Veriplace: A privacy-aware location proof architecture. In Proceedings of the 18th SIGSPATIAL International Conference on Advances in Geographic Information Systems (GIS '10) (2010), 23–32.
17. Martin, P., Ho, B.-J., Grupen, N., Muñoz, S., and Srivastava, M. An ibeacon primer for indoor localization: Demo abstract. In Proceedings of the 1st ACM Conference on Embedded Systems for Energy-Efficient Buildings (BuildSys '14) (2014), 190–191.
18. Moussa, M., and Youssef, M. Smart devices for smart environments: Device-free passive detection in real environments. In Proceedings of the 7th IEEE International Conference on Pervasive Computing and Communications (PerCom '09) (2009), 1–6.
19. Okuma, K., Taleghani, A., Freitas, N., Little, J., and Lowe, D. A boosted particle filter: Multitarget detection and tracking. In Proceedings of the 8th European Conference on Computer Vision (ECCV '04) (2004), 28–39.
20. Radius Networks, Inc. RadBeacon USB. http://www.radiusnetworks.com/ibeacon/radbeacon/.
21. Rosenbloom, S. In bid to sway sales, cameras track shoppers. http://www.nytimes.com/2010/03/20/business/20surveillance.html?pagewanted=all&_r=0.
22. Saroiu, S., and Wolman, A. Enabling new mobile applications with location proofs. In Proceedings of the 10th Workshop on Mobile Computing Systems and Applications (HotMobile '09) (2009), 3:1–3:6.
23. Scott, J., Bernheim Brush, A., Krumm, J., Meyers, B., Hazas, M., Hodges, S., and Villar, N. Preheat: Controlling home heating using occupancy prediction. In Proceedings of the 13th International Conference on Ubiquitous Computing (UbiComp '11) (2011), 281–290.
24. Sousa, M., Techmer, A., Steinhage, A., Lauterbach, C., and Lukowicz, P. Human tracking and identification using a sensitive floor and wearable accelerometers. In Proceedings of the 11th IEEE International Conference on Pervasive Computing and Communications (PerCom '13) (2013), 166–171.
25. Teixeira, T., Jung, D., and Savvides, A. Tasking networked CCTV cameras and mobile phones to identify and localize multiple people. In Proceedings of the 12th ACM International Conference on Ubiquitous Computing (UbiComp '10) (2010), 213–222.
26. Wada, Y., Higuchi, T., Yamaguchi, H., and Higashino, T. Accurate positioning of mobile phones using laser range scanners. In Proceedings of the 9th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob '13) (2013), 441–446.
27. Wilson, J., and Patwari, N. See-through walls: Motion tracking using variance-based radio tomography networks. IEEE Transactions on Mobile Computing 10, 5 (2011), 612–621.
28. Youssef, M., Mah, M., and Agrawala, A. Challenges: Device-free passive localization for wireless environments. In Proceedings of the 13th ACM International Conference on Mobile Computing and Networking (MobiCom '07) (2007), 222–229.
29. Zhao, H., and Shibasaki, R. A novel system for tracking pedestrians using multiple single-row laser-range scanners. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans 35, 2 (2005), 283–291.
30. Zhao, T., and Nevatia, R. Tracking multiple humans in crowded environment. In Proceedings of the 2004 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR '04), vol. 2 (2004), 406–413.