Frameworks for Privacy-Preserving Mobile Crowdsensing Incentive Mechanisms

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018 1851 Frameworks for Privacy-Preserving Mobile Crowdsensing Incentive Mechanisms

Jian Lin, Student Member, IEEE, Dejun Yang , Member, IEEE, Ming Li, Student Member, IEEE, Jia Xu , Member, IEEE, and Guoliang Xue , Fellow, IEEE

Abstract—With the rapid growth of smartphones, mobile crowdsensing emerges as a new paradigm which takes advantage of the pervasive sensor-embedded smartphones to collect data efficiently. Many auction-based incentive mechanisms have been proposed to stimulate smartphone users to participate in the mobile crowdsensing applications and systems. However, none of them has taken into consideration both the bid privacy of smartphone users and the social cost. In this paper, we design two frameworks for privacy- preserving auction-based incentive mechanisms that also achieve approximate social cost minimization. In the former, each user submits a bid for a set of tasks it is willing to perform; in the latter, each user submits a bid for each task in its task set. Both frameworks select users based on platform-defined score functions. As examples, we propose two score functions, linear and log functions, to realize the two frameworks. We rigorously prove that both proposed frameworks achieve computational efficiency, individual rationality, truthfulness, differential privacy, and approximate social cost minimization. In addition, with log score function, the two frameworks are asymptotically optimal in terms of the social cost. Extensive simulations evaluate the performance of the two frameworks and demonstrate that our frameworks achieve bid-privacy preservation although sacrificing social cost.

Index Terms—Mobile crowdsensing, incentive mechanism, differential privacy Ç

1INTRODUCTION OWADAYS, the proliferation of smartphones is chang- mobile crowdsensing applications [34], [47], [53]. However, Ning people’s daily lives. With the advance of high- most of them assume that the smartphone users contribute speed 3G/4G networks and more powerful embedded sen- to the platform voluntarily. In reality, smartphone users con- sors (e.g., camera, accelerometer, compass, etc.), mobile sume their own resources such as battery and sensing time crowdsensing emerges as a new paradigm which takes while completing the sensing tasks. In addition, they might advantage of the pervasive sensor-embedded smartphones suffer from the potential privacy disclosure by sharing their to collect data efficiently. sensed data with personal information (e.g., location tags A typical mobile crowdsensing system consists of a cloud- and bid price). Therefore, smartphone users may be reluctant based platform and a large number of smartphone users. The to participate in a mobile crowdsensing system and applica- platform works as a sensing service buyer who posts the tion, unless they are paid some rewards to compensate their required sensing information and recruits a set of smart- resource consumption or potential privacy leaks. Since the phone users to provide sensing services. Once selected by number of participating smartphone users has a significant the platform, a smartphone user starts to collect the required impact on the performance of the mobile crowdsensing sys- data and sends it back to the platform. The potential effec- tems, it is necessary to stimulate users to join the systems. tiveness of mobile crowdsensing, especially with geographi- Auction is an efficient method to design incentive mecha- cally distributed smartphone users, enables numerous nisms. Many auction-based incentive mechanisms have been proposed for mobile crowdsensing [46], [47], [49], [51]. They are essentially reverse auctions in which the platform J. Lin and M. Li are with the Colorado School of Mines, Golden, CO 80401. is the service buyer and the smartphone users are the bid- E-mail: {jilin, mili}@mines.edu. ders selling sensing services. In these mechanisms, the ser- D. Yang is with the Colorado School of Mines, Golden, CO 80401, and the vice buyer selects bidders according to their submitted task- Jiangsu Key Laboratory of Big Data Security and Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu bid pairs (elaborated in Section 3). The objectives of these 210023, China. E-mail: [email protected]. mechanisms focus on either maximizing the total value J. Xu is with the Jiangsu Key Laboratory of Big Data Security and Intelli- gained by the platform or minimizing the total payment to gent Processing, Nanjing University of Posts and Telecommunications, the selected users. However, none of them takes users’ pri- Nanjing, Jiangsu 210023, China. E-mail: [email protected]. G. Xue is with Arizona State University, Tempe, AZ 85287. vacy into consideration. E-mail: [email protected]. In most of the proposed truthful auction-based incentive Manuscript received 28 Dec. 2016; revised 20 Nov. 2017; accepted 26 Nov. mechanisms, bidders are stimulated to bid their true costs, 2017. Date of publication 7 Dec. 2017; date of current version 29 June 2018. which are private information of smartphone users. For (Corresponding author: Dejun Yang.) transparency, the platform will publish the outcome of the For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. auction mechanism, which consists of winning bidders and Digital Object Identifier no. 10.1109/TMC.2017.2780091 their payments. Ensuring transparency in the procurement

1536-1233 ß 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See ht_tp://www.ieee.org/publications_standards/publications/rights/index.html for more information. 1852 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018 procedure is essential to efficiency, as it enhances the com- is the cardinality of the largest user task set, e is the petitiveness of public procurement [36]. Meanwhile, it has base of the natural logarithm, OPT is the optimal been proven by bid sale dealers for years that transparency social cost, and n is the number of the users. BidG- leads to profit [37]. The FCC uses auctions to sell the licenses uard-M achieves 2m-differential privacy and the to transmit signals over specific bands of the electromag- social cost is at most OPT þ mOðln nÞ with the proba- netic spectrum, and releases the result of each auction bility of at least 1 À 1=nOð1Þ, where m is the number of online for transparency [3]. In recent years, many commer- sensing tasks. cial platforms have put more emphasis on transparency as With log score function, BidGuard achieves ððeÀ well, e.g., Auction.com [1], which is a trusted leader in the 1Þ=e; dÞ-differential privacy and the social cost is at t Àt web-based real estate auction industry, and eBay [2], which most 2 HmOPT with the probability ofP at least 1 À e m is a multinational e-commerce corporation. for any constant t>0, where Hm ¼ j¼1 1=j, and m However, once the true cost of a smartphone user is is the number of sensing tasks. BidGuard-M achieves 1 reported to the platform, other bidders might infer this pri- 2m log 1ð DÞ-differential privacy and the social cost 2 1þ vate information based on the published outcome. This is is at most 2tOPT with the probability of at least known as inference attack [20] (we give two examples in 1 À 1=nOð1Þ, where D is the maximum difference in the Section 3). Inference attack has been analyzed in many areas, bidding price. In addition, both BidGuard and Bid e.g., multilevel secure databases [22], data mining [10], web- Guard-M are proved to be asymptotically optimal. based applications [40] and mobile devices [31]. Protecting We evaluate the performance of BidGuard and users’ bid privacy is important because its disclosure might BidGuard-M through simulations based on a real also incur threats to users’ other private information, such as data set. Extensive numerical results demonstrate location [25],[44]. In this paper, we focus on designing truthful that both frameworks achieve bid-privacy preserva- auction-based mechanisms to protect users’ bid privacy. tion although sacrificing social cost. To formalize the notion of users’ bid privacy, we employ The remainder of this paper is organized as follows. In the concept of differential privacy [12]. Intuitively, a mecha- Section 2, we briefly review the related work. In Section 3, nism provides differential privacy if the change of one user’s we introduce two system models and the objectives. In bid has limited impact on the outcome. We also leverage the Sections 4 and 5, we present frameworks for the two models exponential mechanism [33], a technique to design differen- in detail and prove their properties, respectively. We evalu- tially private mechanisms, to preserve users’ bid privacy. ate the performance of our frameworks in Section 6. We In this paper, we study the problem of designing truthful conclude this paper in Section 7. mechanisms, which achieve computational efficiency, individual rationality, differential privacy, and approximate 2RELATED WORK social cost minimization. We consider the scenario where In recent years, incentive mechanisms in mobile crowdsens- there is one buyer and multiple sellers. Smartphone users ing have been widely studied [16], [38]. As one of the pio- act as bidders and submit their bids to compete for the neering works on designing incentive mechanisms for chance of being selected to perform the corresponding mobile crowdsensing, Yang et al. [48], [49] proposed two tasks. Besides, smartphone users do not want others to incentive mechanisms for both user-centric and platform- know their own bid information. We first consider the sin- centric models using auction and Stackelberg game, respec- gle-bid model in which each user can only submit a set of tively. The objectives of most of the state-of-art incentive tasks. Then we consider the multi-bid model in which each mechanisms are either maximizing the total utility/value of user can submit a bid for each task in its task set. For each of the platform under a certain constraint (e.g., budget) [52] or these two models, we propose a differentially private truth- minimizing the total payment of the platform [32]. ful auction-based framework, named BidGuard and Bid Feng et al. [15] proposed a mechanism called TRAC, which Guard-M, respectively. One important component of both takes into consideration the importance of location informa- frameworks is a platform-defined score function for select- tion when assigning sensing tasks. ing users. As examples, we propose two score functions to Many pieces of works have explored the privacy-pre- realize the frameworks. serving mechanisms in mobile crowdsourcing. Most of The main contributions of this paper are as follows: them [17], [26] apply the spacial and temporal cloaking techniques like K-anonymity to blur users’ locations in a cloaked In this paper, we propose two frameworks, BidGuard area or cloaked time interval to preserve users’ privacy. and BidGuard-M, for privacy-preserving mobile PEPSI [11] and AnonySense [39] focus on anonymous data crowdsensing incentive mechanisms for two differ- collection, which could protect users’ identities when they ent models, which achieve computational efficiency, submit the tasks. individual rationality, truthfulness, differential pri- Some efforts have been specially made to protect users’ vacy, and approximate social cost minimization. Spe- privacy in mobile crowdsensing [8]. Although providing cifically, we design two different score functions, good performance in privacy preservation, the mechanisms linear score function and log score function, to realize in [14], [18], [27], [28], [29], [35], [43], [50] are based on cryp- this two frameworks. tography techniques and do not take into consideration the With linear score function, BidGuard achieves ððeÀ users’ strategic behaviors. Besides, all of the cryptography- 1Þ=e; dÞ-differential privacy and the social cost is at based works are vulnerable to inference attack, since an most gOPT þ Oðln nÞ with the probability of at least attacker can infer users’ private information through the Oð1Þ d 1 1 À 1=n , where >0 is a constant, 2ð0; 2 and g published results. Sun et al. [41] proposed an auction-based LIN ET AL.: FRAMEWORKS FOR PRIVACY-PRESERVING MOBILE CROWDSENSING INCENTIVE MECHANISMS 1853 incentive mechanism which encrypts users’ bids by oblivi- user in U. This assumption is reasonable for mobile crowd- ous transfer. But it does not solve the issue of inference sensing as made in [15]. If a task in T can only be completed attack because one user still can infer others’ bids from the by at most one user in U, we simply remove it from T . received payment. Jin et al. proposed a privacy-preserving At the beginning of this auction, each user i 2Usubmits b G approximately truthful incentive mechanism [23], which a task-bid pair i ¼ð i;biÞ to the platform, where bi is user minimizes the total payment, and a privacy-preserving i’s bid, representing the minimum price user i wants to sell framework [24] for data aggregation. However, none of the its sensing service for. Note that in a truthful auction-based above works has a performance guarantee on social cost. In incentive mechanism, users are stimulated to bid their true this paper, our objectives are preserve users’ bid privacy costs, i.e., bi ¼ ci. Without loss of generality, we assume that from inference attack while achieving approximate social each user’s bid is bounded by ½bmin;bmax, where bmin is nor- cost minimization. malized to 1 and b is a constant. Let D denote the differ- max ! Differential privacy was first introduced by Dwork et al. ence between bmax and bmin. Let b ¼ðb ; b ; ...; b Þ denote 1 2 ! n [12]. The first differentially private auction mechanism was the task-bid profile. Given the task-bid profile b , the plat- proposed by McSherry et al. [33]. They also incorporate form determines the outcome of the auction, which consists exponential mechanism and mechanism design to achieve of selected winning users S and the payment profile !p . differential privacy with different objectives. General meth- ods to design truthful mechanisms while still preserving 3.2 Multi-Bid Model differential privacy have been studied in [7], [21], [45]. How- In the single-bid model, each user submit a bid for a set of ever, our objective is different from above works. Recently, tasks. In the multi-bid model, each user is allowed to submit differential privacy has been used in other applications, a bid for each task in its task set, and each user can be e.g., location-based systems [4] and spatial crowdsouc- assigned to work on multiple tasks. G ! D ing [42]. Zhu et al. [54] proposed the first differentially pri- The definitions of T , U, S, i, p and are the same as in vate spectrum auction mechanism, which achieves strategy- Section 3.1. In the multi-bid model, for each user i 2U, each k G k proofness and approximate revenue maximization. Note task ti in i has an associated cost ci . Each user i submits a b1 b2 bki G that our objective is to minimize the social cost, which dif- set Bi ¼f i ; i ; ...; i g of ki ¼j ij task-bid pairs. Each task- bk k k k fers from that in [54]. bid pair is denoted by i ¼ðti ;bi Þ, where ti is a single task G k from i, and bi is the minimum price user i wants to sell its k 3MODELS AND PROBLEM FORMULATION sensing service for ti . Note that in a truthful auction-based incentive mechanism, users are stimulated to bid their true In this section, we model the mobile crowdsensing system ! costs, i.e., bk ¼ ck. Let B ¼ðB ; B ; ...; B Þ denote the task- as a reverse auction and present two different models. Simi- i i 1 2 n ! bid profile. Given the task-bid profile B , the platform lar to most mobile crowdsensing systems [15], [47], [48], S determinesS the winning task-bid pair set BW i2U Bi such [49], [51], we consider a mobile crowdsensing system con- k bk that bk2B ti ¼T. For each winning task-bid pair i 2BW , sisting of a platform and multiple smartphone users who i W pk i are interested in performing sensing tasks. In the first the platform calculates a payment i . A user is called a win- model, each user can submit only one task-bid pair. Our sec- ner and be added into S if it has at least one winning task-bid pair,P i.e., Bi \BW 6¼;. The payment for each winner i is ond model allows each user to submit multiple task-bid k pi ¼ bk p . The utility of any user i 2Uis pairs and can be assigned to work on multiple tasks. Then 2Bi\BW i i ( P we describe the threat models, which threaten both of the k pi À bk c ; if i 2S; 2Bi\BW i models. At the end of this section, we present some impor- ui ¼ i tant properties and give our design objective. 0; otherwise:

3.1 Single-Bid Model 3.3 Threat Models Threats to Incentive. We assume that users are selfish but The platform first publicizes a set T¼ft1;t2; ...;tmg of m sensing tasks. Assume there is a set U¼f1; 2; ...;ng of n52 rational. Hence user i could report a bid bi differs from its true cost c , i.e., b 6¼ c in the single-bid model or report a smartphone users. Each user i has a task set Gi T, which i i i bid bk 6¼ ck in the multi-bid model to maximize its own util- it can perform. Each Gi is associated with a cost ci, which is i i a private information of user i. The platform selects a subset ity. We also assume that user i does not misreport its task G of users SUto complete all the sensing tasks in T . At last, set i in the single-bid model as in [15], [47], [48], [49], [51], and does not misreport any tk 2 G in the multi-bid model.1 the platform calculates the payment pi for each selected i i ! Other threats to incentive (e.g., collusion among bidders) user i 2S. Let p ¼ðp1;p2; ...;pnÞ denote the payment profile. The utility of any user i 2Uis are out of the scope of this paper. Threats to Privacy. As mentioned earlier, bidders are stim- pi À ci; if i 2S; ulated to bid their true costs in a truthful auction-based ui ¼ 0; otherwise: incentive mechanism, i.e., bi ¼ ci in the single-bid model

In this paper, we model the interactive process between G0 1. In the single-bid model, if user i reports i containing tasks not in G G0 G G0 the platform and the users as a sealed-bid reverse auction, i, i.e., i n i 6¼;, it cannot ﬁnish i when selected. If user i reports G0 G where the platform buys sensing service and the users are i i with ci, the probability of user i being selected will not increase according to our mechanism. The case where user i misreports both Gi bidders who sell sensing service. In order to prevent the G0 G and ci is challenging, because calculating the true cost of i i is monopoly and guarantee the quality of sensing task, we bk still an open question. In the multi-bid model, if user i reports i con- G 0k G 0k assume each task in T can be completed by more than one taining tasks not in i, i.e., ti 2= i, it cannot ﬁnish ti when selected. 1854 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018

TABLE 1 TABLE 2 Example Showing the Inference Attack in Single-Bid Model Example Showing the Inference Attack in Multi-Bid Model

User 123 4 5 User 123 4 5 b bk i i G k i t1;t2 t1 t1;t3 t1;t2 t1;t3 ti t1 t2 t1 t1 t3 t1 t2 t1 t3 k bi $3 $1 $4 $5 $5 bi $1.5 $1.5 $1 $1.6 $2.4 $3 $2 $2.5 $2.5

k k and bi ¼ ci in the multi-bid model. However, one bidder Individual Rationality: A mechanism is individually could infer other bidders’ bid according to the outcome of rational if each user will have a non-negative utility the mechanism. This inference attack can be seen from the when bidding its true cost. following examples. Truthfulness: A mechanism is truthful if any user’s We first consider the single-bid model, suppose there are utility is maximized when bidding its true cost. b G 5 users in the system and their task-bid pairs i ¼ð i;biÞ; Social Cost Minimization: A mechanism achieves i 2½1; 5 are shown in Table 1. The platform publicizes a set social cost minimization if the total cost of the users of 3 sensing tasks T¼ft1;t2;t3g. According to the proposed in S is minimized subject to certain constraints on S. truthful mechanism in TRAC [15], the winning users In addition, we consider users’ bid privacy preservation. S¼f2; 1; 3g. Suppose user 5 is a bidder who want to infer Definition 1 (Differential Privacy [12]). A randomized other bidders’ bid, and it changes its bid b5 from $5 to $3 in function M has -differential privacy if for any two input sets the next auction while the other four bidders do not change A and B with a single input difference, and for any set of out- their task-bid pairs. The winning users of the new auction is comes ORangeðMÞ S¼f2; 1; 5g. Since the platform publishes the outcome of user the mechanism for transparency, 5 could know the Pr½MðAÞ 2 O expðÞÂPr½MðBÞ2O: results and infer that user 3’s bid is between $3 and $5 by the fact that if it bids $5 it will be replaced by user 3 and if it In this paper, the randomized function M is correspond- bid $3 it will replace user 3. We can see that, after many ing to our frameworks, and RangeðMÞ is the outcome space rounds of auction, user 5 might narrow down user 3’s bid of the frameworks. One relaxation of differential privacy is range, and even infer the exact value in some cases. as follows. Next we consider the inference attack in multi-bid model using the example shown in Table 2. According to the pro- Definition 2 (Approximate Differential Privacy [13]). A posed truthful mechanism in TRAC [15], the winning bid- randomized function M gives ð; dÞ-differential privacy if for b1 b2 b2 pairs are BW ¼f 2; 1; 3g, and thus S¼f2; 1; 3g. Suppose any two input sets A and B with a single data difference, and user 5 is a bidder who want to infer other bidders’ bid, and for any set of outcomes ORangeðMÞ 2 it changes its bid b5 from $2.5 to $2 in the next auction while the other four bidders do not change their task-bid pairs. Pr½MðAÞ 2 O expðÞÂPr½MðBÞ 2 O þ d: Then the winning bid-pairs of the new auction are b1 b2 b2 BW ¼f 2; 1; 5g. Based on this outcome, user 5 could infer The truthfulness of an auction mechanism is guaranteed that user 3’s bid for t3 is between $2 and $2.5 by the fact that by the following theorem. if it bids $2.5 it will be replaced by user 3 and if it bids $2 it Theorem 1 ([5]). Let Pr ðzÞ denote the probability that bidder i is will replace user 3. After many rounds of auction, user 5 i ! selected when its bid is z. A mechanism with bids b and pay- might also narrow down user 3’s bid range, and even infer ments !p is truthful in expectation if and only if, for any bidder i, the exact value in some cases. This inference attack is practical in most mobile crowdsens- 1) PrR iðzÞ is monotonically non-increasing in bi; 1 ing applications, e.g., [34], [53], where tasks are publicized 2) 0 PriðzÞdz < 1; periodically for collecting dynamic sensing data. Protecting 3) TheR expected payment satisfies Ep½¼i biPriðbiÞþ 1 users’ bid privacy from such inference attack is important PriðzÞdz. bi because its disclosure might also incur threats to users’ other private information, such as location [25], [44]. For example, Next, we introduce the concept of the exponential mechanism and its properties. In the literature of differential pri- in [25] each user i’s cost of task ci is modeled as a linear func- vacy, the exponential mechanism is often used to design tion of its distance di to the task. In a truthful mechanism, user privacy-preserving mechanisms. A key component of the i’s bid bi ¼ ci. Therefore, an attacker can infer user i’s location f A; o inside a suspicion region, which is the circle centered at the exponential mechanism is the score function ð Þ, which maps the input set A and an outcome o 2Oto a real-valued task with radius di, by inferring its bid bi. Besides, an attacker o can also improve the inference accuracy by narrowing down score. The score represents how good the outcome is for the input set A compared with the optimal outcome. the victim’s bid through many rounds of auction. Exponential Mechanism f ðAÞ. Given an outcome space O, 3.4 Desired Properties an input set A, a score function f and a small constant , the exponential mechanism ðAÞ chooses an outcome o 2O We consider the following important properties. f with probability hi Computational Efficiency: A mechanism is computa- Pr A o exp f A; o : tionally efficient if it terminates in polynomial time. f ð Þ¼ / ðÞð Þ LIN ET AL.: FRAMEWORKS FOR PRIVACY-PRESERVING MOBILE CROWDSENSING INCENTIVE MECHANISMS 1855

Let L denote an upper-bound of the difference of any two 4.2 Design of BidGuard input sets, the exponential mechanism has the following In this section, we will describe BidGuard in detail. As illus- properties. trated in Algorithm 1, BidGuard consists of three phases: user screening, winner selection, and payment determina- Theorem 2 ([33]). The exponential mechanism gives 2L-differ- tion. It executes these three phases iteratively until all the ential privacy. sensing tasks can be completed by the selected users. Theorem 3 ([19]). For any a 0, the exponential mechanism, L when used to select an output o 2O, f ðAÞ yields 2 -differen- Algorithm 1. BidGuard Ã tial privacy, letting O be the subset of O achieving Input: A set of sensing tasks T , a set of users U, submitted ! fðA; oÞ¼maxofðA; oÞ, ensures that task-bid profile b , and differential privacy parame- d 1 ters >0 and 2ð0; 2. Pr fðA; ðAÞÞ < max fðA; oÞÀlnðjOj=jOÃjÞ= À a= Output: A set of winners S and a payment profile !p . f o 1 S ;, T c ;, R U; a expðÀ Þ: 2 foreach i 2Udo pi 0 3 while T c 6¼T do 3.5 Design Objective 4 foreach i 2Rdo The goal of our framework design is to minimize the social 5 if Gi Tc thenR Rnfig cost while achieving computational efficiency, individual 6 end rationality, truthfulness and differential privacy. Specifi- 7 foreach i 2Rdo cally, the minimization problem in the single-bid model is 8 Calculate the probability PriðbiÞ of each user being referred to as the Social Cost Minimization (SCM) problem selected according to the score function; and the minimization problem in the multi-bid model is 9 end 0 referred to as the SCM-M problem. Next, we give the formal 10 Select one user randomly, denoted by i , according to the computed probability distribution; formulation of the SCM problem and the SCM-M problem, 0 0 11 S S[fi g, T T [ G 0 , R Rnfi g; respectively. c c R i 12 end bmax PriðzÞdz SCM Problem. Given a task set T and a user set U, the goal bi 13 foreach i 2Sdo pi bi þ of the SCM-SP problem is to find a subset of usersS SU, such ! PriðbiÞ G 14 return S and p . that CðSÞ ¼ i2S ci is minimized subject to i2S i ¼T. SCM-M Problem. Given a task set T and a user set U, the 1) User Screening Phase. BidGuard will eliminate all the goal of the SCM-M problem is to find a subset of users redundant users, whose task set can be completed by the SU andP their assigned task-bid pairs SBW , such that k k currently selected users. The set of remaining users is CðBW Þ¼ bk2B ci is minimized subject to bk2B ti ¼T. i W i W denoted by R. Note that SCM problem is challenging because it is NP- 2) Winner Selection Phase. BidGuard will assign each user hard (proved by Theorem 4 in [30]), let alone combining i 2Ra probability of being selected as follows. It first com- with computational efficiency, individual rationality, truth- b putes a criterion rð iÞ, which is the bid divided by the num- fulness and differential privacy. Although SCM-M can be ber of tasks that cannot be completed by the currently solved optimally, it is still challenging when combining selected users, i.e., with the other properties. Therefore, we aim to design differentially private truthful frameworks with theoretically b bi rð iÞ¼ G ; (1) guaranteed approximate social cost. j i ÀTcj

where T c is the set of tasks that can be completed by the cur- 4BIDGUARD:DIFFERENTIALLY PRIVATE AUCTION rently selected users. BidGuard selects the user with the FRAMEWORK FOR THE SINGLE-BID MODEL b lowest rð iÞ in each iteration. To apply the exponential In this section, we design and analyze BidGuard, a differen- mechanism, we need to design a score function, which is a b tially private auction framework for the Single-bid Model. non-increasing function of rð iÞ. The probability of each user to be selected is set according to the value of the score 4.1 Design Rationale function. BidGuard integrates the exponential mechanism with the 3) Payment Determination Phase. Let PriðzÞ denote the reverse auction to achieve computational efficiency, indi- probability of user i being selected with bid z. According to vidual rationality, truthfulness, differential privacy and Theorem 1, the payment to winner i is approximate social cost minimization. In this framework, R bmax PriðzÞdz users are selected iteratively. In each iteration, redundant bi pi ¼ bi þ : users are eliminated and each remaining user is assigned a PriðbiÞ probability to be selected. The framework then selects one of them as the winner based on the probability distribution. 4.3 Design of Score Functions Specifically, the probability of a user to be selected is set To apply the exponential mechanism, we need to design a according to a specific criterion. The above processes score function. Specifically, we design two score functions, repeats until all the sensing tasks can be completed by the linear score function and log score function. We will show that selected users. Finally, the framework computes the pay- they have different theoretical bounds on the social cost ment to each winner. (Section 4.4) and performance in simulations (Section 6). 1856 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018

d 1 Linear Score Function. fLIN ðxÞ¼1 À x. For any bidder where >0 and 2ð0; 2 are constants, e is the base of the natu- i 2R, the probability to be selected in each iteration is ral logarithm. In addition, it has social cost at most ( gOPT þ Oðln nÞ with probability at least 1 À 1=nOð1Þ,whereg exp 0ð1 À bi Þ ; if i 2R; bmaxjG ÀT cj OPT PriðbiÞ/ i is the cardinality of the largest user task set, is the optimal 0; otherwise; social cost of the SCM problem, and n is the number of users. where 0 ¼ =ðeD lnðe=dÞÞ. Note that in order to guarantee Proof. We first prove the computational efficiency. The outer the value of the score function is nonnegative, we normalize while-loop (Lines 3-12) will run at most m iterations since b bi there are m tasks. Meanwhile, the two inner for-loops rð iÞ, i.e., b jG ÀT j. Then the probability is max i 8 c (Lines 4-6) and (Lines 7-9) will run at most n iterations > 0 bi > exp ð1À G Þ since there are n users. Therefore, the total computational < bmaxj iÀT cj P ; if i 2R; LIN OðmnÞ PriðbiÞ¼ 0 bj (2) complexity of is . The individual rationality is > exp ð1À G Þ :> j2R bmaxj jÀT cj guaranteedR by the fact that the payment to each winner i is bmax 0; otherwise: PriðzÞdz bi pi ¼ bi þ bi. In order to prove the rest of this PriðbiÞ Log Score Function. fLOGðxÞ¼log 1=2x. For any bidder i 2R, the probability to be selected in each iteration is theorem, we prove the following lemmas. tu ( Lemma 1. LIN is truthful. exp 0 log bi ; if i 2R; 1=2 bmaxjGiÀT cj PriðbiÞ/ Proof. According to (2) and (3), the probability PriðbiÞ of 0; otherwise; user i being selected in BidGuard is monotonically non- 0 d D increasing in its bid bi. In addition, noR bid is greaterR than where ¼ =ðe lnðe= Þlog 1=2ðÞÞ1=ð1 þ Þ . We also normalize 1 b b max the rðb Þ, i.e., i to guarantee the value of the score bmax in our model. Thus we have 0 PriðzÞdz ¼ 0 i bmaxjGiÀT cj function is nonnegative. Then the probability is PriðzÞdz < 1: Furthermore, we have 8 E½pi > b R ! > exp 0 log i < 1=2b jG ÀT j bmax max i c PriðzÞdz P ; if i 2R; bi Pr ðb Þ¼ bj 3 ¼ ðÞÂ1 À Pr ðb Þ 0 þ Pr ðb ÞÂ b þ i i > exp 0 log ( ) i i i i i > j2R 1=2bmaxjG ÀT cj PriðbiÞ : j Z 0; otherwise: 1 ¼ biPriðbiÞþ PriðzÞdz: Throughout the rest of this paper, we denote the BidG- bi uard with linear score function fLIN and log score function Then, according to Theorem 1, the lemma holds. tu fLOG by LIN and LOG, respectively. Illustrating Example. We use the example in Table 1 to d 1 Lemma 2. For any constants >0 and 2ð0; 2, LIN achieves illustrate how LIN works. Assuming bmin ¼ 1, bmax ¼ 6, then ððe À 1Þ=e; dÞ-differential privacy, where e is the base of the D ¼ 5. Let the differential privacy parameters ¼ 0:1 and natural logarithm. d ¼ 0:5, then 0 ¼ 0:1=ðe Â 5lnðe=0:5ÞÞ. At the beginning, ! ! Proof. Let b and b0 be two input task-bid profiles that differ T¼ft1;t2;t3g, S¼;, T c ¼;, R¼U¼f1; 2; 3; 4; 5g. LIN ! !b b0 starts to select users iteratively. In the first iteration, LIN cal- in any user d’s bid, respectively. Let Mð Þ and Mð Þ G G denote the sequences of users selected by LIN with inputs culates j i ÀTcj for each user i 2R. We have j 1 ÀTcj¼2, ! !b b0 jG2 ÀTcj¼1, jG3 ÀTcj¼2, jG4 ÀTcj¼2, and jG5ÀTcj¼2. and , respectively. We show that LIN, even revealing Based on (2), LIN calculates the probability of every user in the order in which the users are chosen, achieves differen- 0 R to be selected in this iteration, e.g., Pr1ð3Þ¼expð0:7 Þ= tial privacy for an arbitrary sequence of users I ¼ i1; 0 0 0 0 0 ðexpð0:7 Þþexpð0:8 Þþexpð0:6 Þþexpð0:5 Þþexpð0:5 ÞÞ. i ; ...;i of arbitrary length l. We consider the relative prob- 2 l ! ! LIN selects a user based on the calculated probability distri- ability of LIN for given task-bid inputs b and b0 bution. Assume LIN selects user 1, then S¼f1g, T c ¼ b ft ;t g R¼f3; 5g ij 1 2 , . At the beginning of the second iteration, exp 0ð1À Þ b jG ÀT j LIN jG ÀT j user max ij c calculates i c for the remaining users 3 and hiP G G ! b user 5. We have j 3 ÀTcj¼1 and j 5 ÀTcj¼1. Then LIN Pr Mð b Þ¼I Yl exp 0ð1À i Þ i2U bmaxjG ÀT cj calculates the probabilities of user 3 and user 5tobe hi¼ j i ! b0 b0 I i selected in this iteration according to (2). We have Pr3ð4Þ¼ Pr Mð Þ¼ j¼1 exp 0ð1À j Þ b jG ÀT j 0 0 0 0 max ij c expð0:2 Þ=ðexpð0:2 Þþexpð ÞÞ and Pr5ð5Þ¼expð Þ=ðexp P b0 0 0 0 i ð0:2 Þþexpð ÞÞ. Assume user 3 is selected in this iteration, exp ð1À G Þ i2Uj bmaxj iÀT cj then LIN terminates since T c ¼T. At last, LIN calculates the b 0 ij payment to allR the selected users, i.e.,R user 1 and user 3. We Yl exp ð1 À G Þ 6 6 bmaxj ij ÀT cj Pr ðzÞdz Pr ðzÞdz 3 1 4 3 ¼ have p1 ¼ 3 þ and p3 ¼ 4 þ . b0 Pr1ð3Þ Pr3ð4Þ j¼1 exp 0ð1 À ij Þ bmaxjGi ÀT cj j 4.4 Analysis of BidGuard P 0 0 bi Yl exp ð1 À G Þ In this section, we first analyze the properties of LIN. i2Uj bmaxj iÀT cj Â P ; bi j¼1 exp 0ð1 À Þ Theorem 4. LIN achieves computational efficiency, individual i2Uj bmaxjGiÀT cj rationality, truthfulness, and ððe À 1Þ=e; dÞ-differential privacy, LIN ET AL.: FRAMEWORKS FOR PRIVACY-PRESERVING MOBILE CROWDSENSING INCENTIVE MECHANISMS 1857

where Uj ¼Unfi1;i2; ...;ijÀ1g and the first equation is The lemma holds. tu based on (2). We then prove this lemma by cases. When Lemma 3. With probability at least 1 À 1=nOð1Þ, LIN has social 0 bd j¼1 2Uj Summing over all w 2W, we have D lnðe=dÞ 4 d. Let O denote the outcome space, where i X X X X each o 2Ois a sequence of users i ;i ; ...;i. We split O 1 2 l P OPT ¼ c ¼ c þ c O0 O00 O0 ¼fo 2Oj l j j j into two sets and , where j¼1 Ã w j Ã 00 0 j2S i2W 2Wi j2S \W Ei2U ½uiD lnðe=dÞg and O ¼OnO. Thus we have X j cw hi i À Oðln nÞ; !b g Pr Mð Þ2O wi2W X hi ! ¼ Pr Mð b Þ¼o where the inequality holds because when n is large, oX2O hiX hi jWj n. ! ! ¼ Pr Mð b Þ¼o þ Pr Mð b Þ¼o Then the lemma holds. tu 0 00 o2O o2O hi For LOG we have the following properties. The proofs X ! expðÞðe À 1Þ0D lnðe=dÞ Pr Mðb0 Þ¼o þ d are similar to those for LIN, and thus omitted. 0 o2O hi ! Theorem 5. LOG achieves computational efficiency, individual expððe À 1Þ0D lnðe=dÞPr Mðb0 Þ2O þ d rationality, truthfulness, and ððe À 1Þ=e; dÞ-differential pri- hi 1 ! vacy, where >0 and d 2ð0; are two constants, e is the base b0 d 2 ¼ expððe À 1Þ=eÞPr Mð Þ2O þ : of the natural logarithm. In addition, it has social cost at most t Àt 2 HmOPT with probability at least 1 À e , for any constant 1858 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018 P m t>0 and Hm ¼ j¼1 1=j, where m is the number of sensing tasks, and OPT is the optimal social cost of the SCM problem. Algorithm 2. BidGuard-M Input: A set of sensing tasks T , a set of users U, submitted Remarks: According to Theorem 4 in [30], the minimum ! task-bid profile B , and differential privacy parame- weighted set cover problem can be reduced to the SCM prob- ter >0. lem. It is well known that the best-possible polynomial time Output: A set of winners S and a payment profile !p . approximation algorithm is an H -approximation algorithm m 1 BW ;, S ;, Bt ;; H m for the weighted set cover problem [9], where m is the th 2 foreach i 2Udo pi 0 t harmonic number. LOG has social cost at most 2 HmOPT , 3 foreach t 2T do where t is a constant, and thus it is asymptotically optimal. 4 foreach i 2Udo bk k Even though LIN cannot be proved to be asymptotically opti- 5 if 9 i 2Bi such that ti ¼ t then bk mal in terms of the social cost, we will show in Section 6 that Bt Bt [f i g it achieves better privacy protection than LOG. 6 end bk 7 foreach i 2Bt do k 5BIDGUARD-M: DIFFERENTIALLY PRIVATE 8 Calculate the probability Priðbi Þ of each task-bid pair AUCTION FRAMEWORK FOR THE MULTI-BID being selected according to the score function; ODEL 9 end M bk0 10 Select one task-bid pair randomly, denoted by i0 , accord- In this section, we design and analyze BidGuard-M, a differ- ing to the computed probability distribution; bk0 entially private auction framework for the multi-bid Model. 11 BW BW [f i0 g, Bt ;; 12 end bk 5.1 Design Rationale 13 foreach i 2BR W do bmax Pr ðzÞdz bk i BidGuard-M integrates the exponential mechanism with the k k i 14 pi bi þ k ; reverse auction to achieve computational efficiency, individ- Priðb Þ 15 end i ual rationality, truthfulness, differential privacy and approx- 16 foreach i 2Udo imate social cost minimization. In this framework, task-bid 17 if Bi \BW 6¼;then pairs are selected iteratively. In each iteration, one task is con- 18 S S[fP ig; sidered. Each of the task-bid pairs with this task is assigned a k 19 pi bk pi ; i 2Bi\BW probability to be selected. The framework then selects one of 20 end them as the winning task-bid pair according to the probabil- 21 end ity distribution. Specifically, the probability of a task-bid pair 22 return S and !p . to be selected is set according to a specific criterion. The above process repeats until all the sensing tasks can be completed by the selected task-bid pairs. Finally, the framework 5.3 Design of Score Functions computes the payment to each winning task-bid pair. Same as the single-bid model, we adopt fLIN and fLOG as score functions. We will show that they have different theo- 5.2 Design of BidGuard-M retical bounds on the social cost (Section 5.4) and perfor- In this section, we will describe BidGuard-M in detail as mance in simulations (Section 6). bk illustrated in Algorithm 2. Linear Score Function. For any task-bid pair i 2Bt, the BidGuard-M selects a winning task-bid pair for each task probability to be selected is in T iteratively until all the tasks can be completed. All the k winning task-bid pairs constitute BW . At the beginning of k bi Priðbi Þ/exp 1 À : each iteration, BidGuard-M first selects for an unassigned bmax k task t 2T a set of task-bid pairs Bt in which ti ¼ t for all bk 2B. BidGuard-M will assign each task-bid pair bk 2B a i t i t Note that in order to guarantee the value of the score func- probability to be selected as follows. It is desired to select bk k tion is nonnegative, we normalize bk, i.e., i . Then the the task-bid pair with the lowest bi from Bt. To apply the i bmax exponential mechanism, we need to design a score function, probability is k which is a non-increasing function of bi . The probability of bk exp 1 À i each task-bid pair to be selected is set according to the value bmax k Priðb Þ¼ : (4) of the score function. At last, BidGuard-M calculates the i P bk k bk j payment pi for each winning task-bid pair i 2BW . Let bk exp 1 À j 2Bt bmax PriðzÞ denote the probability of a task-bid pair being bk selected with bid z. According to Theorem 1, the payment Log Score Function. For any task-bid pair i 2Bt, the to a winning task-bid pair is probability to be selected is R bmax bk PriðzÞdz k pk ¼ bk þ i : k bi i i k Priðbi Þ/exp log 1=2 : Priðbi Þ bmax For each user, if it has at least one winning task-bid pair, it is bk S p ¼ bk i Padded into the winner set and its payment i We also normalize the i , i.e., bmax to guarantee the value of k bk pi . the score function is nonnegative. Then the probability is i 2Bi\BW LIN ET AL.: FRAMEWORKS FOR PRIVACY-PRESERVING MOBILE CROWDSENSING INCENTIVE MECHANISMS 1859

k bk Proof. According to (4) and (5), the probability Priðbi Þ of exp log i bk 1=2 bmax task-bid pair i 2Bt being selected in BidGuard-M is Pr ðbkÞ¼ : 5 k i i P k ( ) monotonically non-increasing in its bid bi . In addition, no bj k exp log b b 2Bt 1=2 bmax bidR is greaterR than max in our model. Thus we have j 1 bmax 0 PriðzÞdz ¼ 0 PriðzÞdz < 1: Furthermore, we have Throughout the rest of this paper, we denote the BidG- k E½pi uard-M with linear score function fLIN and log score func- 0 R 1 bmax tion fLOG by LINÀM and LOGÀM, respectively. ÀÁ bk PriðzÞdz k k @ k i A Illustrating Example. We use the example in Table 2 to ¼ 1 À Priðbi Þ Â 0 þ Priðbi ÞÂ bi þ k Priðbi Þ illustrate how LINÀM works. Let bmin ¼ 1, bmax ¼ 4, and the Z 1 differential privacy parameter ¼ 0:1. At the beginning, k k ¼ bi Priðbi Þþ PriðzÞdz: T¼ft1;t2;t3g, S¼;, BW ¼;, Bt ¼;, and U¼f1; 2; 3; 4; 5g. k bi LINÀM starts to select users for every task in T iteratively. b1 b1 b1 b1 b1 Then, according to Theorem 1, the lemma holds. tu For t1, LINÀM first constructs B1 ¼f 1; 2; 3; 4; 5g. By (4), LINÀM calculates the probability of every task-bid pair in B1 In order to quantify the differential privacy performance b1 to be selected. For example, the probability of 1 to be of LINÀM, we use the following lemmas. selected is Pr1ð1:5Þ¼expð0:0625Þ=ðexpð0:0625Þþexpð0:075Þþ expð0:06Þþexpð0:025Þþexpð0:0375ÞÞ. LINÀM selects one Lemma 5 (Composability [33]). The sequential application of task-bid pair based on the calculated probability distribu- randomized computationP Mi, each giving i-differential pri- b1 b1 vacy, yields ð i iÞ-differential privacy. tion. Assume 2 is selected, then BW ¼f 2g. LINÀM executes b2 b2 the same process for t2. We have B2 ¼f 1; 4g. The probabil- Lemma 6. For any constant >0, LINÀM achieves 2m- b2 b2 ities of 1 and 4 to be selected are Pr1ð1:5Þ¼exp differential privacy, where m is the number of sensing tasks. ð0:0625Þ=ðexpð0:0625Þþexpð0:05ÞÞ and Pr4ð2Þ¼expð0:05Þ= ðexpð0:0625Þþexpð0:05ÞÞ, respectively. Assume LINÀM Proof. Since LINÀM follows the exponential mechanism, it b2 b1 b2 selects a task-bid pair for each task based on (4). Accord- selects 1, then BW ¼f 2; 1g. For t3, LINÀM constructs b2 b2 b2 b2 ing to Theorem 2, for each task LINÀM is 2-differential B3 ¼f 3; 5g. The probabilities of 3 and 5 to be selected are Pr3ð2:4Þ¼expð0:06Þ=ðexpð0:06Þþexpð0:0375ÞÞ and Pr5ð2:5Þ¼ privacy, since the largest difference in the score function L expð0:0375Þ=ðexpð0:06Þþexpð0:0375ÞÞ, respectively. Assume ( )is1.LINÀM selects a task-bid pair for each task in T b2 b1 b2 b2 iteratively until all tasks can be finished. This is a sequen- LINÀM selects 3, then BW ¼f 2; 1; 3g. Once all tasks are assigned, LINÀM calculates theR payment for eachR task-bid tial application of the selection mechanism for one task. 4 4 Pr ðzÞdz Pr ðzÞdz Therefore, according to Lemma 5, LINÀM is 2m-differen- 1 1 2 2 1:5 1 pair in BW . WeR have p ¼ 1 þ , p ¼ 1:5 þ , 4 2 Pr2ð1Þ 1 Pr1ð1:5Þ tial privacy, since there are m tasks. tu Pr3ðzÞdz and p2 ¼ 2:4 þ 2:4 . At last, LINÀM calculates the win- 3 Pr3ð2:4Þ Next, we bound the social cost of LINÀM. ners set S¼f1; 2; 3g and corresponding payments, i.e., 2 1 2 Lemma 7. With probability at least 1 À 1=nOð1Þ, LINÀM has p1 ¼ p1, p2 ¼ p2 and p3 ¼ p3. social cost at most OPT þ mOðln nÞ, where OPT is the opti- 5.4 Analysis of BidGuard-M mal social cost of the SCM-M problem, m is the number of In this section, we first analyze the properties of LINÀM. sensing tasks and n is the number of users. Ã Theorem 6. LINÀM achieves computational efficiency, individ- Proof. Let B denote the optimal solution to the SCM-M ual rationality, truthfulness, and 2m-differential privacy, problem. We denote as BW an arbitrary set of winning where >0 is a constant and m is the number of sensing tasks. task-bid pairs returned by LINÀM. Because only one task- mO ln n bid pair is selected for each task and all tasks need to be In addition, it has social cost at most OPT þ ð Þ with Ã probability at least 1 À 1=nOð1Þ, where OPT is the optimal social completed, we have jB j¼jBW j. Therefore, for any task- bk Ã bk n bid pair j 2B , there exists a task-bid pair i 2BW such cost of the SCM-M problem, and is the number of users. k k that ti ¼ tj , and vice versa. According to Theorem 3, by Proof. We first prove the computational efficiency. The outer taking a ¼ Oðln nÞ, we have while-loop (Lines 4-13) will run at most m iterations since k k there are m tasks. Meanwhile, the two inner for-loops bi bj þ Oðln nÞ; (6) (Lines 4-6) and (Lines 7-9) will run at most n iterations since O 1 there are n users. The payment calculation for the winning with a probability of at least 1PÀ 1=n ð Þ forP each task t 2T. k k task-bid pairs (Lines 13-15) will run at most m iterations Summing (6) over all tasks, bk bi bk Ã bj þ mO i 2BW j 2B Oð1Þ since there are m tasks. The winner selection and payment ðln nÞ with a probability at least 1 À 1=n . ForP truthful n k k k k k calculation (Lines 16-21) will run at most iterations since mechanisms, we have bi ¼ ci and bj ¼ cj .Thus bk bi P i 2BW there are n users. Therefore, the total computational com- k is the social cost of LINÀM,andOPT ¼ bk2BÃ bj . LINÀM OðmnÞ j plexity of is . The individual rationality is This concludes the proof. tu guaranteed by the fact thatR the payment to each winning bmax Pr ðzÞdz bk i For LOGÀM we have the following properties. The k k i k task-bid pair is pi ¼ bi þ k bi . In order to prove LINÀM Priðbi Þ proofs are similar to those for , and thus omitted. the rest of this theorem, we prove the following lemmas. tu Theorem 7. LOGÀM achieves computational efficiency, indi- 1 Lemma 4. LINÀM is truthful. vidual rationality, truthfulness, and 2m log 1ð DÞ-differential 2 1þ 1860 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018

privacy, where m is the number of sensing tasks, D is the maximum difference in the bidding price, and >0 is a constant. In addition, it has social cost at most 2tOPT with probability at least 1 À eÀt, for any constant t>0 and OPT is the optimal social cost of the SCM-M problem. Remarks: LOGÀM has social cost at most 2tOPT , where t is a constant, and thus it is asymptotically optimal. Fig. 1. Impact of the number of sensing tasks on the social cost. 6PERFORMANCE EVALUATION In this section, we evaluate the performance of BidGuard and ½1; 10 for BidGuard-M. Because users in BidGuard bid and BidGuard-M and compare them respectively with for a set of tasks, while users in BidGuard-M bid for a single TRAC [15] and DP-hSRC [23]. TRAC is closest to our work task. We generate users’ bids according to two different dis- in terms of the design objective, but does not protect users’ tributions, i.e., uniform distribution and normal distribu- bid privacy. DP-hSRC considers users’ bid privacy, but min- tion. To evaluate the impact of the number of sensing tasks imizes total payment instead of social cost. on the performance metrics, we set the number of users to 200 and vary the number of sensing tasks from 20 to 60 with 6.1 Simulation Setup a step of 10. To evaluate the impact of the number of users All the evaluation results are based on a real data set of taxi on the performance metrics, we set the number of sensing traces. The dataset consists of the traces of 320 taxi drivers, tasks to 150 and vary the number of users from 100 to 300 who work in the center of Rome [6]. Each taxi driver has a with a step of 50. For the differential privacy parameters, tablet that periodically (every 7s) retrieves the GPS locations we set ¼ 0:1 and d ¼ 0:25 as default. All the results are (latitude and longitude) and sends it with the correspond- averaged over 1,000 independent runs for each setting. ing driver ID to a central server. The mobility pattern of taxi Note that since the performances under both uniform and traces can be used to depict the mobility of smartphone normal distributions follow the same pattern according to users as in [25], [47]. our evaluation, in the following we only show the perfor- We consider a mobile crowdsensing system where the mance under the uniform distribution. task is to measure the cellular signal strength at specific locations. Each user can sense the cellular signal strength 6.2 Evaluation of Social Cost within the area centered at the user’s location with a radius We first compare the social cost of BidGuard and BidGuard- of 30 m. Tasks are represented by GPS locations reported by M with that of TRAC and DP-hSRC. Note that TRAC is opti- taxis. We assume that the driver of each taxi is a user. We mal in the multi-bid model. The impact of the number of preprocess the tasks such that each task can be sensed by at sensing tasks on the social cost of BidGuard and that of BidG- least two users according to our system model. uard-M is shown in Figs. 1a and 1b, respectively. We observe We use three metrics to evaluate the performance: social that the social cost of TRAC, DP-hSRC, BidGuard and BidG- cost, total payment and privacy leakage. The social cost, as uard-M all increase when the number of sensing tasks grows. defined in Section 3, refers to the total cost of all selected This is because with more sensing tasks, the platform may users. The total payment measures the payment paid by the select more users incurring a higher social cost. We also see platform to all selected users. We first compare the social that the social cost of TRAC is lower than those of DP-hSRC, cost and total payment of BidGuard and BidGuard-M with BidGuard and BidGuard-M. This is because, in each itera- TRAC. Then we compare the social cost of BidGuard with tion, TRAC is determinate to select the user with the lowest the optimal social cost. We define privacy leakage to quantita- criterion value (defined in (1)) in the single-bid model and tively measure the differential privacy performance of the user with the lowest bid for each task in the multi-bid BidGuard and BidGuard-M. model. In contrast, since both BidGuard and BidGuard-M ! ! Privacy Leakage. Given a mechanism M, let b and b0 be are randomized, they cannot always guarantee to select the two task-bid profiles, which only differ in one user’s bid. Let user with the lowest criterion value or the lowest bid in each ! ! ! Mð b Þ and Mðb0 Þ denote the outcome of M with input b iteration. DP-hSRC selects users based on a threshold price ! and b0 , respectively. The privacy leakage, denoted by PL, and has no performance guarantee on the social cost. Besides, the social cost of LOG is smaller than that of LIN, is defined as the Kullback-Leibler divergence of the ! !0 and the social cost of LOGÀM is lower than that of LINÀM. two outcome probability distributions based on b and b , 0 hi This is because, both LOG and LOGÀM prefer to select users X hi !b with low bid, as the log score function will give more proba- ! B Pr Mð Þ¼o PL ¼ Pr Mð b Þ¼o ln@ h (7) bility of being selected to low-bid users. 0 ! o2O Pr Mðb Þ¼o : Figs. 2a and 2b depict the impact of the number of users on the social cost of BidGuard and BidGuard-M, respec- Note that the smaller the PL value is, the harder it is to dis- tively. We see that the social cost decreases slightly when tinguish the two task-bid profiles, and thus the better the the number of users increases for TRAC, DP-hSRC, BidG- privacy preserving performance is achieved. uard and BidGuard-M. This is because, with more users, In our evaluation, we randomly select locations as the the platform can find more low-cost users to complete the sensing tasks according to the settings. We assume the bids sensing tasks. The social cost of TRAC is lower than those of of users are randomly distributed over ½1; 50 for BidGuard DP-hSRC, BidGuard and BidGuard-M. The reason is same LIN ET AL.: FRAMEWORKS FOR PRIVACY-PRESERVING MOBILE CROWDSENSING INCENTIVE MECHANISMS 1861

Fig. 2. Impact of the number of users on the social cost. Fig. 4. Impact of the number of sensing tasks on the total payment.

Fig. 3. Comparison of BidGuard, TRAC, DP-hSRC, and OPT. Fig. 5. Impact of the number of users on the total payment. as explained for Fig. 1. Meanwhile, for the same reason as guarantee on the total payment. However, DP-hSRC can above, the social cost of LOG is lower than that of LIN, and only achieve approximate truthfulness, which ensures that the social cost of LOGÀM is lower than that of LINÀM. no user is able to make more than a slight gain in its expected In Fig. 3, we compare the social cost of incentive mecha- utility by bidding untruthfully. In addition, in the next sec- nisms in the single-bid model. Let OPT denote the optimal tion, we will see that the privacy protection of LIN and solution. Since finding the optimal solution takes exponen- LINÀM are better than that of DP-hSRC. tial time, we set the number of the users to 10 for Fig. 3a, and set the number of sensing tasks to 4 for Fig. 3b. We 6.4 Evaluation of Privacy Leakage observe that Figs. 3a and 3b have the same pattern in Next, we evaluate BidGuard and BidGuard-M in terms of Figs. 1a and 2a, respectively. The reason is similar to those privacy leakage. Figs. 6a and 7a plot the impact of the num- explained for Figs. 1a and 2a. Furthermore, we observe that ber of sensing tasks on the privacy leakage for BidGuard BidGuard sacrifices the social cost for the users’ bid privacy, and BidGuard-M, respectively. Figs. 6b and 7b plot the compared to TRAC and the optimal solution. Note that in impact of the number of users on the privacy leakage for OPT Fig. 3b, the social cost of TRAC is very close to that of . BidGuard and BidGuard-M, respectively. H This is because TRAC is an K -approximation algorithm, We observe that the privacy leakage values of BidGuard, H 2:34 where k in this figure. BidGuard-M and DP-hSRC are very small. This is because they all achieve differential privacy. However, the privacy 6.3 Evaluation of Total Payment leakage value of TRAC is positive infinity, which indicates a In Figs. 4 and 5, we plot the impact of the number of sensing bad differential privacy performance. This is because TRAC tasks and the impact of the number of users on the total pay- does not protect users’ bid privacy, and the denominator ment of BidGuard and BidGuard-M, respectively. The could be 0 for TRAC according to (7). results show that the total payment of TRAC, DP-hSRC, In both Figs. 6a and 7a, we see that the privacy leakage of BidGuard and BidGuard-M all follow the same pattern as both LIN and LINÀM are always smaller than that of LOG the social cost. In addition, both LOG and LOGÀM have and LOGÀM, respectively, which indicates that LIN and lower total payment than LIN and LINÀM, respectively. This LINÀM have better privacy protection performance than is because the log score function could select users with LOG and LOGÀM, respectively. This is because the linear lower bids as shown in Figs. 1 and 2. We also observe that score function treats the probability of every outcome uni- the total payment of DP-hSRC is lower than BidGuard and formly, however, the log score function gives more proba- BidGuard-M. This is because DP-hSRC selects and pays bility to the outcome with low social cost. We also observe users according to a single-price, and thus it has performance that the privacy leakage of both LIN and LINÀM are always

Fig. 6. Evaluation of privacy leakage for BidGuard. 1862 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018

Fig. 7. Evaluation of privacy leakage for BidGuard-M. smaller than that of DP-hSRC. This is because DP-hSRC is a sacrifice the social cost and payment for the users’ bid pri- single-price mechanism in which one user’s bid change vacy. Compared with DP-hSRC, BidGuard and BidGuard- may significantly change the outcome of the mechanism, M have better bid privacy preservation and lower social and thus increases PL according to (7). We do not observe a cost in most cases although incurring higher total payment. pattern of the privacy leakage when the number of tasks In addition, BidGuard and BidGuard-M achieve truthful- increases for BidGuard. The reason is, according to the defi- ness while DP-hSRC achieves approximate truthfulness. nition of privacy leakage, the difference between the proba- Besides, LIN and LINÀM outperform LOG and LOGÀM in bilities of two outcomes to be selected is independent of the terms of privacy protection, respectively. However LOG number of sensing tasks. However, the privacy leakage and LOGÀM have lower social cost and payment. value increases when the number of tasks increases for BidGuard-M. This is because, according to Theorems 6 and 7CONCLUSION AND FUTURE WORK 7, the differential privacy performance of BidGuard-M is reversely linear to the number of sensing tasks. In this paper, we have proposed two general frameworks, In both Figs. 6b and 7b, we can see the impact of the num- BidGuard and BidGuard-M, for privacy-preserving mobile ber of users on the privacy leakage of BidGuard and BidG- crowdsensing incentive mechanisms, which achieve uard-M, respectively. Note that the privacy leakage value computational efficiency, individual rationality, truthful- decreases when the number of users increases for both DP- ness, approximate social cost minimization, and differential hSRC, BidGuard and BidGuard-M. This is because the proba- privacy. We designed two score functions, linear and log, to bility of each outcome decreases as the number of users realize the frameworks. Note that, both BidGuard and increases. Specifically, the more users in the system, the more BidGuard-M with log function are asymptotically optimal possible outcomes for DP-hSRC, BidGuard and BidGuard-M, in terms of the social cost. We evaluated the performance of the less difference between the probabilities of two outcomes our frameworks through extensive simulations. to be selected, and thus the better differential privacy perfor- In the future, we plan to design different score functions mance. We also see the privacy protection performance of which might have better performance in terms of differen- LIN and LINÀM are better than that of LOG and LOGÀM, tial privacy or proximate social cost minimization. In addi- respectively. In addition, the privacy protection performance tion, we plan to evaluate our frameworks by using real- of LIN and LINÀM are also better than that of DP-hSRC. The world experiments. reason for this is similar to that discussed before. Figs. 6c and 7c show the impact of the differential privacy ACKNOWLEDGMENTS parameter on the privacy leakage for BidGuard and BidG- This is an extended and enhanced version of the paper [30] uard-M, respectively. The results show that the value of that appeared in IEEE CNS 2016. This research was sup- has more impact on the privacy leakage for LOG and ported in part by US National Science Foundation grants LOGÀM than that of LIN and LINÀM, respectively. This is 1444059, 1461886, 1717315, and 1717197, NSFC grant because the log score function is more sensitive than the lin- 61472193, NSF of Jiangsu Province BK20141429, and CCF- ear score function. For LOG and LOGÀM, the privacy leak- Tencent RAGR20150107. age increases slightly when the value of grows. This is because, theoretically, the larger the is, the worse the dif- REFERENCES ferential privacy is achieved, and thus the higher privacy [1] Auction.com. (2017). [Online]. Available: https://www.auction. leakage. Meanwhile, it is easy to observe that the privacy com/ leakage of LIN and LINÀM are smaller than that of DP- [2] eBay. (2017). [Online]. Available: https://www.ebay.com/ hSRC, LOG and LOGÀM, respectively. This can also be [3] FCC auctions releases. (2017). [Online]. Available: http:// explained by the same reason for Fig. 6a. wireless.fcc.gov/auctions/default.htm?job=archived_releases [4] M. E. Andres, N. E. Bordenabe, K. Chatzikokolakis, and Figs. 6d and 7d illustrate the tradeoff between the C. Palamidessi, “Geo-indistinguishability: Differential privacy for social cost and the privacy leakage of LOG and LOGÀM, location-based systems,” in Proc. ACM SIGSAC Conf. Comput. respectively. We observe that the privacy leakage Commun. Secur., 2013, pp. 901–914. [5] A. Archer and E. Tardos, “Truthful mechanisms for one-parameter decreasesasthedecreasingof.Thereasonissimilarto agents,” in Proc. IEEE Symp. Found. Comput. Sci., 2001, pp. 482–491. that discussed for Fig. 6c. However, this improvement in [6] L. Bracciale, M. Bonola, P. Loreti, G. Bianchi, R. Amici, and privacy comes at a cost of the increased social cost for A. Rabuffi, “CRAWDAD data set roma/taxi (v. 2014-07-17),” both LOG and LOGÀM. Jul. 2014. [Online]. Available: http://crawdad.org/roma/taxi/ [7] Y. Chen, S. Chong, I. A. Kash, T. Moran, and S. Vadhan, “Truthful Remarks: Compared with TRAC, which does not protect mechanisms for agents that value privacy,” in Proc. ACM Conf. users’ bid privacy, both BidGuard and BidGuard-M Electron. Commerce, 2013, pp. 215–232. LIN ET AL.: FRAMEWORKS FOR PRIVACY-PRESERVING MOBILE CROWDSENSING INCENTIVE MECHANISMS 1863

[8] D. Christin, “Privacy in mobile participatory sensing: Current [34] P. Mohan, V. N. Padmanabhan, and R. Ramjee, “Nericell: Rich trends and future challenges,” J. Syst. Softw., vol. 116, pp. 57–68, monitoring of road and traffic conditions using mobile 2016. smartphones,” in Proc. ACM Conf. Embedded Netw. Sens. Syst., [9] V. Chvatal, “A greedy heuristic for the set-covering problem,” 2008, pp. 323–336. Math. Operations Res., vol. 4, no. 3, pp. 233–235, 1979. [35] X. Niu, M. Li, Q. Chen, Q. Cao, and H. Wang, “EPPI: An E-cent- [10] C. Clifton, “Using sample size to limit exposure to data mining,” J. based privacy-preserving incentive mechanism for participatory Comput. Secur., vol. 8, no. 4, pp. 281–307, 2000. sensing systems,” in Proc. IEEE 33rd Int. Perform. Comput. Com- [11] E. De Cristofaro and C. Soriente, “Short paper: PEPSI—privacy- mun. Conf., 2014, pp. 1–8. enhanced participatory sensing infrastructure,” in Proc. ACM [36] H. Ohashi, “Effects of transparency in procurement practices on Conf. Wireless Netw. Secur., 2011, pp. 23–28. government expenditure: A case study of municipal public [12] C. Dwork, “Differential privacy,” in Encyclopedia of Cryptography works,” Rev. Ind. Org., vol. 34, no. 3, pp. 267–285, 2009. and Security. Berlin, Germany: Springer, 2011, pp. 338–340. [37] S. Reporter, “The proof is in the profit. Auction transparency [13] C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibrating works.” (2017). [Online]. Available: http://dealerbidsale.com/ noise to sensitivity in private data analysis,” in Proc. 3rd Conf. The- the-proof-is-in-the-profit-auction-transparency-works/ ory Cryptography, 2006, pp. 265–284. [38] F. Restuccia, S. K. Das, and J. Payton, “Incentive mechanisms for [14] J. Fan, Q. Li, and G. Cao, “Privacy-aware and trustworthy data participatory sensing: Survey and research challenges,” ACM aggregation in mobile sensing,” in Proc. IEEE Conf. Commun. Trans. Sens. Netw., vol. 12, no. 2, 2016, Art. no. 13. Netw. Secur., 2015, pp. 31–39. [39] M. Shin, C. Cornelius, D. Peebles, A. Kapadia, D. Kotz, and [15] Z. Feng, Y. Zhu, Q. Zhang, L. M. Ni, and A. V. Vasilakos, “TRAC: N. Triandopoulos, “AnonySense: A system for anonymous opportu- Truthful auction for location-aware collaborative sensing in nistic sensing,” Pervasive Mobile Comput., vol. 7, no. 1, pp. 16–30, 2011. mobile crowdsourcing,” in Proc. IEEE Conf. Comput. Commun., [40] A. Stoica and C. Farkas, “Secure XML views,” Res. Directions Data 2014, pp. 1231–1239. Appl. Secur., vol. 128, pp. 133–146, 2003. [16] H. Gao, et al., “A survey of incentive mechanisms for participa- [41] J. Sun and H. Ma, “Privacy-preserving verifiable incentive mecha- tory sensing,” IEEE Commun. Surveys Tuts., vol. 17, no. 2, pp. 918– nism for online crowdsourcing markets,” in Proc. Int. Conf. Com- 943, Apr.–Jun. 2015. put. Commun. Netw., 2014, pp. 1–8. [17] B. Gedik and L. Liu, “Protecting location privacy with personal- [42] H. To, G. Ghinita, and C. Shahabi, “A framework for protecting ized k-anonymity: Architecture and algorithms,” IEEE Trans. worker location privacy in spatial crowdsourcing,” Proc. VLDB Mobile Comput., vol. 7, no. 1, pp. 1–18, Jan. 2008. Endowment, vol. 7, no. 10, pp. 919–930, 2014. [18] S. Gisdakis, T. Giannetsos, and P. Papadimitratos, “Security, pri- [43] Y. Wang, Z. Cai, G. Yin, Y. Gao, X. Tong, and G. Wu, “An incen- vacy, and incentive provision for mobile crowd sensing systems,” tive mechanism with privacy protection in mobile crowdsourcing IEEE Internet Things J., vol. 3, no. 5, pp. 839–853, Oct. 2016. systems,” Comput. Netw., vol. 102, pp. 157–171, 2016. [19] A. Gupta, K. Ligett, F. McSherry, A. Roth, and K. Talwar, [44] T. Wen, Y. Zhu, and T. Liu, “P2: A location privacy-preserving “Differentially private combinatorial optimization,” in Proc. Annu. auction mechanism for mobile crowd sensing,” in Proc. IEEE ACM-SIAM Symp. Discrete Algorithms, 2010, pp. 1106–1125. Global Commun. Conf., 2016, pp. 1–6. [20] T. H. Hinke, H. S. Delugach, and R. P. Wolf, “Protecting databases [45] D. Xiao, “Is privacy compatible with truthfulness?” in Proc. Conf. from inference attacks,” Comput. Secur., vol. 16, no. 8, pp. 687–708, Innovations Theoretical Comput. Sci., 2013, pp. 67–86. 1997. [46] J. Xu, J. Xiang, and Y. Li, “Incentivize maximum continuous time [21] Z. Huang and S. Kannan, “The exponential mechanism for social interval coverage under budget constraint in mobile crowd welfare: Private, truthful, and nearly optimal,” in Proc. IEEE sensing,” Wireless Netw., vol. 23, no. 5, pp. 1549–1562, 2017. Symp. Found. Comput. Sci., 2012, pp. 140–149. [47] J. Xu, J. Xiang, and D. Yang, “Incentive mechanisms for time win- [22] S. Jajodia and C. Meadows, “Inference problems in multilevel dow dependent tasks in mobile crowdsensing,” IEEE Trans. Wire- secure database management systems,” Inf. Secur.: An Integrated less Commun., vol. 14, no. 11, pp. 6353–6364, Nov. 2015. Collection Essays, vol. 1, pp. 570–584, 1995. [48] D. Yang, G. Xue, G. Fang, and J. Tang, “Incentive mechanisms for [23] H. Jin, L. Su, B. Ding, K. Nahrstedt, and N. Borisov, “Enabling crowdsensing: Crowdsourcing with smartphones,” IEEE/ACM privacy-preserving incentives for mobile crowd sensing systems,” Trans. Netw., vol. 24, no. 3, pp. 1732–1744, Jun. 2016. in Proc. IEEE Int. Conf. Distrib. Comput. Syst., 2016, pp. 344–353. [49] D. Yang, G. Xue, X. Fang, and J. Tang, “Crowdsourcing to smart- [24] H. Jin, L. Su, H. Xiao, and K. Nahrstedt, “INCEPTION: Incentiviz- phones: Incentive mechanism design for mobile phone sensing,” ing privacy-preserving data aggregation for mobile crowd sensing in Proc. Annu. Int. Conf. Mobile Comput. Netw., 2012, pp. 173–184. systems,” in Proc. ACM Int. Symp. Mobile Ad Hoc Netw. Comput., [50] B. Zhang, et al., “Privacy-preserving QoI-aware participant 2016, pp. 341–350. coordination for mobile crowdsourcing,” Comput. Netw., vol. 101, [25] X. Jin and Y. Zhang, “Privacy-preserving crowdsourced spectrum pp. 29–41, 2016. sensing,” in Proc. IEEE Conf. Comput. Commun., 2016, pp. 1–9. [51] X. Zhang, G. Xue, R. Yu, D. Yang, and J. Tang, “Truthful incentive [26] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias, “Preventing mechanisms for crowdsourcing,” in Proc. IEEE Conf. Comput. Com- location-based identity inference in anonymous spatial queries,” mun., 2015, pp. 2830–2838. IEEE Trans. Knowl. Data Eng., vol. 19, no. 12, pp. 1719–1733, [52] X. Zhang, Z. Yang, Z. Zhou, H. Cai, L. Chen, and X. Li, “Free mar- Dec. 2007. ket of crowdsourcing: Incentive mechanism design for mobile [27] I. Krontiris and T. Dimitriou, “A platform for privacy protection sensing,” IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 12, of data requesters and data providers in mobile sensing,” Comput. pp. 3190–3200, Dec. 2014. Commun., vol. 65, pp. 43–54, 2015. [53] P. Zhou, Y. Zheng, and M. Li, “How long to wait?: Predicting bus [28] Q. Li and G. Cao, “Providing privacy-aware incentives for mobile arrival time with mobile phone based participatory sensing,” in sensing,” in Proc. IEEE Int. Conf. Pervasive Comput. Commun., 2013, Proc. Int. Conf. Mobile Syst. Appl. Services, 2012, pp. 379–392. pp. 76–84. [54] R. Zhu and K. G. Shin, “Differentially private and strategy-proof [29] Q. Li and G. Cao, “Providing efficient privacy-aware incentives spectrum auction with approximate revenue maximization,” in for mobile sensing,” in Proc. IEEE Int. Conf. Distrib. Comput. Syst., Proc. IEEE Conf. Comput. Commun., 2015, pp. 918–926. 2014, pp. 208–217. [30] J. Lin, D. Yang, M. Li, J. Xu, and G. Xue, “BidGuard: A framework Jian Lin (S’15) received the BS and MS degree for privacy-preserving crowdsensing incentive mechanisms,” in in computer science from Southwest Jiaotong Proc. IEEE Conf. Commun. Netw. Secur., 2016, pp. 439–447. University, Chengdu, China, in 2011 and 2014, [31] X. Liu, Z. Zhou, W. Diao, Z. Li, and K. Zhang, “When good respectively. He has been working toward the becomes evil: Keystroke inference with smartwatch,” in Proc. PhD degree in computer science with Colorado ACM SIGSAC Conf. Comput. Commun. Secur., 2015, pp. 1273–1285. School of Mines, Golden, Colorado, since 2014. [32] T. Luo, H.-P. Tan, and L. Xia, “Profit-maximizing incentive for His research interests include economic and opti- participatory sensing,” in Proc. IEEE Conf. Comput. Commun., mization approaches to networks, mobile crowd- 2014, pp. 127–135. sensing, and mobile computing. He is a student [33] F. McSherry and K. Talwar, “Mechanism design via differential member of the IEEE. privacy,” in Proc. IEEE Symp. Found. Comput. Sci., 2007, pp. 94–103. 1864 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 17, NO. 8, AUGUST 2018

Dejun Yang (M’13) received the BS degree from Guoliang Xue (M’96-SM’99-F’11) received the Peking University, Beijing, China, in 2007 and the BS degree in mathematics and the MS degree in PhD degree in computer science from Arizona operations research from Qufu Normal Univer- State University, Tempe, Arizona, in 2013. Cur- sity, Qufu, China, in 1981 and 1984, respectively, rently, he is the Ben L. Fryrear assistant profes- and the PhD degree in computer science from sor of computer science with the Colorado the University of Minnesota, Minneapolis, Minne- School of Mines, Golden, Colorado. His research sota, in 1991. Currently, he is a professor of com- interests include economic and optimization puter science with Arizona State University, approaches to networks, crowdsourcing, smart Tempe, Arizona. His research interests span the grid, and security and privacy. He has served as areas of Quality of Service provisioning, network a technical program committee member for many security and privacy, crowdsourcing and network conferences, including the IEEE International Conference on Computer economics, RFID systems and Internet of Things, smart city, and smart Communications (INFOCOM), the IEEE International Conference on grids. He is the elected vice president of the IEEE Communications Soci- Communications (ICC), and the IEEE Global Communications Confer- ety for Conferences (2016-2017). He served as a technical program ence (GLOBECOM). He has received Best Paper Awards at IEEE committee (TPC) co-chair for the IEEE International Conference on GLOBECOM (2015), the IEEE International Conference on Mobile Ad Computer Communications (INFOCOM) (2010) and as an editor for the hoc and Sensor Systems (2011), and IEEE ICC (2011 and 2012), as IEEE/ACM Transactions on Networking (2010-2014). He regularly well as a Best Paper Award Runner-up at the IEEE International Confer- serves on the technical program committee of security conferences ence on Network Protocols (2010). He is a member of the IEEE. such as the ACM Symposium on Information, Computer, and Communi- cations Security; the ACM Conference on Computer and Communica- tions Security; and the IEEE Conference on Communications and Ming Li (S’15) received the BS degree in geo- Network Security, as well as networking conferences such as the IEEE chemistry from Peking University, Beijing, China, International Conference on Network Protocols, IEEE INFOCOM, and in 2009 and the MS degree in computer science the ACM International Symposium on Mobile Ad Hoc Networking and from the Colorado School of Mines, Golden, Col- Computing (MobiHoc). He is the area editor of the IEEE Transactions on orado, in 2015. She is currently working toward Wireless Communications, overseeing the wireless networking area. He the PhD degree at the Colorado School of Mines. is a fellow of the IEEE. Her main research interests include game theory, contract theory, crowdsourcing, smartphone- based sensing systems, and visible light commu- " For more information on this or any other computing topic, nication technologies. She is a student member please visit our Digital Library at www.computer.org/publications/dlib. of the IEEE.

Jia Xu (M’15) received the MS degree from the School of Information and Engineering, Yangz- hou University, Jiangsu, China, in 2006 and the PhD degree from the School of Computer Sci- ence and Engineering, Nanjing University of Sci- ence and Technology, Jiangsu, China, in 2010. He is currently a professor in the Nanjing Univer- sity of Posts and Telecommunications. He was a visiting scholar in the Department of Electrical Engineering & Computer Science, Colorado School of Mines from Nov. 2014 to May 2015. His main research interests include crowdsourcing, opportunistic networks, and wireless sensor networks. He is a member of the IEEE.