
AnonyCast: Privacy-Preserving Location Distribution for Anonymous Crowd Tracking Systems

Takamasa Higuchi†, Paul Martin‡, Supriyo Chakraborty*, Mani Srivastava‡
†Osaka University, Japan; ‡University of California, Los Angeles, CA; *IBM Research, NY
[email protected], [email protected], [email protected], [email protected]

ABSTRACT
Fusion of infrastructure-based pedestrian tracking systems and embedded sensors on mobile devices holds promise for providing accurate positioning in large public buildings. However, privacy concerns regarding handling of sensitive user location data potentially disrupt the adoption of such systems. This paper presents AnonyCast, a novel privacy-aware mechanism for delivering precise location information measured by crowd-tracking systems to individual pedestrians' smartphones. AnonyCast uses sparsely placed Bluetooth Low Energy transmitters to advertise location-dependent, time-varying keys. Using location measurements, AnonyCast estimates a subset of keys that each pedestrian's phone receives along its path. By combining a cryptography scheme called CP-ABE with a novel greedy algorithm for key selection, it encrypts each path before publishing, allowing users to decrypt only their own trajectories. The results from field experiments show that AnonyCast delivers accurate locations over 84% of time, bounding probability of unauthorized access to one's location below 1%.

Author Keywords
Location privacy; crowd tracking; trajectory identification; ciphertext-policy attribute-based encryption

ACM Classification Keywords
C.5.3 Computer System Implementation: Portable devices; E.3 Data Encryption: Public key cryptosystems

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
UbiComp '15, September 7–11, 2015, Osaka, Japan.
Copyright 2015 © ACM 978-1-4503-3574-4/15/09...$15.00.
http://dx.doi.org/10.1145/2750858.2805827

INTRODUCTION
Recent evolution of crowd tracking technologies has enabled accurate measurement of occupancy and trajectories for pedestrians in indoor spaces using vision [6], radio tomography [18, 27], and laser range scanners [9, 29]. This in turn has motivated research communities in both academia and industry to leverage them for marketing [14], crowd management [12], and even optimizing energy expenditures in buildings [1, 23]. As a result, an increasing number of public buildings are equipped with sensors like cameras or laser range scanners and are capable of fine-grained crowd behavior analyses.

Given the growing popularity of location-based services for mobile devices, it would be natural to expect that the powerful measurement capability of such wide-spread sensor infrastructures could also benefit individual pedestrians walking in indoor spaces. Accurate indoor positioning for mobile devices has been a long-standing open problem in ubiquitous computing. Currently, the most popular positioning solution for consumer mobile products is radio fingerprinting using Wi-Fi [5, 15] and Bluetooth Low Energy (BLE) radios [7, 8, 17]. However, these approaches often suffer from large position errors in practical indoor environments due to dense multi-path signal propagation and low temporal stability of radio fingerprints [4]. Furthermore, the accuracy of radio-based positioning systems depends considerably on the density of anchor devices (e.g., BLE transmitters) [8]. Since dense anchor deployments obviously cause non-negligible maintenance costs, positioning accuracy is also often limited by operational constraints.

The output of crowd tracking systems is typically a set of anonymous trajectories which are not associated with any mobile device. Therefore, these systems cannot serve alone to provide mobile devices with their own locations. Recent research has bridged this gap by developing trajectory identification algorithms which find trajectories of individual mobile users from a set of anonymous trajectories [24, 25, 26]. These approaches assume that the crowd tracking system publishes all of the anonymous trajectories obtained by crowd tracking sensors via a Wi-Fi network. Each mobile device connects to Wi-Fi access points to obtain the published trajectories and then identifies its own location based on the consistency between the trajectories and local measurements from phone-embedded sensors (e.g., accelerometers, gyroscopes, etc.). While these efforts have established an effective way of utilizing the crowd tracking infrastructure for indoor localization, growing awareness of and concern for privacy makes such unrestricted release of trajectory information a difficult proposition. These systems publish pedestrians' trajectories without consent and, although the trajectories themselves are anonymous, it is possible for a malicious user to combine these trajectories with external information (e.g., collected by following an individual for a short period) to deanonymize a desired trajectory. This trajectory can then be used to infer potentially private information about an individual.

In this paper we present AnonyCast, a privacy-preserving location distribution mechanism for crowd tracking systems. We assume that sensors capable of accurate trajectory measurement (e.g., laser range scanners) are already installed and operated in a target building for crowd behavior analysis. AnonyCast extends this system to feed the precise trajectory measurements to individual mobile phone users in a privacy-preserving manner. The extension is enabled by a small number of BLE transmitters, which are sparsely deployed in the environment and periodically advertise location-dependent, time-varying keys. Based on the trajectories measured by the crowd tracking sensors, the AnonyCast server estimates a set of keys that each pedestrian's device is likely to have received. The server then uses these keys to encrypt each trajectory prior to publishing them, ensuring that mobile phone users can gain access to only their own trajectories.

Although the proposed mechanism follows as a natural privacy extension, the following aspects present challenges in its implementation as a practical system: (1) Mobile devices may fail to receive advertised keys due to packet loss, even if they are in close proximity to a BLE transmitter. Ensuring that the system provides reasonable accessibility to trajectory information even with such frequent packet loss is difficult. (2) Decryption keys are publicly broadcast, making it non-trivial to prevent potential privacy leaks by ensuring that people other than true owners cannot decrypt the published trajectories. As a solution to these issues, we base our system on the emerging public key cryptography scheme called Ciphertext-Policy Attribute-Based Encryption (CP-ABE). This allows the sender to specify an access policy on the secret data in the form of a logical expression over private keys, so that users can decrypt the data only if they have a set of keys that satisfy the policy. Upon this scheme, we build a framework that probabilistically ensures a desired privacy level. Finally, we build and deploy a prototype system upon which we conduct field experiments using real crowd

RELATED WORK
One of the most popular approaches to crowd tracking uses image sensors (i.e., cameras). The current mainstream in vision-based pedestrian tracking systems is to extract the features that best distinguish pedestrians from images in a training data set and then to use a pattern matching algorithm to detect human bodies [10, 19, 30]. However, the ethics and acceptability of using images from surveillance cameras in public spaces for such purposes remains controversial [21], as personal identities (e.g., faces) can easily be associated with trajectories, potentially infringing user privacy.

As alternative solutions, there have been a variety of approaches that track pedestrian locations in an anonymous manner. Radio tomography [18, 27, 28] employs received signal strength between multiple radio stations to detect human locations, assuming that movement of pedestrians in the environment causes temporal variations in the signal strength. Laser range scanners (LRS) have also been explored as a reasonable option for accurate and anonymous pedestrian tracking [9, 29]. This sensor provides precise distance measurements to surrounding objects, allowing robust crowd tracking with sub-meter accuracy. Previous literature has shown that capacitive sensor arrays [24] and low-resolution image sensors [25] are also suitable for anonymous pedestrian tracking.

Trajectory identification technology has bridged the gap between the crowd tracking systems described above and location-dependent mobile applications. Teixeira et al. [25] effectively combine a vision-based pedestrian tracking system with MEMS inertial sensors in mobile phones to enable accurate indoor positioning. They find the corresponding trajectory of each mobile user based on the consistency between shapes of the anonymous trajectories and measurements from
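The two challenges listed in the introduction (lost advertisements for the true owner, publicly audible keys for everyone else) pull the access policy in opposite directions. The following Python toy model, added here and not the paper's code or its greedy key-selection algorithm, makes that trade-off concrete: it stands in a k-of-n threshold over the cell/time-slot keys for the CP-ABE access structure and computes the owner's access probability under a given packet-loss rate against the overlap an intruder would need. The HMAC-based key derivation, the master secret, the cell names and the loss model are all assumptions of this illustration.

```python
# Toy model of the AnonyCast key trade-off (added illustration, not the paper's scheme).
# Each BLE transmitter advertises a key that depends on its cell and the current time
# slot; the server derives the same keys from a measured trajectory and publishes the
# trajectory under a threshold policy over them. Key derivation and secret are assumed.
import hashlib
import hmac
from math import comb

MASTER_SECRET = b"constructed-demo-secret"  # assumption: shared by server and transmitters

def beacon_key(cell: str, slot: int) -> bytes:
    """Location-dependent, time-varying key advertised in `cell` during `slot`."""
    return hmac.new(MASTER_SECRET, f"{cell}|{slot}".encode(), hashlib.sha256).digest()[:16]

def keys_along(trajectory):
    """Keys the server expects a device to have heard along a measured path.
    The trajectory is a list of cells, one per consecutive time slot (constructed input)."""
    return {beacon_key(cell, slot) for slot, cell in enumerate(trajectory)}

def policy_satisfied(policy_keys, k, held_keys):
    """k-of-n threshold standing in for the CP-ABE access policy over the key set."""
    return len(policy_keys & held_keys) >= k

def owner_access_prob(n, k, p_loss):
    """P(owner holds >= k of the n keys) when each advertisement is lost independently
    with probability p_loss (challenge 1: accessibility under packet loss)."""
    p = 1 - p_loss
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def choose_threshold(n, p_loss, max_overlap, min_access=0.8):
    """Smallest k that a bystander who shared at most `max_overlap` cell/slot pairs with
    the owner cannot meet (challenge 2: keys are public), together with the owner's
    resulting access probability; None if no such k keeps access above min_access."""
    k = max_overlap + 1
    if k > n:
        return None
    prob = owner_access_prob(n, k, p_loss)
    return (k, prob) if prob >= min_access else None

if __name__ == "__main__":
    owner = ["A", "B", "C", "D"]          # constructed 4-slot path
    bystander = ["X", "B", "C", "Y"]      # co-located for 2 of the 4 slots
    policy = keys_along(owner)
    print(policy_satisfied(policy, 3, keys_along(bystander)))   # False
    print(choose_threshold(8, 0.3, 2))                          # k=3, ~0.989 access
```

With 30% packet loss and an intruder overlapping at most two of eight key slots, a 3-of-8 policy still lets the owner decrypt about 99% of the time, whereas the same rule over a four-slot path that a bystander shares in three slots leaves no usable threshold.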