Providing Privacy-Aware Incentives in Mobile
Mobile sensing relies on data contributed by users through their mobile device (e.g., smart phone) to obtain useful information about people and their surroundings. However, users may not want to contribute due to lack of incentives and concerns on possible privacy leakage. To effectively promote user participation, both incentive and privacy issues should be addressed. Although incentive and privacy have been addressed separately in mobile sensing, it is still an open problem to address them simultaneously.
In this paper, we propose two credit-based privacy-aware incentive schemes for mobile sensing systems, where the focus is on privacy protection instead of on the design of incentive mechanisms. Our schemes enable mobile users to earn credits by contributing data without leaking which data they have contributed, and ensure that malicious users cannot abuse the system to earn unlimited credits.
Specifically, the first scheme considers scenarios where an online trusted third party (TTP) is available, and relies on the TTP to protect user privacy and prevent abuse attacks. The second scheme considers scenarios where no online TTP is available. It applies blind signature, partially blind signature, and a novel extended Merkle tree technique to protect user privacy and prevent abuse attacks. Security analysis and cost evaluations show that our schemes are secure and efficient.
Index Terms – Privacy; Incentive; Mobile Sensing
The ever-increasing popularity of mobile devices such as smart phones and tablets and the rich set of embedded sensors that usually come with them (e.g., GPS, accelerometer and microphone) have created a huge opportunity of sensing. Mobile sensing tries to harness this opportunity by collecting sensing data through mobile devices and utilizing the data to obtain rich information about people and their surroundings. It has many applications in healthcare, traffic monitoring, and environmental monitoring. However, the large-scale deployment of mobile sensing applications is hindered by two obstacles. First, there is a lack of incentives for mobile device users to participate in mobile sensing. To participate, a user has to trigger her sensors to measure data (e.g., to obtain GPS locations), which may consume much power of her smart phone.
Also, the user needs to upload data to a server, which may consume much of her 3G data quota (e.g., when the data is photos). Moreover, the user may have to move to a specific location to sense the required data. Considering these efforts and resources required from the user, an incentive scheme is strongly desired for mobile sensing applications to proliferate. Second, private information may be derived from a user's contributed data. Such privacy concerns also prevent users from participating. For instance, to monitor the propagation of a new flu, a server will collect information on who has been infected by this flu. However, a patient may not want to provide such information since it is very sensitive. To effectively motivate users to participate, both obstacles should be overcome.
Several privacy-protection schemes have been proposed to provide anonymity for users, and many incentive schemes have been designed to promote participation by paying credits to users. However, they address privacy and incentive separately. It is nontrivial to simultaneously address incentive and privacy. One may consider simply combining a privacy-protection scheme and a credit-based incentive scheme to provide both privacy and incentive, but such a combination is not easy since those schemes have been designed under different system models and assumptions. More importantly, a simple combination cannot address the new challenges that only arise when both incentive and privacy are considered and were not addressed by the privacy-protection scheme or the incentive scheme. In particular, existing privacy-preserving schemes provide anonymity for users. Anonymity may allow a greedy user to anonymously submit unlimited data reports for the same sensing task (which is not always desirable) and earn unlimited credits without being detected.
This will increase the cost of data collection. Moreover, under the protection of anonymity, a malicious user who has compromised other users' mobile devices can steal those users' security credentials such as cryptographic keys and anonymously use the stolen credentials to cheat and earn as many credits as possible without being detected. Thus, the key new challenge with designing credit-based privacy-aware incentive schemes for mobile sensing is how to prevent various abuse attacks while preserving privacy. This challenge calls for new designs that integratively address incentive and privacy.
Our previous work designs a privacy-aware incentive scheme for a special scenario of mobile sensing where each sensing task requires only one data report from each user (such a task is referred to as a single-report task). An example of a single-report task is "Report the noise level around you now," which only requires each user to submit a single data report of his measured noise level. In the real world, however, there are many sensing tasks that require multiple reports submitted at different times from each user (such a task is referred to as a multiple-report task). An example of a multiple-report task is "Report the noise level around you every 10 minutes in the following week." Many other examples can be found in various mobile sensing systems. Unfortunately, that work cannot be directly extended to support multiple-report tasks, since its cryptographic construction only allows each user to earn credits from one report. Although it is possible to create one task for each report and then apply that scheme, this will induce high overhead in computation and communication, and greatly increase the complexity of task management. For example, to collect the same amount of data that the aforementioned multiple-report task can do, one single-report task should be created every 10 minutes, and one set of cryptographic credentials should be computed, distributed, and processed for each task.
In this paper, we propose two privacy-aware incentive schemes for mobile sensing that can support multiple-report tasks. We adopt a credit-based approach which allows each user to earn credits by contributing its data without leaking which data it has contributed. At the same time, the approach ensures that malicious users cannot abuse the system to earn an unlimited amount of credits. In particular, the first scheme is designed for scenarios where an online trusted third party (TTP) is available. It relies on the TTP to protect privacy and prevent abuse attacks, and has very low computation cost at each user. The second scheme does not require any online TTP. It applies blind signature, partially blind signature, and an extended Merkle tree to protect privacy and prevent abuse attacks.
The remainder of this paper is organized as follows. Section 2 presents system models. Section 3 presents an overview of our solution. Section 4 and Section 5 present our two incentive schemes. Section 6 presents cost evaluations. Section 7 presents discussions. The last two sections review related work and conclude the paper.