Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Yajin Zhou,Kapil Singh,Xuxian Jiang

DOI: https://doi.org/10.1007/978-3-319-08593-7_4

2014-01-01

Abstract:Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an user's geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an app's interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including user's banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data. In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner's policies at strategic exit points. Based on this approach, we design and implement a system, called <Literal>DataChest</Literal>. We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.

Chao Wu,Yike Guo

DOI: https://doi.org/10.1109/bigdata.2013.6691688

2013-01-01

Abstract:Personal data collection is becoming pervasive these days, these data has the risk of being abused by current application and application marketplace model, because only the price of application is explicitly indicated without clear agreement on usage of data, and the granularity of data access authentication is not enough to protect users privacy. In this short paper, we propose a new model of user data privacy. Data usage of the application is explicitly shown, and controlled by an authentication service, to protect users from the abuse of their data, especially in mobile application.

Mohammad Malekzadeh,Richard G. Clegg,Andrea Cavallaro,Hamed Haddadi

DOI: https://doi.org/10.1145/3195258.3195260

2018-06-20

Abstract:There is growing concern about how personal data are used when users grant applications direct access to the sensors of their mobile devices. In fact, high resolution temporal data generated by motion sensors reflect directly the activities of a user and indirectly physical and demographic attributes. In this paper, we propose a feature learning architecture for mobile devices that provides flexible and negotiable privacy-preserving sensor data transmission by appropriately transforming raw sensor data. The objective is to move from the current binary setting of granting or not permission to an application, toward a model that allows users to grant each application permission over a limited range of inferences according to the provided services. The internal structure of each component of the proposed architecture can be flexibly changed and the trade-off between privacy and utility can be negotiated between the constraints of the user and the underlying application. We validated the proposed architecture in an activity recognition application using two real-world datasets, with the objective of recognizing an activity without disclosing gender as an example of private information. Results show that the proposed framework maintains the usefulness of the transformed data for activity recognition, with an average loss of only around three percentage points, while reducing the possibility of gender classification to around 50\%, the target random guess, from more than 90\% when using raw sensor data. We also present and distribute MotionSense, a new dataset for activity and attribute recognition collected from motion sensors.

Machine Learning

Xiangying Zhang,Pai Zheng,Tao Peng,Dai Li,Xujun Zhang,Renzhong Tang

DOI: https://doi.org/10.1016/j.future.2023.05.023

IF: 7.307

2023-01-01

Future Generation Computer Systems

Abstract:Developing a human activity recognition (HAR) system for employees is essential to incorporate intelligence into smart office environments, enabling various human-centered applications to enhance employees’ well-being. Although remarkable progress has been made for the HAR in the smart office, several issues still exist, including lacking a privacy-preserving and unobtrusive method and demanding enhanced generalization performance across users. Therefore, a novel privacy-preserving HAR method based on multimodal sensors is investigated in this study, containing an infrared array sensor, a sensing chair, and a triaxial accelerometer built in a smartphone. The effectiveness of different multimodal combinations is examined. Moreover, a deep learning model is developed for multimodal data fusion to enhance the generalization performances across users. The model contains a residual 3D convolutional neural network (CNN) and 1D CNN for learning spatial–temporal feature representation of different modalities. Additionally, external memory units and an adaptive decision fusion operation are utilized for multimodal data fusion. Finally, extensive experiments are conducted to examine the performance of the proposed model using a self-collected dataset and the leave-one-subject-out cross-validation approach. The results verify the effectiveness of the proposed model.

Dalin Zhang,Lina Yao,Kaixuan Chen,Zheng Yang,Xin Gao,Yunhao Liu

DOI: https://doi.org/10.1109/tmc.2021.3078086

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:Ubiquitous mobile sensors on human activity recognition pose the threat of leaking personal information that is implicitly contained within the time-series sensor signals and can be extracted by attackers. Existing protective methods only support specific sensitive attributes and require massive relevant sensitive ground truth for training, which is unfavourable to users. To fill this gap, we propose a novel data transformation framework for prohibiting the leakage of sensitive information from sensor data. The proposed framework transforms raw sensor data into a new format, where the sensitive information is hidden and the desired information (e.g., human activities) is retained. Training can be conducted without using any personal information as ground truth. Meanwhile, multiple attributes of sensitive information (e.g., age, gender) can be collectively hidden through a one-time transformation. The experimental results on two multimodal sensor-based human activity datasets manifest the feasibility of the presented framework in hiding users’ sensitive information (inference MAE increases $\sim$ 2 times and inference accuracy degrades $\sim$ 50%) without degrading the usability of the data for activity recognition (only $\sim$ 2% accuracy degradation).

Kongyang Chen,Dongping Zhang,Sijia Guan,Bing Mi,Jiaxing Shen,Guoqing Wang

2024-06-20

Abstract:Wearable data serves various health monitoring purposes, such as determining activity states based on user behavior and providing tailored exercise recommendations. However, the individual data perception and computational capabilities of wearable devices are limited, often necessitating the joint training of models across multiple devices. Federated Human Activity Recognition (HAR) presents a viable research avenue, allowing for global model training without the need to upload users' local activity data. Nonetheless, recent studies have revealed significant privacy concerns persisting within federated learning frameworks. To address this gap, we focus on investigating privacy leakage issues within federated user behavior recognition modeling across multiple wearable devices. Our proposed system entails a federated learning architecture comprising $N$ wearable device users and a parameter server, which may exhibit curiosity in extracting sensitive user information from model parameters. Consequently, we consider a membership inference attack based on a malicious server, leveraging differences in model generalization across client data. Experimentation conducted on five publicly available HAR datasets demonstrates an accuracy rate of 92\% for malicious server-based membership inference. Our study provides preliminary evidence of substantial privacy risks associated with federated training across multiple wearable devices, offering a novel research perspective within this domain.

Cryptography and Security

Dalin Zhang,Lina Yao,Kaixuan Chen,Zheng Yang,Xin Gao,Yunhao Liu

DOI: https://doi.org/10.1109/tmc.2021.3078086

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Ubiquitous mobile sensors on human activity recognition pose the threat of leaking personal information that is implicitly contained within the time-series sensor signals and can be extracted by attackers. Existing protective methods only support specific sensitive attributes and require massive relevant sensitive ground truth for training, which is unfavourable to users. To fill this gap, we propose a novel data transformation framework for prohibiting the leakage of sensitive information from sensor data. The proposed framework transforms raw sensor data into a new format, where the sensitive information is hidden and the desired information (e.g., human activities) is retained. Training can be conducted without using any personal information as ground truth. Meanwhile, multiple attributes of sensitive information (e.g., age, gender) can be collectively hidden through a one-time transformation. The experimental results on two multimodal sensor-based human activity datasets manifest the feasibility of the presented framework in hiding users' sensitive information (inference MAE increases <span class="mjpage"><svg xmlns:xlink="http://www.w3.org/1999/xlink" width="3.933ex" height="2.176ex" style="vertical-align: -0.338ex;" viewBox="0 -791.3 1693.5 936.9" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg"><g stroke="currentColor" fill="currentColor" stroke-width="0" transform="matrix(1 0 0 -1 0 0)"> <use xlink:href="#MJMATHI-73" x="0" y="0"></use> <use xlink:href="#MJMATHI-69" x="469" y="0"></use> <use xlink:href="#MJMATHI-6D" x="815" y="0"></use></g></svg></span>∼ 2 times and inference accuracy degrades <span class="mjpage"><svg xmlns:xlink="http://www.w3.org/1999/xlink" width="3.933ex" height="2.176ex" style="vertical-align: -0.338ex;" viewBox="0 -791.3 1693.5 936.9" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg"><g stroke="currentColor" fill="currentColor" stroke-width="0" transform="matrix(1 0 0 -1 0 0)"> <use xlink:href="#MJMATHI-73" x="0" y="0"></use> <use xlink:href="#MJMATHI-69" x="469" y="0"></use> <use xlink:href="#MJMATHI-6D" x="815" y="0"></use></g></svg></span>∼ 50%) without degrading the usability of the data for activity recognition (only <span class="mjpage"><svg xmlns:xlink="http://www.w3.org/1999/xlink" width="3.933ex" height="2.176ex" style="vertical-align: -0.338ex;" viewBox="0 -791.3 1693.5 936.9" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg"><g stroke="currentColor" fill="currentColor" stroke-width="0" transform="matrix(1 0 0 -1 0 0)"> <use xlink:href="#MJMATHI-73" x="0" y="0"></use> <use xlink:href="#MJMATHI-69" x="469" y="0"></use> <use xlink:href="#MJMATHI-6D" x="815" y="0"></use></g></svg></span>∼2% accuracy degradation).<svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><defs id="MathJax_SVG_glyphs"><path stroke-width="1" id="MJMATHI-73" d="M131 289Q131 321 147 354T203 415T300 442Q362 442 390 415T419 355Q419 323 402 308T364 292Q351 292 340 300T328 326Q328 342 337 354T354 372T367 378Q368 378 368 379Q368 382 361 388T336 399T297 405Q249 405 227 379T204 326Q204 301 223 291T278 274T330 259Q396 230 396 163Q396 135 385 107T352 51T289 7T195 -10Q118 -10 86 19T53 87Q53 126 74 143T118 160Q133 160 146 151T160 120Q160 94 142 76T111 58Q109 57 108 57T107 55Q108 52 115 47T146 34T201 27Q237 27 263 38T301 66T318 97T323 122Q323 150 302 164T254 181T195 196T148 231Q131 256 131 289Z"></path><path stroke-width="1" id="MJMATHI-69" d="M184 600Q184 624 203 642T247 661Q265 661 277 649T290 619Q290 596 270 577T226 557Q211 557 198 567T184 600ZM21 287Q21 295 30 318T54 369T98 420T158 442Q197 442 223 419T250 357Q250 340 236 301T196 196T154 83Q149 61 149 51Q149 26 166 26Q175 26 185 29T208 43T235 78T260 137Q263 149 265 151T282 153Q302 153 302 143Q302 135 293 112T268 61T223 11T161 -11Q129 -11 102 10T74 74Q74 91 79 106T122 220Q160 321 166 341T173 380Q173 404 156 404H154Q124 404 99 371T61 287Q60 286 59 284T58 281T56 279T53 278T49 278T41 278H27Q21 284 21 287Z"></path><path stroke-width="1" id="MJMATHI-6D" d="M21 287Q22 293 24 303T36 341T56 388T88 425T132 442T175 435T205 417T221 395T229 376L231 369Q231 367 232 367L243 378Q303 442 384 442Q401 442 415 440T441 433T460 423T475 411T485 398T493 385T497 373T500 364T502 357L510 367Q573 442 659 442Q713 442 746 415T780 336Q780 285 742 178T704 50Q705 36 709 31T724 26Q752 26 776 56T815 138Q818 149 821 151T837 153Q857 153 857 145Q857 144 853 130Q845 101 831 73T785 17T716 -10Q669 -10 648 17T627 73Q627 92 663 193T700 345Q700 404 656 404H651Q565 404 506 303L499 291L466 157Q433 26 428 16Q415 -11 385 -11Q372 -11 364 -4T353 8T350 18Q350 29 384 161L420 307Q423 322 423 345Q423 404 379 404H374Q288 404 229 303L222 291L189 157Q156 26 151 16Q138 -11 108 -11Q95 -11 87 -5T76 7T74 17Q74 30 112 181Q151 335 151 342Q154 357 154 369Q154 405 129 405Q107 405 92 377T69 316T57 280Q55 278 41 278H27Q21 284 21 287Z"></path></defs></svg>

computer science, information systems,telecommunications

Minghui Yang,Junqi Guo,Ziyun Zhao,Tianyou Xu,Ludi Bai

DOI: https://doi.org/10.1016/j.procs.2020.06.095

2020-01-01

Procedia Computer Science

Abstract:In recent years, the fitness problems of adolescents have attracted increasing attention from all walks of life. It has become an irreversible trend to use new technical means to supervise and guide young students’ behaviour. Smart wearable devices have become a better choice because of its simple usage and convenient wearing. But its lightness also brings the shortcoming of being vulnerable to attack. This research proposes a scheme to protect the privacy of smart wearable users. There are two main aspects: (1) Perturb the data collected by smart wearing devices before sending information to prevent third-party servers from leakage of users’ privacy; and a scheme of data reconstruction is proposed using SVD (Singular Value Decomposition) method to decompose eigenvalues; (2) During data publishing, we proposed a personalized k-anonymity publishing scheme based on entropy weight method, which has brilliant adaptability as well as preventing privacy leakage. Experiments show that the proposed method can effectively improve the safety of smart wearable devices, so that adolescents and parents can use it safely.

Yuhong Nan,Xueqiang Wang,Luyi Xing,Xiaojing Liao,Ruoyu Wu,Jianliang Wu,Yifan Zhang,XiaoFeng Wang

2023-01-01

Abstract:Recent research has highlighted privacy as a primary concern for IoT device users. However, due to the challenges in conducting a large-scale study to analyze thousands of devices, there has been less study on how pervasive unauthorized data exposure has actually become on today's IoT devices and the privacy implications of such exposure. To fill this gap, we leverage the observation that most IoT devices on the market today use their companion mobile apps as an intermediary to process, label and transmit the data they collect. As a result, the semantic information carried by these apps can be recovered and analyzed automatically to track the collection and sharing of IoT data. In this paper, we report the first of such a study, based upon a new framework IoTProfiler, which statically analyzes a large number of companion apps to infer and track the data collected by their IoT devices. Our approach utilizes machine learning to detect the code snippet in a companion app that handles IoT data and further recovers the semantics of the data from the snippet to evaluate whether their exposure has been properly communicated to the user. By running IoTPro-filer on 6,208 companion apps, our research has led to the discovery of 1,973 apps that expose user data without proper disclosure, covering IoT devices from at least 1,559 unique vendors. Our findings include highly sensitive information, such as health status and home address, and the pervasiveness of unauthorized sharing of the data to third parties, including those in different countries. Our findings highlight the urgent need to regulate today's IoT industry to protect user privacy.

Yaru Wang,Ning Zheng,Ming Xu,Tong Qiao,Qiang Zhang,Feipeng Yan,Jian Xu

DOI: https://doi.org/10.3390/s19143052

2019-07-11

Abstract:Mobile payment apps have been widely-adopted, which brings great convenience to people's lives. However, at the same time, user's privacy is possibly eavesdropped and maliciously exploited by attackers. In this paper, we consider a possible way for an attacker to monitor people's privacy on a mobile payment app, where the attacker aims to identify the user's financial transactions at the trading stage via analyzing the encrypted network traffic. To achieve this goal, a hierarchical identification system is established, which can acquire users' privacy information in three different manners. First, it identifies the mobile payment app from traffic data, then classifies specific actions on the mobile payment app, and finally, detects the detailed steps within the action. In our proposed system, we extract reliable features from the collected traffic data generated on the mobile payment app, then use a series of well-performing ensemble learning strategies to deal with three identification tasks. Compared with prior works, the experimental results demonstrate that our proposed hierarchical identification system performs better.

Minghui Yang,Junqi Guo,Ludi Bai

DOI: https://doi.org/10.1109/dasc-picom-cbdcom-cyberscitech49142.2020.00021

2020-01-01

Abstract:Nowadays, physical fitness of young people has been widely concerned by all fields of research. Using smart wearable devices to monitor students' physical fitness level is a good choice. However, due to its limited computing performance, the use of smart wearable devices faces the risk of privacy disclosure. We propose a privacy-preserving framework for smart wearable devices, and an improved algorithm based on differential privacy according to the characteristics of smart wearable devices. Through a shielding condition, we choose the appropriate data to publish, which reduces the possibility of attackers to obtain users' privacy. In the following tests, we take approximate entropy as the indicator to reflect the security of results, and it finally conclude that compared with the traditional method, the algorithm proposed in this paper has a better ability of privacy preserving.

Junqi Guo,Minghui Yang,Boxin Wan

DOI: https://doi.org/10.3390/sym13061043

2021-06-09

Symmetry

Abstract:With the rapid development of the Internet of Things (IoT), wearable devices have become ubiquitous and interconnected in daily lives. Because wearable devices collect, transmit, and monitor humans’ physiological signals, data privacy should be a concern, as well as fully protected, throughout the whole process. However, the existing privacy protection methods are insufficient. In this paper, we propose a practical privacy-preserving mechanism for physiological signals collected by intelligent wearable devices. In the data acquisition and transmission stage, we employed existing asymmetry encryption-based methods. In the data publishing stage, we proposed a new model based on the combination and optimization of k-anonymity and differential privacy. An entropy-based personalized k-anonymity algorithm is proposed to improve the performance on processing the static and long-term data. Moreover, we use the symmetry of differential privacy and propose the temporal differential privacy mechanism for real-time data to suppress the privacy leakage while updating data. It is proved theoretically that the combination of the two algorithms is reasonable. Finally, we use smart bracelets as an example to verify the performance of our mechanism. The experiment results show that personalized k-anonymity improves up to 6.25% in terms of security index compared with traditional k-anonymity, and the grouping results are more centralized. Moreover, temporal differential privacy effectively reduces the amount of information exposed, which protects the privacy of IoT-based users.

Yuanchun Li,Fanglin Chen,Toby Jia-Jun Li,Yao Guo,Gang Huang,Matthew Fredrikson,Yuvraj Agarwal,Jason I. Hong

DOI: https://doi.org/10.1145/3130941

2017-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Smartphone app developers often access and use privacy-sensitive data to create apps with rich and meaningful interactions. However, it can be challenging for auditors and end-users to know what granularity of data is being used and how, thereby hindering assessment of potential risks. Furthermore, developers lack easy ways of offering transparency to users regarding how personal data is processed, even if their intentions are to make their apps more privacy friendly. To address these challenges, we introduce PrivacyStreams, a functional programming model for accessing and processing personal data as a stream. PrivacyStreams is designed to make it easy for developers to make use of personal data while simultaneously making it easier to analyze how that personal data is processed and what granularity of data is actually used. We present the design and implementation of PrivacyStreams, as well as several user studies and experiments to demonstrate its usability, utility, and support for privacy.

Seyed Ali Osia,Ali Shahin Shamsabadi,Sina Sajadmanesh,Ali Taheri,Kleomenis Katevas,Hamid R. Rabiee,Nicholas D. Lane,Hamed Haddadi

DOI: https://doi.org/10.1109/jiot.2020.2967734

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet-of-Things (IoT) devices and applications are being deployed in our homes and workplaces. These devices often rely on continuous data collection to feed machine learning models. However, this approach introduces several privacy and efficiency challenges, as the service operator can perform unwanted inferences on the available data. Recently, advances in edge processing have paved the way for more efficient, and private, data processing at the source for simple tasks and lighter models, though they remain a challenge for larger and more complicated models. In this article, we present a hybrid approach for breaking down large, complex deep neural networks for cooperative, and privacy-preserving analytics. To this end, instead of performing the whole operation on the cloud, we let an IoT device to run the initial layers of the neural network, and then send the output to the cloud to feed the remaining layers and produce the final result. In order to ensure that the user's device contains no extra information except what is necessary for the main task and preventing any secondary inference on the data, we introduce Siamese fine-tuning. We evaluate the privacy benefits of this approach based on the information exposed to the cloud service. We also assess the local inference cost of different layers on a modern handset. Our evaluations show that by using Siamese fine-tuning and at a small processing cost, we can greatly reduce the level of unnecessary, potentially sensitive information in the personal data, thus achieving the desired tradeoff between utility, privacy, and performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

Luoyang Fang,Xiang Cheng,Liuqing Yang,Haonan Wang

DOI: https://doi.org/10.1007/s41650-018-0028-z

2018-01-01

Journal of Communications and Information Networks

Abstract:Mobile big data collected by mobile network operators is of interest to many research communities and industries for its remarkable values. However, such spatiotemporal information may lead to a harsh threat to subscribers’ privacy. This work focuses on subscriber privacy vulnerability assessment in terms of user identifiability across two datasets with significant detail reduced mobility representation. In this paper, we propose an innovative semantic spatiotemporal representation for each subscriber based on the geographic information, termed as daily habitat region, to approximate the subscriber’s daily mobility coverage with far lesser information compared with original mobility traces. The daily habitat region is realized via convex hull extraction on the user’s daily spatiotemporal traces. As a result, user identification can be formulated to match two records with the maximum similarity score between two convex hull sets, obtained by our proposed similarity measures based on cosine distance and permutation hypothesis test. Experiments are conducted to evaluate our proposed innovative mobility representation and user identification algorithms, which also demonstrate that the subscriber’s mobile privacy is under a severe threat even with significantly reduced spatiotemporal information.

Jin Qian,Mingchen Zheng,Ying Yu,Chuanpeng Zhou,Duoqian Miao

DOI: https://doi.org/10.1016/j.ins.2024.121316

IF: 8.1

2024-01-01

Information Sciences

Abstract:Data anonymization is one of the common techniques for ensuring data security and privacy. However, the existing anonymization techniques often suffer lower execution efficiency and unnecessary information loss when dealing with complex data. Therefore, we propose a dynamic anonymity privacy-preserving model based on hierarchical sequential three-way decisions. Specifically, we first divide the data into multiple granularity spaces by attributes and dynamically process the data in the granularity spaces. Then, in a single granularity space, we construct a generalization hierarchy for the data based on the attributes generalization trees and divide it into the positive, negative and boundary regions based on anonymous parameter. Next, we can acquire the positive and boundary regions by generalization and dynamically update the processed data at the next granularity. After that, we suppress the data in the final negative and boundary regions while releasing the positive region. To further improve data availability, we combine the idea of differential privacy by adding noise data to the final boundary region enabling its release and propose an enhanced anonymity model. Finally, we compare our proposed algorithms with other methods on six datasets. Experimental results show that our method effectively reduces processing costs, improves data usability and protects data privacy.

Xue Jiang,Yu Huang,Hengfeng Wei

DOI: https://doi.org/10.1109/uic-atc-scalcom-cbdcom-iop-smartworld.2016.0057

2016-01-01

Abstract:Rich contexts enable the provision of context-aware services on mobile smart phones, but they also introduce threats of privacy leakages. It is widely held that the key to privacy preservation is to achieve efficient tradeoffs between the utilization of contexts, the preservation of privacy. Götz et al. present δ privacy that exploits temporal relation to decide the release/suppression, this technique achieves a good tradeoff. However, δ privacy does not consider the hierarchy of different layers of contexts. In this paper, we propose FDH which provides fine-grained suppression over the context hierarchy, integrates δ privacy. Our experiments on real smart phone context traces show that FDH can release a few suppression contexts in δ privacy with limited cost, obtain relatively high utility while preserving strong privacy.

Jianbing Ni,Kuan Zhang,Qi Xia,Xiaodong Lin,Xuemin Shen

DOI: https://doi.org/10.48550/arXiv.1806.04057

2018-06-11

Abstract:Mobile crowdsensing engages a crowd of individuals to use their mobile devices to cooperatively collect data about social events and phenomena for special interest customers. It can reduce the cost on sensor deployment and improve data quality with human intelligence. To enhance data trustworthiness, it is critical for service provider to recruit mobile users based on their personal features, e.g., mobility pattern and reputation, but it leads to the privacy leakage of mobile users. Therefore, how to resolve the contradiction between user privacy and task allocation is challenging in mobile crowdsensing. In this paper, we propose SPOON, a strong privacy-preserving mobile crowdsensing scheme supporting accurate task allocation from geographic information and credit points of mobile users. In SPOON, the service provider enables to recruit mobile users based on their locations, and select proper sensing reports according to their trust levels without invading user privacy. By utilizing proxy re-encryption and BBS+ signature, sensing tasks are protected and reports are anonymized to prevent privacy leakage. In addition, a privacy-preserving credit management mechanism is introduced to achieve decentralized trust management and secure credit proof for mobile users. Finally, we show the security properties of SPOON and demonstrate its efficiency on computation and communication.

Cryptography and Security

Shuai Li,Zhemin Yang,Nan Hua,Peng Liu,Xiaohan Zhang,Guangliang Yang,Min Yang

DOI: https://doi.org/10.1145/3548606.3559371

2022-01-01

Abstract:ABSTRACTRecent years have witnessed the interesting trend that modern mobile apps perform more and more likely as user-to-user platforms, where app users can be freely and conveniently connected. Upon these platforms, rich and diverse data is often delivered across users, which brings users great conveniences and plentiful services, but also introduces privacy security concerns. While prior work has primarily studied illegitimate personal data collection problems in mobile apps, few paid little attention to the security of this emerging user-to-user platform feature, thus providing a rather limited understanding of the privacy risks in this aspect. In this paper, we focus on the security of the user-to-user platform feature and shed light on its caused insufficiently-studied but critical privacy risk, which is brought forward by cross-user personal data over-delivery (denoted as XPO). For the first time, this paper reveals the landscape of such XPO risk in wild, along with prevalence and severity assessment. To achieve this, we design a novel automated risk detection framework, named XPOChecker, that leverages the advantages of machine learning and program analysis to extensively and precisely identify potential privacy risks during user-to-user connections, and regulate whether the delivered data is legitimate or not. By applying XPOChecker on 13,820 real-world popular Android apps, we find that XPO is prevalent in practice, with 1,902 apps (13.76%) being affected. In addition to the mere exposure of diverse private user data which causes serious and broad privacy infringement, we demonstrate that the XPO exploits can invalidate privacy preservation mechanisms, leak business secrets, and even restore the sensitive membership of victims which potentially poses personal safety threats. Furthermore, we also confirm the existence of XPO risks in iOS apps for the first time. Last, to help understand and prevent XPO, we have responsibly launched two notification campaigns to inform the developers of the affected apps, with the conclusion of five underlying lessons from developers' feedback. We hope our work can make up for the deficiency of the understandings of XPO, help developers avoid XPO, and motivate further researches.