A privacy mechanism for mobile-based urban traffic monitoring
Abstract
Participatory sensing is a paradigm that allows each participant to sense, collect and transmit information about their surroundings to either other members in the group or to a centralized server. The information that is provided by the community of users is then combined to provide a useful service to all the participants. The focus of this work is one such participatory sensing application, namely mobile traffic monitoring. In this application each participant provides real-time updates on the location and speed of the user’s vehicle to a centralized server; information from multiple participants is then aggregated by the server to provide current traffic conditions to all participants.

Successful participation in a traffic monitoring application depends on two factors: the information utility of the estimated traffic condition, and the amount of private information (speed and position) each participant reveals to the server. Each user prefers to reveal as little private information as possible, but if everyone withholds information, the quality of traffic estimation will deteriorate. We model these opposing requirements by considering each user to have a utility function that combines the benefit of a high quality traffic estimate and the cost of privacy loss. Using a novel Markov-based model, we mathematically derive a policy that takes into account the mean, variance and correlation of traffic on a given stretch of road and yields the optimal granularity of information revelation for this stretch of road to maximize user utility.

We validate the effectiveness of this policy through real-world empirical traces collected from a day-long 100-vehicle experiment on a highway in Northern California, conducted in 2008. The validation shows that the derived policy yields utilities that are very close to what could be obtained with an oracle scheme that has full knowledge of the ground truth.

1. MOTIVATION FOR PARTICIPATORY SENSING

In existing sensor networks, power-constrained sensors are deployed in the targeted area and data is collected until the sensor runs out of battery or the collection time window expires. There are several disadvantages in such traditional sensor networks. First, the size of the sensor network is usually small. Second, most sensors are power constrained and hence may need either replacing or recharging of their batteries; either of these tasks is intrusive to the sensing process and can sometimes be time consuming if the sensing environment is not easily accessible.

In order to overcome these shortcomings of current sensor networks, researchers have proposed projects such as MetroSense [2] and Participatory Sensing [27]. This new generation of sensing projects is based on the concept of “people-centric sensing” at a large scale (e.g., campus, town, or metropolis). People are central to the sensing experience and represent the key architectural component in this new paradigm. In this category of sensing, human-carried sensors are brought into the environments that are of interest for sensing. The key element of such sensing is that people might be sensing their surroundings as they go about their daily activities without even making any explicit effort to sense. Mobile phones have become a key enabler for such silent sensing. Mobile phones with several integrated sensors, such as GPS, audio, Bluetooth, and Wifi, are increasingly being used in such participatory sensing projects.

In this paper, we focus on one particular participatory sensing application, namely urban traffic monitoring. In this traffic monitoring application, sensors such as GPS are integrated either into a mobile phone or into a user’s vehicle. These sensing systems have the potential to radically improve the accuracy and timeliness of traffic information.
In this application, several users driving on various road segments can use their GPS-enabled sensors to accurately determine their speed and position information. The measured information is then transmitted to a backend aggregation server. The aggregator collects segmented traffic reports from individual users and combines the reports to obtain the complete traffic condition on the entire road stretch. The global traffic information is in turn used by the aggregator to provide real-time traffic and travel time estimates to all the users in the system. Traffic sensing is an important application class where the accuracy of traffic estimation improves with an increasing number of participants.

1.1 Importance of Traffic Sensing

Population growth in the U.S. metropolitan areas has outgrown the transportation infrastructure. As a result, freeway congestion is rapidly becoming a major economic hurdle. Estimates show that traffic congestion cost over 10 billion dollars in economic activity in 2003 [3], and burnt over 400 million gallons of excess fuel in the Los Angeles metropolitan area alone. Commuters have turned their attention to real-time traffic monitoring and drive time estimation services [4] to avoid congested areas and to find alternate routes. These services all rely on traffic estimation based on loop inductors that are installed below the road surface on major freeways. Inductors provide the speed and density estimates based on vehicles that travel over the inductors. Many freeway inductors are connected to a centralized data server and send information to the server every time a car passes over an inductor. Data from these inductors is aggregated by the server to provide real-time traffic conditions.

There are two disadvantages of loop inductors. First, loop inductors are expensive to install and maintain, and hence they are installed only on a few major road segments.
Loop inductor installation is estimated to have cost 2.5 billion dollars already in the state of California. Second, the majority of the installed inductors, except for those on some freeways, do not provide traffic updates to the data server. These inductors are primarily used for signal activation rather than traffic data collection.

In such contexts, we believe that GPS-embedded mobile devices will provide a cost effective alternative for real-time traffic information, where they can augment inductor-based traffic sensor data by providing precise speed information at any arbitrary location, not just on freeways. In particular, mobile devices can provide traffic information even on secondary and tertiary roads where installing and managing inductor coils may be prohibitively expensive. Mobile devices are integrating a variety of system components, such as on-board GPS receivers, that make them uniquely well suited for traffic sensing. They also have enough computing power to process the sensor data to make intelligent local decisions on when and how much traffic sensing information to send to a backend server. Finally, they can use their communication capabilities to instantly transmit that data to a backend data aggregator that can provide customized traffic service to an end user. The combination of device features, near universal availability, and wide coverage creates new opportunities to dramatically change traffic sensing, traffic data aggregation, and most importantly real-time traffic estimation.

1.2 Importance of Privacy

While the motivation for traffic sensing using mobile phones is clear, the approach described above, where the user reports the speed and position information to the aggregator, potentially compromises the participant’s privacy. The simple sense-and-transmit approach totally ignores the device holder’s privacy.
Note that, in traditional sensor networks, since a sensor node is not associated with a particular individual, the need for privacy is relatively low. However, in participatory sensing, particularly when a mobile phone is being used as the sensor, the sensing device and the participant are closely tied together. A mobile phone uniquely ties the sensor to a participant’s identity. The data sensed is not only indicative of the participant’s surroundings, but also reveals the participant’s location and speed. Hence, we have to take the device holder’s (application subscriber’s) privacy into account when designing the system. If the accurate location/speed information is eavesdropped by malicious attackers, the attackers can reveal the phone’s identity by investigating the MAC layer packet headers. Once the identity of the device holder is revealed with precise location and speed information, the participant is exposed to the attacker. Imagine the day when an unwary traffic sensing participant gets a speeding ticket as an SMS message!

The goal of this paper is to study the privacy risks in traffic sensing. In order to protect users’ privacy, we derived a utility-based application method, which lets the users update the backend server with “just enough” information, trading off some data accuracy for improved user privacy. In this research, we consider the location granularity as a mechanism to obfuscate the users’ precise location information. For instance, using a coarse location granularity the user can inform the aggregator that he/she is currently driving somewhere between two exits on a freeway without disclosing the precise location. With coarse location information, privacy is protected while the system can still maintain reasonable service quality.
In order to implement such a utility-based information update policy, we propose a novel Markov model to evaluate the impact of granularity on the accuracy of traffic estimation (i.e., the application service quality). Specifically, in this paper we propose a policy which helps a single user to decide on the optimal information precision. We assume that the input to the policy is the mean, variance, and correlation information for a given road stretch. A novel Markov-based model formulation is applied to measure the road traffic estimation accuracy. Based on the Markov model, we propose a particular utility function that considers the tension between traffic estimation error and users’ potential privacy loss. With the utility function, we are able to compute the optimal granularity for traffic information updates on the corresponding road section.

We validate this policy on a traffic update database. The traffic update database was generated from a recent study involving a 10-hour, 100-vehicle real freeway traffic experiment conducted on Feb 8th 2008 jointly by the Nokia Research Center and the University of California, Berkeley [1]. In this large scale study, the very first of its kind in the United States, 100 drivers provided over one million traffic updates to a backend database server.

It is worth noting that the inherent trade-off between privacy and traffic estimation precision is at the core of the application design. One of our novel contributions is to formulate this tension as a utility optimization problem from the perspective of a single user, and derive a near-optimal policy that maps a set of available a-priori knowledge about traffic conditions to a deterministic decision about the spatial granularity at which the user must send information to the server. This paper makes the following three contributions.
First, we propose a Markov-based road model that takes into account the mean, variance, and correlation of traffic on a given stretch of road for traffic conditions. This model allows us to estimate the impact of granularity on estimation accuracy.

Second, we formulate the decision making problem for an individual user (to decide the information granularity to contribute to the society) as a utility optimization problem. The optimization problem assumes that the users are intelligent, rational and selfish. A policy is derived based on the formulation which yields the optimal precision of information revelation for the corresponding road stretch. The information precision is optimal in the sense that if a user uses this granularity to reveal his/her local information, he/she can get optimal utility, which is a trade-off between privacy leak risk and social service quality.

Third, extensive performance analysis of our proposed policy has been done on real experiment data consisting of more than one million traffic update records collected during a 10-hour 100-car experiment. Our analysis shows that a) our proposed policy is near optimal in all cases; b) the proposed policy is robust and still yields good utility gain for users when the estimates of the three parameters have errors.

The paper is organized as follows. Section 2 describes the traffic monitoring application. Section 3 and Section 4 present our novel mathematical formulation of the problem, including the Markov-based road condition model and utility modeling. In Section 5, we propose a practical policy that suggests a near-optimal decision on maximizing the user’s utility. Our experiment methodology and encouraging results are presented in Sections 6 and 7. Finally we present some related work in Section 8 and conclude our work in Section 9.

2. APPLICATION DESCRIPTION

As we have discussed in the introduction section, we believe that the mobile-based urban traffic monitoring system will help relieve traffic conditions in the future and help application users estimate traffic conditions on the road with privacy preservation concerns. A straightforward version of this urban traffic monitoring application is shown in Figure 1(a). In the simplest version of this application, we envision the virtual trip line (VTL) sensors [22] as a replacement for the inductive loop sensors mentioned before. Virtual trip lines are GPS coordinates of a line that is virtually drawn on top of any road segment by a traffic administrator, such as the US DOT (Department of Transportation). Virtual trip lines are stored in a database clustered by geographic region. Reads from the database can be done by any mobile device client, but updating the database can be done only by the traffic administrators. Any mobile device that enters a geographic region accesses the database and downloads the VTLs over the air. Mobile devices monitor their location using GPS and use the cached VTLs from a region to determine if they are crossing a VTL. When they cross a VTL, the device sends a raw update to a backend server with accurate position (VTL id) and speed information. The backend server aggregates the information obtained from multiple devices and uses it to estimate the current traffic conditions and provide accurate traffic and drive time estimates back to the mobile devices in real time. This information can then be used to alert the vehicle drivers about possible traffic congestion and even suggest alternate routes.

However, for the users on the road, the major privacy concerns focus on the users’ exact location and speed. If the user’s update information is overheard, or maliciously detected by eavesdroppers, the user’s privacy is leaked by revealing the exact location and speed information.

Note that although the application may not need the user’s identity when collecting the traffic condition updates, the MAC layer of the mobile devices implicitly reveals the user’s identity through the MAC address. In this case, the simplest version of the traffic monitoring application does not preserve the user’s privacy. We need to modify the application to provide better privacy protection. Therefore, we propose a utility-based privacy preservation model for the traffic monitoring application (see Figure 1(b)). This modified application considers the tradeoff between the users’ desire to protect privacy and their requirement for accurate traffic estimation, and provides a policy to optimize this tradeoff. That is, the improved traffic monitoring application allows the users to contribute to the system with a “just enough” amount of information to preserve privacy and, meanwhile, make use of the traffic estimation with proper precision. This modified traffic monitoring application (which is the focus of the remaining parts of this paper) consists of four message exchanges.

• First, application subscribers request an estimate of the mean and standard deviation in speeds and the road correlation factor for a certain stretch of road in a certain time interval. For example, a user can send a query to the backend server asking “what are the corresponding parameters for highway I-10 exit 31 to exit 33 at 4:00pm-4:30pm, July 4th?”.
• Second, the backend server returns those parameter values (also referred to as model statistics in this paper), possibly based on the historic data, as well as an estimated number of users.
• Third, users send out the optimized local information updates to the backend server. Upon receiving these model and estimated statistics, the application at the user side either computes or uses a look-up table to find an optimized update granularity. Note that in such a community-based application, the quality of collected global information depends on the quality of information contributed by individual end users who have the motivation to protect their privacy. Our proposed utility-based privacy policy formulates the tension between the traffic estimation accuracy requirement and the user’s desire for his/her own privacy as a utility function, then maximizes this utility function to obtain the optimal updates. With this modification, instead of reporting exact location information, as in the original simplest version, a user might blur his/her location information into a range of suitable length such as “somewhere between VTL 34 and VTL 39”. This information includes an implicit spatial granularity (the user’s location information with proper precision) and the user’s current vehicle speed (i.e., traffic flow speed) with a timestamp. These parameters are used in the Markov model we propose in Section 3 to measure the impact on traffic estimation accuracy for the application subscribers. We will discuss these parameters in detail in later sections.
• Fourth, the backend server returns current traffic conditions on the road stretch to the application subscribers. According to the reported information from all users in the community, the application server is capable of estimating the real-time averaged traffic flow speed on the road, which can help users monitor the traffic conditions for the road stretch of interest.

Figure 1: Comparison of the original (intuitive) scheme and modified scheme. (a) Original Application Model. (b) Modified Application Model.

In the following sections, we will focus on how the traffic is modeled, how to obtain the model statistics/parameters at the backend server, how to use the model to calculate the utility for each user, and how to calculate the optimized updates.

3. THE MARKOV ROAD MODEL

We propose a Markov-based road model in this research to measure the traffic estimation precision with a minimal number of parameters. The main purpose of this Markov-based traffic model is to characterize the impact of granularity on traffic estimation accuracy, so that we can measure the system quality of service as a function of granularity. In this section, we present this novel model after describing the preliminaries, necessary assumptions, and notations used in the paper.
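The client-side step of the third message exchange can be sketched as follows. This Python example is added here and is not the paper's code: the excerpt does not give the Markov model or the utility function, so the error term (speeds at VTLs d apart correlated as rho**d), the 1/g privacy cost, the weights, the statistics and all function names are assumptions chosen for illustration.

```python
import math

def coarsen_vtl(vtl_id, g, n_vtls):
    """Map an exact VTL id to the fixed block of g consecutive VTLs containing it.

    Blocks are aligned to fixed boundaries instead of being centred on the
    vehicle, so the reported range does not give away its midpoint.
    """
    lo = (vtl_id // g) * g
    hi = min(lo + g - 1, n_vtls - 1)
    return lo, hi

def build_update(vtl_id, speed, timestamp, g, n_vtls):
    """Coarse update: a VTL range, the measured speed and a timestamp."""
    lo, hi = coarsen_vtl(vtl_id, g, n_vtls)
    return {"vtl_from": lo, "vtl_to": hi, "speed": speed, "timestamp": timestamp}

def estimation_error(g, mean, std, rho):
    """Relative RMS error when one speed sample stands for a whole block.

    Assumed model: stationary speeds with variance std**2 and correlation
    rho**d between VTLs d apart, so E[(S_x - S_y)^2] = 2*std^2*(1 - rho^d).
    The value is averaged over all (x, y) pairs in the block.
    """
    if g == 1:
        return 0.0
    total = sum(2 * (g - d) * 2 * std ** 2 * (1 - rho ** d) for d in range(1, g))
    return math.sqrt(total / g ** 2) / mean

def privacy_loss(g):
    """Assumed cost: chance of guessing the exact VTL inside a block of size g."""
    return 1.0 / g

def utility(g, mean, std, rho, w_err, w_priv):
    """Hypothetical utility: weighted accuracy cost plus weighted privacy cost."""
    return -(w_err * estimation_error(g, mean, std, rho) + w_priv * privacy_loss(g))

def best_granularity(mean, std, rho, w_err, w_priv, max_g):
    """Block size in 1..max_g that maximizes the utility (smallest on ties)."""
    return max(range(1, max_g + 1),
               key=lambda g: utility(g, mean, std, rho, w_err, w_priv))

if __name__ == "__main__":
    # Constructed model statistics, as the server might return them in message 2.
    stats = {"mean": 60.0, "std": 10.0, "rho": 0.9}
    g = best_granularity(**stats, w_err=8.0, w_priv=1.0, max_g=10)
    # Constructed crossing: VTL 37 of 100 at 62 mph.
    print(g, build_update(37, 62.0, 1202500000, g, 100))
```

Under these assumptions a more strongly correlated road (rho closer to 1) tolerates a coarser block, because one speed sample describes more of the stretch.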
Journal title:
- Pervasive and Mobile Computing
Volume: 20
Publication date: 2015