Protecting Privacy in Sensor-Protecting Privacy in Sensor-

Enriched Internet ServicesEnriched Internet Services

Presenter:

Yan Ke, CMU

In collaboration with:Phillip B. Gibbons, Brad Karp, Rahul Sukthankar, Intel

Srinivasan Seshan, Suman Nath, CMU

March 28, 2003 CMU Aladdin Data Privacy Workshop

Parking Space Finder ServiceParking Space Finder Service

Parking Space Finder ServiceParking Space Finder Service

Irisnet: The Big PictureIrisnet: The Big Picture

User

Sensing Agent

Sensing AgentInternet

Organizing Agents

Sensing Agent

Irisnet: The Big PictureIrisnet: The Big Picture

User

Sensing Agent

Sensing AgentInternet

Organizing Agents

Sensing Agent

Privacy Goal:

To prevent someone from using Irisnet to automatically collect private information.

Example Webcam ServicesExample Webcam Services

• Parking Space Finder• Find me the cheapest available parking spot within 2 blocks of CMU

• Waiting time monitors• Which restaurants have the shortest long lines?

• Historical camera views• I left my umbrella somewhere today. Show all views of me from today.

• Silent witness• Who hit my parked car?

• Triggered event monitor• Notify me when the 61C bus is coming down the street

Organizing Agents (OA)Organizing Agents (OA)

• Distributed XML Database

• Distributed Query Processing (XPath)

• Caching to improve performance

• Redundancy to reduce failures

Internet

Organizing Agents

Intelligent Sensing Agents (SA)Intelligent Sensing Agents (SA)

• PC-class machines, running Linux

• Shared by different services.

• Collect data from attached sensor(s)

• Filter sensor data to protect privacy

• Execute senselets (code) uploaded by OAs

• Send gathered data back to OAs

Internet

Organizing Agents

Current SA ImplementationCurrent SA Implementation

Privacy Filters

Sensor Buffer

Senselets OA’s

•Hide Face•Low resolution•Edges only•Color histogram

Can be dynamicallyloaded and updated

SA

System Issues – Example ProblemSystem Issues – Example Problem

• CPU is fully loaded.• Filter produces frames faster than any of the senselets can consume

them.• Default Linux process scheduler produces suboptimal scheduling of

filter and senselets.

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0.5

Face Removal Filter Parking 1 Parking 2 Parking 3

Fra

mes

/ Sec

ond

Naïve Scheduler

Flow Controlled

Flow ControlFlow Control

• Rate matching of privacy filter to fastest senselet.

• Coalesce requests from senselets, preferring already

used frames.

00.050.1

0.150.2

0.25

0.30.350.4

0.450.5

Face Removal Filter Parking 1 Parking 2 Parking 3

Fra

mes

/ Sec

ond

Naïve Scheduler

Flow Controlled

DemoDemo

Future WorkFuture Work

• Privacy checks at other places of infrastructure

Internet

Organizing Agents

•Authentication•Access Control •Low data rate output

•Check conformance

to XML Schema

•Multiple filter types•Senselets with

different levels of

privacy certification

Ability to recover hidden information for

post mortem analysis.

ConclusionsConclusions

• Protecting privacy without degrading performance and

utility in real sensor deployments is a challenging

problem.

• We built initial privacy protection mechanisms into Irisnet.

• Ability to download arbitrary privacy filters, leveraging the

latest image processing algorithms.

• Open to suggestions to other potential problems and

solutions…