Urban data analysis is a process of collecting, protecting the data and analyzing the data to improve the city living. Even though the traditional methods of data collection such as surveys conducted through person provide detailed information it is time consuming and cost in- efficient [ 1 ]. In recent years crowdsourcing, crowd sensing or mobile crowdsourcing are found to be efficient methods [ 2 ] of populating the data, on which Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). the researchers and analyst can work upon and come up with some decision or create policies.

Mobile crowdsourcing is one of the main strategies to carry out real time urban planning tasks such as municipal monitoring, smart city construction and last mile logistics by coordinating with mobile users. However, the success of such outsourcing depends upon how well the crowd workers response and their commitments. Micro Workers [ 3 ], Amazon Mechanical Turk [ 4 ], crowd SPRING [ 5 ] and Google consumer surveys [ 6 ] are some of the crowdsourcing tools, they make the task of data collection simpler for individuals as well as business organizations. The advantage of mobile crowdsourcing lies in converting the time-consuming tasks that is expensive and difficult to complete. The tasks are broken down into more manageable tasks and are outsourced to the crowd across the internet, called as microtasks. Figure 1 shows the process of crowdsourced data collection and management system for urban data analysis.

The crowd maybe human beings or the mobile applications that get involved in conducting various surveys of health care, political data, property information and mobility/transport data. The data thus collected gets stored in a fog/cloud/internet and is utilized for various purposes- planning and decision making, analysis, building models, urban planning and urban mobility, by various users such as researcher, statistician, analyst or an intruder.

Data requestor’s job is to publish the task, monitor the task and to collect the answers. The task types may be single choice, multiple choices, fill in the blanks or collection of information. The workers participate in the tasks that are published and sends answers. When series of such tasks are participated by the workers there may be chances of identifying them. For example, in task 1 the survey may be conducted on astrology/horoscope services and hence the date of birth, time and place of birth gets collected. In the next task the survey may be on market survey of a specific product, here the age, workplace and salary of the person is collected. Now when we take the common people who have participated in both surveys and assign an identifier to them, we clearly get the date of birth, salary and age information of the specific person. Table 1 presents the applications of mobile crowdsourcing and the information collected in such application that may result in disclosure.

Every crowdsourcing marketplace has its own policies (for example Amazon Turk machine’s policies [ 4 ]) that prevent the requestor to collect the personally identifiable information (PII) from the workers that disclose the identity of the workers directly. The attributes like age, zip code, salary information that gets collected as a part of survey may not directly identify the individual (such attributes are called quasi identifiers.) but when combined with other data set, there is high probability of individual disclosure. Despite of policies restrictions, it is not possible to prevent the mis use or combination of information. Hence there is a high need for an anonymization technique to protect the individual’s disclosure in any form. The basics of any anonymization technique is presented here.

Let A be the original mobile crowdsourced data table, the identifiers (if present) are removed and anonymization methods are applied on Quasi-Identifier’s. The anonymized table A` consist of (Quasi-Identifier’s and Sensitive Attributes). From the literature, the attributes can be classified and defined as follows:

1. QuasiIdentifiers also called as (QIDs)- Used to identify the individuals but not uniquely for example- person’s age, zip code and place of work. This is shown in Table 2.

2. Confidential/sensitive attributes (SA)- Person’s sensitive information which needs to be secured and anonymized, for example disease, salary information, political interest etc. as shown in Table 2.

The objective of any anonymization technique is to prevent any third party from identifying an individual Contribution of the paper- The paper discusses role of privacy attacks and utility metrices by presenting various attacks that may occur in the mobile crowdsourced data and at the same time various available metrices for measuring the information loss that happens due to anonymization. The paper is organized as follows Section 2 presents the existing system. Section 3 provides details of privacy attacks in crowdsourcing. Section 4 discusses the utility metrices for measuring the information losses incurred during the process of anonymization. Section 5 presents conclusion and future work. 2

There is always a tradeoff between data utility and privacy. If we preserve more information without disclosing it in its original form, it leads to less data utility. If the data is disclosed in original form, complete data is utilized which in turn may lead to privacy breach. Data Anonymization uses one or more techniques to make it impossible or difficult to identify a particular individual in the stored data. In order to enhance the utility of the collected data and to preserve the privacy many techniques are available in the literature [ 7-14 ]. These techniques use either generalization, suppression or data swapping mechanisms to achieve privacy. For example, consider Table 2, here the zip code and the age are quasi-identifiers, the values are suppressed to prevent further disclosures. K- anonymity [ 15 ], is a privacy preserving method that groups similar QID valued attributes into k group, hence Table 3 is 3-anonymous version of table 2.

ID 1 2 3 Anonymous

Disease Heart Disease Heart Disease Heart Disease

Gastritis Heart Disease

Cancer Heart Disease

Cancer Cancer version of original table Here k=3, indicates number of records grouped into one class where, QID values are same in all three records leading to 3-anonymity.

Differential Privacy (DP) [ 16 ][ 17 ] was initially developed for interactive query and response system. The query results are randomized using the distributions like the Laplace, Gaussian or Geometric distributions. The variant of DP is non interactive DP, here the sanitized dataset is released to for public use regardless of type of the requestor. Such non interactive DP measures [ 18 ][ 19 ] suffer badly with ‘curse of dimensionality’ which means as the number of dimensions increases with applications of privacy techniques to the individual attributes having high correlations gets weakened [ 20 ], [ 21 ], this increases the threats as well as reduces the utility. Even worse, the privacy guarantee of DP degrades exponentially when multiple correlated queries are processed. Xuebin Ren et.al [ 22 ] uses a Local Differential Privacy (LDP) technique for high dimensional crowd sourced data publication. It is particularly useful in crowdsourced data, where each user contributes the single private data record to an untrusted server. LDP has its own practical applications in collecting user statistics without harming user privacy. For example, RAPPOR [ 23 ], it is a Chrome extension. It collects Windows process names and Chrome Homepages from user devices in an LDP manner. Microsoft has deployed a data collection mechanism that is LDP-enabled in Windows Insiders program to collect application usage statistics. Therefore, the users as well as the software companies gets benefitted from the LDP usage because users obviously need of privacy, the appreciation of preserving user privacy may gains positive reputation for companies. Lastly, the intruders may be able to retrieve or even steal the user data, that violates user privacy.

Privacy is major concern in mobile crowdsourcing. The essential entities of mobile crowdsourcing are the data requestors/end users – these entities request the data through the tasks and then utilizes the data provided by the participants. Data workers/ Participants- provides the response by participating in the surveys/collecting the data of their interest. The tasks are the entities that are distributed or shared across the participants. The privacy threat may occur on the participant or an individual may be disclosed on the data provided by the participant. Many privacy attacks have been researched in the literature [ 49 ] with respect to different domains. This section provides the overview of the possible privacy attacks in mobile crowdsourced environment. 3.1 Task tracing attack [ 24 ][ 25 ] occurs on the crowd workers, the crowd workers pulls the tasks from the market place or distribution servers based on their interest. When the tasks are downloaded the worker shares some of the sensitive attributes such as age, location, time, preferences and the type of sensing device. The tasks pulled by the workers include details of traffic information, political surveys, real time weather information etc. By studying the type and preferences of tasks pulled by the worker there is possibility of leakage of the sensitive information of the participants such as age, location, race, organization, location and other related attributes of the participants. However, tracing more than one tasks pulled by the worker and collecting the information about the participant may disclose the sensitive attributes and lead to privacy threat. For example, consider table 4, the crowd worker is an engineering undergraduate student with his original information in university database. Table 5 and Table 6 contain the information of the tasks pulled by the participant and the list of accepted tasks. The tasks may be are related to traffic, weather conditions and recommendation system. Task_1 Task_2 Task_3 26 26 25

M M F

Mobile crowdsourcing has many advantages like it helps to collect large amount of data samples, speed of data collection, inexpensiveness of data collections and better quality of data collected. The collected data is published for monetary purpose or it is utilized for making decisions and to carry out research. Such a data contains sensitive attributes and quasi identifiers and when published it may result in individual disclosures. Hence there is a need to anonymization techniques that balances between the privacy and utility of the published data. This section discusses the metrics to quantify the information loss that is incurred when carrying out the anonymization. These metrices can be classified into two categories based on the objectives of anonymization. Privacy level measuring metrices measures the privacy level like how well the technique safeguards the privacy from known privacy breaches. Information loss metrices measures the amount of information loss incurred when the data is processed. In former case higher the value better is the technique, in latter case lower the value better is the technique. 4.1

Privacy Metrices It is essential to measure the amount of privacy that is preserved by a specific technique. Most of the existing techniques for anonymization are either based on discretization or randomization. In discretization the values of attributes are partitioned into intervals, for example the age attribute with value =8, can be anonymized as interval data [1020]. In randomization the original value xi is returned as xi+r, where r is the random value drawn from some distribution. The first proposed metric to measure privacy level is confidence level [ 30 ]. The metric is used for technique that uses discretization for anonymization, it measures how the original values can be estimated from the anonymized values. If it can be estimated with c% confidence that the original value x lies in the interval [x1,x2], then the width of the interval (x2-x1) defines the amount of privacy at c% confidence level. For example, for the age attribute, if width of interval is 10, the level of privacy for such technique is 10% confidence.

For randomization-based methods, the distribution of random variable is taken into consideration. Average conditional entropy [ 31,32 ] is the metric based on the concept of information entropy is used to measure the level of privacy.

Let X be original data distribution and Z be noisy distribution, the average conditional privacy of X given Z is P(X|Z)= 2p(X|Z) (1) The level of privacy may also be measured using variance between the original data and the anonymized data [ 33 ]. If x is the original variable and y is the distorted variable variance(x-y)/ variance(x) expresses how closely one can estimate original values using the distorted data. Privacy preserving techniques reduce the quality of the data, that leads to information loss. Information loss metrices quantify this loss of utility.

Definition: Given two values v and v` where v is original value and v` is treated value, the deviation of v` from v is the information loss.

Loss Metric[ 34 ] was proposed to determine the amount of loss incurred when generalizations are applied on the categorical data. For example, consider the hierarchy for work class, the ontology of work class tree is shown in Figure 2.

Un Employed No pay

Not worked (2) (3) where, i is the attribute and j are the value of the attribute for an individual record. For Table 3 (anonymous form of table 2), loss for each equivalence class is 0.3, 0.6 and .3 respectively. It can be further computed that total information loss incurred is 13%. Per record information loss metric [ 35 ]- The probabilities of generalized to original are considered to determine the information loss. If a variable B is place of residence that is generalized to B` that could be a state or country then the information loss is given by ∑. ɛ0 (, `, 1, 2), where r1 is value taken by B in record r of F and Self Employed workclass

Government inc not inc

State Govt

Local

Federal Let Q denote number of leaf nodes in the hierarchy tree T and let Qp denote number of leaf nodes in subtree rooted at P. With generalization, the loss is given by (Qp-1)/(Q1) For example if the attribute value is State govt and if this attribute is generalized to Government, the amount of loss incurred is computed to be = 2/6. For numeric attributes the loss metric compares the size of generalized domain to the total domain size of attribute.

Here m is the maximum attribute value and ‘n’ is the generalized or suppressed attribute value in the anonymous table. For the domain of attribute there exist maximum(max) and minimum(min) values. For example, if age is considered as an attribute then the domain range is 1-100. Total loss is summation of loss incurred for individual records.

LM i, j= (m-n)/ (maxj- minj)

LM(T)= ∑|iT=|1 (LM i,j) r2 is value taken by B` in record r of G.For Example: If the place of residence in a record is Madhya Pradesh or Bhopal, it could be generalized to India. P (B=Bhopal | B`= India) < P (B= Madhya Pradesh | B` =India). Since population of India is 1300 million, Madhya Pradesh is 72.6 million and Bhopal is 17.9 million. PRIL scores for P (B=Bhopal | B`= India) = 0.013 and P (B= Madhya Pradesh | B` =India) = 0.055. Lesser this value there is more data loss.

Discernibility Metric (DM) [ 36 ] measures number of records that are identical to a given record. The higher the value, the more information that is lost. For example, in the k-anonymity, k −1 record is identical to any given record, therefore the discernibility value will be at least k −1 for any record. More the value k, will increase generalization and suppression, and consequently the discernibility value. For this reason, this metric is considered to be the opposite concept of the k-anonymity. The metric is mathematically represented as

DM(m,k)=∑∀89 ;.=|89|@? ||4 + ∑∀89 ;.=|89|>?|||| EQ represents the equivalence class generated by anonymization method m and T represents total number of tuples. The first sum computes penalties for each non suppressed or generalized records and second sum for the suppressed records. In anonymized Table 3, since age attribute of all records are generalized, information loss using discernibility metric is 3*9=27. This indicates that with increase in equivalence class size the information loss also increases.

Many other privacy and information loss metrices are discussed in the literature [ 48 ] however the discussed metrics are suitable and easy to evaluate for crowdsourced data. Table 11 shows the summary of privacy loss and information loss metrices. (4)

The essential feature of mobile crowd sourcing is collecting large amount of data efficiently and in a cost-effective manner. Diverse and large work force contribute in performing the task. Hence mobile crowdsourcing finds its applications in problem solving, decision making and wisdom sharing. The privacy of the crowd workers may be at stake and they may be subjected to any of the attacks as discussed in this paper. Therefore, there is a great need of robust privacy preserving technique which is not vulnerable to existing attack. Added to this there is requirement of an efficient privacy preserving technique that protects the privacy and also does not harm the utility of the data. In future, the aim of this study is to explore emerging privacy attacks, evolving existing attacks, to mitigate these attacks by proposing and developing an efficient privacy preserving technique for mobile crowdsourcing.