SeRaNDiP: How can we leverage Inherent Sensor Noise for ensuring privacy guarantees in Wearable community sensing applications?

Ayanga Kalupahana
ACM UbiComp/ISWC 2023
Aug 2, 2023

Co-authors: Ayanga Kalupahana, Ananta Narayanan Balaji, Xiaokui Xiao, Li-shiuan Peh

Wearables for Community Sensing Applications

Wearables have been constantly evolving from wrist-worn smart watches/fitness trackers to other form factors such as earbuds, glasses, rings, insoles, gloves, textiles, etc. The wearable market has also been booming with new devices from tech giants like Apple, Google, Samsung, etc. Wearables are enriched with a multitude of sensors to measure parameters like heart rate, calories, body temperature, location, sound exposure, etc.

Since wearables provide a great source of sensory information, organizations around the world run incentive-based community sensing programs like 10,000 Steps Australia, National Step Challenge Singapore, Memorable Steps — 2020, and MantraCare. The goal of such community sensing programs is to understand the behavior and activity patterns of the community. Community sensing programs generally collect sensor data from each user and analyze it at the community sensing server to generate statistical insights on the community.

Are Community Sensing Servers Trustworthy?

Wearable sensors can also reveal unintended private information about an individual’s health and behavior. For instance, the accelerometer reveals a person’s height and emotions, the barometer identifies a user’s driving patterns and transportation modes, and the temperature sensor reveals information related to female infertility and depression. Therefore, preserving the privacy of wearable sensor data being sent to the community sensing server is a challenge. Recent reports question the privacy guarantee provided by community sensing organizations. In 2020, it was found that Samsung had been releasing Samsung Pay data to a third party for years without the user’s knowledge. To avoid such privacy violations at the community sensing server, the Distributed Differential Privacy (DDP) technique is commonly used.

What is Distributed Differential Privacy?

Distributed Differential Privacy (DDP) is a data distortion method that perturbs the raw sensor data (being sent from the user’s wearables to the community sensing servers) by adding statistical noise, so that attackers cannot infer information about any specific user record. In 2017, Apple implemented local differential privacy (a variant of distributed differential privacy) in macOS Sierra and iOS 10 to gain insights into usage patterns. DDP was also recently adopted in the Exposure Notification Privacy-preserving Analytics (ENPA) introduced by Apple and Google to enable automated alerts to users with potential exposure to COVID-19.

With wearables intimately worn on users throughout the day, they provide substantially more personal sensor information than smartphones, so DDP is even more critically needed. But wearables such as smartwatches, fitness trackers, and smart glasses have very limited computing and battery resources. In our research, we thus focus on lowering the power and computation overheads involved in realizing DDP on today’s wearables with constrained hardware resources.

How much is the Overhead Associated with Wearable DDP Implementation?

We studied the power and latency overheads (at the wearable device) associated with the state-of-the-art DDP implementation. With the Samsung Galaxy smartwatch, the random white Gaussian noise generation step (involved in DDP) introduces a 1.3 ms delay for each sampling of the accelerometer sensor. This constitutes about 33% of the total end-to-end latency, which spans the sampling of the sensor, the noise generation and computation, transmission to the server, and server computation. Further, noise generation and perturbation of the sensor data consume 20% additional power.

To further categorize the latency and energy consumption into four stages — sensing, random noise generation, encryption, and BLE communication, we implemented DDP on a low-power ESP32 microcontroller with an MPU-9250 accelerometer sensor which acts as the wearable device. A Raspberry Pi 3b development board simulated the community sensing server.

As shown in Figure 1, the random noise generation step in the state-of-the-art DDP implementation introduces up to 1.5x delay as well as 1.3x power overheads to the wearable.

Figure 1: Profiling state-of-the-art baseline DDP implementation w.r.t. total latency and energy consumption

Can We Skip the Random Noise Generation Required for DDP?

Sensor data is continuously obtained from wearables, and the acquired sensor data is inherently noisy due to the electrical/mechanical properties of the sensor as well as the inherent variance in the biological data sensed from the person wearing the wearable. Hence, we explore whether the observed inherent sensor noise can be used in place of the generated random noise, thus lowering the runtime and power overheads for differential privacy preservation in wearable community sensing applications.

Our Solution: SeRaNDiP

We propose SeRaNDiP (Sensor Random Noise for Differential Privacy), which utilizes the sensor’s inherent noise to meet differential privacy requirements under distributed differential privacy, thus removing the need for noise generation (Figure 2). We make use of the state-of-the-art noise profiling mechanism, Allan Deviation (AD), to characterize and estimate the noise components required to satisfy differential privacy requirements for wearable community sensing applications.

Figure 2: Overall architecture of our SeRaNDiP framework for differential privacy preservation in wearable community sensing applications

Further, SeRaNDiP leverages various hardware configurations — sampling rate, sensing range, filter cut-off frequency of the sensors, etc. to introduce different amounts of inherent noise depending on the application-specific differential privacy requirements.

Technical Validation of SeRaNDiP

How Different Differential Privacy Requirements can be provided with Hardware Configurations

Firstly, we varied one sensor hardware configuration, the sampling rate, and observed the inherent noise produced by the sensors: accelerometer, barometer, and temperature sensor. As observed in Figure 3, the standard deviation of white Gaussian noise decreases with increasing sampling rate regardless of the sensor manufacturer or the sensor type. We can thus conclude that the sampling rate can be varied to produce the desired amount of inherent noise in the observed sensor readings, with the highest sensor noise produced at the lowest sampling frequency.

Figure 3: Variations in the SD of white Gaussian noise in the wearable sensors w.r.t. sampling rate

On the other hand, the standard deviation of inherent sensor noise required from each user for a given differential privacy guarantee (𝜖) also decreases as the number of users increases (Figure 4).

Figure 4: SD of the inherent sensor noise required per user for the accelerometer sensor for providing different DP guarantees (𝜖) w.r.t. a given population size.

Since various sensor configurations can result in different amounts of inherent white Gaussian noise, the community sensing application can set the user’s wearable device’s sensor hardware configuration based on the amount of inherent sensor noise required from each user. Thereby, SeRaNDiP guarantees differential privacy requirements for different population sizes whilst ensuring low power and compute requirements on wearables.
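The selection step described above can be sketched end to end. This is an added example, not code from the paper or the SeRaNDiP project: it assumes the classical Gaussian-mechanism calibration with a sum aggregate (the paper's calibration may differ), and the noise levels, sensitivity, 𝜖 and δ values are constructed for illustration.

```python
import math
import random

def allan_deviation(samples, m=1):
    """Non-overlapping Allan deviation with an averaging window of m samples.
    For white noise, the value at m=1 equals the noise SD and ignores slow drift."""
    means = [sum(samples[i:i + m]) / m for i in range(0, len(samples) - m + 1, m)]
    sq = [(b - a) ** 2 for a, b in zip(means, means[1:])]
    return math.sqrt(sum(sq) / (2 * len(sq)))

def required_sd_per_user(epsilon, delta, sensitivity, n_users):
    """Per-user noise SD so that the sum over n_users is (epsilon, delta)-DP.
    Assumption: classical Gaussian mechanism calibration, valid for epsilon < 1."""
    if not 0 < epsilon < 1 or not 0 < delta < 1:
        raise ValueError("calibration assumes 0 < epsilon < 1 and 0 < delta < 1")
    total_sd = sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / epsilon
    # Independent per-user noise adds in variance: total_var = n_users * user_var.
    return total_sd / math.sqrt(n_users)

def pick_sampling_rate(noise_sd_by_rate, needed_sd):
    """Highest rate whose inherent noise still meets needed_sd; None if none does,
    in which case the device has to fall back to generated noise."""
    ok = [rate for rate, sd in noise_sd_by_rate.items() if sd >= needed_sd]
    return max(ok) if ok else None

def constructed_trace(white_sd, n=20000, drift_per_sample=0.001, seed=7):
    """Constructed sensor trace (mg): offset + slow drift + white noise."""
    rng = random.Random(seed)
    return [1000.0 + drift_per_sample * k + rng.gauss(0.0, white_sd) for k in range(n)]

# Constructed noise levels (mg) per sampling rate (Hz); not measurements from the paper.
TRUE_SD = {25: 4.0, 50: 2.8, 100: 2.0, 200: 1.4}
PROFILED = {rate: allan_deviation(constructed_trace(sd)) for rate, sd in TRUE_SD.items()}

def plan(n_users, epsilon=0.5, delta=1e-5, sensitivity=50.0):
    """Return (required per-user SD in mg, chosen sampling rate in Hz or None)."""
    needed = required_sd_per_user(epsilon, delta, sensitivity, n_users)
    return needed, pick_sampling_rate(PROFILED, needed)

if __name__ == "__main__":
    for n in (10_000, 20_000, 100_000):
        needed, rate = plan(n)
        print(f"{n:>7} users: need SD >= {needed:.2f} mg -> sampling rate {rate}")
```

Profiling with the Allan deviation rather than a plain standard deviation matters here: slow drift inflates the plain SD of a trace, which would overstate the white noise actually available for the privacy guarantee.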

Robustness to Temperature Changes

We have also validated the robustness of SeRaNDiP by studying inherent sensor noise at varied temperatures. As shown in Figures 5 and 6, the SD of the random white Gaussian noise produced by the sensors does not change significantly with respect to temperature variations. Hence, the results validate the robustness of SeRaNDiP to temperature variations in the environment.

Figure 5: SD of the white noise of accelerometer sensors (sampled at 25 Hz) under different environment temperature conditions.

Figure 6: SD of the white noise of barometer sensors (BMP388 sampled at 0.78 Hz and MPL3115A2 at 1 Hz) under different environment temperature conditions.

Applicability of SeRaNDiP to Current Smartwatches

The SD of white Gaussian noise produced by the accelerometer sensor in the Fitbit Sense and Samsung Galaxy smartwatch decreases when the sampling rate is increased, just as with the ESP32, as shown in Figure 7. Hence SeRaNDiP can be readily applied to today’s wearables, smartwatches, and smartphones.

Figure 7: Variations in the SD of white Gaussian noise in the accelerometer sensor of Fitbit Sense and Samsung Galaxy smartwatch w.r.t. sampling rate

If you are interested in knowing more about SeRaNDiP and its applicability to other wearable sensors, please check out our complete paper and project page. We will present our work at the upcoming UbiComp/ISWC 2023.

Ayanga Kalupahana
ACM UbiComp/ISWC 2023

Computer Science PhD Student at National University of Singapore | Electronics Engineer