Mario Gerla

Josh Joy, Dylan Gray, Ciaran McGoldrick et al.

Future autonomous vehicles will generate, collect, aggregate and consume significant volumes of data as key gateway devices in emerging Internet of Things scenarios. While vehicles are widely accepted as one of the most challenging mobility contexts in which to achieve effective data communications, less attention has been paid to the privacy of data emerging from these vehicles. The quality and usability of such privatized data will lie at the heart of future safe and efficient transportation solutions. In this paper, we present the XYZ Privacy mechanism. XYZ Privacy is to our knowledge the first such mechanism that enables data creators to submit multiple contradictory responses to a query, whilst preserving utility measured as the absolute error from the actual original data. The functionalities are achieved in both a scalable and secure fashion. For instance, individual location data can be obfuscated while preserving utility, thereby enabling the scheme to transparently integrate with existing systems (e.g. Waze). A new cryptographic primitive Function Secret Sharing is used to achieve non-attributable writes and we show an order of magnitude improvement from the default implementation.

Josh Joy, Mario Gerla

In this paper we present the Sampling Privacy mechanism for privately releasing personal data. Sampling Privacy is a sampling based privacy mechanism that satisfies differential privacy.

Sean Rowan, Michael Clear, Mario Gerla et al.

Autonomous and self-driving vehicles are appearing on the public highways. These vehicles commonly use wireless communication techniques for both vehicle-to-vehicle and vehicle-to-infrastructure communications. Manufacturers, regulators and the public are understandably concerned about large-scale systems failure or malicious attack via these wireless vehicular networks. This paper explores the use of sensing and signalling devices that are commonly integrated into modern vehicles for side-channel communication purposes. Visible light (using a CMOS camera) and acoustic (ultrasonic audio) side-channel encoding techniques are proposed, developed and evaluated in this context. The side-channels are examined both theoretically and experimentally and an upper bound on the line code modulation rate that is achievable with these side channel schemes in the vehicular networking context is established. A novel inter-vehicle session key establishment protocol, leveraging both side-channels and a blockchain public key infrastructure, is then presented. In light of the limited channel capacity and the interoperability/security requirements for vehicular communications, techniques for constraining the throughput requirement, providing device independence and validating the location of the intended recipient vehicle, are presented. These reduce the necessary device handshake throughput to 176 bits for creating symmetric encryption and message authentication keys and in verifying a vehicle's certificate with a recognised certification authority.

Joshua Joy, Mario Gerla

In this paper, we introduce the family of Anonymized Local Privacy mechanisms. These mechanisms have an output space of three values "Yes", "No", or "$\perp$" (not participating) and leverage the law of large numbers to generate linear noise in the number of data owners to protect privacy both before and after aggregation yet preserve accuracy. We describe the suitability in a distributed on-demand network and evaluate over a real dataset as we scale the population.

Dylan Gray, Joshua Joy, Mario Gerla

When dealing with privatized data, it is important to be able to protect against malformed user inputs. This becomes difficult in MPC systems as each server should not contain enough information to know what values any user has submitted. In this paper, we implement an MPC technique to verify blinded user inputs are unit vectors. In addition, we introduce a BGW circuit which can securely aggregate the blinded inputs while only releasing the result when it is above a public threshold. These distributed techniques take as input a unit vector. While this initially seems limiting compared to real number input, it is quite powerful for cases such as selecting from a list of options, indicating a location from a set of possibilities, or any system which uses one-hot encoding.

Joshua Joy, Ciaran McGoldrick, Mario Gerla

Smart cities rely on dynamic and real-time data to enable smart urban applications such as intelligent transport and epidemics detection. However, the streaming of big data from IoT devices, especially from mobile platforms like pedestrians and cars, raises significant privacy concerns. Future autonomous vehicles will generate, collect and consume significant volumes of data to be utilized in delivering safe and efficient transportation solutions. The sensed data will, inherently, contain personally identifiable and attributable information - both external (other vehicles, environmental) and internal (driver, passengers, devices). The autonomous vehicles are connected to the infrastructure cloud (e.g., Amazon), the edge cloud, and also the mobile cloud (vehicle to vehicle). Clearly these different entities must co-operate and interoperate in a timely fashion when routing and transferring the highly dynamic data. In order to maximise the availability and utility of the sensed data, stakeholders must have confidence that the data they transmit, receive, aggregate and reason on is appropriately secured and protected throughout. There are many different metaphors for providing end-to-end security for data exchanges, but they commonly require a management and control sidechannel. This work proposes a scalable smart city privacy-preserving architecture named Authorized Analytics that enables each node (e.g. vehicle) to divulge (contextually) local privatised data. Authorized Analytics is shown to scale gracefully to IoT scope deployments.

Joshua Joy, Minh Le, Mario Gerla

Today, mobile data owners lack consent and control over the release and utilization of their location data. Third party applications continuously process and access location data without data owners granular control and without knowledge of how location data is being used. The proliferation of IoT devices will lead to larger scale abuses of trust. In this paper we present the first design and implementation of a privacy module built into the GPSD daemon. The GPSD daemon is a low-level GPS interface that runs on GPS enabled devices. The integration of the privacy module ensures that data owners have granular control over the release of their GPS location. We describe the design of our privacy module and then evaluate the performance of private GPS release and demonstrate that strong privacy guarantees can be built into the GPSD daemon itself with minimal to no overhead.

Josh Joy, Mario Gerla

In today's digital world, personal data is being continuously collected and analyzed without data owners' consent and choice. As data owners constantly generate data on their personal devices, the tension of storing private data on their own devices yet allowing third party analysts to perform aggregate analytics yields an interesting dilemma. This paper introduces PAS-MC, the first practical privacy-preserving and anonymity stream analytics system. PAS-MC ensures that each data owner locally privatizes their sensitive data before responding to analysts' queries. PAS-MC also protects against traffic analysis attacks with minimal trust vulnerabilities.We evaluate the scheme over the California Transportation Dataset and show that we can privately and anonymously stream vehicular location updates yet preserve high accuracy.

Joshua Joy, Sayali Rajwade, Mario Gerla

In our study, we seek to learn the real-time crowd levels at popular points of interests based on users continually sharing their location data. We evaluate the benefits of users sharing their location data privately and non-privately, and show that suitable privacy-preserving mechanisms provide incentives for user participation in a private study as compared to a non-private study.

Joshua Joy, Eric Chung, Zengwen Yuan et al.

This paper presents a secure communication application called DiscoverFriends. Its purpose is to securely communicate to a group of online friends while bypassing their respective social networking servers under a mobile ad hoc network environment. DiscoverFriends leverages Bloom filters and a hybrid encryption technique with a self-organized public-key management scheme to securely identify friends and provide authentication. Additionally, DiscoverFriends enables anonymous location check-ins by utilizing a new cryptographic primitive called Function Secret Sharing. Finally, to the best of our knowledge, DiscoverFriends implements and evaluates the first Android multi-hop WiFi direct protocol using IPv6.

Fabio Angius, Cedric Westphal, Mario Gerla et al.

Social network companies maintain complete visibility and ownership of the data they store. However users should be able to maintain full control over their content. For this purpose, we propose WARP, an architecture based upon Information-Centric Networking (ICN) designs, which expands the scope of the ICN architecture beyond media distribution, to provide data control in social networks. The benefit of our solution lies in the lightweight nature of the protocol and in its layered design. With WARP, data distribution and access policies are enforced on the user side. Data can still be replicated in an ICN fashion but we introduce control channels, named \textit{thread updates}, which ensures that the access to the data is always updated to the latest control policy. WARP decentralizes the social network but still offers APIs so that social network providers can build products and business models on top of WARP. Social applications run directly on the user's device and store their data on the user's \textit{butler} that takes care of encryption and distribution. Moreover, users can still rely on third parties to have high-availability without renouncing their privacy.