Mobiscopes for Human Spaces
Tarek Abdelzaher1, Yaw Anokwa2, Péter Boda3, Jeff Burke4, Deborah Estrin5,
Leonidas Guibas6, Aman Kansal7, Sam Madden8, Jim Reich9
Abstract
The proliferation of affordable mobile devices with processing and sensing capabilities, together with the
rapid growth in ubiquitous network connectivity, herald an era of Mobiscopes; networked sensing
applications that rely on multiple mobile sensors to accomplish global tasks. These distributed sensing
systems extend the model of traditional sensor networks, introducing challenges in data management, data
integrity, privacy, and network system design. While several applications that fit the above description
exist in prior literature, they provide tailored one-time solutions to what essentially is the same set of
problems. It is time to work towards a general architecture that identifies common challenges and
provides a generalizable methodology for the design of future Mobiscopes. Towards that end, this paper
surveys a variety of current and emerging mobile, networked, sensing applications; articulates their
common challenges; and provides architectural guidelines and design directions for this important
category of emerging distributed sensing systems.
1. Introduction
A Mobiscope is a federation of distributed mobile sensors into a taskable sensing system that achieves
high-density sampling coverage over a wide area through mobility. Mobiscopes affordably extend into
regions that static sensors cannot, proving especially useful for applications in which data is required only
occasionally from each location. They represent a new type of infrastructure: ‘Virtual’ in the sense that a
given node may participate in forming more than one Mobiscope, but physically coupled to the
environment through carriers including people and vehicles. Public health epidemiological studies of
human exposure using mobile phones and real-time, fine-grained automobile traffic characterization using
sensors mounted on fleet vehicles are both examples of Mobiscope applications. While mobility has
proven critical in many scientific applications, such as NIMS for Science Observatories [Pon-etal05,
Rahimi-etal05], in this paper we focus on the particular challenges and opportunities posed by
Mobiscopes in human spaces.
Mobiscopes complement static sensing systems by addressing the fundamental limitations created by
fixed sensors. Sensing devices cannot always be placed with sufficiently high spatial density to accurately
sample the field of spatially-varying phenomena, making it impossible to satisfy spatial band-limiting
guarantees required by traditional sampling criteria. Coverage of large areas may be made challenging by
the need for long dwell times, the unavailability of wired power, the impracticality of battery replacement,
the inability of any one entity to install devices across the entire area, and the expense of purchasing and
maintaining a sufficient number of devices. Equally importantly, target sensor types may not be available
or affordable in the form of autonomous instruments, further motivating mobile, human-in-the-loop,
instruments. For example, city-scale measurements of air quality – which typically require the use of
1
University of Illinois at Urbana-Champaign, zaher@cs.uiuc.edu
University of Washington, yanokwa@cs.washington.edu
3
Nokia Research Center, Peter.boda@nokia.com
4
University of California, Los Angeles, jburke@cs.ucla.edu
5
University of California, Los Angeles, destrin@cs.ucla.edu
6
Stanford University, guibas@cs.stanford.edu
7
Microsoft, kansal@microsoft.com
8
Massachusetts Institute of Technology, madden@csail.mit.edu
9
Palo Alto Research Center, jreich@parc.com
2
expensive mass spectrometers to measure pollutants – are very expensive when using fixed sensor
infrastructures, but could be made substantially cheaper and cover much larger areas if sensors were
mounted on mobile nodes (e.g., cars.)
This combination of application demand and increasingly powerful wireless and sensing technology
suggest that it is time to consider a general architecture for Mobiscopes. To understand what is needed to
build a unified system, we consider several broad classes of Mobiscope and their commonalities.
1.1 Classes of Mobiscopes
Early Mobiscopes will arise directly from widely available sensing modalities in otherwise networked
devices. Examples today include image sensors in mobile phones, GPS in both phones and vehicles, and
the increasingly diverse telemetry available in vehicles. Here, we consider these as representatives of two
broad categeories of Mobiscope:
Vehicular Mobiscopes: One broad class of Mobiscope is vehicular applications for traffic and
automotive monitoring, such as [Kerner-etal05], where a subset of equipped vehicles sense various
surrounding conditions such as traffic, road conditions, or weather. This takes advantage of the spatial
oversampling often provided by dense vehicle traffic to produce useful information before all vehicles are
equipped to send data, but even when nearly 100% market penetration is achieved, subsampling the data
in an intelligent way will prevent network congestion and saves storage and processing. Initial probe
applications have already been deployed commercially. For example, [inrix] uses anonymous GPS data to
provide real-time traffic measurements for both freeways and local streets. Vehicular mobiscopes can
alternatively query for certain traffic types. For example, the authors of [Zhou-etal05] present EZCab, a
cab-finder application that uses vehicle-to-vehicle communication to find available cabs. The probe-car
concept can be extended into other applications, such as augmenting the small number of NavTeq, or
TeleAtlas vehicles used for street mapping or increasing the update frequency of Microsoft’s street-level
imagery capture for Virtual Earth. Probe cars can also acquire high-density maps of roadways as well as
taking road condition, weather and pollution measurements using sensors built into cars and phones.
Handheld Mobiscopes: A second emerging category of Mobiscopes for human spaces lies in those that
use handheld devices. Course grained location information can inform studies ranging from healthimpacts related to highway-exposure or other spatially-situated toxins, and detailed information on
individuals use of transportation systems (waiting times, noise pollution, etc.) and other public spaces.
Automated image and acoustic capture have been proposed to provide user feedback on diet, exercise,
and personal interaction, as well as for identifying and sharing real time information about civic hazards
and hotspots. An interesting example is civic participation during a crisis [Parker-etal06]. In this case, a
loose form of control could be exercised over sensor placement. Users ranging from policemen to citizens
could utilize their cell phone cameras to capture images about trouble spots in their neighborhood. Such a
civic system may send out requests for policemen to document unexplored areas or intervene in trouble
spots. A similar concept of camera-based mapping can be used in tourism. For example, visitors of the
Taj Mahal might share their tourist pictures in virtual albums that can then be browsed by other potential
visitors to get a current view combining all the perspectives from which it was recently photographed.
Metadata management to facilitate such sharing has received special attention [Davis-etal05].
1.2 Common Requirements
The applications mentioned above share several important requirements that are of particular priority for
Mobiscope operation and acceptance. For example, data persistence must be assured even when sensingnodes leave the data collection area or when no mobile nodes are present. At the same time, data access
will tend to be spatially correlated with the users’ current location and may change rapidly, in a somewhat
predictable manner, as the user moves. Data may be used to make decisions in real-time. The system may
use a human-in-the-loop as an actuator, sensor, or as interpreter or responder. Since the system will take
advantage of sensors and/or mobility sources already existing in the environment, social constraints on
system behavior come into play. Ownership of sensors and the resulting data is likely to be fragmented
among many private and public entities, so trust, coordinated deployment, and respect of privacy by users
cannot be assumed. The needed sensor data may be fragmented across multiple networks and connectivity
and likely user needs may change dynamically with motion. Furthermore, the metadata (e.g. sensor
position, orientation, type, and calibration parameters) will also need to compatibly cross networks.
The commonality of problems across a wide range of envisioned Mobiscope systems calls for a general
architecture and design guidelines for future Mobiscopes. This architecture will not only encourage
component reuse and reduce development cost, but will also promote interoperability among future
mobile sensing systems. Common interfaces are needed to negotiate privacy setting, exchange data feeds,
distill information, and perform coordinated actuation on the physical world. Components of such
architectures have been discussed in prior work, but often focused on a specific type of application. For
example, an architecture for vehicle-to-vehicle live video streaming (V3) is presented in [Guo-etal05,
Dikaiakos-etal05]. Architectural support for heterogeneity is discussed in [Modahl-etal04], based on the
concept of a Media Broker.
The remainder of this paper discusses these common architecture challenges in more detail, drawing on
applications from the literature and our own experience. We also survey some existing solutions and
summarize major areas where work remains to be done. In Sections 2 and 3 we address both the
opportunities and challenges associated with mobility and heterogeneity. Section 4 outlines one of the
greatest differentiating and challenging issues facing Mobiscope design and deployment, namely privacy.
Sections 5 and 6 outline challenges for networking, usability, and social acceptability based on the
Mobiscope characteristics presented.
2. Mobility and Sampling Coordination
Fundamentally, the performance of Mobiscopes depends on mobility patterns of transporters, which are
stochastic and have movement patterns that range from highly structured (e.g., road traffic) to more
unstructured (e.g., foot traffic), and with sensor densities which may vary widely over time and space.
Several challenges arise out of mobility. The network organization can be highly variable, both in terms
of sensing coverage and radio connectivity. Nodes may not have connectivity at all times and locations
when they collect data. Understanding data acquisition and distribution behavior in the network is
therefore non-trivial. Often, uncoordinated mobile nodes re-sense areas that other nodes have already
visited, but do not visit rarely traveled areas frequently enough. For example, in the CarTel project at
MIT [Bret-etal06] (see Figure 1), researchers have equipped cars with small embedded computers,
wireless radios, and GPS sensors and cameras for measuring road speed and imaging of road conditions.
Cars are driven by members of the MIT community who are simply going about their daily business –
unfortunately, user’s daily business often takes them on the same routes, providing relatively sparse
coverage of many of the back roads and outlying communities in the Boston area, while the MIT campus
receives highly redundant coverage.
Mobility also causes challenging dynamic behavior in sensor allocation and network topologies. In a
typical Mobiscope, there is likely to be interest in
particular regions in space, but the motion of
sensors (especially when those sensors are carried
by commuters or pedestrians) may be such that
coverage for locations of interest, or connectivity
via peer-to-peer transmission is poor. For example,
the mid-block regions of roadways with traffic
lights often contain no cars, and hence, no data may
be available from that region, and a hole in the
peer-to-peer network may be created as well. The
availability of the mobile sensing devices can
depend on user behavior and device characteristics.
For example, a user might forget their phone or turn
it off making it unavailable to the Mobiscope, or a
data service might not be available during a
telephone conversation. Solutions are needed to
cope with these challenges. The availability of
sensors may also change drastically with time, as
with cars and pedestrians at rush hour compared to
the low availability of sensors at midnight. In the
Figure 1: CarTel – A typical Mobiscope
remainder of this section, we discuss several
general solutions that Mobiscope designers can
employ to address mobility and coordination challenges.
Application Adaptation:
Applications must adapt to the available communication and sensing characteristics of the network. For
instance, they could buffer data when connectivity is not available, or dynamically adapt their spatial
scope. Mechanisms from disruption-tolerant networks and data muling contexts will be increasingly
important. Analytic foundations are also needed to understand global network behavior and the extent to
which adaptation can help maintain acceptable system performance. Existing work has addressed
adaptation to some extent – for example, summarizing data in low-bandwidth environments [Zhangetal907, Talukdar-etal98] or trading latency for bandwidth by using vehicles to carry large amounts of
data [Brewer-etal05], but substantial questions remain, particularly with respect to global resource
optimization. It is unclear how to best relate diverse resources such as total data transfer bandwidth, data
freshness, data propagation latency, and application-relevant metrics such as traffic conditions or time of
day. We identify several areas for future work that are particularly important for Mobiscope systems.
Actuated Mobility:
In some Mobiscopes, it may be possible to task some or all of the nodes to visit a specific location to
collect information on demand. We call such Mobiscopes “actuated”, and the actuatable nodes
“actuators”. In an actuated Mobiscope, server nodes can keep track of areas that most need to be visited,
and can task actuators to visit those areas either one at a time or as part of a circuit. Actuated Mobiscopes
present a number of interesting research challenges related to determining the value of observing a
particular location or collecting a particular piece of information versus the cost of sending an actuator to
that location. One common way to address these challenges is to formulate them as an optimization
problem, where the objective is to maximize the utility of information collected in a particular period of
time or subject to an energy or cost constraint [Meliou-etal06]. Distributed robotics has also addressed
similar coverage problems [Howard-etal06, Pon-etal05].
Opportunistic Connectivity:
In networks without predictable mobility, opportunistic connectivity – where nodes happen to come into
contact with each other or with network infrastructure (such as an open 802.11 network) – can
substantially improve connectivity over mechanisms that wait until nodes return back to some “home”
location where infrastructure connectivity is known to exist and can be cheaper and potentially more
efficient than solutions that rely on fixed cellular infrastructure (where upstream data rates are typically
highly constrained.) Important techniques worth exploiting include building low-level network protocols
that can quickly identify nearby nodes and associate with them (without, for example, long address
acquisition or channel negotiation delays) [Bret-etal06] and designing routing algorithms that can attempt
to deliver data through such opportunistic connections (for example, by using some form of limited-scope
flooding or by taking advantage of point-to-point long-haul connections within the network.)
Prioritization:
In many Mobiscopes, it is likely that there will be more information captured than can be delivered in real
time. One way to address this is via aggregation [Madden-etal05], but another alternative is to use some
form of prioritization, whereby different pieces of collected data are assigned different priorities, and data
is delivered in priority order. In some cases, simple prioritization, where particular types of data – such as
emergency alerts [Festag-etal05] -- are given greater importance, may be sufficient. However, a more
coordinated form of prioritization is needed when different nodes cover overlapping geographic areas,
since otherwise those nodes are likely to waste valuable bandwidth on redundant data reports. To avoid
such redundant reports, some form of coordination is needed – for example, before sending large
collections of sensor readings to a server responsible for presenting data to the user, a mobile node might
first send a compact summary of the data it has. The server can then look at the summary and determine
which pieces of information are valuable given the data it has received from other mobile nodes. CarTel
[Yang-etal07] employs a similar technique. In addition, many applications have data requirements which
are vary with time, location and vary in their need for frequent and low-latency data delivery. This might
be summarized by a more complex utility function which can radically increase efficiency over fixed
priority approaches [Ghosh-etal05].
3. Challenges and Opportunities of Heterogeneity
Mobiscopes will come into being through many different mechanisms: in some cases, hardware will be
explicitly deployed as a single Mobiscope to achieve a particular data-collection goal; in others, alreadydeployed devices will be federated into an ad-hoc collection through the participation of their owners. In
still different cases, virtual Mobiscopes will be formed by correlating already-gathered data without the
tasking of edge devices.
Mobiscopes will thus take on a variety of topologies and structures, federate devices with different
capabilities, and draw together components with varying levels of trust and credibility. Heterogeneity in
Mobiscopes can be classified across several dimensions: structure and topology, transducer performance,
data ownership, data dissemination qualities (e.g. resolution). Irregular data streams are inevitable due to
the mobile nature of sensors. Applications must be prepared to adapt task allocations and service levels to
the available resources.
Heterogeneity should be viewed as a fundamental and beneficial quality of Mobiscopes, not just a
problem to be overcome. Heterogenous sensing systems are far more immune to weaknesses of any one
sensing modality, and are far more robust against defective, missing, or malicious data sources than even
carefully-designed homogeneous systems. In some cases, the information the application needs is actually
available only by fusing data from several different sensing modalities. Moreover, the same qualities
necessary to support heterogeneous sensors also make the system more able to adapt to new varieties of
sensors that are developed over time or brought from other areas into the sensed space.
Heterogeneity of ownership
Unlike a sensor network that has been assembled by a single entity, such as a corporation or university
laboratory, Mobiscopes must be federated from individually-owned devices, held or worn by owners who
may or may not be trustworthy and may not maintain their devices in good condition. This will expose the
Mobiscope to intentional or accidental injection of incorrect data or biased sampling. It also brings to the
forefront issues of data integrity, trust, security and selective sharing that the architecture should address.
Heterogeneous data resolution and types
Applications may use the available data to derive and maintain metrics at multiple resolutions with
varying coverage in space and time. For instance, in a system of wearable ski-slope monitoring devices
that collect data from poll-mounted sensors [Eisenman-etal06b], coarser granularity measurements may
be available for more area and time instances while finer granularity data is served only for specific
regions (namely, the more populated slopes). Regularized grid interpolations derived from raw data can
be served to applications. Simple interpolations may be sufficient for smoothly-varying data such as
temperature, while more complex known or learned dynamics models fill in the gaps in faster-varying or
sparser data. In addition, buffering data and providing aggregates over multiple time-window sizes may
allow the data from an irregularly sampled world to yield reasonably uniform coverage as data trickles in
over time. There has been some work on the use of model-based techniques to improve the quality of
data despite missing values [Krause-etal05, Deshpande-etal06], but adapting this work to heterogeneous
data of varying types remains a great challenge.
Data heterogeneity also presents challenges when trying to integrate data from many different sensors
together. Projects like Nokia’s SensorPlanet 10 effort (see Figure 2) and the Microsoft SensorMap 11
project, users are invited to submit data from their own sensing deployments. Though these efforts
present a great potential resource, to make effective use of the data, some way to combine and query these
different data sets is needed.
Figure 2: Diagram illustrating the Nokia SensorPlanet initiative. Data from a variety of different data
sources is collected in a central repository that other users can query and process.
10
http://www.sensorplanet.org
http://atom.research.microsoft.com/sensormap/
11
Robustness through data heterogeneity
Observe that heterogeneity is both a difficulty and an asset. Heterogeneity of devices implies that
different transducers are available at different times at the nearby locations (e.g., image, acoustics,
physical sensors, user annotations). However, the nature of Mobiscopes implies that any sensor fusion
algorithm is at the mercy of the transporters and the network to determine when it will receive data, and
what type of data will arrive. This puts additional stress on the design of the sensor fusion and estimation
algorithms. This suggests significant advantages to model-driven approaches such as Kalman filters
[Kalman-85] or particle filters [Arulampalam-etal02], which adapt well to irregular sampling and allow
the use of heterogeneous sensor models and systems dynamics models. In some cases, heterogeneity even
be harnessed to increase robustness of sensing to defective, malicious or unavailable sensors, as seen in
the secure localization literature [Trappe-etal05].
4. Tackling Data Privacy
The topic of privacy hinges on complex policy issues that vary culturally and legally among societies, but
fundamentally, it is about people’s ability to control information flow about themselves. These issues are
especially difficult in Mobiscopes because the connection between the observed party and the sensor
collecting information is implicit in the relationships of the transporters, and because entities collecting
data are often inadvertently revealing information about themselves. The distributed ownership and
control of the nodes makes policies even more difficult to define, let alone enforce.
Policy definition
Beyond data distribution and management, data privacy issues present important trade-offs between the
need for selective sharing and the fidelity, configurability, usability, and verifiability of network
information output. The inability to publicly associate data with sources (for privacy reasons) can
potentially lead to loss of context, which reduces the ability of the network to generate useful information.
Conversely, revealing too much context can potentially thwart anonymity thus violating privacy
requirements. For example, consider sampling of ambient sound from a carried cell phone for purposes of
mapping sound pollution profiles or as a proxy for exposure to intensive highway traffic. Similarly,
consider the use of cell phone cameras as a form of civic engagement where citizens document concerns
such as uneven sidewalks, lack of handicap access, overflowing trashcans, etc. Clearly, these data are
more meaningful if the associated GPS readings are sent along with the primary data. However,
transmission of GPS data may reveal the identity of the user (e.g., if the GPS trace ends up most nights at
a particular address). It can also shed light on user activities. This problem is often termed location
privacy [Li-etal06]. Ensuring location privacy is a cross-cutting challenge that has implications on
services such routing [Kamat-etal05] and energy management [Ozturk-etal04]. Observe that a mobile
node is not restricted to a known private space under a single user’s jurisdiction but passes through
multiple spaces. Further, a mobile node is not part of a dedicated application but may be serving different
applications at different times. Effective user interfaces, and in some cases automatic adaptation, for
privacy settings may thus be required.
Local processing
Related to these concerns regarding sharing is the need for private individuals to keep something from
even becoming data, not just reducing access to data once collected. In many contexts this then means
putting the selectivity/filtering capabilities on the end-user node itself rather than relying on post facto
filtering. Another alternative is to provide the user with a private server space in which to review their
data before release [Parker-etal06], of course at the expense of latency and other aspects of usability.
Verification
A related issue is one of trust and data integrity. It is important to develop systems where the correctness
of data could be verified without violating the privacy of the source. Moreover, since distributed data
management in Mobiscopes relies on user cooperation, a challenge becomes to introduce proper
incentives that promote successful participation and prevent abusive access with the purpose of “gaming
the system”. In some cases, such as those of a peer-to-peer vehicle or handheld device networks,
constraints of privacy, transience of communication between participants and the sheer number of
participants may actually make cryptographic authentication of the user’s identity undesirable or
impractical. In these cases, the correct solution may be to instead rely on redundancy in the sensor data to
validate a data source anonymously [Golle-etal04]. An early account many of the other privacy (and
security) issues in sensor networks is presented in [Chan-etal03].
Privacy preserving data mining
While several privacy challenges can be resolved by employing a trusted authority that guarantees nondisclosure, the need to be trusted increases the barrier to entry for anyone who might want to contribute
aggregation and search functions to the sensor web. This leads to the following question: Can privacypreserving aggregation and search be achieved in the absence of trust in the entity performing these
operations? In this case, a user is not willing to share their data (with the untrusted node) but might be
interested in the result of aggregation over the target community. A field of great importance that solves
this problem is privacy preserving statistics and privacy-preserving data mining [Verykios-etal04].
Typically, additive random noise is used to perturb data without affecting the statistics to be collected.
Perturbed data can then be used, for example, to compute original data distributions [Agrwawal-etal01] or
construct decision-trees for data classification [Agrawal-etal00] without disclosing original values.
To illustrate, consider a trivial example where members of a population want to compute their average
undetected number of speeding violations per month (as measured by speed sensors mounted in their
vehicles that correlate actual speed to the speed limit read from a map at the current GPS location of the
vehicle). A trivial solution is one where each sensor adds a zero-mean random number to the actual
number of violations, sharing the resulting total. The disclosed total does not reveal the actual private
data. Nevertheless, averaging the totals over a large population gives the true population average (as the
added “noise” averages out). The scheme has the additional desirable property that if the population is not
large enough, the computed statistic is not accurate. This is an advantage, because in a small population
(e.g., a society of three), knowing an accurate average can reveal a lot about the individual values. The
choice of the best perturbation algorithm for a data set is a non-trivial problem that received much
attention [Evfimievski-etal02]. The extent to which additive noise improves privacy has also been studied
[Kargupta-etal03], revealing cases where private data can be reconstructed in violation of the intent from
perturbation. For example, it was shown that private data reconstruction is possible in the presence of
high data correlation [Huang-etal05].
A question to be solved is to develop robust solutions (with respect to various attacks on privacy) that
apply to statistical operations such as regression (used in the traffic example) and classification (used in
learning). In general, since the main goal of future Mobiscopes will lie in information distillation from
raw data, theoretical foundations are needed for obfuscating the raw data in a way that reconciles privacy
requirements on individual measurements with ability to compute certain aggregate properties of the
collective.
5. Networking challenges
Integrating sensing-capable mobile devices into the networking infrastructure shifts the network’s main
utility from data communication to information filtering. For humans to make sense of the constantly
increasing flow of data from sensors (and other sources), tools must be available to selectively filter,
aggregate, and disseminate data based on expressed or statistically most likely needs of individual data
consumers. A direct result of this information reduction requirement is the need for network storage as a
key service, as aggregation and filtering both imply a need to buffer information for potentially long
periods of time. Disruption-tolerant protocols [Jain-etal04] and architectures [Fall-03] may need to be
used to diffuse data towards destinations and buffer data when no opportunities exist for making progress.
A host of research challenges arise when considering information reduction in disruption-tolerant
networks. For example, of interest are protocols that integrate opportunistic en-route aggregation
mechanisms with buffering. The interplay between storage and data reduction in Mobiscopes also offers
interesting new directions for rethinking other basic network functions such as congestion control. For
example, information reduction can be performed more aggressively as a congestion control mechanism
to alleviate high storage utilization, or to increase user privacy by keeping data local. A direct
consequence of the need to process (e.g., reduce) data inside the Mobiscope is having to pay more
attention to network programming issues. Hence, a Mobiscope architecture should not only present
communication protocol and data management interfaces but also programming interfaces for in-network
computation. In short, the advent of ubiquitous networks of mobile embedded devices shifts the
fundamental networking paradigm, offering interesting new challenges in network architecture, protocol
design, and exported abstractions to application programmers. Resolving these challenges to shape future
network standards is one of the most interesting tasks of the research community for the next decade.
6. Human factors and social implications
Mobiscopes will be tightly coupled with their users. This presents significant human factors design
challenges and a host of socio-cultural implications that extend beyond limited notions of privacy in data
transmission and storage. Both of these issues, introduced briefly in this section, should become integral
considerations for the design of future Mobiscopes.
Academics considering observing systems for a variety of disciplines, including the social sciences,
public health, the arts and humanities, have considered social issues stemming from the autonomous
observation of individuals by information technology. (See, for example [Rule-04, Levin-etal02,
Agrawal-etal02].) Mobiscopes are part of our maturing ability to silently watch ourselves and others, and
their design and development must consider the related social issues. Traditional responses to these
concerns often postpone serious investigation because the technology is somehow considered immature.
In the case of Mobiscopes, previous sections have made clear that the latter is no longer true today, and so
we propose a few areas in which the community might move into a richer discussion of the social
implications of these observing technologies: (1) explicitly considering broader policy precedents in
information privacy as they apply to Mobiscopes, (2) popular education on information technology’s new
capabilities for observation, (3) facilitating individuals’ participation in sensing their own lives, and (4)
users’ knowledge and auditing of their own data uploads as a significant human factors design challenge.
For example, Agrawal et al. [Agrawal-etal02] explore the application of the Organisation for Economic
Co-operation and Development (OECD) international guidelines for data protection—collection
limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual
participation, and accountability—to databases containing medical records. The authors demonstrate that
implementing or supporting such ideals in technology presents rich research problems with few
immediate solutions to very practical concerns. Similarly, Hochheiser [Hoccheiser-02] compares the
World Wide Web Consortium’s Platform for Privacy Preference (P3P) with United States data privacy
policy. Mobiscope system design should begin with a similarly broad consideration of the existing policy
base and the practical concerns of the people being sensed, rather than focusing solely on narrower
challenges, such as protecting sensitive data during transmission and storage.
Finally, Mobiscope design can utilize the user interface of mobile devices, which have not been present in
traditional embedded systems. This presents significant human factors design challenges. We also
suggest that the presence of a local UI provides a key opportunity for ambient and explicit feedback to the
user on what data uploads are occurring from mobile devices at any given time. It also can afford users
the ability to configure their sensing participation and provide feedback on operational status. An
effective interface might present real-time streams or historical examples of locally collected data to help
the user decide their desired privacy and sharing settings, or present long term features extracted from
local or remote data over some geographic region. For instance, an application providing both upload
feedback and location-based information might display a stream of automobile traffic information from
an aggregation service visually on a map by color or line thickness (instead of actual numbers of passing
cars in a part of a city), or through simple classification such as “avoid”, “heavy traffic”, “easy”,
“practically no traffic” categories on a speech recognition interface. At the same time, an area of its
display might remind the user that their position was being anonymously shared to contribute to the
traffic map and give them the option to disable it. This alone presents many challenges in making end-toend guarantees to the user that the system is actually doing what it says it is doing.
7. Conclusions
This article discussed Mobiscopes, an emerging class of mobile sensor network that arises from the
proliferation of mobile sensors in users’ personal effects, vehicles, and handhelds, together with the
increasing wireless coverage, peer-to-peer communication and Internet connectivity. Mobiscopes
promise to offer distributed information collection services with unprecedented sensory penetration and
network scale that can opportunistically exploit user mobility to collect high-resolution measurements that
would not have been economically feasible with statically-placed sensors. This promise is tempered by a
number of challenges, resulting from the fluid, mobile, heterogeneous, and poorly coordinated nature of
most Mobiscopes. These systems raise a number of important design issues, namely:
1. What are the appropriate system architectures for Mobiscopes? What are the general techniques
that will allow us to build distributed, mobile sensing platforms that can adapt to resource
availability and sensing requirements of users?
2. What are the appropriate network protocols and abstractions for transmitting data across
heterogeneous networks with changing availability and bandwidth?
3. What programming models will make it easy to build Mobiscopes? How are issues like
heterogeneity, limited connectivity and in-network processing exposed to programmers?
4. How do we define “privacy” in the context of Mobiscopes, and how to deal with the new privacy
and security concerns – particularly as related to exposing a user’s location and everyday
activities – while still capturing and providing data that is usable to others? How can we trust the
data?
5. How do we deal with human issues related to the size, weight, and usability of mobile devices
that people involved in a Mobiscope must carry?
6. How can a broader social perspective positively influence the development of architecture for
Mobiscopes?
Some of these challenges have been partially addressed by existing research -- for example, there are a
number of researchers who have addressed privacy in sensor networks [Gruteser-etal03, Kamat-etal05],
or who have looked at network architectures for particular classes of Mobiscopes [Bret-etal06].
Unfortunately, this early work necessarily focused on individual application domains (e.g. car networks)
or research problems (e.g., key exchange in a sensor network) and not the broader architectural issues that
must be considered before Mobiscopes can be deployed on a wide scale. There is a great deal of work
still to be done on platforms and APIs that offer efficient, robust, private and secure networking and
sensory data collection in the face of heterogeneous connectivity and mobility.
References
[Agrawal-etal00] R. Agrawal and R. Srikant, “Privacy Preserving Data Mining,” Proc. ACM SIGMOD
Conf. Management of Data, pp. 439-450, May 2000.
[Agrawal-etal02] Agrawal et al. (2002) “Hippocratic Databases.” Proc. 28th VLDB Conf, Hong Kong,
2002.
[Agrwawal-etal01] D. Agrawal and C. C. Aggarwal, “On the Design and Quantification of Privacy
Preserving Data Mining Algorithms,” Proc. ACM SIGMOD, pp. 247-255, 2001.
[Arulampalam-etal02] Sanjeev Arulampalam, Simon Maskell, Neil Gordon, and Tim Clapp. A tutorial on
particle filters for on-line non-linear/non-gaussian bayesian tracking. IEEE Transactions on Signal
Processing, 50(2):174{188, 2002.
[Biswas-etal06] Subir Biswas, Raymond Tatchikou, Francois Dion,
Wireless
Communication
Protocols
for
Enhancing
Highway
IEEE Communications Magazine, v. 44, n. 1, January, 2006, pp. 74-82.
"Vehicle-to-vehicle
Traffic
Safety,"
[Bret-etal06] Bret Hull, Vladimir Bychkovsky, Kevin Chen, Michel Goraczko, Allen Miu, Eugene Shih,
Yang Zhang, Hari Balakrishnan, and Samuel Madden. CarTel: A Distributed Mobile Sensor Computing
System. SenSys, 2006
[Brewer-etal05] Eric Brewer, Michael Demmer, Bowei Du, Melissa Ho, Matthew Kam, Sergiu
Nedevschi, Joyojeet Pal, Rabin Patra, Sonesh Surana, Kevin Fall. “The Case for Technology in
Developing Regions.” IEEE Computer, 38(6), 2005.
[Chan-etal03] Haowen Chan, Adrian Perrig, “Security and Privacy in Sensor Networks,” IEEE Computer,
Vol. 36, No. 10, October 2003, pp. 103-105.
[Davis-etal05] Marc Davis, Nancy Van House, Jeffrey Towle, Simon King, Shane Ahern, Carrie
Burgener, Dan Perkel, Megan Finn, Vijay Viswanathan, and Matthew Rothenberg, "MMM2: Mobile
Media Metadata for Media Sharing," CHI 2005 (extended abstract).
[Deshpande-etal06] Amol Deshpande, Samuel Madden. “MauveDB: Supporting Model-Based User
Views in Database Systems.” SIGMOD, 2006.
[Dikaiakos-etal05] Marios D. Dikaiakos, Saif Iqbal, Tamer Nadeem, and Liviu Iftode, "VITP: An
Information Transfer Protocol for Vehicular Computing," Vehicular Ad Hoc Networks (VANET),
Cologne, Germany, September 2005.
[Eisenman-etal06b] Shane B. Eisenman and Andrew T. Campbell, “SkiScape Sensing,” (Poster Abstract)
in Proc. of Fourth ACM Conference on Embedded Networked Sensor Systems (SenSys 2006), Boulder,
November 1-3, 2006.
[Evfimievski-etal02] Alexandre Evfimievski, “Randomization in Privacy Preserving Data Mining,” ACM
SIGKDD Explorations Newsletter, Volume 4, Issue 2, Pages: 43-48, December 2002.
[Fall-03] Kevin Fall, “A Delay-Tolerant Network Architecture for Challenged Internets,” SIGCOMM’03,
August 25-29, 2003, Karlsruhe, Germany
[Festag-etal05] A. Festag, R. Schmitz, R. Baldessari. “Inter-Vehicle Communication - Improving Driver
Control and Vehicle Safety.” Demo, MOBICOM, 2005.
[Ganesan-etal05] Deepak Ganesan, Ben Greenstein, Denis Perelyubskiy, Deborah Estrin and John
Heidemann, Multi-resolution Storage and Search in Sensor Networks, ACM Transactions on Storage,
Volume 1, Issue 3, Pages: 277-315, August 2005
[Ghosh-etal05] Arpita Ghosh, Dan Greene, Qingfeng Huang, and Juan Liu. Variable-resolution
information dissemination. In Second Annual IEEE Communications Society Conference on Sensor and
Ad Hoc Communications and Networks (SECON 2005). IEEE, 2005.
[Golle-etal04] Golle, P.; Greene, D. H.; Staddon, J. Detecting and correcting malicious data in VANETs.
Proceedings of the First ACM Workshop on Vehicular Ad Hoc Networks; 2004 October 1; Philadelphia;
PA. NY: ACM; 2004; 29-37.
[Gruteser-etal03] M. Gruteser, D.D. Grunwald. “Anonymous usage of location-based services through
spatial and temporal cloaking.” MobiSys , 2003.
[Guibas-etal04] Leonidas Guibas. Kinetic Data Structures. In Handbook of Data Structures and
Applications, D. Mehta and S. Sahni, Eds, Chapman and Hall/CRC, 2004.
[Guo-etal05] Meng Guo, Mostafa H. Ammar, Ellen W. Zegura, "V3: A Vehicle-to-vehicle Live Video
Streaming Architecture," IEEE PerCom 2005, Kauai, Hawaii, March 2005.
[Hochheiser-02] Hochheiser, H. (2002) “The Platform for Privacy Preference as a Social Protocol: An
Examination Within the U.S. Policy Context.” ACM Trans. Internet Tech 2(4):276-306.
[Howard-etal06] A. Howard, L.. Parker, and G.. Sukhatme, Experiments with Large Heterogeneous
Mobile Robot Team: Exploration, Mapping, Deployment and Detection International Journal of
Robotics Research, Vol. 25, No. 5, pp. 431-447, May 2006.
[Huang-etal05] Z. Huang and W. Du and B. Chen, "Deriving Private Information from Randomized
Data," in Proceedings of the ACM SIGMOD Conference, pp. 37-48, Baltimroe, MD, 2005
[inrix] http://www.inrix.com
[Kalman-85] Kalman Filtering: Theory and Application. IEEE Press, 1985.
[Kamat-etal05] P. Kamat, Y. Zhang, W. Trappe C. Ozturk. “Enhancing source-location privacy in sensor
network routing.” ICDCS, 2005.
[Kansal-etal03] Aman Kansal, William Kaiser, Gregory Pottie, Mani Srivastava, Gaurav S. Sukhatme.
“Reconfiguration Methods for Mobile Sensor Networks.” NESL Technical Report #: TR-UCLA-NESL200601-03, http://nesl.ee.ucla.edu/document/show/182.
[Kerner-etal05] B.S. Kerner, C. Demir, S.L. Klenov et. al. Traffic state detection with floating car data in
road networks. Proceedings of the IEEE International Conference on Intelligent Transportation Systems,
September, 2005
[Krause-etal05] Andreas Krause, Carlos Guestrin, Anupam Gupta, Jon Kleinberg. “Near-optimal Sensor
Placements: Maximizing Information while Minimizing Communication Cost.” IPSN, 2005.
[Levin-etal05] Levin, T.Y., Frohne, U., Weibel, P. (2002) CTRL [SPACE]: Rhetorics of Surveillance
from Bentham to Big Brother. Cambridge, MA: MIT Press.
[Li-etal06] M. Li, K. Sampigethaya, L. Huang, and R. Poovendran, “Swing & Swap: User-Centric
Approaches Towards Maximizing Location Privacy,” ACM Workshop on Privacy in the Electronic
Society (WPES), pp. 19-28, October 2006.
[Huang-etal05] Jonathan Gips, Alex Pentland, "Mapping Human Networks," IEEE PerCom, Pisa, Italy,
March 2006.
[Madden-etal05] Sam Madden, Michael J. Franklin, Joseph M. Hellerstein and Wei Hong. TinyDB: An
Acqusitional Query Processing System for Sensor Networks. ACM TODS, 2005.
[McCurdy-etal05] Jyh-How Huang, Saqib Amjad, Shivakant Mishra, "CenWits: A Sensor-Based
Loosely-Coupled
Search
and
Rescue
System
using
Witnesses,"
Sensys,
San
Diego, CA, November 2005.
[Meliou-etal06] Alexandra Meliou, David Chu, Carlos Guestrin, Joe Hellerstein, and Wei Hong. Data
Gathering Tours in Sensor Networks. IPSN 2006.
[Modahl-etal04 Martin Modahl, Ilya Bagrak, Matthew Wolenetz, Phillip Hutto, and Umakishore
Ramachandran, "MediaBroker: An Architecture for Pervasive Computing," IEEE PerCom, Orlando, FL,
March 2004.
[Nath-etal04] Suman Nath, Phil Gibbons, Srinivasan Seshan, and Zachary Anderson. Synopsis diffusion
for robust aggregation in sensor networks. In Proceedings of the 2nd international Conference on
Embedded Networked Sensor Systems, Baltimore, MD, 2004.
[Ozturk-etal04] Celal Ozturk, Yanyong Zhang, and Wade Trappe, “Source-location privacy in energyconstrained sensor network routing,” Proceedings of the 2nd ACM workshop on Security of ad hoc and
sensor networks, Washington DC, 2004.
[Parker-etal06] Andrew Parker, Sasank Reddy, Thomas Schmid, Kevin Chang, Ganeriwal Saurabh, Mani
Srivastava, Mark Hansen, Jeff Burke, Deborah Estrin, Mark Allman and Vern Paxson. Network System
Challenges in Selective Sharing and Verification for Personal, Social, and Urban-Scale Sensing
Applications, , HotNets V, November 2006.
[Pon-etal05] Richard Pon, Aman Kansal, Duo Liu, Mohammad Rahimi, Lisa Shirachi, Yan Yu, Mark
Hansen, William J Kaiser, Mani B Srivastava, Gaurav Sukhatme, Deborah Estrin, "Networked
Infomechanical Systems (NIMS): Next Generation Sensor Networks for Environmental Monitoring,"
IEEE MTT-S International Microwave Symposium Digest , June 2005.
[Rasanen-etal04] Räsänen, M. and J. M. Nyce. (2006) “A New Role for Anthropology? – Rewriting
‘Context’ and ‘Analysis’ in HCI Research”, Proc. NordCHI 2006, October 14-18, 2006, Oslo, Norway,
pp 175-184.
[Rule-04] Rule, J. (2004) “Toward Strong Privacy: Values, Markets, Mechanisms, and Institutions.”
Univ. of Toronto Law Journal 54(2):183-225.
[5][Shin-etal05] Jaewon Shin, A. Man-Cho So, and Leonidas Guibas. Supporting Group Communication
among Interacting Agents in Wireless Sensor Networks. IEEE Wireless Communications and Networking
Conference (WCNC'05), 2005.
[Talukdar-etal89] Anup Talukdar, B. R. Badrinath, Arup Acharya. “Rate adaptation schemes in networks
with mobile hosts.” MOBICOM, 1998.
[Trappe-etal05] Li, W. Trappe, Y. Zhang, and B. Nath, “Robust statistical methods for securing wireless
localization in sensor networks,” in Proc. IPSN, 2005.
[Verykios-etal04] V.S. Verykios, E. Bertino, I.N. Fovino, L.P. Provenza, Y. Saygin, and Y. Theodoridis,
“State-of-the-Art in Privacy Preserving Data Mining,” ACM SIGMOD Record, vol. 3, no. 1, pp. 50-57,
Mar. 2004.
[Yang-etal07] Yang Zhang, Bret Hull, Hari Balakrishnan, and Samuel Madden. IceDB: Continuous
Query Processing in an Intermittently Connected World. ICDE 2007.
[Zhou-etal05] Peng Zhou, Tamer Nadeem, Porlin Kang, Cristian Borcea, Liviu Iftode, "EZCab: A Cab
Booking Application Using Short-Range Wireless Communications," IEEE PerCom, Kauai, Hawaii,
March 2005.