IEEE TRANSACTIONS ON MOBILE COMPUTING 1 Personalized

IEEE TRANSACTIONS ON MOBILE COMPUTING 1

Personalized Privacy-preserving Task Allocationfor Mobile Crowdsensing

Zhibo Wang, Senior Member, IEEE, Jiahui Hu, Ruizhao Lv, Jian Wei, Qian Wang, Member, IEEE,Dejun Yang, Member, IEEE, and Hairong Qi, Fellow, IEEE

Abstract—Location information of workers are usually required for optimal task allocation in mobile crowdsensing, which howeverraises severe concerns of location privacy leakage. Although many approaches have been proposed to protect the locations of users,the location protection for task allocation in mobile crowdsensing has not been well explored. In addition, to the best of our knowledge,none of existing privacy-preserving task allocation mechanisms can provide personalized location protection considering differentprotection demands of workers. In this paper, we propose a personalized privacy-preserving task allocation framework for mobilecrowdsensing that can allocate tasks effectively while providing personalized location privacy protection. The basic idea is that eachworker uploads the obfuscated distances and personal privacy level to the server instead of its true locations or distances to tasks. Inparticular, we propose a Probabilistic Winner Selection Mechanism (PWSM) to minimize the total travel distance with the obfuscatedinformation from workers, by allocating each task to the worker who has the largest probability of being closest to it. Moreover, wepropose a Vickrey Payment Determination Mechanism (VPDM) to determine the appropriate payment to each winner by considering itsmovement cost and privacy level, which satisfies the truthfulness, profitability and probabilistic individual rationality. Extensiveexperiments on the real-world datasets demonstrate the effectiveness of the proposed mechanisms.

Index Terms—Mobile Crowdsensing; Task Allocation; Differential Privacy, Personalized Privacy-preserving

F

1 INTRODUCTION

Nowadays, the ubiquity of mobile devices equipped withvarious functional built-in sensors (e.g., camera, micro-phone, accelerometer, GPS) and the increasingly powerfulwireless network have enabled the prosperity of mobilecrowdsensing. The new computing paradigm that lever-ages the power of the crowd supports mobile users toopportunistically perform tasks according to their interestsand schedule. Specifically, the mobile crowdsensing system-s mainly collect spatio-temporal data from environments,social and others. A typical mobile crowdsensing systemconsists of data requesters, a server and mobile users (work-ers), where the server publishes spatio-temporal tasks out-sourced by data requesters to mobile users, and then mobileusers use their mobile devices to complete the publishedtasks and upload the collected data to the server. Mobilecrowdsensing has a wide range applications in environmen-tal sensing [1], journalism [2], crisis response [3] and urbanplanning [4]. As a representative, the commercial app Waze[5], is a popular traffic monitoring and route navigationsystem that collects real-time traffic data from mobile usersin a crowdsourcing way.

• Zhibo Wang, Jiahui Hu, Ruizhao Lv, Jian Wei and Qian Wang arewith Key Laboratory of Aerospace Information Security and TrustedComputing, Ministry of Education, School of Cyber Science and Engineer-ing, Wuhan University, 430072, P.R. China. E-mail: {zbwang, jiahuihu,ruizhaolv, wj9528, qianwang}@whu.edu.cn

• Dejun Yang is with the Department of Computer Science at ColoradoSchool of Mines, CO, USA. E-mail: [email protected]

• Hairong Qi is with the Department of Electrical Engineering and Com-puter Science at the University of Tennessee, Knoxville USA. E-mail:[email protected]

Task allocation is one of the most important problem inmobile crowdsensing, which relies on the distances betweentasks and mobile users to assign tasks appropriately. How-ever, the location information may be disclosed during thetask allocation process, especially when the server cannotbe trusted (e.g., the server may be benefited by sellingthe location information to third parties). Adversaries whoobtain the locations can stage extensive attacks such asphysical surveillance, stalking, identity theft, and breachof sensitive information (e.g., health status, political andreligious views). Hence, disclosing true locations to the serv-er may be harmful to workers, which further discouragesthem from engaging in crowdsensing. This problem is moresevere for the mobile users who are not allocated with anytask at all, since their locations are disclosed to the serverwithout receiving any payoff. Therefore, location privacyshould be carefully considered in task allocation of mobilecrowdsensing systems.

Existing works on mobile crowdsensing mainly focuson maximizing utility of task allocation and designing in-centive mechanisms to improve user participation, whileprivacy protection has not been extensively explored. Re-cently, several works begin to address the problem of taskallocation in mobile crowdsensing with location privacyprotection. Liu et al. [6] applied the economic model forlocation privacy preserving and proposed a mechanism toleave out the bids and tasks assignment processes whichhave a risk of privacy leakage. However, this mechanismcan only protect the location privacy against the eavesdrop-pers and hackers over the communication channel whilethe malicious sever was out of its scope. Spatial cloakingis the most straightforward technique that blurs a user’sexact location into a spatial region in order to preserve the


LaplaceMechanism

Actual Distance

Obfuscated Distance

Data Requester

Server

1. Task Request

2. Task Publish

Fig. 1. The proposed framework of personalized privacy-preserving taskallocation in mobile crowdsensing with obfuscated distance.

location privacy [7]–[9]. However, the privacy guaranteescan be easily downgraded if adversaries hold certain priorknowledge, which is known as inference attack. In contrast,the authors in [10], [11] introduced differential privacy intotask allocation in mobile crowdsensing, providing theo-retically guaranteed location privacy protection regardlessof adversaries’ prior knowledge. However, To et al. [10]assumed that there is a trusted third party (cellular serviceproviders) to play the coordination role between the serverand workers, while in practice the cellular service providershave no motivation to participate. As for [11], the proposedgeo-obfuscation function is related to the task locations andneed to be updated if the task distribution is transformed,which may discourage the workers who need to downloadthe function before obfuscating their actual locations. Mostimportantly, both of them employ the same level of privacyprotection for all workers, which cannot satisfy the differentprivacy demands of workers. Consequently, some workersmay get insufficient privacy protection, while others getover-protected.

In this paper, we propose a personalized privacy-preserving task allocation framework for mobile crowdsens-ing that can allocate tasks effectively while providing per-sonalized location privacy protection. As shown in Figure 1,the basic idea is that, each worker utilizes Laplace Mechanis-m [12] to obfuscate the distances between itself to tasks withits personal privacy protection level, and uploads the obfus-cated distances as well as its personal privacy protectionlevel to the server, instead of uploading its true location ortrue distances to tasks. The server further selects the winnerfor each task and determines the appropriate payment forthe winners. In particular, we propose a Probabilistic WinnerSelection Mechanism (PWSM) to minimize the total traveldistance with the obfuscated information from workers,by allocating each task to the worker who has the largestprobability of being closest to it and eliminating the winnerconflict problem. Moreover, we propose a Vickrey PaymentDetermination Mechanism (VPDM) to determine the appro-priate payment to each winner by considering its movementcost and privacy leakage, which satisfies the truthfulness,profitability and probabilistic individual rationality.

The contributions of this paper are summarized as fol-

lows.

• To the best of our knowledge, this is the first workthat realizes personalized location privacy protectionfor task allocation in mobile crowdsensing, whichenables users to balance the payoff and privacy leak-age, and encourages users to participate in mobilecrowdsensing with theoretical guarantee of locationprivacy preservation.

• We propose a Probability Compare Function (PCF) todetermine which worker has a higher probability ofbeing closer to a task for two workers. Based on thePCF, we further propose the PWSM to minimize thetotal travel distance with the obfuscated informationand personal privacy levels from workers.

• We propose the VPDM to determine the appropriatepayment to each winner by considering its move-ment cost and privacy level, which satisfies the truth-fulness, profitability and probabilistic individual ra-tionality.

• We conduct extensive experiments on the real-worldcheck-ins datasets and compare the proposed PWS-M with two benchmarks. The experimental resultsdemonstrate the effectiveness of the proposed mech-anisms.

The remainder of this paper is organized as follows. Wediscuss the related works in Section 2. We present a high-level overview of our framework and formulate the prob-lems in Section 3. The proposed winner selection mechanismand payment determination mechanism are presented inSection 4 and 5, respectively. We evaluate the performance ofthe proposed mechanisms in Section 7 and finally concludethe paper in Section 8.

2 RELATED WORK

We briefly discuss the related work from the followingaspects: task allocation, location privacy and personalizedprivacy.

2.1 Task AllocationSpatial tasks require the workers to be at a specific placein order to fulfill a task. The locations of the workers playan important role in task allocation as the workers needto travel to locations of interested tasks to perform sensingjobs. There have been several works on minimizing thetravel distance in task allocation. Guo et al. [13] proposeda framework for optimizing tasks allocation considering thetime-sensitive tasks and delay-tolerant tasks, respectively. In[14], the authors proposed a task allocation framework formulti-task environments with the objective of minimizingthe travel distance. Moreover, there are also some worksfocusing on the sensing data quality, rewards, budget andsocial costs. In [15], the authors proposed a novel frameworkcalled CCS-TA to dynamically select a minimum numberof sub-areas for sensing task allocation in each sensingcycle while guaranteeing the quality of sensing data. In[16], the authors considered the sparse crowdsensing andproposed a task allocation framework with the objective ofmaximizing the quality of sensing data. He et al. [17] con-sidered sensing tasks with different requirements of quality


and proposed a mechanism which allocates tasks to mobileusers who are constrained by time budgets with the objec-tive of maximizing total rewards of platform. Wang et al.[18] considered the time-sensitive and location-dependentcrowdsensing systems with random arrivals and proposeda task allocation mechanism for maximizing profits of par-ticipants. In [19] [20], the authors considered the piggybackcrowdsensing and proposed to allocate tasks for maximiz-ing the coverage quality of the sensing task while satisfyingthe incentive budget constraints. A demand-based dynamictask allocation mechanism was proposed in [21] to balancethe participation among location-dependent tasks. Lin etal. [22] considered the bid privacy of users and proposedtwo privacy-preserving task allocation frameworks whichprotect the privacy of bids while achieving approximatesocial cost minimization.

2.2 Location PrivacyOriginating from the spatio-temporal privacy mechanismsin the location based service (LBS), the spatial cloakingtechnique can also be used for privacy-preserving task al-location. Spatial cloaking hides the worker’s location insidea cloaked region so that the adversary cannot attain theactual location of the worker [7]–[9]. In practice, there aremany mobile crowdsensing applications that do not requireexact locations, such as air quality monitoring. However, heprivacy guarantee can be easily downgraded if adversarieshold certain prior knowledge. Regardless of the adversaries’prior knowledge, differential privacy [23] was applied forthe location privacy protection in spatial task allocation. Themethod was adopted in [24] [25] to protect the publishing ofstatistical information about location-based datasets guar-anteeing that individual location information disclose doesnot occur. Andres proposed a location perturbation methodbased on a notion of geo-indistinguishability [26], which is aspecial application of differential privacy. In [27], the authorsused the Markov model to denote the possible locations andprotect the exact location with differential privacy.

Recently differential privacy was adopted for task allo-cation [10], [11] in mobile crowdsensing. In [10], differentialprivacy mainly protected the aggregated number of workersin a location. However, the trusted third party that computesthe aggregated counts of workers has no motivation to par-ticipate in practice. Wang et al. [11] avoided involving anythird party in the process but the proposed geo-obfuscationfunction is related to the task locations and need to beupdated if the task distribution is transformed, which maydiscourage the workers who need to download the functionbefore obfuscate their actual locations. Most importantly,both of them employ the same level of privacy protectionfor all workers, which cannot satisfy the different privacydemands of workers.

2.3 Personalized PrivacyDue to the different data owners have different expecta-tions of privacy protection, personalized privacy has beenconsidered in many privacy-preserving mechanisms, suchas personalized privacy for k-anonymity [28]–[30], whichallows each user to specify the minimum k they are com-fortable with. Recently, Alaggan et al. [31] proposed the

concept of heterogeneous differential privacy to preservethe privacy of personal data by considering users’ differentprivacy expecations. Jorgensen et al. proposed the personal-ized differential privacy to protect the aggregated number ofdatasets (e.g., count and median) [32], which is not suitablefor the location privacy protection.

In this paper, we focus on preserving location privacyof workers in task allocation of mobile crowdsensing, andpropose a personalized privacy-preserving task allocationframework, which can allocate tasks effectively while pro-viding personalized location privacy protection.

3 SYSTEM OVERVIEW AND PROBLEM STATEMENT

In this section, we first introduce the concept of generalizeddifferential privacy, and then present the proposed frame-work of the personalized privacy-preserving task allocationin mobile crowdsensing systems based on the concept ofgeneralized differential privacy. Finally, we describe thekey problems during the task allocation process: the winnerselection problem and the payment determination problem.

3.1 Generalized Differential PrivacyIn [23], the authors proposed that a mechanism K is ε-differential private if for any two adjacent databases x, x′,and any output Z , the probability distributions K(x), K(x′)differ on Z at most by eε, namely, K(x)(Z) ≤ eεK(x′)(Z).Andres et. al [12] generalized the notion of differential pri-vacy with the Euclidean metric and applied it into scenarioswhen x, x′ are not databases at all, but belong to an arbitrarydomain of secrets χ. For instance, it can be applied to dealwith geographic locations, which performs as a probabilisticgeo-obfuscation process that obfuscates the actual locationto another one [26]. For any x, x′, if the Euclidean distanced(x, x′) ≤ r, the difference between the distribution K(x)and K(x′) should be at most εr, where K is the obfuscationmechanism and ε denotes the level of privacy at one unitof distance. In this way, the adversary cannot distinguishthe actual secrete value of individuals even he/she knowsthe obfuscation mechanism K. The definition of dχ-privacymechanism is as follows.

Definition 1. (dχ-privacy [12]) A mechanism K satisfies dχ-privacy iff for all x, x′ ∈ X :

K(x)(Z) ≤ edχK(x′)(Z)

where K(x)(Z) denotes the probability that the reported valuebelongs to the set Z ⊆ Z . dχ = εd(x, x′) and ε is theprivacy budget, the smaller ε, the better privacy protection withind(x, x′).

Definition 2. (Laplace Mechanism [12]) Let X , Z be two setswhere X ⊂ R, Z = R, and let dX be a metric on X ∪ Z .D(x)(z) = ε

2 exp (−dX (x, z)) is a pdf for all x ∈ X wheredX = εdR(x, z) (dR(x, z) = |x − z|). Then the mechanism K:X → P (Z) is called a Laplace mechanism from (X , dX ) to Zand it satisfies dX−privacy.

Intuitively, when X and Z are one-dimensional values,the Laplace Mechanism denotes that the reported value zcan be obtained by adding Laplace noise on xwhere λ = 1/εand µ = 0, and it satisfies dX−privacy where dX = ε|x− z|.


Proposition 1. If dχ ≤ d′χ, dχ-privacy implies d′χ-privacy [12].

That is, for a mechanism K which satisfies dχ-privacy, italso satisfies d′χ-privacy if dχ ≤ d′χ.

3.2 System Overview

We consider mobile crowdsensing applications which lever-age the power of the crowd to collect massive spatio-temporal information. In general, the typical commercialmobile crowdsensing system consists of three parties: theserver, the data requesters and the workers with mobiledevices.

It is worth noting that the worker’s travel distance is animportant metric in task allocation which can be denoted byd(lw, lt), where lw, lt represent the locations of a worker anda task, respectively, and d(lw, lt) is the Euclidean distancebetween the locations lw and lt. Instead of submitting itsactual location, a worker can submit the distance betweenitself and an interested task to the server, so that the servercan accurately and efficiently allocate tasks. However, thelocation privacy can also be leaked by the true distance if theadversary has the prior knowledge about the worker, know-ing that the distribution of places π(x) which denotes thefrequency of worker visiting x. Therefore, in this paper, wepropose that each worker uploads the obfuscated distancesto its interested tasks to the server, instead of uploading itstrue location or the true distances to the interested tasks, toprotect the worker’s location privacy.

Figure 1 shows the proposed personalized privacy-preserving task allocation framework in mobile crowdsens-ing systems with distance obfuscation. The data requesterscreate spatial-temporal tasks on the server which then pub-lishes tasks to workers. Workers can obtain the accuratelocations of tasks so that they can determine whether toapply for tasks. Instead of applying for the interested tasksusing the actual locations or actual distances, the workerscan use Laplace mechanism to obfuscate the distance withtheir personalized privacy budget ε. Note that ε can be dif-ferent for different workers which depends on the privacyprotection requirement of each worker. The server selectsthe winner for each task (winner selection process) and givesthe winners payments once their uploaded data are certified(payment determination process).

Moreover, we assume that each task can be completedonce it is assigned to one worker, unless the worker cannotupload the useful data, which is out of the scope of thispaper. A worker can apply for multiple tasks so that itcan have more opportunities to be selected as a winnerby the server, but it can be assigned at most one task. Itis challenging to select winners for tasks and determinesthe payment for winners as the server is only aware of theobfuscated distances but not the true distances.

3.3 Problem Formulation

We use W = {w1, w2, . . . , wn} to denote the set of workersand T = {t1, t2, . . . , tm} to denote the set of tasks, where nand m are the numbers of workers and tasks, respectively.The data collected by each task tj ∈ T has a value vj forthe data requesters and the payment of the task cannotexceed the value. Moreover, each task is associated with

a geographical publishing region and only those workerswithin the region can receive the task information and canapply for it. The publishing region of task tj is the circularregion with the location of tj as the center and rj as theradius. Let dij denote the actual distance of worker wi totask tj , while dij denotes the obfuscated distance obtainedby adding the Laplace noise to dij . Each worker wi canselect some tasks he/she is interested in and then submitsthe tuples (tj , dij) and its own privacy budget εi to theserver, where tj ∈ Ti is a task in the set of interestedtasks of worker wi. Upon receiving the applications fromworkers, the server needs to select the winner for each taskand determines the payment for each winner wi.

3.3.1 Winner Selection ProblemThe server aims to find the winner for each task, with theobfuscated information, so that the total travel distance forall tasks can be minimized. Let x(wi, tj) denote the state oftask assignment, where x(wi, tj) = 1 means that task tj hasbeen allocated to worker wi, otherwise x(wi, tj) = 0. Hence,the winner selection problem is formulated as follows.

min∑tj∈T

∑wi∈W

x(wi, tj)dij

s.t. x(wi, tj) = {0, 1}∑tj∈T

x(wi, tj) ≤ 1, ∀ i = 1, 2, . . . , n

∑wi∈W

x(wi, tj) = 1, ∀ j = 1, 2, . . . ,m

(1)

The objective is to minimize the total travel distance toall tasks. The second constraint indicates that each workerwill be assigned to at most one task, and the third constraintindicates that each task will be assigned to one worker.

The formulated problem is an Integer Linear Programmingproblem, which could be easily solved if the actual distancesdij is known. However, in order to protect the locationprivacy, only the obfuscated distances dij and personalprivacy protection level are uploaded to the server, whichmakes the winner selection problem difficult to solve.

3.3.2 Payment Determination ProblemThe server needs to determine the appropriate paymentsfor the winners by considering the travel costs and privacyprotection levels.

If worker wi is selected as the winner for task tj . Theutility of worker wi can be denoted by

Uij =

{Pij − Cij , if x(wi, tj) = 1

0, otherwise(2)

where Pij and Cij are the payment and the cost for workerwi performing task tj , respectively. The cost Cij is mainlyincurred by traveling to the location of tj (movement costCmij ) and privacy leakage (privacy cost Cpi ). Intuitively, thelarger of the travel distance dij , the larger of the movementcost Cmij . The larger of the privacy budget εi, the smaller ofthe added noise and the larger of the privacy leakage Cpi .Hence, we have

Cij = Cmij + Cpi= αdij + βεi

(3)


where α and β are coefficients that scale the value ofmovement cost and privacy cost. The proposed paymentdetermination mechanism should satisfy the following threedesirable properties [33]:

• Individual Rationality: A worker will have a non-negative utility when performing a task.

• Profitability: The value of each task should be at leastas large as the payment paid to the winner so that thedata requesters can benefit from the data.

• Truthfulness: A mechanism is truthful if no workercan improve its utility by cheating its travel distance,no matter what others do.

Note that we assume the workers have no motivation tocheat their privacy budget because the Laplace mechanismwill sanitize their travel distance according to their selectedprivacy budget and directly upload the sanitized distanceand privacy budget to server, which makes them cannotget any excessive utility by doing that. It is challenging todesign a payment determination mechanism satisfying theabove three properties simultaneously without knowing theactual distances of workers.

4 PROBABILISTIC WINNER SELECTION MECHA-NISM

In this section, we focus on the winner selection problemand propose the Probabilistic Winner Selection Mechanism(PWSM) to minimize the total travel distance for task allo-cation without knowing the true distances to tasks.

As shown in Figure 2(a), each worker can choose aset of tasks from the published tasks. Let Api denote theuploaded application from work wi that contains the workerID, privacy budget εi and (task-distance) tuples. Anonymityor pseudonym techniques can be used for worker ID toprotect the Identity information of each user. Note thatidentity protection is not the focus of this paper, any suit-able identity protection techniques can be adopted into ourframework. The workers upload the applications as shownin Figure 2(b). Upon receiving Api, the server aims to findthe winner for each task so that the total travel distance canbe minimized.

However, without knowing the true distances, it is d-ifficult to find the optimal task allocation to minimize thetotal travel distance. To solve this problem, we propose asuboptimal solution that finds the winner of a task as theworker who has the largest probability of being closestto the task. In particular, some workers may be selectedas the winners of multiple tasks, so we also propose aconflict elimination algorithm (CEA) to solve the conflicts.In the following, we introduce the proposed mechanismsstarting from the single task scenario, and then moving tothe multiple tasks scenario.

4.1 Single Task Scenario

We start from the single task scenario where the serverpublishes only one task tk and there are multiple workersapplying for it. The objective is to find the closest workerto the task, given the obfuscated distances and personalprivacy budgets, which is difficult as the true distances are

T1

t1 t2 t3

S

tm

T2 T3 Tn-1 Tn

w1 w2 w3 wn-1 wn

T1

S

T2 T3 Tn-1 Tn

w1 w2 w3 wn-1 wn

Ap1

Ap2 Ap3Apn-1

Apn

ID1Ap1

ID2Ap2

SC-server

Tasks

Task sets

Workers

(a) Task Selection (b) Task Application

Fig. 2. The selection and application process of workers in our proposedtask allocation model.

unknown. To solve this problem, we transform the problemto finding the worker with the largest probability of beingclosest to the task.

Let us start from the special case that only two workerswi and wj applying for the task, and then extend it to a moregeneral case. Worker wi uploads εi and dik, and worker wj

uploads εj and djk. The server aims to obtain the probabilityof dik smaller than djk, denoted by P (dik ≤ djk). Theworker wi gets the sanitized distance dik by adding theLaplace noise on dik, hence we have

dik = dik − ηi, ηi ∼ Laplace(0, 1/εi) (4)

Similarly we have

djk = djk − ηj , ηj ∼ Laplace(0, 1/εj) (5)

where ηi and ηj are variables that follow the Laplace distri-bution. Note that the smaller of εi, the larger of the addednoise, and the stronger the privacy protection level. Thenwe have

P (dik ≤ djk) = P (dik − ηi ≤ djk − ηj)

= P (dik − djk ≤ ηi − ηj)(6)

where dik − djk is known by the server. The above equationcan be seen as a probability problem about two-dimensionalcontinuous variables (ηi, ηj) in the plane set D, denoted byP ((ηi − ηj) ∈ D). The plane D can be denoted by

D = {(ηi, ηj) : ηi − ηj ≥ dik − djk} (7)

The double integral operation can be used for solving thisproblem, we have

P (dik − djk ≤ ηi − ηj) = P ((ηi − ηj) ∈ D)

=

∫∫Df(ηi, ηj)dηidηj

(8)

where f(ηi, ηj) denotes the joint probability density functionof (ηi, ηj). Since the variables ηi, ηj are independent fromeach other, we have∫∫

Df(ηi, ηj)dηidηj =

∫∫Df(ηi)f(ηj)dηidηj

=

∫ ∞

−∞(

∫ ηi−(dik−djk)

−∞f(ηi)f(ηj)dηj)dηi

(9)Note that

f(ηi)f(ηj) =εiεj4

e−(εi|ηi|+εj |ηj |) (10)


Equation (9) can be seen as a function, where the inputsof the function are (dik, djk, εi, εj), and the output is theprobability of dik smaller than djk. We call this function asthe Probability Compare Function (PCF). Combining Equation-s (6) and (9), we have

P (dik ≤ djk) = PCF (dik, djk, εi, εj)

=

∫∫Df(ηi, ηj)dηidηj

(11)

If P (dik ≤ djk) > 1/2, we can say that worker wi willbe closer than worker wj with a larger probability. Based onthis principle, we can compare any two workers who applythe task and finally find the worker who has the largestprobability of being closest to the task.

4.2 Multiple Tasks Scenario

Next we focus on the multiple tasks scenario. As shown inFigure 2, we assume there are n workers applying for mtasks. For each task, there are at most n workers applyingfor it. To solve the winner selection problem, for each task,we utilize the proposed PCF to determine which workeris closer and sort them in descending order in terms ofprobability. We use a matrix Am×n to denote the sortedindices of workers for all tasks, which is

Am×n =

a11 a12 · · · a1na21 a22 · · · a2n

......

. . ....

am1 am2 · · · amn

(12)

where aij is the index of a worker, aij ∈ {1, 2, . . . , n}. Forexample, aij = k means that worker wk who applies taskti is ranked at the jth position. If there are only ρ ( ρ ≤ n)workers applying for task ti, aij will be∞ for any j > ρ.

Let Ai denote the ith row of matrix A, which is thesorted indices of workers who apply for task ti. Let S =[s1, s2, . . . , sm] denote the set of winners for all tasks, wheresi denotes the winner for task ti. In general, the expectedwinner should be Ai[1] for task ti, that is, si = Ai[1] = ai1.If each expected winner is allocated with at most one task,the winner selection process is completed.

However, there may exist some workers who are selectedas the winners of multiple tasks, while each worker can beallocated with at most one task. We call this as the winnerconflict problem. Given the vector S, the winner conflicthappens if there exist i and j satisfying S[i] = S[j].

4.2.1 Conflict Elimination Algorithm (CEA)We propose the CEA to solve the winner conflict problem.The key idea is that, for any conflict, say wc is selected asthe winner of ϕ tasks, we allocate only one task to wc andfind another candidate other than wc for each of the restϕ − 1 conflicted tasks, with the objective of minimizing thetotal travel distance. We repeat this process until there is noconflict in the final winner vector S.

In the following, we use an example shown in Figure3 to better explain the conflict elimination process whenworker wc is selected as the winners by ϕ tasks. The bestcandidate beside wc is the one who has the second largestprobability of being closest to the each task. That is, the

candidate for task ti is ai2 if ai1 = c. Note that this exampleonly shows how to eliminate the conflicts of wc, and newconflicts may happen for the new winners, and the proposedCEA will iteratively solve the conflict until no conflict exists.For the example in Figure 3, we present all possible conflictselimination situations for wc as follows.

C1 : Di =D(ai1) +D(aj2) + . . .+D(ak2)

C2 : Dj =D(ai2) +D(aj1) + . . .+D(ak2)

...Cϕ : Dk =D(ai2) +D(aj2) + . . .+D(ak1)

(13)

where D(aij) denotes the actual travel distance for theworker with index aij to task ti. Di denotes the traveldistance for the ϕ conflicted tasks when ti is assigned towc and the other tasks are assigned to the correspondingcandidates who rank behind the winners. The objective isto find the minimum travel distance from all situationsin Equation (13). Hence, we need to compare the traveldistance for any two situations.

Di −Dj = D(ai1) +D(aj2)−D(ai2)−D(aj1) (14)

Since ai1 = aj1 = c, D(ai1) and D(aj1) can be replacedby dci and dcj , respectively. We assume that ai2 denotes theindex of wa, aj2 denotes the index of wb. Then D(ai2) andD(aj2) can be replaced by dai and dbj , respectively. Hencethe above Equation can be represented by

Di −Dj = dci + dbj − dai − dcj (15)

However, the server cannot obtain the actual travel dis-tance of workers and only knows the sanitized distance dci,dbj , dai and dcj . Therefore, the objective to compare Di andDj will be converted to find the probability of Di−Dj ≤ 0.

P (Di −Dj ≤ 0) = P (dci + dbj − dai − dcj ≤ 0)

= P (dci − dcj ≤ dai − dbj)(16)

Based on Equation (6), we have

P (dci − dcj ≤ dai − dbj) = P (dci + dbj − dai − dcj ≤ 0)

= P (dci − ηc1 − dcj + ηc2 ≤ dai − ηa − dbj + ηb)

ηc1 ∼ Laplace(0, 1/εc), ηc2 ∼ Laplace(0, 1/εc)

ηa ∼ Laplace(0, 1/εa), ηb ∼ Laplace(0, 1/εb)(17)

where there exist four variables ηc1 , ηc2 , ηa and ηb, so thatwe cannot get the result until more constraints about thosevariables are known. To solve this problem, we roughlyassume that the difference between the travel distances fordifferent tasks is relatively small if those tasks are appliedfor by the same worker. That is, dci can be thought close todcj . Hence we have

P (Di ≤ Dj) = P (dai − dbj ≥ 0)

= P (dai ≥ dbj)(18)

P (Di ≤ Dj) can be calculated by the proposed PCF. IfP (dai ≥ dbj) ≥ 1/2, Di has a larger probability of beingsmaller than Dj , so task ti should be assigned to wc andtask tj will be assigned to the candidate.

We can see that the problem to compare Di and Dj hasbeen converted to compare dai and dbj , which are travel


ai2 ai31

2

ϕ

aj1 aj2 aj3

ak1 ak2 ak3

ai1 ai2 ai3

aj1 aj2 aj3

ak1 ak2 ak3

Winner

Conflicts EliminationConflicts Happen

ai1

ai1 = aj1 = = ak1= c

ai1 ai2 ai3

aj1 aj2 aj3

ak1 ak2 ak3

ai1 ai2 ai3

aj1 aj2 aj3

ak1 ak2 ak3

Fig. 3. Illustration of the conflict elimination process when worker wc is selected as the winners of ϕ tasks. ai1 denotes the expected winner of taskti after sorting, and ai2 is the candidate with the second largest probability of being closest to ti.

distances of candidates for task ti and task tj , respective-ly. The comparison for all the conflicts can be comparedsimilarly. Note that conflicts would not happen commonlyin practice because tasks are usually distributed sparsely.Moreover, the number of tasks each worker can apply forare limited, which further reduces the occurrence of winnerconflict.

4.2.2 PWSMThe key idea of PWSM is firstly using the PCF to find awinner for each task from workers who apply for it, andthen using the CEA to eliminate the winner conflicts. Theprocedures are descried as follow:

1) Use the PCF to construct the matrix Am×n that denotesthe sorted probabilities of workers for m tasks.

2) Pick up the first element in each row as the winner foreach task, and put them into S.

3) If S contains the same element, winner conflict happensand repeatedly apply the CEA to eliminate conflictsuntil there is no conflict in S.

Theorem 2. The complexity of the proposed PWSM is O(κ2 n2

m +κ2n), where m and n are the number of tasks and workers,respectively, and κ is the largest number of tasks a worker canapply for.

Proof. The PWSM mainly contains the sorting process andthe conflict elimination process. The average number of ap-plications each task has is κn/m, so that sorting the workerswith the typical bubble sorting algorithm takes O((κn/m)2)for each task. For all m tasks, the complexity of obtainingAm×n will be O(κ2 n2

m ). As for the conflict eliminationprocess, the worst-case to eliminate conflicts is that it takesO(κ(κn/m) for each task to eliminate conflicts. Since thereare m tasks, the complexity of CEA will be O(κ2n). Hencethe complexity of PWSM is O(κ2 n2

m + κ2n).

5 VICKREY PAYMENT DETERMINATION MECHA-NISM

In this section, we propose the vickrey payment determi-nation mechanism (VPDM) to determine the appropriate

payment by considering its travel distance and privacylevel, which should satisfy the truthfulness, profitability andprobabilistic individual rationality.

In payment determination, the payment paid to thewinner cannot exceed the value of the task itself. That isthe payment Pij of winner wi for task tj cannot exceed thetask value vj . The server can use the parameters α and βto control the payment and use them to assess the value ofmoving distance and privacy. For example, if the winner wi

applies for task tj with the privacy budget εi and the actualdistance is dij . The cost Cij of wi for performing task tj is

Cij = αdij + βεi (19)

where the larger of εi, the smaller of the added noise and thelarger of the privacy leakage. Since the cost is incurred bytwo aspects, we determine the payment from compensatingthe movement cost and privacy cost, respectively. We have

Pij = Pmij + P l

ij (20)

where Pij is the payment for winner wi performing task tj .Pmij and P l

ij denote the payment for the movement cost andprivacy leakage, respectively.

We use rj to denote the radius of the task publishingregion, hence the true distances of workers who apply fortask tj cannot exceed rj . Let εmax denote the largest privacybudget that workers can use for protecting their locations.Then we have {

αjrj + βjεmax = vj

αj = κβj(21)

where κ is the parameter to scale the difference of αj andβj . In order to guarantee that the cost of all the tasks cannotexceed their values, we have

α = min(αi), β = min(βj), i, j ∈ [1,m] (22)

As for the payment P lij , the server can straightly pay

the winner according to the submitted privacy budget εiand parameter β. It’s simple to see that the P l

ij = βεi willsatisfy the individual rationality and truthfulness, becausethe utility of workers is always 0 and can be non-negative.Moreover, the workers have no motivation to cheat their


privacy budget because the uploaded sanitized distances aregenerated by the selected privacy budget.

While for the determination of the payment Pmij , itis challenging to guarantee the individual rationality andtruthfulness because dij is only known to the worker itself.Hence the server aims to find dij (dij ≥ dij) and thencalculate Pmij = αdij , so that the utility of a worker wouldnot be negative. From Equation (4), we have

P (dij − dij ≥ 0) = P (dij − dij + ηi ≥ 0) (23)

where ηi ∼ Laplace(0, 1/εi). Hence the server can use theabove equation to find dij that guarantees the probability ofdij − dij ≥ 0 at least be P .

Definition (P-Individual Rationality) A Mechanism M sat-isfies P-Individual Rationality if each worker has a non-negative utility with a probability of at least P .

Suppose we find a dij , Pij = αdij + βεi satisfies theP-Individual Rationality, however, it may not satisfy thetruthfulness. Worker wi who applies for task tj can calculatedij using a fake distance dij instead of true distance dij ,where min(d−ij) > dij > dij . d−ij denotes the distanceof other workers who apply task tj except worker wi. Wecan see that worker wi can still be the winner and acquiremore payment by cheating his/her actual distance. Inspiredby the Vickrey Auction (a truthful auction mechanism) wherethe highest bidder wins but the price paid is the second-highest bid, we use the candidate’s distance to determinethe payment for the winner. Suppose the candidate for tasktj is wc, then we can use dcj to replace dij in Equation (23),and we have

P (dij − dcj ≥ 0) ≥ P (24)

where dcj is the actual distance of candidate wc for task tj .According to Equation (4) and the symmetry of Laplace

distribution, we have

dcj = dcj + ηc, ηc ∼ Laplace(0, 1/εc) (25)

Then we have

dcj ∼ Laplace(dcj , 1/εc) (26)

The Equation (24) can be converted to

P (dij − dcj ≥ 0) ≥ P ⇔ P (dcj ≤ dij) ≥ P⇔ F (dij) ≥ P

(27)

where F (x) is the distribution function of dcj and can berepresented by

F (x) =

∫ x

−∞

εc2e−(εc|x−dcj |) (28)

Note that the server needs to give more payment to thewinner for a larger dij . In order to save the cost of the server,dij should be the threshold that satisfies F (dij) = P , whichcan be calculated based on Equation (27) and Equation (28),given that εc and dcj are known by the server. Moreover, dijshould not be larger than rj . If no candidate can be found,we also let dij = rj . Hence the payment Pij of worker wiperforming task tj is

Pij = αdij + βεi (29)

where α and β are calculated from Equation (22), and dij iscalculated from F (dij) = P .

Theorem 3. The proposed VPDM is PP (dcj ≥ dij)-IndividualRationality.

Proof. Based on Equation (3) and Equation (29), the utilityof worker wi for task tj is

Uij = (αdij + βεi)− (αdij + βεi)

= α(dij − dij)(30)

Therefore, the probability of the winner receiving a non-negative utility can be converted to the probability of dijlarger than dij , which is

P (dij − dij ≥ 0) ≥ P (dij − dcj ≥ 0)P (dcj ≥ dij)≥ PP (dcj ≥ dij)

(31)

That is, each winner has a non-negative utility with aprobability of at least PP (dcj ≥ dij), where P (dcj ≥ dij)can be calculated by the PCF.

Theorem 4. The proposed VPDM is truthful.

Proof. The VPDM can be truthful if and only if the winnercannot improve its utility by unilaterally cheating its truedistance (e.g., adds Laplace noise to a fake distance dijinstead of the true distance dij). We discuss the problemfrom the following situations:

• (dij < dij): If dij < min(d−ij), wi is still thewinner and the payment does not change. If dij >min(d−ij) > dij , wi becomes the winner by cheatingbut the payment is decided by min(d−ij), so the liarwill obtain a negative utility.

• (min(d−ij) > dij > dij): Worker wi is still thewinner but his/her utility does not change.

• (dij > min(d−ij)): If dij < min(d−ij), workerwi was the winner but now is not the winner aftercheating, so its utility becomes 0. If dij > min(d−ij),wi is always not selected as the winner.

Based on the above analysis, we can see that workerscannot improve their utility by unilaterally cheating its truedistance, which means that workers will be truthful in theprocess of task allocation.

Theorem 5. The proposed VPDM is profitable.

Proof. We have dij ≤ rj and εi ≤ εmax. According toEquation (21), we have

αj dij + βjεi ≤ vj (32)

Since α ≤ αj and β ≤ βj , we have

pij = αdij + βεi ≤ vj (33)

Therefore, the proposed payment determination mecha-nism is profitable.


6 PRIVACY ANALYSIS

Theorem 6. Let Xi ∈ Rk denote the set of actual distances ofworker wi to its interested tasks Ti where |Ti| = k, and M be amechanism where M(Xi) = Xi +Lap(1/εi). Then, M satisfiesεi∑tj∈Ti rj-privacy where rj is the publishing region of tj .

Proof. For any Xi, X′i ∈ Rk where xij ∈ Xi, x′ij ∈ X ′i

denote the actual distance of worker wi to task tj andd(xij , x

′ij) ≤ rj . Zi ∈ Rk denotes the set of reported dis-

tances of worker wi to tasks in Ti. Zi = Xi+(η1, η2, . . . , ηk)where ηj are i.i.d random variables drawn from Lap(1/εi).Hence we have,

P (Xi = Zi)

P (X ′i = Zi)=

∏tj∈Ti

(exp(−εi|zij − xij |)exp(−εi|zij − x′ij |)

)

=∏tj∈Ti

exp(εi(|zij − xij | − |zij − x′ij |))

≤∏tj∈Ti

exp(εi|xij − x′ij |)

= exp(εi‖Xi −X ′i‖1)

(34)

Note that each task tj is associated with a geographi-cal publishing region with the radius of rj . Hence the‖Xi − X ′i‖1 ≤

∑kj=1 rj . Hence M satisfies εi

∑tj∈Ti rj−

privacy.

From Theorem 6, we can see that different workers canhave different privacy levels and the privacy level of eachworker is related to its selected privacy budget and appliedtasks. The smaller of the privacy budget εi, the better of theprivacy protection. The smaller of the number of appliedtasks and rj , the higher of the privacy protection. This isbecause more information about the location of worker wiwill be exposed with the increase of the number of appliedtasks, which means higher probability of privacy leakage.Moreover, d(xij , x

′ij) will increase with the increase of rj ,

which means higher distinguishability or lower privacyprotection. Note that the location of worker wi would notbe leaked even with a very large rj . For instance, whenrj = 1000 km, dX becomes large so that the sever can inferwhether the worker wi is located in Paris or London with ahigh probability, but it still cannot infer the actual locationof wi in the city.

7 EXPERIMENTAL EVALUATION

In this section, we evaluate the performance of the proposedPWSM and VPDM on a real-world check-in dataset. Weimplement the mechanisms in Python and compare itsperformance with two benchmark mechanisms.

7.1 DatasetWe use the dataset collected from Foursquare in [34], whichincludes long-term (about 10 months) check-in data in NewYork and Tokyo from 12 April 2012 to 16 February 2013.The data of New York contains 227428 check-ins and Tokyocontains 573708 check-ins. The density of check-ins in 10months is shown in Figure 4. We can see that most of thecheck-in events happened in the central urban areas, hencewe distribute the tasks in these areas and users in these areascan be seen as the workers. The tasking area of Tokyo is

(a) Tokyo (b) New York

Fig. 4. The density of check-ins in two cities.

(a) Tokyo (b) New York

Fig. 5. The distribution of tasks on the real map in two cities.

within longitude (139.68, 139.80) and latitude (35.62, 35.74),and the tasking area of New York is within longitude (-74.04,-73.93) and latitude (40.69, 40.80).

7.2 Setup and MetricsIn order to evaluate the winner selection accuracy of theproposed mechanisms, we conduct experiments on datasetsfrom two representative cities Tokyo and New York. Thedata collection scenario can be taking pictures at the subwaystations. We set the locations of tasks based on the subwaystations and the locations of workers based on the officelocations of users in datasets. There are 325 subway stationsin Tokyo and 142 in New York, and there are 503 offices inTokyo and 492 in New York. Note that the number of officesis the result after removing the situation that each user IDhas multiple offices with different locations.

In the experiments, we randomly select a certain numberof subway stations as the locations of tasks and officelocations as the locations of workers. First, we evaluatethe performance of the proposed mechanisms based on thedifferent task distribution shown in Figure 5 when there are100 tasks and 400 workers. Second, we mainly use the Tokyodataset to investigate how our proposed mechanisms per-form when the different key parameters (e.g., task number)vary. The number of tasks ranges from 40 to 140 and thenumber of workers ranges from 400 to 500. The publishingregion ri ranges from 0.8km to 1.8km and the default valueis 1.5km. The privacy budget of workers ranges from 1 to 5.Each worker will apply for at most 3 tasks that are closest tohim/her.

We use two metrics to evaluate the effectiveness of theproposed mechanisms: the average travel distance (ATD) forPWSM and the satisfactory rate (SR) for VPDM.

• ATD: the real total travel distance of the winners di-vided by the number of successfully allocated tasks.


(a) distribution (b) task number (c) worker number (d) publishing region

Fig. 6. Comparison of the winners selection mechanisms on the average travel distance.

(a) task number (b) worker number (c) publishing region (d) parameter P

Fig. 7. The performance of payment determination mechanism on the satisfactory rate.

• SR: the ratio of the number of winners who receivethe non-negative payment to the number of totalwinners.

We compare PWSM with two benchmarks.

• No-Privacy: The optimal winner selection mechanis-m when workers’ real locations are reported to theserver without any privacy protection.

• Same-Privacy (PWSM-Same): The winner selectionmechanism based on the PWSM when the privacybudgets of all workers are the same. We set theprivacy budget ε as 1 for all workers.

7.3 Evaluation on PWSMFigures 6 shows the performance comparison of three win-ner selection mechanisms on the average travel distance(ATD) under different parameters. “PWSM-Pers” meansthat each worker randomly selects its personal privacy levelεi from [1, 5], while “PWSM-Same” means that all workersadopt the same privacy level of ε = 1.

Figure 6(a) shows the ATD of three winner selectionmechanisms against the city when there are 400 workersand 100 tasks. We can see that workers take a larger ATDto finish tasks in Tokyo than New York. This is becausethe task distribution in Tokyo is sparser than that in NewYork. Figure 6(b) shows the ATD of three winner selectionmechanisms against the number of tasks when there are400 workers. We can see that the ATD decreases withthe increase of task number, which is because the averagetravel distance to tasks is smaller with higher density oftasks. Figure 6(c) shows the ATD of three winner selectionmechanisms against the number of workers when thereare 100 tasks. We can see that the ATD does not changesignificantly with the increase of worker number. Figure

6(d) shows the ATD of three winner selection mechanismsagainst the radius of publishing region when there are 400workers and 100 tasks. We can see that the ATD increasesfor larger size of the task publishing regions. This is becausethat, when the size of the publishing region increases, somefar away tasks that were not allocated to any worker arenow allocated to workers. Since the distances between theworkers and far away tasks are large, the ATD of all workersincreases when the size of publishing region increases.

From Figure 6, we can see that the PWSM always has alarger ATD than No-privacy, which is because the latter canoptimally allocate tasks to workers with the true locations ofworkers. However, PWSM provides strongly personalizedlocation privacy protection for workers. We can also observethat the ATD of PWSM with different protection levels issmaller than that of PWSM with the same largest protectionlevel, which is because the true distances are obfuscatedwith larger noise when the strongest protection level isadopted by all workers.

7.4 Experiments for VPDM

Figures 7(a-c) show the performance of the proposed VPDMon the satisfactory rate (SR) when P is 0.9. We can see thatthe VPDM always has a SR higher than 96%, which is largerthan P = 0.9. Figure 7(a) shows the SR against the numberof tasks when there are 400 workers. We can see that the SRincreases from 96% to 99% when task number increases from40 to 60, and thereafter SR does not increase significantly.This is because the number of total winners is small whenthere are 40 tasks so that one or two winner who receivethe negative payment will decrease the SR sharply. Figure7(b) shows the SR against the number of workers whenthere are 100 tasks. We can see that the SR increases slightlywith the increase of the number of workers. This is because


the effect of winners who receive the negative payment willdecrease with the increase of the number of total winners.Figure 7(c) shows the SR against the radius of the publishingregion when there are 100 tasks and 400 workers. We can seethat the SR does not change with the increase of publishingregion size.

Figure 7(d) shows the SR against the parameter P whenthere are 100 tasks and 400 workers. We can see that theSR increases with the increase of parameter P . This is be-cause workers has a larger probability to get a non-negativepayment with the increase of parameter P . We can alsoobserve that SR is always larger than P , which validatesthe correctness of the proposed payment determinationmechanism.

8 CONCLUSIONS

In this paper, we proposed a personalized privacy-preserving task allocation framework for mobile crowdsens-ing systems. Each worker uploads the obfuscated distancesand personal privacy budget to the server instead of upload-ing its true location or true distances to tasks. In particular,we proposed the PWSM that allocates tasks to workers withonly the obfuscated information while minimizing the totaltravel distance. We also proposed the VPDM to determinethe appropriate payment to each winner by considering itsmovement cost and privacy leakage. We proved that theproposed framework provides personalized privacy protec-tion, and satisfies the truthfulness, profitability and proba-bilistic individual rationality. Moreover, we proved that eachworker can have εi

∑tj∈Ti rj-privacy in our framework,

which is related to its personal privacy budget and interest-ed tasks. Extensive experiments on the read-world datasetsdemonstrate the effectiveness of the proposed mechanisms.

ACKNOWLEDGMENTS

This work was supported in part by National Natural Sci-ence of China (Grants No. 61502352, 61772551, U1636219and 61373167), the National Basic Research Program ofChina (Grant 2014CB340600), National Science Foundation(Grants No. 1444059, 1717315), Shandong Provincial KeyProgram of Research and Development (2018GGX101035),Natural Science Foundation of Hubei Province (Grants No.2017CFB503, 2017CFA007 and 2017CFA047), FundamentalResearch Funds for the Central Universities (Grant No.2042018gf0043, 413000035 and 18CX07003A), and State KeyLab. for Novel Software Technology, Nanjing University(Grant No. KFKT2018B09). Qian Wang is the correspondingauthor.

REFERENCES

[1] P. Dutta, P. M. Aoki, N. Kumar, A. Mainwaring, C. Myers,W. Willett, and A. Woodruff, “Common sense: participatory urbansensing using a network of handheld air quality monitors,” inProc. of ACM SenSys, 2009, pp. 349–350.

[2] T. Aitamurto, “The impact of crowdfunding on journalism: casestudy of spot. us, a platform for community-funded reporting,”Journalism practice, vol. 5, no. 4, pp. 429–445, 2011.

[3] S. B. Liu and L. Palen, “The new cartographers: Crisis mapmashups and the emergence of neogeographic practice,” Cartog-raphy and Geographic Information Science, vol. 37, no. 1, pp. 69–90,2010.

[4] D. C. Brabham, “Crowdsourcing the public participation processfor planning projects,” Planning Theory, vol. 8, no. 3, pp. 242–262,2009.

[5] “Waze,” https://www.waze.com/.[6] B. Liu, W. Zhou, T. Zhu, H. Zhou, and X. Lin, “Invisible hand:

a privacy preserving mobile crowd sensing framework basedon economic models,” IEEE Transactions on Vehicular Technology,vol. 66, no. 5, pp. 4410–4423, 2017.

[7] C. Cornelius, A. Kapadia, D. Kotz, D. Peebles, M. Shin, andN. Triandopoulos, “Anonysense: privacy-aware people-centricsensing,” in Proc. of ACM Mobisys, 2008, pp. 211–224.

[8] L. Pournajaf, L. Xiong, V. Sunderam, and S. Goryczka, “Spatialtask assignment for crowd sensing with cloaked locations,” inProc. of IEEE MDM, vol. 1, 2014, pp. 73–82.

[9] I. J. Vergara-Laurens, D. Mendez, and M. A. Labrador, “Privacy,quality of information, and energy consumption in participatorysensing systems,” in Proc. of IEEE PerCom, 2014, pp. 199–207.

[10] H. To, G. Ghinita, and C. Shahabi, “A framework for protectingworker location privacy in spatial crowdsourcing,” Proc. of theVLDB Endowment, vol. 7, no. 10, pp. 919–930, 2014.

[11] L. Wang, D. Yang, X. Han, T. Wang, D. Zhang, and X. Ma, “Lo-cation privacy-preserving task allocation for mobile crowdsensingwith differential geo-obfuscation,” in Proc. of WWW, 2017, pp. 627–636.

[12] K. Chatzikokolakis, M. E. Andres, N. E. Bordenabe, andC. Palamidessi, “Broadening the scope of differential privacyusing metrics,” in Proc. of PETS, 2013, pp. 82–102.

[13] B. Guo, Y. Liu, W. Wu, Z. Yu, and Q. Han, “Activecrowd: A frame-work for optimized multitask allocation in mobile crowdsensingsystems,” IEEE Transactions on Human-Machine Systems, vol. 47,no. 3, pp. 392–403, 2017.

[14] Y. Liu, B. Guo, Y. Wang, W. Wu, Z. Yu, and D. Zhang, “Taskme:multi-task allocation in mobile crowd sensing,” in Proc. of ACMUbicomp, 2016, pp. 403–414.

[15] L. Wang, D. Zhang, A. Pathak, C. Chen, H. Xiong, D. Yang, andY. Wang, “Ccs-ta: Quality-guaranteed online task allocation incompressive crowdsensing,” in Proc. of ACM UbiComp, 2015, pp.683–694.

[16] L. Wang, D. Zhang, Y. Wang, C. Chen, X. Han, and A. M’hamed,“Sparse mobile crowdsensing: challenges and opportunities,”IEEE Communications Magazine, vol. 54, no. 7, pp. 161–167, 2016.

[17] S. He, D.-H. Shin, J. Zhang, and J. Chen, “Toward optimal alloca-tion of location dependent tasks in crowdsensing,” in Proc. of IEEEINFOCOM, 2014, pp. 745–753.

[18] Z. Wang, R. Tan, J. Hu, J. Zhao, Q. Wang, F. Xia, and X. Niu, “Het-erogeneous incentive mechanism for time-sensitive and location-dependent crowdsensing networks with random arrivals,” Com-puter Networks, vol. 131, no. 2, pp. 96–108, 2018.

[19] H. Xiong, D. Zhang, G. Chen, L. Wang, and V. Gauthier, “Crowd-tasker: Maximizing coverage quality in piggyback crowdsensingunder budget constraint,” in Proc. of IEEE PerCom, 2015, pp. 55–62.

[20] D. Zhang, H. Xiong, L. Wang, and G. Chen, “Crowdrecruiter:selecting participants for piggyback crowdsensing under proba-bilistic coverage constraint,” in Proc. of ACM UbiComp, 2014, pp.703–714.

[21] Z. Wang, J. Hu, J. Zhao, D. Yang, H. Chen, and Q. Wang, “Payon-demand: Dynamic incentive and task selection for location-dependent mobile crowdsensing systems,” in Proc. of IEEE ICDCS,2018.

[22] J. Lin, D. Yang, M. Li, J. Xu, and G. Xue, “Frameworks for privacy-preserving mobile crowdsensing incentive mechanisms,” IEEETransactions on Mobile Computing, 2017.

[23] C. Dwork, “Differential privacy: A survey of results,” in Proc. ofTAMC, 2008, pp. 1–19.

[24] G. Ghinita, “Privacy for location-based services,” Morgan & Clay-pool Publishers, vol. 4, no. 1, pp. 1–85, 2013.

[25] Q. Wang, Y. Zhang, X. Lu, Z. Wang, Z. Qin, and K. Ren, “Real-timeand spatio-temporal crowd-sourced social network data publish-ing with differential privacy,” IEEE Transactions on Dependable andSecure Computing, 2016.

[26] M. E. Andres, N. E. Bordenabe, K. Chatzikokolakis, andC. Palamidessi, “Geo-indistinguishability: Differential privacy forlocation-based systems,” in Proc. of ACM CCS, 2013, pp. 901–914.

[27] Y. Xiao and L. Xiong, “Protecting locations with differential priva-cy under temporal correlations,” in Proc. of ACM CCS, 2015, pp.1298–1309.


[28] B. Wang and J. Yang, “Personalized (α, k)-anonymity algorithmbased on entropy classification,” Journal of Computational Informa-tion Systems, vol. 8, no. 1, pp. 259–266, 2012.

[29] X. Xiao and Y. Tao, “Personalized privacy preservation,” in Proc.of ACM SIGMOD, 2006, pp. 229–240.

[30] X. Ye, Y. Zhang, and M. Liu, “A personalized (a, k)-anonymitymodel,” in Proc. of IEEE WAIM, 2008, pp. 341–348.

[31] M. Alaggan, S. Gambs, and A.-M. Kermarrec, “Heterogeneousdifferential privacy,” Journal of Privacy and Confidentiality, vol. 7,no. 2, pp. 127–158, 2016.

[32] Z. Jorgensen, T. Yu, and G. Cormode, “Conservative or liberal?personalized differential privacy,” in Proc. of IEEE ICDE, 2015, pp.1023–1034.

[33] D. Yang, G. Xue, X. Fang, and J. Tang, “Crowdsourcing to smart-phones: Incentive mechanism design for mobile phone sensing,”in Proc. of ACM MobiCom, 2012, pp. 173–184.

[34] D. Yang, D. Zhang, V. W. Zheng, and Z. Yu, “Modeling user activi-ty preference by leveraging user spatial temporal characteristics inlbsns,” IEEE Transactions on Systems, Man, and Cybernetics: Systems,vol. 45, no. 1, pp. 129–142, 2015.

Zhibo Wang received the B.E. degree in Au-tomation from Zhejiang University, China, in2007, and his Ph.D degree in Electrical Engi-neering and Computer Science from Universi-ty of Tennessee, Knoxville, in 2014. He is cur-rently an Associate Professor with the Schoolof Cyber Science and Engineering, Wuhan U-niversity, China. His currently research interest-s include mobile crowdsensing systems, cyber-physical systems, recommender systems andprivacy protection. He is a Senior Member of

IEEE and a Member of ACM.

Jiahui Hu received the B.S. degree in Infor-mation Security from Wuhan University, China,in 2016. She is currently pursuing her Masterdegree at School of Cyber Science and Engi-neering, Wuhan University. Her research interestfocuses on mobile crowdsensing systems.

Ruizhao Lv received the B.S degree in Com-puting Science and Technology from NortheastAgricultural University, China, in 2017. He iscurrently pursuing his Master degree at Schoolof Cyber Science and Engineering, Wuhan Uni-versity. His research interest focuses on mobilecrowdsensing systems.

Jian Wei received the B.S degree in Informationand computing Science from Wuhan Textile U-niversity, China, in 2017. He is currently pursu-ing his Master degree at School of Computer,Wuhan University. His research interest focuseson mobile crowdsensing systems.

Qian Wang received the B.S. degree fromWuhan University, China, in 2003, the M.S. de-gree from Shanghai Institute of Microsystem andInformation Technology, Chinese Academy ofSciences, China, in 2006, and the Ph.D. de-gree from Illinois Institute of Technology, US-A, in 2012, all in Electrical Engineering. He iscurrently a Professor with the School of CyberScience and Engineering, Wuhan University. Hisresearch interests include wireless network se-curity and privacy, cloud computing security, and

applied cryptography. Qian is an expert under “1000 Young TalentsProgram” of China. He is a co-recipient of the Best Paper Award fromIEEE ICNP 2011. He is a Member of IEEE and a Member of ACM.

Dejun Yang received the B.S. degree fromPeking University, Beijing, China, in 2007 andthe Ph.D. degree in computer science from Ari-zona State University, Tempe, AZ, USA, in 2013.Currently, he is the Ben L. Fryrear Assistan-t Professor of computer science with ColoradoSchool of Mines, Golden, CO, USA. His re-search interests include economic and optimiza-tion approaches to networks, crowdsourcing, s-mart grid, and security and privacy. Prof. Yanghas served as a Technical Program Committee

Member for many conferences, including the IEEE International Confer-ence on Computer Communications (INFOCOM), the IEEE InternationalConference on Communications (ICC), and the IEEE Global Communi-cations Conference (GLOBECOM). He has received Best Paper Awardsat the IEEE GLOBECOM (2015), the IEEE International Conference onMobile Ad hoc and Sensor Systems (2011), and the IEEE ICC (2011and 2012), as well as a Best Paper Award Runner-up at the IEEEInternational Conference on Network Protocols (2010).

Hairong Qi received the B.S. and M.S. degreesin Computer Science from Northern JiaoTongUniversity, Beijing, China in 1992 and 1995 re-spectively, and the Ph.D. degree in ComputerEngineering from North Carolina State Univer-sity, Raleigh, in 1999. She is currently the Gon-zalez Family Professor with the Department ofElectrical Engineering and Computer Scienceat the University of Tennessee, Knoxville. Hercurrent research interests are in advanced imag-ing and collaborative processing in resource-

constrained distributed environment, hyperspectral image analysis, andbioinformatics. She is a Fellow of IEEE.

Documents

IEEE TRANSACTIONS ON MOBILE COMPUTING 1 Personalized