Privacy versus Location Accuracy in Opportunistic Wearable Networks

Future wearable devices are expected to increasingly exchange their positioning information with various Location-Based Services (LBSs). Wearable applications can include activity-based health and fitness recommendations, location-based social networking, location-based gamification, among many others. With the growing opportunities for LBSs, it is expected that location privacy concerns will also increase significantly. Particularly, in opportunistic wireless networks based on device-to-device (D2D) connectivity, a user can request a higher level of control over own location privacy, which may result in more flexible permissions granted to wearable devices. This translates into the ability to perform location obfuscation to the desired degree when interacting with other wearables or service providers across the network. In this paper, we argue that specific errors in the disclosed location information feature two components: a measurement error inherent to the localization algorithm used by a wearable device and an intentional (or obfuscation) error that may be based on a trade-off between a particular LBS and a desired location privacy level. This work aims to study the trade-off between positioning accuracy and location information privacy in densely crowded scenarios by introducing two privacy-centric metrics.


I. INTRODUCTION AND PROBLEM STATEMENT
Opportunistic ad-hoc networks are known to provide seamless and robust wireless connectivity in the scenarios where the traditional infrastructure mode is not continuously available. As an evolution of mobile wireless ad-hoc networks, opportunistic communication can route the data dynamically without collecting the complete information about the network topology [1]. A potential niche for applying such networks can reside in the field of wearable devices. The notion of wearables stands for connected devices carried by users that sense and collect data, track physical activity, and improve user experience across different application domains that altogether form the Internet of Wearable Things (IoWT) [2].
In the case of wearables, opportunistic wireless solutions may offer more benefits to users compared to standalone wearable technologies. For example, no infrastructure is needed to perform the desired functions, due to the properties of devices being interconnected opportunistically to exchange information in a faster, more convenient, and less energy-consuming way than in an infrastructure mode. Such opportunistic networks can improve communications, positioning, and sensing capabilities of one's wearables even in the situations facing a limited power consumption of resource-constrained wearable ecosystems. One of the underlying reasons for such energy reduction is the possibility of computation offloading and distributed processing [3], e.g., by shifting the more demanding tasks to edge devices with higher computing power than one's wearables.
Since progress in wearable device development is driven by miniaturization and reduced energy consumption, products may not be equipped with conventional Global Navigation Satellite System (GNSS) support. One of the opportunistic ways to introduce a GNSS-based positioning is to utilize more advanced devices with known locations, which we call Anchor Nodes (ANs), to provide information to neighbors. ANs can be fixed or mobile. Hence, lower-cost wearables can perform selfpositioning even in the absence of advanced signal processing capabilities or cutting-edge positioning chipsets. The downside of such opportunistic communication and positioning in a wearable scenario is a potential degradation in the privacy levels, especially when the exchange of data pertains to the location information of one's wearables. For example, wearable devices equipped with GNSS modules or more advanced Inertial Measurement Units (IMUs) acting as ANs for their proximate wearables with lower computational resources will have to disclose their locations to nearby nodes. This approach helps the nodes in the ANs' vicinity to self-locate. The process can also run in a cooperative manner, where each node takes turns to act as AN for other nodes in its vicinity, based on its previously computed position. Localization can be performed by relying on distance measurements to the neighboring ANs transmitting their estimated location to the devices within range [4]. Such distance measurements, in their turn, can be obtained from time, angle, or power measurements.
Our proposed system modeling for this opportunistic scenario starts with the assumption that neighboring wearable nodes are, to some extent, trusted and transmit their estimated location without an additional (e.g., intentional) error over proximity-based Device-to-Device (D2D) links [5]. A neigbouring wearable is defined as a gadget within the transmission range of the target device. The user location privacy depends on three main factors: i) how accurately such a location is estimated based on prior knowledge and/or information collected from the nearby nodes, ii) how accurately wearables disclose their estimated location in a futuristic scenario where users have full control of how and at which level of accuracy they can share own location information with other nodes, and iii) how many users with similar locations are there in the area. A relevant parameter to be able to quantify the location privacy in such situations can be the likelihood of mistaking a target user as being in the position of another user inside a specified geographical area, e.g., in a shopping mall, an office building, a transport hub. Clearly, such location privacy metric will depend both on the user density and their distribution in a certain area, as well as on the location estimation errors.
Multiple works focus on diverse aspects of location data privacy. For example, the study in [6] concentrates on developing a Privacy-Preserving Indoor Localization (PPIL) protocol for Received Signal Strength (RSS)-based indoor localization by encrypting the RSS values. In the subject work, the authors do not specify a Key Performance Indicator (KPI) for location privacy, and the paper primarily studies the deterioration of positioning accuracy as a consequence of applying PPIL. It also addresses the complexity of such an approach, which proves to be excessive. Concerning opportunistic wearable networks, a study in [7] considers a scenario where a user is opportunistically targeted and tracked via a dynamic cluster of sensor nodes. The respective algorithm is tested in two situations i) high-node density areas, where the solution proves to enhance the energy efficiency; ii) low-node density areas, where it displays robust performance despite coverage gaps. Another study on location privacy in [8] introduces a unified framework for the concept of privacy-preserving systems. The authors claim that users may adjust the degree of disclosable location information by deliberately misleading or accidentally providing erroneous data, while obfuscation is proposed as a privacy-enhancing solution. Generally, this method assumes intentional degrading of the information quality and thereby results in inaccuracy or imprecision [9].
Based on the reviewed literature, studies with a focus on location obfuscation and privacy-preserving algorithms do not propose location accuracy models. Therefore, the goal of this paper is to investigate the trade-offs between location data privacy and location accuracy in opportunistic wearable networks by evaluating the main factors affecting the levels of user privacy. Our methodology is to model the metrics relevant for location accuracy and location privacy via a Monte-Carlo statistical analysis in various multi-floor indoor scenarios. In particular, we target physical layer data processing and do not focus on the domain of higher-layer privacy protocols, in contrast with past works [4], [6], [10], which emphasize location privacy from another perspective. We also derive numerical results on the accuracy-privacy trade-off in localization under various user distributions inside a building, for different positioning technologies, and mindful of positioning measurements and intentional error models.

II. SELECTED LOCATION-SPECIFIC METRICS A. Location accuracy metrics
In the field of positioning, location accuracy is the primary KPI, which is introduced either as the probability distribution function (PDF) of the error, or, more commonly, as the error mean and is connected with the error variance that characterizes precision. One of the central challenges in the field is to achieve seamless localization with a decrease in the positioning error. The corresponding positioning errors occur due to the positioning algorithm properties as well as due to the environment properties (e.g., indoor versus outdoor, number of multipath components). Hereinafter, we refer to such positioning errors stemming from positioning technique as 'measurement errors', and their mean and variance are denoted in what follows by µ m and σ 2 m , respectively. As a suitable example, the state-of-the-art Ultra-Wideband (UWB)based positioning solutions provide sub-meter accuracy while performing localization indoors [11], [12]. Moreover, different evaluations studied the impact of the wearable placement on the localization accuracy [13]. Therefore, in our scenario, we assume multiple positions of wearable devices on a human body to assess potential positioning errors for specific body alignments in different situations.
Due to the body shadowing effects, the PDF of the positioning or ranging error varies for different on-body placements of wearable devices. Three primary locations for wearable sensors are considered under various conditions: the head or forehead position, the upper-body position, i.e., the chest and hand position and the limbs, i.e., the wrist, arm, ankle, and thigh.
According to [13], for scenarios where wearable sensors are head-mounted, the likelihood of line-of-sight (LOS) situations between the ANs and a wearable is high, and therefore the Gaussian PDF f Gauss ( ) in (1) offers suitable modeling for the 3D range errors , i.e., is the Euclidian distance between the estimated position and the true position. According to the literature [14], Gaussian range-error modeling is valid not only for UWB Time-of-Flight (TOF) but also for positioning via Time of Arrival (TOA), Angle of Arrival (AOA), and RSS measurements for other systems, such as WiFi, Bluetooth Low Energy (BLE), Radio Frequency Identification (RFID), and others. Gaussian PDF f Gauss ( ) is modeled as where µ m is the mean error and σ m is the standard deviation (SD) of the positioning error. The subscript m stands for measurement. As is a distance error, thus always positive, only the positive part of f Gauss ( ) actually characterizes the distance error, namely, According to [12], in the situations where wearables are located in the upper-body area, the PDF f GG ( ) of the positioning error can be modeled by a sum of Gaussian and Gamma distributions as where the ranging errors depend on the relative heading angle (RHA) between the user, wearable sensor, and ANs as well as on the body placement. Therefore, the term δ(RHA) in (2) is a unit Dirac impulse function equal to 0 for RHA ∈ [0°, 112.5°) ∪ (247.5°, 360°]; and equal to 1 in case RHA ∈ [112.5°, 247.5°]. The above σ 1 and µ 1 are the SD and the mean of the Gaussian-distributed part of the overall PDF, while λ and k are the parameters of the Gammadistributed part of the overall PDF. Examples of σ 1 , µ 1 , λ, and k values are provided in [12], based on experimental work with UWB measurements. In the case of f GG (·), it is more likely that both LOS and non-line-of-sight (NLOS) situations between the ANs and the target wearable are present, as compared to the classic LOS case characterized by f Gauss ( ).
The overall measurement errors in terms of mean µ m and SD σ m can then be computed as where and f GG (·) are defined above, see (2). According to [13], when the wearable sensors are located on limbs, and NLOS situations occur with high probability, the Gamma distribution in (5) models the positioning error where b, a, λ, k, and c are the model parameters established experimentally in [13]. The measurement-based mean µ m and SD σ m follow a relationship similar to that in (3), where f GG (·) is replaced by f Gamma (·).
Additionally, as reported in [11], we consider the log-normal distribution f Log−norm ( ) as a possible PDF for modeling the positioning error , The aforementioned PDFs, namely, (1), (2), (5), and (6) are analyzed in the considered scenarios.

B. Location privacy metrics
Privacy is a fundamental right to be preserved, especially in the context of location. As reported in [10], location privacy is a unique type of information privacy which relates to the user decision on how, when, and to which extent one will disclose own location data to others. Therefore, the ability to be in charge of positioning information is crucial in the context of location privacy, and it is one of the main premises of our work to be investigated. As future smart wearables may allow higher user control of the location accuracy, more robust location-obfuscation methods should be implemented to perform privacy-preserving positioning.
In our study, we rely on the systematic survey provided in [15] with a taxonomy for key privacy metrics designed for diverse use cases. As it is known, entropy measures the uncertainty related to predicting the value of a random variable and is considered as a privacy-related metric to express the probability of incorrect user identification. Consequently, we examine two approaches for entropy measurements: Shannon and asymmetric entropy. Shannon entropy as an indicator of uncertainty is mentioned, for example, in [16]. One of our adopted privacy metrics is thus Shannon entropy, which is defined globally over all wearables in the system, as where H stands for what we call further 'Shannon entropy', p ij is the probability of user i to be mistaken for another user j, and N w is the number of wearables in the considered space.
Various stand for all potential positions of wearables.
H essentially determines how likely it is that a wearable device disclosing its position with (intentional or unintentional) errors can be mistaken for another wearable in the crowd. In our simulations, we approximate the integral via sums by splitting the entire continuous space into smaller cells of 0.5m × 0.5m.
Additionally, we define the second privacy metric called asymmetric entropy by following the work in [15] H a reflects a situation where a third party has access to the distribution of user locations with the highest uncertainty at the point α. In our simulations, we set α = 0.5 by following the approach of [17]. In our system model, we use the sum of asymmetric entropy, which is also known as cumulative asymmetric entropy. In the context of location, this metric uses p ij and identifies the attacker's chances to mistake one user for another. We argue that the probability p ij to mistake a wearable i for another wearable j can be further calculated as where f distrib (·) is the positioning-error PDF, namely, one of the distributions given in the previous section, and Π ij is the probability of a cell being at distance away from user i to be occupied by user j. For example, the uniform distribution of users can be represented as where N w is the observed number of wearable devices and N c is the number of cells in the considered space. Similarly, the probability of a cell to be occupied for hotspot distributions, where the number of wearables is more likely to be higher in the vicinity of another wearable than farther away from it, can be modeled with an exponentially decreasing factor where ξ is a constant parameter (e.g, equals 1) and d ij is the distance between wearable i and wearable j.
In the following sections, the metrics introduced above are used for investigating the trade-off between the privacy level and the location accuracy in the considered scenarios.

III. DEFINITION OF SCENARIOS
To illustrate the considered environment, we provide a graphical example of a potential indoor scenario for the opportunistic exchange of positioning information in Fig. 1, and we explain the modeling parameters used in the simulations.

Proximity-based advertisements
Wearable devices We refer to the multi-floor indoor scenario, which introduces a situation where each user has one wearable device with an opportunity to be in charge of own location information, i.e., being able to disclose it at the desired granularity and with the preferred intentional error. Each wearable can thus have particular preferences to which extent to disclose its position to other wearables or access nodes within a specified range. In such a way, the overall location error has a measurement error part (coming from the inherent uncertainty of knowing one's location, e.g., due to the positioning estimation algorithm, such as RSS, TOA, or AOA) and an intentional error part, which is user-defined.
The overall location error's SD is considered to be a sum of the measurement error and the intentional error. The intentional uncertainty is added on top of the measurement uncertainty, which is created by the location estimation algorithm. Further, each wearable can compute its position opportunistically owing to other wearable devices in proximity, which transmit their location information with some uncertainty and based, for instance, on distance measurements. Additionally, wearable location information can be acquired via power, time, or angle measurements using trilateration or triangulation procedures. As an example, the RSS measurements to nearby wearables may be converted into distance measurements subject to suitable path loss models. Another technique takes into account round-trip time measurements, which can be converted into distance measurements by multiplying the results of computations with half of the speed of light.
In our system model, we consider a two-floor densely crowded building (e.g., a shopping mall) with the square size of 150m × 150m. Therein, wearable devices are deployed according to various distributions: • Uniform -wearables are assumed to be uniformly distributed inside the two-floor building. • Queue -the scenario, where we consider that people with wearables stand in a line inside the building. • Hotspot -the allocation with users, who gather within 'hotspots' modeled here as circles with certain radii, as illustrated in Fig. 2.
The entire building is divided into smaller rectangular areas called cells for modeling tractability, as shown with the empty gray circles in Fig. 2. A user can either be present or missing in a specific cell, and the respective flag will define the distribution of wearables inside the building. For clarity, Fig. 2 demonstrates 5m × 5m cell size, but in our simulations, we utilized 0.5m × 0.5m cell size to reduce the possibility that two users are placed precisely in the same cell (i.e., 0.5 m was considered here as the minimum comfort distance between two users in a public space). In our model, we refer to the the World Geodetic System (WGS84) as a reference coordinate system. In terms of the number of wearable devices, we followed the guide in 'Fire and Rescue Service' [18] and estimated the expected number of wearable devices per a shop sales area, i.e., for the spaces where persons reside (corridors, service rooms, and stairways are assumed as unusable space).

IV. PERFORMANCE ANALYSIS
In this section, we assess the main factors affecting the levels of user privacy in the considered scenario with respect to the chosen privacy metrics. In our study, we consider and evaluate two use cases, namely:  Table I. AOA 0m 1-2m [22] • Another use case considers a situation where users deliberately transmit their location with an intentional error. Therefore, we evaluate the performance under an assumption of an obfuscated location in our simulations with cumulative values of µ and σ. Overall, as visible in Figs. 3-6, a higher number of users with wearable devices located inside the building provides better entropy results in comparison with a lower number of users. Moreover, scenarios, where hotspot distributions are assumed, offer better privacy protection than the use cases with uniformly distributed wearable devices inside the building. Additionally, the results shown in Fig. 3 follow the same trend, whereas Fig. 4 displays an increase in the privacy levels for all deployment types due to the value of the parameter α in (8), which equals 0.1 in this case. Therefore, it can be clearly observed that an increase of the uncertainty parameter α up to 0.5 causes a significant improvement in the privacy levels, particularly for the scenario where users are uniformly distributed inside the building.
Furthermore, obfuscating the positions via Gaussian noise proves to be better than obfuscating them via Gamma/Gaussian distributions due to the initial properties. The conventional Gamma distribution was not included for comparison in Fig. 6 as it relies on several parameters that are not directly mapped onto the SD of the positioning error; thus, the comparison would be unfair.
Based on the results in Fig. 6, we achieve around a two-fold increase in the Shannon entropy results for both Gaussian and Gaussian/Gamma distributions of errors and for both uniform and hotspot distributions of wearables inside the building by intentionally doubling the positioning error. The privacy gain with accumulating the positioning error is higher for smaller  positioning errors, and it converges to a 1 : 1 gain when the positioning error increases. As it can be learned from the obtained simulation results, the optimal strategy for users with accurate location estimates for enhancing the levels of privacy in the location domain is to obfuscate deliberately their precise coordinates.

V. DISCUSSION AND FUTURE WORK
In this study, we characterized two metrics for location accuracy and location privacy, as well as described and assessed the levels of entropy in opportunistic wearable networks. The considered concept of transmitting the obfuscated location by adding random noise to the ground-truth coordinates was targeted under the assumption that not all LBSs out of those operating in public spaces require an accurate and precise location information. It may be of particular interest for wearable devices to mitigate the battery drain instead of utilizing sophisticated algorithms to achieve higher privacy.
As an example, there are certain location-based applications, where the granularity level of location accuracy can be ad- justed to offer the actual service to the users without much degradation, e.g., information services, social networks. To understand the simulation results for an opportunistic wearable scenario, we introduced three possible use cases based on various distributions of people inside a building: uniform, hotspot, and queue. As the queue concept shows limited scalability, the aspect is left for assessment and evaluation in the future together with the investigation of significant differences between Shannon entropy and asymmetric entropy results in the second use case.