
Introduction

Sensor network technology promises a vast increase in automatic data collection capabilities through the efficient deployment of tiny sensing devices. Arrays of sensors could be deployed alongside roads to monitor traffic patterns, or inside buildings to sense contextual information for adaptive computing services. There is particular interest in location tracking systems, which determine the position of users for location-based services. We foresee that sensor network technology will decrease the cost of such systems by replacing cables with multi-hop radio communication and by allowing in-network processing of data.

While these technologies offer great benefits to users, they also exhibit significant potential for abuse.1 Privacy concerns are particularly relevant, since sensor network technology provides greatly expanded data collection capabilities. A common approach addresses privacy at the database or location server layer, that is, after the data has been collected. For example, privacy policies govern who may use an individual's data and for which purposes [2,3,4], and data perturbation [5] or anonymity mechanisms [6,7] provide access to data without disclosing privacy-sensitive information. However, data is difficult to protect once it is stored on a system: private data has been inadvertently disclosed over the Internet, companies have distributed data in violation of their own privacy policies, and data theft and distribution by company insiders poses a serious challenge. Such approaches also do not address the risk that an adversary circumvents the location server and collects data directly from the location tracking system. This paper instead leverages the data processing capabilities of sensor nodes to enhance privacy through distributed, in-network anonymity mechanisms.
These mechanisms are applied before data leaves the sensor network to be stored in a location server; thus, databases and location servers are removed from the trusted computing base, and users only need to trust the sensor network itself. A third party, independent of the data consumers, could install and service the network to establish user trust. The paper concentrates on location sensor networks, since location information is especially privacy sensitive and potentially specific enough to reveal the identity of individuals. Specifically, the paper contributes the following key ideas:
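To make the in-network approach concrete, the following Python sketch is an added example and not code from the paper or its authors; it shows one spatial cloaking mechanism of the kind the passage describes, run at a sensor node before any reading is forwarded toward the location server. Readings are generalized to grid cells, a cell is released only when at least K distinct users fall into it, otherwise the cell is coarsened (its side doubled) and retried, and readings that never reach the threshold are suppressed. The sample readings, the threshold K, the grid sizes and the function names are all assumptions made for this example.

```python
"""In-network spatial cloaking at a sensor node (illustrative example, not the paper's code).

A node holds the readings it collected in one reporting interval and must decide
what, if anything, to forward toward the location server. Instead of forwarding
(user, x, y) triples, it releases only (cell origin, cell size, user count)
records for cells that hold at least K distinct users. The readings, K and the
grid sizes below are assumptions made for this example.
"""
from collections import defaultdict

K = 3             # anonymity threshold (assumed)
BASE_CELL = 10.0  # finest grid cell side length (assumed units)
MAX_CELL = 80.0   # coarsest cell the node is willing to release (assumed)

# Constructed readings for one interval, one per user: (user_id, x, y). Not real data.
SAMPLE_READINGS = [
    ("u1", 2.0, 3.0), ("u2", 5.0, 7.0), ("u3", 8.0, 1.0),  # three users in one 10x10 cell
    ("u4", 12.0, 4.0), ("u5", 17.0, 8.0),                   # only two in the neighbouring cell
    ("u6", 4.0, 13.0),                                      # alone in its cell
    ("u7", 95.0, 95.0),                                     # isolated; never reaches K
]


def cell_of(x, y, size):
    """Grid cell index of (x, y) for cells of the given side length.
    A cell of size 2*s tiles exactly four cells of size s, so coarsening nests."""
    return (int(x // size), int(y // size))


def cloak(readings, k=K, base=BASE_CELL, max_size=MAX_CELL):
    """Generalize readings before they leave the node.

    Returns (released, suppressed): released is a list of
    (x0, y0, size, n_users) records that satisfy k-anonymity and carry no
    user identifiers; suppressed is the number of readings dropped because
    no cell up to max_size contained k distinct users.
    """
    remaining = list(readings)
    released = []
    size = base
    while remaining and size <= max_size:
        users_in_cell = defaultdict(set)
        for uid, x, y in remaining:
            users_in_cell[cell_of(x, y, size)].add(uid)
        for (cx, cy), users in users_in_cell.items():
            if len(users) >= k:
                released.append((cx * size, cy * size, size, len(users)))
        # Readings whose cell met the threshold are done; the rest are retried
        # at twice the cell size.
        remaining = [r for r in remaining
                     if len(users_in_cell[cell_of(r[1], r[2], size)]) < k]
        size *= 2
    return released, len(remaining)


def is_k_anonymous(released, k=K):
    """Final check on what the node is about to transmit: every record
    covers at least k users (identifiers were never included)."""
    return all(n >= k for _, _, _, n in released)


if __name__ == "__main__":
    out, dropped = cloak(SAMPLE_READINGS)
    for x0, y0, size, n in out:
        print(f"cell [{x0},{x0 + size}) x [{y0},{y0 + size}): {n} users")
    print(f"suppressed readings: {dropped}")
    assert is_k_anonymous(out)
```

With the constructed readings the node forwards two records, a 10x10 cell and a 20x20 cell each holding three users, and suppresses the isolated seventh reading; the server never receives a coordinate or a user identifier. Two caveats apply to any real design of this kind: because released cells nest, an observer who knows the algorithm can subtract the finer released cell from the coarser one (the residual region here still holds K users, but the check must be made), and repeated releases across intervals can be correlated over time. Both concern only what leaves the network; an adversary inside it, for example sniffing the radio links, is the reason the text keeps the sensor network itself in the trusted computing base.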
GRUTESER 2003-06-17