YouProve: Authenticity and Fidelity in Mobile Sensing

Peter Gilbert, Duke University, Durham, NC 27708, gilbert@cs.duke.edu
Jaeyeon Jung, Microsoft Research, Redmond, WA 98052, jjung@microsoft.com
Kyungmin Lee, Duke University, Durham, NC 27708, kyungmin.lee@duke.edu
Henry Qin, Duke University, Durham, NC 27708, henry.qin@duke.edu
Daniel Sharkey, Duke University, Durham, NC 27708, daniel.sharkey@duke.edu
Anmol Sheth, Technicolor Research, Palo Alto, CA 94301, anmol.sheth@technicolor.com
Landon P. Cox, Duke University, Durham, NC 27708, lpcox@cs.duke.edu

Abstract

As more services have come to rely on sensor data such as audio and photos collected by mobile phone users, verifying the authenticity of this data has become critical for service correctness. At the same time, clients require the flexibility to trade off the fidelity of the data they contribute for resource efficiency or privacy. This paper describes YouProve, a partnership between a mobile device’s trusted hardware and software that allows untrusted client applications to directly control the fidelity of data they upload and services to verify that the meaning of source data is preserved. The key to our approach is trusted analysis of derived data, which generates statements comparing the content of a derived data item to its source. Experiments with a prototype implementation for Android demonstrate that YouProve is feasible. Our photo analyzer is over 99% accurate at identifying regions changed only through meaning-preserving modifications such as cropping, compression, and scaling. Our audio analyzer is similarly accurate at detecting which sub-clips of a source audio clip are present in a derived version, even in the face of compression, normalization, splicing, and other modifications.
Finally, performance and power costs are reasonable, with analyzers having little noticeable effect on interactive applications and CPU-intensive analysis completing asynchronously in under 70 seconds for 5-minute audio clips and under 30 seconds for 5-megapixel photos.

Categories and Subject Descriptors

C.3 [Special-purpose and Application-based Systems]: Real-time and embedded systems

General Terms

Design, Security

SenSys’11, November 1–4, 2011, Seattle, WA, USA. Copyright 2011 ACM 978-1-4503-0718-5/11/11 ...$10.00

Keywords

Participatory Sensing, Privacy, Trusted Computing

1 Introduction

Mobile phones are fast becoming the eyes and ears of the Internet by embedding digital communication, computation, and sensing within the activities of daily life. The next generation of Internet platforms promises to support services like citizen journalism, mobile social networking [13], environmental monitoring [24], and traffic monitoring [17] by pairing the ubiquitous sensing provided by mobile phones with the large-scale data collection and dissemination capabilities of the cloud.

Data authenticity is crucial for service correctness. Mobile social services have already been gamed by participants claiming to be in places they were not [18], and citizen-journalism services have been fooled by falsified images [20, 34]. Correctness is especially important for services such as Al Jazeera’s Sharek and CNN’s iReport.
Deploying trusted reporters and photographers into events such as those recently experienced in Iran, Haiti, Tunisia, Egypt, and Libya is difficult. Due to logistical obstacles, government bans, and reprisals against journalists, anonymous local citizens with camera phones were instrumental in documenting these situations. Thus, given the increasingly large role crowd-sourced content plays in world affairs and the dire consequences that dissemination of falsified media could have, verifying the authenticity of this data is paramount.

One proposed solution is to equip phones with trustworthy sensors capable of signing their readings and to require clients to return unmodified signed data to a service [10]. Unfortunately, requiring clients to send unmodified data is impractical. Mobile clients require the flexibility to trade off data fidelity for efficient resource usage and greater privacy. This is particularly true for media such as audio and photos. For example, a client may wish to upload a photo with reduced resolution or under lossy compression to improve energy efficiency and performance [6], or a client may wish to blur faces in a photo to conceal someone’s identity [26]. Resolving the tension between data authenticity and data fidelity is a key obstacle to realizing the vision of phone-based distributed sensing.
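To make the tension between signed raw readings and client-side fidelity control concrete, here is an added Python illustration; it is not code from the paper or from the YouProve prototype. It shows, first, that a signature over the raw sensor bytes (the unmodified-data approach of [10]) stops verifying after even a meaning-preserving downscale, and second, the shape of the alternative the abstract describes: a trusted analyzer compares a derived photo to its source region by region and signs a statement listing which regions survived and which were altered, so the service can check the regions it cares about rather than demanding the original bytes. The 8x8 grayscale "photo", the HMAC stand-in for a hardware-held signing key, the 2x2 region grid, the per-region tolerance, and the statement fields are all constructed assumptions for this example, not the paper's analyzer or statement format.

```python
import hashlib
import hmac
import json

# Constructed sample input: an 8x8 grayscale "photo" with pixel value 32*row + 4*col.
SOURCE_PHOTO = [[(r * 8 + c) * 4 % 256 for c in range(8)] for r in range(8)]

# Hypothetical stand-in for a key held by trusted hardware; a real deployment would
# use an asymmetric key so the service can verify without holding the secret.
DEVICE_KEY = b"example-device-key"


def canonical_bytes(photo):
    """Serialize a photo deterministically so hashes and MACs are reproducible."""
    return json.dumps(photo, separators=(",", ":")).encode()


def sign(key, data):
    """HMAC-SHA256 stands in for a trusted-hardware signature (illustration only)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, data, tag):
    return hmac.compare_digest(sign(key, data), tag)


def downscale(photo, factor):
    """Box-average downscale by an integer factor: a meaning-preserving modification."""
    rows, cols = len(photo), len(photo[0])
    out = []
    for r in range(0, rows, factor):
        row = []
        for c in range(0, cols, factor):
            block = [photo[i][j] for i in range(r, r + factor) for j in range(c, c + factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def blur_region(photo, r0, r1, c0, c1):
    """Replace a rectangle with its mean value: a meaning-changing modification
    (the kind a client applies to hide a face)."""
    out = [row[:] for row in photo]
    block = [photo[i][j] for i in range(r0, r1) for j in range(c0, c1)]
    mean = sum(block) // len(block)
    for i in range(r0, r1):
        for j in range(c0, c1):
            out[i][j] = mean
    return out


def analyze(source, derived, grid=2, tolerance=8):
    """Hypothetical trusted analyzer: infer the scale factor from the dimensions,
    downscale the source to match, then report per region (grid x grid) whether the
    derived content differs from the source by more than `tolerance` mean absolute error.
    Returns the statement and a signature over it."""
    factor = len(source) // len(derived)
    reference = downscale(source, factor)
    step = len(derived) // grid
    preserved, modified = [], []
    for gr in range(grid):
        for gc in range(grid):
            diffs = [abs(reference[i][j] - derived[i][j])
                     for i in range(gr * step, (gr + 1) * step)
                     for j in range(gc * step, (gc + 1) * step)]
            region = [gr, gc]
            (preserved if sum(diffs) / len(diffs) <= tolerance else modified).append(region)
    statement = {
        "source_sha256": hashlib.sha256(canonical_bytes(source)).hexdigest(),
        "derived_sha256": hashlib.sha256(canonical_bytes(derived)).hexdigest(),
        "scale_factor": factor,
        "preserved_regions": preserved,
        "modified_regions": modified,
    }
    return statement, sign(DEVICE_KEY, json.dumps(statement, sort_keys=True).encode())


def service_accepts(statement, tag, uploaded, required_regions):
    """Service-side check: the statement is authentic, it describes exactly the bytes that
    were uploaded, and every region the service relies on is listed as preserved."""
    if not verify(DEVICE_KEY, json.dumps(statement, sort_keys=True).encode(), tag):
        return False
    if statement["derived_sha256"] != hashlib.sha256(canonical_bytes(uploaded)).hexdigest():
        return False
    return all(list(r) in statement["preserved_regions"] for r in required_regions)


# Constructed derived photo: blur the top-left quadrant, then halve the resolution.
DERIVED_PHOTO = downscale(blur_region(SOURCE_PHOTO, 0, 4, 0, 4), 2)

if __name__ == "__main__":
    raw_sig = sign(DEVICE_KEY, canonical_bytes(SOURCE_PHOTO))
    print("raw signature verifies on derived photo:",
          verify(DEVICE_KEY, canonical_bytes(DERIVED_PHOTO), raw_sig))
    stmt, tag = analyze(SOURCE_PHOTO, DERIVED_PHOTO)
    print(json.dumps(stmt, indent=2))
    print("service accepts (needs regions (0,1),(1,1)):",
          service_accepts(stmt, tag, DERIVED_PHOTO, [(0, 1), (1, 1)]))
```

The raw-signature check fails for any derived upload, which is the impracticality the text describes; the signed statement instead lets the client downscale and blur as it likes while the service still learns, from a trusted party, which regions of the upload carry the source's original content.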