Collaborative and efficient privacy-preserving critical incident management system

https://doi.org/10.1016/j.eswa.2020.113727

Highlights

  • A proof of concept of privacy-preserving incident reporting system is proposed.

  • A co-utility model is used to encourage true reporting and discourage fake one.

  • Group members are rewarded and punished through blockchain-based cryptocurrency.

  • Security analysis of the system under various attacks confirms its security.

  • Operational testing shows the system’s feasibility on light-weight devices.

Abstract

When a critical incident occurs, timely location-based status messages (known as alerts) conveyed by a witness present at the incident site to the competent authority constitute a key part of an effective approach to handle the situation. Details provided by witnesses are of extreme significance, but their collaboration with the authority may make them susceptible to various threats such as loss of anonymity, false implication, unwarranted surveillance, etc. As a solution, an anonymous reporting mechanism can be provided to encourage the witnesses to report the incident to the concerned authority. However, there is a possibility of system collapse in case the anonymous witnesses inundate the authority with multiple fake reports, resulting in delayed response to the critical incident. In this paper, we present a critical incident reporting system that provides privacy to honest witnesses but can disclose the identity and punish the malicious ones. The proposed system facilitates the indistinguishability of the witness among a group of users such that reports are linked to groups of k (or more) users instead of a single user. We use a game-theoretic approach based on the co-utility principle to encourage the users of the system to engage in mutually beneficial collaboration, which leads to a “rewards and punishment” mechanism to encourage legitimate information and discourage false information. The incident management authority rewards honest witnesses with a blockchain-based cryptocurrency, which can be redeemed anonymously by the awardees from the city council. We have analyzed the security and privacy properties of the system, and carried out real-device testing to evaluate the system performance and its feasibility.

Introduction

Critical incident management systems are information systems that deal with everyday incidents such as road accidents, wildfires, landslides, burglaries, etc. A critical incident imposes urgency and calls for immediate emergency management that can reduce both societal costs and fatality rates. Traditionally, a countrywide emergency service provides access to emergency services including police, firefighters, and ambulances. In many countries, a caller can dial a single emergency telephone number to contact local emergency operators for assistance. The emergency service number is typically a two-digit (15) (Police, 2000) or a three-digit (911) (Tapshield, 2014) number, which provides dispatch and communication support services for police, fire, ambulance, and related services to the caller (Vivacqua & Borges, 2012). On average, the emergency operator requires at least two to three minutes to collect the necessary incident-related information from the caller to ensure that first responder agencies (police, fire and emergency medical departments) have all the data they need (Tapshield, 2014). A communication lapse at either end can result in a delayed incident response. Communication therefore plays a critical role during emergencies, where the loss of a few seconds can mean the difference between life and death. Thus, an incident response system requires an efficient platform with good communication to ensure a timely response to critical incidents.

Smart devices in the form of mobile phones and tablets are becoming increasingly ubiquitous throughout the world, especially in highly populated urban areas. Given the multitude of sensors (Global Positioning System (GPS), accelerometer, and high-resolution cameras) and the Internet connectivity present in modern smartphones, these devices can help in reporting accurate geo-coordinates of the emergency location, and the extent and nature of the incident, to the relevant authorities. For example, a 3-layered architecture proposed in Zambrano, Perez, Palau, and Esteve (2016) employs a smartphone’s accelerometer as an accelerograph to detect the seismic peak of an earthquake through a mathematical procedure and then sends an SOS notification to the authority.

Literature shows that the technological advancements in mobile-based communication and information systems have the most significant impact on the growth of the web-based and mobile incident management systems. These systems enable citizens to report location-based incident information to centralized emergency authorities, who, in return, dispatch relevant first responder agencies to the incident’s site. For example, Elerts (ELERTS Corporation, 2010) is an effective and robust public safety communication platform based on smartphones. Using this application, the registered user (name, e-mail address and phone number are required) on the incident site can take a photo of it, which is automatically uploaded to a website, and other Elerts users get the alert regarding such incident along with the location and the photo.

Abuse of emergency services is a common problem that affects all emergency service providers and authorities worldwide. The emergency service is only meant to provide emergency assistance, yet a regrettably large proportion of the calls made to emergency service providers are fake or false emergency calls. False calls fall into two categories: unintentional and intentional (Sampson, 2002a). Unintentional false emergency calls occur when a person or phone inadvertently dials the emergency services. This category includes pocket calls from mobile handsets (even with a locked keypad), misdials, and automatic false calls (calls made by malfunctioning automatic devices such as alarms, security equipment, etc.) (EENA Committee, 2011). Intentional false emergency calls include non-emergency calls (when a caller contacts the emergency services just to ask something unrelated to an emergency), prank calls (when a person deliberately calls the emergency service to falsely report an emergency that does not exist), exaggerated emergency calls (when the situation is not considered an emergency by the emergency services but is for the caller, e.g., loud music played by a neighbor), immediate hang-up calls, and lonely complainant calls (Sampson, 2002a). Emergency services often release details of the time-wasting false calls they receive in an effort to urge people to think twice before calling. False calls are a misuse of the system and can either interrupt an emergency call or prevent a caller who is seeking help from placing one. For example, false calls account for up to 63% of the total calls made to the 112 number in Portugal (EU Communications Committee, 2017). Similarly, seven hours after activation of the 911 hotline in the Philippines, there were more fake calls than calls for actual emergency assistance (Philippine Daily Inquirer, 2016): out of 2,475 phone calls, only 3% (75) were legitimate.

A false call is an expensive problem because it drains the resources of the emergency services: it costs a significant amount of money each time a first responder agency is deployed in response to a call. Thus, mechanisms are needed to prevent people from making false calls to emergency services so that people in need of urgent assistance always get top priority from the emergency service providers. Communities across Europe, the UK, and Canada are making efforts to curb false alarms by introducing special non-emergency numbers (EENA Committee, 2011). For example, alternative three-digit numbers have been introduced in recent years in the UK (101) and Canada (113) to allow citizens to report minor and non-emergency incidents where an immediate or high-priority response is not required, such as a noisy party, drug use, fraud, etc. In the United States of America (USA), making false calls to 911 is considered a crime punishable with a fine or even prison (Sampson, 2002b).

In the wake of recent developments in information technology, mobile communications, and social network services, many incident reporting systems have been envisioned (Okolloh, 2009, Furtado et al., 2010, Namahoot and Bruckner, 2015). Ushahidi (Okolloh, 2009) is a map-based mash-up platform that allows any citizen to gather distributed data via a text message (SMS), a tweet, an email or web forms, and visualize it on a map. The crowd-sourced information can be mapped, tracked over time, filtered and refined. Ushahidi has been used globally many times in recent years to facilitate emergency management in situations where there was little or no support from the government or concerned authorities, e.g., for tracing events around the Gaza strip. To prevent false reports, the Ushahidi management team manually checks and verifies the reports before publishing them on an online interactive map.

WikiCrimes (Furtado et al., 2010) is a collaborative system where users can register online information about criminal events in a specific geographic location via a map. Anyone can access WikiCrimes to add or consult information from a geo-referenced database. The main goals of WikiCrimes are to disseminate information about criminal incidents (that go unreported by the police) in the community and to allow users to keep track of such locations to make decisions in situations such as visiting an unknown neighborhood. WikiCrimes employs a user registration and a confirmation process to ensure the authenticity of the reported crime. The reporting user should identify at least one person other than him/her, who can confirm that the registered incident is true. Also, the users need to register their names and valid email addresses for reporting the incident.

In Thailand, a location-aware Smart Phone Emergency and Accident Reporting System (SPEARS) is proposed in Namahoot and Bruckner (2015), which allows users of an online social network (Facebook or Twitter) to quickly report emergencies and accidents to agencies such as the police, fire department and hospitals via an Android smartphone. These agencies can retrieve the current location of the emergency via GPS and send immediate help to the users involved in the emergency situation. Though it is an efficient tool for emergency reporting, it has a few limitations: (1) it can only be used in the Thai language, which is not useful for foreigners living in Thailand, and (2) SPEARS users must be identified by phone number and name before reporting an emergency or incident.

UbAlert (UbAlert LLC, 2008) is a global disaster alert social network that operates to save lives by sharing the knowledge of the world’s citizens with those in danger. UbAlert combines data from global institutions and data providers with crowd-sourced user accounts. Its global emergency warning platform validates the reliability of the reported content and, then, immediately alerts those who may be impacted, depending on the severity and location. Alerts contain basic event details, impact statistics, maps, images, and videos. Users can instantly share alerts with others to get them out of harm’s way via social networks like Facebook and Twitter. However, there is a limitation of UbAlert, i.e., the information reported by the users has to be examined for accuracy, and due to this reason, UbAlert only allows registered users to create and send alerts.

Liu et al. (2011) proposed a mobile + cloud system called Mapster that uses Twitter to help in the event of emergencies in real time. Mapster users can report specific events, with GPS coordinates automatically attached, by simply tapping on a couple of icons on the Windows Phone 7 platform. A cloud-based semantic data streaming service then fetches and processes these geo-referenced citizen reports and republishes them as geo-referenced streams that can be consumed through a set of Representational State Transfer (REST) Web Services. A map-based spatio-temporal animation tool on Windows Phone 7 allows users to visualize a set of data streams in real time, including the Twitter feeds and radar data, using the web services. However, Mapster has a few limitations: (1) it is not interoperable, (2) it does not provide the user’s current physical location, which, if provided, could enable him/her to alert nearby friends about the situation at their current locations, and (3) it lacks a mechanism to check the integrity of citizen-provided data.

Though all the systems referred to above provide effective online platforms for reporting and managing critical incidents nationally or internationally, they exhibit at least one of the following limitations: (1) they require manual checking and verification to differentiate between legitimate and fake incident reports; (2) the relevant emergency service provider may fail to take quick action due to a lack of complete information about the incident; and (3) they allow user re-identification. Of all these drawbacks, the re-identification of a user by means of his/her name, email address, phone number or location is the most relevant issue, since in most emergency situations witnesses are reluctant to report the incident because they do not want to be identified or to reveal their specific location for personal reasons, or because they fear being considered suspects of a crime. For example, a recent road accident survey in India revealed that around 74% of witnesses hesitate to report road accidents or help the victim due to legal hassles and fear of police harassment. Repeated questioning by the police, multiple court citations and even prosecution for unintentional accidental deaths prevent witnesses from extending a helping hand to people in need and from reporting the accident to the relevant authorities (Jha, 2016). Thus, anonymity is a desired property from the witness’s point of view. However, complete user anonymity may encourage users to report false incidents, which could result in a collapse of the emergency authority. Thus, the challenge lies in providing revocable privacy, i.e., protection of the witness’s privacy in the case of true incident reporting, and revocation of the witness’s anonymity when he/she reports a false incident. Also, a mechanism should be devised to encourage the witness to report legitimate information and to discourage false reporting.

Deriving a co-utility model based on game theory is a possible solution for analyzing the incentives of the witness and the members of his/her location-based group in reporting the incident to the Emergency Management System (EMS). The co-utility concept (Domingo-Ferrer & Megías, 2013) can be used to derive a co-utile protocol that promotes mutually beneficial collaboration between the witness and the other group members, in the sense that a witness improves his/her utility (anonymity and payoffs) by helping the other group members to increase their utilities (privacy and rewards). In our previous work (Qureshi, Rifà-Pous, & Megías, 2016), we introduced a location-based emergency management system based on a co-utility approach that allows witnesses to notify the EMS of an emergency in a timely manner while preserving their anonymity. Although the co-utility model proposed in Qureshi et al. (2016) provides a “rewards and punishments” mechanism, it does not provide anonymity to the rewarded users (participants of a true incident reporting group), who are required to interact with a third party to obtain their rewards, thus jeopardizing their privacy. Also, the feasibility of the scheme on smart devices was not demonstrated, and no security and privacy analysis of the protocols was provided.

In this paper, we propose a location-based critical incident reporting system that builds on our previous work (Qureshi et al., 2016). We improve on Qureshi et al. (2016) by introducing a “rewards and punishments” mechanism based on cryptocurrency payments, such that the awardee does not have to interact with a third party to obtain his/her rewards. A theoretical analysis of the proposed incident reporting protocol is performed in terms of its privacy and security properties, and experiments have been performed to evaluate the performance of the reporting protocol. More specifically, the proposed incident reporting system aims to provide the following properties:

  1. The system provides anonymity to the witness in such a way that he/she can create a dynamic, location-based group to report the incident-related information to the incident management authority (IMA) without revealing his/her real identity or any other personal information (Section 3.4.2). By using the concept of a group, reports are linked to groups instead of to individual users (witnesses).

  2. The system offers revocable privacy to the witness: the witness’s anonymity is protected until he/she is found responsible for false reporting. In that case, the witness can be identified by the distinguisher algorithm of the threshold discernible ring signature (Section 2.4.3) used in the proposed incident reporting protocol (Section 3.4.4).

  3. In order to prevent misuse of the system by fake witnesses and promote true incident reporting, a game-theoretic design inspired by the co-privacy (co-utility) approach (Domingo-Ferrer, 2011a, Domingo-Ferrer, 2011b) is employed, which provides a mechanism of rewards and punishments to encourage legitimate information and discourage false reporting (Section 2.5.3). In the case of true reporting, the witness and the group members receive rewards from the City Council (CC) in cryptocurrency. Similarly, on reporting a fake incident, the malicious participants receive punishment from the CC in cryptocurrency (Section 2.6.1).

  4. The system enables the user to create dynamic pseudonyms based on a one-way hash function, instead of using his/her real identity, to report the incident to the IMA anonymously.

  5. To ensure anonymous communication between the witness and the IMA, a device-to-device (D2D) communication protocol (Section 2.2) and an anonymous key agreement protocol without authentication (Mollin, 2006) are used in the incident reporting protocol (Section 3.4.2).

  6. The formal and informal security analyses show that the system provides security and revocable privacy to the witness and the group members, respectively (Section 4.1).

  7. To show the practicality of the proposed scheme, experiments in a controlled scenario using real smart devices were performed to evaluate the computational costs in terms of the time required to form a group, generate the threshold discernible ring signature, and submit the report to the IMA (Section 4.2).
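As an added illustration of properties 1 and 4 above (this is example code written for this page, not the paper’s own implementation; the paper’s actual pseudonym construction, group formation and ring signature are not shown here), the following Python snippet assumes HMAC-SHA256 keyed with a device-local secret as the one-way function, a fresh random nonce per report so that a user’s pseudonyms are unlinkable across reports, and a simple IMA-side check that a report is backed by at least k distinct pseudonyms before it is linked to the group rather than to any single witness:

```python
"""Added example: dynamic hash-based pseudonyms and a k-member group check.

Assumptions (not taken from the paper): the one-way function is HMAC-SHA256
keyed with a per-user secret that never leaves the device; a fresh 16-byte
nonce is drawn for every report; the IMA accepts a report only when at least
k distinct pseudonyms back it. Sample witnesses below are constructed data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def derive_pseudonym(user_secret: bytes, nonce: bytes) -> str:
    # One-way: without user_secret, neither the IMA nor an eavesdropper can
    # recover any identity from the pseudonym or link two pseudonyms of the
    # same user. With the secret, the same (secret, nonce) pair is reproducible.
    return hmac.new(user_secret, nonce, hashlib.sha256).hexdigest()


def new_report_pseudonym(user_secret: bytes) -> tuple[bytes, str]:
    # A fresh random nonce per report makes the pseudonym dynamic: the same
    # witness presents a different, unlinkable pseudonym for each incident.
    nonce = secrets.token_bytes(16)
    return nonce, derive_pseudonym(user_secret, nonce)


def proves_ownership(user_secret: bytes, nonce: bytes, pseudonym: str) -> bool:
    # Stand-in for the revocation step: a user who must later disclose the
    # (secret, nonce) pair can be bound to the pseudonym used in a report.
    # (The paper itself uses a ring-signature distinguisher for this; the
    # secret-disclosure check here is only an assumption for illustration.)
    return hmac.compare_digest(derive_pseudonym(user_secret, nonce), pseudonym)


def accept_report(group_pseudonyms: list[str], k: int) -> bool:
    # Reports are linked to a group, not to a user, so the IMA only accepts a
    # report that is backed by at least k distinct pseudonyms (k-anonymity set).
    return len(set(group_pseudonyms)) >= k


def demo() -> dict[str, bool]:
    # Constructed sample data: three witnesses, each with a device-local secret.
    secret_by_user = {name: secrets.token_bytes(32) for name in ("w1", "w2", "w3")}
    report = {name: new_report_pseudonym(sec) for name, sec in secret_by_user.items()}
    group = [pseud for _, pseud in report.values()]

    # The same witness reporting a second incident gets an unlinkable pseudonym.
    _, w1_second = new_report_pseudonym(secret_by_user["w1"])

    return {
        "accepted_with_k3": accept_report(group, 3),
        "rejected_with_k4": not accept_report(group, 4),
        "w1_pseudonyms_unlinkable": w1_second != report["w1"][1],
        "w1_can_prove_own_pseudonym": proves_ownership(secret_by_user["w1"], *report["w1"]),
        "w2_cannot_claim_w1_pseudonym": not proves_ownership(secret_by_user["w2"], *report["w1"]),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two design points worth noting: the nonce is sent alongside the report only in hashed form inside the pseudonym, so the IMA stores nothing that lets it correlate reports without the user’s secret, and `accept_report` deduplicates pseudonyms so that one witness replaying its own pseudonym cannot inflate the group to reach k.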

Outline of the paper: The rest of this paper is organized as follows. Section 2 presents the building blocks of the proposed system. In this section, we discuss in detail the reward and punishment model of the proposal based on game theory. Also, this section presents in detail the proposed bidirectional payment channels. Section 3 discusses the design and the five phases of the proposed incident reporting protocol. Formal proofs and informal security and privacy analysis for the threat model are presented in Section 4.1. Also, this section presents experimental results designed to evaluate the performance of the proposed reporting protocol (Section 4.2). Finally, Section 5 summarizes the conclusions and future research issues.

Building blocks

Our proposed incident reporting system employs an application programming interface (API) of an online social network, D2D communication, anonymous key exchange, a threshold discernible ring signature (TDS) scheme, a game-theory-based co-utility model, and a blockchain-based cryptocurrency.

Proposed system

This section describes the architecture of the system proposed for the notification of location-based incident-related information to the IMA, which then takes appropriate action to resolve the incident.

Results and discussions

In this section, we provide an analysis of the proposed incident reporting system in terms of security, privacy, and performance.

Conclusions and future work

In this paper, we present a critical incident management system for mobile devices that aims to provide a timely response to those affected by the critical incident, anonymity to the witness, and prevention of fake reporting. The system is designed in such a way that a witness can become indistinguishable in a group of users. The formation of the location-based group is autonomous (the witness does not need the assistance of the system manager), and is only dependent on the proximity of the

CRediT authorship contribution statement

Amna Qureshi: Methodology, Software, Validation, Formal analysis, Investigation, Writing - original draft. Victor Garcia-Font: Methodology, Formal analysis, Writing - original draft. Helena Rifà-Pous: Conceptualization, Methodology, Supervision, Project administration, Writing - review & editing. David Megías: Methodology, Conceptualization, Supervision, Funding acquisition, Writing - review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

This work was partly funded by the INCIBEC-2015–02491 “Ayudas para la excelencia de los equipos de investigación avanzada en ciberseguridad”, RTI2018-095094-B-C22 “CONSENT”, and TIN2014-57364-C2-2-R “SMARTGLACIS.”

The authors thank Ms. Alice Keefer Riva for proofreading the manuscript. Also, the authors thank Dr. M. Shahwaiz Afaqui for his valuable contribution in performing the Wi-Fi Direct experiments.

References (42)

  • Domingo-Ferrer, J. Coprivacy: towards a theory of sustainable privacy.
  • Domingo-Ferrer, J., Megías, D., 2016. Co-utility for digital content protection and digital forgetting. In 2016...
  • Domingo-Ferrer, J., et al. Co-utility: Self-enforcing protocols without coordination mechanisms.
  • EENA Committee, 2011. False emergency calls. Operations document 3.1.2. European Emergency Number Association (EENA)....
  • ELERTS Corporation, 2010. ELERTS. http://elerts.com/company/. Accessed on...
  • EU Communications Committee, 2017. Implementation of the European emergency number 112 - Results of the tenth...
  • Facebook - ProgrammableWeb, 2017. Facebook API. https://www.programmableweb.com/api/facebook. (Accessed on...
  • Haus, M., et al., 2017. Security and privacy in device-to-device (D2D) communication: a review. IEEE Communications Surveys & Tutorials.
  • Irani, D., et al., 2011. Modeling unintended personal-information leakage from multiple online social networks. IEEE Internet Computing.
  • Jha, P., 2016. If no-one helps you after a car crash in India, this is why. http://www.bbc.com/news/magazine-36446652....
  • Khan, M.A., et al., 2019. Optimal group formation in dense Wi-Fi Direct networks for content distribution. IEEE Access.
Cited by (10)

  • HyperNet: A conditional k-anonymous and censorship resistant decentralized hypermedia architecture. 2022, Expert Systems with Applications.

    Citation excerpt: “For the system proposed in this paper we use threshold discernible ring signatures (TDS), a mechanism formalized in Kumar, Agrawal, Venkatesan, Lokam, and Rangan (2010). In Qureshi, Garcia-Font, Rifà-Pous, and Megías (2020), we use TDS to create an emergency reporting system which, in case of reporting a true emergency, enables the reporter to remain anonymous and get rewarded in cryptocurrency and, in case of a false emergency, allows the reporter to be de-anonymized and punished. These three procedures involve using cryptographic mechanisms such as equality signatures (Klonowski, Krzywiecki, Kutyłowski, & Lauks, 2008), knowledge signatures (Camenisch, 1997), and Shamir’s secret sharing scheme (Rivest et al., 2001).”

  • Blockchain in humanitarian operations management: A review of research and practice. 2022, Socio-Economic Planning Sciences.

    Citation excerpt: “Blockchain can be particularly effective in sourcing information from crowds, especially when assisted by its ability to reward positive behavior. In Ref. [102], the authors propose a new framework for reporting crisis situations. They employ a cooperative game theoretic model to promote positive participation in the system by maximizing the players’ rewards when delivering accurate and truthful information to the emergency managers.”
