Collaborative and efficient privacy-preserving critical incident management system
Introduction
Critical incident management systems are information systems that deal with day-to-day incidents such as road accidents, wildfires, landslides, burglaries, etc. A critical incident imposes urgency and calls for immediate emergency management that can reduce both societal costs and fatality rates. Traditionally, a countrywide emergency service gives access to the police, firefighters, and ambulances. In many countries, a caller can dial a single emergency telephone number to contact local emergency operators for assistance. The emergency service number is typically a two-digit (15) (Police, 2000) or a three-digit (911) (Tapshield, 2014) number that provides dispatch and communication support services for police, fire, ambulance, and related services to the caller (Vivacqua & Borges, 2012). On average, the emergency operator needs at least two to three minutes to collect the necessary incident-related information from the caller so that the first responder agencies (police, fire, and emergency medical departments) have all the data they need (Tapshield, 2014). A communication lapse at either end can delay the incident response. Communication therefore plays an important role during emergencies, where the loss of a few seconds can mean the difference between life and death. Thus, an incident response system requires an efficient platform with better communication to ensure a timely response to critical incidents.
Smart devices in the form of mobile phones and tablets are becoming increasingly ubiquitous throughout the world, especially in highly populated urban areas. Given the multitude of sensors (Global Positioning System (GPS), accelerometer, and high-resolution cameras) and the Internet connectivity present in modern smartphones, these devices can help in reporting accurate geo-coordinates of the emergency location, and the extent and nature of the incident, to the relevant authorities. For example, a three-layered architecture is proposed in Zambrano, Perez, Palau, and Esteve (2016) that uses a smartphone’s accelerometer as an accelerograph to detect the seismic peak of an earthquake through a mathematical procedure and then sends an SOS notification to the authority.
The literature shows that technological advances in mobile-based communication and information systems have had the most significant impact on the growth of web-based and mobile incident management systems. These systems enable citizens to report location-based incident information to centralized emergency authorities, who, in return, dispatch the relevant first responder agencies to the incident site. For example, Elerts (ELERTS Corporation, 2010) is an effective and robust smartphone-based public safety communication platform. Using this application, a registered user (name, e-mail address and phone number are required) at the incident site can take a photo of it, which is automatically uploaded to a website, and other Elerts users receive an alert about the incident along with its location and the photo.
Abuse of emergency services is a common problem that globally affects all emergency service providers and authorities. The emergency service is only meant to provide emergency assistance. A regrettably large proportion of the calls made to emergency service providers are fake or false emergency calls. False calls fall into two categories: unintentional and intentional (Sampson, 2002a). Unintentional false emergency calls occur when a person or phone inadvertently dials the emergency services. This category includes pocket calls from mobile handsets (even with a locked keypad), misdials, and automatic false calls (calls made by malfunctioning automatic devices such as alarms, security equipment, etc.) (EENA Committee, 2011). Intentional false emergency calls include non-emergency calls (when a caller contacts the emergency services just to ask something that is not related to an emergency), prank calls (when a person deliberately calls the emergency service to falsely inform them that there is an emergency when in fact there is not), exaggerated emergency calls (when the situation is not considered an emergency by the emergency services but it is for the caller, e.g., loud music played by a neighbor), immediate hang-up calls, and lonely complainant calls (Sampson, 2002a). The emergency services often release details of the time-wasting false calls they receive in an effort to urge people to think twice before calling. False calls are a misuse of the system and can either interrupt an emergency call or hinder a caller who is seeking help from placing an emergency call. For example, false calls account for up to 63% of the total calls made to the 112 number in Portugal (EU Communications Committee, 2017). Similarly, seven hours after activation of the 911 hotline in the Philippines, there were more fake calls than there were calls for actual emergency assistance (Philippine Daily Inquirer, 2016). Out of phone calls, only 3% (75) were legitimate calls.
A false call is an expensive problem because it drains the resources of the emergency services: each deployment of a first responder agency in response to a call costs a significant amount of money. Thus, mechanisms are needed to prevent people from making false calls to emergency services, so that people who need urgent assistance always get top priority from the emergency service providers. Communities across Europe, the UK, and Canada are making efforts to curb false alarms by introducing special non-emergency numbers (EENA Committee, 2011). For example, alternative three-digit numbers have been introduced in recent years in the UK (101) and Canada (113) to allow citizens to report minor and non-emergency incidents where an immediate or high-priority response is not required, such as a noisy party, drug use, or fraud. In the United States of America (USA), making false calls to 911 is considered a crime punishable with a fine or even prison (Sampson, 2002b).
In the wake of recent developments in information technology, mobile communications, and social network services, many incident reporting systems have been envisioned (Okolloh, 2009, Furtado et al., 2010, Namahoot and Bruckner, 2015). Ushahidi (Okolloh, 2009) is a map-based mash-up platform that allows any citizen to gather distributed data via a text message (SMS), a tweet, an email or web forms, and visualize it on a map. The crowd-sourced information can be mapped, tracked over time, filtered and refined. Ushahidi has been used globally many times in recent years to facilitate emergency management services in situations where there was little or no support at all from the government or concerned authorities, e.g., for tracing events around the Gaza strip. To prevent false reports, the Ushahidi management team manually checks and verifies the reports before publishing them on an online interactive map.
WikiCrimes (Furtado et al., 2010) is a collaborative system where users can register online information about criminal events in a specific geographic location via a map. Anyone can access WikiCrimes to add or consult information from a geo-referenced database. The main goals of WikiCrimes are to disseminate information about criminal incidents (that go unreported by the police) in the community and to allow users to keep track of such locations to make decisions in situations such as visiting an unknown neighborhood. WikiCrimes employs a user registration and a confirmation process to ensure the authenticity of the reported crime. The reporting user should identify at least one person other than him/her, who can confirm that the registered incident is true. Also, the users need to register their names and valid email addresses for reporting the incident.
In Thailand, a location-aware Smart Phone Emergency and Accident Reporting System (SPEARS) is proposed in Namahoot and Bruckner (2015), which allows users of an online social network (Facebook or Twitter) to quickly report emergencies and accidents to agencies such as the police, fire department and hospitals via an Android smartphone. These agencies can retrieve the current location of the emergency via GPS and send immediate help to the users involved in the emergency. Though it is an efficient tool for emergency reporting, it has a few limitations: (1) it can only be used in the Thai language, which is not useful for foreigners living in Thailand, and (2) SPEARS users must be identified by phone number and name before reporting an emergency or incident.
UbAlert (UbAlert LLC, 2008) is a global disaster alert social network that operates to save lives by sharing the knowledge of the world’s citizens with those in danger. UbAlert combines data from global institutions and data providers with crowd-sourced user accounts. Its global emergency warning platform validates the reliability of the reported content and, then, immediately alerts those who may be impacted, depending on the severity and location. Alerts contain basic event details, impact statistics, maps, images, and videos. Users can instantly share alerts with others to get them out of harm’s way via social networks like Facebook and Twitter. However, there is a limitation of UbAlert, i.e., the information reported by the users has to be examined for accuracy, and due to this reason, UbAlert only allows registered users to create and send alerts.
Liu et al. (2011) proposed a mobile + cloud system called Mapster that uses Twitter to help in the event of emergencies in real time. Mapster users can report specific events, with GPS coordinates automatically attached, by simply tapping on a couple of icons on the Windows Phone 7 platform. A cloud-based semantic data streaming service then fetches and processes these geo-referenced citizen reports and republishes them as geo-referenced streams that can be consumed through a set of Representational State Transfer (REST) Web Services. A map-based spatio-temporal animation tool on Windows Phone 7 allows users to visualize a set of data streams in real time, including the Twitter feeds and radar data, using the web services. However, Mapster has a few limitations: (1) it is not interoperable, (2) it does not provide the user’s current physical location information, which, if provided, could enable him/her to send an alert to nearby friends about the current situation at their locations, and (3) it lacks a mechanism to check the integrity of citizen-provided data.
Though all the systems referred to above provide effective online platforms for reporting and managing critical incidents nationally or internationally, they exhibit at least one of the following limitations: (1) they require manual checking and verification to differentiate between legitimate and fake incident reports; (2) the relevant emergency service provider may fail to take quick action due to a lack of complete information about the incident; and (3) they allow user re-identification. Of all these drawbacks, the re-identification of a user by means of his/her name, email address, phone number or location is the most relevant issue, since in most emergency situations witnesses are reluctant to report the incident because they do not want to be identified or to reveal their specific location for personal reasons, or because they fear being considered suspects of a crime. For example, a recent road accident survey in India revealed that around 74% of witnesses hesitate to report road accidents or help the victim due to legal hassles and fear of police harassment. Repeated questioning by the police, multiple court citations and even prosecution for unintentional accidental deaths prevent witnesses from extending a helping hand to people in need and from reporting the accident to the relevant authorities (Jha, 2016). Thus, anonymity is a desired property from the witness’s point of view. However, complete user anonymity may encourage users to report false incidents, which could result in a collapse of the emergency authority. Thus, the challenge lies in providing revocable privacy, i.e., protection of the witness’s privacy in the case of true incident reporting, and revocation of the witness’s anonymity when he/she reports a false incident. Also, a mechanism should be devised to encourage the witness to report legitimate information and to discourage false reporting.
Deriving a co-utility model based on game theory is a possible way to analyze the incentives of the witness and the members of his/her location-based group when reporting the incident to the Emergency Management System (EMS). The co-utility concept (Domingo-Ferrer & Megías, 2013) can be used to derive a co-utile protocol that promotes mutually beneficial collaboration between the witness and the other group members, in the sense that a witness improves his/her utility (anonymity and payoffs) by helping the other group members to increase their utilities (privacy and rewards). In our previous work (Qureshi, Rifà-Pous, & Megías, 2016), we introduced a location-based emergency management system based on a co-utility approach that allows witnesses to notify the EMS of an emergency in a timely manner while preserving their anonymity. Although the co-utility model proposed in Qureshi et al. (2016) provides a “rewards and punishments” mechanism, it does not provide anonymity to the rewarded users (participants of a true incident reporting group), who are required to interact with a third party to obtain their rewards, thus jeopardizing their privacy. Also, the feasibility of the scheme on smart devices was not demonstrated, and no security and privacy analysis of the protocols was provided.
In this paper, we propose a location-based critical incident reporting system that builds on our previous work (Qureshi et al., 2016). We improve on Qureshi et al. (2016) by introducing a “rewards and punishments” mechanism based on cryptocurrency payments, such that the awardee does not have to interact with a third party to obtain his/her rewards. A theoretical analysis of the proposed incident reporting protocol is performed in terms of its privacy and security properties, and experiments were performed to evaluate the performance of the reporting protocol. More specifically, the proposed incident reporting system aims to provide the following properties:
- 1. The system provides anonymity to the witness in such a way that he/she can create a dynamic, location-based group to report the incident-related information to the incident management authority (IMA) without revealing his/her real identity or any other personal information (Section 3.4.2). By using the concept of a group, the reports are linked to groups instead of to individual users (witnesses).
- 2. The system offers revocable privacy to the witness: it protects the witness’s anonymity until he/she is found responsible for false reporting. In that case, the witness can be identified by the distinguisher algorithm of the threshold discernible ring signature (Section 2.4.3) used in the proposed incident reporting protocol (Section 3.4.4).
- 3. In order to prevent misuse of the system by fake witnesses and to promote true incident reporting, a game-theoretic design inspired by the co-privacy (co-utility) approach (Domingo-Ferrer, 2011a, Domingo-Ferrer, 2011b) is employed, which provides a mechanism of rewards and punishments to encourage legitimate information and discourage false reporting (Section 2.5.3). In the case of true reporting, the witness and the group members receive rewards from the City Council (CC) in cryptocurrency. Similarly, on reporting a fake incident, the malicious participants receive a punishment from the CC in cryptocurrency (Section 2.6.1).
- 4. The system enables the user to create dynamic pseudonyms based on a one-way hash function, instead of using his/her real identity, to report the incident to the IMA anonymously.
- 5. To ensure anonymous communication between the witness and the IMA, a device-to-device (D2D) communication protocol (Section 2.2) and an anonymous key agreement protocol without authentication (Mollin, 2006) are used in the incident reporting protocol (Section 3.4.2).
- 6. The formal and informal security analyses show that the system provides security and revocable privacy to the witness and the group members, respectively (Section 4.1).
- 7. To show the practicality of the proposed scheme, experiments in a controlled scenario using real smart devices were performed to evaluate the computational costs in terms of the time required to form a group, generate the threshold discernible ring signature, and submit the report to the IMA (Section 4.2).
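Properties 2 and 4 above combine two mechanisms: a one-way hash turns the witness's identity into a fresh pseudonym per report, and a threshold mechanism lets the group re-identify the witness only when a report is found to be false. The threshold discernible ring signature itself is not described on this page, so the following added example (not code from the paper or its authors) uses a simpler stand-in for the revocation side: the witness's identity is escrowed among the n group members with Shamir secret sharing, so that any t of them can reconstruct it and fewer than t learn nothing. The pseudonym is an HMAC-SHA256 over identity and epoch under a key held only by the witness. All function names, the field prime, the sample key and the sample identity are this example's own assumptions.

```python
"""Illustrative stand-in (not the paper's construction): hash-based dynamic
pseudonyms plus a t-of-n identity escrow built on Shamir secret sharing."""
import hashlib
import hmac
import secrets

# Field for the shares: the Mersenne prime 2^521 - 1, so an identity of up to
# 65 bytes can be encoded as a single field element.
PRIME = (1 << 521) - 1


def derive_pseudonym(identity: str, key: bytes, epoch: int) -> str:
    """Dynamic pseudonym = HMAC-SHA256(key, identity || epoch), truncated to 128 bits.

    A new epoch yields a pseudonym unlinkable to earlier ones; without `key`
    the one-way function cannot be inverted back to `identity`.
    """
    msg = identity.encode() + b"|" + epoch.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, n_shares: int):
    """Shamir split: random polynomial of degree threshold-1 with constant term `secret`."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    returns a uniformly random field element, not the secret."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def escrow_identity(identity: str, threshold: int, n_members: int):
    """Encode the witness's identity as a field element and hand one share to
    each of the n group members; any `threshold` of them can re-identify."""
    raw = identity.encode()
    if len(raw) > 65:
        raise ValueError("identity too long for the field")
    return split_secret(int.from_bytes(raw, "big"), threshold, n_members)


def reveal_identity(shares, threshold: int) -> str:
    """Revocation step: refuse below the threshold, otherwise reconstruct."""
    if len(shares) < threshold:
        raise ValueError(f"{len(shares)} shares < threshold {threshold}")
    value = recover_secret(shares[:threshold])
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed sample key, held by the witness only
    ident = "witness-0042"          # constructed sample identity
    print("epoch 1 pseudonym:", derive_pseudonym(ident, key, 1))
    print("epoch 2 pseudonym:", derive_pseudonym(ident, key, 2))
    shares = escrow_identity(ident, threshold=3, n_members=5)
    print("re-identified by 3 of 5 members:", reveal_identity(shares[1:4], 3))
```

The split between `recover_secret` (no check) and `reveal_identity` (threshold enforced) is deliberate: the former makes it easy to verify that a sub-threshold coalition gets a random field element, while the latter is the interface a revocation procedure should expose. In a real deployment the shares would have to be bound to the signed report (which is what a threshold discernible ring signature does) so that members cannot submit shares for an identity that never signed anything.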
Outline of the paper: The rest of this paper is organized as follows. Section 2 presents the building blocks of the proposed system. In this section, we discuss in detail the reward and punishment model of the proposal based on game theory. Also, this section presents in detail the proposed bidirectional payment channels. Section 3 discusses the design and the five phases of the proposed incident reporting protocol. Formal proofs and informal security and privacy analysis for the threat model are presented in Section 4.1. Also, this section presents experimental results designed to evaluate the performance of the proposed reporting protocol (Section 4.2). Finally, Section 5 summarizes the conclusions and future research issues.
Building blocks
Our proposed incident reporting system employs an application programming interface (API) of an online social network, D2D communication, anonymous key exchange, a threshold discernible ring signature (TDS) scheme, a game theory-based co-utility model, and a blockchain-based cryptocurrency.
Proposed system
This section describes the architecture of the system proposed for the notification of location-based incident-related information to the IMA, which then takes appropriate action to resolve the incident.
Results and discussions
In this section, we provide an analysis of the proposed incident reporting system in terms of security, privacy, and performance.
Conclusions and future work
In this paper, we present a critical incident management system for mobile devices that aims to provide a timely response to those affected by the critical incident, anonymity to the witness, and prevention of fake reporting. The system is designed in such a way that a witness can become indistinguishable in a group of users. The formation of the location-based group is autonomous (the witness does not need the assistance of the system manager), and is only dependent on the proximity of the
CRediT authorship contribution statement
Amna Qureshi: Methodology, Software, Validation, Formal analysis, Investigation, Writing - original draft. Victor Garcia-Font: Methodology, Formal analysis, Writing - original draft. Helena Rifà-Pous: Conceptualization, Methodology, Supervision, Project administration, Writing - review & editing. David Megías: Methodology, Conceptualization, Supervision, Funding acquisition, Writing - review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgment
This work was partly funded by the INCIBEC-2015–02491 “Ayudas para la excelencia de los equipos de investigación avanzada en ciberseguridad”, RTI2018-095094-B-C22 “CONSENT”, and TIN2014-57364-C2-2-R “SMARTGLACIS.”
The authors thank Ms. Alice Keefer Riva for proofreading the manuscript. Also, the authors thank Dr. M. Shahwaiz Afaqui for his valuable contribution in performing the Wi-Fi Direct experiments.
References (42)
- Self-enforcing protocols via co-utile reputation management. Information Sciences (2016).
- Distributed multicast of fingerprinted content based on a rational peer-to-peer community. Computer Communications (2013).
- Collective intelligence in law enforcement – the WikiCrimes system. Information Sciences (2010).
- Taking advantage of collective knowledge in emergency response systems. Journal of Network and Computer Applications (2012).
- 802.11u 2011, I.S. (2011). IEEE standard for information technology-telecommunications and information exchange between...
- Random oracles are practical: a paradigm for designing efficient protocols.
- Social network sites: Definition, history, and scholarship. Journal of Computer-Mediated Communication (2007).
- Efficient and generalized group signatures.
- P2P group formation enhancement for opportunistic networks with Wi-Fi Direct. IEEE Wireless Communications and Networking Conference (WCNC) (2017).
- Coprivacy: an introduction to the theory and applications of cooperative privacy. SORT - Statistics and Operations Research Transactions (2011).
- Coprivacy: towards a theory of sustainable privacy.
- Co-utility: Self-enforcing protocols without coordination mechanisms.
- Security and privacy in device-to-device (D2D) communication: a review. IEEE Communications Surveys & Tutorials.
- Modeling unintended personal-information leakage from multiple online social networks. IEEE Internet Computing.
- Optimal group formation in dense Wi-Fi Direct networks for content distribution. IEEE Access.
Cited by (10)
- iPMRSS: An improved privacy-preserving medical record searching scheme for intelligent diagnosis in IoMT. 2024, Expert Systems with Applications.
- Optimal privacy preservation strategies with signaling Q-learning for edge-computing-based IoT resource grant systems. 2023, Expert Systems with Applications.
- HyperNet: A conditional k-anonymous and censorship resistant decentralized hypermedia architecture. 2022, Expert Systems with Applications. Citation excerpt: “For the system proposed in this paper we use threshold discernible ring signatures (TDS), a mechanism formalized in Kumar, Agrawal, Venkatesan, Lokam, and Rangan (2010). In Qureshi, Garcia-Font, Rifà-Pous, and Megías (2020), we use TDS to create an emergency reporting system which, in case of reporting a true emergency, enables the reporter to remain anonymous and get rewarded in cryptocurrency and, in case of a false emergency, the reporter can be de-anonymized and punished. These three procedures involve using cryptographic mechanisms such as equality signatures (Klonowski, Krzywiecki, Kutyłowski, & Lauks, 2008), knowledge signatures (Camenisch, 1997), and Shamir’s secret sharing scheme (Rivest et al., 2001).”
- Blockchain in humanitarian operations management: A review of research and practice. 2022, Socio-Economic Planning Sciences. Citation excerpt: “Blockchain can be particularly effective in sourcing information from crowds, especially when assisted by its ability to reward positive behavior. In Ref. [102], the authors propose a new framework for reporting crisis situations. They employ a cooperative game theoretic model to promote positive participation in the system by maximizing the players’ rewards when delivering accurate and truthful information to the emergency managers.”
- Privacy preservation using optimized Federated Learning: A critical survey. 2024, Intelligent Decision Technologies.
- Can the Ebola experience in West Africa help to combat the COVID-19 pandemic? Testing the critical incident management systems model in the COVID-19 context. 2023, Information Technology and People.