Preliminary Conclusions

We have outlined a potential solution to the challenge of integrating privacy-enhancing mechanisms into sensor systems. This approach promises to strengthen user privacy protection compared to solutions at the database level because it prevents collection of privacy-sensitive data. From our ongoing work, we draw the following experiences and preliminary conclusions:

• Designing privacy protection into sensor systems seems feasible albeit the current design suffers from a substantial communication overhead to defend against traffic analysis. This is especially concerning, if sensors have a very restricted energy budget.
• Privacy concerns influence system design especially in the area of networking protocols.
• Needed is a formal, likely probabilistic, model for location anonymity that captures the notion of a continuous stream of data. This would enable a better evaluation of the privacy protection afforded by such systems.
• Finally, a better understanding of the location data accuracy requirements for different classes of applications would enable an analysis of the level of anonymity that can be sustained for such applications.