CityOS: Privacy Architecture for Urban Sensing
Giorgio Cavicchioli, Mark Chen, Navid Salami Pargoo, Shuren Xia, Xiaotian Zhou, Roxana Geambasu, Jason Nieh, and Jorge Ortiz

TL;DR
CityOS is a privacy-focused operating system for urban sensing that manages data access and privacy policies across different spatial scopes, enabling practical applications while safeguarding individual privacy.
Contribution
It introduces a three-tier API architecture for urban sensing data access, enforcing privacy constraints and supporting diverse applications in city environments.
Findings
Supports real-time and longitudinal urban sensing applications.
Enforces differential privacy with user-controlled budgets.
Demonstrates practical deployment across multiple city sensing scenarios.
Abstract
Cities are rapidly deploying sensing infrastructure -- cameras, environmental sensors, and connected kiosks -- that continuously observe public spaces, yet they lack a system architecture governing how applications access, aggregate, and retain this data, creating privacy risks and preventing consistent policy enforcement. We present CityOS, an operating system for urban sensing that mediates application access to sensor data through a three-tier API inspired by structured, privacy-conscious web interfaces. The tiers expand the spatial scope of data access while imposing progressively stronger privacy constraints: On-Scene supports real-time sensing with raw data confined to the local context; Single-Locality Aggregation enables differentially private longitudinal statistics at a fixed location; and Cross-Locality Aggregation supports citywide analytics via aggregation across locations,…
