The ubiquitous collection of environmental, ambient and contextual data to monitor, control and optimize the most diverse processes is a long-cherished vision of the modern digital information society. Recently, above all the increasing proliferation of smart phones and various Internet-of-Things initiatives have advanced this vision. However, two problems still prevent this vision from becoming a reality: (1) Many applications require a huge number of sensors to achieve adequate spatial coverage and density. Having each application deploy their own sensors is often technically or financially infeasible and most of all a waste of resources. (2) The collected data potentially enables extraction of information that greatly supersedes the application requirements and can harm users' privacy. Primarily aiming at functionality, many applications neglect these privacy issues (for lack of awareness or expertise in protection mechanisms). Current political discussions, e.g. about collection of image, video and WiFi data in public spaces, shows the importance of this topic.

The goal of the PREserv project is to design and implement a flexible basis for privacy-preserving collection, processing and visualisation of (sensor-) data in public spaces. The system will allow for spontaneous collection of heterogeneous data based on a small set of sensors with manifold capabilities. Unlike existing applications, the PREserv architecture seperates applications from data collection, thus allowing multiple diverse applications to be deployed on the same network of sensors. In order to protect privacy of data subjects, PREserv defines a data model that allows abstracting raw data to higher level information, which is annotated with different access and privacy levels. Any requesting application gets access only to the abstracted information based on its individually granted access and privacy level. PREserv will thus enable fast and easy deployment of novel applications, which were hitherto prohibitive due to privacy concerns and data protection legislation.

The PREserv architecture achieves theses goals by rigorously following four design paradigms:

  • Flexibility: PREserv defines the concept of Virtual Sensors, which can be flexibly arranged in a hierarchy to collect, process and communicate data from a set of actual sources (native sensors) to the data-consuming application. Virtual Sensors can implement different functionalities, aggregation mechanisms or privacy protection. The functionality of a Virtual Sensor can be modified and extended at run time.
  • Data Parsimony: Any raw data as collected by native sensors is abstracted to information as early as possible, i.e. as close to the source as possible. The requesting application gets access only to the information that is required for its functionality and nothing else. Abstraction levels can be defined considering the semantics of the data item or using general PETs such as k-anonymity or Differential Privacy.
  • Decentralization: PREserv is designed as a distributed and decentralized architecture, allowing the integration of different administrative domains, sensor owners and applications. Data is never centrally collected and no central entity holds complete control. Permissions and identities as well as cross-domain collaboration is handled via certificates and corresponding public key infrastructures.
  • Transparency and Accountability: A request by an application is potentially processed by many Virtual Sensors, each of which may need to alter the original request. Any such modification and processing step is visible to both the requester and data subject. E.g., a data subject is assured that her data is indeed passed through a Virtual Sensor that applies a k-anonymous masking, while a requesting application is assured that information was extracted from the correct sensors.

The following three applications scenarios show how the PREserv system will work:

  • Smart City: The PREserv architecture could be deployed in an urban environment to supply a citizen information portal with real-time information about traffic, air quality, noise and crowds. To protect privacy, such information is aggregated in its granularity and visualised in a virtual 3D model of the city. An example request to this system could be the number of persons at a particular place. According to the requesters access level, this request would be answered with the exact number, an interval (e.g., 50 - 60 persons) or a threshold (e.g. over 100 persons) as well as a fine or less granular position of them.
  • Smart Buildings: The PREserv architecture could be deployed in a (public) building to collect information about the work climate (noise pollution, activity, temperature, light, ...) or to build usage profiles for different rooms in order to optimise resource allocation. PREserv could here be integrated with the existing building management systems and its sensors. Since the raw data allows also to violate employee privacy, e.g. by using it for surveillance, PREserv spatially and temporally aggregates the data already in the network before it can be collected by a central (potentially malicious) entity.
  • Smart Employee: Mobile, wearable sensors (e.g. Smart Phones) can be integrated into the PREserv architecture, which allow employees to localize themselves and be localized inside buildings. In order to prevent employee surveillance, the positions of employees are only made accessible based on different granularity levels (e.g., exact, room, floor, k-anonymous,..) based on the requester's access privileges.



  • Patrick Marx
  • Joel Pepper
  • Shahrooz Afsharipour
  • Alexander Paulus
  • Sam Nikobonyadrad

Project Partners


For questions and inquiries regarding the PREserv project, please contact:

   Jan Henrik Ziegeldorf
   Security and Privacy Research Group

   E-Mail: ziegeldorf at
   Phone: 0049 241 80 21411




- Impressum | Datenschutz -