Differentially Private Task Allocation Algorithm under Preference Protection

Mobile crowdsensing has been widely applied as a perception paradigm, and task allocation is a fundamental research issue in mobile crowdsensing. Existing task allocation algorithms under differential privacy are not suitable for preference protection scenarios, as they may inject too much noise. To this end, in this paper we propose a differentially private task allocation algorithm with preference protection, referred to as SLEPT. In SLEPT, we divide the privacy budget into three parts. Specifically, we first use one part of the privacy budget to perturb the location of each worker. Then we use another part of the privacy budget to perturb his preference information. In particular, to mitigate the problem that perturbation may leave some tasks unallocated, we propose a two-phase preference collection mechanism called TPC. Finally, we propose a task allocation sequential updating mechanism, TASU, using the remaining privacy budget. It aims to reduce the travel distance of workers and improve the success rate of task allocation. Theoretical analysis shows that SLEPT satisfies differential privacy. Time complexity analysis shows that its running time is linear in the number of tasks. The results on two public datasets verify the effectiveness of SLEPT. It is worth noting that although SLEPT is proposed for task allocation, its idea is also applicable to other crowdsensing scenarios, such as high-dimensional data collection.


I. INTRODUCTION
Mobile crowdsensing is a perception paradigm with excellent application prospects. It makes full use of the processing power of smartphones equipped with multiple sensors, and enables ordinary people to complete tasks that in the past had to be done by professionals [1]. Because of these advantages, crowdsensing has attracted extensive attention from academia and industry. It has a wide range of real-world applications, such as environmental monitoring [2] and intelligent transportation [3]. As a typical example, WAZE, an application for traffic monitoring and route navigation, has obtained more than 100 million downloads on Google Play, with a user score of 4.6 (out of 5) [4].
The running process of a typical crowdsensing system is as follows. First, participants are registered as candidate workers. When a new task arrives, each worker first selects the task he wants to do and submits his location to the server. Then the platform selects an appropriate subset of candidate workers to complete the task. Finally, these workers go to the target location, complete the task and submit the sensed values to the initiator of the crowdsensing campaign. Task allocation [5] is a core step of this process and the basis of crowdsensing. In particular, the travel distance of workers to the task location and the number of tasks successfully allocated are essential issues to be considered in task allocation. If the travel distance is too long, a worker may not be willing to perform the task, since it consumes considerable resources. For the initiators of crowdsensing, an increasing travel distance reduces their loyalty to the crowdsensing platform, because it brings high salary expenditure and large delays of the sensing results. Moreover, a low number of successful task allocations will make initiators unwilling to allocate tasks on the platform again. Therefore, following previous work, we use travel distance and the number of successfully assigned tasks as the utility measures of task allocation.
Suppose the platform knows the locations of the candidate workers. In that case, directly allocating tasks to nearby workers minimizes the travel distance. However, leakage of workers' locations often leads to leakage of home addresses, workplaces and other information, which makes workers unwilling to participate in the crowdsensing system. Moreover, the preference information of workers (that is, the set of tasks that a worker wants to do) also indirectly reveals the worker's location, because workers tend to choose as candidate tasks those whose locations are close to their homes or workplaces [6]-[8].
Existing privacy protection techniques based on cloaking [9] are often vulnerable to background knowledge attacks. For example, suppose the adversary knows that the user is a student. Then he can safely infer that the user is in the school area when the cloaking region covers both schools and government offices. Furthermore, some existing solutions require the participation of users and crowdsensing platforms together with the support of an additional trusted party, which makes them challenging to deploy. For example, some schemes rely on the cellular service provider to play a coordinating role between the user and the crowdsensing platform in order to protect privacy. In practice, however, the cellular service provider may lack the motivation to participate. In addition, there is no scheme that protects workers' preferences [10].
To this end, differential privacy (DP) [11] has recently emerged as the gold standard for privacy protection. Compared with traditional cloaking-based techniques, it provides a quantifiable privacy guarantee that is independent of background knowledge. Primarily, local differential privacy (LDP) [12] and Geo-Indistinguishability (Geo-I) [13] are used to protect workers' preference information and location privacy. Neither of them requires a trusted server, and both provide users with a quantifiable privacy protection strength comparable to DP. Typical implementation mechanisms of LDP and Geo-I are randomized response (RR) [14] and the Planar Laplacian (PL) [13], respectively.
Data are perturbed locally before the system uploads them to the server, which fundamentally protects user privacy. At present, the LDP model is used in many software products to provide privacy protection, such as Google's Chrome browser [14], Apple's iOS [15], and Microsoft's Windows Insiders program [16]. The Geo-I model has been applied in software such as LP-Guardian [17] and LP-Doctor [18] to provide location privacy protection. Therefore, this paper uses Geo-I and LDP to protect workers' location privacy and preference privacy, respectively.
However, directly adopting LDP and Geo-I for task allocation under preference protection faces two technical obstacles: 1) Perturbing whether each task is in a worker's preference set requires splitting the privacy budget many times. For example, suppose that the system allocates 100 tasks, and a worker u has 60 tasks left after eliminating the tasks he cannot do. Then, to protect u's preference information, the privacy budget ε needs to be divided into 60 parts. With such a small per-task budget, an existing LDP mechanism such as RR may report preference tasks that u does not actually want.
2) Suppose that a task t is only in the preference sets of workers u1 and u2. After the workers' preferences are protected, t may no longer be in the preference set of any worker. Then the system will never allocate the task t.
To overcome these two obstacles, we propose the SLEPT (taSk aLlocation prEference ProTection) algorithm. In SLEPT, we divide the privacy budget into three parts: ε1, ε2, and ε3. First, the PL mechanism with budget ε1 is used to perturb the position of each worker. Then, the part ε2 is used to collect the distribution of the workers' preference information. Next, each worker uses the part ε3 to perturb his preference set. Finally, the system allocates the tasks according to the perturbed preference sets and location information.
In summary, the main contributions of this paper are as follows: 1) A novel differentially private task allocation algorithm, SLEPT, is proposed, and we formally analyze its privacy and complexity. The main idea is that the server adaptively allocates the privacy budget while collecting the preference set information of each worker, and then assigns tasks sequentially so that the travel distance is as small as possible. SLEPT is suitable not only for task allocation but also for high-dimensional data collection.
2) In SLEPT, we design a two-phase preference collection (TPC). In TPC, the server adaptively allocates the privacy budget according to the number of times each task appears in the preference set.
3) In SLEPT, we develop a task allocation sequential updating mechanism (TASU). In TASU, each worker chooses the nearest task until the system has assigned all tasks or traversed all workers.
4) Privacy analysis shows that the proposed SLEPT algorithm satisfies differential privacy. Experimental results on two real datasets demonstrate the effectiveness of the proposed scheme.
The other parts of this paper are arranged as follows. Section 2 describes the related work involved in this paper. Section 3 analyzes the details of SLEPT. Section 4 verifies the effectiveness. We summarize this paper in Section 5.

A. Geo-INDISTINGUISHABILITY
Andres et al. [12] extended traditional differential privacy for numerical data to location protection scenarios and proposed Geo-Indistinguishability (Geo-I). In particular, they implemented Geo-I using the planar Laplacian (PL). Bordenabe et al. [19] explored constructing a mechanism that minimizes the loss of service quality; they used linear programming to obtain the optimal noise function.
Yu et al. [20] considered Geo-I and expected reasoning error to be two complementary concepts of location privacy and conducted formal research on them. Oya et al. [21] studied other aspects of privacy to avoid "error" choices. They further proposed a new mechanism and proved its effectiveness, which is optimal in terms of comparing adversaries' average errors.
Pyrgelis et al. [22] evaluated the impact of releasing aggregate location time-series on the privacy of individuals contributing to the aggregation. Chatzikokolakis et al. [23] studied these methods to improve the utility of location obfuscation. They provided such solutions for both infinite (continuous or discrete) and large but finite domains of locations, using a Bayesian remapping procedure as a key ingredient. ElSalamouny et al. [24] proposed the noise functions to satisfy a generic location privacy notion, obfuscating a user's location. Wang et al. [25] proposed a method to protect the location in mobile crowd sensing using local differential privacy preference. Takagi et al. [26] found the additional privacy loss of Geo-I for LBSs over road networks. They further proposed a new privacy concept to protect location privacy and designed a graph index mechanism. Oya et al. [27] provided an alternative formulation of Geo-I as an adversary error. They used it to show the tradeoff between privacy and utility.

B. LOCAL DIFFERENTIAL PRIVACY
In recent years, research on local differential privacy has received great attention. Duchi et al. [28] proposed a data collection framework for mean estimation and statistical risk minimization under local differential privacy (LDP), based on information theory. Erlingsson et al. [14] proposed the RAPPOR mechanism, based on randomized response, which collects binary attribute values under LDP. Building on RAPPOR, Fanti et al. [29] extended it to more complex statistical tasks based on the expectation-maximization algorithm, such as joint distribution estimation and association testing. They expanded the scope of RAPPOR to categorical attributes with a large number of unknown values (such as the homepage data of a user's browser). However, when the data dimension is high, the mechanism has high time complexity and slow convergence. Kairouz et al. [30] proposed an LDP mechanism for frequency estimation of binary single-attribute data and proved that it is optimal in the low-privacy regime. They further studied how to deal with categorical data with any number of values [31]. Bassily and Smith [32] proposed an asymptotically optimal scheme that constructs a succinct histogram of categorical attributes under LDP.
Nguyễn et al. [33] proposed a data collection method called Harmony. In particular, for each piece of high-dimensional data, the method randomly selects one dimension of the data. If the dimension corresponds to continuous data, it is collected with a continuous-value mechanism; if the dimension corresponds to discrete data, it is collected with a discrete mechanism. To obtain the frequent items of multidimensional data, Qin et al. [34] proposed a two-phase data collection method called LDPMiner. In the first phase, the candidate space of frequent items is initially determined from the noisy data using a succinct histogram mechanism. In the second phase, the method obtains accurate frequent items based on the RAPPOR mechanism. Wang Ning et al. [35] proposed an optimized LDP mechanism for collecting numerical single-attribute data and gave its multi-attribute extensions.

C. TASK ALLOCATION BASED ON DIFFERENTIAL PRIVACY
To et al. [36] introduced a differentially private framework that enables workers to participate without compromising their location privacy. In particular, they proposed an analysis model to measure the probability of task completion and found an appropriate partition to ensure a high success rate of task allocation under uncertain worker locations. Wang et al. [37] used the Geo-I method to protect the location privacy of workers and mixed integer nonlinear programming to minimize the expected travel distance of the selected workers. Wang et al. [38] provided a personalized probabilistic winner selection mechanism considering the number of workers with different protection needs; it assigns each task with maximum probability to the closest worker. Wang et al. [39] proposed a method to maximize the work efficiency of mobile workers and a future location coverage protection scheme under a location privacy guarantee. To et al. [40] proposed a three-stage framework to compromise the location privacy of staff and tasks, and designed three techniques to quantify the probability of reachability between tasks and workers. Gong et al. [41] proposed a new framework to achieve high task coverage through evaluation, together with an incentive pricing mechanism to guide workers to collect sensing data in areas of low worker density. Tao et al. [42] were the first to study the competitive ratio of differentially private online task allocation under a security guarantee. Song et al. [43] used the SAT model to solve the task assignment problem requiring workers with multiple skills, so that the assignment has the shortest worker travel distance and the lowest cost of employing workers, and proposed two greedy algorithms for task allocation. Béziaud et al. [44] solved the problem of privacy protection in a task assignment scenario requiring workers with different skills.
The worker's skill vector was perturbed in a way that satisfies differential privacy, so that the crowdsourcing platform could assign tasks without knowing the exact skill points of workers. Alamer et al. [45] addressed privacy-preserving task recommendation using Lagrange interpolating polynomials together with encryption technologies. Alamer et al. [46] proposed a novel secure and privacy-preserving scheme for enhancing security in vehicular clouds based on task announcements. Huang et al. [47] designed an efficient and privacy-preserving proximity testing scheme for location-based services, mainly based on encryption technologies to transfer obfuscated locations. In general, these three excellent papers explored different scenarios from ours and adopted different technologies: they focused on the security of workers' location privacy without considering preference privacy, and they need an additional trust management server because they rely on encryption. In contrast, we focus on task allocation with preference protection, guaranteeing both location privacy and preference privacy with differential privacy rather than encryption, using only one server.
To sum up, no existing research can conduct task allocation with high utility while protecting workers' locations and preference information, as existing schemes may inject too much noise and leave many tasks unassigned. Table I lists the frequently used notations of this paper.

A. TASK ALLOCATION
As shown in Eq. (1), given the worker set U and task set T, this paper needs to minimize the sum of the distances from workers to tasks, where I indicates whether a task is allocated to a worker. The first constraint states that a task can be done by only one worker. The second constraint states that each worker can do at most one task. The third constraint indicates that as many tasks as possible should be allocated. If the server knew the actual location of each worker, it would know the distance from each worker to each task, and the problem could be solved directly with existing linear programming tools. Fig. 1 presents an overview of the system considered in this paper; the sequence numbers represent the order of the steps. The system includes a worker set, a task set, and a server. The server receives information from the workers and then allocates the tasks. In particular, the server first accepts the task set and starts the allocation. Then it receives the candidate worker set and the related information of the workers, and allocates the tasks. Finally, the server notifies the selected workers of their corresponding tasks.
In this paper, we assume a semi-trusted environment and entities: all entities honestly execute the algorithm, but may try to infer the private information of workers during execution. The attackers of the system are the workers and the server. In addition, third-party attackers can observe the geographic location information uploaded by workers to the server (e.g., by packet capture on the network). This means that they can obtain almost the same information as the server.

C. GEO-INDISTINGUISHABILITY
The formal definition of Geo-Indistinguishability (Geo-I) is as follows: where r and θ denote the radius and angle of the noise, respectively. We obtain the marginal distributions of r and θ by integration. Then the radius r is generated as follows:
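The following is an added example, not code from the paper: a Planar Laplacian (PL) sampler of the kind Stage 1 of SLEPT calls with budget ε1, following the construction of Andrés et al. (uniform angle, radius with CDF C_ε(r) = 1 - (1 + εr)e^{-εr}); the radius is drawn by inverting C_ε with bisection rather than the Lambert W function, and coordinates are assumed to be planar, in km, with Euclidean distance. The `privacy_loss` helper checks the Geo-I bound ε·d(x, x') on the log density ratio of two candidate true locations.

```python
"""
Planar Laplacian (PL) mechanism for eps-Geo-Indistinguishability.
Added example, not the paper's implementation. Assumption: planar
coordinates in km with Euclidean distance.
"""
import math
import random


def euclid(a, b) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def radius_cdf(r: float, eps: float) -> float:
    """C_eps(r): probability that the noise radius is at most r."""
    return 1.0 - (1.0 + eps * r) * math.exp(-eps * r)


def inverse_radius_cdf(p: float, eps: float, tol: float = 1e-9) -> float:
    """Return r with C_eps(r) = p, found by bisection on the monotone CDF
    (a dependency-free replacement for the Lambert W_{-1} formula)."""
    lo, hi = 0.0, 1.0
    while radius_cdf(hi, eps) < p:       # widen the bracket until it covers p
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if radius_cdf(mid, eps) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def planar_laplace(loc, eps: float, rng: random.Random):
    """Stage 1: perturb the worker's true location with eps-Geo-I noise."""
    theta = rng.uniform(0.0, 2.0 * math.pi)
    r = inverse_radius_cdf(rng.random(), eps)
    return (loc[0] + r * math.cos(theta), loc[1] + r * math.sin(theta))


def pl_density(z, loc, eps: float) -> float:
    """Density of the PL output z given the true location loc."""
    return eps * eps / (2.0 * math.pi) * math.exp(-eps * euclid(z, loc))


def privacy_loss(z, loc_a, loc_b, eps: float) -> float:
    """Log-ratio of the PL densities at z for two candidate true locations.
    Geo-I requires this to be at most eps * d(loc_a, loc_b) for every z."""
    return math.log(pl_density(z, loc_a, eps) / pl_density(z, loc_b, eps))


def mean_radius(eps: float, n: int, seed: int = 0) -> float:
    """Empirical mean noise radius over n draws; the exact value is 2 / eps."""
    rng = random.Random(seed)
    origin = (0.0, 0.0)
    return sum(euclid(planar_laplace(origin, eps, rng), origin) for _ in range(n)) / n


if __name__ == "__main__":
    rng = random.Random(1)
    home = (2.0, 3.0)                     # constructed true location (km)
    print("obfuscated:", planar_laplace(home, eps=1.0, rng=rng))
    print("mean radius at eps=1:", mean_radius(1.0, 5000))
```

The mean radius 2/ε makes the utility cost of a given ε1 concrete: at ε1 = 1 per km the reported location is on average 2 km from the true one.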

D. LOCAL DIFFERENTIAL PRIVACY
The formal definition of Local Differential Privacy (LDP) is as follows:

E. COMBINATORIAL PROPERTIES
For some complex privacy protection problems, the RR or PL mechanism usually needs to be applied many times, and the privacy budget needs to be allocated reasonably. Specifically, we have the following theorems guaranteeing that such composite algorithms also satisfy differential privacy [11]: Theorem 1 (Sequential Compositionality): Suppose that there are the random algorithms 12   .
Each task has its two-dimensional position coordinates (longitude and latitude). Each worker has his position coordinates and a preference task set Si; Si is the set of tasks that worker i wants to do. In particular, the locations of tasks are public, while the workers' locations and preference sets need to be protected.
Moreover, we need to satisfy Geo-I for the locations of workers and LDP for the preference sets of workers. The goal of the server is to allocate all tasks with minimal total travel distance. We assume that each worker can do only one task, and each task can be selected by only one worker. Fig. 2 shows the overview of SLEPT. As can be seen, SLEPT consists of the following five stages:
Stage 1: Each worker uses the privacy budget ε1 to call the Planar Laplacian (PL) to perturb his location and submits the obfuscated location to the server;
Stage 2: Each worker uses the privacy budget ε2 to call Randomized Response (RR) to perturb the tasks in his own preference set;
Stage 3: The server computes statistics over the distribution of the perturbed tasks and sends the statistical information to each worker (the dotted line in the figure indicates the feedback from the server);
Stage 4: Based on the statistical information, each worker perturbs his own preference set unevenly using the privacy budget ε3, and then selects the task nearest to him, until all tasks are allocated or all workers are traversed;

FIGURE 2. Overview of SLEPT
Stage 5: The server informs the selected worker to go to the task location to do the task.

B. TWO-PHASE PREFERENCE COLLECTION
To collect preference information of workers and facilitate the task allocation, we design a Two-phase Preference Collection (TPC).
In the first phase of TPC, each worker uses the privacy budget ε2 to perturb the tasks in his preference set S by calling the RR mechanism. For each task in S, the privacy budget is ε2/|S|. After the perturbed preference set is sent to the server, the server invokes Eq. (9) to obtain an unbiased estimate of the task counts after perturbation. In this paper, Q denotes the array of unbiased estimates. Consider an example with four tasks t1, t2, t3, t4, where the preference information of each worker is shown in Table 2. The privacy budget of each worker for each task in his preference set is ε2/2. After calling the RR mechanism, the preference set of u1 may become {t2, t3}. In this way, each worker sends his perturbed preference set to the server, which obtains the count information of each task. For example, Q = {2, 1, 3, 2} means that task t1 appears in the preference sets of two workers. Then the server calls Eq.
Fig. 3 is the schematic diagram of the second phase of TPC. In addition to the uneven allocation of the privacy budget, this paper combines the task allocation sequential updating (TASU) mechanism (introduced in the next part) to further reduce the splitting of the privacy budget. In particular, if a task has already been allocated to a previous worker ui-1, then for the following worker ui no privacy budget is split for that task, even if it is still in the preference set of ui. As shown in Fig. 3, no privacy budget needs to be split for task t2 (indicated in red). In the second phase of TPC, we observe that the fundamental reason why some tasks are not allocated is that they appear less frequently as preference tasks. To protect preferences, the perturbed preference tasks may end up in no worker's preference set, or a task may be in the preference set of a worker who has already been allocated another task. As a result, such a task can never be allocated.
Based on this observation, this paper proposes that, when the preference sets of workers are perturbed, a higher privacy budget should be allocated to the tasks with lower frequency, to avoid the above situation as far as possible. Therefore, this paper allocates the privacy budget according to the F array. Pseudocode 1 describes the two-phase preference collection (TPC) approach.

C. TASK ALLOCATION UPDATING
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3161544, IEEE Access
To further reduce the splitting of the privacy budget when collecting preference sets, we develop the Task Allocation Sequential Updating method (TASU).

FIGURE 4. Overview of TASU
In particular, as shown in Fig. 4, this paper traverses the workers one by one. Each worker first calls PL to perturb his location using the privacy budget ε1. He then partitions ε3 using the F array, perturbs his preference set, and selects the task closest to his perturbed position. In particular, suppose task t1 has already been allocated to u1. In that case, no privacy budget needs to be split for task t1 even if it is in the preference set of u2. The traversal continues until all tasks are allocated or all workers are traversed. Finally, if some tasks remain unallocated and some workers remain unselected, the remaining tasks are allocated to the workers closest to them. Pseudocode 2 describes the task allocation sequential updating method (TASU); only its second half survives here:
        If tj has been allocated, then no privacy budget is split for it;
        Workers choose the nearest task to do;
    end
end
The server marks the non-allocated task set as TT;
The server marks the unselected worker set as UU;
for tj in TT do
    for ui in UU do
        If tj is in Si, then tj is allocated to ui;
        Remove the worker who has been allocated from UU;
    end
end
return R;
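The following is an added example, not the paper's own code, that puts together the RR-based preference collection of TPC (phase 1 with an even split of ε2, phase 2 with an uneven split) and the TASU traversal of Pseudocode 2 on constructed data. Assumptions: worker locations are already PL-perturbed 2-D points in km; in phase 1 each worker spends ε2 evenly over the membership bits he reports (one bit per task); in TASU a worker's ε3 is split over the still-open tasks in inverse proportion to their estimated frequency (the paper's F-array rule is not reproduced, this weighting is a stand-in); leftover tasks go to the nearest unselected worker, as the prose above states.

```python
"""
TPC (RR preference collection) + TASU (sequential allocation) on constructed
data. Added example, not the paper's implementation; see the assumptions in
the lead-in and the comments below.
"""
import math
import random
from typing import Dict, List, Set, Tuple

Point = Tuple[float, float]


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def keep_prob(eps: float) -> float:
    """RR keeps the true bit with probability e^eps / (1 + e^eps)."""
    return math.exp(eps) / (1.0 + math.exp(eps))


def rr_bit(bit: bool, eps: float, rng: random.Random) -> bool:
    return bit if rng.random() < keep_prob(eps) else not bit


def perturb_preferences(pref: Set[str], shares: Dict[str, float],
                        rng: random.Random) -> Set[str]:
    """Apply RR to the membership bit of every task that received a budget share.
    Tasks without a share (already allocated) are not reported at all."""
    return {t for t, eps in shares.items() if rr_bit(t in pref, eps, rng)}


def collect_phase1(workers: Dict[str, Tuple[Point, Set[str]]], tasks: List[str],
                   eps2: float, rng: random.Random) -> Dict[str, float]:
    """Phase 1 of TPC: every worker reports an RR-perturbed set; the server
    returns an unbiased estimate Q[t] of how many workers prefer task t.
    Assumption: eps2 is split evenly over all reported bits (eps2 / |T|)."""
    per_task = eps2 / len(tasks)
    p = keep_prob(per_task)
    q = {t: 0.0 for t in tasks}
    for _, pref in workers.values():
        report = perturb_preferences(pref, {t: per_task for t in tasks}, rng)
        for t in tasks:   # de-bias each bit: E[b] = (1 - p) + (2p - 1) * truth
            q[t] += ((t in report) - (1.0 - p)) / (2.0 * p - 1.0)
    return q


def budget_shares(eps3: float, open_tasks: List[str], q: Dict[str, float]) -> Dict[str, float]:
    """Phase 2 split of eps3: rarer tasks get a larger share (inverse-frequency
    weighting, an assumed rule standing in for the paper's F array)."""
    w = {t: 1.0 / max(q[t], 1.0) for t in open_tasks}
    total = sum(w.values())
    return {t: eps3 * w[t] / total for t in open_tasks}


def tasu(workers, tasks, task_loc, eps3, q, rng) -> Dict[str, str]:
    """Sequential allocation; returns {task: worker}."""
    alloc: Dict[str, str] = {}
    chosen: Set[str] = set()
    for wid, (loc, pref) in workers.items():
        open_tasks = [t for t in tasks if t not in alloc]   # allocated tasks get no share
        if not open_tasks:
            break
        noisy = perturb_preferences(pref, budget_shares(eps3, open_tasks, q), rng)
        if noisy:   # nearest task among the perturbed preference set
            t = min(noisy, key=lambda x: dist(loc, task_loc[x]))
            alloc[t] = wid
            chosen.add(wid)
    for t in tasks:   # leftover tasks go to the nearest unselected worker
        if t in alloc:
            continue
        left = [w for w in workers if w not in chosen]
        if not left:
            break
        w = min(left, key=lambda x: dist(workers[x][0], task_loc[t]))
        alloc[t] = w
        chosen.add(w)
    return alloc


def evaluate(alloc, workers, task_loc, n_tasks) -> Tuple[float, int]:
    """ATD (Eq. 10) in km over the allocated tasks and UNT (Eq. 11)."""
    if not alloc:
        return 0.0, n_tasks
    atd = sum(dist(workers[w][0], task_loc[t]) for t, w in alloc.items()) / len(alloc)
    return atd, n_tasks - len(alloc)


# Constructed sample: four tasks and three workers with perturbed locations (km).
TASKS = ["t1", "t2", "t3", "t4"]
TASK_LOC = {"t1": (0.0, 0.0), "t2": (1.0, 0.0), "t3": (0.0, 1.0), "t4": (3.0, 3.0)}
WORKERS = {
    "u1": ((0.1, 0.1), {"t1", "t2"}),
    "u2": ((1.2, 0.0), {"t2"}),
    "u3": ((0.0, 1.1), {"t1", "t3"}),
}

if __name__ == "__main__":
    rng = random.Random(7)
    q = collect_phase1(WORKERS, TASKS, 2.0, rng)
    alloc = tasu(WORKERS, TASKS, TASK_LOC, 2.0, q, rng)
    print(q, alloc, evaluate(alloc, WORKERS, TASK_LOC, len(TASKS)))
```

Rerunning with a small ε3 shows the trade-off the paper measures: the RR flips move workers onto tasks they do not prefer (higher ATD) or leave rare tasks such as t4 unreported (higher UNT).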
Proof: In SLEPT, only Stage 1, Stage 2 and Stage 4 access the original locations or preference information.
According to Theorem 2, the overall system satisfies differential privacy.

E. COMPLEXITY ANALYSIS
From Section IV.A, we can see that the algorithm consists of five stages in total. In Stage 1, each worker uses the PL mechanism to add noise and consumes ε1. The time complexity shows that the running time of SLEPT is linear in the number of tasks.

A. DATASET
We use two publicly available datasets collected from Foursquare to assign tasks: New York (NYC), and Tokyo (TKY). In particular, NYC contains 227428 check-in points and TKY has 573708 check-in points. In this paper, 300 check-in points are randomly selected as task locations and 500 check-in points as workers' positions for task allocation.

B. EXPERIMENTAL SETUP
We use Average Travel Distance (ATD) and Unassigned Number of Tasks (UNT) to evaluate the utility of the final (noisy) task allocation results.
Eq. (10) defines ATD, which is reported in km, where R denotes the set of successfully allocated tasks and d(R) denotes the travel distance of the worker assigned to the corresponding task in R. Eq. (11) defines UNT, where N denotes the number of tasks.

C. BASELINES
According to the analysis of related work, the existing schemes are not applicable to the problem of this paper. To verify the effectiveness of the proposed scheme, we compare the SLEPT algorithm with the following schemes.
1) NoPriv: this comparative method is given to measure the utility loss caused by privacy protection. The server uses existing solvers together with the actual information of workers to solve Eq. (1) and obtains the final task allocation result directly;
2) LPA (Linear Programming Approach) [38]: in this method, each worker first uses half of his privacy budget to perturb his preference information and sends it to the server. The server obtains the task allocation result by calling the algorithm in [38]. In particular, following the original authors' suggestion, the size of each grid is set to 1 km * 1 km;
3) PBA (Probability-based Approach) [41]: in this method, each worker calls the method in [40] when calculating the distance from his perturbed position to the task position. When the probability that the obtained distance exceeds the distance threshold (such as the distance to other tasks) is > 0.5, other tasks are allocated to the worker;
4) TSA (Two-Server Approach) [37]: in this method, each worker first uses half of his privacy budget to perturb his preference information and sends it to the server, and then the server calls the algorithm in [36] to obtain the task allocation result;
5) TBA (Tree-based Approach) [43]: in this method, each worker first uses half of his privacy budget to perturb his preference information and sends it to the server. The server then calls the algorithm in [42] to obtain the task allocation result.
The results are shown in Fig. 5. Fig. 5 (a) and Fig. 5 (b) show the changes of ATD (Average Travel Distance) on the NYC dataset and the TKY dataset, respectively. Fig. 5 (c) and Fig. 5 (d) show the changes of UNT (Unassigned Number of Tasks) on the NYC dataset and the TKY dataset, respectively.

D. PERFORMANCE COMPARISON
As can be seen from Fig. 5, the utility of all algorithms improves as ε increases: both ATD and UNT become smaller. This is because, as ε increases, the total noise in all algorithms is reduced. In addition, the SLEPT algorithm performs best. This is because the two-phase preference collection (TPC) algorithm and the task allocation sequential updating method (TASU) of this paper significantly reduce the noise in the algorithm. As for the LPA, PBA, TSA and TBA algorithms, the improper collection of preference tasks leads to many tasks being allocated to non-optimal workers, so their ATD values are large. At the same time, incorrect collection of preference tasks leads to a mismatch between the collected preference set and the worker's actual preferences. In such a case, even if the server assigns tasks to such workers, they will refuse to perform them in the final task execution stage.
2) The Effectiveness of TPC
To verify the effectiveness of the proposed TPC module, we set up this part of the experiments. The experimental results are shown in Fig. 6. The horizontal axis represents the total privacy budget, and the vertical axis represents ATD or UNT. In addition, SLEPT+ denotes the method without the TPC module. That is, it uses one half of the privacy budget to perturb the locations of workers and the other half to collect the preference information of each worker, and then traverses each worker for task allocation.
3) The Effectiveness of TASU
To verify the effectiveness of the TASU module, we set up these comparative experiments. The experimental results are shown in Fig. 7. The horizontal axis represents the total privacy budget, and the vertical axis represents ATD or UNT. SLEPT- denotes the method without the TASU module. That is, it uses ε1 to perturb the location of each worker and adopts TPC to collect the preference information. Then, the server performs greedy task allocation based on the locations and preference information.
As shown in Fig. 7, the SLEPT algorithm is significantly better than SLEPT-. Through sequential updating, we can allocate each task to a worker who really prefers it. In contrast, greedy allocation causes tasks not to be allocated to the proper workers. In such cases, on the one hand, if tasks are not allocated to the optimal workers, ATD increases. On the other hand, if no worker prefers to do the remaining tasks, UNT increases.

VI. CONCLUSION
Focusing on the task allocation problem under preference protection, we propose a task allocation algorithm SLEPT while satisfying differential privacy. We show it satisfies differential privacy. In particular, to improve the success rate of task allocation as much as possible, we design a two-phase preference collection mechanism TPC. To reduce the travel distance of workers and improve the success rate of task allocation, we develop a task allocation sequential updating mechanism TASU. Experimental results on two public datasets verify the effectiveness of SLEPT. In addition, the idea of SLEPT can be used for other applications in the context of crowdsensing scenarios with privacy protection.