ChildRescue puts citizens at the center of the search and rescue process. The mobile app enables the public to act as social sensors, allowing them to receive information and provide feedback to the responsible organisations in order to effectively identify the location of a missing person. Preserving user privacy and security in this bi-directional communication is a core need that ChildRescue has recognized and must address to ensure that citizens' participation is maintained and expanded. To this end, privacy-preserving location-based alerts and geofencing techniques are applied.
Alerting the community about a missing child via the ChildRescue platform and smartphone app is designed to take place in selected circular areas with a specific radius.
This is defined by the case managers of missing children organisations based on the investigation data that they have for each specific case. For example, issuing an alert in ChildRescue involves sharing an active alert (of a specific case) in a selected area, for a specific time. This means that each user who is within this selected area during that specific timeframe will see the active alert in their mobile ChildRescue app, allowing them to submit information, which will go directly to the case manager to aid the search.
Additionally, the relevant notification mechanism in ChildRescue is implemented using privacy-preserving geofencing methods: the alert is generated for all community users, but only the users who are in the alert area at the time it is generated will receive the relevant notification. In fact, the installed ChildRescue mobile app decides whether the notification will be shown to the user or not, without sharing the location of the individual user, thereby preserving their privacy.
When a child alert is deployed, the devices inside the given geographic alerting area will immediately receive the missing child alert. However, determining which devices are in this area in a timely manner is a technical challenge.
Implementing notification geofencing and alerting – differences between iOS and Android
Initially, to achieve real-time location-based alerting, the developer has to decide whether the filtering is going to be implemented on the server or on the device. Implementing it on the server requires that every device's last known location be stored in the database and that, when an alert is to be deployed, all devices located inside the designated circular area be retrieved. This solution requires a significant amount of calculation and storage on the server, which scales with the number of users using the platform. On the other hand, deploying the alert to every device on the platform and having every device check whether it is situated inside the area allows for a faster deployment and only minor calculations on the device. Furthermore, it adds a higher level of privacy, as the device's location is never stored in the database.
On Android, where ChildRescue was initially implemented, when a new alert is deployed a silent push notification is sent to every ChildRescue device, containing the alert information plus the centre of the geographic area and its radius. The push notification is received by the Android operating system, which in turn wakes up the ChildRescue application in the background to process the alert. Finally, the ChildRescue application checks the device's last known location against the circular area, and if it lies inside the area the alert notification is displayed. Otherwise, it is discarded without disturbing the user.
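The on-device decision described above, as an added example that is not the ChildRescue app's code and is written in JavaScript rather than Android code. The payload field names (alertId, lat, lon, radiusM, expiresAt), the sample coordinates and the choice to suppress the alert when no location is known are assumptions.

```javascript
// Added illustration: on-device geofence filter for a silent alert push.
// Payload field names and the sample coordinates below are assumptions.
const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two {lat, lon} points (haversine).
function distanceMetres(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// Decide locally whether to display the alert. The last known location is
// only read here; the result is never reported back to the sender.
function handleSilentAlert(payload, lastKnown, now = Date.now()) {
  const { lat, lon, radiusM, expiresAt } = payload;
  if (![lat, lon, radiusM].every(Number.isFinite) || radiusM <= 0) {
    return { show: false, reason: "malformed-payload" };
  }
  if (Number.isFinite(expiresAt) && now > expiresAt) {
    return { show: false, reason: "expired" };
  }
  if (!lastKnown) {
    // Assumption of this sketch: without a location the alert is suppressed.
    return { show: false, reason: "no-location" };
  }
  const d = distanceMetres({ lat, lon }, lastKnown);
  return d <= radiusM
    ? { show: true, reason: "inside-area" }
    : { show: false, reason: "outside-area" };
}

// Constructed sample: an alert with a 5 km radius and two device locations.
const sampleAlert = { alertId: "demo-1", lat: 37.9838, lon: 23.7275, radiusM: 5000, expiresAt: 2000 };
const deviceInside = { lat: 37.9779, lon: 23.7440 };  // inside the circle
const deviceOutside = { lat: 37.9429, lon: 23.6470 }; // outside the circle
```
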
Attempting to follow the same approach on iOS ran into a number of difficulties. Although it is possible to send a silent push notification to an iOS device, there are a number of limitations. Firstly, Apple gives no guarantee regarding when these notifications will be delivered, or whether they will be delivered at all. These notifications are of lower priority and their sole intention is updating app data in the background. Secondly, if the application is terminated (e.g. the user removes it from the active applications stack), iOS will not re-awaken the application and any silent push notifications will be discarded. Both of these limitations are incompatible with the alert's purpose.
It is certainly possible to send a non-silent notification, which will be immediately forwarded to the application for processing by iOS. But in this case, the notification cannot be discarded; only its contents can be altered. Specifically, only the title/description of the notification can be modified. A notification is going to be displayed eventually, so a device outside the circular area would have to display a notification stating that it received an irrelevant alert. This scenario would be especially bothersome for the receiving user.
On account of the above limitations, it is clear that the alert cannot be filtered on the device for the iOS platform. Therefore, the filtering of alerts has to be done on the ChildRescue server, and to determine which devices must receive the alert notification, the device location must already be known to the server. To preserve user privacy, since ChildRescue utilizes Firebase to manage the notifications, the device's last known location is stored on the server under the device's unique FCM (Firebase Cloud Messaging) token. The FCM token is a unique device identifier for delivering notifications to the ChildRescue application and is not linked to the specific user on the ChildRescue server. To reduce the calculations required to retrieve the devices located within the given area, an optimized library named GeoFire is used. It stores the location as a geolocation hash, which means it translates a pair of coordinates into a single identifier that groups neighbouring locations together.
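The server-side selection described above, as an added example that is not ChildRescue's code and does not use GeoFire's API: it implements the standard geohash encoding directly and scans a small in-memory map instead of querying an index by hash prefix. The token strings, coordinates and the 7-character precision are assumptions.

```javascript
// Added illustration: geohashes keyed by FCM token; this is not GeoFire's API.
const BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz";

// Interleave longitude/latitude bisection bits, 5 bits per base32 character.
function encodeGeohash(lat, lon, precision = 7) {
  const range = { lat: [-90, 90], lon: [-180, 180] };
  let hash = "", bits = 0, value = 0, useLon = true;
  while (hash.length < precision) {
    const [r, coord] = useLon ? [range.lon, lon] : [range.lat, lat];
    const mid = (r[0] + r[1]) / 2;
    value <<= 1;
    if (coord >= mid) { value |= 1; r[0] = mid; } else { r[1] = mid; }
    useLon = !useLon;
    if (++bits === 5) { hash += BASE32[value]; bits = 0; value = 0; }
  }
  return hash;
}

// Centre of the cell a geohash names: the finest position the server holds.
function cellCentre(hash) {
  const range = { lat: [-90, 90], lon: [-180, 180] };
  let useLon = true;
  for (const ch of hash) {
    const v = BASE32.indexOf(ch);
    for (let bit = 4; bit >= 0; bit--) {
      const r = useLon ? range.lon : range.lat;
      const mid = (r[0] + r[1]) / 2;
      if ((v >> bit) & 1) r[0] = mid; else r[1] = mid;
      useLon = !useLon;
    }
  }
  return { lat: (range.lat[0] + range.lat[1]) / 2, lon: (range.lon[0] + range.lon[1]) / 2 };
}

// Equirectangular distance in metres; adequate for alert-sized radii.
function approxMetres(a, b) {
  const rad = Math.PI / 180;
  const x = (b.lon - a.lon) * rad * Math.cos(((a.lat + b.lat) / 2) * rad);
  return 6371000 * Math.hypot(x, (b.lat - a.lat) * rad);
}

// FCM tokens whose stored cell centre lies inside the alert circle.
function tokensInArea(store, centre, radiusM) {
  return [...store]
    .filter(([, hash]) => approxMetres(centre, cellCentre(hash)) <= radiusM)
    .map(([token]) => token);
}

// Constructed store: placeholder tokens mapped to geohashes, no user ids.
const store = new Map([["fcm-token-A", encodeGeohash(37.9779, 23.7440)],
                       ["fcm-token-B", encodeGeohash(37.9429, 23.6470)]]);
```
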
Evidently, implementing the same functionality for these two vastly different platforms may require vastly different approaches. Android provides more freedom to the developer, at the risk of resource abuse, which can potentially slow down the device or annoy the end user. On the other hand, iOS is strictly restrictive, attempting to preserve the device's speed and its users' will. Each platform has its own set of rules within which it operates, and one has to adapt to these rules to achieve the same results. ChildRescue has applied these rules in a privacy-preserving manner to establish a trusted channel of communication between the citizens and the responsible organisations.