Liu, Xuan
Article History
Received: 4 August 2025
Accepted: 17 October 2025
First Online: 21 November 2025
Declarations
The authors declare no competing interests.
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
This study was conducted in accordance with ethical standards and received approval from the Institutional Review Board of East China Normal University (Ethics Committee Reference: ECNU-IRB-2024-078). All data collection activities in public urban spaces were conducted with appropriate permissions from municipal authorities and property management entities.
A municipal data trust was established to oversee sensor data collection, storage, and usage policies. The trust includes representatives from the municipal planning department, privacy advocacy organizations, academic institutions, and community members. Quarterly audits conducted by an independent ethics board (Shanghai Data Ethics Commission) review data handling practices, assess compliance with privacy regulations, and evaluate public concerns. Data access is tiered according to sensitivity level: aggregate statistics (e.g., daily visitor counts, average dwell times) are publicly available via an open data portal; de-identified behavioral data (e.g., movement trajectories, activity patterns) are accessible to approved researchers under data use agreements; individual-level tracking is strictly prohibited, with technical safeguards preventing re-identification.
Visual data undergoes real-time processing with immediate source deletion to minimize privacy risks. Facial features are automatically blurred using OpenCV Haar Cascade classifiers before any storage or transmission; only skeletal movement vectors (17 body keypoints without facial features) are retained for crowd analysis; original high-resolution footage is purged within 48 h and never stored in retrievable formats. Acoustic data is processed exclusively for activity signature detection (spectral energy patterns, sound event classification)—speech content is never transcribed, stored, or analyzed. Audio recordings are downsampled to 8 kHz (insufficient for speech intelligibility) and filtered to remove frequency ranges containing human voice information (300–3400 Hz), retaining only ambient noise signatures for activity level assessment. Environmental sensor data is inherently non-personally-identifiable.
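As an added example (not code from the paper or its deployed system), the acoustic minimization step described above in pure Python: decimate to 8 kHz, zero the 300–3400 Hz voice band, and measure how much voice-band energy survives before a frame is allowed into storage. The 48 kHz capture rate, the test signal and the `safe_to_store` threshold are assumptions.

```python
import cmath
import math

SRC_RATE = 48_000        # assumed microphone capture rate (not stated in the paper)
TARGET_RATE = 8_000      # downsampling target stated in the paper
VOICE_BAND = (300.0, 3400.0)   # band the paper removes before retention

def downsample(samples, src_rate=SRC_RATE, target_rate=TARGET_RATE):
    """Integer decimation; each block is averaged as a crude anti-alias filter."""
    factor = src_rate // target_rate
    return [sum(samples[i:i + factor]) / factor
            for i in range(0, len(samples) - factor + 1, factor)]

def dft(frame):
    n = len(frame)
    return [sum(frame[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]

def idft(spectrum):
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]

def _bin_hz(k, n, rate):
    return min(k, n - k) * rate / n     # fold negative-frequency bins onto positive ones

def band_energy_ratio(frame, rate, band=VOICE_BAND):
    """Fraction of the frame's spectral energy that lies inside `band` (Hz)."""
    spec = dft(frame)
    n = len(spec)
    total = sum(abs(c) ** 2 for c in spec)
    inside = sum(abs(spec[k]) ** 2 for k in range(n) if band[0] <= _bin_hz(k, n, rate) <= band[1])
    return inside / total if total else 0.0

def remove_voice_band(frame, rate=TARGET_RATE, band=VOICE_BAND):
    """Zero every DFT bin inside the voice band and resynthesize the frame."""
    spec = dft(frame)
    n = len(spec)
    for k in range(n):
        if band[0] <= _bin_hz(k, n, rate) <= band[1]:
            spec[k] = 0
    return idft(spec)

def minimize_audio(samples, src_rate=SRC_RATE):
    return remove_voice_band(downsample(samples, src_rate), TARGET_RATE)

def safe_to_store(frame, rate=TARGET_RATE, threshold=0.01):
    """Storage gate (assumed threshold): reject frames that still carry voice-band energy."""
    return band_energy_ratio(frame, rate) < threshold

def constructed_capture(duration_s=0.05, rate=SRC_RATE):
    """Constructed input: a 100 Hz ambient hum plus a 1 kHz tone standing in for speech."""
    return [math.sin(2 * math.pi * 100 * t / rate) + 0.5 * math.sin(2 * math.pi * 1000 * t / rate)
            for t in range(int(duration_s * rate))]
```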
Eight community consultation sessions (April–June 2024, N = 127 total attendees) incorporated feedback from privacy advocates, disability rights organizations, elderly community groups, and local residents before system deployment. Key concerns raised included: (1) perceived surveillance and lack of transparency; (2) potential for discriminatory algorithmic bias; (3) accessibility of system benefits for diverse populations. In response, the following modifications were implemented: “privacy zones” were established in 3 designated areas where all visual/acoustic sensors are hardware-disabled, providing surveillance-free spaces (clearly marked with signage); an opt-out mechanism was developed via a smartphone application (Bluetooth beacon broadcasting allows individuals to signal opt-out status, triggering automatic blurring in their vicinity); algorithmic fairness audits examined design interventions for disparate impacts across demographic groups (age, mobility status), with corrective weighting applied to ensure equitable access; public feedback channels were established (dedicated email, physical suggestion boxes, monthly community meetings), enabling ongoing input into system operations.
System design adheres to GDPR Article 25 (privacy by design and by default) principles despite deployment in China, anticipating future international deployment. Data minimization ensures only essential information is collected; purpose limitation restricts data use to urban design optimization (prohibiting secondary uses such as law enforcement or commercial profiling); storage limitation enforces automatic deletion after retention periods (behavioral data after 90 days, aggregate statistics after 5 years). Municipal ordinance (Shanghai Urban Planning Regulation § 12.7.4, enacted May 2024) requires annual public reporting on system data usage, performance metrics, and privacy incident logs. Independent privacy impact assessments are conducted biennially by external auditors.
Despite comprehensive safeguards, inherent ethical tensions remain unresolved. The system creates potential for “function creep”—existing sensing infrastructure could be repurposed for more invasive surveillance applications beyond original design intent, particularly if governance structures weaken or political contexts change. Long-term retention of any behavioral data, even de-identified, poses cumulative re-identification risks as external datasets proliferate and linkage attacks become more sophisticated. Public space monitoring inherently constrains individual privacy expectations, creating a chilling effect where people may alter behaviors knowing they are observed, potentially undermining the authentic usage patterns the system aims to understand. Clear governance structures, strong legal protections, robust community oversight, and ongoing ethical review are essential safeguards against misuse, though they cannot eliminate all risks inherent in ubiquitous sensing environments.