Privacy-Aware Task Assignment for IoT Audit Applications on Collaborative Edge Devices

To meet the rapidly increasing demand for Internet of Things (IoT) applications, edge computing, as a novel computing paradigm, can combine devices at the edge of the network to collaboratively provide computing resources for IoTapplications. However, the dynamic, heterogeneous, distributed, and resource-constrained nature of the edge computing paradigm also brings some problems, such as more serious privacy leakages and performance bottlenecks. Therefore, how to ensure that the resource requirements of the application are satisﬁed, while enhancing the protection of user privacy as much as possible, is a challenge for the task assignment of IoT applications. Aiming to address this challenge, we propose a privacy-aware IoT task assignment approach at the edge of the network. Firstly, we model the resource and privacy requirements for IoTapplications and evaluate the resource satisfaction and privacy compatibility between edge devices and tasks. Secondly, we formulate the problem of privacy-aware IoTtask assignment on edge devices (PITAE) and develop two solutions to the PITAE problem based on the greedy search algorithm and the Kuhn–Munkres (KM) algorithm. Finally, we conduct a series of simulation experiments to evaluate the proposed approach. The experimental results show that the PITAE problem can be solved eﬀectively and eﬃciently.


Introduction
With the development of the Internet of ings (IoT), various IoT applications emerge as the times require, such as disaster relief, public safety, and face recognition [1][2][3]. According to Garner [4], the global IoT-enabled applications and infrastructure market will represent a 33 billion US dollar opportunity in 2025. IoT applications usually have a large amount of data that need to be processed in time. Hence, they have strict requirements on computing resources, response time, and privacy [5][6][7]. e traditional cloud-centric task processing model fails to meet these requirements, because it often needs to transmit a large amount of data to the cloud, which increases network transmission delay and network traffic [8].
To address the shortcomings of the cloud model, researchers have proposed edge computing [9,10]. As a novel computing paradigm, edge computing can combine the resources of multiple devices at the edge of the network to provide task processing for IoT applications [11,12]. With the wide adoption of wireless sensing and communication technology, a large number of IoT devices are emerging at the network edge, such as closed-circuit television (CCTV) cameras, smartphones, tablets, smart watches, smart home devices, and smart vehicles. Due to limited resources, these devices are generally only responsible for data collection and preprocessing, while complex data analysis work is offloaded to edge servers or cloud servers.
Supported by the advances in hardware and networking technologies, IoT devices are constantly increasing in resources and processing capabilities. ey communicate with each other to collect and share data, and immediately process tasks near the data source [13,14]. Edge computing has recently moved beyond the initial principle of utilizing IoT devices to collect and preprocess sensory data and is now able to combine and coordinate multiple IoT devices to provide processing for IoTapplications [1,14,15]. erefore, the advantages of edge computing such as low latency and local data processing are further highlighted [2,16]. In this paper, we refer to these resource-constrained IoT devices with data collection and task processing capabilities as edge devices.
Due to the dynamic, heterogeneous, and distributed nature of the edge computing paradigm, edge devices are generally owned by individuals with different interests and affiliations [17]. As a result, the owner of edge devices may illegally use and disclose the user privacy information hidden in IoT data, e.g., faces, motions, locations, etc., resulting in serious privacy leakages [18,19].
Consider a data-intensive IoT application consisting of multiple interrelated tasks, where each task has different resource requirements, e.g., CPU, memory, storage, bandwidth, etc. To protect user privacy, each private data in the task specify a set of privacy requirements. Correspondingly, each edge device has a set of available resources and provides a set of privacy policies. An important prerequisite for an edge device to be qualified to execute an IoT task is that it must satisfy the resource and privacy requirements of the task. Moreover, a single edge device is difficult to process relatively complex computations due to limited resources. Consequently, multiple tasks of an IoT application need to be assigned to multiple edge devices for execution. In summary, how to assign tasks to multiple edge devices that satisfy resource and privacy requirements is an important challenge in task assignment for IoT applications.
In the research of task assignment for IoT applications, some useful approaches were proposed to offload tasks to cloud, fog, and edge [1,[20][21][22]. However, most of them regard the task assignment from the perspective of resources and quality of service (QoS), while ignoring the privacy requirements of the users. Moreover, some researches focus on the privacy-aware IoT task assignment. ey mainly adopt various privacy technologies like differential privacy, data generalization, task fragmentation, and privacy conflict avoidance to control data access [23][24][25][26], but they are inadequate to address the issue of how private data will be used after being accessed, such as the purpose of using the data, the retention time of the data, and the operations executed on the data.
Inspired by these works, in this paper, we propose a privacy-aware IoT task assignment approach at the edge of the network, which assigns IoT tasks to multiple edge devices close to the data source. ese devices do not rely on a central coordinator and collaborate to process IoT tasks in a distributed manner. Specifically, we first model the resource and privacy requirements of the IoT tasks and evaluate whether the edge devices can satisfy these requirements. en, we formulate the problem of privacyaware IoT task assignment on edge devices (PITAE) as an optimization problem to maximize the privacy compatibility degree between IoT tasks and edge devices. Furthermore, we develop two solutions based on the greedy search algorithm and the KM algorithm [27,28] to solve the problem.
e main contributions of this paper are as follows: (1) An integer programming optimization model is used to formulate the PITAE problem considering both the resource and privacy constraints. (2) A privacy model is presented to specify the privacy requirements and privacy policies, and the weighted Euclidean distance is employed to measure the privacy compatibility degree between edge devices and tasks. (3) Two solutions based on greedy search and KM algorithm are developed to solve the PITAE problem. e experimental results demonstrate that the proposed approaches can significantly improve the privacy compatibility degree of the solution compared with the benchmark approach. e rest of this paper is structured as follows. Section 2 describes the motivation and framework of the PITAE problem. Section 3 formally specifies the PITAE problem. Section 4 presents two solutions to solve the PITAE problem. e experiments and results are illustrated in Section 5. e related work is reviewed in Section 6. Finally, the conclusion and further works are given in Section 7.

Motivation and Framework
In this section, we show an audit example of emergency supply distribution in a disaster relief scenario. In such a scenario, emergency supplies are usually ample in quantity and variety, and the distribution time is urgent. erefore, it is a very complicated task for traditional manual audit methods to handle. An IoT-based audit application can quickly and automatically execute this process. Such a process captures emergency supply distribution videos stored in CCTV cameras and uses nearby edge devices to analyze the videos to automatically identify some violations, e.g., fake or erroneous emergency supply distribution.
As shown in Figure 1, the workflow of the IoT audit application includes six tasks (t 0 -t 5 ): data collection, object detection, face recognition, supply recognition, violation analysis, and alarm and report. Firstly, task t 0 collects data required for subsequent tasks, e.g., supply distribution video, supply distribution location, and supply application form. Secondly, t 1 uses video data as input to execute object detection and sends the detected face and supply images to t 2 and t 3 , respectively. irdly, t 2 recognizes the face image to obtain personal identity information (PII), t 3 recognizes the type and quantity of supplies, and t 4 conducts violation analysis based on the recognition results, location, and supply application form. Finally, t 5 issues an alert based on the violation result and generates an audit report. In Figure 1, the rectangular boxes represent tasks, the arrows represent the invocation of the tasks within the application workflow, the vertical solid lines mean that all the previous tasks should be accomplished before the next task is initiated, and the workflow starts from the left and ends at the right.
is example is a typical data-intensive IoT application. e input data of each task may involve the user's private data, e.g., face, location, application form, etc. In addition, each task needs to be assigned to edge devices with different available resources, e.g., CPU, memory, storage, bandwidth, etc. e resources and private data required for each task are shown in Table 1. ere are 10 available edge devices (d 0 -d 9 ) in the demonstration scenario, and the available resources of each device are shown in Table 2.
Before assigning IoT tasks to edge devices, it is necessary to evaluate whether these devices can satisfy the resource requirements of the tasks [29,30]. As shown in Tables 1 and 2, d 0 only satisfies the resource requirements of t 5 , while d 9 can satisfy the resource requirements of all the tasks.
According to the General Data Protection Regulation (GDPR) [31], data consumers can only collect private data for legal purposes. At the same time, the GDPR also requires data consumers not to use the collected data for other purposes, and the retention time of the data and the operations executed on the data must be consistent with those necessary for the stated purpose. To comply with GDPR, private data in Table 1 have a set of privacy requirements, e.g., the sensitivity of the data, the purpose of using the data, the retention time of the data, and the operations executed on the data. Correspondingly, each edge device also provides a set of privacy policies. erefore, another prerequisite for assigning tasks to edge devices is that the privacy policies of the edge devices should be compatible with the privacy requirements of the tasks. e higher the privacy compatibility degree between the edge device and the task, the more suitable the edge device is to undertake the task.
For example, a privacy requirement of the video data in task t 0 is <video, 0.8, data collection, {read, transfer}, 1>. It means that the sensitivity degree of video is 0.8, and an edge device can only execute read and transfer operations on the video for the purpose of data collection. At the same time, it also requires that the trust degree of the device must be greater than or equal to 0.8 (sensitivity degree), and video cannot be retained more than 1 month. Correspondingly, a privacy policy of edge device d 2 for the video data is <video, 0.6, data collection, {read, write, transfer, profiling}, 12>. It indicates that the trust degree of d 2 is 0.6, d 2 will execute read, write, transfer, and profiling operations on the video for the purpose of data collection, and d 2 will retain the video for at least 12 months. As can be seen from this example, the privacy policy of d 2 is incompatible with the privacy requirement of t 0 in terms of sensitivity degree, operations executed, and retention time.
In summary, the task assignment problem of IoT audit applications is to assign multiple tasks to suitable edge devices, so as to satisfy the resource requirements of the tasks while maximizing the overall privacy compatibility of the assigned edge devices. Based on the above example, the privacy-aware IoT task assignment framework at the edge of the network is shown in Figure 2. In Figure 2, the developer designs an IoT application based on resource requirements, privacy requirements, tasks, and their dependencies. e tasks of the IoT application need to be deployed to qualified edge devices for execution. Each edge device contains an available resource description file, a privacy policy description file, and is equipped with a task assignment manager responsible for device discovery, qualification evaluation, task assignment, and coordination. e framework in Figure 2 does not depend on a central coordinator and supports distributed task assignment. erefore, each participating edge device of IoT applications can generally play the role of coordinator or collaborator. To protect privacy and reduce network transmission, all edge devices participating in the application should be as close as possible to the data source. e IoT application shown in Figure 1 is a typical stream data processing application, and the data collection device (e.g., CCTV camera) is the data production source of the application. erefore, the application developer selects it as the coordinator of the application, which delivers offloading requests to nearby edge devices. If there are multiple data collection devices (i.e., multiple data sources) in an application, the application developer will select an edge device with large data volume and high privacy protection requirements from these devices as the coordinator. e coordinator is responsible for discovering a set of qualified edge devices from nearby and forming a collaborative group with these devices as its collaborators, and offloading tasks to these collaborators at the same time. Specifically, once the coordinator receives the deployment request of an IoT application, it will advertise the task processing request to nearby edge devices. e edge devices that are willing to participate in the collaboration accept the request and reply their available resources status and privacy policies to the coordinator. en, the coordinator evaluates the resource satisfaction and privacy compatibility of each collaborative device. More specifically, the application developer sets a privacy compatibility threshold for tasks. During the privacy evaluation process, if the privacy compatibility between the task and all its candidate devices fails to satisfy the threshold constraints, the coordinator will request the application developer to relax the privacy threshold to ensure that the task has enough devices to perform its function. Finally, the coordinator assigns tasks to the most suitable set of devices according to the evaluation Security and Communication Networks results to maximize the overall privacy compatibility degree of the collaboration group.
After the collaboration group is established, each device starts to execute the assigned tasks. e coordinator is responsible for managing and coordinating the execution of all tasks, and periodically scanning the network to discover new edge devices. Once an edge device leaves the collaboration group, the coordinator will invite a new device to join the collaboration group and assign a task to it. Considering that a task may have multiple candidate new devices, the coordinator first evaluates the resource satisfaction and privacy compatibility between these devices and the task, and then selects the one with the highest privacy compatibility degree for the task from the qualified devices.

Application Model.
A typical IoT application is defined by the developer at design time. It specifies the functional and nonfunctional requirements. Formally, it is described by a directed acyclic graph G � (T, E), nodes T � {t 0 , t 1 , ..,t n-1 } represent a set of tasks where t j (0 ≤ j < n) is the jth task, and edges E � {(t g , t h )|t g , t h ∈ T} are a set of links between tasks, which represent data and task dependencies. Each task t j is characterized by a set of inputs IN j � in 0 j , in 1 j , . . . , a set of outputs OUT j � out 0 j , out 1 j , . . . , and a set of resource and privacy requirements.
(1) Resource requirements RR j : RR j represents a set of resources required to execute task t j , such as CPU, memory, storage, and bandwidth.
is the requirement of task t j for the cth resource.
(2) Privacy requirements PR j : Let PD be a set of private data of the user in an IoT application. PR j � {pr 0 j , pr 1 j , . . ., pr p j } specifies a set of privacy requirements for task t j , where pr k j (0≤j < n, 0≤k < p) is the kth privacy requirement of t j , it is defined as a tuple <pd k j , sd k j , pu k j , OP k j re k j >, where pd k j ∈PD is a private data item of the user, sd k j ∈ [0, 1] is the sensitivity degree of pd k j , it specifies the trust degree that an edge device must have when it uses pd k j , sd k j � 0 indicates the lowest sensitivity and 1 the highest, pu k j specifies the purpose for which the pd k j can be used, OP k j specifies a set of operations that can be executed on the pd k j , and re k j specifies the longest time that the edge device can retain pd k j .  Figure 2: Privacy-aware IoT task assignment framework.  (1) Available resources AR i :

System
where 0 indicates complete notrust and 1 complete trust, the larger the value of td l i , the stronger is the privacy protection provided by the d i , pu l i is the purpose for d i using pd l i , OP l i is a set of operations executed by d i on the pd l i , and re l i is the time for d i to retain pd l i .
Example 1. Figure 3 demonstrates a privacy-aware IoT task assignment model including 3 tasks and 6 edge devices. at is, Figure 3, circles represent IoT tasks, rectangles represent edge devices, and dashed lines represent potential assignments between tasks and edge devices. e dashed rectangles show the resources requirements and privacy requirements of each task, and the available resources and privacy policies of each device. e prerequisite for whether a task can be assigned to an edge device is that the device can satisfy the resource and privacy requirements of the task.

Qualification Evaluation Model.
To determine whether the edge device d i is qualified to execute the task t j , it is necessary to evaluate the resource satisfaction and privacy compatibility between d i and t j .
e specific evaluation process is as follows: (1) Resource satisfaction evaluation. Considering that RR j is a set of minimum resources required to fulfill task t j , if the edge device d i is a qualified edge device for t j , then the available resources AR i of d i must satisfy the requirements RR j . e resource satisfaction evaluation f R i,j is obtained by (2) Privacy compatibility evaluation. e privacy compatibility degree between the edge device d i and the task t j is measured by the average compatibility degree of the privacy requirements of t j with the corresponding privacy policies in d i , and it is evaluated by where f k i,j ∈[0, 1]; it represents the privacy compatibility degree between the kth privacy requirement pr k j of t j and the corresponding privacy policy pp l i in d i , and p expresses the number of privacy requirements of t j , which is an integer greater than or equal to 0.
To evaluate the compatibility degree between pr k j and pp l i , firstly, it is necessary to ensure that the private data and its usage purpose are consistent, e.g., pd k j � pd l i , pu k j � pu l i ; secondly, it is necessary to measure the compatibility degree between pr k j and pp l i in terms of the sensitivity attribute, operation attribute, and retention time attribute. Accordingly, we express pr k j 's privacy attributes sd k j , OP k j , and re k j and pp l i 's privacy attributes td l i , OP l i , and re l i as two threedimensional vectors. e work in [32] adopts Euclidean distance to evaluate the Security Service-Level Agreement (Security-SLA) between cloud users and cloud service providers. Inspired by this work, we employ the Euclidean distance to measure the compatibility degree between the two privacy attribute vectors. More specifically, considering that the different privacy attributes play different roles in the measurement process, we use the weighted Euclidean distance to reflect the difference in the importance of different attributes. Based on the above analysis, the privacy compatibility degree f k i,j is calculated by where w 1 , w 2 , and w 3 are three weight parameters, i,j , and f k,re i,j are the compatibility degrees of the sensitivity attribute, operation attribute, and retention time attribute, respectively. e compatibility degree of sensitivity attribute is obtained by e compatibility degree of operation attribute is obtained by Security and Communication Networks e compatibility degree of retention time attribute is obtained by Example 2. Assume that the evaluation results of resource satisfaction and privacy compatibility between tasks and edge devices in Figure 3 are shown in Figures 4(a) and 4(b), respectively. Figure 4(c) shows the potential task assignments that satisfy qualification requirements, where the values on the dotted line represent the degree of privacy compatibility.

Problem Definition.
Despite the ever-increasing resources of edge devices, they are still considered resourceconstrained and often unable to execute complex data processing workflow [1]. Hence, the tasks of an IoT application need to be assigned to multiple edge devices for execution. During the task assignment process, if multiple tasks are assigned to an edge device, the available resources of the device may not be able to meet the resource requirements of these tasks. Furthermore, when the device undertakes multiple tasks at the same time, it will collect multiple pieces of private data from different tasks and may infer more privacy information through data mining and machine learning techniques [33]. To meet resource constraints and protect user privacy, in this paper, we assign only one task to each edge device. Due to the dynamic and distributed nature of edge environments, unpredictable link/device failures and churn of mobile and portable devices often result in IoT applications that are not able to run stably and reliably [34,35]. To enhance the reliability of the IoTapplications, we consider assigning each task to multiple edge devices. that is, the task is backed up to multiple edge devices. When a device that undertakes the task cannot work, the backup device can also ensure the task is executed properly.
In summary, whether a task can be assigned to an edge device is a big issue. If and only if the device satisfies the task's resource requirements and privacy compatibility degree constraint, then the task can be assigned to this device. Given n tasks and m edge devices, the PITAE problem aims to find a solution with maximum privacy compatibility degree by assigning IoT tasks to qualified edge devices. To illustrate the PITAE problem, specific data structures can be formalized as follows: (1) Lower bound vector of tasks B: It is an n-dimensional vector, where B[j] (0 ≤ j < n) expresses how many edge devices must be assigned to task t j . B[j] > 1 means that t j requires multiple edge devices for execution. It is worth noting that the application developer does not know the failure and churn rates of edge devices when designing applications. Hence, how to properly set B[j] is nontrivial, which is out of the scope of this paper. We may need to conduct a thorough investigation of this topic in the future. Here, we point out a few initial considerations that require attentions.
To enhance the reliability of the IoT applications, each task generally needs to create 2-3 instances: a main task and 1-2 task replicas, and the main task and task replicas are assigned to different edge devices, i.e., B[j] ≤ 3. We present a B[j] setting scheme as follows: firstly, the application developer preliminarily estimates the average failure and churn rates of edge devices based on experience. Secondly, the application developer determines B[j] by comprehensively considering the average failure and churn rates of the devices, and the criticality of the task t j . irdly, during the task assignment process, if a feasible task assignment solution cannot be found due to some tasks being restricted by B, the application developer will adjust B for these tasks and start a new round of task assignment.
Available resources: Privacy policies: Resources requirements: Privacy requirements: IoT tasks: Edge devices: Figure 3: An illustration of the privacy-aware IoT task assignment model.
(2) Privacy compatibility matrix C : It is an m × n matrix, denotes the privacy compatibility degree between the edge devices d i and the task t j .
where th∈[0, 1] is the privacy compatibility threshold, which specifies the minimum privacy compatibility degree that the edge devices must have when executing tasks. Given B, C, and E, the PITAE problem is to find a matrix A to Max: subject to where Constraint (9) specifies that the decision variables are binary; Constraint (10) guarantees that each task is assigned B[j] edge devices; Constraint (11)ensures that each edge device can only be assigned to one task; and Constraint (12) ensures that each assigned edge device satisfies the resource and privacy compatibility threshold constraints.

Example 3.
In an IoT audit application, the resource requirements of tasks and the available resources provided by edge devices are shown in Tables 1-2. Assume that the privacy compatibility threshold th is specified as 0.3, the lower bound vector of tasks B � [1, 1, 2, 2, 1, 1], and the privacy compatibility matrix is shown in Figure 5(a). e evaluation matrix is obtained by Equation (7), as shown in Figure 5

Solutions to the PITAE Problem
e PITAE problem is a typical one-to-many task assignment problem. If the exhaustive search method is used to solve this problem, the solution space can be up to O (m n ) [36]. erefore, we first develop a task assignment solution based on the greedy search to solve this problem. en, to improve the effectiveness of task assignment, we propose a task assignment solution based on the KM algorithm to find the optimal solution to the PITAE problem.

Greedy Search-Based Task Assignment (GSTA) Solution.
e GSTA solution selects B[j] the most qualified edge devices for each task in the task set Taccording to the privacy compatibility matrix C and the evaluation matrix E. Specifically, for each t j belonging to T and d i belonging to D, it first evaluates whether d i satisfies the resource requirements and privacy compatibility threshold constraints of task t j , e.g., E[i, j] � 1.
en, it determines whether d i has been assigned a task, e.g., S[i] � 1. If yes, it skips d i and examines the next edge device; otherwise, it adds the privacy compatible degree C[i, j] to the candidate edge device vector V of t j . Subsequently, it reversely sorts all candidate edge devices in V according to their privacy compatibility degrees and selects top B[j] candidate edge devices for t j from sorted candidate edge device vector SV. Finally, it sets the assignment A[i, j] corresponding to the edge device d i and task

KM Algorithm-Based Task Assignment (KMTA) Solution.
In a data-intensive IoT application, its workflow is usually composed of tens of tasks, rarely hundreds or thousands [1]. e IoT audit application is a typical data-intensive IoT application, and we estimate its number of tasks to be on the order of tens of magnitudes. Moreover, to enhance the reliability of the application, each task generally needs to be assigned to 2-3 edge devices, e.g., B[j] ≤ 3. erefore, the total number of edge devices required for an IoT audit application should be around tens to two hundred. On the other hand, with the widespread application of the IoT technology, there are often hundreds of IoTdevices connected to the edge network near the data source. Based on the above considerations, in the PITAE scenario, we believe that the number of edge devices can meet the needs of IoT tasks, e.g., m > n, and each task requires B[j] edge devices to execute it, but each edge device can only be assigned to one task. e well-known KM algorithm can quickly solve standard task assignment problems, i.e., one-to-one task assignment problems, and the time complexity is O(m 3 ) [27,28]. In addition, the KM algorithm always finds the solution with the smallest sum [29]. However, the PITAE problem needs to find a solution with the maximum privacy compatibility degree. Furthermore, the KM algorithm can always find a result for the PITAE problem, but the result may not be a feasible solution. For example, when the edge device d i cannot satisfy the resource requirements or the privacy compatibility threshold constraints of t j , i.e., E[i, j] � 0, the KM algorithm may produce incorrect task assignments, leading to an infeasible solution.
To deal with the limitations of the KM algorithm, the KMTA solution improves the KM algorithm to solve the PITAE problem by adding virtual tasks and adjusting the privacy compatibility degrees between tasks and edge devices. Concretely, first of all, for each d i belonging to D and t j belonging to T, it evaluates whether d i satisfies the resource requirements and privacy compatibility threshold constraints of t j , and adjusts the privacy compatibility value C [i,j]    Output: A: the task assignment matrix. (1) for each task t j in T do (2) for each edge device if S[i] � 1 then; (5) skip it and examine the next edge device; end if (10) end for (11) SV ← sorting V based on privacy compatibility degree; (12) Select Top-B[j] edge devices from SV; (13) Update end if (8) end for (9) end for (10) for each edge device d i in D do (11) cindex ← 0; (12) for each task t j in T do (13) while

Experiments
In this section, we conducted four sets of simulation experiments to evaluate the effectiveness and efficiency of KMTA and GSTA. As far as we know, there is no other research directly related to our study. Hence, we implement a "Random (RNDM)" approach as a benchmark to compare with KMTA and GSTA. Given a set of tasks and a set of edge devices, RNDM randomly assigns each task to B[j] edge devices that satisfy the resource requirements and privacy compatibility threshold constraints. All the experiments are performed on a Windows platform equipped with Intel Core i7-4790 @ 3.60 GHz and 8 GB RAM.

Experimental Setting.
To comprehensively evaluate GSTA and KMTA, we have simulated various PITAE scenarios by changing the following parameters: (1) the number of edge devices (m); (2) the number of tasks (n); and (3) the privacy compatibility threshold (th). Specifically, in set #1, m changes from 30 to 300 with a step of 30, n � m/3, and th is set to 0.1. In set #2, m changes from 50 to 500 with a step of 50, n � m/5, and th is set to 0.1. In set #3, m and n are fixed at 150 and 50, respectively, and th changes from 0.1 to 0.5 with a step of 0.1. In set # 1.4, m is fixed at 250, and the other parameters are set as in set # 1.3. Each experiment is repeated 100 times, and the results are averaged. e detailed experimental settings are shown in Table 3.
In sets #1-4, B[j] is randomly assigned from 1 to 3, and the resource requirements of each task and the available resources provided by each edge device are randomly generated following the uniform distribution. e details are shown in Table 4.
In sets #1-4, each task is randomly assigned 0-10 pieces of private data, and the privacy requirements and the privacy policies are randomly generated for private data. Specifically, for a privacy requirement pr k j � <pd k j , sd k j , pu k j , OP k j , re k j >, sd k j is assigned randomly with a value in [0.00, 1.00], pu k j is assigned randomly from 10 different purposes, OP l j is randomly generated from an operation set containing 5 different operations, and re l j is assigned randomly from 1 to 12 months. For a privacy policy pp l i � < pd l i , td l i , pu l i , OP l i , re l i >, the td l i , pu l i , OP l i , and re l i are the same as the setting of corresponding privacy attributes in pr k j .

Effectiveness Evaluation.
rough comparison with RNDM, Figures 6 and 7 show the effectiveness of KMTA and GSTA in experiment sets #1-4 and the influence of three parameters, i.e., n, m, and th. On the whole, KMTA can find the optimal solution for the PITAE problem, and with the changes of n, m, and th, KMTA is significantly better than GSTA and RNDM in terms of privacy compatibility degree. Compared to KMTA, GSTA's privacy compatibility degree is lower than that of KMTA, especially in the case of stricter th constraints, but it is still significantly higher than RNDM in all cases. Figure 6 illustrates the effect of increasing m on privacy compatibility degree. As shown in Figure 6(a), as m increases, the privacy compatibility degrees of all the approaches increase rapidly. In all cases, KMTA shows the highest privacy compatibility degree, RNDM shows the lowest privacy compatibility degree, and GSTA's privacy compatibility degree is slightly lower than that of KMTA. e reason is that KMTA always assigns B[j] qualified edge devices to each task globally to obtain the highest privacy compatible solution. Hence, it can find the optimal solution to the PITAE problem. GSTA always assigns B[j] qualified edge devices with the highest privacy compatibility for each task locally, resulting in the privacy compatibility degree of the solution it finds slightly lower than that of KMTA. However, RNDM always randomly assigns each task to B[j] qualified edge devices. Consequently, the solution it finds has the lowest privacy compatibility degree. For example, in Figure 6(a), the average privacy compatibility degrees of KMTA, GSTA, and RNDM are 75.59, 74.33, and 42.28, respectively.
In Figure 6(b), as m/n increases from 3 to 5, the average range of candidate edge devices for each task also enlarges. As a result, the privacy compatibility degrees of all the approaches have improved to varying degrees, and KMTA is still higher than GSTA and RNDM. For example, comparing Figure 6(b) with Figure 6(a), the average privacy compatibility degrees of KMTA, GSTA, and RNDM increase by 4.11%, 3.87%, and 1.31%, respectively. Figure 7 demonstrates the effect of th on the privacy compatibility degree after fixing m and n. It can be seen from Figure 7(a) that when th increases from 0.1 to 0.5, the privacy compatibility degrees of KMTA and RNDM remain basically unchanged, but the privacy compatibility degree of GSTA shows a clear downward trend. It is because as th increases, the number of qualified edge devices for each task decreases. Due to that GSTA always selects edge devices locally for each task, it is most affected by th. For example, in Figure 7 Figure 8 shows the times taken by KMTA, GSTA, and RNDM to find a solution. Since the solving time of the PITAE problem is mainly affected by n and m, we only compare the average execution time of all the approaches in experiment sets #1-2. In general, because KMTA is an optimal approach to solve the PITAE problem, it takes more execution time than GSTA and RNDM. Especially, when m and n are relatively large, this trend becomes more obvious. As shown in Figure 8(a), when m is relatively small, e.g., m < 120, all the approaches consume basically the same time and increase slowly. However, when m ≥ 120, KMTA consumes more time than GSTA and RNDM, and the consumed time by KMTA increases rapidly. For example, when m rises from 120 to 300, the execution time of KMTA increases from 10.91 ms to 320.77 ms, while the execution time of GSTA and RNDM is less than KMTA and remains below 15 ms. e results observed from Figure 8 [10,30] relatively small, all the approaches consume basically the same time and increase slowly, while when m ≥ 200, KMTA consumes more time than GSTA and RNDM, and the consumed time by KMTA increases rapidly. For example, in Figure 8(b), when m rises from 200 to 500, the time taken by KMTA increases from 29.29 ms to 840.79 ms, while GSTA and RNDM take less time than KMTA and keep the consumed time below 40 ms.

Discussion.
From the above experimental results, we can make the following conclusions.
(1) In terms of effectiveness, KMTA and GSTA have significant advantages over RNDM. In addition, in all cases, KMTA can find a solution with a higher privacy compatibility degree than GSTA, especially in cases with stricter privacy constraints; e.g., th is relatively large, and the advantages of KMTA are more obvious. (2) In terms of performance, the execution time of GSTA and RNDM is basically the same in all cases. In the case where m and n are relatively small, the execution time of KMTA is basically the same as that of GSTA and RNDM. However, in the case where m and n are relatively large, the execution time of KMTA is much longer than that of GSTA and RNDM. (3) Although expanding m/n can improve the privacy compatibility degrees of all the approaches, it also brings more time consumption. (4) In cases where m and n are relatively small or th is relatively large, KMTA outperforms GSTA and RNDM significantly. However, when m and n are relatively large, the overall performance of GSTA is better than that of KMTA and RNDM. In short, KMTA and GSTA can beat RNDM in different cases. erefore, we can choose KMTA or GSTA to assign tasks according to different m, n, and th scenarios.

Related Work
With the emergence of a large number of edge devices with sensing, actuation, and computing capabilities in the urban environment, it has become more complicated to assign IoT tasks to edge devices for execution [8,12]. Many research efforts have been focusing on task assignment based on vertical offloading technology and horizontal offloading technology. e former relies on a centralized coordinator to place simple task processing on local edge devices, while offloading complex data analysis tasks to fog/cloud nodes. e latter offloads tasks to multiple edge devices that are as close as possible to the data source, and these devices execute tasks in a distributed manner.
To serve IoT applications at the edge, Farhadi et al. [22] proposed a joint optimization method for service placement and request scheduling, and developed polynomial time algorithms to solve the placement and scheduling problems. Aiming at the task allocation problem in collaborative edge and cloud environment, Long et al. [21] proposed a noncooperative game model between multiple agents and solved the task allocation problem with QoS constraints through a series of algorithms. Considering the latency and bandwidth requirements of IoT applications, Antonio et al. [20] proposed a QoS-aware application deployment method in fog computing. e proposed method models the deployment requirements of IoT applications, describes the available resources and quality of fog nodes, and develops optimization algorithms for the application deployment problem. Cheng et al. [37] proposed a task assignment method in a data sharing mobile edge computing system and designed three algorithms to deal with the holistic and divisible task assignment problem. e above work uses vertical offloading technology to assign tasks for IoT applications. Recently, some new work has also emerged in the aspect of horizontal task offloading. e work in [1] clusters heterogeneous edge devices to process data-intensive IoT applications. e proposed method first decomposes an IoT application into a set of simple tasks, then automatically discovers qualified edge devices, and finally assigns tasks to appropriate edge devices. Similarly, Avasalcai et al. [2] proposed a decentralized resource management framework for deploying delay-sensitive IoT applications at the edge of the network and found deployment solutions that meet the requirements through satisfiability modulo theory (SMT) technology. e above work mainly focuses on the task allocation problem of resource and QoS constraints, and rarely considers user privacy requirements. With the widespread adoption of IoT applications, users are increasingly concerned about the privacy of their personal data. Some research contributions focus on the privacy-aware task assignment for IoT applications.
Aiming at the privacy protection problem in socially aware edge computing, Zhang et al. [23] proposed a privacy-aware task allocation method. e proposed method uses generalization techniques to reduce the accuracy of private data and develops a game theory model to optimize the QoS of the application while ensuring that the user's privacy requirements are satisfied. To protect user privacy in IoT data, Mian et al. [24] proposed a privacy-aware task offloading method in fog computing. e method first divides the IoT tasks into different small fragments according to the security requirements of the data, then these task fragments are offloaded to multiple fog nodes that meet security requirements, and finally a dynamic programming algorithm is used to obtain the task offloading solution that meets the security and delay requirements. Considering the privacy leakage of sensing data in mobile crowd sensing systems, Dai et al. [25] proposed a privacy preservation task assignment scheme and designed a user location privacy protection algorithm based on the differential privacy method. To avoid the privacy disclosure of the datasets due to data acquisition by different operators, Xu et al. [26] took the privacy conflict of different datasets as the optimization goal, formulated the application deployment problem in cyber-physical cloud systems as a multi-objective optimization problem, and used an improved differential evolution technology to solve it.
Although the above work has advantages, the privacyaware task assignment for IoT applications is still an open issue. e above work employs various privacy technologies to control access to private data, but does not consider how the data will be used after being accessed, such as the purpose of data use, the retention time of the data, and the operations executed on the data. Our approach can fully support these requirements and can also measure the compatibility degree between privacy requirements and privacy policies.
Group Role Assignment (GRA) [29,30,36,38,39] has been proposed for modeling general assignment problems by solving different engineering problems. e solution to the GRA provides inspiration to this research. e creation of a qualification matrix of GRA is a prerequisite way to model various assignment problems in edge computing.

Conclusion
e edge computing paradigm has a great potential to support a wide variety of IoT applications. In this paper, we propose a privacy-aware task assignment approach for IoT applications, which assigns tasks to edge devices close to the data source in a distributed manner, thereby reducing latency and effectively protecting user privacy. Firstly, we model the resource and privacy requirements of the tasks and assess whether the edge devices satisfy the resource and privacy constraints. Secondly, we formalize the PITAE problem as an integer programming optimization problem and propose two task assignment solutions to solve the PITAE problem. Finally, we compare the proposed approaches with the baseline approach. Experimental results show that (1) when m and n are relatively small or th is relatively large, KMTA outperforms GSTA and RNDM significantly; and (2) when m and n are relatively large, the overall performance of GSTA is better than that of KMTA and RNDM. In short, KMTA and GSTA can beat RNDM in different cases.
For future work, we intend to extend our work with QoS constraints, such as response time (communication latency between edge devices and processing latency on edge devices) and energy consumption (transmission energy between edge devices and processing energy on edge devices), in order to provide a more effective task assignment solution that can meet diverse requirements. In addition, considering the privacy protection requirements of edge devices for various resource information and willingness to undertake tasks, we also plan to integrate these requirements into our current privacy model, so as to achieve privacy protection for users and edge devices at the same time.
Another direction is to specify and solve problems related to privacy protection in edge computing along with the development of GRA with constraint (GRA+) model [36,38,39], which provides different ways in modeling various constraints, such as time, space, and coupling between agents (resources) and roles (tasks).

Data Availability
e data used to support the findings of this study are available from the corresponding authors upon request.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.