CityOS: Privacy Architecture for Urban Sensing

📅 2026-05-04
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the lack of unified privacy protection and data access control mechanisms in urban sensing systems, which often leads to privacy leaks and inconsistent policy enforcement. To this end, the authors propose CityOS, an operating system tailored for urban sensing that introduces a novel three-layer API architecture. By integrating differential privacy, user-level privacy budgets, and edge-side ephemeral container isolation, CityOS enables fine-grained data access control, secure execution of untrusted applications, and transparent accounting of privacy loss. The system has been deployed and validated in real-world scenarios—including pedestrian safety alerts, real-time and predictive parking, traffic dashboards, and subway trajectory measurement—demonstrating both practical utility and strong privacy guarantees.
📝 Abstract
Cities are rapidly deploying sensing infrastructure -- cameras, environmental sensors, and connected kiosks -- that continuously observe public spaces, yet they lack a system architecture governing how applications access, aggregate, and retain this data, creating privacy risks and preventing consistent policy enforcement. We present CityOS, an operating system for urban sensing that mediates application access to sensor data through a three-tier API inspired by structured, privacy-conscious web interfaces. The tiers expand the spatial scope of data access while imposing progressively stronger privacy constraints: On-Scene supports real-time sensing with raw data confined to the local context; Single-Locality Aggregation enables differentially private longitudinal statistics at a fixed location; and Cross-Locality Aggregation supports citywide analytics via aggregation across locations, with user devices enforcing per-user privacy budgets. CityOS runs as an edge runtime that executes untrusted applications in ephemeral containers, enforcing these policies and providing transparency via broadcasts of differential privacy loss. We implement CityOS and applications across all tiers -- including pedestrian safety alerts, real-time and forecast parking availability, traffic dashboards, and subway trajectory measurement -- and show that it supports practical streetscape applications while enforcing strong privacy.
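To make the three tiers concrete, here is a toy mediator written for this summary; it is not code from the CityOS paper. It models the abstract's policy: On-Scene returns raw observations only to an application in the same locality and spends no budget, while the two aggregation tiers release a Laplace-noised count and charge each contributing user's device-held epsilon budget, logging the loss to a public broadcast list. The tier names come from the abstract; the API shape, the budget model (a device declines to contribute when the charge would exceed its budget), the sensitivity-1 count query and the sample records are all assumptions.

```python
"""Toy CityOS-style mediator. Constructed illustration: tier names follow the
abstract; API shapes, budget model and Laplace mechanism are assumptions."""
import random
from dataclasses import dataclass, field

ON_SCENE, SINGLE_LOCALITY, CROSS_LOCALITY = "on_scene", "single_locality", "cross_locality"


@dataclass
class Ledger:
    """Epsilon budget that a user's own device holds and enforces."""
    total: float
    spent: float = 0.0

    def charge(self, eps: float) -> bool:
        if self.spent + eps > self.total + 1e-9:
            return False  # device refuses: contribution would exceed its budget
        self.spent += eps
        return True


@dataclass
class Mediator:
    ledgers: dict                                   # user_id -> Ledger
    broadcasts: list = field(default_factory=list)  # public DP-loss log
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def laplace(self, scale: float) -> float:
        # Difference of two iid exponentials is Laplace(0, scale).
        return self.rng.expovariate(1 / scale) - self.rng.expovariate(1 / scale)

    def query(self, tier: str, app_loc: str, records: list, eps: float = None):
        """records: constructed list of (user_id, sensor_locality) observations."""
        locs = {loc for _, loc in records}
        if tier == ON_SCENE:
            # Raw data stays in the local context and costs no privacy budget.
            if locs != {app_loc}:
                raise PermissionError("On-Scene access is confined to the local scene")
            return [uid for uid, _ in records]
        if tier == SINGLE_LOCALITY and locs != {app_loc}:
            raise PermissionError("Single-Locality aggregation covers one location")
        if eps is None or eps <= 0:
            raise ValueError("aggregation tiers require a positive epsilon")
        # Count only users whose device agrees to spend eps, then release a
        # Laplace-noised count (sensitivity 1, so scale = 1/eps).
        charged = [uid for uid, _ in records if self.ledgers[uid].charge(eps)]
        noisy = len(charged) + self.laplace(1.0 / eps)
        self.broadcasts.append({"tier": tier, "epsilon": eps, "users": len(charged)})
        return noisy
```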
Problem

Research questions and friction points this paper is trying to address.

urban sensing
privacy architecture
data access control
policy enforcement
sensor data
Innovation

Methods, ideas, or system contributions that make the work stand out.

CityOS
urban sensing
differential privacy
privacy architecture
edge runtime