techniques is that, unfortunately, obtaining privacy protection is becoming more
and more difficult because of the complex nature of movement data: it is easy
to show that privacy cannot simply be accomplished by deidentification (i.e., by
removing the direct identifiers contained in the data). As an example, consider
the deidentified GPS trajectory of a user driving in a city for a specific period.
Using simple analytical tools capable of visualizing the trajectory in its
geographical context, it is possible to infer important and sensitive information
about the user, such as the regions he or she visits most often. Moreover, by
analyzing the timeline with respect to the different regions, it is possible to infer
which of the most frequent locations corresponds to the user's home, since he or
she usually stays there for the night, and which corresponds to the workplace,
because he or she usually goes there every day at the same time and stays there
all day. Clearly, by discovering the group of people living in the identified home
and the group working in the identified workplace, it is possible to identify the
user as the person who belongs to both groups. This can be done by checking
publicly available information such as web pages.
In general, the data privacy problem requires finding an optimal trade-off
between privacy and data utility. On one side, one would like to transform the
data so as to avoid the reidentification of individuals and/or locations, so that
the data can be safely published for mining analysis, or locations can be
communicated to receive an online service, without risk (or with negligible risk)
for each data subject. On the other side, one would like to minimize the loss of
information, which reduces the effectiveness of the underlying data when it is
given as input to data mining methods and degrades the quality of the received
location-based service. Therefore, the goal is to preserve the utility of the data
as much as possible. In order to measure the information loss introduced by the
data transformation process it is necessary to define measures of utility;
analogously, it is necessary to quantify the risks of privacy violation. Privacy
by design, in the research field of privacy-preserving data analysis, is a recent
paradigm that promises a quality leap in the conflict between data protection and
data utility (Section 9.4). Recent applications of this paradigm to the design of
privacy-preserving frameworks for movement data prove that it is possible to
achieve reasonable and measurable privacy guarantees together with good quality
of the analytical results.
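As an added illustration that is not part of the chapter, the following Python script makes both points above concrete: it constructs a deidentified trajectory (timestamp, latitude, longitude, no user identifier) for one hypothetical user, runs the home/workplace inference just described, then applies spatial generalization (snapping points to grid cells) and reports a utility measure (mean displacement of the points, in meters) next to a privacy measure (ground area of the disclosed home cell and, with a constructed population density, the size of the group of residents the user hides among). All coordinates, the dates, the night and working-hour windows and the density value are assumptions chosen for the example.

```python
# Added example, not code from the book: de-identified trajectory -> home/work
# inference, then spatial generalization with utility and privacy measures.
# All coordinates, dates, time windows and densities are constructed values.
import math
from collections import Counter
from datetime import datetime, timedelta

KM_PER_DEG = 111.0  # approximate length of one degree of latitude, in km

# Constructed anchor locations of one hypothetical user (not real addresses).
HOME = (43.7155, 10.4015)
WORK = (43.7205, 10.3905)
SHOPS = (43.7255, 10.3955)
BASE_DAY = datetime(2024, 3, 4)  # a Monday; constructed date


def constructed_trajectory(days=5):
    """One de-identified point per hour for `days` weekdays: only
    (timestamp, lat, lon). Jitter stands in for GPS noise and is deterministic."""
    points = []
    for d in range(days):
        for h in range(24):
            ts = BASE_DAY + timedelta(days=d, hours=h)
            if h < 6 or h >= 22:
                base = HOME
            elif 9 <= h < 17:
                base = WORK
            else:
                base = SHOPS
            jitter = ((d + h) % 5 - 2) * 0.0001  # within about +/- 22 m
            points.append((ts, base[0] + jitter, base[1] - jitter))
    return points


def cell(lat, lon, size_deg):
    """Grid cell index of a point on a square grid of `size_deg` degrees."""
    return (math.floor(lat / size_deg), math.floor(lon / size_deg))


def infer_home_work(points, size_deg):
    """The inference the text describes: the cell most visited at night is the
    likely home, the cell most visited in weekday working hours the likely
    workplace. Returns (home_cell, work_cell); None where there is no data."""
    night_c, work_c = Counter(), Counter()
    for ts, lat, lon in points:
        c = cell(lat, lon, size_deg)
        if ts.hour < 6:  # assumed night window 00:00-06:00
            night_c[c] += 1
        elif 9 <= ts.hour < 17 and ts.weekday() < 5:  # assumed office hours
            work_c[c] += 1
    home_cell = night_c.most_common(1)[0][0] if night_c else None
    work_cell = work_c.most_common(1)[0][0] if work_c else None
    return home_cell, work_cell


def generalize(points, size_deg):
    """Spatial generalization: replace each point by the center of its cell."""
    out = []
    for ts, lat, lon in points:
        i, j = cell(lat, lon, size_deg)
        out.append((ts, (i + 0.5) * size_deg, (j + 0.5) * size_deg))
    return out


def information_loss_m(points, size_deg):
    """Utility measure: mean displacement (meters) caused by generalization."""
    total = 0.0
    for (_, lat, lon), (_, glat, glon) in zip(points, generalize(points, size_deg)):
        dy = (glat - lat) * KM_PER_DEG * 1000
        dx = (glon - lon) * KM_PER_DEG * 1000 * math.cos(math.radians(lat))
        total += math.hypot(dx, dy)
    return total / len(points)


def disclosed_area_km2(size_deg, lat):
    """Privacy measure: ground area of one cell at latitude `lat`. The larger
    the disclosed home cell, the larger the group of residents it contains."""
    return (size_deg * KM_PER_DEG) * (size_deg * KM_PER_DEG * math.cos(math.radians(lat)))


def tradeoff(points, size_deg, density_per_km2=3000):
    """Both sides of the trade-off for one cell size. The population density
    is a constructed value used to estimate the size of the home group."""
    home, work = infer_home_work(points, size_deg)
    area = disclosed_area_km2(size_deg, HOME[0])
    return {
        "cell_deg": size_deg,
        "home_cell": home,
        "work_cell": work,
        "home_area_km2": area,
        "residents_in_home_cell": area * density_per_km2,
        "information_loss_m": information_loss_m(points, size_deg),
    }


if __name__ == "__main__":
    traj = constructed_trajectory()
    for size in (0.001, 0.05):  # roughly 100 m cells versus 5 km cells
        print(tradeoff(traj, size))
```

Run as a script, the fine grid reproduces the attack in the text (home and workplace come out as two specific cells of about 0.009 km² each, a handful of households), while the coarse grid places the home in a cell of more than 20 km² at the cost of a mean displacement of over a kilometer; which point on that curve is acceptable is exactly the utility-versus-risk question the chapter raises.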
9.2 Basic Concepts for Data Privacy
The analysis and disclosure of personal information to the general public or
to third parties such as data miners is subject to the limitations imposed by the
regulations for privacy protection. Nevertheless, if this information were rendered
anonymous, these limitations would not apply, making it possible to share
and analyze the information without explicit user agreement. In the last ten years,