All this makes mobility data very sparse, and in this setting it is clearly difficult to identify and group together trajectories in order to enforce, for example, traditional k-anonymity.
The next section shows how the basic data privacy notions presented in Section 9.2 have been adapted to address the new challenges posed by spatio-temporal data in offline data analysis. We present three categories of PETs: PETs for mobility data publishing, PETs for distributed mobility data mining, and PETs for knowledge hiding in mobility data.
9.3.1 PETs for Publishing of Trajectory Data
Mobility data publishing includes sharing the mobility data with specific recipients, such as data miners, and releasing the data for public download. In both cases, the recipients could potentially be adversaries who try to associate sensitive information in the published data with a known person. The privacy-preserving techniques for mobility data publishing aim to transform spatio-temporal data so as to make them anonymous; in other words, they provide suitable formal safeguards against reidentification of the individuals represented in the data by their movements.
In the literature, most of the proposed PETs for mobility data publishing use privacy models that are suitable variants of the classical k-anonymity model. They consider adversaries that use location-based knowledge for the reidentification of users. As explained in Section 9.2, an adversary can use quasi-identifier attributes (e.g., age, gender, and ZIP code) that represent public knowledge as key elements for the reidentification of individuals. Similarly, in spatio-temporal databases the attackers could identify the person corresponding to a given trajectory by using pairs of locations and timestamps that work as quasi-identifiers. In this context the challenge is often the definition of realistic and reasonable quasi-identifiers. Two important questions need to be answered when we consider quasi-identifiers in spatio-temporal databases: (1) Can we assume the same set of quasi-identifiers for all the individuals in the database? (2) Where and how should the knowledge of quasi-identifiers be obtained?
Concerning the first question, some works in the literature argue that, unlike in relational microdata, where every tuple has the same set of quasi-identifier attributes, in spatio-temporal data it is very likely that different individuals have different quasi-identifiers, and this fact should clearly be taken into consideration when modeling adversary knowledge. Unfortunately, allowing different sets of quasi-identifiers for different individuals makes the anonymization problem more challenging, because the anonymization groups may not be disjoint.
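The two points made above (location/timestamp pairs acting as quasi-identifiers, and per-individual quasi-identifier sets yielding non-disjoint anonymity groups) can be made concrete on a toy data set. The following Python script is an added example and is not code from the chapter or from any of the works it surveys; the four trajectories, the exact-match adversary model, the fixed-window time generalization, and all function names are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample data (not from the chapter): each trajectory is a list of
# (location, hour) points observed for one user during one day.
TRAJECTORIES = {
    "u1": [("home_A", 8), ("station", 9), ("office_X", 10), ("station", 18), ("home_A", 19)],
    "u2": [("home_B", 8), ("station", 9), ("office_X", 10), ("gym", 18), ("home_B", 20)],
    "u3": [("home_C", 7), ("station", 9), ("office_Y", 10), ("station", 18), ("home_C", 19)],
    "u4": [("home_A", 8), ("station", 9), ("office_Y", 11), ("station", 17), ("home_A", 18)],
}


def matching_trajectories(trajectories, qi_points):
    """Ids of every trajectory that contains all the (location, time) pairs an
    adversary is assumed to know about the target (exact-match adversary model)."""
    known = set(qi_points)
    return sorted(uid for uid, traj in trajectories.items() if known <= set(traj))


def anonymity_level(trajectories, qi_points):
    """The k for this quasi-identifier: the number of released trajectories that are
    indistinguishable from the target's given only these points. k == 1 means the
    individual is re-identified."""
    return len(matching_trajectories(trajectories, qi_points))


def generalize_time(trajectories, window_hours):
    """A simple generalization step: coarsen every timestamp to the start of a fixed
    window, so that with a 3-hour window ("home_A", 19) becomes ("home_A", 18)."""
    def bucket(hour):
        return (hour // window_hours) * window_hours
    return {uid: [(loc, bucket(t)) for loc, t in traj] for uid, traj in trajectories.items()}


def anonymity_groups(trajectories, qi_per_user):
    """One anonymity group per user, each built from that user's own quasi-identifier
    set (the situation the text contrasts with relational microdata)."""
    return {uid: matching_trajectories(trajectories, qi) for uid, qi in qi_per_user.items()}


def groups_are_disjoint(groups):
    """True iff no trajectory is a member of two different anonymity groups."""
    membership = Counter(uid for members in groups.values() for uid in members)
    return all(count == 1 for count in membership.values())


if __name__ == "__main__":
    # A widely shared point gives k = 4; a second, rarer point drops k to 2; the
    # morning-home/evening-station pair pins the trajectory down to one person (k = 1).
    print(anonymity_level(TRAJECTORIES, [("station", 9)]))
    print(anonymity_level(TRAJECTORIES, [("station", 9), ("office_X", 10)]))
    print(anonymity_level(TRAJECTORIES, [("home_A", 8), ("station", 18)]))
    # Generalizing time into 3-hour windows lifts the evening home point from k = 1 to k = 2.
    coarse = generalize_time(TRAJECTORIES, 3)
    print(anonymity_level(TRAJECTORIES, [("home_A", 19)]), anonymity_level(coarse, [("home_A", 18)]))
    # Per-user quasi-identifiers overlap: u1 falls into both u1's and u2's anonymity group.
    groups = anonymity_groups(TRAJECTORIES, {
        "u1": [("home_A", 8)],
        "u2": [("office_X", 10)],
        "u4": [("station", 9), ("home_A", 18)],
    })
    print(groups, groups_are_disjoint(groups))
```

Running the script shows the sparsity problem directly: two points already suffice to single out a trajectory among four, and coarsening timestamps is what buys back a larger k. The last step shows why per-user quasi-identifiers complicate anonymization: the groups computed for u1 and u2 share a member, so they cannot simply be treated as the disjoint equivalence classes of classical k-anonymity.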
Concerning the second question, we typically have different possibilities: (a) the quasi-identifiers may be part of the users' personalized settings; (b) they