may be provided directly by the users when they subscribe to the service; and
c) the quasi-identifier may be found by statistical data analysis or data mining.
Given that in the real world the definition of quasi-identifiers in movement
data is not trivial, most anonymization approaches do not use any information
about the quasi-identifiers of trajectories during the anonymization process. In
Section 9.3.1 we present the details of a typical technique of this category.
Anonymization without Quasi-Identifiers
A spatio-temporal technique that does not take into consideration any knowledge
about the quasi-identifier of trajectories implicitly assumes that an adversary may
identify a user in any location at any time. Clearly, this is a very conservative
setting and under this assumption the anonymized data sets are composed of
anonymization groups, each one containing at least k identical or very similar
trajectories. This typically is achieved by the application of clustering-based
approaches.
Applying the classical notion of k-anonymity to spatio-temporal data is
hard because some problems specific to this context must be taken into
account. For example, the definition of the privacy model should consider
the inaccuracy of the positioning device, which introduces possible
location imprecision into the collected data. This leads to the definition of a
variant of the k-anonymity notion called (k, δ)-anonymity, suitable for moving
objects databases, where δ represents the possible location imprecision. This
novel concept is based on colocalization, which exploits the inherent uncertainty
of the moving object's whereabouts. Intuitively, the trajectory is considered as
a cylindrical volume with some uncertainty. In other words, the position of a
moving object within the cylinder becomes uncertain. Figure 9.2 illustrates a
graphical representation of an uncertain trajectory.
Two trajectories moving within the same cylinder are indistinguishable; this
leads to the definition of the (k, δ)-anonymity model:
Definition 9.1. Given an anonymity threshold k and a radius parameter δ, a
(k, δ)-anonymity set is a set of at least k trajectories that are colocalized with
respect to δ.
A set of trajectories S, with |S| ≥ k, is a (k, δ)-anonymity set if and only if
there exists a trajectory t_c such that all the trajectories in S are possible motion
curves of t_c within an uncertainty radius of δ/2. Given a (k, δ)-anonymity set S,
we obtain the trajectory t_c by taking, for each t ∈ [t_1, t_n], the point (x, y) that
represents the center of the minimum bounding circle of all the points at time t
of all trajectories in S (Figure 9.3).
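The check described above, as an added example that is not code from the original text: it builds t_c from the per-timestamp minimum bounding circle and tests whether every trajectory stays within δ/2 of it. The function names and the sample trajectories are constructed for illustration, and all trajectories are assumed to be sampled at the same timestamps.

```python
import itertools
import math

EPS = 1e-9  # tolerance for floating-point comparisons

def _circle2(p, q):
    """Circle having segment pq as its diameter: (cx, cy, r)."""
    return ((p[0] + q[0]) / 2, (p[1] + q[1]) / 2, math.dist(p, q) / 2)

def _circle3(a, b, c):
    """Circumcircle of a, b, c, or None when the points are collinear."""
    d = 2 * (a[0] * (b[1] - c[1]) + b[0] * (c[1] - a[1]) + c[0] * (a[1] - b[1]))
    if abs(d) < EPS:
        return None
    sa, sb, sc = (x * x + y * y for x, y in (a, b, c))
    ux = (sa * (b[1] - c[1]) + sb * (c[1] - a[1]) + sc * (a[1] - b[1])) / d
    uy = (sa * (c[0] - b[0]) + sb * (a[0] - c[0]) + sc * (b[0] - a[0])) / d
    return (ux, uy, math.dist((ux, uy), a))

def min_bounding_circle(points):
    """Smallest enclosing circle by brute force (fine for small groups)."""
    pts = list(set(points))
    if len(pts) == 1:
        return (pts[0][0], pts[0][1], 0.0)
    cands = [_circle2(p, q) for p, q in itertools.combinations(pts, 2)]
    cands += [circ for t in itertools.combinations(pts, 3) if (circ := _circle3(*t))]
    covering = [c for c in cands
                if all(math.dist(c[:2], p) <= c[2] + EPS for p in pts)]
    return min(covering, key=lambda c: c[2])

def center_trajectory(S):
    """Return (t_c, radii): per-timestamp circle centers and radii for S."""
    circles = [min_bounding_circle(pts) for pts in zip(*S)]
    return [(x, y) for x, y, _ in circles], [r for _, _, r in circles]

def is_k_delta_anonymity_set(S, k, delta):
    """True if |S| >= k and every trajectory stays within delta/2 of t_c."""
    if len(S) < k:
        return False
    _, radii = center_trajectory(S)
    return max(radii) <= delta / 2 + EPS

# Constructed sample: three trajectories sampled at the same three timestamps.
SAMPLE = [
    [(0.0, 0.0), (10.0, 0.0), (20.0, 0.0)],
    [(0.0, 4.0), (10.0, 6.0), (20.0, 4.0)],
    [(3.0, 0.0), (10.0, 3.0), (23.0, 0.0)],
]
```

On the sample, the widest spread occurs at the middle timestamp (radius 3), so the group qualifies for δ = 6 but not for δ = 5.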
The (k, δ)-anonymity framework requires transforming a trajectory database
D into D′ in such a way that for each trajectory t ∈ D′ a (k, δ)-anonymity set