for the privacy-aware publication of movement data enabling clustering analysis useful for understanding human mobility behavior in specific urban areas. The released trajectories are made anonymous by a process that produces a generalized version of the original trajectories. The second framework suits the case in which the released data set of trajectories must contain the real locations present in the original data: it applies to the original data a transformation that leaves this information unchanged while still making the data anonymous.
Applying this methodology requires one to understand: the specific properties of the trajectories to be protected; which characteristics must be preserved to guarantee a good quality of the analyses to be performed on these data; and which background knowledge the attacker may use for user reidentification. Clearly, this information is fundamental to the design of a data transformation technique.
9.4.1 Trajectory Anonymization by Spatial Generalization
In this section, we show the design of a privacy-preserving framework for the publication of movement data that preserves clustering analysis. The framework is based on a data-driven spatial generalization of the data set of trajectories. The results obtained with this framework show how trajectories can be anonymized to a high level of protection against reidentification while preserving the possibility of mining clusters of trajectories, which enables novel powerful analytic services for infomobility or location-based services.
Attack Model
This framework considers the linkage attack model: the adversary's ability to link the published data to external information and thereby reidentify some of the respondents associated with the data. In relational data, linking is made possible by quasi-identifiers, that is, attributes that in combination can uniquely identify individuals, such as birth date and gender (see Section 9.2). The remaining attributes represent the respondent's private information, which the linkage attack may expose. Privacy-preserving data publishing techniques such as k-anonymity aim precisely at countering this attack, releasing person-specific data in such a way that the ability to link it to other information through the quasi-identifier(s) is limited. For spatio-temporal data, where each record is a temporal sequence of locations visited by a specific person, the dichotomy between quasi-identifiers (QI) and private information (PI) no longer holds: a (sub)trajectory can play both the role of QI and the role of PI. To see this, consider that the attacker may know a sequence of places visited by some specific person P: for example, by shadowing P for some time, the attacker may learn that P
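To make the linkage attack and the effect of spatial generalization concrete, here is an added example (not code from the chapter or from the framework's authors). It uses four constructed trajectories, an attacker who has shadowed respondent u1 through two places, and a deliberately simple grid-based generalization that stands in for the data-driven generalization of the framework. The names TRAJECTORIES, SHADOWED_U1, linkage_attack, generalize and the cell size are assumptions of this illustration. The known sub-trajectory is matched as a quasi-identifier; whatever remains of a linked trajectory is the private information the attacker gains.

```python
"""Linkage attack on published trajectories, before and after spatial
generalization.  Added example on constructed data; the grid-cell
generalization is a stand-in for the framework's data-driven one."""

# Constructed sample data: one trajectory per respondent, as ordered (x, y) points.
TRAJECTORIES = {
    "u1": [(1, 1), (5, 2), (9, 8)],
    "u2": [(1, 2), (5, 3), (9, 9)],
    "u3": [(2, 1), (6, 2), (0, 0)],
    "u4": [(2, 2), (6, 3), (0, 1)],
}

# What the attacker learned by shadowing u1 for a while (constructed).
SHADOWED_U1 = [(1, 1), (5, 2)]


def is_subsequence(known, traj):
    """True if the points of `known` occur in `traj` in the same order
    (not necessarily adjacent): the attacker may have missed intermediate stops."""
    i = 0
    for p in traj:
        if i < len(known) and p == known[i]:
            i += 1
    return i == len(known)


def linkage_attack(released, known):
    """Ids of released trajectories consistent with the attacker's knowledge.
    The known sub-trajectory acts as the quasi-identifier; a singleton result
    means the respondent is reidentified."""
    return sorted(pid for pid, traj in released.items() if is_subsequence(known, traj))


def private_part(traj, known):
    """Locations of `traj` not explained by `known`: the part of the same
    trajectory that plays the role of private information once linked."""
    rest, i = [], 0
    for p in traj:
        if i < len(known) and p == known[i]:
            i += 1
        else:
            rest.append(p)
    return tuple(rest)


def inferred_private_info(released, known):
    """What the attacker learns about every candidate after the linkage step."""
    return {pid: private_part(released[pid], known)
            for pid in linkage_attack(released, known)}


def generalize(trajectories, cell):
    """Replace every point by the square grid cell of side `cell` containing it
    and collapse consecutive identical cells.  A simplification of the
    data-driven spatial generalization used by the framework (assumption)."""
    out = {}
    for pid, traj in trajectories.items():
        cells = [(x // cell, y // cell) for x, y in traj]
        out[pid] = [c for i, c in enumerate(cells) if i == 0 or c != cells[i - 1]]
    return out


def generalized_knowledge(known, cell):
    """The attacker must express what he observed in the published vocabulary."""
    return generalize({"_": known}, cell)["_"]


if __name__ == "__main__":
    # Raw release: the two shadowed places single out u1 and leak its last stop.
    print("raw:", inferred_private_info(TRAJECTORIES, SHADOWED_U1))
    # Generalized release: the same knowledge now matches all four respondents.
    gen = generalize(TRAJECTORIES, cell=4)
    print("generalized:", inferred_private_info(gen, generalized_knowledge(SHADOWED_U1, 4)))
```

On the raw data the shadowed pair of places matches only u1, so the attacker learns u1's remaining location exactly. After generalization the same knowledge is consistent with all four trajectories, and the only thing learned about any of them is the cell of the last stop; the larger the matching set, the weaker the linkage, which is the property the k-anonymity style countermeasure aims for.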