Database Reference
In-Depth Information
uses a clustering (micro-aggregation) approach, which is able to preserve
more fine-grained information about the location. In this context, the
method of [2] also treats the trajectory of an object as a cylinder in
3-dimensional space, where the radius of the cylinder is non-zero because
of the uncertainty in the GPS position of the object. The key point here
is that the uncertainty is inherent to the method of collecting the data,
since all GPS collection methods have a certain level of error associated
with them. In this context, the work in [2] defines the concept of
(k,δ)-anonymity: a set S of at least k trajectories, such that all of
these trajectories lie within a distance of at most δ/2 of the average
position of these different trajectories. We note that it may not be
possible to create (k,δ)-anonymized groups from the original data set if
some of the trajectories are somewhat isolated. Therefore, the work in [2]
proposes the Never Walk Alone (NWA) algorithm, in which the positions of
some of the objects are distorted with space translation, so that it is
possible to construct such (k,δ)-anonymized groups from the data. The
approach constructs these anonymized groups while minimizing the total
distortion in the data.
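
The (k,δ)-anonymity condition defined above can be checked directly. The following Python code is an added example, not code from [2] or from the original text. It assumes each trajectory is a list of planar (x, y) points sampled at the same timestamps; the function names and sample data are constructed for illustration.

```python
import math

def mean_path(group):
    """Average position of the group at each shared timestamp."""
    n = len(group)
    return [(sum(p[0] for p in pts) / n, sum(p[1] for p in pts) / n)
            for pts in zip(*group)]

def max_deviation(traj, centre):
    """Largest distance between one trajectory and the mean path."""
    return max(math.dist(p, c) for p, c in zip(traj, centre))

def min_delta(group):
    """Smallest delta for which all trajectories stay within delta/2 of the mean."""
    centre = mean_path(group)
    return 2 * max(max_deviation(t, centre) for t in group)

def is_k_delta_anonymous(group, k, delta):
    """True if the group has at least k aligned trajectories within delta/2 of the mean."""
    if len(group) < k or len({len(t) for t in group}) != 1:
        return False
    return min_delta(group) <= delta

def outliers(group, delta):
    """Map trajectory index -> excess distance beyond delta/2 from the mean path."""
    centre = mean_path(group)
    excess = {}
    for i, traj in enumerate(group):
        d = max_deviation(traj, centre)
        if d > delta / 2:
            excess[i] = d - delta / 2
    return excess

# Constructed sample data: three co-moving trajectories and one isolated one.
TIGHT = [
    [(0, 0), (1, 0), (2, 0)],
    [(0, 1), (1, 1), (2, 1)],
    [(0, -1), (1, -1), (2, -1)],
]
ISOLATED = [(0, 8), (1, 8), (2, 8)]

if __name__ == "__main__":
    print(is_k_delta_anonymous(TIGHT, k=3, delta=2.0))
    print(min_delta(TIGHT + [ISOLATED]))
    print(outliers(TIGHT + [ISOLATED], delta=4.0))
```

Adding the isolated trajectory shifts the average position, so a trajectory that was previously inside the cylinder also falls outside it. This is why isolated trajectories can prevent a valid group from being formed on the original data.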
Many mobile applications can infer the context of a user from GPS
(e.g. whether a user is at home or work). It has become increasingly
common for many mobile applications to aggressively collect such context
data [56] for a variety of applications. Such context can sometimes
be very sensitive from a release perspective. For example, a user may
not wish anyone to know whether they are currently in a hospital. The
aforementioned k-anonymization does not necessarily help protect the
sensitivity of context, if all of the k users within a group are at the same
sensitive location. A number of methods use full suppression techniques
[83, 157] in which the location or context of the user is suppressed when
they are at a sensitive location. However, it has been observed in [74]
that the fact of the suppression itself can be sensitive information, in the
presence of a powerful adversary with greater background knowledge.
Another issue with mobile sensing applications is that considerable
temporal correlations exist between the different locations of a single
user or of multiple users. Such correlations can be used in order to perform
privacy attacks which can infer the sensitive locations of different users.
In this context, a number of methods [30, 68, 69, 76, 126] have been
designed which utilize the temporal correlations in the privacy
preservation process. The work in [76] observes that one can use linear
interpolation to infer suppressed locations. Therefore, the work in [76]
works by constructing zones which contain multiple sensitive locations, and
the anonymization process introduces a sufficient amount of uncertainty in
each zone. It has been observed in [30] that information about the veloc-