A risk model for privacy in trajectory data

Preliminaries: trajectory data

A trajectory dataset is a collection of trajectories \(\mathcal {D}_{T} = \{t_{1}, t_{2}, \ldots, t_{m}\}\). A trajectory t=〈x ₁,y ₁,t s ₁〉,…,〈x _n ,y _n ,t s _n 〉, is a sequence of spatio-temporal points, i.e., triples 〈x _i ,y _i ,t s _i 〉, where (x _i ,y _i ) are points in R ², i.e., spatial coordinates, and t s _i (i=1…n) denotes a timestamp such that ∀1<i<n t s _i <t s _i+1. Intuitively, each triple 〈x _i ,y _i ,t s _i 〉 indicates that the object is in the position (x _i ,y _i ) at time t s _i . A trajectory t ^′=〈x1′,y1′,t s1′〉,…,〈x m′,y m′,t s m′〉 is a sub-trajectory of t (t ^′≼t) if there exist integers 1<i ₁<…<i _m ≤n such that \(\forall 1 \leq j \leq m\, \langle x_{j}', y_{j}', ts_{j}'\rangle = \langle {\phantom {\dot {i}\!}{x}_{i_{j}}}, {\phantom {\dot {i}\!}{y}_{{i}_{j}}}, {\phantom {\dot {i}\!}{ts}_{i_{j}}}\rangle \). We refer to the number of trajectories in \(\mathcal {D}_{T}\) containing a sub-trajectory t ^′ as support of t ^′ and denote it by \(N_{\mathcal {D}_{T}}(t') = \left |\{t \in \mathcal {D}_{T} | t' \preceq t\}\right |\).

The k-anonymity framework for trajectory data

A well known method for anonymisation of data before release is k-anonymity [2]. The k-anonymity model was also studied in the context of trajectory data [4–6]. Given an input dataset \(\mathcal {D}_{T} \subseteq T\) of trajectories, the objective of the data release is to transform \(\mathcal {D}_{T}\) into some k-anonymised form \(\mathcal {D}'_{T}\). Without this transformation, the publication of the original data can put at risk the privacy of individuals represented in the data. Indeed, an intruder who gains access to the anonymous dataset may possess some background knowledge allowing him/her to conduct attacks that may enable inferences on the dataset. We refer to any such intruders as an attacker. An attacker may know a sub-trajectory of the trajectory of some specific person and could use this information to infer the complete trajectory of the same person from the released dataset. Given the attacker’s background knowledge of partial trajectories, a k-anonymous version has to guarantee that the re-identification probability of the whole trajectory within the released dataset has to be at most \(\frac {1}{k}\). If we denote the probability of re-identification of the trajectories as Pr(r e_i d|t ^′) based on the trajectory t ^′ known to the attacker then the theoretical k-anonymity framework implies that ∀t ^′∈T, \(\Pr (re\_id | t') \leq \frac {1}{k}\). The parameter k is a given threshold that reflects the expected level of privacy.

Note that, given a trajectory dataset \(\mathcal {D}_{T}\) and an anonymity threshold k>1 we can have trajectories with a support lower than k (\(N_{\mathcal {D}_{T}}(t') < k\)) and trajectories that are frequent at least k times (\(N_{\mathcal {D}_{T}}(t') \geq k\)). The first type of trajectories are called k-harmful because their probabilities of re-identification are greater than \(\frac {1}{k}\). In [6], the authors show that if a k-anonymisation method returns a dataset \(\mathcal {D}'_{T}\) by guaranteeing that for each k-harmful trajectory t ^′ in the original dataset, \(t' \in \mathcal {D}_{T}\), either \(N_{\mathcal {D}'_{T}}(t') = 0\) or \(N_{\mathcal {D}'_{T}}(t') \geq k\), then we have the property that for any trajectory t known by an attacker (harmful or not), \(\Pr (re\_id | t') \leq \frac {1}{k}\).

This fact is easy to verify. Indeed, given a k-anonymous version \(\mathcal {D}'_{T}\) of a trajectory dataset \(\mathcal {D}_{T}\) that satisfies the above condition, and a trajectory t known by the attacker two cases can arise: - t is k -harmful in \(\boldsymbol {\boldsymbol{\mathcal {D}}_{T}}\) : in this case we can have either, \(N_{\mathcal {D}'_{T}}(t) = 0\), which implies Pr(r e_i d|t)=0, or \(N_{\mathcal {D}'_{T}}(t') \geq k\), which implies \(\Pr (re\_id | t) = \frac {1}{N_{\mathcal {D}'_{T}}(t)} \leq \frac {1}{k}\). - t is not k -harmful in \(\boldsymbol {\boldsymbol{\mathcal {D}}_{T}}\) : in this case we have \(N_{\mathcal {D}_{T}}(t) = F \geq k\) and t can have an arbitrary support in \(\mathcal {D}'_{T}\). If \(N_{\mathcal {D'}_{T}}(t)=0\) or \(N_{\mathcal {D'}_{T}}(t)\geq F\), then the same reasoning as in the previous case applies. If \(0 < N_{\mathcal {D'}_{T}}(t) < F\) then the probability to re-identify a user to the trajectory t is the probability that user is present in \({\mathcal {D'}_{T}}\) times the probability of picking that user in \({\mathcal {D'}_{T}}\), i.e., \(\frac {N_{\mathcal {D'}_{T}}(t)}{F} \times \frac {1}{N_{\mathcal {D'}_{T}}(t)} = \frac {1}{F} \leq \frac {1}{k}\).

The aforementioned mathematical condition that any k-anonymous dataset has to satisfy, is explained as follows. Given the attacker’s knowledge of partial trajectories that are k-harmful, i.e., occurring only a few times in the dataset, they can enable a few specific complete trajectories to be selected, and thus the probability that the sequence linking attack succeeds is very high. Therefore, there must be at least k trajectories in the anonymised dataset matching the attacker’s knowledge. Alternatively, there can be no trajectories in the anonymised dataset matching the attacker’s knowledge. If the attacker knows a sub-trajectory occurring many times (at least k times) then this means that it is compatible with too many subjects and this reduces the probability of a successful attack. If the partially observed trajectories lead to no match then it is equivalent to saying that the partially observed trajectories could be in any other dataset except from the one under attack, thus leading to an infinitely large search space. This is, somewhat, equivalent to k→∞. Thus, in this case, \({\lim }_{k \to \infty }{\Pr (re\_id | t')} = 0\).

This is the theoretical worst-case guarantee of the probability of re-identification of a k-anonymised dataset. However, we shall see in the following sub-section that this does not give us a complete picture of the probabilities of re-identification.

Why is the theoretical worst-case guarantee inadequate?

In order to explain the inadequacies of the theoretical worst-case guarantee, let us consider a toy example of trajectories as shown in Fig. 1. Let \(\mathcal {D}_{T}\) be the example dataset. We can choose, as an example, a value of k=3 and obtain the 3-anonymous dataset \(\mathcal {D}'_{T}\), for which the theoretical worst-case guarantee is that ∀t ^′,\(\: \Pr (re\_id | t') \leq \frac {1}{3}\).

Figure 2 illustrates the probability that a given observed trajectory (i.e., attacker’s knowledge) can be uniquely identified in the anonymised dataset, while Fig. 3 shows the cumulative distributions of probabilities with h denoting the number of observations in the attacker’s knowledge. We notice in Fig. 2 and Fig. 3 that the actual probability of re-identification is often much lower than the theoretical worst-case scenario, but this fact is not demonstrated by the theoretical guarantee.

Empirical risk model for anonymised trajectory data

In the last sub-section, we described that the theoretical worst-case guarantee does not demonstrate the distribution of attack probabilities. The worst-case scenario also does not illustrate the fact that a large majority of the attacks have far lower probabilities of success than the worst-case guarantee. Thus, we propose an empirical risk model for anonymised trajectory data. If t ^′ represents attacker’s knowledge; h=|t ^′| denotes the number of observations in the attacker’s knowledge then the intent is to approximate a probability density and a cumulative distribution of Pr(r e_i d|t ^′) for each value of h. This can be achieved by iterating over every value of h=1, …, M where M is the length of the longest trajectory in \(\mathcal {D}_{T}\). For each value of h, we consider all the sub-trajectories \(t' \in \mathcal {D}_{T}\) of length h and compute the probability of re-identification Pr(r e_i d|t ^′) as described in Algorithm 1. In particular, for each value of h a further iteration can be run over each value of t ^′ of length h, in which we compute \(N_{\mathcal {D}'_{T}}(t')\), \(N_{\mathcal {D}_{T}}(t')\) and the probability of re-identification by following the reasoning described in Section “The k-anonymity framework for trajectory data” for the computation of this probability. Algorithm 1 presents the pseudocode of the attack simulation.

The advantages of this approach is that this model supports arguments such as: (a) “98 % of the attacks have at most 10⁻⁵ probability of success”; and (b) “only 0.001 % of the attacks have a probability close to \(\frac {1}{k}\)”. The disadvantages of this model are: (a) a separate distribution plot is necessary for each value of h; and (b) the probability of re-identification increases with the increase in h. The illustration in Fig. 3 demonstrates the aforementioned advantages and disadvantages of the risk model.

For the simulation of the attack we need to select a set of trajectories B K _T from the original dataset of trajectories. The optimal solution would be to take the all possible sub-trajectories in the original dataset and compute the probability of re-identification. Since the set of attack trajectories can be quite large, in order to avoid a combinatorial explosion, two strategies can be adopted. First, we can extract from the original dataset of trajectories a random subset of trajectories that we can use as background knowledge for the attacks to estimate the distributions. In particular, for each each trajectory length value h we extract a random subset of trajectories \(B{K^{h}_{T}}\) and then, the union of all \(B{K^{h}_{T}}\) represents the global background knowledge B K _T used in the attack simulation.

Secondly, we can use a prefix tree to represent in a compact way the original dataset and then, by incrementally visiting the tree we can enumerate all the distinct sequences for using them as an adversary’s background knowledge.

Semantic trajectories

In the previous sections we considered a trajectory as the spatio-temporal evolution of the position of a moving entity that is represented as a discrete sequence of points. An interpolation function between two consecutive points approximates the movements between two sample points. Recently, in [7] a new concept of trajectory has been introduced for reasoning on trajectories from a semantic point of view, called semantic trajectory, that based on the notion of stops and moves. Stops are the important parts of a trajectory where the moving object has stayed for a minimal amount of time. They correspond to the set of x,y,t points of a trajectory which are important from an application point of view. Stops correspond to places and can be different types of geographic locations as hotels, restaurants, museums, etc; or different instances of geographic places, like Ibis Hotel, Louvre Museum, and so on. Moves are the sub-trajectories describing the movements between two consecutive stops. Based on the concept of stops and moves the user can enrich trajectories with semantic information according to the application domain [8].

Semantic Trajectory Given a set of important places \(\mathcal {I}\), a semantic trajectory T=p ₁,p ₂,…,p _n with \(p_{i} \in \mathcal {I}\) is a temporally ordered sequence of important places, that the moving object has visited.

Figure 4 (2) illustrates the concept of semantic trajectory for the trajectory shown in Fig. 4 (1). In the semantic trajectory the moving object first was at home (stop 1), then he went to work (stop 2), later he went to a shopping center (stop 3), and finally the moving object went to the gym (stop 4).

The important parts of the trajectories (stops) are application dependent, and are not known a priori, therefore they have to be computed. Different methods have been proposed for computing important parts of trajectories [9–11].

The C-safety model for semantic trajectories

In [3] authors provide a framework that, given a dataset of semantic trajectories, generates an anonymous semantic trajectory dataset. This new dataset guarantees that it is not possible to infer the identity of a user and the visited sensitive places with a probability greater than a fixed threshold, set by the data owner. The method is based on the generalization, driven by a place taxonomy, of the places visited by a user. A taxonomy of places of interest represents the semantic hierarchy of geographical places of interest. The set of stop places obtained from the computation of semantic trajectories are the leaves of taxonomy. In general, each concept in the taxonomy describes the semantic categories of the geographical objects of interest for a given application domain. For example, we have that Restaurant “Da Mario” is a kind of Restaurant which is a kind of Entertainment. Figure 5 depicts an example of the taxonomy of places of interest in a city. Here, all the places represented by red nodes are sensitive locations. Indeed, to avoid the identification of sensitive places visited by a user, the taxonomy specifies which places are sensitive and which are non-sensitive.

A place is considered sensitive when it allows to infer personal information about the person who has stopped there. For example, a stop at an oncology clinic may indicate that the user has some health problem. Other places (such as parks, restaurants, cinemas, etc) are considered as quasi-identifiers. Note that, any non-sensitive place is assumed to be a quasi-identifier. Given a dataset of semantic trajectories D _T and the privacy places taxonomy Ptax describing the categories of the geographical objects of interest for an application domain, the goal of the data release is to transform D _T in its anonymous version \(D^{\prime }_{T}\) by using a method based on the generalization of places driven by the taxonomy.

An attacker may access the dataset \(D^{\prime }_{T}\) and may know the privacy place taxonomy Ptax, the quasi-identifier place sequence S _Q visited by a specific person and could use this information to infer the sensitive places visited by a that person. Given the attacker’s background knowledge of quasi-identifier places S _Q and c−s a f e version of the semantic trajectories has to guarantee that for each set of sensitive places S the P r(S|S _Q )≤c with c∈ [ 0,1]. Here, the parameter c is a given threshold that reflects the expected level of privacy.

To guarantee c−s a f e t y the approach proposed in [3] generates by generalization (driven by the taxonomy) groups of m trajectories having the same sequence of quasi-identifier places and guaranteeing that for each sensitive place P r(s _i |S _Q )≤c.

Empirical risk model for c-safe semantic trajectories

As in the case of k-anonymity also in this case actual probability of inferring an exact sensitive place is often much lower than the theoretical worst-case scenario. This is due to the fact that the attacker could knows only a subset of the user quasi-identifier places and so, in the c-safe dataset he could find more than one group with m trajectories matching the known quasi-identifier places. Since, each group guarantees that for each sensitive place the probability of inference is at most c then could happen that the protection becomes higher. In the following example we show this point.

Suppose that the privacy transformation create the following two groups of semantic trajectories generalized by the taxonomy in Fig. 5. The transformed dataset is 0.66-safe, that means that for each sensitive place the disclosure probability is at most equal to 0.66. Computing the disclosure probability for different size and composition of quasi-identifiers S _Q we have that only the sensitive place C ₁ we have the worst-case value 0.66, in fact assuming that the attacker knows \(S_{Q} = Station, Restaurant, Park Pr(C_{1}|S_{Q}) = \frac {2}{3} = 0.66\). In the other cases the guarantees is greater that 0.66. In particular, we can note that when we consider the background knowledge S _Q =S t a t i o n,R e s t a u r a n t the guarantee becomes higher. In fact, we decrease also P r(C ₁|S _Q ) that becomes 0.5.

We propose an empirical risk model also for c-safe datasets of semantic trajectories. In this case, the intent of the attacker is to approximate the cumulative distribution of the disclosure probability of sensitive places in a datasets P r(s|S _Q ), knowing a sequence of quasi-identifiers S _Q with length h. This can be achieved by iterating over every value of h=1,…,M where M is the length of the longest quasi-identifier sequence in the background knowledge B K _T . The idea is that for each h value, we select the group of semantic trajectories in \(D^{\prime }_{T}\) containing the sequence of quasi-identifier places known by the attacker, called G. Then, for each sensitive place s in the semantic trajectories in G we compute the disclosure probability P r(s|S Q′) and compute the cumulative distribution (Algorithm 2).

Risk analysis

In order to evaluate the privacy risks on the two anonymised trajectory datasets we applied the methodology described in Section “Empirical risk model for anonymised trajectory data”. Therefore, we estimated the cumulative distribution of the probability of re-identification for each value of h=|t ^′|, which denotes the number of observations in the attacker’s knowledge. We simulated a set of attacks by randomly selecting from the original database a subset of trajectories and using them as background knowledge. In particular, in our experiment for each h, we drew from the original database, 10,000 sub-sequences with length h. We considered h=1,…,5 because the longest sequence in the original data has length 5. Figure 10 shows the results obtained with this attack simulation. The first column of images contains the plots related to the cumulative distributions related to the hour-level dataset while the second column contains the results obtained from the day-level dataset.

Our analyses highlight that the empirical protection guaranteed by the algorithm of anonymisation is much higher than the theoretical protection. Only few attacks have a protection very close to \(\frac {1}{k}\). We observe as an example that when the day-level dataset is anonymised with k=5 our empirical risk analysis shows that 90 % of the attacks have at most a risk of re-identification of \(\frac {1}{10}\). The findings are similar in the other anonymised datasets. Moreover, we note that when the number of observations increases too much the probability of re-identification becomes very low and often zero because these sequences are infrequent in the original database. These long sequences no longer exist in the published database since the process of anonymisation tends to eliminate the outliers (i.e., sequences with a very low frequency). This effect is more evident in the case of the hour-level data.

We also estimated the cumulative distribution of the re-identification probability normalised with the cost of obtaining the background knowledge (see Section “Empirical risk model for anonymised trajectory data”). Figure 11 depicts the cumulative distribution of our single risk indicator obtained considering a sub-linear cost for the acquisition of the attacker’s knowledge. We observe that if we assign a cost to the attack then the protection guaranteed is higher; thus allowing us to express in a very simple way the risk to the individuals if the whole dataset is published. Indeed, as an example Fig. 11 b shows that when the day-level dataset is anonymised with k=5 the probability of re-identification considering also the attack cost is at most about 0.025 \(\left (\frac {1}{20}\right)\) for 90 % of the attacks.

Data quality evaluation

As expected the anonymisation preserves very well the precision of the ODpairs; this means that the data transformation does not introduce noise, while it tends to suppress some ODpairs and this affects the data coverage. This behaviour is more evident in the hour-level dataset. Lastly, we also analysed how the coverage changes by varying the risk in the dataset. Figure 12 outlines the results. In line with our expectations, the coverage increases with the privacy risk. However, we observe that with a risk of re-identification of 0.1 we can have a coverage of about 90 % in the hour-level dataset anonymized with k=5. The situation improves a lot in the day-level dataset. Thus, this is a good tool for managing the trade-off between privacy and data utility.

Another way to evaluate the real effect of the data quality is a visual representation of the ODpairs graph. Figure 13 shows how the graphs degrade increasing the k parameter considering the hour-level and day-level aggregations.

Here, green locations represent vertices of the graph having both in- and out-going edges, on the contrary blue and orange locations represent respectively vertices with only out-going and in-going edges. In the original data all the locations are green and the ODpairs graph is almost complete (see Fig. 8 b) but in the case of hour-level even with k=3 some of the nodes lose their connections becoming blue and orange and the relative graph becomes less dense. Using k=10 the data is completely destroyed. At day-level the situation changes completely and with all the values of k the data remains similar to the original one: the locations do not disappear and the graph remain almost complete.

Risk analysis on null model

In Fig. 14 show the empirical evaluation of the privacy guarantees over the null models. The first column of images contains the plots with the cumulative distributions of the re-identification probability related to the hour-level dataset while, the second column contains the results obtained from the day-level dataset. We observe that in the hour-level dataset (left images), when the number of attacker’s observations is greater than 2 almost 100 % of attacks has a probability of success equal to 0 %, especially for k=5 and k=10. This means that the anonymisation algorithm tends to suppress a lot of information to provide good privacy levels. The curve representing a number of observations equal to 2 (green curve) describes a lower guarantee with respect to the same case in the real-world data (Fig. 10). On the other side, at day-level we can notice how the uniform distribution of the locations frequencies is evident: considering an attacker knowledge equal to 1 observation the dataset is practically safe. Moving towards a richer knowledge of the attacker, i.e. from 2 to 5 observations, the results change dramatically following the same trends seen for the hour-level. This happens because the frequency of a sequences is clearly lower than a single location, therefore when the frequencies become less than k the data will be destroyed by the algorithm.

To better understand this effect of and to prove that the results shown before are due to the density of the generated data, we modified the null model definition varying the number of locations used. The objective is to reduce the density of the ODpairs by means of having more combinations and maintaining the same number of users. The results shown in Fig. 15 confirm our hypothesis, in fact at both levels and for each k when the density reaches a critical value the coverage of the anonymized data decreases drastically destroying completely the data. Here the number of locations are: 64, 144, 256, 400, 576, 784 and 1024.