Anonymization of moving objects databases by clustering and perturbation

Abstract

Preserving individual privacy when publishing data is a problem that is receiving increasing attention. Thanks to its simplicity the concept of k-anonymity, introduced by Samarati and Sweeney [1], established itself as one fundamental principle for privacy preserving data publishing. According to the k-anonymity principle, each release of data must be such that each individual is indistinguishable from at least k−1 other individuals.

In this article we tackle the problem of anonymization of moving objects databases. We propose a novel concept of k-anonymity based on co-localization, that exploits the inherent uncertainty of the moving object's whereabouts. Due to sampling and imprecision of the positioning systems (e.g., GPS), the trajectory of a moving object is no longer a polyline in a three-dimensional space, instead it is a cylindrical volume, where its radius $\delta$ represents the possible location imprecision: we know that the trajectory of the moving object is within this cylinder, but we do not know exactly where. If another object moves within the same cylinder they are indistinguishable from each other. This leads to the definition of $(k,\delta )\text{-anonymity}$ for moving objects databases. We first characterize the $(k,\delta )\text{-anonymity}$ problem, then we recall $\mathcal{NWA}$ ($\mathcal{N}\mathit{ever}\mathcal{W}\mathit{alk}\mathcal{A}\mathit{lone}$), a method that we introduced in [2] based on clustering and spatial perturbation. Starting from a discussion on the limits of $\mathcal{NWA}$ we develop a novel clustering method that, being based on EDR distance [3], has the important feature of being time-tolerant. As a consequence it perturbs trajectories both in space and time. The novel method, named $\mathcal{W}4\mathcal{M}$ ($\mathcal{W}\mathit{ait}\mathit{for}\mathcal{M}e$), is empirically shown to produce higher quality anonymization than $\mathcal{NWA}$, at the price of higher computational requirements. Therefore, in order to make $\mathcal{W}4\mathcal{M}$ scalable to large datasets, we introduce two variants based on a novel (and computationally cheaper) time-tolerant distance function, and on chunking.

All the variants of $\mathcal{W}4\mathcal{M}$¹ are empirically evaluated in terms of data quality and efficiency, and thoroughly compared to their predecessor $\mathcal{NWA}$.² Data quality is assessed both by means of objective measures of information distortion, and by more usability oriented measure, i.e., by comparing the results of (i) spatio-temporal range queries and (ii) frequent pattern mining, executed on the original database and on the $(k,\delta )\text{-anonymized}$ one.

Experimental results over both real-world and synthetic mobility data confirm that, for a wide range of values of $\delta$ and k, the relative distortion introduced by our anonymization methods is kept low. Moreover, the techniques introduced to make $\mathcal{W}4\mathcal{M}$ scalable to large datasets, achieve their goal without giving up data quality in the anonymization process.

Introduction

With today's pervasiveness of mobile phones and other location-aware devices, the amount of traces left by moving objects and daily collected by service providers, is continuously increasing. The wealth of space–time trajectories left by these personal devices and their human companions is expected to enable novel classes of applications, where the discovery of consumable, concise, and applicable knowledge is the key step. These mobile trajectories contain detailed information about personal and vehicular mobile behavior, and therefore offer interesting practical opportunities to find behavioral patterns, to be used for instance in traffic and sustainable mobility management, e.g., to study the accessibility to services.

Clearly, in these applications privacy is a concern, since location data enable intrusive inferences, which may reveal habits, social customs, religious and sexual preferences of individuals, and can be used for unauthorized advertisement and user profiling. As an example, consider a traffic control application that collects vehicle movements. In a naïve tentative of preserving anonymity, the car identifiers are not disclosed but instead replaced with pseudonyms. However, as shown in [4] such operation is insufficient to guarantee anonymity, as location is a property that in some circumstances can lead to the identification of the individual. If one is known to follow almost every morning the same route, it is very likely that the starting point is the home of the individual and the ending point is the working place. Joining this information with some telephone directories we can easily link the trajectory to its owner.

In this paper we study the problem of preserving privacy when publishing data from moving objects databases. We extend the classical concept of k-anonymity [1] to deal with this particular form of data, and to exploit its inherent uncertainty [5], [6], [7]. In fact the energy in a mobile device is very limited, so it is impossible for a mobile object to continuously send out its location information. To reduce the energy consumption, many methods [8], [9] are developed for predicting an expected location of a mobile object at a given time t, using some predictive model, e.g., Kalman filter, linear model, etc. If the actual location of the mobile object differs more than an uncertainty threshold $\delta$ from the predicted location, then the mobile object reports the new location, otherwise it does not. The threshold $\delta$ is defined by an agreement between the server and the moving object. For sake of presentation, in the following we assume a common $\delta$, although our framework can easily handle different $\delta \text{'s}$, as discussed in Section 9.

The basic idea underlying our proposal is to exploit this inherent position uncertainty in moving objects data, in order to keep low the distortion needed for anonymizing such data before their release.

Following Trajcevski et al. [6] an uncertain trajectory is defined as a cylindrical volume of radius $\delta$.

Definition 1 Uncertain trajectory [6]

A trajectory of a moving object is a polyline in three-dimensional space represented as a sequence of spatio-temporal points: $(x_1,y_1,t_1),(x_2,y_2,t_2)\dots (x_n,y_n,t_n)(t_1<t_2<\cdots <t_n)$. During the time segment [t_i,t_i+1] the object is assumed to move along a straight line from (x_i,y_i) to (x_i+1,y_i+1) at a constant speed. Given a trajectory $\tau$ between times t₁ and t_n, and an uncertainty threshold $\delta$, the pair $〈\tau ,\delta 〉$ defines an uncertain trajectory. For each point (x,y,t) along $\tau$, its uncertainty area is the horizontal disk (i.e., circle and its interior) with radius $\delta$ and centered at (x,y,t), where (x,y) is the expected location at time $t\in [t_1,t_n]$. The trajectory volume of $〈\tau ,\delta 〉$, denoted $\mathit{Vol}(\tau ,\delta )$ is the union of all such disks for all $t\in [t_1,t_n]$. A possible motion curve of $\tau$ is any continuous function $f_{{\mathit{PMC}}^{\tau }}:\mathit{Time}\to {\mathbb{R}}^2$ defined on the interval [t₁,t_n] such that for any $t\in [t_1,t_n]$, the spatio-temporal point $(f_{{\mathit{PMC}}^{\tau }}(t),t)$ is inside the uncertainty area at time t: we also adopt the notation $f_{{\mathit{PMC}}^{\tau }}\subset \mathit{Vol}(\tau ,\delta )$.

Definition 1 is graphically represented in Fig. 1. Intuitively two trajectories are indistinguishable if they are defined in the same time interval, and they follow almost the same route w.r.t. the uncertainty threshold.

Definition 2 Co-localization

Two trajectories ${\tau }_1$, ${\tau }_2$ defined in [t₁,t_n] are said to be co-localized w.r.t. $\delta$, iff for each point (x₁,y₁,t) along ${\tau }_1$ and (x₂,y₂,t) along ${\tau }_2$ with $t\in [t_1,t_n]$, it holds that $\mathit{Dist}((x_1,y_1),(x_2,y_2))\le \delta$, where Dist is the Euclidean distance: $\mathit{Dist}((x_1,y_1),(x_2,y_2))=\sqrt{(x_1-x_2{)}^2+(y_1-y_2{)}^2}$. We write ${\mathit{Coloc}}_{\delta }({\tau }_1,{\tau }_2)$ omitting the time interval [t₁,t_n].

Note that the definition above requires two trajectories to be defined exactly in the same time interval in order to be co-localized. Although in real-world data it is quite unusual to have two trajectories starting and ending at the exact same time instants, in practice this problem can be tackled by allowing small time gaps, or by selecting coarser time samplings, or more in general, by introducing small information loss. We will discuss later how we deal with this constraint.

Another way to express the co-localization of trajectories is to say that each one is a possible motion curve of the other.

Proposition 1

$${\mathit{Coloc}}_{\delta }({\tau }_1\text{,}{\tau }_2)⟺{\tau }_1\subset \mathit{Vol}({\tau }_2\text{,}\delta )⟺{\tau }_2\subset \mathit{Vol}({\tau }_1\text{,}\delta )$$

It is worth noting that co-localization does not induce a partition of a set of trajectories.

Proposition 2

${\mathit{Coloc}}_{\delta }({\tau }_1,{\tau }_2)$ is a reflexive and symmetric relation. For $\delta >0$, it is not transitive, and thus it does not induce equivalence classes; while for $\delta =0$, ${\mathit{Coloc}}_{\delta }({\tau }_1,{\tau }_2)$ is also transitive and thus it is an equivalence relation.

Given an anonymity threshold k, we can define an anonymity set as a set of at least k trajectories that are co-localized.

Definition 3 Anonymity set of trajectories

Given an uncertainty threshold $\delta$ and an anonymity threshold k, a set S of trajectories is a $(k,\delta )\text{-anonymity}$ set iff $\left|S\right|\ge k$ and $\forall {\tau }_i,{\tau }_j\in S.{\mathit{Coloc}}_{\delta }({\tau }_i,{\tau }_j)$.

The following properties further characterize an anonymity set of trajectories.

Proposition 3

A set of trajectories S, with $\left|S\right|\ge k$, is a $(k,\delta )\text{‐}\mathit{anonymity}$ set iff there exists a trajectory ${\tau }_c$ such that all the trajectories in S are possible motion curves of ${\tau }_c$ within an uncertainty radius of $\delta /2$: i.e., $\forall \tau \in S.\tau \subset \mathit{Vol}({\tau }_c,\delta /2)$.

Given a $(k,\delta )\text{‐}\mathit{anonymity}$ set S, the trajectory ${\tau }_c$ is obtained by taking, for each $t\in [t_1,t_n]$, the point(x,y) that is the center of the minimum bounding circle of all the points at time t of all trajectories in S.

Therefore, an anonymity set of trajectories can be bounded by a cylindrical volume of radius $\delta /2$. In Fig. 2, we graphically represent this property.

The problem we study in this article is that of $(k,\delta )\text{-anonymizing}$ a database of trajectories of moving objects.

Problem 1

Given a dataset of trajectories $\mathcal{D}$, an uncertainty threshold $\delta$ and an anonymity threshold k, the problem of $(k,\delta )\text{-anonymity}$ requires to transform $\mathcal{D}$ in a dataset ${\mathcal{D}}^{\prime }$, such that for each trajectory $\tau \in {\mathcal{D}}^{\prime }$ there exists a $(k,\delta )\text{-anonymity}$ set $S\subseteq {\mathcal{D}}^{\prime }$, $\tau \in S$; and the distortion between $\mathcal{D}$ and ${\mathcal{D}}^{\prime }$ is minimized.

In this article we study the problem of anonymity preserving data publishing in moving objects databases, as formally defined above. In the next section we collocate our contribution within a heterogeneous literature ranging from anonymity and data publishing to moving objects databases and location based services.

In Section 3 we introduce the basic technique that we use to enforce $(k,\delta )\text{-anonymity}$, we develop a suitable measure of the information distortion introduced by space translation, and we prove that the problem of achieving $(k,\delta )\text{-anonymity}$ with minimum distortion is NP-hard.

Therefore, we propose a two-step greedy method: in the first step by means of k-member constrained clustering we group trajectories in clusters having at least k elements; in the second step we perform the minimum space translation needed to push all the trajectories of a cluster within a cylindrical volume of radius $\delta /2$ (according to Proposition 3), making them a $(k,\delta )\text{-anonymity}$ set.

During a preliminary investigation (not reported in this article but available in our technical report [10]) we adapted many classical clustering methods to deal with the k-member constraint and to handle trajectories data. Through an experimental comparison we selected greedy clustering as a good trade-off between minimization of information distortion and efficiency. Such simple method is at the basis of all the algorithms that we present in this paper.

In Section 4 we recall our previous method, namely $\mathcal{NWA}$ ($\mathcal{N}\mathit{ever}\mathcal{W}\mathit{alk}\mathcal{A}\mathit{lone}$) [2]. $\mathcal{NWA}$ is obtained by enhancing the basic greedy clustering algorithm by equipping it with ad hoc pre-processing, and techniques to produce compact clusters at the price of suppressing some outlier trajectories.

Starting by a discussion on the limits of $\mathcal{NWA}$, in Section 5 we develop a novel method that, being based on EDR distance [3] (instead of the Euclidean distance as it was $\mathcal{NWA}$), it has the important feature of being time-tolerant. The novel method is named $\mathcal{W}4\mathcal{M}$ ($\mathcal{W}\mathit{ait}\mathit{for}\mathcal{M}e$). To the best of our knowledge our algorithm is the first to use EDR as distance function within a trajectory clustering framework, thus providing further assessment of the merits of this distance.

Another novel idea that we introduce, is to exploit the EDR computation also as a guide on how to perform the last step of the anonymization process. After having clustered trajectories we need to modify each cluster to make it an anonymity set. Being an edit distance, it is EDR itself to suggest us how to do this spatio-temporal editing: this means that we are able to reuse the computation done during the clustering phase also in the points translation phase. The technical details on how to do spatio-temporal editing efficiently are reported in Section 5.2.

Our experiments in Section 6 confirm that $\mathcal{W}4\mathcal{M}$ produces higher quality $(k,\delta )\text{-anonymized}$ data than $\mathcal{NWA}$. However, it might be prohibitively expensive for large and complex datasets. Thus, in Section 7 we develop techniques to make $\mathcal{W}4\mathcal{M}$ scalable. In particular, in Section 7.1 we introduce a novel O(n) spatio-temporal distance function, named LSTD (linear spatio-temporal distance). Being linear, LSTD has the same computational cost of Euclidean distance, but it has not the same limits: in fact LSTD is time-tolerant, can be applied to trajectories of different length, and it is tolerant to outliers. In practice, it represents a good trade-off between Euclidean distance and EDR. In Section 8 all the variants of $\mathcal{W}4\mathcal{M}$ are empirically evaluated in terms of data quality and efficiency, and compared to their predecessor $\mathcal{NWA}$. Data quality is assessed both by means of objective measures of information distortion, and by more usability oriented measure, i.e., by comparing the results of (i) spatio-temporal range queries and (ii) frequent pattern mining, executed on the original database and on the $(k,\delta )\text{-anonymized}$ one.

The experiments show that the new techniques make $\mathcal{W}4\mathcal{M}$ scalable to very large datasets, without giving up quality of the anonymization.