On the privacy offered by (k, δ)-anonymity

The widespread deployment of technologies with tracking capabilities, like GPS, GSM, RFID and on-line social networks, allows mass collection of spatio-temporal data about their users. As a consequence, several methods aimed at anonymizing spatio-temporal data before their publication have been proposed in recent years. Such methods are based on a number of underlying privacy models. Among these models, (k,δ)-anonymity(k,δ)-anonymity claims to extend the widely used k  -anonymity concept by exploiting the spatial uncertainty δ≥0δ≥0 in the trajectory recording process. In this paper, we prove that, for any δ>0δ>0 (that is, whenever there is actual uncertainty), (k,δ)-anonymity(k,δ)-anonymity does not offer trajectory k-anonymity, that is, it does not hide an original trajectory in a set of k   indistinguishable anonymized trajectories. Hence, the methods based on (k,δ)-anonymity(k,δ)-anonymity, like Never Walk Alone (NWA) and Wait For Me (W4M) can offer trajectory k  -anonymity only when δ=0δ=0 (no uncertainty). Thus, the idea of exploiting the recording uncertainty δδ to achieve trajectory k  -anonymity with information loss inversely proportional to δδ turns out to be flawed.

► (k,δ)-Anonymity(k,δ)-Anonymity claims to provide trajectory k  -anonymity. ► It exploits the spatial uncertainty δ of location recording. ► It aims to achieve information loss inversely proportional to δδ. ► We prove that, for any δ>0δ>0, (k,δ)-anonymity(k,δ)-anonymity does not offer trajectory k-anonymity.