On the privacy offered by (k, δ)-anonymity

The widespread deployment of technologies with tracking capabilities, like GPS, GSM, RFID and on-line social networks, allows mass collection of spatio-temporal data about their users. As a consequence, several methods aimed at anonymizing spatio-temporal data before their publication have been proposed in recent years. Such methods are based on a number of underlying privacy models. Among these models, (k,δ)-anonymity claims to extend the widely used k-anonymity concept by exploiting the spatial uncertainty δ≥0 in the trajectory recording process. In this paper, we prove that, for any δ>0 (that is, whenever there is actual uncertainty), (k,δ)-anonymity does not offer trajectory k-anonymity, that is, it does not hide an original trajectory in a set of k indistinguishable anonymized trajectories. Hence, the methods based on (k,δ)-anonymity, like Never Walk Alone (NWA) and Wait For Me (W4M) can offer trajectory k-anonymity only when δ=0 (no uncertainty). Thus, the idea of exploiting the recording uncertainty δ to achieve trajectory k-anonymity with information loss inversely proportional to δ turns out to be flawed. ⺠(k,δ)-Anonymity claims to provide trajectory k-anonymity. ⺠It exploits the spatial uncertainty δ of location recording. ⺠It aims to achieve information loss inversely proportional to δ. ⺠We prove that, for any δ>0, (k,δ)-anonymity does not offer trajectory k-anonymity.