
    SoK: differentially private publication of trajectory data

    Trajectory analysis holds many promises, from improvements in traffic management to routing advice or infrastructure development. However, learning users’ paths is extremely privacy-invasive. Therefore, there is a necessity to protect trajectories such that we preserve the global properties, useful for analysis, while specific and private information of individuals remains inaccessible. Trajectories, however, are difficult to protect, since they are sequential, highly dimensional, correlated, bound to geophysical restrictions, and easily mapped to semantic points of interest. This paper aims to establish a systematic framework on protective masking measures for trajectory databases with differentially private (DP) guarantees, including also utility properties, derived from ideas and limitations of existing proposals. To reach this goal, we systematize the utility metrics used throughout the literature, deeply analyze the DP granularity notions, explore and elaborate on the state of the art on privacy-enhancing mechanisms and their problems, and expose the main limitations of DP notions in the context of trajectories.

    We would like to thank the reviewers and shepherd for their useful comments and suggestions in the improvement of this paper. Javier Parra-Arnau is the recipient of a “Ramón y Cajal” fellowship funded by the Spanish Ministry of Science and Innovation. This work also received support from “la Caixa” Foundation (fellowship code LCF/BQ/PR20/11770009), the European Union’s H2020 program (Marie Skłodowska-Curie grant agreement № 847648), from the Government of Spain under the project “COMPROMISE” (PID2020-113795RB-C31/AEI/10.13039/501100011033), and from the BMBF project “PROPOLIS” (16KIS1393K). The authors at KIT are supported by KASTEL Security Research Labs (Topic 46.23 of the Helmholtz Association) and Germany’s Excellence Strategy (EXC 2050/1 ‘CeTI’; ID 390696704).

    SoK: Differentially Private Publication of Trajectory Data

    Trajectory analysis holds many promises, from improvements in traffic management to routing advice or infrastructure development. However, learning users' paths is extremely privacy-invasive. Therefore, there is a necessity to protect trajectories such that we preserve the global properties, useful for analysis, while specific and private information of individuals remains inaccessible. Trajectories, however, are difficult to protect, since they are sequential, highly dimensional, correlated, bound to geophysical restrictions, and easily mapped to semantic points of interest. This paper aims to establish a systematic framework on protective masking and synthetic-generation measures for trajectory databases with syntactic and differentially private (DP) guarantees, including also utility properties, derived from ideas and limitations of existing proposals. To reach this goal, we systematize the utility metrics used throughout the literature, deeply analyze the DP granularity notions, explore and elaborate on the state of the art on privacy-enhancing mechanisms and their problems, and expose the main limitations of DP notions in the context of trajectories.

    Approximately Truthful Multi-Agent Optimization Using Cloud-Enforced Joint Differential Privacy

    Multi-agent coordination problems often require agents to exchange state information in order to reach some collective goal, such as agreement on a final state value. In some cases, it is feasible that opportunistic agents may deceptively report false state values for their own benefit, e.g., to claim a larger portion of shared resources. Motivated by such cases, this paper presents a multi-agent coordination framework which disincentivizes opportunistic misreporting of state information. This paper focuses on multi-agent coordination problems that can be stated as nonlinear programs, with non-separable constraints coupling the agents. In this setting, an opportunistic agent may be tempted to skew the problem's constraints in its favor to reduce its local cost, and this is exactly the behavior we seek to disincentivize. The framework presented uses a primal-dual approach wherein the agents compute primal updates and a centralized cloud computer computes dual updates. All computations performed by the cloud are carried out in a way that enforces joint differential privacy, which adds noise in order to dilute any agent's influence upon the value of its cost function in the problem. We show that this dilution deters agents from intentionally misreporting their states to the cloud, and present bounds on the possible cost reduction an agent can attain through misreporting its state. This work extends our earlier work on incorporating ordinary differential privacy into multi-agent optimization, and we show that this work can be modified to provide a disincentive for misreporting states to the cloud. Numerical results are presented to demonstrate convergence of the optimization algorithm under joint differential privacy.

    Comment: 17 pages, 3 figures.
