Privacy vulnerability of published anonymous mobility traces

Mobility traces of people and vehicles have been collected and published to assist the design and evaluation of mobile networks, such as large-scale urban sensing networks. Although the published traces are often made anonymous in that the true identities of nodes are replaced by random identifiers, the privacy concern remains. This is because in real life, nodes are open to observations in public spaces, or they may voluntarily or inadvertently disclose partial knowledge of their whereabouts. Thus, snapshots of nodes' location information can be learned by interested third parties, e.g., directly through chance/engineered meetings between the nodes and their observers, or indirectly through casual conversations or other information sources about people. In this paper, we investigate how an adversary, when equipped with a small amount of the snapshot information termed as side information, can infer an extended view of the whereabouts of a victim node appearing in an anonymous trace. Our results quantify the loss of victim nodes' privacy as a function of the nodal mobility, the inference strategies of adversaries, and any noise that may appear in the trace or the side information. Generally, our results indicate that the privacy concern is significant in that a relatively small amount of side information is sufficient for the adversary to infer the true identity (either uniquely or with high probability) of a victim in a set of anonymous traces. For instance, an adversary is able to identify the trace of 30%-50% of the victims when she has collected 10 pieces of side information about a victim.