ABSTRACT

A growing number of applications and services include among their parameters a spatial and temporal characterization of some of the objects that they store and process. These applications are enabled by technologies, like GPS, WiFi positioning, or cellular network based methods, that can provide real-time data about the position of moving objects. Some applications do not permanently store location data, which is simply received, processed, and deleted. This is sometimes enforced as a privacy preserving policy in the provisioning of location based services (LBS). However, in most cases, location data are permanently stored like any other data, to provide a better service (e.g., to understand the direction and speed of objects, or even trajectories) as well as for historical records and accounting purposes. The huge amount of spatio-temporal data collected by these applications is currently stored in many different ways, since a standard has not emerged yet; moving-object databases and spatial extensions of standard database management systems are the main options. A very active research area is investigating the efficient storage, processing, and retrieval of trajectory data. Most of this data is acquired in the form of transactions. Examples are periodic location updates from GPS-monitored vehicles, spatial nearest-neighbor requests, ATM transactions with location and timestamp, and georeferenced emergency calls. Privacy issues arise both in the acquisition of this data and in its subsequent release from the repositories where the data is stored. If we consider that an adversary may be able to obtain one or more transactions at the time they are acquired, a defense technique must be applied at each transaction, as proposed in the case of requests to LBS. The situation is analogous to having a stream of data in which each element coming from the stream must be transformed in order to prevent privacy threats. We call these techniques online privacy preserving techniques. Depending on the adversary model, the transformation function should take into account different knowledge, including, for example, how the previous elements of the stream have been transformed. By contrast, offline techniques apply a transformation to a whole dataset of transactions acquired in a given time window. Many of the trajectory privacy preserving techniques proposed in data mining are offline techniques, considering the one-shot release of the whole dataset. A less investigated privacy problem is the sequential release of subsets of the transaction dataset covering different and possibly overlapping time windows. In this case, offline techniques have to take into account the possible correlations among published data. Note that the extreme case in which a release occurs for each time window containing a single time instant degenerates to the problem requiring online defense techniques. This chapter provides a brief survey of proposals for both classes of techniques, further classifying them according to their specific goal, reference architecture, and evaluation methods. A technically deeper discussion is devoted to online anonymization when the adversary can recognize traces of requests from the same user, and to online location obfuscation in proximity services, like friend-finder services. A detailed survey of offline techniques has been proposed by Bonchi et al. [9], while another survey covering some online and offline techniques has been written by Ghinita [15]. An independent line of research has investigated context-based access control systems and privacy policy based approaches with specific reference to location and trajectory data. Two surveys of results from these approaches have been written recently by Verykios et al. [40] and by Ardagna et al. [2].