On the privacy offered by (k, δ)-anonymity

The widespread deployment of technologies with tracking capabilities, like GPS, GSM, RFID and on-line social networks, allows mass collection of spatio-temporal data about their users. As a consequence, several methods aimed at anonymizing spatio-temporal data before their publication have been proposed in recent years. Such methods are based on a number of underlying privacy models. Among these models, (k, δ)-anonymity claims to extend the widely used k-anonymity concept by exploiting the spatial uncertainty δ ≥ 0 in the trajectory recording process. In this article, we prove that, for any δ > 0 (that is, whenever there is actual uncertainty), (k, δ)-anonymity does not offer trajectory k-anonymity, that is, it does not hide an original trajectory in a set of k indistinguishable anonymized trajectories. Hence, the methods based on (k, δ)-anonymity, like Never Walk Alone (NWA) and Wait For Me (W4M) can offer trajectory k-anonymity only when δ = 0 (no uncertainty). Thus, the idea of exploiting the recording uncertainty δ to achieve trajectory k-anonymity with information loss inversely proportional to δ turns out to be flawed.