Matching Anonymized and Obfuscated Time Series to Users' Profiles

TL;DR

This paper establishes theoretical limits on user privacy when anonymization and obfuscation are used to protect time series data, revealing conditions under which privacy can be fully preserved or entirely compromised.

Contribution

It derives fundamental bounds on privacy in anonymized and obfuscated time series, extending previous location privacy work to broader data types and models.

Findings

Privacy bounds depend on the number of users and data models.

As user count increases, privacy regions become distinctly separated.

Complete privacy is achievable or impossible depending on the obfuscation-anonymization parameters.

Abstract

Many popular applications use traces of user data to offer various services to their users. However, even if user data is anonymized and obfuscated, a user's privacy can be compromised through the use of statistical matching techniques that match a user trace to prior user behavior. In this work, we derive the theoretical bounds on the privacy of users in such a scenario. We build on our recent study in the area of location privacy, in which we introduced formal notions of location privacy for anonymization-based location privacy-protection mechanisms. Here we derive the fundamental limits of user privacy when both anonymization and obfuscation-based protection mechanisms are applied to users' time series of data. We investigate the impact of such mechanisms on the trade-off between privacy protection and user utility. We first study achievability results for the case where the time-series of users are governed by an i.i.d. process. The converse results are proved both for the i.i.d. case as well as the more general Markov chain model. We demonstrate that as the number of users in the network grows, the obfuscation-anonymization plane can be divided into two regions: in the first region, all users have perfect privacy; and, in the second region, no user has privacy.