How Tough Is Location Anonymization? Re-identifying 100K Real-User Trajectories in Japan

TL;DR

This study demonstrates that existing anonymization methods for mobility data in Japan are inadequate, as re-identification is still feasible, emphasizing the need for more robust privacy-preserving techniques.

Contribution

The paper provides a comprehensive analysis of privacy risks in released mobility datasets and evaluates the effectiveness of current sanitization strategies.

Findings

Re-identification is possible using density, urban, and temporal signatures.

Current privacy techniques often compromise data utility or fail to prevent re-identification.

Strong privacy settings significantly reduce data usefulness.

Abstract

Mobility traces are among the most revealing forms of personal data, yet trajectory releases are often protected only by ad hoc transformations. We stress-test such practices on recently-released YJMob100K, an anonymized dataset of 100,000 user trajectories in Japan. First, we show that the applied protection leaves enough spatial and temporal structure to recover both the real-world geographic frame and the actual calendar timeline by exploiting density signatures, urban correlations, and temporal activity profiles. On top of this reconstruction, we quantify privacy risks through trajectory-level metrics that capture spatio-temporal k-anonymity, -point unicity, home-work and multi-anchor uniqueness, and exposure to secluded and sensitive locations. These metrics reveal extensive re-identification surfaces: a small number of observations, anchors, or sensitive venues often suffices to uniquely pinpoint users or their social neighborhoods. Finally, we evaluate representative sanitization strategies: geo-indistinguishability, local differential privacy, and aggressive spatial de-structuring; and observe a consistent pattern: strong privacy parameters destroy downstream utility, while utility-preserving settings leave structural leakage largely intact. Overall, our findings show that current sanitization techniques are insufficient for large-scale mobility data, and they highlight the urgent need for trajectory-aware privacy mechanisms and stronger publication standards.