pith. sign in

arxiv: 2605.15246 · v1 · pith:BD6QRVPDnew · submitted 2026-05-14 · 💻 cs.LG

Privacy Evaluation of Generative Models for Trajectory Generation

Stavros Bouras , Ioannis Kontopoulos , Chiara Pugliese , Francesco Lettich , Emanuele Carlini , Hanna Kavalionak , Chiara Renso , Konstantinos Tserpes This is my paper

Pith reviewed 2026-05-19 16:17 UTC · model grok-4.3

classification 💻 cs.LG
keywords privacy evaluationgenerative modelstrajectory generationmembership inference attackssynthetic datamobility patterns
0
0 comments X

The pith

Generative models do not guarantee privacy for synthetic trajectory data

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper investigates privacy in generative models for creating synthetic trajectory data from sensitive mobility information. It shows that the assumption of inherent privacy protection due to the generative process is incorrect. By implementing membership inference attacks on models like GANs, VAEs, and diffusion models, the authors demonstrate that it is possible to infer if specific trajectories were used during training. This is important because trajectory data is used in urban intelligence applications where individual privacy must be protected. The work fills a gap by applying empirical privacy evaluation methods to this domain.

Core claim

Although generative models for trajectory data are assumed to preserve privacy by producing synthetic outputs, this does not hold in practice as membership inference attacks can successfully determine membership of individual trajectories in the training set.

What carries the argument

Membership inference attacks used as an evaluation tool to measure privacy leakage in generative models trained on trajectory datasets.

If this is right

  • Privacy evaluation using attacks should be included when developing generative trajectory models.
  • Synthetic data from these models may still pose risks to individual privacy in mobility analysis.
  • The generative nature alone is not sufficient to eliminate privacy concerns in trajectory generation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar privacy evaluation approaches could be tested on generative models for other types of sensitive sequential data.
  • Integrating privacy-preserving techniques like differential privacy with these generative models might address the identified risks.
  • Urban planners relying on synthetic trajectories should verify privacy guarantees beyond the generation method itself.

Load-bearing premise

Standard membership inference attacks work effectively on trajectory data without special adjustments for its spatial and temporal characteristics.

What would settle it

A demonstration that membership inference attacks fail to outperform random guessing on these generative trajectory models would disprove the existence of privacy leakage.

read the original abstract

Trajectory data is fundamental to modern urban intelligence, yet its sensitivity raises significant privacy concerns. Generative models such as Generative Adversarial Networks, Variational Autoencoders, and Diffusion Models have been developed to generate realistic synthetic trajectory data by capturing underlying spatiotemporal distributions and mobility patterns. Although these models are often assumed to preserve privacy due to their generative nature, this assumption does not necessarily hold. In this work, we investigate the intersection of generative trajectory modeling and privacy evaluation. By identifying applicable empirical methods for assessing privacy preservation in trajectory generation tasks, we demonstrate a significant gap in the evaluation of privacy for generative trajectory models. Motivated by this gap, we implement Membership Inference Attacks against representative models, demonstrating the feasibility of using such empirical privacy evaluation methods and showing that their generative nature does not eliminate privacy risks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that generative models (GANs, VAEs, Diffusion Models) for synthetic trajectory data are often assumed to preserve privacy due to their generative nature, but this assumption does not hold. It identifies a gap in privacy evaluation methods for trajectory generation tasks and demonstrates the feasibility of Membership Inference Attacks (MIA) on representative models, concluding that generative modeling does not eliminate privacy risks.

Significance. If the reported MIA results hold after controlling for confounding factors, the work would be significant for challenging privacy assumptions in mobility data synthesis and for motivating empirical privacy audits in urban intelligence applications. It could help shift evaluation practices away from reliance on generative properties alone.

major comments (2)
  1. [Abstract] Abstract: The central claim of successful attacks and a demonstrated gap rests on feasibility of MIA, yet the abstract supplies no methodological details, quantitative results, baselines, or error analysis. This leaves the data unable to verify support for the claim that generative nature does not eliminate privacy risks.
  2. [Experimental section] Experimental section: The reported MIA success may reflect memorization, limited model capacity, small training sets, or trajectory-specific spatiotemporal autocorrelation rather than properties of the generative modeling process itself. Without ablations (e.g., comparison to non-generative baselines, shuffled-data controls, or capacity-matched models), the result does not establish a general privacy leakage risk across generative trajectory approaches.
minor comments (2)
  1. [Methodology] Clarify the exact MIA implementation details, including attack model architecture, training procedure, and success metrics (e.g., precision-recall or AUC), to allow reproducibility.
  2. [Introduction] Add explicit definitions or references for the 'representative models' chosen and the trajectory datasets used, including any preprocessing steps that might introduce correlations.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment below and have revised the paper to strengthen the presentation of our results and controls.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The central claim of successful attacks and a demonstrated gap rests on feasibility of MIA, yet the abstract supplies no methodological details, quantitative results, baselines, or error analysis. This leaves the data unable to verify support for the claim that generative nature does not eliminate privacy risks.

    Authors: We agree that the abstract would be strengthened by including key quantitative results and methodological highlights. In the revised version we have updated the abstract to report representative MIA success rates (with standard deviations), the specific attack methodology employed, and the main baseline comparisons used in the experiments. revision: yes

  2. Referee: [Experimental section] Experimental section: The reported MIA success may reflect memorization, limited model capacity, small training sets, or trajectory-specific spatiotemporal autocorrelation rather than properties of the generative modeling process itself. Without ablations (e.g., comparison to non-generative baselines, shuffled-data controls, or capacity-matched models), the result does not establish a general privacy leakage risk across generative trajectory approaches.

    Authors: The referee correctly notes that additional controls are needed to isolate effects of the generative process. While our original experiments already used standard-capacity models and realistic dataset sizes drawn from the literature, we acknowledge the value of explicit ablations. The revised manuscript now includes (i) comparisons against non-generative baselines, (ii) shuffled-trajectory controls to assess autocorrelation, and (iii) capacity-matched model variants. These additions support that the observed leakage is not solely attributable to the factors listed. revision: yes

Circularity Check

0 steps flagged

No significant circularity in empirical MIA evaluation of trajectory generators

full rationale

The paper conducts an empirical study by applying standard Membership Inference Attacks to representative generative models (GANs, VAEs, Diffusion) for trajectory data. The central claim—that generative nature does not eliminate privacy risks—is supported directly by reported attack success rates on chosen models rather than by any derivation, equation, or self-referential construction. No load-bearing steps reduce to fitted parameters, self-citations, or ansatzes; the work identifies a gap in prior evaluation and fills it with experiments. This is a self-contained empirical demonstration against external benchmarks with no circular reduction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no identifiable free parameters, axioms, or invented entities; the work rests on the applicability of empirical privacy methods to this domain.

pith-pipeline@v0.9.0 · 5686 in / 1090 out tokens · 73084 ms · 2026-05-19T16:17:43.836005+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

48 extracted references · 48 canonical work pages · 3 internal anchors

  1. [1]

    Unique in the crowd: The privacy bounds of human mobility,

    Y .-A. De Montjoye, C. A. Hidalgo, M. Verleysen, and V . D. Blondel, “Unique in the crowd: The privacy bounds of human mobility,”Scientific reports, vol. 3, no. 1, p. 1376, 2013

    work page 2013

  2. [2]

    Trajectory generation: a survey on methods and techniques,

    X. Chen, C. Huang, C. Wang, and L. Chen, “Trajectory generation: a survey on methods and techniques,”GeoInformatica, vol. 29, no. 3, pp. 351–376, 2025

    work page 2025

  3. [3]

    The secret sharer: Evaluating and testing unintended memorization in neural net- works,

    N. Carlini, C. Liu, Ú. Erlingsson, J. Kos, and D. Song, “The secret sharer: Evaluating and testing unintended memorization in neural net- works,” in28th USENIX security symposium (USENIX security 19), 2019, pp. 267–284

    work page 2019

  4. [4]

    Sok: Can trajectory generation combine privacy and utility?

    E. Buchholz, A. Abuadbba, S. Wang, S. Nepal, and S. S. Kanhere, “Sok: Can trajectory generation combine privacy and utility?”arXiv preprint arXiv:2403.07218, 2024

    work page arXiv 2024

  5. [5]

    Mobility trajectory generation: a survey,

    X. Kong, Q. Chen, M. Hou, H. Wang, and F. Xia, “Mobility trajectory generation: a survey,”Artificial Intelligence Review, vol. 56, no. Suppl 3, pp. 3057–3098, 2023

    work page 2023

  6. [6]

    Auto-Encoding Variational Bayes

    D. P. Kingma and M. Welling, “Auto-encoding variational bayes,”arXiv preprint arXiv:1312.6114, 2013

    work page internal anchor Pith review Pith/arXiv arXiv 2013

  7. [7]

    Generative adversarial networks,

    I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y . Bengio, “Generative adversarial networks,” Communications of the ACM, vol. 63, no. 11, pp. 139–144, 2020

    work page 2020

  8. [8]

    Deep unsupervised learning using nonequilibrium thermodynamics,

    J. Sohl-Dickstein, E. Weiss, N. Maheswaranathan, and S. Ganguli, “Deep unsupervised learning using nonequilibrium thermodynamics,” in International conference on machine learning. pmlr, 2015, pp. 2256– 2265

    work page 2015

  9. [9]

    Denoising diffusion probabilistic models,

    J. Ho, A. Jain, and P. Abbeel, “Denoising diffusion probabilistic models,” Advances in neural information processing systems, vol. 33, pp. 6840– 6851, 2020

    work page 2020

  10. [10]

    Score-Based Generative Modeling through Stochastic Differential Equations

    Y . Song, J. Sohl-Dickstein, D. P. Kingma, A. Kumar, S. Ermon, and B. Poole, “Score-based generative modeling through stochastic differ- ential equations,”arXiv preprint arXiv:2011.13456, 2020

    work page internal anchor Pith review Pith/arXiv arXiv 2011

  11. [11]

    Denoising Diffusion Implicit Models

    J. Song, C. Meng, and S. Ermon, “Denoising diffusion implicit models,” arXiv preprint arXiv:2010.02502, 2020

    work page internal anchor Pith review Pith/arXiv arXiv 2010

  12. [12]

    A survey and experimental study on privacy-preserving trajectory data publishing,

    F. Jin, W. Hua, M. Francia, P. Chao, M. E. Orlowska, and X. Zhou, “A survey and experimental study on privacy-preserving trajectory data publishing,”IEEE Transactions on Knowledge and Data Engineering, vol. 35, no. 6, pp. 5577–5596, 2022

    work page 2022

  13. [13]

    An overview of proposals towards the privacy-preserving publication of trajectory data: À. miranda-pascual et al

    À. Miranda-Pascual, P. Guerra-Balboa, J. Parra-Arnau, J. Forné, and T. Strufe, “An overview of proposals towards the privacy-preserving publication of trajectory data: À. miranda-pascual et al.”International journal of information security, pp. 1–37, 2024

    work page 2024

  14. [14]

    A survey of privacy attacks in machine learning,

    M. Rigaki and S. Garcia, “A survey of privacy attacks in machine learning,”ACM Computing Surveys, vol. 56, no. 4, pp. 1–34, 2023

    work page 2023

  15. [15]

    Membership inference attacks against machine learning models,

    R. Shokri, M. Stronati, C. Song, and V . Shmatikov, “Membership inference attacks against machine learning models,” in2017 IEEE symposium on security and privacy (SP). IEEE, 2017, pp. 3–18

    work page 2017

  16. [16]

    Privacy in pharmacogenetics: An{End-to-End}case study of person- alized warfarin dosing,

    M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart, “Privacy in pharmacogenetics: An{End-to-End}case study of person- alized warfarin dosing,” in23rd USENIX security symposium (USENIX Security 14), 2014, pp. 17–32

    work page 2014

  17. [17]

    Model inversion attacks that exploit confidence information and basic countermeasures,

    M. Fredrikson, S. Jha, and T. Ristenpart, “Model inversion attacks that exploit confidence information and basic countermeasures,” in Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, 2015, pp. 1322–1333

    work page 2015

  18. [18]

    Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers,

    G. Ateniese, L. V . Mancini, A. Spognardi, A. Villani, D. Vitali, and G. Felici, “Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers,”International Jour- nal of Security and Networks, vol. 10, no. 3, pp. 137–150, 2015

    work page 2015

  19. [19]

    Stealing machine learning models via prediction{APIs},

    F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing machine learning models via prediction{APIs},” in25th USENIX security symposium (USENIX Security 16), 2016, pp. 601–618

    work page 2016

  20. [20]

    Calibrating noise to sensitivity in private data analysis,

    C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibrating noise to sensitivity in private data analysis,” inTheory of cryptography conference. Springer, 2006, pp. 265–284

    work page 2006

  21. [21]

    The algorithmic foundations of differential privacy,

    C. Dwork and A. Roth, “The algorithmic foundations of differential privacy,”Foundations and trends® in theoretical computer science, vol. 9, no. 3-4, pp. 211–487, 2014

    work page 2014

  22. [22]

    Deep learning with differential privacy,

    M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang, “Deep learning with differential privacy,” in Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, 2016, pp. 308–318

    work page 2016

  23. [23]

    How to dp- fy ml: A practical guide to machine learning with differential privacy,

    N. Ponomareva, H. Hazimeh, A. Kurakin, Z. Xu, C. Denison, H. B. McMahan, S. Vassilvitskii, S. Chien, and A. G. Thakurta, “How to dp- fy ml: A practical guide to machine learning with differential privacy,” Journal of Artificial Intelligence Research, vol. 77, pp. 1113–1201, 2023

    work page 2023

  24. [24]

    Sok: Differentially private publication of trajectory data,

    À. Miranda-Pascual, P. Guerra-Balboa, J. Parra-Arnau, J. Forné, and T. Strufe, “Sok: Differentially private publication of trajectory data,” Proceedings on privacy enhancing technologies, 2023

    work page 2023

  25. [25]

    Re- construction attack on differential private trajectory protection mecha- nisms,

    E. Buchholz, A. Abuadbba, S. Wang, S. Nepal, and S. S. Kanhere, “Re- construction attack on differential private trajectory protection mecha- nisms,” inProceedings of the 38th annual computer security applications conference, 2022, pp. 279–292

    work page 2022

  26. [26]

    Publishing trajectories with differential privacy guarantees,

    K. Jiang, D. Shao, S. Bressan, T. Kister, and K.-L. Tan, “Publishing trajectories with differential privacy guarantees,” inProceedings of the 25th International conference on scientific and statistical database management, 2013, pp. 1–12

    work page 2013

  27. [27]

    Deep learning-based privacy-preserving framework for synthetic trajectory generation,

    J. W. Kim and B. Jang, “Deep learning-based privacy-preserving framework for synthetic trajectory generation,”Journal of Network and Computer Applications, vol. 206, p. 103459, 2022

    work page 2022

  28. [28]

    Geo-indistinguishability: Differential privacy for location-based sys- tems,

    M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi, “Geo-indistinguishability: Differential privacy for location-based sys- tems,” inProceedings of the 2013 ACM SIGSAC conference on Com- puter & communications security, 2013, pp. 901–914

    work page 2013

  29. [29]

    Identifying human mobility via trajectory embeddings

    Q. Gao, F. Zhou, K. Zhang, G. Trajcevski, X. Luo, and F. Zhang, “Identifying human mobility via trajectory embeddings.” inIjcai, vol. 17, 2017, pp. 1689–1695

    work page 2017

  30. [30]

    Trajectory-based spatiotemporal entity linking,

    F. Jin, W. Hua, T. Zhou, J. Xu, M. Francia, M. E. Orlowska, and X. Zhou, “Trajectory-based spatiotemporal entity linking,”IEEE Transactions on Knowledge and Data Engineering, vol. 34, no. 9, pp. 4499–4513, 2020

    work page 2020

  31. [31]

    Structured sparsity model based trajectory tracking using private location data release,

    M. Shao, J. Li, Q. Yan, F. Chen, H. Huang, and X. Chen, “Structured sparsity model based trajectory tracking using private location data release,”IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 6, pp. 2983–2995, 2020

    work page 2020

  32. [32]

    Quantifying location privacy,

    R. Shokri, G. Theodorakopoulos, J.-Y . Le Boudec, and J.-P. Hubaux, “Quantifying location privacy,” in2011 IEEE symposium on security and privacy. IEEE, 2011, pp. 247–262

    work page 2011

  33. [33]

    Dp-ltgan: Differentially private trajectory publishing via locally-aware transformer- based gan,

    R. Zhang, W. Ni, N. Fu, L. Hou, D. Zhang, and Y . Zhang, “Dp-ltgan: Differentially private trajectory publishing via locally-aware transformer- based gan,”Future Generation Computer Systems, vol. 166, p. 107686, 2025

    work page 2025

  34. [34]

    T. M. Cover,Elements of information theory. John Wiley & Sons, 1999

    work page 1999

  35. [35]

    Lstm-trajgan: A deep learning approach to trajectory privacy protection,

    J. Rao, S. Gao, Y . Kang, and Q. Huang, “Lstm-trajgan: A deep learning approach to trajectory privacy protection,”arXiv preprint arXiv:2006.10521, 2020

    work page arXiv 2006

  36. [36]

    Lgan-dp: A novel differential private publication mechanism of trajectory data,

    Z. Zhang, X. Xu, and F. Xiao, “Lgan-dp: A novel differential private publication mechanism of trajectory data,”Future Generation Computer Systems, vol. 141, pp. 692–703, 2023

    work page 2023

  37. [37]

    Dp-trajgan: A privacy-aware trajectory generation model with differential privacy,

    J. Zhang, Q. Huang, Y . Huang, Q. Ding, and P.-W. Tsai, “Dp-trajgan: A privacy-aware trajectory generation model with differential privacy,” Future Generation Computer Systems, vol. 142, pp. 25–40, 2023

    work page 2023

  38. [38]

    Learning to simulate human mobility,

    J. Feng, Z. Yang, F. Xu, H. Yu, M. Wang, and Y . Li, “Learning to simulate human mobility,” inProceedings of the 26th ACM SIGKDD international conference on knowledge discovery & data mining, 2020, pp. 3426–3433

    work page 2020

  39. [39]

    Difftraj: Generating gps trajectory with diffusion probabilistic model,

    Y . Zhu, Y . Ye, S. Zhang, X. Zhao, and J. Yu, “Difftraj: Generating gps trajectory with diffusion probabilistic model,”Advances in Neural Information Processing Systems, vol. 36, pp. 65 168–65 188, 2023

    work page 2023

  40. [40]

    Diff-rntraj: A structure-aware diffusion model for road network- constrained trajectory generation,

    T. Wei, Y . Lin, S. Guo, Y . Lin, Y . Huang, C. Xiang, Y . Bai, and H. Wan, “Diff-rntraj: A structure-aware diffusion model for road network- constrained trajectory generation,”IEEE Transactions on Knowledge and Data Engineering, vol. 36, no. 12, pp. 7940–7953, 2024

    work page 2024

  41. [41]

    Gan-leaks: A taxonomy of membership inference attacks against generative models,

    D. Chen, N. Yu, Y . Zhang, and M. Fritz, “Gan-leaks: A taxonomy of membership inference attacks against generative models,” inPro- ceedings of the 2020 ACM SIGSAC conference on computer and communications security, 2020, pp. 343–362

    work page 2020

  42. [42]

    Membership inference attacks from first principles,

    N. Carlini, S. Chien, M. Nasr, S. Song, A. Terzis, and F. Tramer, “Membership inference attacks from first principles,” in2022 IEEE symposium on security and privacy (SP). IEEE, 2022, pp. 1897–1914

    work page 2022

  43. [43]

    Privacy risk in machine learning: Analyzing the connection to overfitting,

    S. Yeom, I. Giacomelli, M. Fredrikson, and S. Jha, “Privacy risk in machine learning: Analyzing the connection to overfitting,” in2018 IEEE 31st computer security foundations symposium (CSF). IEEE, 2018, pp. 268–282

    work page 2018

  44. [44]

    Membership inference attacks against diffusion models,

    T. Matsumoto, T. Miura, and N. Yanai, “Membership inference attacks against diffusion models,” in2023 IEEE Security and Privacy Workshops (SPW). IEEE, 2023, pp. 77–83

    work page 2023

  45. [45]

    Membership inference of diffusion models,

    H. Hu and J. Pang, “Membership inference of diffusion models,”arXiv preprint arXiv:2301.09956, 2023

    work page arXiv 2023

  46. [46]

    Modeling user activity preference by leveraging user spatial temporal characteristics in lbsns,

    D. Yang, D. Zhang, V . W. Zheng, and Z. Yu, “Modeling user activity preference by leveraging user spatial temporal characteristics in lbsns,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 1, pp. 129–142, 2014

    work page 2014

  47. [47]

    Marc: a robust method for multiple-aspect trajectory classification via space, time, and semantic embeddings,

    L. May Petry, C. Leite Da Silva, A. Esuli, C. Renso, and V . Bogorny, “Marc: a robust method for multiple-aspect trajectory classification via space, time, and semantic embeddings,”International Journal of Geographical Information Science, vol. 34, no. 7, pp. 1428–1450, 2020

    work page 2020

  48. [48]

    Geolife: A collaborative social networking service among user, location and trajectory

    Y . Zheng, X. Xie, W.-Y . Maet al., “Geolife: A collaborative social networking service among user, location and trajectory.”IEEE Data Eng. Bull., vol. 33, no. 2, pp. 32–39, 2010

    work page 2010