pith. sign in

arxiv: 2605.26351 · v1 · pith:FXRJRDCWnew · submitted 2026-05-25 · 💻 cs.CR

Context-Aware Metric Differential Privacy for Vehicle Trajectory Data

Pith reviewed 2026-06-29 21:05 UTC · model grok-4.3

classification 💻 cs.CR
keywords metric differential privacycontext-aware privacyvehicle trajectorylocation privacylinear programmingmobility datadifferential privacy
0
0 comments X

The pith

C-mDP achieves higher utility than standard mDP for vehicle trajectories under identical privacy budgets.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Context-aware Metric Differential Privacy (C-mDP) for vehicle location data. It augments each secret with contextual variables such as recent mobility history, then enforces metric indistinguishability over the combined domain while optimizing a linear program that minimizes expected utility loss. Conditional independence between the current location and the context variables yields a reduced program with far fewer variables and constraints. On real vehicle mobility traces the resulting mechanisms release data with measurably higher utility than isolated mDP baselines while meeting the stated privacy bounds. A reader cares because many trajectory-based services lose value when independent perturbation destroys temporal correlations.

Core claim

C-mDP treats the protected secret as a context-augmented record and enforces metric indistinguishability over this augmented domain. Optimal mechanisms are obtained by solving a linear program that minimizes expected utility loss subject to the C-mDP constraints; the program is reduced by exploiting conditional independence between the current location and the contextual variables. On real-world vehicle mobility datasets the resulting mechanisms deliver higher utility than standard mDP baselines at the same privacy budget.

What carries the argument

The context-augmented record together with the reduced linear program that minimizes expected utility loss subject to C-mDP constraints.

If this is right

  • Trajectory services obtain more accurate released data at any fixed privacy budget.
  • The reduced linear program remains tractable for histories of moderate length.
  • Privacy guarantees apply jointly to location and its contextual variables.
  • The same formulation applies to any data whose utility depends on temporal correlations.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could be tested on synthetic trajectories that deliberately violate the independence assumption to measure the price of the reduction.
  • Released traces that preserve context correlations may improve accuracy of downstream tasks such as destination prediction.
  • The framework may transfer to other sequential data domains where context affects both utility and privacy, such as user session logs.

Load-bearing premise

The conditional-independence structure between the current location and contextual variables can be exploited to derive a reduced linear program without weakening the privacy guarantee.

What would settle it

An explicit pair of context-augmented records whose output distributions violate the metric privacy bound, or an evaluation on the paper's datasets in which C-mDP shows no utility gain over standard mDP.

Figures

Figures reproduced from arXiv: 2605.26351 by Chenxi Qiu, Gaoyi Chen, Yan Huang.

Figure 1
Figure 1. Figure 1: Example: Different context information could cause [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Markov blanket identification framework. [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Heatmap of 𝑝-values returned by the null hypothesis H0 across different regions in Rome, Italy. (a) |𝐵𝑋𝑡 | = 1 and 𝑚 = 1 (b) |𝐵𝑋𝑡 | = 2 and 𝑚 = 2 (c) |𝐵𝑋𝑡 | = 3 and 𝑚 = 3 (d) |𝐵𝑋𝑡 | = 4 and 𝑚 = 4 (e) |𝐵𝑋𝑡 | = 5 and 𝑚 = 5 [PITH_FULL_IMAGE:figures/full_fig_p009_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Heatmap of 𝑝-values returned by the null hypothesis H0 across different regions in Porto, Portugal. 0 25 50 75 100 125 150 175 Speed (mile/hour) 0 0.2 0.4 0.6 0.8 1 p-value |BXt| =1 |BXt| =2 |BXt| =3 |BXt| =4 |BXt| =5 0.05 (a) Rome, Italy 0 25 50 75 100 125 150 175 Speed (mile/hour) 0 0.2 0.4 0.6 0.8 1 p-value |BXt| =1 |BXt| =2 |BXt| =3 |BXt| =4 |BXt| =5 0.05 (b) Porto, Portugal [PITH_FULL_IMAGE:figures/f… view at source ↗
Figure 5
Figure 5. Figure 5: Relationship between speeds and 𝑝-values. 𝑝-values are returned by the null hypothesis H0 given differ￾ent speed ranges. notable, indicating that the models are adept at identifying nearly all relevant positive instances, reducing the risk of missed detections. Additionally, we calculate the negative precision, negative recall, and negative F1 score by treating “reject” as a “negative instance”. These metr… view at source ↗
Figure 6
Figure 6. Figure 6: Relationship between time and 𝑝-values in Rome, Italy (returned by testing H0 in different intervals). 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Time 0 0.2 0.4 0.6 0.8 1 p-value threshold = 0.05 (a) |𝐵𝑋𝑡 | = 1 and 𝑚 = 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Time 0 0.2 0.4 0.6 0.8 1 p-value threshold = 0.05 (b) |𝐵𝑋𝑡 | = 2 and 𝑚 = 2 1 2 3 4 5 6 7 8 9 10 11 12 13 … view at source ↗
Figure 7
Figure 7. Figure 7: Relationship between time and 𝑝-values in Porto, Portugal (returned by testing H0 in different intervals). 0 2 4 6 8 10 12 Prediction time (sec) 10-3 100 101 102 103 Frequency Rome Porto [PITH_FULL_IMAGE:figures/full_fig_p010_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Markov blanket pre￾diction time distribution. 1 2 3 Markov blanket size 100 101 102 103 Frequency Rome Porto [PITH_FULL_IMAGE:figures/full_fig_p010_8.png] view at source ↗
Figure 11
Figure 11. Figure 11: Computation time of data perturbation. (with the largest gaps observed in Porto under moderate-to-large 𝜖). Moreover, LP+C-mDP performs very close to LP+TrueMB, typically within 1%–2%, indicating that the C-mDP formulation effectively approximates the full Markov blanket dependency structure. In contrast, LP+Markov consistently incurs about 3%–8% higher utility loss than LP+C-mDP, reflecting the limitatio… view at source ↗
Figure 12
Figure 12. Figure 12: PDF of neighbor distance. (a) Rome (b) Porto [PITH_FULL_IMAGE:figures/full_fig_p016_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: Ratio of points with count≥threshold vs. Neighbor counts (radius=100m). (a) Rome (b) Porto [PITH_FULL_IMAGE:figures/full_fig_p016_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: Distribution of per-point mean-50NN distance. [PITH_FULL_IMAGE:figures/full_fig_p016_14.png] view at source ↗
read the original abstract

Metric Differential Privacy (mDP) generalizes differential privacy by allowing privacy guarantees to be expressed with respect to an arbitrary distance metric over secrets. While mDP has been adopted in geo-location protection, most existing mechanisms perturb each location record in isolation and do not model how contextual information (e.g., recent mobility history) affects the utility of the released data. This mismatch is particularly pronounced for vehicle mobility traces, where service quality often depends on temporally correlated locations. In this paper, we propose Context-aware mDP (C-mDP), a framework for vehicle location privacy that incorporates contextual dependencies into both the utility model and the privacy notion. C-mDP treats the protected secret as a context-augmented record and enforces metric indistinguishability over this augmented domain. We formulate optimal C-mDP mechanism design as a linear program (LP) that minimizes expected utility loss subject to C-mDP constraints. To improve scalability, we exploit conditional-independence structure between the current location and contextual variables to derive a reduced formulation with substantially fewer decision variables and constraints. We evaluate C-mDP on real-world vehicle mobility datasets and compare it with standard mDP baselines. The results show that C-mDP consistently achieves higher utility under the same privacy budget while satisfying the required metric privacy guarantees.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper proposes Context-aware Metric Differential Privacy (C-mDP) for vehicle trajectory data. It treats the secret as a context-augmented record, enforces metric indistinguishability over this domain, and formulates optimal mechanism design as an LP minimizing expected utility loss subject to the C-mDP constraints. Conditional independence between current location and context is exploited to obtain a reduced LP with substantially fewer variables and constraints. Evaluation on real-world mobility datasets is claimed to show that C-mDP achieves higher utility than standard mDP baselines under the same privacy budget while satisfying the guarantees.

Significance. If the reduction is shown to preserve the full privacy constraints, the framework could meaningfully improve the utility-privacy tradeoff for temporally correlated location data in mobility applications. The LP-based optimal mechanism design is a standard technique, but the explicit incorporation of context into both utility and privacy is a targeted extension for trajectory protection.

major comments (1)
  1. [LP formulation and reduction (abstract and the section presenting the reduced program)] The abstract states that the conditional-independence reduction yields a formulation with substantially fewer decision variables and constraints while still satisfying the required metric privacy guarantees, but supplies no argument, lemma, or verification that every pairwise C-mDP constraint over the full (location, context) space is either retained or implied by the reduced program. If any original constraint is dropped or relaxed, the output mechanism can violate C-mDP for some pairs even while satisfying the reduced LP.
minor comments (1)
  1. [Evaluation section] Dataset details (number of traces, sampling rates, metric definitions) and quantitative results (utility values, error bars, statistical significance) are referenced in the abstract but not supplied in the provided text, making it impossible to assess the claimed utility gains.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful and constructive review. The single major comment identifies a missing explicit justification for the conditional-independence reduction; we address it directly below and will revise the manuscript accordingly.

read point-by-point responses
  1. Referee: [LP formulation and reduction (abstract and the section presenting the reduced program)] The abstract states that the conditional-independence reduction yields a formulation with substantially fewer decision variables and constraints while still satisfying the required metric privacy guarantees, but supplies no argument, lemma, or verification that every pairwise C-mDP constraint over the full (location, context) space is either retained or implied by the reduced program. If any original constraint is dropped or relaxed, the output mechanism can violate C-mDP for some pairs even while satisfying the reduced LP.

    Authors: We agree that the current manuscript does not supply a self-contained lemma or verification step showing that every pairwise C-mDP constraint is retained or implied by the reduced program. In the revised version we will insert, immediately after the derivation of the reduced LP, a formal lemma stating that, under the stated conditional independence between the current location and the contextual variables, any feasible solution to the reduced program satisfies the full set of metric-indistinguishability constraints over the augmented (location, context) domain. The lemma will include a short proof that the original constraints factorize and that the omitted constraints are redundant once the independence structure is used; we will also add a brief verification paragraph confirming that the reduction does not relax any required pairwise distance bound. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper presents C-mDP as an LP that minimizes expected utility loss subject to metric indistinguishability constraints over a context-augmented domain, then applies a conditional-independence reduction to obtain a smaller program. This is standard LP machinery for mechanism design and does not reduce any claimed utility gain to a fitted input, self-definition, or self-citation chain. No equations are shown that equate a prediction to its own inputs by construction, and the abstract's description of the reduction does not invoke prior self-citations as load-bearing uniqueness theorems. The derivation remains self-contained against external benchmarks such as standard mDP baselines.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review supplies no explicit free parameters, axioms, or invented entities; the framework is described at the level of a new LP formulation whose internal assumptions remain unstated.

pith-pipeline@v0.9.1-grok · 5752 in / 1124 out tokens · 35308 ms · 2026-06-29T21:05:51.554334+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

47 extracted references · 16 canonical work pages

  1. [1]

    Taxi Service Trajectory - Prediction Challenge, ECML PKDD 2015 Data Set

    2019. Taxi Service Trajectory - Prediction Challenge, ECML PKDD 2015 Data Set. https://archive.ics.uci.edu/ml/datasets/Taxi+Service+Trajectory+- +Prediction+Challenge,+ECML+PKDD+2015. Accessed: 2019-07-22

  2. [2]

    openstreetmap

    2020. openstreetmap. https://www.openstreetmap.org/. Accessed: 2020-04-07

  3. [3]

    2024. PyTorch. https://pytorch.org/. Accessed in January 2024

  4. [4]

    M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi. 2013. Geo-indistinguishability: Differential Privacy for Location-based Systems. In Proc. of ACM CCS. 901–914

  5. [5]

    Qasim Ali Arain, Imran Memon, Zhongliang Deng, Muhammad Hammad Memon, Farman Ali Mangi, and Asma Zubedi. 2018. Location Monitoring Approach: Multiple Mix-Zones with Location Privacy Protection Based on Traffic Flow over Road Networks.Multimedia Tools Appl.77, 5 (mar 2018), 5563–5607

  6. [6]

    2019.Conditional Independence Testing Using Generative Adversarial Networks

    Alexis Bellot and Mihaela van der Schaar. 2019.Conditional Independence Testing Using Generative Adversarial Networks. Curran Associates Inc., Red Hook, NY, USA

  7. [7]

    2015.Algorithms: Design and Analysis

    Harsh Bhasin. 2015.Algorithms: Design and Analysis. Oxford Univ Press

  8. [8]

    N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi. 2014. Optimal Geo- Indistinguishable Mechanisms for Location Privacy. InProc. of ACM CCS. 251– 262

  9. [9]

    Lorenzo Bracciale, Marco Bonola, Pierpaolo Loreti, Giuseppe Bianchi, Raul Amici, and Antonello Rabuffi. 2014. CRAWDAD dataset roma/taxi (v. 2014-07-17). Down- loaded from https://crawdad.org/roma/taxi/20140717. doi:10.15783/C7QC7M

  10. [10]

    Y. Cao, Y. Xiao, L. Xiong, and L. Bai. 2019. PriSTE: From Location Privacy to Spatiotemporal Event Privacy. InProc. of IEEE ICDE. 1606–1609

  11. [11]

    Yang Cao, Masatoshi Yoshikawa, Yonghui Xiao, and Li Xiong. 2017. Quantifying Differential Privacy under Temporal Correlations. InProc. of 2017 IEEE 33rd International Conference on Data Engineering (ICDE). 821–832. doi:10.1109/ICDE. 2017.132

  12. [12]

    Ricardo Silva Carvalho, Theodore Vasiloudis, and Oluwaseyi Feyisetan. 2021. TEM: High Utility Metric Differential Privacy on Text.ArXivabs/2107.07928 (2021). https://api.semanticscholar.org/CorpusID:236034456

  13. [13]

    Andrés, Nicolás Emilio Bordenabe, and Catuscia Palamidessi

    Konstantinos Chatzikokolakis, Miguel E. Andrés, Nicolás Emilio Bordenabe, and Catuscia Palamidessi. 2013. Broadening the Scope of Differential Privacy Using Metrics. InProc. of Privacy Enhancing Technologies, Emiliano De Cristofaro and Matthew Wright (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 82–102

  14. [14]

    J. Chen, H. Ma, D. Zhao, and L. Liu. 2021. Correlated Differential Privacy Pro- tection for Mobile Crowdsensing.IEEE Transactions on Big Data7, 04 (oct 2021), 784–795. doi:10.1109/TBDATA.2017.2777862

  15. [15]

    Fung, Philip S

    Rui Chen, Benjamin C. Fung, Philip S. Yu, and Bipin C. Desai. 2014. Correlated Network Data Publication via Differential Privacy.The VLDB Journal23, 4 (aug 2014), 653–676. doi:10.1007/s00778-013-0344-8

  16. [16]

    Cynthia Dwork. 2006. Differential Privacy. InProc. of Automata, Languages and Programming, Michele Bugliesi, Bart Preneel, Vladimiro Sassone, and Ingo Wegener (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 1–12

  17. [17]

    Emrich, H

    T. Emrich, H. Kriegel, N. Mamoulis, M. Renz, and A. Zufle. 2012. Querying Uncertain Spatio-Temporal Data. InProc. of IEEE ICDE. 354–365

  18. [18]

    Fawaz and K

    K. Fawaz and K. G. Shin. 2014. Location Privacy Protection for Smartphone Users. InProc. of ACM CCS(Scottsdale, Arizona, USA). ACM, New York, NY, USA, 239–250. doi:10.1145/2660267.2660270

  19. [19]

    InProceedings of the 16th International Conference on Mining Software Repositories (MSR)

    O. Feyisetan, T. Diethe, and T. Drake. 2019. Leveraging Hierarchical Represen- tations for Preserving Privacy and Utility in Text. In2019 IEEE International Conference on Data Mining (ICDM). IEEE Computer Society, Los Alamitos, CA, USA, 210–219. doi:10.1109/ICDM.2019.00031

  20. [20]

    Xi He, Ashwin Machanavajjhala, and Bolin Ding. 2014. Blowfish Privacy: Tuning Privacy-Utility Trade-Offs Using Policies. InProc. of the 2014 ACM SIGMOD International Conference on Management of Data(Snowbird, Utah, USA)(SIGMOD ’14). Association for Computing Machinery, New York, NY, USA, 1447–1458. doi:10.1145/2588555.2588581

  21. [21]

    Jacob Imola, Shiva Kasiviswanathan, Stephen White, Abhinav Aggarwal, and Nathanael Teissier. 2022. Balancing utility and scalability in metric differential pri- vacy. InProc. of UAI 2022. https://www.amazon.science/publications/balancing- utility-and-scalability-in-metric-differential-privacy

  22. [22]

    Leahy, and Matthew T

    Austin Jones, Kevin J. Leahy, and Matthew T. Hale. 2018. Towards Differential Privacy for Symbolic Systems.2019 American Control Conference (ACC)(2018), 372–377. https://api.semanticscholar.org/CorpusID:52811575

  23. [23]

    Daniel Kifer and Ashwin Machanavajjhala. 2012. A Rigorous and Customizable Framework for Privacy. InProc. of the 31st ACM SIGMOD-SIGACT-SIGAI Sym- posium on Principles of Database Systems(Scottsdale, Arizona, USA)(PODS ’12). Association for Computing Machinery, New York, NY, USA, 77–88. doi:10.1145/ 2213556.2213571

  24. [24]

    Q. Li, Y. Zheng, X. Xie, Y. Chen, W. Liu, and W. Ma. 2008. Mining User Similarity Based on Location History. InProc. of SIGSPATIAL. Article 34, 10 pages

  25. [25]

    W. Li, H. Chen, W. Ku, and X. Qin. 2017. Scalable Spatiotemporal Crowdsourcing for Smart Cities Based on Particle Filtering. InProc. of ACM SIGSPATIAL

  26. [26]

    L. Liao, D. J. Patterson, D. Fox, and H. Kautz. 2007. Learning and inferring transportation routines.Artificial Intelligence171, 5 (2007), 311 – 331

  27. [27]

    Changchang Liu, Supriyo Chakraborty, and Prateek Mittal. 2016. Dependence Makes You Vulnberable: Differential Privacy Under Dependent Tuples. InProc. of Network and Distributed System Security Symposium

  28. [28]

    Ruiyao Liu and Chenxi Qiu. 2025. PAnDA: Rethinking Metric Differential Privacy Optimization at Scale with Anchor-Based Approximation. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security(Taipei, Taiwan)(CCS ’25). Association for Computing Machinery, New York, NY, USA, 1290–1304. doi:10.1145/3719027.3765042

  29. [29]

    Frank McSherry and Kunal Talwar. 2007. Mechanism Design via Differential Privacy. In48th Annual IEEE Symposium on Foundations of Computer Science (FOCS’07). 94–103. doi:10.1109/FOCS.2007.66

  30. [30]

    Pappachan, C

    P. Pappachan, C. Qiu, A. Squicciarini, and V. Manjunath. 2023. User Customizable and Robust Geo-Indistinguishability for Location Privacy. InProc. of International Conference on Extending Database Technology (EDBT)

  31. [31]

    Shaojie Qiao, Dayong Shen, Xiaoteng Wang, Nan Han, and William Zhu. 2015. A Self-Adaptive Parameter Selection Trajectory Prediction Approach via Hidden Markov Models.IEEE Transactions on Intelligent Transportation Systems16, 1 (2015), 284–296. doi:10.1109/TITS.2014.2331758

  32. [32]

    C. Qiu. 2024. Enhancing Scalability of Metric Differential Privacy via Secret Dataset Partitioning and Benders Decomposition. InProc. of 33rd International Joint Conference on Artificial Intelligence (IJCAI) 2024

  33. [33]

    Chenxi Qiu. 2026. Interpolation-Based Optimization for Enforcing lp- Norm Metric Differential Privacy in Continuous and Fine-Grained Domains. arXiv:2601.09946 [cs.LG] https://arxiv.org/abs/2601.09946

  34. [34]

    C. Qiu, A. C. Squicciarini, Z. Li, C. Pang, and L. Yan. 2020. Time-Efficient Geo- Obfuscation to Protect Worker Location Privacy over Road Networks in Spatial Crowdsourcing. InProc. of ACM CIKM 2024

  35. [35]

    C. Qiu, A. C. Squicciarini, C. Pang, N. Wang, and B. Wu. 2020. Location Privacy Protection in Vehicle-Based Spatial Crowdsourcing via Geo-Indistinguishability. IEEE Transactions on Mobile Computing(2020), 1–1. doi:10.1109/TMC.2020. 3037911

  36. [36]

    Qiu, S Yadav, Y

    C. Qiu, S Yadav, Y. Ji, A. Squicciarini, R. Dantu, J. Zhao, and C. Xu. 2024. Fine- Grained Geo-Obfuscation to Protect Workers’ Location Privacy in Time-Sensitive Spatial Crowdsourcing. InProc. of 27th International Conference on Extending Database Technology (EDBT)

  37. [37]

    C. Qiu, L. Yan, A. Squicciarini, J. Zhao, C. Xu, and P. Pappachan. 2022. Traffi- cAdaptor: An Adaptive Obfuscation Strategy for Vehicle Location Privacy Against Vehicle Traffic Flow Aware Attacks. InProc. of ACM SIGSPATIAL

  38. [38]

    Meyer Scetbon, Laurent Meunier, and Yaniv Romano. 2022. An Asymptotic Test for Conditional Independence using Analytic Kernel Embeddings. InProceedings of the 39th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 162), Kamalika Chaudhuri, Stefanie Jegelka, Le Song, Csaba Szepesvari, Gang Niu, and Sivan Sabato (E...

  39. [39]

    R. Sen, A. Suresh, K. Shanmugam, G. Alexandros Dimakis, and S. Shakkottai

  40. [40]

    InAdvances in Neural Information Processing Systems, Vol

    Model-Powered Conditional Independence Test. InAdvances in Neural Information Processing Systems, Vol. 30

  41. [41]

    Daniel W. Stroock. 2010.Probability Theory: An Analytic View(2nd ed.). Cam- bridge University Press

  42. [42]

    H. To, G. Ghinita, L. Fan, and C. Shahabi. 2017. Differentially Private Location Protection for Worker Datasets in Spatial Crowdsourcing.IEEE Transactions on Mobile Computing(2017), 934–949

  43. [43]

    Tsamardinos, Constantin F

    I. Tsamardinos, Constantin F. Aliferis, and Alexander R. Statnikov. 2003. Algo- rithms for Large Scale Markov Blanket Discovery. InThe Florida AI Research Society. https://api.semanticscholar.org/CorpusID:1930258

  44. [44]

    F. Xu, Z. Tu, Y. Li, P. Zhang, X. Fu, and D. Jin. 2017. Trajectory Recovery From Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data. InProc. of ACM WWW. 1241–1250

  45. [45]

    Bin Yang, Issei Sato, and Hiroshi Nakagawa. 2015. Bayesian Differential Privacy on Correlated Data. InProc. of the 2015 ACM SIGMOD International Conference on Management of Data(Melbourne, Victoria, Australia)(SIGMOD ’15). Association for Computing Machinery, New York, NY, USA, 747–762. doi:10.1145/2723372. 2747643

  46. [46]

    L. Yu, L. Liu, and C. Pu. 2017. Dynamic Differential Location Privacy with Personalized Error Bounds. InProc. of IEEE NDSS. Conference’17, July 2017, Washington, DC, USA Trovato et al

  47. [47]

    LP” [35] and (3) “ConstOPT

    Tianqing Zhu, Ping Xiong, Gang Li, and Wanlei Zhou. 2015. Correlated Differen- tial Privacy: Hiding Information in Non-IID Data Set.IEEE Transactions on Infor- mation Forensics and Security10, 2 (2015), 229–242. doi:10.1109/TIFS.2014.2368363 Appendix A Math Notations Table 3: Main notations and their descriptions. Symbol Description 𝑄Perturbation function...