pith. sign in

arxiv: 2606.27936 · v1 · pith:T2GHUNKBnew · submitted 2026-06-26 · 💻 cs.CR · cs.AI· stat.AP

Agentic AI-Powered Re-Identification: An Emerging, Scalable Threat to Mobility Microdata Privacy

Oscar Thees , Roman M\"uller , Matthias Templ This is my paper

Pith reviewed 2026-06-29 04:06 UTC · model grok-4.3

classification 💻 cs.CR cs.AIstat.AP
keywords re-identificationmobility microdataagentic AIlocation privacystatistical disclosure controlGDPRpublic records linkage
0
0 comments X

The pith

Agentic AI can re-identify 72 percent of individuals from mobility traces using only public web sources and no human intervention.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper demonstrates an automated pipeline in which large language model agents search open web sources, cross-reference public records and social media, and match raw coordinate sequences to candidate identities. This process succeeds on simulated location points anchored near true home and work addresses, achieving 72 percent success among the re-identifiable subset and 41.9 percent overall. A sympathetic reader would conclude that re-identification attacks, once limited by manual effort, have become scalable enough to treat as reasonably likely under current privacy standards such as GDPR Recital 26. The work therefore questions the continued reliance on de facto anonymity in statistical disclosure control for mobility microdata.

Core claim

From spatio-temporal data and public sources alone, our agentic AI successfully re-identified 18 of the 25 re-identifiable individuals (72%) and 18 of 43 cases overall (41.9%).

What carries the argument

An end-to-end pipeline in which large language model agents autonomously search the open web, cross-reference public records and social media, and resolve raw coordinate sequences to candidate identities without human intervention.

If this is right

  • Re-identification is reasonably likely by any means under the GDPR Recital-26 standard.
  • Statistical disclosure control practice must anticipate near-future escalation driven by autonomous AI systems.
  • De facto anonymity, an implicit foundation of SDC, is shifting.
  • Re-identification now occurs at costs measured in minutes and dollars per target.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the pipeline generalizes beyond mobility traces, similar autonomous attacks could target other forms of microdata held by data brokers.
  • Data custodians may need to adopt stronger location perturbation or suppression techniques than those calibrated for human analysts.
  • Regulators could treat current AI capabilities as the baseline when assessing whether anonymization meets legal standards.
  • Future evaluations could test whether adding synthetic noise to home and work anchors reduces success rates below 20 percent.

Load-bearing premise

The simulated location points anchored at and around true home and work addresses accurately represent the re-identification difficulty present in real commercial mobility microdata.

What would settle it

Running the same agentic pipeline on actual commercial mobility microdata collected by data brokers and obtaining substantially lower re-identification rates than 41.9 percent overall.

Figures

Figures reproduced from arXiv: 2606.27936 by Matthias Templ, Oscar Thees, Roman M\"uller.

Figure 1
Figure 1. Figure 1: The agentic re-identification pipeline: seven specialist agents (icons) connected by quality gates (barriers). The central orchestrator routes stage outputs, enforces gates, and maintains a running uncertainty ledger; the run halts whenever a gate’s criteria are not met. Agent and gate icons designed with the assistance of Claude Opus 4.7 (Anthropic, 2026) [PITH_FULL_IMAGE:figures/full_fig_p006_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Stage 1 grid-based mode finding on a simulated fictitious trace, illustrating the home cluster (left) and the work cluster (right). Grey grid lines mark the 0.001◦×0.001◦ cells the GPS-analyst agent rounds pings into (≈ 111 m × 76 m). The coarse cell with the most pings is highlighted (dashed blue); within it, the agent re-bins pings on a finer 0.0001◦ × 0.0001◦ grid (≈ 11 m × 7.6 m) and picks the densest … view at source ↗
read the original abstract

The widespread collection of fine-grained location data by commercial data brokers creates a re-identification risk that is not widely recognised by the public. While prior research has established that mobility traces are highly unique and that individuals can, in principle, be identified from a handful of spatio-temporal points, such attacks have historically required significant manual effort from skilled analysts, limiting their practical scale. In this feasibility study, we demonstrate in a real world setting that agentic AI fundamentally changes this threat model. We present an end-to-end pipeline in which large language model agents autonomously search the open web, cross-reference public records and social media, and resolve raw coordinate sequences to candidate identities - without human intervention. We evaluate the pipeline on a spatio-temporal dataset containing simulated location points anchored at and around true home and work addresses, focusing on a high-risk disclosure scenario. Our results demonstrate that, from spatio-temporal data and public sources alone, our agentic AI successfully re-identified 18 of the 25 re-identifiable individuals (72%) and 18 of 43 cases overall (41.9%). We discuss implications for Statistical Disclosure Control (SDC) practice and outline the near-future escalation that data custodians and regulators must anticipate. De facto anonymity - an implicit foundation of SDC practice - is shifting. Agentic AI strengthens the case that re-identification is reasonably likely by any means under the GDPR Recital-26 standard, at costs of minutes-and-dollars per target.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper presents a feasibility study of an agentic AI pipeline that autonomously searches public web sources, cross-references records, and re-identifies individuals from raw spatio-temporal coordinate sequences. On a simulated mobility dataset with points anchored at/around true home and work addresses, the system re-identifies 18 of 25 re-identifiable individuals (72%) and 18 of 43 cases overall (41.9%), arguing that this shifts the threat model for commercial mobility microdata and de-facto anonymity assumptions in statistical disclosure control.

Significance. If the simulation reproduces the statistical properties of real commercial mobility traces, the result would demonstrate that agentic AI enables scalable, low-cost re-identification without expert manual effort, strengthening arguments that re-identification is 'reasonably likely' under GDPR Recital 26 and motivating revisions to SDC practice. The end-to-end autonomous pipeline is a concrete empirical demonstration, though its implications hinge on simulation fidelity.

major comments (2)
  1. [Abstract] Abstract and evaluation section: the headline results (72% on the 25 re-identifiable individuals; 41.9% overall) rest entirely on a simulated dataset whose location points are deliberately anchored at and around known home/work addresses. No validation against the sparsity, GPS noise, temporal gaps, or uniqueness statistics of actual broker-collected traces is reported, nor is any sensitivity analysis to added noise or alternative simulation parameters described. This directly undermines the claim that the pipeline poses a scalable threat to production commercial mobility microdata.
  2. [Abstract] Evaluation description: exact definitions of 're-identifiable individuals' and 're-identifiable cases,' controls for false positives, and any error bars or confidence intervals on the 18/25 and 18/43 counts are not provided. Without these, it is impossible to assess whether the reported success rates exceed what would be expected from random or baseline matching.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We appreciate the referee's detailed feedback on our feasibility study of an agentic AI re-identification pipeline. The comments highlight important aspects of our simulation-based evaluation and the need for clearer statistical reporting. We respond to each major comment below, indicating where revisions will be made to the manuscript.

read point-by-point responses

  1. Referee: [Abstract] Abstract and evaluation section: the headline results (72% on the 25 re-identifiable individuals; 41.9% overall) rest entirely on a simulated dataset whose location points are deliberately anchored at and around known home/work addresses. No validation against the sparsity, GPS noise, temporal gaps, or uniqueness statistics of actual broker-collected traces is reported, nor is any sensitivity analysis to added noise or alternative simulation parameters described. This directly undermines the claim that the pipeline poses a scalable threat to production commercial mobility microdata.

    Authors: The manuscript is presented as a feasibility study, and we explicitly note the use of simulated data anchored at home and work addresses to model a high-risk scenario. Prior work has shown that mobility traces are unique even with few points, and our simulation captures this by design. We cannot access or generate real commercial mobility microdata for validation due to privacy regulations and ethical considerations. To address the concern, we will add a dedicated limitations subsection discussing the simulation's assumptions, how it relates to real traces (e.g., real data may have more noise but also more points), and perform a basic sensitivity analysis by varying noise levels in a revision. This will clarify that our results demonstrate the pipeline's potential rather than a direct claim on all production datasets. revision: partial

  2. Referee: [Abstract] Evaluation description: exact definitions of 're-identifiable individuals' and 're-identifiable cases,' controls for false positives, and any error bars or confidence intervals on the 18/25 and 18/43 counts are not provided. Without these, it is impossible to assess whether the reported success rates exceed what would be expected from random or baseline matching.

    Authors: We agree that these details are essential for rigorous evaluation. In the revised version of the manuscript, we will expand the evaluation section to include: (1) precise definitions of 're-identifiable individuals' (those with sufficient public web presence for potential matching) and 're-identifiable cases' (individual trace instances); (2) a description of controls for false positives, including any random baseline matching experiments; and (3) binomial confidence intervals for the reported proportions to quantify uncertainty. These additions will allow readers to better evaluate the results against chance levels. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical success rate is a direct count, not a derived or fitted quantity

full rationale

The paper's central claim is an empirical count (18/25 = 72% re-identifications) obtained by executing the described agentic AI pipeline on a fixed simulated dataset. No equations, parameter fitting, self-citations as load-bearing premises, or renamings of known results appear in the provided text. The simulation anchoring is an explicit modeling choice whose validity can be challenged externally, but it does not create a self-referential reduction where the reported percentage is forced by construction from the inputs. The derivation chain is therefore self-contained as a straightforward experimental measurement.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that the chosen simulation setup with anchored home/work points serves as a valid proxy for real commercial mobility microdata risks and that public records are sufficiently available and matchable.

axioms (1)
  • domain assumption Simulated location points anchored at and around true home and work addresses accurately represent the re-identification difficulty present in real commercial mobility microdata collected by data brokers.
    The evaluation is performed exclusively on this simulated high-risk disclosure scenario.

pith-pipeline@v0.9.1-grok · 5805 in / 1226 out tokens · 69974 ms · 2026-06-29T04:06:31.139174+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

30 extracted references · 20 canonical work pages · 3 internal anchors

  1. [1]

    Journal of Privacy and Confidentiality6(2), 1–20 (2014)

    Acquisti, A., Gross, R., Stutzman, F.: Face recognition and privacy in the age of augmented reality. Journal of Privacy and Confidentiality6(2), 1–20 (2014). https://doi.org/10.29012/jpc.v6i2.638

    work page doi:10.29012/jpc.v6i2.638 2014

  2. [2]

    Anthropic: Claude Code.https://www.anthropic.com/claude- code(2026), accessed May 2026

    2026

  3. [3]

    Court of Justice of the European Union: Press release no 44/24: Judgment in case c-604/22 | iab europe.https://curia.europa.eu/jcms/upload/docs/applicati on/pdf/2024-03/cp240044en.pdf(2024), press release, 7 March 2024

    2024

  4. [4]

    URLhttps://dl.acm.org/doi/10.5555/3666122.3666569

    Dettmers, T., Pagnoni, A., Holtzman, A., Zettlemoyer, L.: QLoRA: Efficient fine- tuning of quantized LLMs. In: Proceedings of the 37th International Conference on Neural Information Processing Systems (NeurIPS 2023). pp. 10088–10115 (2023), https://dl.acm.org/doi/10.5555/3666122.3666563

    work page doi:10.5555/3666122.3666563 2023

  5. [5]

    Journal of Busi- ness & Economic Statistics7(2), 207–217 (1989).https://doi.org/10.1080/07 350015.1989.10509729

    Duncan, G.T., Lambert, D.: The risk of disclosure for microdata. Journal of Busi- ness & Economic Statistics7(2), 207–217 (1989).https://doi.org/10.1080/07 350015.1989.10509729

    work page doi:10.1080/07 1989

  6. [6]

    Official Journal of the European Union, L 119/1 (2016),https://gdpr-info.eu/

    European Parliament and Council of the European Union: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation), recital 26. Official Journal of the European Union, L 119/1 (2016),https://gdpr-info.eu/

    2016

  7. [7]

    Patterns2(3), 100204 (2021)

    Farzanehfar, A., Houssiau, F., de Montjoye, Y.A.: The risk of re-identification remains high even in country-scale location datasets. Patterns2(3), 100204 (2021). https://doi.org/10.1016/j.patter.2021.100204

    work page doi:10.1016/j.patter.2021.100204 2021

  8. [8]

    In: Proceedings of the 48th IEEE/ACM International Conference on Software Engineering (ICSE-SEIP ’26)

    Fawzy, A., Tahir, A., Blincoe, K.: Vibe coding in practice: Motivations, chal- lenges, and a future outlook – a grey literature review. In: Proceedings of the 48th IEEE/ACM International Conference on Software Engineering (ICSE-SEIP ’26). ACM (2026).https://doi.org/10.1145/3786583.3786866

    work page doi:10.1145/3786583.3786866 2026

  9. [9]

    Federal Trade Commission: FTC takes action against Gravy Analytics, Venntel for unlawfully selling location data tracking consumers to sensitive sites.https: //www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-actio n-against-gravy-analytics-venntel-unlawfully-selling-location-data-t racking-consumers(2024), press release, 3 December 2024

    2024

  10. [10]

    Federal Trade Commission: FTC takes action against Mobilewalla for collecting and selling sensitive location data.https://www.ftc.gov/news-events/news/pre ss-releases/2024/12/ftc-takes-action-against-mobilewalla-collecting-s elling-sensitive-location-data(2024), press release, 3 December 2024

    2024

  11. [11]

    In: Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’25)

    Figueiredo, J., Carvalho, A., Castro, D., Gonçalves, D., Santos, N.: Sounds Vishy: Automating vishing attacks with AI-powered systems. In: Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’25). pp. 407–424. ACM (2025).https://doi.org/10.1145/3708821.3733866

    work page doi:10.1145/3708821.3733866 2025

  12. [12]

    Gadotti, A., Rocher, L., Houssiau, F., Creţu, A.M., de Montjoye, Y.A.: Anonymiza- tion:Theimperfectscienceofusingdatawhilepreservingprivacy.ScienceAdvances 10(29), eadn7053 (2024).https://doi.org/10.1126/sciadv.adn7053

    work page doi:10.1126/sciadv.adn7053 2024

  13. [13]

    In: Pro- ceedings of the 7th International Conference on Pervasive Computing

    Golle, P., Partridge, K.: On the anonymity of home/work location pairs. In: Pro- ceedings of the 7th International Conference on Pervasive Computing. Lecture Notes in Computer Science, vol. 5538, pp. 390–397. Springer (2009).https: //doi.org/10.1007/978-3-642-01516-8_26

    work page doi:10.1007/978-3-642-01516-8_26 2009

  14. [14]

    The Llama 3 Herd of Models

    Grattafiori, A., Dubey, A., Jauhri, A., et al.: The Llama 3 herd of models (2024). https://doi.org/10.48550/arXiv.2407.21783 14 O. Thees, R. Müller, M. Templ

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2407.21783 2024

  15. [15]

    Ko, M., Jeong, J., Thakur, S.S., Kim, G., Jia, R.: From weak cues to real identities: Evaluating inference-driven de-anonymization in LLM agents (2026).https://do i.org/10.48550/arXiv.2603.18382

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2603.18382 2026

  16. [16]

    In: LaMarca, A., Langheinrich, M., Truong, K.N

    Krumm, J.: Inference attacks on location tracks. In: LaMarca, A., Langheinrich, M., Truong, K.N. (eds.) Pervasive Computing. Lecture Notes in Computer Science, vol. 4480, pp. 127–143. Springer, Berlin, Heidelberg (2007).https://doi.org/10 .1007/978-3-540-72037-9_8

    2007

  17. [17]

    Kumarage, T., Johnson, C., Adams, J., Ai, L., Kirchner, M., Hoogs, A., Garland, J., Hirschberg, J., Basharat, A., Liu, H.: Personalized attacks of social engineering in multi-turnconversations:LLMagentsforsimulation anddetection.In:Proceedings of the COLM 2025 Workshop on AI Agents: Capabilities and Safety (2025).https: //doi.org/10.48550/arXiv.2503.15552

    work page doi:10.48550/arxiv.2503.15552 2025

  18. [19]

    Li, T.: Agentic LLMs as powerful deanonymizers: Re-identification of participants in the anthropic interviewer dataset (2026).https://doi.org/10.48550/arXiv.2 601.05918

    work page doi:10.48550/arxiv.2 2026

  19. [20]

    Luo, W., Lu, T., Zhang, Q., Liu, X., Hu, B., Zhao, Y., Zhao, J., Gao, S., McDaniel, P., Xiang, Z., Xiao, C.: Doxing via the lens: Revealing location-related privacy leakage on multi-modal large reasoning models (2026).https://doi.org/10.485 50/arXiv.2504.19373, accepted as a poster at the 14th International Conference on Learning Representations (ICLR 2026)

    arXiv 2026

  20. [21]

    Meineck, S., Dachwitz, I.: Data broker files: How data brokers sell our location data and jeopardise national security.https://netzpolitik.org/2024/data-bro ker-files-how-data-brokers-sell-our-location-data-and-jeopardise-nat ional-security/(2024), netzpolitik.org and Bayerischer Rundfunk investigation, 16 July 2024

    2024

  21. [22]

    Scientific Reports3, 1376 (2013)

    de Montjoye, Y.A., Hidalgo, C.A., Verleysen, M., Blondel, V.D.: Unique in the crowd: The privacy bounds of human mobility. Scientific Reports3, 1376 (2013). https://doi.org/10.1038/srep01376

    work page doi:10.1038/srep01376 2013

  22. [23]

    IEEE Communications Surveys & Tutorials 21(3), 2772–2793 (2019).https://doi.org/10.1109/COMST.2018.2873950

    Primault, V., Boutet, A., Mokhtar, S.B., Brunie, L.: The long road to compu- tational location privacy: A survey. IEEE Communications Surveys & Tutorials 21(3), 2772–2793 (2019).https://doi.org/10.1109/COMST.2018.2873950

    work page doi:10.1109/comst.2018.2873950 2019

  23. [24]

    In: Proceedings of the Inter- national Conference on Learning Representations (ICLR)

    Staab, R., Vero, M., Balunović, M., Vechev, M.: Beyond memorization: Violating privacy via inference with large language models. In: Proceedings of the Inter- national Conference on Learning Representations (ICLR). ICLR (2024).https: //doi.org/10.48550/arXiv.2310.07298

    work page doi:10.48550/arxiv.2310.07298 2024

  24. [25]

    Ströbl, B., Kapp, A.: Investigating vulnerabilities of GPS trip data to trajectory- user linking attacks (2025).https://doi.org/10.48550/arXiv.2502.08217

    work page doi:10.48550/arxiv.2502.08217 2025

  25. [26]

    https://www.bfs.admin.ch/bfs/en/home/registers/federal-register-build ings-dwellings.html(2026), accessed May 2026

    Swiss Federal Statistical Office: Federal register of buildings and dwellings (GWR). https://www.bfs.admin.ch/bfs/en/home/registers/federal-register-build ings-dwellings.html(2026), accessed May 2026

    2026

  26. [27]

    https://www.nytimes.com/interactive/2019/12/19/opinion/location-track ing-cell-phone.html(2019), new York Times Opinion, 19 December 2019

    Thompson, S.A., Warzel, C.: Twelve million phones, one dataset, zero privacy. https://www.nytimes.com/interactive/2019/12/19/opinion/location-track ing-cell-phone.html(2019), new York Times Opinion, 19 December 2019

    2019

  27. [28]

    https://doi.org/10.48550/arXiv.2508.02034 Agentic AI-Powered Re-Identification 15

    Wang, Z., Yang, S., Lu, J., Chow, K.H.: Protego: User-centric pose-invariant pri- vacy protection against face recognition-induced digital footprint exposure (2025). https://doi.org/10.48550/arXiv.2508.02034 Agentic AI-Powered Re-Identification 15

    work page doi:10.48550/arxiv.2508.02034 2025

  28. [29]

    Journal of Big Data11(39) (2024).https://doi.org/10.1186/s40537-024-00888-8

    Wiedemann, N., Janowicz, K., Raubal, M., Kounadi, O.: Where you go is who you are: A study on machine learning based semantic privacy attacks. Journal of Big Data11(39) (2024).https://doi.org/10.1186/s40537-024-00888-8

    work page doi:10.1186/s40537-024-00888-8 2024

  29. [30]

    ReAct: Synergizing Reasoning and Acting in Language Models

    Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y.: Re- Act: Synergizing reasoning and acting in language models. In: Proceedings of the International Conference on Learning Representations (ICLR). ICLR (2023). https://doi.org/10.48550/arXiv.2210.03629

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2210.03629 2023

  30. [31]

    In: Proceedings of the 17th Annual International Conference on Mobile Computing and Networking (MobiCom)

    Zang, H., Bolot, J.: Anonymization of location data does not work: A large-scale measurement study. In: Proceedings of the 17th Annual International Conference on Mobile Computing and Networking (MobiCom). pp. 145–156. ACM (2011). https://doi.org/10.1145/2030613.2030630

    work page doi:10.1145/2030613.2030630 2011