Differential Privacy Preservation for Continuous Release of Real-Time Location Data

Abstract

Continuous real-time location data is very important in the big data era, but the privacy issues involved is also a considerable topic. It is not only necessary to protect the location privacy at each release moment, but also have to consider the impact of data correlation. Correlated Laplace Mechanism (CLM) is a sophisticated method to implement differential privacy on correlated time series. This paper aims to solve the key problems of applying CLM in continuous location release. Based on the finding that the location increment is approximately stationary in many scenarios, a location correlation estimation method based on the location increment is proposed to solve the problem of nonstationary location data correlation estimation; an adaptive adjustment model for the CLM filter based on parameter quantization idea (QCLM) as well as its effective implementation named QCLM-Lowpass utilizing the lowpass spectral characteristics of location data series is proposed to solve the problem of output deviations due to the undesired transient response of the CLM filter in time-varying environments. Extensive simulations and real data experiments validate the effectiveness of the proposed approach and show that the privacy scheme based on QCLM-Lowpass can offer a better balance between the ability to resist correlation-based attacks and data availability.

1. Introduction

With the prevalence of intelligent terminal devices equipped with high-precision positioning capabilities, people can access location-based services (LBSs) whenever and wherever they want. As a result, large amounts of individuals’ location data are collected, stored, and analyzed, which has become an important resource for business analysis and academic research. However, location data is inherently sensitive and can be linked to data from other sources since space brings particular constraints [1,2], which enables an attacker to infer individual private information such as home address, company, lifestyle habits, etc. Privacy concerns hinder users’ willingness to share location data. Therefore, location privacy protection is one of the important issues in the big data era.

A variety of location-privacy-preserving mechanisms (LPPMs) have been proposed in the literature, and some works [2,3,4] provide a systematic review of them. Among the existing privacy definitions, differential privacy [5] based on the idea of indistinguishability in cryptography provides a rigorous mathematical proof of the privacy strength, which guarantees that the actual privacy strength is not affected by the attacker’s background knowledge, and thus is widely used in location-based services [6,7,8]. Early works on differential privacy assumed the presence of trusted third-party administrators, but as application environments have become more complex, many untrustworthy servers can also easily access large amounts of users’ data. To solve this problem, local differential privacy (LDP) [9] has been proposed. It perturbs the user’s data locally before sending the data to any entity. Only the data owner can fully access the original data, which provides stronger privacy protection. In the field of location privacy, geo-indistinguishability [10] extended the idea of indistinguishability to continuous geographic space, enabling local privacy protection for individual locations in snapshot publishing.

However, the privacy problem is more serious in scenarios of continuous location data publishing [2]. The continuously observed location data is usually correlated, which may make it difficult for differential privacy mechanisms to achieve the expected privacy-preserving effect [11,12]. Some existing works for correlated location data publishing mainly take advantage of a model to describe the correlation between locations, and thereby adapt the location perturbation approach. Jiang et al. [13] considered time-space constraints between locations according to a basic kinematics model, and used an exponential mechanism to generate azimuths and distances which are more consistent with the motion pattern, thus avoiding irrationally perturbed locations. Chatzikokolakis et al. [14] used a prediction function to characterize the correlation between locations, and privately determined whether to allocate a privacy budget to generate noise for the current location based on the error of the prediction. Instead, Al-Dhubhani et al. [15] adaptively adjusted the privacy budget at each moment based on the level of linear prediction error. In addition, Xiao et al. [16] constructed the “$\delta$-location set” based on a Markov model to account for the temporal correlations in location data and proposed a planar isotropic mechanism (PIM) for location perturbation. Based on this work, Xiong et al. [17] improved data usability by applying a generalized randomized response mechanism (GRR) to the “$\delta$-location set” for privacy protection. Unfortunately, these works lacked an exhaustive explanation for why data correlation would lead to a reduction in the privacy strength of differential privacy mechanisms.

Wang and Xu [18] argued that the primary cause of the reduction in privacy strength is the discrepancy in data correlation between the noise and original series. This can be used by an attacker to launch a correlation-distinguishability attack (CDA) [12], such as Weiner filtering, to filter out some of the perturbation noise and thus remove some of the privacy effect. To remedy this problem, the work [18] proposed the notion of series-indistinguishability to guarantee that the correlation between the noise and original series is indistinguishable, and designed the Correlated Laplace Mechanism (CLM) to generate a correlated Laplace noise series to satisfy series-indistinguishability, which provided an effective differential privacy-preserving scheme for correlated time-series data publication. Naturally, it is desirable to apply CLM to protect privacy in continuous location data release.

However, there are some challenges in the implementation of CLM, which mainly include the following two aspects:

• How to accurately estimate the data correlation. A prerequisite for the effective application of CLM is that the autocorrelation function of the data series is known or can be accurately estimated. However, the time series consisting of continuously observed location data is usually non-stationary, and its autocorrelation function changes over time, which makes it difficult to obtain accurate estimates based on time averaging.
• How to make CLM dynamically track the time-varying data correlation. CLM based on the filter approach is performed by setting the filter parameters so that the steady-state response satisfies the given autocorrelation function. To track the time-varying data correlation, the CLM filter should be dynamically adjusted, which may cause the undesired transient response to be non-negligible, resulting in a deviation of the actual output from the target.

The above challenges make CLM unsuitable for continuous real-time location data release. This paper presents practical solutions to these challenges. First, the stationarity of the location data series is analyzed, and results imply that the location increment is approximately stationary in many scenarios, from which a location data correlation estimation method using the location increment is derived. Second, an adaptive adjustment model of the CLM filter based on parameter quantization, called Quantized Correlated Laplace Mechanism (QCLM), is proposed, and based on the lowpass spectral characteristics of the location data series, an effective implementation named QCLM-Lowpass is designed. Our main contributions are summarized as follows:

• A location data correlation estimation method based on the location increment is proposed, in which the problem of correlation estimation of a nonstationary location data series is converted into the problem of estimating real location increments. Thereby, the correlation of nonstationary location data can be accurately estimated in many practical scenarios.
• An adaptive adjustment model of the CLM filter (QCLM) and its effective implementation (QCLM-Lowpass) are proposed. The CLM filter is adjusted only at the necessary moments to reduce the generation of undesired transient responses, thus producing an output that satisfies series-indistinguishability as much as possible in time-varying environments.
• Extensive simulations and real data experiments validate the effectiveness of the proposed approaches, and the results show that the privacy scheme based on QCLM-Lowpass outperforms the other schemes compared in terms of data usability and the ability to resist the correlation-based attack.

The remainder of the paper is organized as follows: Section 2 introduces the continuous real-time location data release model and relevant privacy theories and gives the privacy goals in this paper. The Dynamic Correlated Laplace Mechanism (DCLM) and problem statement are presented in Section 3. The location data correlation estimation method and QCLM are proposed in Section 4. We report the experimental evaluation in Section 5 and give the conclusion in Section 6.

2. Preliminaries

In this section, the continuous real-time location data release model is introduced, and then several relevant privacy theories are reviewed, followed by the privacy-preserving goals in this paper.

2.1. Continuous Real-Time Location Data Release Model

Before introducing the continuous location data release model, the location data ecosystem is presented in Figure 1. There are three important roles: the data provider, the data collector, and the data user, each with different demands. Data users expect accurate location data for application analysis, while data providers are reluctant to provide raw data for privacy reasons. The role of privacy protection is to balance these requirements, protecting user privacy while ensuring the usability of published data. Therefore, privacy protection is vital to the healthy and sustainable development of the location data ecosystem.

All spatial data is created in a coordinate system. This paper involves two coordinate systems, denoted as GEO and XOY. In GEO, a location record is expressed as $loc(t)=\{ID,t,<lon(t),lat(t),alt(t)>\}$, where ID denotes the user identity, and $t$ denotes the time stamp, $lon(t),lat(t),alt(t)$ indicate longitude, latitude, and altitude information, respectively. Given that the user usually moves within a limited area where altitude changes can be ignored, a Cartesian coordinate system, XOY, is introduced. Specifically, the coordinate $<lon(t_0),lat(t_0)>$ at the certain moment $t_0$ is used as the origin, O, and XOY can be constructed with the east direction as the positive direction of X-axis, the north direction as the positive direction of Y-axis, and the scale in meters. Thereby, a location at time $t$ can be expressed by the vector $l(t)={[x(t),y(t)]}^T$, where the superscript $T$ denotes the matrix transpose and $x(t),y(t)$ are the coordinates on the X and Y axes, respectively. An example for such two coordinate systems is shown in Figure 2.

In practice, many applications require the user to continuously share real-time location data. In a typical scenario, the user releases location data with a fixed time interval, $\Delta t$, starting from a certain moment, $t_0$. For convenience, the i-th release time is $t_i=t_0+i\times \Delta t$, and the corresponding location data is denoted as $l(i)={[x(i),y(i)]}^T$. In the local privacy model shown in Figure 1, the user does not directly release the original location $l(i)$ but releases a perturbed location, $\tilde{l}(i)={[\tilde{x}(i),\tilde{y}(i)]}^T$, which is the output of the privacy mechanism $\mathcal{M}$:

$$\tilde{l}(i)=\mathcal{M}[l(i)]=l(i)+n(i)$$

(1)

where $n(i)={[n_X(i),n_Y(i)]}^T$ is the noise vector and $n_X(i),n_Y(i)$ are the noise on the X and Y directions, respectively.

Suppose that there have been $I$ releases until now, then the data series formed by original locations can be denoted as $L(I)=[X(I),Y(I)]={[l(0),\cdots ,l(I)]}^T$, where the column vectors $X(I)={[x(0),\cdots ,x(I)]}^T$ and $Y(I)={[y(0),\cdots ,y(I)]}^T$ are the data series in the X and Y directions. Similarly, the noise series and the perturbed location series are denoted as $N(I)=[N_X(I),N_Y(I)]={[n(0),\cdots ,n(I)]}^T$ and $\tilde{L}(I)=[\tilde{X}(I),\tilde{Y}(I)]={[\tilde{l}(0),\cdots ,\tilde{l}(I)]}^T$ respectively. The major notations in this paper are summarized in

Table 1. The definition of major notations.

Variable	Definition
$l(t)={[x(t),y(t)]}^T$	a location data in XOY at time $t$
$\Delta t$	the time interval for data release
$t_i$	the time of i-th data release
$l(i)={[x(i),y(i)]}^T$	the simplified representation of $l(t_i)$ in time discretization
$L(I)=[X(I),Y(I)]$	the location data series up to I-th data release
$R_L(i,i-\tau )$	the autocorrelation function matrix of $L(I)$, $R_L(i,i-\tau )=E[l(i)l^T(i-\tau )]$
$n(i)={[n_X(i),n_Y(i)]}^T$	the perturbation noise added to $l(i)$ at time $t_i$
$N(I)=[N_X(I),N_Y(I)]$	the noise series up to I-th data release
$\tilde{l}(i)={[\tilde{x}(i),\tilde{y}(i)]}^T$	the perturbed location data at time $t_i$
$\tilde{L}(I)=[\tilde{X}(I),\tilde{Y}(I)]$	the perturbed location data series up to I-th data release
$R_{\tilde{L}}(i,i-\tau )$	the autocorrelation function matrix of $\tilde{L}(I)$, $R_{\tilde{L}}(i,i-\tau )=E[\tilde{l}(i){\tilde{l}}^T(i-\tau )]$
$v(i)={[v_X(i),v_Y(i)]}^T$	the location increment at time $t_i$, $v(i)=l(i)-l(i-1)$
$|v(i)|,\phi (i)$	the modulus $|v(i)|$ and azimuth $\phi (i)$ of $v(i)$
$V(I)$	the location increment series up to I-th data release

.

To protect privacy, it should be guaranteed that the attacker cannot accurately infer true location information based on the published data, including the following demands,

• The attacker cannot accurately infer the original location $l(i)$ from $\tilde{l}(i)$ at each moment.
• The attacker cannot accurately extrapolate the true location $l(i)$ based on the historically published series $\tilde{L}(I)$.

2.2. Privacy Theories

For this privacy problem, we first review several important privacy theories.

2.2.1. Differential Privacy

Differential privacy [5] is based on the concept of indistinguishability in cryptology and is a state-of-the-art privacy preservation model. It ensures that the output of a private algorithm is not strongly dependent on any one record in the input dataset. Thus, differential privacy provides strict privacy protection, even if the attacker knows all information except the target record. Its formal definition is given below.

Definition 1

(differential privacy [5]). Considering two neighboring datasets, $\mathcal{D},{\mathcal{D}}^{\prime }$, which have the same cardinality but differ in only one record, a random perturbation mechanism, $\mathcal{M}$, satisfies $(\epsilon ,\delta )$-differential privacy if for all possible outcomes $\mathcal{O}\subseteq Range(\mathcal{M})$ and for any pair of $\mathcal{D},{\mathcal{D}}^{\prime }$:

$$Pr[\mathcal{M}(\mathcal{D})\in \mathcal{O}]\le e^{\epsilon }\cdot Pr[\mathcal{M}({\mathcal{D}}^{\prime })\in \mathcal{O}]+\delta$$

(2)

where $Range(\mathcal{M})$ denotes the value range of $\mathcal{M}$, and $Pr(\cdot )$ denotes the probability. If $\delta =0$, we say that $\mathcal{M}$ is $\epsilon$-differentially private. The parameter $\epsilon$ is considered as the privacy budget which indicates the privacy strength. A small $\epsilon$ is associated with better privacy.

A popular $\epsilon$-differentially private algorithm for numeric queries is the Laplace mechanism. The definition of the Laplace mechanism is given below.

Definition 2

(Laplace mechanism [19]). Let $Lap(\lambda )$ denote the Laplace distribution with mean 0 and scale $\lambda$. For any numeric-valued function $f:\mathcal{D}\to {ℝ}^k$, the Laplace mechanism ${\mathcal{M}}_L$ is defined as follows:

$${\mathcal{M}}_L(\mathcal{D},f(\cdot ),\epsilon )=f(\mathcal{D})+<N_1,\cdots ,N_k>$$

(3)

where $<N_1,\cdots ,N_k>$ are i.i.d. random variables drawn from $Lap(\Delta f/\epsilon )$. The sensitivity function $\Delta f$ is the maximum effect a single record has on the result of $f(\cdot )$:

$$\Delta f=\underset{\mathcal{D},{\mathcal{D}}^{\prime }}{\max }{\Vert f(\mathcal{D})-f({\mathcal{D}}^{\prime })\Vert }_1$$

(4)

2.2.2. Geo-Indistinguishability

The idea of indistinguishability is the basis of differential privacy, geo-indistinguishability [10] extends it to the continuous geographic space, which can be formally defined as follows.

Definition 3

(geo-indistinguishability [10]). A mechanism $\mathcal{M}$ satisfies $\epsilon$-geo-indistinguishability if for any two locations $l,l^{\prime }$ in the protection region and for any output location $\tilde{l}\in Range(\mathcal{M})$:

$$Pr[\mathcal{M}(l)=\tilde{l}]\le e^{\epsilon \cdot d_L(l,l^{\prime })}\cdot Pr[\mathcal{M}(l^{\prime })=\tilde{l}]$$

(5)

where $d_L(\cdot ,\cdot )$ denote the distance between two locations, such as Euclidean distance.

Geo-indistinguishability ensures that it is difficult for an attacker to distinguish the true location from its surroundings according to the perturbed location, and thus provides privacy protection for the single location. Its privacy strength is controlled by the parameter $\epsilon$.

2.2.3. Series-Indistinguishability

Continuously observed location data will constitute a correlated time series, which is vulnerable to correlation-based attacks. To solve this problem, series-indistinguishability [18] has been proposed to complement differential privacy preservation on correlated time-series data. Its formal definition is given as follows.

Definition 4

(series-indistinguishability [18]). Let $X,\tilde{X}$ denote the original and perturbed data series. If the autocorrelation functions of them, $R_X(\tau )$ and $R_{\tilde{X}}(\tau )$, satisfy the following:

$$R_{\tilde{X}}(\tau )/R_{\tilde{X}}(0)=R_X(\tau )/R_X(0)$$

(6)

then $X,\tilde{X}$ are series-indistinguishable to an adversary, where $\tau \in \mathbb{Z}$ denotes the lag of the auto-correlation function.

In practice, however, it is difficult to achieve absolute series-indistinguishability due to various factors such as estimation errors. A more robust extension with noise tolerant interval $[-\upsilon ,\upsilon ]$ was presented, which requires the autocorrelation functions to satisfy the following condition:

$$-\upsilon \le \frac{R_{\tilde{X}}(\tau )}{R_{\tilde{X}}(0)}/\frac{R_X(\tau )}{R_X(0)}\le \upsilon$$

(7)

Series-indistinguishability makes it difficult for an attacker to filter out some of the perturbation noise by exploiting the data correlation, so that the effective privacy protection of the correlated time series can be achieved without increasing the noise intensity.

2.2.4. Correlated Laplace Mechanism

To achieve series-indistinguishability, the privacy mechanism $\mathcal{M}$ needs to generate a noise series whose autocorrelation function is consistent with that of the original data series. For this purpose, CLM [18] was proposed to generate a correlated Laplace noise series with the given autocorrelation function. It includes the following two steps:

• Generate four Gaussian distributed random numbers independently, $g_m^{\prime }(i)~N(0,{\sigma }_{G^{\prime }}^2)$, $m=1, 2, 3, 4$, where $i\in \mathbb{N}$ denotes the timestamp. Thereby, four Gaussian noise series are generated over time, denoted as $G_m^{\prime },m=1, 2, 3, 4$. Each of them satisfies the same autocorrelation function $R_{G^{\prime }}(\tau )$, but are independent from each other.
• Generate the Laplace distributed random number $n(i)~Lap(2{\sigma }_{G^{\prime }}^2)$, which can be calculated as follows:

  $$n(i)={[g_1^{\prime }(i)]}^2+{[g_2^{\prime }(i)]}^2-{[g_3^{\prime }(i)]}^2-{[g_4^{\prime }(i)]}^2$$

  (8)

  Thereby, the correlated Laplace noise series can be generated over time, where the autocorrelation function of the Laplace and Gaussian noise series, $R_N(\tau )$ and $R_{G^{\prime }}(\tau )$, satisfy the following equation:

  $$R_N(\tau )=8{[R_{G^{\prime }}(\tau )]}^2$$

  (9)

Figure 3 illustrates the generation of the correlated Laplace noise in CLM at a certain moment. There are four independently operating filters. They have the same parameters but different inputs and outputs. The filter used to generate the correlated Gaussian noise series with the input of Gaussian white noise is known as the CLM filter. It can be characterized by the following system function:

$$H_{CLM}(z)=\frac{{\displaystyle {\sum }_{q=0}^Q{b}_q{z}^{-q}}}{{\displaystyle {\sum }_{u=0}^U{a}_u{z}^{-u}}}$$

(10)

where the complex variable $z=e^{\sigma +j\omega }$, and $Q,U$ denote the order of zeros and poles, respectively. Let $a_0=b_0=1$ by default and let $A_{CLM}=[a_1,\cdots ,a_U]$, $B_{CLM}=[b_1,\cdots ,b_Q]$ denote the parameter vectors. In addition, there is a gain coefficient ${\kappa }_{CLM}$ in the calculation of the Laplace noise $n~Lap(\lambda )$, which can be calculated as follows:

$${\kappa }_{CLM}=\pi /{\displaystyle {\int }_{-\pi }^{\pi }{\Vert H_{CLM}(z){|}_{z=e^{j\omega }}\Vert }_2^{2}d\omega }$$

(11)

To clearly describe the dynamic adjustment problem of the CLM filter, this paper considers CLM as a program object, and redescribes its implementation from a programming perspective.

Table 2. Main attributes and methods of the CLM object.

CLM
Attributes
$Q,U$	integer	the order of zeros and poles of the CLM filter
$B=[b_1,\cdots ,b_Q]$	$1\times Q$ vector	$b_q,q=1,\cdots ,Q$ are coefficients of the numerator of $H_{CLM}(z)$, where $b_0=1$
$A=[a_1,\cdots ,a_U]$	$1\times U$ vector	$a_u,u=1,\cdots ,U$ are coefficients of the denominator of $H_{CLM}(z)$, where $a_0=1$
$\kappa ,\lambda$	real	$\kappa$: the gain coefficient; $\lambda$: the scale of Laplace distribution
$S=[s_{m,k}]$	$4\times Q$ matrix	the input state of four CLM filters, and each row corresponds to one filter
$S^{\prime }=[s_{m,k}^{\prime }]$	$4\times U$ matrix	the output state of four CLM filters and each row corresponds to one filter
$G={[g_1,g_2,g_3,g_4]}^T$	$4\times 1$ vector	$g_m~N(0,1),m=1, 2, 3, 4$ are the input of four CLM filters
$G^{\prime }={[g_1^{\prime },g_2^{\prime },g_3^{\prime },g_4^{\prime }]}^T$	$4\times 1$ vector	$g_m^{\prime },m=1, 2, 3, 4$ are the output of four CLM filters
Methods
$Initialization(Q,U,B,A,\kappa ,\lambda )$:    Set $Q,U,B,A,\kappa ,\lambda$;    Set $S$: $4\times Q$ zeros matrix, $S^{\prime }$: $4\times U$ zeros matrix.
$\{g_1,g_2,g_3,g_4\}=GaussianGenerator( )$:    Generate four i.i.d random numbers $g_1,g_2,g_3,g_4~N(0,1)$.
$UpdateParam(B,A)$: Update $B,A$.
$UpdateGainCoeff(\kappa )$: Update $\kappa$.
$n=LaplaceGeneration( )$:    Generate the Laplace distributed noise $n$.

lists the main attributes and methods of the CLM object.

At the beginning of the application, the method $Initialization$ is called to assign initial values to the parameters and clear the state of filters. The methods $UpdateParam$ and $UpdateGainCoeff$ are used to update the parameters when it is necessary. During each iteration, the method $LaplaceGeneration$ is called to generate the Laplace noise, where the output of $GaussianGenerator$ is used as the input of the CLM filter.

This paper focuses on the generation of correlated Laplace noise, and the specific steps of the method $LaplaceGeneration$ are given in Algorithm 1.

Algorithm 1. CLM: $LaplaceGeneration( )$
1	Generate four i.i.d random numbers,
	$\{g_1,g_2,g_3,g_4\}=GaussianGenerator( )$
	Set $G={[g_1,g_2,g_3,g_4]}^T$
2	Calculate four correlated Gaussian noise,
	$G^{\prime }=-S^{\prime }{A}^T+G+S{B}^T$
3	Update the input state matrix S,
	$\begin{array}{cc}{s}_{m,k+1}\leftarrow s_{m,k}& k=1,\cdots ,Q-1,m=1,2,3,4\\ s_{m,1}\leftarrow g_m& m=1,2,3,4\end{array}$
4	Update the output state matrix S′,
	$\begin{array}{cc}{s}_{m,k+1}^{\prime }\leftarrow s_{m,k}^{\prime }& k=1,\cdots ,U-1,m=1,2,3,4\\ s_{m,1}^{\prime }\leftarrow g_m^{\prime }& m=1,2,3,4\end{array}$
5	Calculate the noise $n~Lap(\lambda ),$
	$n=[{(g_1^{\prime })}^2+{(g_2^{\prime })}^2-{(g_3^{\prime })}^2-{(g_4^{\prime })}^2]\cdot \kappa \cdot \lambda$
6	return n

In line 1, the method $GaussianGenerator$ is called to generate i.i.d random numbers $g_1,g_2,g_3,g_4~N(0,1)$, which are used as the inputs of the four filters. In lines 2–4, the outputs $g_1^{\prime },g_2^{\prime },g_3^{\prime },g_4^{\prime }$ are calculated and the states of filters are updated. In lines 5–6, the noise $n~Lap(\lambda )$ is generated and returned.

2.3. Privacy Protection Goals

Based on the above privacy theories, the privacy requirements presented in Section 2.1 can be expressed as follows,

• At each release moment, if the privacy mechanism $\mathcal{M}$ satisfies $\epsilon$-geo-indistinguishability as defined in Equation (12), then the attacker cannot easily and accurately infer the original location $l(i)$ from the published location $\tilde{l}(i)$:

  $$\frac{Pr\{\mathcal{M}[l(i)]=\tilde{l}(i)\}}{Pr\{\mathcal{M}[l^{\prime }(i)]=\tilde{l}(i)\}}\le \exp \{\epsilon \cdot d_E[l(i),l^{\prime }(i)]\}$$

  (12)

  where $l^{\prime }(i)={[x^{\prime }(i),y^{\prime }(i)]}^T$ is a location near $l(i)$ with a Euclidean distance $d_E[l(i),l^{\prime }(i)]$.
• As for the original and perturbed location series, $L(I),\tilde{L}(I)$, if they are series-indistinguishable, then the attacker cannot easily use data correlation to accurately infer $l(i)$ from $\tilde{L}(I)$. This requires that their autocorrelation function matrices, $R_L(i,i-\tau ),R_{\tilde{L}}(i,i-\tau )$, satisfy the following condition:

  $$R_L(i,i-\tau )\oslash R_L(i,i)=R_{\tilde{L}}(i,i-\tau )\oslash R_{\tilde{L}}(i,i)$$

  (13)

  where $\oslash$ denotes the Hadamard division (element-wise division), and $R_L(i,i-\tau ),R_{\tilde{L}}(i,i-\tau )$ are defined as follows:

  $$R_L(i,i-\tau )=E[l(i)l^T(i-\tau )]=\left[\begin{array}{cc}{R}_{XX}(i,i-\tau )& R_{XY}(i,i-\tau )\\ R_{YX}(i,i-\tau )& R_{YY}(i,i-\tau )\end{array}\right]$$

  (14)

  $$R_{\tilde{L}}(i,i-\tau )=E[\tilde{l}(i){\tilde{l}}^T(i-\tau )]=\left[\begin{array}{cc}{R}_{\tilde{X}\tilde{X}}(i,i-\tau )& R_{\tilde{X}\tilde{Y}}(i,i-\tau )\\ R_{\tilde{Y}\tilde{X}}(i,i-\tau )& R_{\tilde{Y}\tilde{Y}}(i,i-\tau )\end{array}\right]$$

  (15)

Naturally, it is considered that CLM can be applied to achieve the above privacy goals, but this will face some challenges in the practical implementation.

3. Problems of Dynamic Correlated Laplace Mechanism

For streaming data publishing, the Dynamic Correlated Laplace Mechanism is presented, and then its practical problems in continuous location data release are described.

3.1. Dynamic Correlated Laplace Mechanism

In the continuous location data release application, location data is dynamically generated and its correlation changes over time. To achieve series-indistinguishability, the CLM filter must be dynamically adjusted to track the time-varying data correlation. This scheme is called Dynamic Correlated Laplace Mechanism (DCLM).

Let us first consider the one-dimensional data series and take $X(I)$ as an example, DCLM can be implemented with a sliding window model. At the moment $t_i$, the data in the window with size $M_L$, denoted as $X_W(i)={[x(i-M_L+1),\cdots ,x(i)]}^T$, can be used to estimate the autocorrelation function vector $R_X(i)={[R_{XX}(i,i),\cdots ,R_{XX}(i,i-\Upsilon )]}^T$, where $R_{XX}(i,i-\tau )=E[x(i)\cdot x(i-\tau )]$, $\tau =0,\cdots ,\Upsilon$, and $\Upsilon$ is the maximum lag. Then, the CLM filter is adjusted so that the autocorrelation function of the Laplace noise series can be matched to $R_X(i)$.

Similarly, this paper considers DCLM as a program object in which CLM is a member. The attributes of DCLM include the CLM filter’s parameter vectors, $B,A$, and the adjustment step ${\mu }_{DCLM}$. In addition, there are two main methods in DCLM: one is used to initialize the attributes as well as CLM, and the other is used to dynamically adjust the CLM filter to generate Laplace noise, denoted as $Iteration$, which is described in Algorithm 2.

Algorithm 2. DCLM: $Iteration$
Input: the autocorrelation function vector $R$
Output: the Laplace noise $n$
1	Calculate the CLM filter’s estimated parameter vector $\widehat{B},\widehat{A}$ according to $R$;
2	Update the CLM filter’s parameter vector,
	$\begin{array}{c}B=B+(\widehat{B}-B)\cdot {\mu }_{DCLM}\\ A=A+(\widehat{A}-A)\cdot {\mu }_{DCLM}\end{array}$
3	Calculate the gain coefficient $\kappa$ according to $B,A$;
4	Update the parameters of the CLM filter
	$\begin{array}{l}CLM.UpdateParam(B,A)\\ CLM.UpdateGainCoeff(\kappa )\end{array}$
5	Generate the Laplace noise $n=CLM.LaplaceGeneration( )$;
6	return n;

In line 1, the autocorrelation function vector is used to compute the estimated parameter vectors of the CLM filter, which can be referred to the work [18]. Lines 2–3 update the parameter vectors and the gain coefficient. Lines 4–6 call the methods of the CLM object to adjust the CLM filter and to generate the Laplace noise to return.

From the above steps, it can be found that DCLM can be effectively applied when $X(I)$ satisfies stationary or short-time stationary, in which case $R_X(i)$ can be accurately estimated and ${\mu }_{DCLM}$ can be smaller to ensure that the CLM filter’s output is as expected. However, there are some challenges in implementing DCLM in the continuous location data release application.

3.2. Problems of DCLM in Continuous Location Data Release

In fact, location data series usually do not satisfy the stationary conditions, which makes it difficult to accurately estimate the autocorrelation function. In addition, the dynamic adjustment of the CLM filter causes the unwanted transient response. This results in a deviation between the actual output and the desired output.

3.2.1. Correlation Estimation

As for the dynamically generated location data series $L(I)$, the data in the window with size $M_L$, denoted as $L_W(i)={[l(i-M_L+1),\cdots ,l(i)]}^T$, is used to calculate the estimate of autocorrelation function matrix, ${\widehat{R}}_L(i,i-\tau )$,

$${\widehat{R}}_L(i,i-\tau )=\frac{1}{M_L}{\displaystyle \sum _{k=0}^{M_L-\tau -1}l(i-k)l^T(i-\tau -k)}$$

(16)

From the above equation, the estimation accuracy depends on the stationarity of $L(I)$. If the following stationary conditions are satisfied, the window size $M_L$ can be larger to ensure the accurate estimation,

$$E[l(i)]=E[l(i-k)]$$

(17)

$$R_L(i,i-\tau )=R_L(i-k,i-k-\tau )$$

(18)

where $k\in \mathbb{Z}$. However, this requires the user must stay at a certain location, which results in an excessively limited application scenario.

A real location data series is shown in Figure 4a, and Figure 4b presents the data series $X(I)$ on the X direction. As the user moves, $X(I)$ shows a corresponding trend and thus no longer satisfies the stationary conditions. Therefore, it is difficult to accurately estimate the autocorrelation function directly from the original location data series.

3.2.2. Transient Response in Dynamic Adjustment

Based on the knowledge of filter theory, the actual output of the CLM filter, ${\mathcal{R}}_{CLM}(i)$, consists of two parts: the steady-state response, ${\mathcal{R}}_S(i)$, and the transient response, ${\mathcal{R}}_T(i)$:

$${\mathcal{R}}_{CLM}(i)={\mathcal{R}}_S(i)+{\mathcal{R}}_T(i)$$

(19)

where $i\in \mathbb{N}$ is the timestamp. The former is determined by the input and the filter parameters $B_{CLM},A_{CLM}$, while the latter is determined not only by these two factors but also by the initial state of the filter. If $B_{CLM},A_{CLM}$ remain unchanged, then ${\mathcal{R}}_T(i)$ will decays over time and eventually only ${\mathcal{R}}_S(i)$ will remains. Therefore, to ensure the validity of the final result, $B_{CLM},A_{CLM}$ are adjusted to allow ${\mathcal{R}}_S(i)$ to satisfy the given correlation, where ${\mathcal{R}}_T(i)$ is the undesired part.

However, when $B_{CLM},A_{CLM}$ are changed, the previous steady state will be destroyed, and a new undesired transient response will be generated. This implies that a transition phase is required for the filter to return to steady state. Here, a second-order all-pole filter is taken as an example to illustrate this transition phase, its system function is as follows:

$$H_{AP}(z)=\frac{1}{{(1-\zeta z^{-1})}^2}$$

(20)

where $\zeta$ denotes the second-order pole, and we allow the Gaussian white noise $G~N(0,1)$ as the input. Figure 5a shows the change of the filter’s normalized power spectrum in three adjustments, and Figure 5b presents the output variance over time, where the results are normalized according to the corresponding steady-state response.

As shown in Figure 5b, the filter’s adjustment produces the new transient response highlighted in red, which makes the actual results deviate from expectations. It takes some time for the filter to return to the steady state. Therefore, the undesired transient response needs to be suppressed in the implementation of DCLM.

4. Methodology

For the aforementioned practical problems, our solution idea includes the following two aspects:

• Location data correlation estimation based on the location increment. The autocorrelation function of the location data is expressed in terms of true location increments. Thus, if the location increment series satisfies stationary conditions, the location data correlation can be calculated indirectly using the estimated location increments.
• Quantized Correlated Laplace Mechanism (QCLM). On the one hand, the CLM filter should remain unchanged to suppress the transient response; on the other hand, it needs to be adjusted to track the time-varying data correlation. To balance these two requirements, this paper proposes an adaptive adjustment method based on parameter quantization. It adjusts the CLM filter only at the necessary moments, so that series-indistinguishability can be satisfied as much as possible.

4.1. Location Data Correlation Estimation Based on The Location Increment

In practice, it is desirable to find a more stationary intermediate variable to compute the autocorrelation function estimate for the non-stationary location data series. As illustrated in Figure 4c, the increments of $X(I)$ show approximate stationarity in the time segments highlighted in red. Our analysis reveals that the location series with approximately stationary increments account for more than 27% of the real dataset (details are given in Section 5.1.3). Moreover, the location series and its increments can be mutually transformed with the given starting point. Therefore, we employ location increments to compute the autocorrelation function estimate for the location data.

For the locations $l(i-1),\hspace{0.33em}l(i)$, their increment is denoted as $v(i)=l(i)-l(i-1)={[v_X(i),v_Y(i)]}^T$, and then the increment series of $L(I)$ is denoted as $V(I)=[V_X(I),V_Y(I)]={[v(1),\cdots ,v(I)]}^T$, where $V_X(I)$ and $V_Y(I)$ are the increments in the X and Y directions. Similarly, stationarity require that $E[v(i)]$ is constant over time, which means that the user remains at rest or in uniform linear motion, covering a wider range of scenarios.

Here, we describe the location data correlation estimation method based on location increments. To eliminate the effect of the coordinate origin, the location data correlation is characterized by the autocorrelation function matrix ${\tilde{R}}_L(i,i-\tau )$ after removing the center of $L_W(i)$:

$${\tilde{R}}_L(i,i-\tau )=E\{[l(i)-O(i)]{[l(i-\tau )-O(i)]}^T\}$$

(21)

where the center $O(i)$ is defined as follows:

$$O(i)=\frac{1}{M_L}E[{\displaystyle \sum _{k=0}^{M_L-1}l(i-k)}]$$

(22)

In fact, $l(i)$ is composed of two parts: the true value $l_{tr}(i)=E[l(i)]$ and the error $l_{er}(i)$, where $tr,er$ denote the truth and error, respectively. In this paper, it is considered that the error series $L_{er}(I)={[l_{er}(0),\cdots ,l_{er}(I)]}^T$ is a zero-mean white noise, then Equation (21) can be further expressed as follows:

$${\tilde{R}}_L(i,i-\tau )=[l_{tr}(i)-O_{tr}(i)]{[l_{tr}(i-\tau )-O_{tr}(i)]}^T$$

(23)

where $O_{tr}(i)={\displaystyle {\sum }_{k=0}^{M_L-1}{l}_{tr}(i-k)}/M_L$. Furthermore, if $l(i-M_L)$ is considered as the observation origin, then $l_{tr}(i-k)$ can be expressed as follows:

$$l_{tr}(i-k)=l_{tr}(i-M_L)+{\displaystyle \sum _{m=k}^{M_L-1}{v}_{tr}(i-m)}$$

(24)

where the true increment $v_{tr}(i)=l_{tr}(i)-l_{tr}(i-1)$. By substituting Equation (24) into Equation (23), the following equation can be obtained:

$${\tilde{R}}_L(i,i-\tau )=[{\displaystyle \sum _{m=0}^{M_L-1}{v}_{tr}(i-m)}-O_V(i)]{[{\displaystyle \sum _{m=\tau }^{M_L-1}{v}_{tr}(i-m)}-O_V(i)]}^T$$

(25)

where $O_V(i)={\displaystyle {\sum }_{m=0}^{M_L-1}(m+1)\cdot v_{tr}(i-m)}/M_L$.

By the above steps, the autocorrelation function of the location data is expressed in terms of true location increments. When $V(I)$ satisfies the stationary conditions, the true location increments $v_{tr}(i)$ can be accurately estimated, and thus the location correlation ${\tilde{R}}_L(i,i-\tau )$ can be calculated according to Equation (25).

4.2. Quantized Correlated Laplace Mechanism

As for the dynamic adjustment of the CLM filter, an adaptive adjustment based on parameter quantization is proposed to achieve a balance between the suppression of transient response and the dynamic tracking of the time-varying correlations.

4.2.1. Adaptive Adjustment Based on Parameter Quantization

To suppress the transient response, the CLM filter should be kept unchanged to reach the steady state. A simple strategy is to control the time interval for parameter adjustment. For example, consider the filter with the system function given in Equation (20). As shown by the results highlighted in blue in Figure 6, the filter is adjusted at the set time interval. However, this method faces the following two problems,

• It is difficult to determine the appropriate adjustment time. The CLM filter needs to be adjusted in time when the correlation of the output noise series does not match that of the original data. However, the time-varying data correlation is unpredictable, which makes it difficult to set the adjustment time interval in advance.
• It is difficult to compute the appropriate parameters of the CLM filter. To reduce the effects of estimation errors or transient changes of data, it is necessary to determine the final adjustment based on the correlation estimate over a period of time. However, the computation of the filter parameters is non-linear, which makes it difficult to solve for the optimized results.

To this end, an adaptive adjustment strategy is desired. The basic idea is to constantly perceive the difference between the output of CLM and the target data series in terms of data correlation, and the CLM filter is only adjusted when the difference exceeds a certain threshold. As shown by the results highlighted in red in Figure 6, it adjusts the filter only when necessary, ensuring that the filter remains as unchanged as possible.

In this paper, we consider an adaptive adjustment scheme of the CLM filter based on parameter quantization, called Quantized Correlated Laplace Mechanism (QCLM). Let $H_{CLM}=[B_{CLM},A_{CLM}]$ denote the CLM filter’s parameter vector, and $\mathcal{H}$ denote the space including all possible value of $H_{CLM}$. In QCLM, $\mathcal{H}$ is divided into $QNum$ mutually exclusive subspaces ${\mathcal{H}}_1,\cdots ,{\mathcal{H}}_{QNum}$, which are mapped as different vectors $H_1,\cdots ,H_{QNum}$ respectively. Thereby, the adjustment is realized as the following steps:

• Calculated the estimated parameter vector ${\widehat{H}}_{CLM}$ according to the autocorrelation function vector $R_X(i)$;
• Identify the corresponding subspace ${\widehat{H}}_{CLM}\in {\mathcal{H}}_q,q=1,\cdots ,QNum$, and set $H_{CLM}=H_q$.

The above parameter quantization inevitably introduces errors into the series-indistinguishability, which affects the actual privacy-preserving performance. To ensure the effectiveness of QCLM, the following requirements should be satisfied:

• For any subspace ${\mathcal{H}}_q,q=1,\cdots ,QNum$, it should be guaranteed that the actual privacy strength does not change significantly when replacing $H_{CLM}\in {\mathcal{H}}_q$ with $H_q$;
• It is not trivial to determine $QNum$. The larger the value of $QNum$, the smaller the quantization error, but it causes the CLM filter to change more frequently. Conversely, a smaller $QNum$ introduces a larger quantization error, but it allows the CLM filter to remain unchanged for a longer period of time.

Obviously, it is very difficult to quantize $H_{CLM}$ without any constrains. To implement QCLM, a basic idea is to map $H_{CLM}$ to a feature parameter, and thus the parameter quantization can be achieved by dividing the definition domain of this feature parameter.

4.2.2. QCLM Based on Lowpass Characteristic

Given that the autocorrelation function and the power spectrum form a Fourier pair, the power spectrum characteristics of the data series in the X and Y directions were analyzed. The results indicated that the power spectrum energy is mainly concentrated in the low frequencies (details are given in Section 5.1.4).Therefore, it is considered that series-indistinguishability can be approximated by constructing noise series with the same lowpass characteristics as the data series, and this method is called CLM-Lowpass.

In the case of the series $X(I)$, let $S_X(\omega )$ denote the power spectrum at a certain moment, where $\omega \in [-\pi ,\pi ]$ is the normalized angle frequency, and its lowpass cutoff frequency ${\omega }_X$ can be calculated by the following equation:

$$\underset{{\mathcal{C}}_{ILF}\in ℝ,\hspace{0.33em}{\omega }_X\in [0,\pi ]}{\arg \min }{\displaystyle {\int }_{-\pi }^{\pi }{[{\mathcal{C}}_{ILF}\cdot S_{ILF}(\omega |{\omega }_X)-S_X(\omega )]}^{2}d\omega }$$

(26)

where ${\mathcal{C}}_{ILF}$ denotes the amplitude factor and $S_{ILF}(\omega |{\omega }_X)$ denotes the power spectrum of an ideal lowpass filter with cutoff frequency at ${\omega }_X$, which is defined as follows:

$$S_{ILF}(\omega |{\omega }_X)=\left\{\begin{array}{lll}1& & \left|\omega \right|\le {\omega }_X\\ 0& & {\omega }_X<\left|\omega \right|\end{array}\right.$$

(27)

To approximate series-indistinguishability, the CLM filter is constructed to generate the Laplace noise series $N_X(I)$, whose power spectrum cutoff frequency, ${\omega }_{N_X}$, is also at ${\omega }_X$. The detailed calculation of the CLM filter’s parameters is discussed in Section 4.3.2.

As an example, the normalized power spectrum of the data and noise series, $S_X(\omega ),S_{N_X}(\omega )$, are shown in Figure 7a. Approximate series-indistinguishability does not require $S_{N_X}(\omega )$ to exactly match $S_X(\omega )$, but rather ensures that they have the same lowpass characteristics. Extensive experiments verified that, compared to original CLM, the changes in actual privacy strength induced by CLM-Lowpass are acceptable (details are given in Section 5.3.1).

In CLM-Lowpass, $H_{CLM}$ can be determined by the cutoff frequency of the noise power spectrum, ${\omega }_N$, so that the quantization of $H_{CLM}$ can be achieved by dividing ${\omega }_N$. Specifically, a basic quantization model is illustrated in Figure 7b, the normalized angular frequency interval $[0,\hspace{0.33em}\pi ]$ is divided into $QNum$ mutually exclusive subintervals $\{{\Omega }_1,{\Omega }_2,\cdots ,{\Omega }_{QNum}\}$, which are respectively mapped to $0<{\omega }_1<\cdots <{\omega }_{QNum}<\pi$. It can be defined as follows:

$$Quantize({\omega }_N)=\left\{\begin{array}{cc}{\omega }_1& {\omega }_N\in {\Omega }_1\\ ⋮& ⋮\\ {\omega }_{QNum}& {\omega }_N\in {\Omega }_{QNum}\end{array}\right.$$

(28)

In this way, the adaptive adjustment of the CLM filter can be implemented through the following steps:

• Estimate the power spectrum $S_X(\omega )$ from the autocorrelation function vector $R_X(i)$ and calculate its lowpass cutoff frequency ${\omega }_X$.
• Identify the corresponding subinterval ${\omega }_X\in {\Omega }_q,q=1,\cdots ,QNum$, and set ${\omega }_N={\omega }_q$, from which $H_{CLM}$ can be determined.

Thereby, QCLM is successfully implemented based on the lowpass characteristics of the data power spectrum, and this specific scheme is called QCLM-Lowpass. Next, we analyze the feasibility of applying QCLM-Lowpass for privacy preservation in continuous location data release.

4.2.3. Feasibility Analysis of QCLM-Lowpass

As for the two-dimensional location data series $L(I)=[X(I),Y(I)]$, the privacy mechanism $\mathcal{M}$ in this paper is implemented by applying QCLM-Lowpass separately in the X and Y directions. Specifically, it contains two independently operating QCLM-Lowpass components, denoted as ${\mathcal{M}}_X,{\mathcal{M}}_Y$, and the privacy process is as follows:

• At the release moment $t_i$, the Laplace noise $n_X(i),n_Y(i)~Lap(\lambda )$ are generated independently by ${\mathcal{M}}_X,{\mathcal{M}}_Y$, and then the perturbed location can be obtained $\tilde{l}(i)=l(i)+[n_X(i),n_Y(i)]$.
• During the continuous location data release, the CLM filters in ${\mathcal{M}}_X,{\mathcal{M}}_Y$ are separately adjusted by QCLM-Lowpass, so that the autocorrelation functions of $N_X(I)$,$X(I)$, and $N_Y(I)$, $Y(I)$ satisfy the following condition:

  $$\begin{array}{l}{R}_{N_X}(i,i-\tau )/R_{N_X}(i,i)=R_{XX}(i,i-\tau )/R_{XX}(i,i)\\ R_{N_Y}(i,i-\tau )/R_{N_Y}(i,i)=R_{YY}(i,i-\tau )/R_{YY}(i,i)\end{array}$$

  (29)
  Here, we analyze whether $\mathcal{M}$ can satisfy the privacy goals presented in Section 2.3.

a. 

The requirement of geo-indistinguishability.

Theorem  1.

The privacy scheme $\mathcal{M}$ satisfies $\sqrt{2}/\lambda$-geo-indistinguishability at each moment.

Proof of Theorem 1. 

In this scheme, the left side of Equation (12) can be expressed as follows:

$$\begin{array}{l}\frac{Pr\{\mathcal{M}[l(i)]=\tilde{l}(i)\}}{Pr\{\mathcal{M}[l^{\prime }(i)]=\tilde{l}(i)\}}=\frac{Lap[\tilde{x}(i)-x(i)|\lambda ]\cdot Lap[\tilde{y}(i)-y(i)|\lambda ]dxdy}{Lap[\tilde{x}(i)-x^{\prime }(i)|\lambda ]\cdot Lap[\tilde{y}(i)-y^{\prime }(i)|\lambda ]dxdy}\\ =\exp \{\frac{1}{\lambda }[\left|\tilde{x}(i)-x^{\prime }(i)\right|-\left|\tilde{x}(i)-x(i)\right|+\left|\tilde{y}(i)-y^{\prime }(i)\right|-\left|\tilde{y}(i)-y(i)\right|]\}\\ \le \exp \{\frac{1}{\lambda }[\left|x(i)-x^{\prime }(i)\right|+\left|y(i)-y^{\prime }(i)\right|]\}\\ \le \exp \left\{\frac{\sqrt{2}}{\lambda }\sqrt{{[x(i)-x^{\prime }(i)]}^2+{[y(i)-y^{\prime }(i)]}^2}\right\}\end{array}$$

Hence, the following result can be obtained:

$$\frac{Pr\{\mathcal{M}[l(i)]=\tilde{l}(i)\}}{Pr\{\mathcal{M}[l^{\prime }(i)]=\tilde{l}(i)\}}\le \exp \{\frac{\sqrt{2}}{\lambda }{d}_E[l(i),l^{\prime }(i)]\}$$

 □

b. 

The requirement of series-indistinguishability.

Theorem 2.

The privacy scheme $\mathcal{M}$ achieves series-indistinguishability if the correlation between $X(I)$ and $Y(I)$ can be ignored.

Proof of Theorem 2. 

In this situation, the series $X(I),Y(I),N_X(I),N_Y(I)$ are independent of each other, then the following cross-correlation functions can be obtained:

$$\begin{array}{l}{R}_{XY}(i,i-\tau )=R_{YX}(i,i-\tau )=0\\ R_{\tilde{X}\tilde{Y}}(i,i-\tau )=R_{\tilde{Y}\tilde{X}}(i,i-\tau )=0\end{array}$$

According to Equation (29), the normalized autocorrelation functions of $\tilde{X}(I),\tilde{Y}(I)$ satisfy the following:

$$\begin{array}{l}\frac{R_{\tilde{X}\tilde{X}}(i,i-\tau )}{R_{\tilde{X}\tilde{X}}(i,i)}=\frac{R_{XX}(i,i-\tau )+R_{N_X}(i,i-\tau )}{R_{XX}(i,i)+R_{N_X}(i,i)}=\frac{R_{XX}(i,i-\tau )}{R_{XX}(i,i)}\\ \frac{R_{\tilde{Y}\tilde{Y}}(i,i-\tau )}{R_{\tilde{Y}\tilde{Y}}(i,i)}=\frac{R_{YY}(i,i-\tau )+R_{N_Y}(i,i-\tau )}{R_{YY}(i,i)+R_{N_Y}(i,i)}=\frac{R_{YY}(i,i-\tau )}{R_{YY}(i,i)}\end{array}$$

Thus, the autocorrelation function matrix of $\tilde{L}(I)$ satisfies the following:

$$\begin{array}{ll}{R}_{\tilde{L}}(i,i-\tau )\oslash R_{\tilde{L}}(i,i)& =\left[\begin{array}{cc}{R}_{\tilde{X}\tilde{X}}(i,i-\tau )/R_{\tilde{X}\tilde{X}}(i,i)& 0\\ 0& R_{\tilde{Y}\tilde{Y}}(i,i-\tau )/R_{\tilde{Y}\tilde{Y}}(i,i)\end{array}\right]\\ & =\left[\begin{array}{cc}{R}_{XX}(i,i-\tau )/R_{XX}(i,i)& 0\\ 0& R_{YY}(i,i-\tau )/R_{YY}(i,i)\end{array}\right]\\ & =R_L(i,i-\tau )\oslash R_L(i,i)\end{array}$$

Thus, $L(I),\tilde{L}(I)$ are series-indistinguishable. □

c. 

The analysis of quantization errors.

This paper considers the more robust series-indistinguishability defined by Equation (7) and analyzes the effect of quantization errors introduced by QCLM-Lowpass on series-indistinguishability.

In some works [20,21], the location data series was described using a low-order autoregressive model. Consequently, this paper assumed that the noise series $N$ satisfies a second order autoregressive model, and its system function can be expressed as follows:

$$H_N(z)=\frac{1}{(1-{\xi }_1{z}^{-1})(1-{\xi }_2{z}^{-1})}$$

(30)

where ${\xi }_1,{\xi }_2$ are the poles. It is considered that the cutoff frequency of the noise power spectrum ${\omega }_N\in (0.05\pi ,0.8\pi )$, and ${\xi }_1,{\xi }_2$ can be calculated by the following function:

$$\underset{\left|{\xi }_1\right|,\left|{\xi }_2\right|\le 1,\hspace{0.33em}{\mathcal{C}}_N\in ℝ}{\arg \min }{\displaystyle {\int }_{-\pi }^{\pi }{[{\mathcal{C}}_N\cdot {‖H_N(z){|}_{z=e^{j\omega }}‖}_2^2-S_{ILF}(\omega |{\omega }_N)]}^{2}d\omega }$$

(31)

where ${\mathcal{C}}_N$ denotes the amplitude coefficient. It is found that the results of Equation (31) are conjugate complex poles with the modulus and azimuth, $\gamma ,\theta$, which can be approximated in terms of ${\omega }_N$:

$$\begin{array}{l}\gamma =\sqrt{{\xi }_1{\xi }_2}\approx 0.0487{{\omega }_N}^2-0.3544{\omega }_N+0.9802\\ \theta =\arccos (\frac{{\xi }_1+{\xi }_2}{2\sqrt{{\xi }_1{\xi }_2}})\approx -0.1058{{\omega }_N}^2+0.7907{\omega }_N-0.0222\end{array}$$

(32)

In this case, the normalized autocorrelation function, ${\overline{R}}_N(\tau |{\omega }_N)$, can be expressed as follows:

$${\overline{R}}_N(\tau |{\omega }_N)={\gamma }^{\tau }[\frac{1-{\gamma }^2}{1+{\gamma }^2}\cot (\theta )\sin (\tau \theta )+\cos (\tau \theta )]$$

(33)

where $\tau \in \mathbb{N}$ denotes the lag of the autocorrelation function. As shown in Figure 8a, the larger the value of ${\omega }_N$, the faster ${\overline{R}}_N(\tau |{\omega }_N)$ decays to 0.

Hence, the difference in autocorrelation function caused by the quantization error $\Delta \omega$ can be expressed as follows:

$$\Delta {\overline{R}}_N(\tau |{\omega }_N,\Delta \omega )={\overline{R}}_N(\tau |{\omega }_N+\Delta \omega )-{\overline{R}}_N(\tau |{\omega }_N)={\overline{R}}_N^{\prime }(\tau |{\tilde{\omega }}_N)\cdot \Delta \omega$$

(34)

where the mean value theorem is utilized, $\left|{\tilde{\omega }}_N-{\omega }_N\right|\le \left|\Delta \omega \right|$, and ${\overline{R}}_N^{\prime }(\tau |{\omega }_N)$ is defined as follows:

$$\begin{array}{r}{\overline{R}}_N^{\prime }(\tau |{\omega }_N)=\frac{d{\overline{R}}_N(\tau |{\omega }_N)}{d{\omega }_N}={\gamma }^{\tau -1}[\tau \cos (\tau \theta )-\frac{\tau {\gamma }^4+4{\gamma }^2-\tau }{{(1+{\gamma }^2)}^2}\cot (\theta )\sin (\tau \theta )]\frac{d\gamma }{d{\omega }_N}\\ +{\gamma }^{\tau }[\frac{1-{\gamma }^2}{1+{\gamma }^2}\frac{\tau \sin (2\theta )\cos (\tau \theta )-2\sin (\tau \theta )}{2{\sin }^2(\theta )}-\tau \sin (\tau \theta )]\frac{d\theta }{d{\omega }_N}\end{array}$$

(35)

By substituting Equation (32) into Equation (35), the approximation of ${\overline{R}}_N^{\prime }(\tau |{\omega }_N)$ can be obtained as shown in Figure 8b. Thereby, the following conclusions can be drawn:

• $\Delta {\overline{R}}_N(\tau |{\omega }_N,\Delta \omega )$ is bounded with respect to $\Delta \omega$.
• $\Delta {\overline{R}}_N(\tau |{\omega }_N,\Delta \omega )$ is not linearly related to $\Delta \omega$ and shows a tendency to decay to 0 as ${\omega }_N$, $\tau$ increase.

Based on the same analytical approach, the above conclusions can be generalized to higher-order models.

In summary, the impact of the quantization error in QCLM-Lowpass on series-indistinguishability is controllable. Based on this quantitative relationship, the deviation of series-indistinguishability can be kept within the expected range by setting the quantization scheme. In addition, the division of ${\omega }_N$ should not be uniform. Intuitively, the granularity of the division is finer in the low-frequency part, while the high-frequency part can be relaxed.

4.3. Algorithmic Implementation

There are some problems in the application of QCLM-Lowpass that should be discussed, and then the algorithmic implementation is given.

4.3.1. Quasi-Stationary State Identification

The correlation estimation method proposed in Section 4.1 is applicable only if the location increments satisfy the stationary conditions. Therefore, it is necessary to identify the stationary state of the location increments.

In this paper, the stationary conditions are relaxed to allow the mean and autocorrelation function to vary within a reasonable range, called the quasi-stationary state, denoted as $QS$. Considering that $V(I)$ is stationary when the user is moving in uniform linear motion, the quasi-stationary state is identified based on the change of the location increments’ modulus $\left|v(i)\right|$ and azimuth $\phi (i)$:

$$\left\{\begin{array}{c}\left|v(i)\right|=\sqrt{{[v_X(i)]}^2+{[v_Y(i)]}^2}\\ \phi (i)=\arctan [v_Y(i)/v_X(i)]\end{array}\right.$$

(36)

For the data in window with size $M_V+1$, $V_W(i)={[v(i-M_V),\cdots ,v(i)]}^T$, let ${|v|}_i^{\prime },\hspace{0.33em}{|v|}_i^{″}$ denote the minimum and maximum modulus and $\Delta {\phi }_i$ denote the maximum change in azimuth:

$${|v|}_i^{\prime }=\underset{k\in [0,M_V]}{\min }[|v(i-k)|]$$

(37)

$${|v|}_i^{″}=\underset{k\in [0,M_V]}{\max }[|v(i-k)|]$$

(38)

$$\Delta {\phi }_i=\underset{k,m\in [0,M_V]}{\max }angle[\phi (i-k)-\phi (i-m)]$$

(39)

where $angle({\theta }_k,{\theta }_m)$ is the angle between two azimuths:

$$angle({\theta }_k-{\theta }_m)=\left\{\begin{array}{cc}\left|{\theta }_k-{\theta }_m\right|& \left|{\theta }_k-{\theta }_m\right|\le \pi \\ 2\pi -\left|{\theta }_k-{\theta }_m\right|& other\end{array}\right.$$

(40)

In the quasi-stationary state, ${|v|}_i^{\prime },\hspace{0.33em}{|v|}_i^{″},\hspace{0.33em}\Delta {\phi }_i$ should satisfy the following conditions:

$$\Delta {\phi }_i\le {\Phi }_{QS}$$

(41)

$${|v|}_i^{″}-{|v|}_i^{\prime }\le {\eta }_{QS}^{\prime }\cdot {\displaystyle \sum _{m=1}^{M_V}|v(i-m)|}$$

(42)

$${({|v|}_i^{″})}^2-{({|v|}_i^{\prime })}^2\le {\eta }_{QS}^{″}\cdot {\displaystyle \sum _{m=1}^{M_V}{[|v(i-m)|]}^2}$$

(43)

where ${\Phi }_{QS},{\eta }_{QS}^{\prime },{\eta }_{QS}^{″}$ are the thresholds for relative changes in azimuth, modulus, and squared modulus, respectively. Intuitively, the smaller the value of ${\Phi }_{QS},{\eta }_{QS}^{\prime },{\eta }_{QS}^{″}$, the more stationary the series $V(I)$.

To reduce the effects of estimation errors or transient changes in the data, the actual state is determined based on the estimated results over a period of time. Let $\widehat{\mathcal{S}}(i)$ denote the estimated state from Equations (41)–(43) at the moment $t_i$, and $\mathcal{S}(i)$ denote the actual state. As for the estimated results in the window with the size of $M_{\widehat{\mathcal{S}}}$, if any of the following conditions hold:

$$\forall k\in [0,M_{\widehat{\mathcal{S}}}-1]:\widehat{\mathcal{S}}(i-k)=QS$$

(44)

$$\mathcal{S}(i-1)=QS\hspace{0.33em}and\hspace{0.33em}\exists k\in [0,M_{\widehat{\mathcal{S}}}-1]:\widehat{\mathcal{S}}(i-k)=QS$$

(45)

then the actual state $\mathcal{S}(i)=QS$.

In addition, there are inevitable errors in $V(I)$, which affect the accuracy of the quasi-stationary state identification and the location correlation estimation. Therefore, the noise reduction is necessary to estimate the true location increments. However, how to achieve the adaptive filtering for $V(I)$ is not the focus of this paper and is not discussed in detail here.

4.3.2. CLM Filter Design

The CLM filter is constructed by an all-pole filter, and the system function is as follows:

$$H_{CLM}(z)=\frac{1}{{\displaystyle \sum _{m=0}^{O_{CLM}}{a}_m{z}^{-m}}}=\frac{1}{{\displaystyle \prod _{m=0}^{O_{CLM}}(1-{\xi }_m{z}^{-1})}}$$

(46)

where $O_{CLM}$ denotes the filter order, the parameter vector $A_{CLM}=[a_1,\cdots ,a_{O_{CLM}}]$ while $a_0=1$. Let ${\Xi }_{CLM}={[{\xi }_1,\cdots ,{\xi }_{O_{CLM}}]}^T$ denote the pole vector. To ensure the stability of the filter, it should be satisfied that $|{\xi }_m|<1,\hspace{0.33em}m=1,\cdots ,O_{CLM}$.

According to Equation (9) with the convolution theorem, it can be seen that the Laplace noise series’ power spectrum $S_N(\omega )$ is the result of the convolution of the correlated Gaussian noise’ power spectrum $S_{G^{\prime }}(\omega )$ with itself. In the interval $[0,2\pi ]$, it behaves as a circular convolution, which can be expressed as follows:

$$S_N(\omega )=\frac{4}{\pi }{\displaystyle {\int }_0^{2\pi }{S}_{G^{\prime }}(\upsilon )\cdot S_{G^{\prime }}[{(\omega -\upsilon )}_{mod\hspace{0.33em}2\pi }]}d\upsilon$$

(47)

and $S_{G^{\prime }}(\omega )$ can be calculated as follows:

$$S_{G\prime }(\omega )={\sigma }_G^2\cdot {‖H_{CLM}(z){|}_{z=e^{j\omega }}‖}_2^2$$

(48)

Similar to Equation (26), the poles vector ${\Xi }_{CLM}$ can be computed by allowing $S_N(\omega )$ to approximate $S_{ILF}(\omega |{\omega }_N)$, which can be expressed as follows:

$$\underset{{\mathcal{C}}_N\in ℝ,\hspace{0.33em}{\Xi }_{CLM}}{\arg \min }{\displaystyle {\int }_{-\pi }^{\pi }{[{\mathcal{C}}_N\cdot S_N(\omega |{\Xi }_{CLM})-S_{ILF}(\omega |{\omega }_N)]}^{2}d\omega }$$

(49)

where ${\mathcal{C}}_N$ denotes the amplitude coefficient, and the CLM filter is limited to a lowpass filter. In this way, the parameter vector $A_{CLM}$ can be determined by the cutoff frequency ${\omega }_N$.

In QCLM-Lowpass, the CLM filter is set with different levels by parameter quantization, and these levels, corresponding to ${\omega }_N={\omega }_1,{\omega }_2,\cdots ,{\omega }_{QNum}$, are respectively denoted as $\mathcal{L}=1,2,\cdots ,QNum$. Intuitively, the correlation of the Laplace noise series will decrease as $\mathcal{L}$ increases. In practice, a matrix with size $QNum\times O_{CLM}$, denoted as $Param$, is used to store the parameters of the CLM filter in different levels, where each row corresponds to one level. The level $\mathcal{L}$ can be used as the index to obtain corresponding parameter vector $A_{CLM}=Param(\mathcal{L})$.

4.3.3. Quantization Scheme

Recalling the basic requirements presented in Section 4.2.1 and the conclusions on quantization error in Section 4.2.3, based on experiments with real data, it is empirically found that the following quantization scheme achieves a better privacy-preserving effect,

$$Quantize({\omega }_N)=\left\{\begin{array}{cc}0.1\pi \hfill & {\omega }_N\in \left(0,0.1\pi \right]\hfill \\ 0.125\pi \hfill & {\omega }_N\in \left(0.1\pi ,0.15\pi \right]\hfill \\ 0.175\pi \hfill & {\omega }_N\in \left(0.15\pi ,0.2\pi \right]\hfill \\ 0.25\pi \hfill & {\omega }_N\in \left(0.2\pi ,0.3\pi \right]\hfill \\ 0.35\pi \hfill & {\omega }_N\in \left(0.3\pi ,0.4\pi \right]\hfill \\ 0.45\pi \hfill & {\omega }_N\in \left(0.4\pi ,\pi \right]\hfill \end{array}\right.$$

(50)

Note that the value of $Quantize({\omega }_N)$ is limited between $0.1\pi$ and $0.45\pi$. This is because when ${\omega }_N$ is less than $0.1\pi$, the poles of the CLM filter are close to the unit circle, and it takes longer for the filter to return to the steady state after adjustment. This affects the real-time processing performance of the scheme and also tends to make the filter unstable. In addition, due to the limited filter order, there is a trailing phenomenon in the noise power spectrum. As ${\omega }_N$ increases, there will be some high-frequency noise that can be easily filtered out. Therefore, considering the power spectrum characteristics of real data, ${\omega }_N$ is limited to no more than $0.45\pi$.

4.3.4. Level Identification

To satisfy the demands of real-time processing, it is necessary for the privacy mechanism to quickly determine the level $\mathcal{L}$ of the CLM filter. Given that $R_N(\tau )$ and $S_N(\omega )$ are Fourier transform pairs, there is a certain correspondence between them in the shape of the curves. Intuitively, the steeper the curve of $R_N(\tau )$, the flatter the curve of $S_N(\omega )$. Therefore, a linear regression is performed on $R_N(\tau )$ and the opposite of its slope, denoted as $\chi$, is considered as the feature parameter for level identification:

$$\chi =\frac{6\Upsilon {\displaystyle \sum _{\tau =0}^{\Upsilon }{R}_N(\tau )}-12{\displaystyle \sum _{\tau =0}^{\Upsilon }\tau \cdot R_N(\tau )}}{\Upsilon (\Upsilon +1)\left(\Upsilon +2\right)R_N(0)}$$

(51)

where $\Upsilon$ denotes the maximum lag of $R_N(\tau )$. The larger the value of $\chi$, the steeper the curve of $R_N(\tau )$ and the lower the correlation of the noise series, requiring a higher level of the CLM filter.

Based on extensive real data, the distribution of $\chi$ corresponding to different quantized intervals in Equation (50) is analyzed, where $\Upsilon =3$. The details are given in Section 5.3.3. The following level identification method $\mathcal{L}=Identify(\chi )$ is empirically obtained:

$$Idenfity(\chi )=\left\{\begin{array}{cc}1& \chi \in [0,0.1055)\\ 2& \chi \in [0.106,0.1855)\\ 3& \chi \in [0.1855,0.2235)\\ 4& \chi \in [0.2235,0.3595)\\ 5& \chi \in [0.3595,0.4705)\\ 6& \chi \in [0.4705,1)\end{array}\right.$$

(52)

Similar to the quasi-stationary state identification, the actual level of the CLM filter is determined based on the estimated results over a period of time. Let $\widehat{\mathcal{L}}(i)$ denote the estimated level from Equation (52) at the moment $t_i$, and the estimated level change is denoted as $\psi (i)=\mathrm{sgn}[\widehat{\mathcal{L}}(i)-\widehat{\mathcal{L}}(i-1)]$, where $\mathrm{sgn}(\cdot )$ is sign function. Then, the results in the window with the size of $M_{\Psi }+1$ are used to determine the actual level $\mathcal{L}(i)$. Specifically, the CLM filter is adjusted only if $\forall m\in [0,M_{\Psi }-1]:\psi (i-m)=0$:

$$\mathcal{L}(i)=\mathcal{L}(i-1)+\psi (i-M_{\Psi })$$

(53)

In this way, the CLM filter can only be adjusted between adjacent levels to avoid drastic changes.

4.3.5. Gain Coefficients

As described in Section 3.2.2, due to the transient response, the actual output cannot be normalized based on the steady-state response during the transition phase. Therefore, it is necessary to set the gain coefficient vector $K={[{\kappa }_0,\cdots ,{\kappa }_{M_T}]}^T$ for the transition phase, where $M_T$ is the window size of the transition phase, while ${\kappa }_m,m=0,\cdots ,M_T$ denotes the gain coefficient at the $m$-th moment after adjustment; in particular, let ${\kappa }_{M_T}={\kappa }_{CLM}$ given in Equation (11).

Due to the parameter quantization, $K$ can be easily obtained. More specifically, by simulating the CLM filter switched between different levels, the Laplace scales of the actual output at different moments can be estimated, so that the reasonable value of $M_T$ and $K$ can be determined.

A matrix with size $QNum\times QNum\times (M_T+1)$, denoted as $GainCoeff$, is used to store the gain coefficients in different level shifts, and $({\mathcal{L}}_1,{\mathcal{L}}_2)$ is used to as the index to obtain the gain coefficient vector, $K=GainCeoff({\mathcal{L}}_1,{\mathcal{L}}_2)$, which corresponds to the CLM filter switching from level ${\mathcal{L}}_1$ to level ${\mathcal{L}}_2$.

4.3.6. Implementation of QCLM-Lowpass

Similar to DCLM, QCLM-Lowpass is considered to be a program object in which CLM is a member. The main attributes and methods are given in

Table 3. Main attributes and methods of the QCLM-Lowpass object.

QCLM-Lowpass
Attributes
$Param$	$QNum\times O_{CLM}$ matrix	the parameter vectors at different levels, defined in Section 4.3.2
$GainCoeff$	$QNum\times QNum\times (M_T+1)$ matrix	the gain coefficients in different level shifts, defined in Section 4.3.5
$K=[{\kappa }_m]$	$1\times (M_T+1)$ vector	the gain coefficient vector
$\iota$	integer	the index of the gain coefficient vector
$\Psi =[{\psi }_m]$	$1\times (M_{\Psi }+1)$ vector	${\psi }_m,m=1,\cdots ,M_{\Psi }+1$ is the estimated level change, defined in Section 4.3.4
$\widehat{\mathcal{L}},\mathcal{L}$	integer	$\widehat{\mathcal{L}},\mathcal{L}$ denote the estimated and actual level of the CLM filter
Methods
$Initialization(Param,GainCoeff,{\Psi }_W,\widehat{\mathcal{L}},\mathcal{L},CLM)$:    Set $Param,GainCoeff$;    Set $\Psi$: $1\times (M_{\Psi }+1)$ zeros vector, and $\widehat{\mathcal{L}}=\mathcal{L}=QNum$;    Set $K=GainCoeff(QNum,QNum)$, and the index $\iota =1$;    Initialize the member $CLM$;
${\widehat{\mathcal{L}}}_{CLM}=Identify(\chi )$:    Determine the estimated level ${\widehat{\mathcal{L}}}_{CLM}$ according to the feature parameter $\chi$, defined in Section 4.3.4.
$n=Iteration(R)$:    Adjust the CLM filter based on the autocorrelation function vector $R$, and generate the Laplace noise $n$.

.

At the beginning of the application, the method $Initialization$ is used to set the attributes of QCLM-Lowpass and initialize CLM. By default, the CLM filter’s initial level is set as $QNum$, and its parameter vector and gain coefficient are set accordingly. At each moment, the method $Iteration$ is called to adjust the CLM filter and generate the Laplace noise, and its technical description is given in Algorithm 3.

Algorithm 3. QCLM-Lowpass: $Iteration$
Input: the autocorrelation function vector $R$
Output: the Laplace noise $n$
1	Calculate the feature parameter $\chi$ according to $R$;
2	Calculate the estimated level ${\widehat{\mathcal{L}}}_{CLM}$ according to $\chi$,
	${\widehat{\mathcal{L}}}_{CLM}=Identify(\chi )$
3	Update $\Psi$,
	$\begin{array}{cc}{\psi }_{m-1}\leftarrow {\psi }_m& m=2,\cdots ,M_{\Psi }+1\\ {\psi }_m\leftarrow \mathrm{sgn}({\widehat{\mathcal{L}}}_{CLM}-\widehat{\mathcal{L}})& m=M_{\Psi }+1\end{array}$
4	if $\iota \le M_T$ then
5	Keep the actual level unchanged ${\mathcal{L}}_{CLM}=\mathcal{L}$;
6	Update the index $\iota =\iota +1$;
7	Set the gain coefficient $\kappa =K(\iota )$;
8	Update the gain coefficient of CLM
	$CLM.UpdateGainCoeff(\kappa )$
9	elseif ${\psi }_1\ne 0$ and ${\displaystyle {\sum }_{m=2}^{M_{\Psi }+1}\left|{\psi }_m\right|}=0$ then
10	Calculate the actual level ${\mathcal{L}}_{CLM}=\mathcal{L}+{\psi }_1$;
11	Calculate the parameter vector $A=Param({\mathcal{L}}_{CLM})$;
12	Calculate the gain coefficient vector $K=GainCoeff(\mathcal{L},{\mathcal{L}}_{CLM})$;
13	Set $\iota =1$, and the gain coefficient $\kappa =K(\iota )$
14	Update the parameters of CLM
	$\begin{array}{l}CLM.UpdateParam([],A)\\ CLM.UpdateGainCoeff(\kappa )\end{array}$
15	else
16	Keep the actual level unchanged ${\mathcal{L}}_{CLM}=\mathcal{L}$;
17	end if
18	Update $\widehat{\mathcal{L}},\mathcal{L}$,
	$\begin{array}{l}\widehat{\mathcal{L}}\leftarrow {\widehat{\mathcal{L}}}_{CLM}\\ \mathcal{L}\leftarrow {\mathcal{L}}_{CLM}\end{array}$
19	Generate the Laplace noise $n=CLM.LaplaceGeneration( )$
20	return n

Lines 1–3 calculate the feature parameter $\chi$, from which the estimated level ${\widehat{\mathcal{L}}}_{CLM}$ is obtained, and then update the estimated level change record. In lines 4–8, when the CLM filter is in the transient phase, only the gain coefficient is updated without adjusting the parameter vector. When the CLM filter is in the steady state, the estimated level change record is used to determine whether a parameter adjustment is required, and the conditions are shown in line 9. If it is, then the actual level of the CLM filter is calculated, and its parameters and the gain coefficient are updated in lines 10–14; otherwise, the filter is left unchanged in line 15. Finally, CLM is called to generate the Laplace noise and return in lines 19–20.

5. Experimental Evaluation

In this study, we conducted experiments on real-life datasets to evaluate QCLM-Lowpass. First, the stationarity and the power spectrum characteristics of the actual location data were analyzed. Then, the effectiveness of QCLM-Lowpass was verified. Finally, its performance in privacy protection and data availability were evaluated. All experiments were performed using MATLAB 2023a on a computer with the Intel(R) Xeon(R) CPU E3-1240 v5 @ 3.50GHz and 16GB of memory.

5.1. Experimental Datasets

5.1.1. Real Datasets

The following three real-life datasets were used in experiments:

• GeoLife [22,23,24]. The dataset contains trajectory data from 182 volunteers between April 2007 and August 2012, containing 17,621 trajectories with a total distance span of 1,292,951 km.
• T-Drive [25,26]. This dataset collects the trajectories of 10,357 taxis in Beijing between 2 February 2008 and 8 February 2008, and contains more than $1.5\times {10}^7$ location points with a total distance of $9\times {10}^6$ km.
• OpenStreetMap(OSM) (https://www.openstreetmap.org/traces, accessed on 17 July 2022). It is a collaborative online mapping project that allows users to share their trajectories. We downloaded 406,399 trajectories with more than $1.7\times {10}^9$ locations between May 2016 and May 2022, including location data with high-frequency sampling (less than 1 s) and high accuracy (less than 1 m).

5.1.2. Data Preprocessing

Since increased time interval $\Delta t$ leads to decreased data correlation and the appearance of spectral aliasing, this paper required that $1\le \Delta t\le 10$. The location series satisfying this condition were extracted from real datasets with linear interpolation, which was constrained by two conditions: (1) consecutive interpolations cannot exceed two times; (2) total interpolations cannot exceed 20% of the current data series length. After applying a length threshold of 200, a total of 177,089 location series were retained for analysis.

Figure 9 presents the distribution of sampling intervals and velocity in different datasets. In OpenStreetMap, approximately 92.3% of the data is collected with a sampling interval of 1 s, with 38.25% of these observations corresponding to low-velocity conditions (0–1.5 m/s). In the GeoLife dataset, the sampling intervals predominantly occurred at 1 s (40.55%), 2 s (31.89%), and 5 s (23.51%), covering a range of motion scenarios with varying velocities. Conversely, the T-Drive dataset exhibited sampling intervals chiefly at 5 s (62.30%) and 10 s (29.44%), which are typically associated with low-velocity conditions. These results demonstrate the diversity of the experimental data and reflect the applicability of the experimental conclusions in this paper.

5.1.3. Stationary Analysis

Recall from Section 4.3.1 that the location series whose increments satisfy the quasi-stationary state conditions were screened out, where the quasi-stationary state thresholds were set as ${\Phi }_{QS}=5\pi /36,\hspace{0.33em}{\eta }_{QS}^{\prime }={\eta }_{QS}^{″}=0.1$ and the window size for estimation and state identification were $M_V=⌊60/\Delta t⌋$ and $M_{\widehat{\mathcal{S}}}=⌊30/\Delta t⌋$.

Figure 10a presents the results in different sampling intervals. In the real datasets covered in this paper, the data series with quasi-stationary increments occupy 27.46%, where the results in the sampling intervals of 1 s, 2 s, and 5 s are higher than 25%. This indicates that the correlation estimation method proposed in this paper has a wider range of applicable scenarios.

Afterwards, segments with lengths less than 200 were filtered out, resulting in 134,691 location series for subsequent experiments.

5.1.4. Power Spectrum Characterization

Based on the correlation estimation method in Section 4.1, the power spectrum characteristics of real location data were analyzed using a third order AR model, where the estimation window size was set as $M_L=⌊60/\Delta t⌋$. The power spectrum of each sliding window in the X and Y directions was estimated and its 6 dB, 12 dB, and 20 dB attenuation frequency were counted, and the cumulative distribution are shown in Figure 10b. Results reveals that the energy of the power spectrum is mainly concentrated in the low frequency part, where the 20 dB attenuation frequency is mainly distributed below 0.04 Hz. To achieve series-indistinguishability, the noise power spectrum should also satisfy this lowpass characteristics, which is the basis of QCLM-Lowpass.

5.2. Experimental Configurations

5.2.1. Competitors

To evaluate the performance of QCLM-Lowpass, we compare it with several CLM filter adjustment schemes and a representative privacy scheme based on the Markov model:

• IID. This is the classical Laplace mechanism that adds independently and identically distributed Laplace noise to the data series, which is used as the basic reference in this paper.
• DCLM. Recall from Section 3.1 that this scheme calculates the CLM filter parameter directly based on the estimated data correlation, and thus dynamically adjusts the filter. In the experiments, the adjustment step is set as $u_{DCLM}=0.01$.
• NonQCLM. In contrast to QCLM-Lowpass, this scheme dynamically adjusts the noise power spectrum cutoff frequency ${\omega }_N$ instead of quantizing it, with the adjustment step being set as ${\mu }_{\omega }=0.01$ in experiments.
• Markov-GRR, which was proposed in [17]. The setup is described in Section 5.4.

In DCLM, NonQCLM, and QCLM-Lowpass, the CLM filter was implemented using a third order all-pole filter, with initial parameter values set according to the highest level in QCLM-Lowpass. The window size of correlation estimation was set as $M_L=⌊60/\Delta t⌋$. The window size of level identification and transition phase in QCLM-Lowpass were set as $M_{\Psi }=⌊30/\Delta t⌋$ and $M_T=30$ respectively.

5.2.2. Evaluation Metrics

The following metrics were used to evaluate the effectiveness of the privacy scheme with respect to data availability and privacy protection.

The data availability was measured by the mean perturbation distance (MPD):

$$MPD=\frac{1}{|L|}{\displaystyle \sum _{l\in L}{d}_E(l,\tilde{l})}$$

(54)

where $|L|$ denotes the num of locations, $l,\tilde{l}$ denote the original and perturbed location, respectively. This metric is independent of the specific application and can therefore be considered a generalized availability evaluation metric [16]. Intuitively, the larger the MPD value, the more the data is disturbed, resulting in a greater loss of data availability.

To measure the privacy protection strength for the single location $l$, we calculated the ${\epsilon }_l$-geo-indistinguishability achieved by the privacy scheme within the region $Area=\{l^{\prime }|d_E(l^{\prime },l)\le r_{eff}\}$, i.e., for $\forall \tilde{l},{\tilde{l}}^{\prime }\in Area$, the privacy scheme $\mathcal{M}$ satisfies the following inequation:

$$\frac{Pr[\mathcal{M}(l)=\tilde{l}]}{Pr[\mathcal{M}(l)={\tilde{l}}^{\prime }]}\le \exp [{\epsilon }_l\cdot d_E(\tilde{l},{\tilde{l}}^{\prime })]$$

(55)

where $r_{eff}$ denotes the radius of the focus area.

In addition, for the location dataset, $L_{Set}$, we characterized its overall privacy strength, ${\mathcal{E}}_{\varphi },0\le \varphi \le 1$, using the privacy strength satisfied by most locations in it, that is, for $\forall l\in L_{Set}$:

$$Pr({\epsilon }_l\le {\mathcal{E}}_{\varphi })\ge 1-\varphi$$

(56)

Specifically, ${\mathcal{E}}_0$ indicates the worst-case privacy loss. In this way, the impact of individual statistical results on the overall evaluation results can be reduced.

In the experiment, each privacy mechanism was repeated 500,000 times and the distribution of the noise at each moment was counted, from which MPD and the privacy strength was calculated.

5.2.3. Filtering Attack

The filtering attack [12] was used to evaluate the actual effectiveness of the privacy scheme. The difference in privacy strength before and after the attack indicates the ability to resist the correlation-based attack.

Specifically, the 20 dB attenuation frequency of the data power spectrum is considered the cutoff frequency, and a fourth order Butterworth model is adopted to design the lowpass filter to implement the attack, where the minimum normalized cutoff frequency is set as $0.1\pi$. For the time-varying data correlation, it is necessary to adjust the lowpass cutoff frequency accordingly, and the adjustment step was set to 0.05 in the experiment.

5.3. Validity Analysis of QCLM-Lowpass

There are two simplified operations in QCLM-Lowpass: CLM-Lowpass and parameter quantization. First, the effectiveness of CLM-Lowpass was analyzed, and then the effect of parameter quantization on privacy strength was analyzed. Finally, the performance of QCLM-Lowpass was demonstrated in continuous location data release.

5.3.1. Effectiveness of CLM-Lowpass

To validate the CLM-Lowpass, extensive stationary one-dimensional data series with different power spectra were simulated based on the results in Section 5.1.4, and then the privacy strength of original CLM and CLM-Lowpass were compared under the filtering attack.

Figure 11 illustrates the results of one simulation experiment, with the power spectrum of the target data and noise series shown in Figure 11a, where the lowpass characteristic is marked by the dashed line.

In this experiment, the length of simulated data series was 1000 and the privacy budget and sensitivity were set as $\epsilon$ = 0.2, 0.4, 0.6, and 0.8 and $\Delta f=10$, while $\delta =0.05$ in the calculation of differential privacy strength ${\epsilon }^{\prime }$ under filtering attack. Figure 11b presents the results of different privacy schemes. The results of original CLM and CLM-Lowpass are very close, and the maximum relative percentage difference between them is 4.03%. This indicates that there is no significant difference between the two methods with the significance criterion of 5%. And this conclusion was supported by all simulation experiments. Therefore, CLM-Lowpass is feasible in the scenarios covered in this paper.

5.3.2. Effectiveness of Parameter Quantization

To analyze the effect of parameter quantization on the privacy strength, we compared the privacy strength achieved by noise series with different lowpass cutoff frequencies under the filtering attack.

In the experiment, the lowpass cutoff frequency of the data power spectrum, ${\omega }_X$, was simulated to vary from $0.05\pi$ to $0.5\pi$ with the interval $0.05\pi$. The corresponding lowpass filters were constructed for the filtering attack, and the noise series with the same cutoff frequency were generated by CLM-Lowpass while IID was considered as a reference, resulting in 110 different combinations. The length of the simulated data series was 1000, the scale of Laplace distribution and sensitivity were $\lambda =20$ and $\Delta f=10$, and $\delta =0.05$ in the calculation of differential privacy strength ${\epsilon }^{\prime }$ under filtering attack.

Here, the combination where the noise series has the same cutoff frequency as the data series is referred to as the series-indistinguishable scheme, denoted as $\mathcal{S}\mathcal{I}$. Under the same filtering attack, we computed the absolute value of the relative percentage difference, $|RPD|$, between different combinations with $\mathcal{S}\mathcal{I}$ in terms of privacy strength ${\epsilon }^{\prime }$, which can be calculated as follows:

$$|RPD|=\frac{|{\epsilon }^{\prime }-{\epsilon }_{\mathcal{S}\mathcal{I}}^{\prime }|}{{\epsilon }_{\mathcal{S}\mathcal{I}}^{\prime }}\times 100$$

(57)

where ${\epsilon }_{\mathcal{S}\mathcal{I}}^{\prime }$ denotes the privacy strength in $\mathcal{S}\mathcal{I}$ after the filtering attack.

As shown in Figure 12, only the results in the same row can be compared, where $|RPD|=0$ corresponds to $\mathcal{S}\mathcal{I}$ under the current filtering attack. There are some combinations close to $\mathcal{S}\mathcal{I}$ that have absolute percentage differences of less than 5%, which are acceptable in practical applications. This indicates that the actual privacy strength can be acceptably maintained despite variations in the noise power spectrum induced by the parameter quantization. These results also provide a basis for the parameter quantization scheme given in Equation (50).

5.3.3. Feature Parameter in Level Identification

Recall from Section 4.3.4 that the feature parameter $\chi$ defined in Equation (51) is used to identify the CLM filter’s level in QCLM-Lowpass. Based on the real dataset, the distribution of $\chi$ corresponding to different levels was analyzed. The autocorrelation function and the power spectrum are estimated as in Section 5.1.4, while the max lag of the autocorrelation function was set as $\Upsilon =3$.

As can be seen from Figure 13, there are obvious differences between the cumulative distributions of $\chi$ corresponding to different levels. This indicates that $\chi$ is effective for level identification. Taking the ratio of 0.95 as a criterion, the level identification method given in Equation (52) was determined.

5.3.4. The Effectiveness of QCLM-Lowpass for Continuous Location Data Publishing

To demonstrate the performance of QCLM-Lowpass, we simulated a continuous publishing scenario using a randomly selected location series with a sampling interval of 5 s. Figure 14a,b show the location series and the velocity–time curve in the X and Y directions, respectively. Figure 14c demonstrates the cutoff frequency of the noise power spectrum in the QCLM-Lowpass and NonQCLM in the X and Y directions. It can be seen that both methods can track the changes of the data power spectrum, but QCLM-Lowpass based on parameter quantization allows the CLM filter to remain in the steady state for a longer time.

Under the setting of the Laplace distribution scale $\lambda =20$, radius of protected area $r_{eff}=50$ m, we compared the degree of geo-indistinguishability ${\epsilon }^{\prime }$ achieved by these mechanisms at each moment after the filtering attack. As shown in Figure 14d, the expected privacy strength is indicated by the dashed line $\sqrt{2}/\lambda$, and the results of DCLM, NonQCLM, and QCLM-Lowpass are close to it, demonstrating their effectiveness against the filtering attack. However, QCLM-Lowpass’s results are more consistent with expectations, while the other two show fluctuations due to the undesired transient response. In addition, CLM-Lowpass in NonQCLM may exacerbate variations of the filter parameter, resulting in greater fluctuations in the privacy strength.

In summary, QCLM-Lowpass has good performance both in terms of the stability of privacy protection for location series and the capability of resisting the filtering attack, and thus it is feasible to apply in continuous location data release.

5.4. Performance Evaluation

The actual performance of the privacy scheme was evaluated on real datasets, considering two main aspects: the privacy performance and the data availability.

• For privacy performance, this paper focuses on the ability to resist correlation-based attacks, which was evaluated by comparing the change in privacy strength before and after the filtering attack.
• For data availability, this paper evaluated the ability to balance privacy protection and data availability by comparing the data availability at the same level of privacy strength under the filtering attack.

These methods based on CLM in this paper were compared with the method based on a Markov model, called Markov-GRR [13]. Referring to the setup of that work, all trajectories within the second ring of Beijing (116°35′05″ E–116°45′59″ E, 39°87′36″ N–39°95′71″ N) were extracted from the GeoLife dataset to train the probability transfer matrix of the Markov model, i.e., the public matrix, and the region was divided into $200\times 200$ grids, where each grid was approximately $44\times 44 {\mathrm{m}}^2$.

From the datasets with $\Delta t=1\hspace{0.33em}\mathrm{s}$ and $\Delta t=5\hspace{0.33em}\mathrm{s}$ in Section 5.1.2, we randomly selected 10 location series within the second ring of Beijing as the experimental dataset. Considering that the noise cannot be too large in practical applications, the scale of Laplace distribution was set as $\lambda =20,\hspace{0.33em}30,\hspace{0.33em}40,\hspace{0.33em}50,\hspace{0.33em}60$, the parameter of general random response in Markov-GRR was set as ${\epsilon }_{GRR}=1.5,\hspace{0.33em}2,\hspace{0.33em}2.5,\hspace{0.33em}3,\hspace{0.33em}3.5,\hspace{0.33em}4$ with ${\delta }_{GRR}=0.01$ for the “$\delta$-location set”, and the radius of the focused area was $r_{eff}=50$ m. The privacy strength of location dataset before and after the filtering attack, ${\mathcal{E}}_{0.05},\hspace{0.33em}{\mathcal{E}}_{0.05}^{\prime }$, were compared.

5.4.1. Privacy Evaluation

Figure 15 shows the privacy strength achieved by different privacy schemes before and after the filtering attack, and the black dashed line ${\mathcal{E}}_{0.05}^{\prime }={\mathcal{E}}_{0.05}$ indicates the case where the privacy strengths do not change. As can be seen from Figure 15a,c, the Markov-GRR is located above the curve of ${\mathcal{E}}_{0.05}^{\prime }={\mathcal{E}}_{0.05}$, which implies that the actual privacy strengths are significantly lower than the expected results. This is because the scheme independently selects a perturbed location from the “$\delta$-location set” at each moment, which is still an independent perturbation method, and thus struggles to resist correlation-based attacks.

In addition, as shown in Figure 15b,d, the results of DCLM, NonQCLM, and QCLM-Lowpass are close to the curve of ${\mathcal{E}}_{0.05}^{\prime }={\mathcal{E}}_{0.05}$, which illustrates their capabilities against the filtering attack.

Table 4. Relative percentage difference in privacy strength under the filtering attack (%).

λ		20	30	40	50	60
$\Delta t=1$	IID	150.17	107.02	74.25	44.85	20.33
	DCLM	27.54	14.40	2.35	−6.41	−8.07
	NonQCLM	33.77	4.54	−5.52	−9.61	−11.88
	QCLM-Lowpass	11.54	1.12	−4.18	−6.77	−5.63
$\Delta t=5$	IID	52.47	30.37	8.14	−5.10	−9.52
	DCLM	7.80	0.38	−5.07	−6.30	−5.65
	NonQCLM	4.04	−2.64	−6.79	−7.70	−6.78
	QCLM-Lowpass	1.67	−1.69	−2.42	−3.13	−2.58

gives the relative changes in privacy strength, where QCLM-Lowpass exhibits lower changes in most cases, reflecting its better performance in privacy preservation.

5.4.2. Usability Evaluation

First, MPD defined in Equation (54) was used to evaluate the generalized data availability. In Figure 16, as the actual privacy strength decreases, i.e., ${\mathcal{E}}_{0.05}^{\prime }$ becomes larger, MPD decreases correspondingly, resulting in better data availability. The performance of Markov-GRR is affected by the grid granularity; Figure 16a,c present the results under the gridding scheme in this paper. As shown in Figure 16b,d, QCLM-Lowpass is essentially located below the rest of the schemes, which implies that QCLM-Lowpass induces less data availability loss at the same level of privacy strength. In contrast, DCLM and NonQCLM induce unwanted transient responses during filter adjustment, which leads to increased loss of data availability.

Furthermore, we clustered all location series within the second ring of Beijing using DBSCAN [27], and evaluated the data availability achieved by the privacy scheme using homogeneity, completeness, and V-measure [28], as shown in Figure 17. In Markov-GRR, the perturbed locations are scattered over the grid, which leads to an increase in the cluster number and worse performance in terms of completeness. In the CLM-based schemes, the results of QCLM-Lowpass are located above other schemes at the same privacy strength, indicating that it can achieve better data availability in clustering application.

To summarize the above experimental results, it can be obtained that all of DCLM, NonQCLM, and QCLM-Lowpass can effectively resist the correlation-based attack, but QCLM-Lowpass can achieve a better balance between the actual privacy protection performance and the data availability.

6. Discussion and Conclusions

In this paper, the correlation Laplace mechanism was applied to ensure differential privacy protection for continuous release of real-time location data. To solve the problem of nonstationary location data correlation estimation, this paper analyzed the stationarity of real location data series and found that more than 27% of the real location series have approximately stationary increments. Therefore, a location data correlation estimation method based on the location increment was proposed, which provides support for CLM to track the time-varying data correlation. In addition, by exploiting the lowpass spectral characteristic of the location data series, CLM-Lowpass was proposed, in which series-indistinguishability is approximated by constructing a noise series with the same lowpass characteristics. This method simplifies the calculation process of CLM filters. Finally, an adaptive adjustment scheme for CLM filters based on parameter quantization, QCLM-Lowpass, was proposed to suppress the unwanted transient response when tracking time-varying data correlation. Extensive experiments show that the privacy scheme based on QCLM-Lowpass can provide a better balance between the ability to resist correlation-based attacks and data usability.

Although QCLM-Lowpass is effective, there are still some aspects to be improved in the future. First, there are opportunities to further optimize the parameter settings, such as quasi-stationary thresholds, quantization scheme, etc. Second, this paper ignores the inter-correlation between the data in the X and Y directions, which can be exploited by attackers to launch attacks on privacy preservation, and needs to be investigated in subsequent work on privacy preservation of 2D location data series.

Future work would consider more personalized privacy preservation, i.e., allowing the user to specify the degree of series-indistinguishability between the original and noise series, thus enabling a trade-off between location privacy and motion state privacy.