Patents by Inventor Stefano Bennati

Stefano Bennati has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11921890
    Abstract: An approach is provided for data-preserving trajectory anonymization. The approach involves, for example, processing a plurality of location trajectories to determine one or more exchange twists. The plurality of location trajectories are respectively a sequence of location points determined by a location sensor of a device, and the one or more exchange twists are one or more locations at which at least two trajectories of the plurality of location trajectories match based on a matching criterion. The approach also involves initiating a swapping of one or more trajectory identifiers among the plurality of location trajectories based on the one or more exchange twists to generate anonymized trajectory data. The approach further involves providing the anonymized trajectory data as an output to a location-based service.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: March 5, 2024
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic, Kai Pöthkow, Elena Mumford, Elena Vidyakina
  • Patent number: 11914747
    Abstract: The linkability of trajectory data based on similarities to candidate trajectory data is measured and quantified as described herein. Methods may include: receiving a set of probe data points defining a target trajectory from a probe apparatus; characterizing the trajectory based on features of the target trajectory; identifying a plurality of candidate trajectories sharing at least some features with the target trajectory; calculating, for each of the plurality of candidate trajectories, a similarity score with respect to the target trajectory; calculating a privacy score representing a likelihood of identifying the probe apparatus from the target trajectory based on a number of trajectories in the plurality of candidate trajectories and their respective similarity score; and providing information associated with the target trajectory for location-based services in response to the privacy score satisfying a predetermined value.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: February 27, 2024
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic
  • Publication number: 20230418977
    Abstract: Embodiments described herein relate to estimating a privacy level of an anonymized dataset based on an anonymization strategy selected using parameters of the dataset that form a dataset profile. Methods may include: receiving a dataset defining at least one trajectory; determining parameters of the dataset; generating a profile of the dataset based on the parameters of the dataset to establish a dataset profile; identifying a predetermined profile corresponding to the dataset profile; determining an anonymization strategy corresponding to the predetermined profile; anonymizing the dataset using the anonymization strategy to generate an anonymized dataset; and publishing the anonymized dataset for use with location-based services. According to some embodiments, identifying the predetermined profile corresponding to the dataset profile includes identifying a predetermined profile having parameters within a predefined degree of similarity of the parameters of the dataset.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventor: Stefano BENNATI
  • Patent number: 11822682
    Abstract: Embodiments described herein relate to measuring and quantifying the privacy risk for disclosure of trajectory data based on one or more attributes of the trajectory data. Methods may include: receiving probe data points defining at least one trajectory; identifying attributes of the at least one trajectory, where the identified attributes include values for respective trajectories; calculating a privacy risk associated with the at least one trajectory based, at least in part, on a distribution of values of the identified attributes, where the privacy risk includes a measure of difficulty in identifying a source of the at least one trajectory; and providing information associated with the at least one trajectory for location-based services in response to the privacy risk satisfying a predetermined value.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: November 21, 2023
    Assignee: HERE GLOBAL B.V.
    Inventor: Stefano Bennati
  • Patent number: 11754405
    Abstract: An approach is provided for probe trajectory anonymization based on a negative gap. The approach involves, for example, receiving a probe trajectory generated from at least one sensor of a probe device. The approach also involves processing the probe trajectory to segment the probe trajectory into a first subtrajectory and a second subtrajectory based on a negative gap between the first subtrajectory and the second subtrajectory. The negative gap specifies an amount of overlap between the end of the first subtrajectory and the beginning of the second subtrajectory. The approach further involves assigning a first pseudonym (e.g., a first new probe identifier) to the first subtrajectory, and a second pseudonym (e.g., a second new probe identifier) to the second subtrajectory. The approach then involves providing the first subtrajectory and the second subtrajectory as a trajectory anonymization output.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: September 12, 2023
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic, Kai Pöthkow, Elena Mumford, Elena Vidyakina
  • Patent number: 11703337
    Abstract: A method, apparatus, and computer program product are provided for anonymizing the trajectory of a vehicle. Methods may include: receiving a sequence of probe data points defining a trajectory; for a subset of the sequence of probe data points defining the trajectory beginning at an origin: updating a counter value at each probe data point, where the counter value is updated based, at least in part, on properties of a number of road links emanating from each junction through which the trajectory passed to reach a location associated with the respective probe data point; in response to the counter value satisfying a predetermined value after an update relative to a given probe data point, removing probe data points before the given probe data point in the sequence of probe data points to obtain origin-obscured probe data points; and creating a cropped trajectory including the origin-obscured probe data points.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: July 18, 2023
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic, Elena Vidyakina
  • Publication number: 20230195917
    Abstract: An approach is provided for automated purpose limitation and compatibility verification on a data platform. The approach, for example, involves generating metadata that indicates a purpose that has been allowed for processing a dataset. The approach also involves storing the metadata in a metadata catalog to associate the purpose with the dataset. The approach further involves querying the metadata catalog to perform a verification of a compatibility of the purpose with a requested purpose for a new processing activity of the dataset, to perform a limitation of the new processing activity, or a combination thereof.
    Type: Application
    Filed: December 22, 2021
    Publication date: June 22, 2023
    Inventors: Stefano BENNATI, Henri KUJALA
  • Publication number: 20230179577
    Abstract: An approach is provided for managing pseudonymous or anonymous user data and relevant data management requests. The approach involves, for example, converting a numerical feature of a data point into a categorical form. The categorical form represents a value range into which a numerical value of the numerical feature falls. The approach also involves determining an identifier of a data contributor associated with the data point. The approach further involves concatenating the identifier with the categorical form. The approach further involves cryptographically hashing the identifier concatenated with the categorical form to generate a mark. The approach further involves associating the mark with the data point to generate marked pseudonymous-anonymous data. The approach further involves transmitting the pseudonymous-anonymous data to a data platform.
    Type: Application
    Filed: December 6, 2021
    Publication date: June 8, 2023
    Inventor: Stefano BENNATI
  • Patent number: 11662215
    Abstract: Embodiments described herein relate to anonymizing of trajectories of mobile devices through the introduction of gaps between sub-trajectories. Methods may include: receiving a set of probe data points defining a trajectory; identifying a temporal length range of sub-trajectories; receiving a mode, where the mode is established based on a preceding set of probe data points defining a trajectory, where the mode includes an indication of whether to generate a sub-trajectory or a gap from the beginning of the received set of probe data points; and establishing at least one sub-trajectory including a sub-set of the set of probe data points, where the at least one sub-trajectory is established to satisfy the temporal length range of sub-trajectories.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: May 30, 2023
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic, Gavin Brown, Ori Dov, Elena Vidyakina
  • Patent number: 11645730
    Abstract: Embodiments described herein relate to establishing a privacy risk score between two datasets based on features common to the datasets. Methods may include: receiving a first dataset of probe data points defining a trajectory; receiving a second dataset of the probe data points defining the trajectory; identifying a plurality of features common to the first dataset and the second dataset; computing a privacy risk value for the identified features common to the first dataset and the second dataset; and computing an aggregate privacy risk score between the first dataset and the second dataset.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: May 9, 2023
    Assignee: HERE GLOBAL B.V.
    Inventor: Stefano Bennati
  • Publication number: 20220414267
    Abstract: A method, apparatus, and computer program product are provided for using confidential computing to execute code on sensitive data in an encrypted area of an apparatus limiting access to data and code to only their respective owners. Methods may include: generating an outer enclave and at least one inner enclave within the outer enclave; providing an outer enclave key and an inner enclave key to a service provider; providing an inner enclave key to a data provider; receiving, from the data provider, a data retrieval location; processing data from the respective retrieval location at the data provider inner enclave using data provider code to generate data provider processed data; providing the data provider processed data to the service provider inner enclave; processing the data provider processed data with service provider code to generate resultant data; and decrypting the resultant data in the outer enclave.
    Type: Application
    Filed: June 28, 2021
    Publication date: December 29, 2022
    Inventors: Stefano BENNATI, Tero Juhani KESKI-VALKAMA
  • Patent number: 11526628
    Abstract: An approach is provided for device-side probe trajectory anonymization based on negative gapping. The approach involves, for example, collecting a probe trajectory stream from a sensor of a probe device, wherein the probe trajectory stream comprises a time-sequence of location data points representing a sensed movement of the probe device. The approach also involves generating a plurality of subtrajectory streams from the probe trajectory stream. The approach further involves processing the plurality of subtrajectory streams to create a negative gap between the plurality of subtrajectory streams. The approach further involves providing the plurality of subtrajectory streams as an output in place of the probe trajectory.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: December 13, 2022
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic, Kai Pöthkow, Elena Mumford, Elena Vidyakina
  • Publication number: 20220383361
    Abstract: An approach is provided for providing a privacy-preserving yet targeted delivery of location-based content. The approach involves, for example, initiating a first transmission of content consumer public key(s) associated with content consumer(s) to a content provider. The approach also involves, in response to the transmission, receiving encrypted content encrypted with the content consumer public key(s). The encrypted content is cryptographically signed with a content provider private key associated with the content provider. The approach further involves initiating a second transmission of the encrypted content to a consumer device. A content provider public key for decrypting the encrypted content is made available based on (1) the consumer device scanning the content provider public key at a location designated by the content provider, or (2) detecting that the consumer device is located within a threshold proximity of the location.
    Type: Application
    Filed: May 26, 2021
    Publication date: December 1, 2022
    Inventor: Stefano BENNATI
  • Publication number: 20220366062
    Abstract: Embodiments described herein relate to measuring and quantifying the privacy risk for disclosure of trajectory data based on one or more attributes of the trajectory data. Methods may include: receiving probe data points defining at least one trajectory; identifying attributes of the at least one trajectory, where the identified attributes include values for respective trajectories; calculating a privacy risk associated with the at least one trajectory based, at least in part, on a distribution of values of the identified attributes, where the privacy risk includes a measure of difficulty in identifying a source of the at least one trajectory; and providing information associated with the at least one trajectory for location-based services in response to the privacy risk satisfying a predetermined value.
    Type: Application
    Filed: May 17, 2021
    Publication date: November 17, 2022
    Inventor: Stefano BENNATI
  • Publication number: 20220300641
    Abstract: Embodiments described herein relate to measuring and quantifying the linkability of trajectory data based on similarities to candidate trajectory data. Methods may include: receiving a set of probe data points defining a target trajectory from a probe apparatus; characterizing the trajectory based on features of the target trajectory; identifying a plurality of candidate trajectories sharing at least some features with the target trajectory; calculating, for each of the plurality of candidate trajectories, a similarity score with respect to the target trajectory; calculating a privacy score representing a likelihood of identifying the probe apparatus from the target trajectory based on a number of trajectories in the plurality of candidate trajectories and their respective similarity score; and providing information associated with the target trajectory for location-based services in response to the privacy score satisfying a predetermined value.
    Type: Application
    Filed: March 16, 2021
    Publication date: September 22, 2022
    Inventors: Stefano BENNATI, Aleksandra KOVACEVIC
  • Patent number: 11405751
    Abstract: Embodiments described herein relate to anonymizing of trajectories of mobile devices through the introduction of gaps between sub-trajectories and accommodating endogenous events. Methods may include: receiving a set of probe data points defining a trajectory; receiving a mode, where the mode is established based on a preceding set of probe data points defining a trajectory, where the mode includes an indication of whether a preceding set of probe data points terminated during a sub-trajectory or a gap, and a time at which the sub-trajectory or the gap of the preceding set of probe data points began; receiving an indication of an event occurring at an event time; determining whether to transmit a sub-trajectory including a sub-set of the set of probe data points based on the mode and the event time; and transmitting the event to a service provider for use in providing location-based services.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: August 2, 2022
    Assignee: HERE GLOBAL B.V.
    Inventor: Stefano Bennati
  • Patent number: 11397818
    Abstract: A method, apparatus and computer program product are provided to determine a semantic privacy index that quantifies the risk associated with re-identification of a trajectory following anonymization of the trajectory. In the context of a method, information regarding a trajectory is received. After the trajectory has been map matched to a portion of a road network, the method associates contextual information comprising one or more map features with the trajectory. The method also provides the information regarding the trajectory and the contextual information comprising the one or more map features to a risk estimation model in order to generate the semantic privacy index.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: July 26, 2022
    Assignee: HERE GLOBAL B.V.
    Inventors: Raghavendran Balu, Stefano Bennati, Aleksandra Kovacevic, Arash Ostadzadeh, Kai Pöthkow, Elena Mumford, Elena Vidyakina, Zack Zhu
  • Publication number: 20220170760
    Abstract: Embodiments described herein relate to anonymization of parking events such that parking events may be used by location-based service providers without revealing a target associated with the respective parking events. Methods may include: receiving an indication of a parking event; map-matching the parking event to a parking event road segment; identifying candidate road segments, wherein the candidate road segments are connected directly or indirectly to the parking event road segment; selecting a road segment of the candidate road segments; updating the parking event to be an updated parking event associated with the selected road segment; and providing the updated parking event to a location-based service provider.
    Type: Application
    Filed: December 1, 2020
    Publication date: June 2, 2022
    Inventor: Stefano BENNATI
  • Publication number: 20220156869
    Abstract: Embodiments described herein relate to establishing a privacy risk score between two datasets based on features common to the datasets. Methods may include: receiving a first dataset of probe data points defining a trajectory; receiving a second dataset of the probe data points defining the trajectory; identifying a plurality of features common to the first dataset and the second dataset; computing a privacy risk value for the identified features common to the first dataset and the second dataset; and computing an aggregate privacy risk score between the first dataset and the second dataset.
    Type: Application
    Filed: November 16, 2020
    Publication date: May 19, 2022
    Inventor: Stefano BENNATI
  • Publication number: 20220141618
    Abstract: Embodiments described herein relate to anonymizing of trajectories of mobile devices through the introduction of gaps between sub-trajectories and accommodating endogenous events. Methods may include: receiving a set of probe data points defining a trajectory; receiving a mode, where the mode is established based on a preceding set of probe data points defining a trajectory, where the mode includes an indication of whether a preceding set of probe data points terminated during a sub-trajectory or a gap, and a time at which the sub-trajectory or the gap of the preceding set of probe data points began; receiving an indication of an event occurring at an event time; determining whether to transmit a sub-trajectory including a sub-set of the set of probe data points based on the mode and the event time; and transmitting the event to a service provider for use in providing location-based services.
    Type: Application
    Filed: November 3, 2020
    Publication date: May 5, 2022
    Inventor: Stefano BENNATI