This application claims priority to European Patent Application No. EP 22150434.3, filed on Jan. 6, 2022 with the European Patent Office. This application also claims priority to European Patent Application No. EP 22150435.0, filed on Jan. 6, 2022 with the European Patent Office. The contents of the aforesaid patent applications are incorporated herein for all purposes.
This background section is provided for the purpose of generally describing the context of the disclosure. Work of the presently named inventor(s), to the extent the work is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
The disclosure is related to a method for dynamic spatial anonymization of vehicle data in a cloud environment. Further, the disclosure is related to a corresponding computer program product. Furthermore, the disclosure is related to a corresponding device, especially backend device.
Real-time vehicular data plays a key role in current data driven projects. Typical use cases concerned with the analysis of vehicular information extracted from installed sensors include, e.g., the creation of maps providing parking or weather information. The displayed information thereby may be a result of advanced analytics including, in particular, forecasts that can be in return consumed by the vehicle.
Due to in-car computational constraints, advanced analytics usually take place in a cloud environment. Thus, the sensor data is extracted and shared with a cloud platform. This approach requires, however, the anonymization of the extracted data due to data protection requirements. For the considered use cases, the sensitive content is the tuple of temporal and spatial data, which, un-anonymized, reveals the exact location of the data creator at an exact point in time. Present state of the art technologies therefore shift the extracted data by an additive constant with respect to time or space. The goal is to decouple the time and space tuple and further to hide the identity of the data creator in an anonymization group that aggregates data from several sources/creators. The amount of the applied temporal or spatial shift can depend on the traffic density: the shift may be increased with decreasing traffic density and decreased with increasing traffic density.
Although pure temporal shifting has undergone several iterations that improved, e.g., the quality of the resulting anonymized data, current state of the art spatial anonymization techniques lack comparable optimization.
Presently, spatial anonymization is based on static grid structures with predefined grid sizes, which do not allow for arbitrary dynamic adjustments based on the underlying traffic density. This usually results in less accurate applications, as the required level of data granularity is mostly not met in such a framework, finally ruling out certain use cases.
On the other hand, the static grid spatial anonymization approach also neglects sparsely populated areas, which typically imply small traffic densities. Since the predefined grid sizes do not exceed a certain limit, a cell in such an area rarely collects enough records to form an anonymization group. As a result, data extracted in such areas usually has to be deleted because anonymization fails.
Furthermore, current spatial anonymization techniques lack runtime optimization, although they have to process big data loads: most use cases in consideration rely on big vehicle fleets, and the state of the art spatial anonymization struggles to meet this requirement.
A need exists to provide an improved method for dynamic spatial anonymization of vehicle data in a cloud environment.
The need is addressed by the subject matter of the independent claim(s). Embodiments of the invention are described in the dependent claims, the following description, and the drawings.
The details of one or more embodiments are set forth in the accompanying drawings and the description below. Other features will be apparent from the description, drawings, and from the claims.
In the following description of embodiments of the invention, specific details are described in order to provide a thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid unnecessarily complicating the instant description.
In some embodiments, a flexible and/or adaptive method for dynamic spatial anonymization of vehicle data in a cloud environment is provided, which allows for arbitrary sizes and locations of the anonymization areas and does not rely on underlying static grid structures and which serve for enhanced privacy protection, even for sparsely covered areas. In some embodiments, an improved method for dynamic spatial anonymization of vehicle data in a cloud environment is provided, which enhances aggregation techniques and which increases the quality and the reliability of the anonymized data. Moreover some embodiments provide an improved method for dynamic spatial anonymization of vehicle data in a cloud environment, which reduces computational runtime, in particular, in case of big data loads. In some embodiments, a device is provided, especially a backend device, for dynamic spatial anonymization of vehicle data in a cloud environment.
According to the first aspect, embodiments provide a method for dynamic spatial anonymization of vehicle data in a cloud environment with the features of the independent method claim. According to the second aspect, embodiments provide a corresponding computer program product for a respective method with the features of the independent product claim. According to the third aspect, embodiments provide a corresponding device, especially backend device, for dynamic spatial anonymization of vehicle data in a cloud environment with the features of the independent device claim. Details and features disclosed on individual aspects also apply to the other aspects and vice versa.
According to the first aspect, embodiments of the invention provide a method for dynamic spatial anonymization of vehicle data in a cloud environment, the method comprising:
The method may be executed by an external device, such as a backend device in the cloud, in order to save computational power on the vehicle's side and to provide enhanced computational resources for dynamic spatial anonymization of vehicle data.
The actions of the method may be carried out in the given order or in a modified order. Individual actions of the method may be carried out simultaneously and/or repeatedly to allow a continuous process.
For collecting vehicle data, a plurality of participating vehicles may send vehicle data, for example in the form of records and/or measurements, for example comprising sensor data, such as environmental data, temperature values, humidity values, rain intensity, slipping coefficient, etc., and spatial data, such as geographical coordinates, to the external device. The vehicle data may also comprise time stamps.
The collecting of vehicle data may be done periodically, for example over a time interval. The time interval may be determined by a performing device, for example individually for different vehicle services, such as navigation services, map services and/or forecast services etc. Each time, after collecting vehicle data within one time interval, the vehicle data will be anonymized before further use, for example for storing, processing and/or providing vehicle services.
The spatial partitioning within the meaning of the present disclosure may also be explained as splitting over geographical areas. The spatial partitioning of the vehicle data may be for example used for reducing the amount of records intended to be anonymized in one execution.
Vehicle data aggregation within the meaning of the present disclosure may also be explained as compiling of vehicle data with intent to prepare aggregated (or combined) data sets for further data processing. The spatial aggregation may be for example used for anonymization of the vehicle data, especially within a current time interval, within a corresponding data subset and/or within an associated geographical area.
The presented method solves the above-mentioned problems of static grid sizes and handling of great amounts of data by spatial anonymization approaches. The presented method may be based on a dynamic approach that allows for both dynamic adjustment of grids and dynamic partitioning of big data loads.
In the case of vehicle applications, there are massive amounts of geo-related data, which cannot be efficiently anonymized all in one execution. To overcome this challenge, the vehicle data may be split spatially by applying geospatial indexing. Geospatial indexing is described in the following.
Geospatial indexing is the process of partitioning areas of the earth into identifiable grid cells. Geospatial indexing may be faster than indexing over areas with static grid sizes.
For spatial partitioning within the present disclosure, especially using geospatial indexing, the world and/or a geographical region of interest may be divided into geographical areas of different resolutions, for example resolution levels from 0 to 15. The resolution of an area may be determined by the number of records over the geographic extent of the area. Each area at each resolution gets its own unique ID. Thus, all records of the data subset within an associated geographical area share the same ID.
For spatial partitioning within the present disclosure, especially using geospatial indexing, following conditions may be provided for splitting the records into subsets:
For spatial partitioning within the present disclosure, especially using geospatial indexing, following actions may be executed:
The dynamic spatial anonymization follows for example a two level aggregation approach.
Vehicle data aggregation may further for example use the information advantage that is available for non-anonymized data prior to anonymization.
Vehicle data aggregation combines multiple vehicle data, records and/or measurements into a lower number of values, and thus provides anonymization.
Thus, the amount of vehicle data to be anonymized in one execution may be considerably reduced with the help of spatial aggregation.
By assuming that the information measured from a single vehicle does not vary significantly in a certain time interval, and the sensor sampling frequency is higher than needed, it is possible to aggregate the data coming from a single vehicle without losing significant information. Thus, the relevant information may be reliably maintained.
For example, when collecting temperature measurements in a certain area, the temperature sampling frequency on the vehicle may be 1 Hz. It may be possible to aggregate the temperature information provided by a single vehicle within the same time interval, e.g. 10 s, without losing relevant information. The temperature usually does not change significantly within 10 s. Also, the vehicle displacement in such a time interval may be neglected for the specific use-case, but the amount of data to process is 10 times smaller.
For example, while collecting rain intensity measurements, it may happen that the vehicle passes under some roof, bridge or tree. In this case these unusual measurements may be considered as an outlier in the 10 s time window. The data aggregation may for example filter out the effects of such outliers.
The data aggregation may also highlight some uncommon measurements. For example, by collecting the slipping coefficient of the road in a certain area, in a certain time, due to ice slabs on the street, it is possible to take into account each single ice slab on the road, even if small.
Aggregated data in this case will contain the information about the “ice”, even if for most of the 10 s time interval there was no ice on the road.
Thus, the data quality may be improved with the help of filtering and/or highlighting the vehicle data.
In general, for each sensor type, signal source and/or data type, a different aggregation methodology may be applied that has proven to be valuable for the specific case. Aggregation methodologies comprise statistical indicators (mean, max, n-th percentile, etc.), a combination of them, or functions implemented ad hoc for the specific use-case.
Thus, quality and reliability of data can be improved prior to anonymization.
A second level of aggregation may then be performed between measurements coming from a set of several vehicles in the same time interval and in the same area. This second step of aggregation reaches the anonymization goal, because from the aggregated data it would be extremely unlikely to trace back the single vehicle that contributed to it.
On the other hand, a spatial anonymization approach using dynamic spatial anonymization may lead to overlapping spatial aggregated data sets. In other words, a single vehicle contributing to more than one spatial aggregated data set may then be re-identified with some probability, since the overlap of the sets narrows down where that vehicle was.
Therefore, in some embodiments, the spatial aggregated data sets can be modified (and/or distorted) in order to reduce the overlapping of the spatial aggregated data sets.
As a result, in such embodiments, the method is improved with regard to enhanced privacy protection, especially for geographical areas in which a vehicle may be assigned to several different anonymization groups, so that it contributes to more than one spatial aggregated data set. This may occur during second level aggregation, so that the spatial aggregated data sets obtain overlapping portions.
The inventors have recognized that the second level aggregation may cause scenarios in which the anonymization groups share common participants. Common participants within the anonymization groups may allow unauthorized tracing of these participants, so that their anonymity is at risk. More precisely, the overlapping portions of the spatial aggregated data sets can be assigned a higher probability of being the place of data creation than the other portions, resulting in a potential privacy risk.
The aforementioned embodiments address this circumstance in order to avoid such scenarios, which would allow unauthorized tracing of vehicles as data sources. As a result, the method optimizes privacy and aims at a uniform probability distribution for locating data within the groups of vehicles during second level aggregation, that is, while aggregating data points.
To protect the vehicles within the anonymization groups that are at higher risk, the aforementioned embodiments provide a technique to resolve potentially overlapping portions of spatial aggregated data sets. In such embodiments, the presented method modifies, in other words distorts, the spatial aggregated data sets by changing the sizes, shapes and/or locations of their groups, for example in a random way. This modification reduces the privacy risk, since potentially overlapping portions of the spatial aggregated data sets with higher localization probabilities are destroyed. In particular, consecutive series of portions with high localization probabilities, which would otherwise allow a vehicle to be followed from group to group, are largely prevented. At the same time, the anonymization of the data content is still guaranteed, as each randomized spatial aggregated data set still contains substantially the information aggregated within an almost non-overlapping anonymization group.
Furthermore, in some embodiments the modification of the spatial aggregated data sets may be performed randomly, which provides a computationally cheap way to resolve the overlapping.
Moreover, in some embodiments the modification of the spatial aggregated data sets is performed by changing the size, shape and/or location of the corresponding groups. Thus, concrete techniques to modify and/or distort the groups are provided.
In some embodiments, the vehicle data may for example be collected periodically within a time interval. For example, the time interval may be chosen depending on vehicle service, sensor type, signal source and/or data type. Thus, the properties and requirements of vehicle services and/or evaluable vehicle data may be beneficially taken into account by adapting the dynamics of the spatial anonymization.
The spatial partitioning may be used for reducing the amount of records intended to be anonymized in one execution. The spatial aggregation may be used for anonymization of the vehicle data, especially within a current time interval, within a corresponding data subset and/or within an associated geographical area.
Further, the spatial aggregation may be provided using the k-anonymity methodology. For example, a spatial aggregated data set aggregates data points coming from different vehicles arranged into groups using the k-nearest neighbor method. In this way, effective data protection may be provided with simple techniques and without much computational effort.
Furthermore, it may be beneficial in some embodiments if a spatial aggregated data set multiply aggregates data points coming from different vehicles, wherein especially some vehicles will be assigned to more than one group. Thus, overlapping groups of vehicles may be provided within an associated geographical area of the corresponding data subset. This allows using data from one vehicle multiple times, thus enlarging the value of the data significantly. Such overlapping groups are exactly the case in which the overlapping portions of the resulting spatial aggregated data sets have to be modified, as described above, so that a vehicle contributing to several groups cannot be localized with higher probability.
For example, the vehicle data may comprise sensor data and spatial data. Hereby the sensor data may comprise environmental data, temperature values, humidity values, rain intensity, slipping coefficient, etc. Therefore, a data point coming from a single vehicle comprises aggregated sensor data and aggregated spatial data for the single vehicle. Thus, a spatial aggregated data set coming from a group of vehicles comprises aggregated sensor data and aggregated spatial data for the group of vehicles.
Vehicle data within a data point may be filtered in order to exclude unusual measurements. Thus, the quality and reliability of the data may be improved.
Vehicle data within a data point may be highlighted in order to detect environmental effects, such as ice slabs on the street, that are confined to small portions of a particular geographical area. Thus, localized effects that may not be registered by all participants can still be detected by the method. Therefore, the value of the data may be significantly increased.
For increased functionality and suitability of the method, the spatial aggregation may be performed using different aggregation methodologies for different vehicle services, sensor types, signal sources and/or data types. Hereby, a particular aggregation methodology may be chosen depending on vehicle service, sensor type, signal source and/or data type.
Beneficially, the spatial partitioning may be provided using a method of geospatial indexing. Thus, dynamic adjustment of grids and dynamic partitioning of big data loads may be provided.
Further, the spatial partitioning may be provided using an iterative splitting of an incoming set of records into geographical areas having different resolution levels. Thus, a reduction of big data loads may be provided iteratively.
Furthermore, the spatial partitioning may be continued until a data subset comprises an amount of records lower than the maximal amount of records. Thus, the computational constraints of a performing device may be addressed.
For example, the maximal amount of records may be chosen according to computational capacity of a performing device.
According to a further example aspect, a computer program product is provided, comprising instructions which, when the program is executed by a computer, cause the computer to carry out a method as described above. With the help of the computer program product, the same benefits may be achieved as described above in the context of the method. Full reference is made to these benefits in the present case.
According to a further example aspect, a device, especially backend device, is provided, comprising a memory device in which program code is stored, and a computing device configured to execute the program code, wherein when executing the program code, a method may be performed as described above. With the help of the device, the same benefits may be achieved as described above in the context of the method. Full reference is made to these benefits in the present case.
For example, the memory device may comprise a database for spatial aggregated data sets. With the help of the database, the anonymized vehicle data may be stored and easily used, especially with the goal that the individual vehicles cannot be re-identified while the data remains useful for vehicle services.
Beneficially, the computing device may be configured to provide vehicle services, comprising navigation services, map services and/or forecast services etc., to participating vehicles using the aggregated data sets. Also for example, the computing device may be configured to provide different vehicle services depending on service type, signal source and/or data type. Thus, the different vehicle services may be provided with more quality and increased functionality.
the method comprising:
The method may be executed by an external device 20, such as a backend device in the cloud, in order to save computational power on the vehicle's side and to provide enhanced computational resources for providing improved vehicle services.
The present method provides variable grid sizes and handles great amounts of data in an effective manner. The presented method is based on a dynamic approach that allows for both dynamic adjustment of grids and dynamic partitioning of big data loads.
In the case of vehicle applications, there are massive amounts of geo-related data, which cannot be efficiently anonymized all at the same time and/or in one execution. To overcome this challenge, the vehicle data D(t) may be split spatially, for example by applying geospatial indexing, as explained in the following and represented in
For spatial partitioning within the present disclosure, especially using geospatial indexing, the world and/or a geographical region (s. the first representation a in
For spatial partitioning/geospatial indexing following conditions may be provided for splitting the vehicle data D(t) into subsets DZ(t):
As
Representation of data partitioning using geospatial indexing shown in
This approach results in dynamic grid sizes that may span in reality from less than 0.01 km2 to 100 km2, as shown in
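The partitioning described in the summary (iterative splitting into resolution levels until a subset holds fewer than the maximal amount of records) and in the detailed description above can be exercised with the following added example. It is not code from the original disclosure: the disclosure does not name its geospatial index, so a quadtree over a lon/lat region stands in for it (an assumption), cells are identified by a resolution level and their split path, and the record sample is constructed. A cell is split only while it holds more than max_records, so a dense road segment is refined to a deep level while the sparse remainder stays at resolution 1.

```python
"""Dynamic spatial partitioning of vehicle records by recursive cell splitting.

Added example, not code from the original disclosure. Assumption: a quadtree
over a lon/lat region stands in for the (unnamed) geospatial index. Each cell
has a resolution level (0 = whole region, at most MAX_RESOLUTION) and an id
built from its split path, so all records in one cell share that id. A cell
is split only while it holds more than max_records, so sparse areas stay at a
coarse level and dense areas are refined.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_RESOLUTION = 15  # finest level named in the text (levels 0 .. 15)


@dataclass(frozen=True)
class Record:
    vehicle_id: str
    lon: float
    lat: float
    t: float       # seconds
    value: float   # a sensor reading, e.g. temperature in degrees C


@dataclass(frozen=True)
class Cell:
    resolution: int
    path: str      # quadrant digits from the root, e.g. "0213"
    lon_min: float
    lon_max: float
    lat_min: float
    lat_max: float

    @property
    def cell_id(self) -> str:
        return f"r{self.resolution}:{self.path}"

    def quadrant(self, rec: Record) -> int:
        """0 = SW, 1 = SE, 2 = NW, 3 = NE; the midpoints belong to the upper half."""
        mid_lon = (self.lon_min + self.lon_max) / 2
        mid_lat = (self.lat_min + self.lat_max) / 2
        return (1 if rec.lon >= mid_lon else 0) + (2 if rec.lat >= mid_lat else 0)

    def children(self) -> List["Cell"]:
        mid_lon = (self.lon_min + self.lon_max) / 2
        mid_lat = (self.lat_min + self.lat_max) / 2
        bounds = [(self.lon_min, mid_lon, self.lat_min, mid_lat),   # 0: SW
                  (mid_lon, self.lon_max, self.lat_min, mid_lat),   # 1: SE
                  (self.lon_min, mid_lon, mid_lat, self.lat_max),   # 2: NW
                  (mid_lon, self.lon_max, mid_lat, self.lat_max)]   # 3: NE
        return [Cell(self.resolution + 1, self.path + str(q), *b)
                for q, b in enumerate(bounds)]


def partition(records: List[Record], region: Cell, max_records: int
              ) -> Dict[str, Tuple[Cell, List[Record]]]:
    """Split until every cell holds at most max_records or MAX_RESOLUTION is hit.

    A cell still over the limit at MAX_RESOLUTION is kept as is (the finest
    level is a hard floor); empty cells are dropped.
    """
    work = [(region, list(records))]
    out: Dict[str, Tuple[Cell, List[Record]]] = {}
    while work:
        cell, recs = work.pop()
        if not recs:
            continue
        if len(recs) <= max_records or cell.resolution >= MAX_RESOLUTION:
            out[cell.cell_id] = (cell, recs)
            continue
        kids = cell.children()
        buckets: List[List[Record]] = [[] for _ in kids]
        for r in recs:
            buckets[cell.quadrant(r)].append(r)
        work.extend(zip(kids, buckets))
    return out


# Constructed sample: a 1 x 1 degree region with 40 records on one dense road
# segment (ids d0..d39) and 5 records scattered over the sparse rest (s0..s4).
REGION = Cell(0, "", 10.0, 11.0, 50.0, 51.0)
SAMPLE_RECORDS = [Record(f"d{i}", 10.1 + i * 0.0005, 50.1 + (i % 5) * 0.0005,
                         float(i), 3.0) for i in range(40)] + [
    Record("s0", 10.6, 50.6, 0.0, 2.5), Record("s1", 10.7, 50.8, 1.0, 2.4),
    Record("s2", 10.9, 50.2, 2.0, 2.8), Record("s3", 10.55, 50.9, 3.0, 2.1),
    Record("s4", 10.8, 50.7, 4.0, 2.6)]


def summary(max_records: int = 8) -> Dict[str, int]:
    """cell_id -> record count for the sample; dense cells come out deep, sparse ones shallow."""
    parts = partition(SAMPLE_RECORDS, REGION, max_records)
    return {cid: len(recs) for cid, (_, recs) in sorted(parts.items())}


if __name__ == "__main__":
    for cid, n in summary().items():
        print(cid, n)
```

With max_records = 8 the five sparse records end up in two resolution-1 cells (r1:1 and r1:3), while the 40 dense records are refined down to resolution 7 and 8; no record is lost and no cell below resolution 15 exceeds the limit. Note the hard floor: a cell that is still over the limit at resolution 15 is returned as is, and it is the caller's job to decide whether such a subset is small enough to anonymize in one execution.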
The dynamic spatial anonymization follows for example a two level i, j aggregation approach.
Vehicle data aggregation may use the information advantage that is available for non-anonymized vehicle data D(t) prior to anonymization in action II.
Vehicle data aggregation II provides a combination of multiple vehicle data D(t), that is records and/or measurements and/or points in the view of
Thus, the amount of vehicle data D(t) to be anonymized (Dj_mean) in one execution may be considerably reduced with the help of spatial aggregation II.
A first level i of aggregation is illustrated in
By assuming that the vehicle data Di(t) from a single vehicle 10 does not vary significantly in a certain time interval dt, and the sensor sampling frequency is higher than needed, it is possible to aggregate the vehicle data Di(t) coming from a single vehicle 10 without losing significant information. Thus, the relevant information may be reliably maintained within a corresponding data point Di_mean.
For example, when collecting temperature measurements in a certain area Z, the temperature sampling frequency on the vehicle may be 1 Hz. It may be possible to aggregate the temperature information provided by a single vehicle 10 within the same time interval, e.g. 10 s, without losing relevant information. The temperature usually does not change significantly within 10 s. Also, the vehicle displacement in such a time interval dt may be neglected for the specific vehicle service, but the amount of data to process by anonymization is 10 times smaller.
For example, by collecting the rain intensity measurements, it may happen that the vehicle 10 passes under some roof, bridge or tree. In this case these unusual measurements may be considered as an outlier in the 10 s time window. The vehicle data D(t) aggregation may for example filter out the effects of such outliers.
The data aggregation may also highlight some uncommon measurements. For example by collecting the slipping coefficient of the road in a certain area, in a certain time, due to ice slabs on the street, it is possible to recognize each single ice slab on the road, even if small. Aggregated data in this case will contain the information about the “ice”, even if for most of the 10 s time-interval there was no ice on the road.
Thus, the data quality may be improved with the help of filtering and/or highlighting the vehicle data D(t).
In general, for each sensor type, signal source and/or data type, a different aggregation methodology may be applied that has proven to be valuable for the specific case. Aggregation methodologies comprise statistical indicators (mean, max, n-th percentile, etc.), a combination of them, or functions implemented ad hoc for the specific use-case.
This improves the quality and reliability of the data prior to anonymization.
In the first step i, time series data Di(t) from single vehicles 10 will be recorded over a time interval dt, comprising positional information (spatial data P) along the trajectory of a vehicle 10 together with recorded information (sensor data V) of the vehicle sensors. As illustrated in
A second level j of aggregation is illustrated in
A second level j of aggregation is thus performed within a set of vehicles 10 in the same time interval dt and in the same geographical area Z. This second step j of aggregation reaches the anonymization goal, because from the aggregated data it would be extremely unlikely to trace back the single vehicle 10 that contributed to the aggregated data set Dj_mean.
In the second step j of the spatial anonymization, following the k-anonymity methodology, the aggregated data points Di_mean coming from different vehicles 10 are arranged in groups G of k vehicles 10, for example using the k nearest neighbor method. The data of these groups G of k vehicles 10 (for example k=3) are then aggregated again, leaving only information about the portion of the geographical area Z where the group G of vehicles was located and the aggregate values. The number of groups G may be smaller than the number of vehicles 10 in the corresponding geographical area Z.
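The two-level aggregation i, j described above, as an added example that is not code from the original disclosure. The per-signal rules (mean for temperature, median for rain intensity so that a dip under a bridge drops out as an outlier, "any" for an ice flag so that a single small ice slab is still highlighted), the greedy nearest-neighbour grouping with k = 3, the suppression of a time window that holds fewer than k vehicles, and the five-vehicle sample are assumptions chosen to illustrate the text. overlap_report() exposes the case the disclosure warns about, a vehicle contributing to more than one group G.

```python
"""Two-level aggregation of vehicle data (added example, not the page's code).

Level i collapses each vehicle's 1 Hz samples within a DT = 10 s window into
one data point Di_mean with a per-signal rule: mean for temperature, median
for rain (a dip under a bridge becomes an outlier and drops out) and "any"
for the ice flag so a single small ice slab is still highlighted. Level j
arranges the data points of one window into groups of K = 3 vehicles with a
greedy nearest-neighbour rule (an assumption: the text names k-nearest-
neighbour grouping but fixes no details) and keeps only each group's
bounding box and aggregate values. A vehicle may land in more than one
group, which overlap_report() exposes; a window with fewer than K vehicles
is suppressed because no k-anonymous group can be formed.
"""
import math
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, FrozenSet, List, Tuple

DT = 10.0  # first-level window, seconds
K = 3      # anonymity group size


@dataclass(frozen=True)
class Sample:               # one raw 1 Hz record of one vehicle
    vehicle_id: str
    t: float
    lon: float
    lat: float
    temp_c: float
    rain: float             # rain intensity 0..1
    ice: bool               # slipping coefficient below a threshold


@dataclass(frozen=True)
class DataPoint:            # Di_mean: one vehicle, one window
    vehicle_id: str
    window: int
    lon: float
    lat: float
    temp_mean: float
    rain_median: float
    ice_any: bool
    n_samples: int


@dataclass(frozen=True)
class GroupSet:             # Dj_mean: one group G of K vehicles
    bbox: Tuple[float, float, float, float]   # lon_min, lat_min, lon_max, lat_max
    temp_mean: float
    rain_median: float
    ice_any: bool
    n_vehicles: int


def level_i(samples: List[Sample]) -> List[DataPoint]:
    buckets: Dict[Tuple[str, int], List[Sample]] = {}
    for s in samples:
        buckets.setdefault((s.vehicle_id, int(s.t // DT)), []).append(s)
    return [DataPoint(vid, w, mean(s.lon for s in ss), mean(s.lat for s in ss),
                      mean(s.temp_c for s in ss), median(s.rain for s in ss),
                      any(s.ice for s in ss), len(ss))
            for (vid, w), ss in sorted(buckets.items())]


def _aggregate(group: List[DataPoint]) -> GroupSet:
    lons, lats = [p.lon for p in group], [p.lat for p in group]
    return GroupSet((min(lons), min(lats), max(lons), max(lats)),
                    mean(p.temp_mean for p in group),
                    median(p.rain_median for p in group),
                    any(p.ice_any for p in group), len(group))


def level_j(points: List[DataPoint], k: int = K
            ) -> Tuple[List[GroupSet], List[FrozenSet[str]], int]:
    """Returns (aggregated groups, vehicle set per group, suppressed points)."""
    groups, members, suppressed = [], [], 0
    by_window: Dict[int, List[DataPoint]] = {}
    for p in points:
        by_window.setdefault(p.window, []).append(p)
    for w in sorted(by_window):
        pts = by_window[w]
        if len(pts) < k:            # k-anonymity cannot be met: drop the window
            suppressed += len(pts)
            continue
        covered: set = set()
        for seed in pts:            # each uncovered vehicle seeds a group of its k nearest
            if seed.vehicle_id in covered:
                continue
            grp = sorted(pts, key=lambda p: math.hypot(p.lon - seed.lon, p.lat - seed.lat))[:k]
            covered.update(p.vehicle_id for p in grp)
            groups.append(_aggregate(grp))
            members.append(frozenset(p.vehicle_id for p in grp))
    return groups, members, suppressed


def overlap_report(members: List[FrozenSet[str]]) -> Dict[str, int]:
    """Vehicles contributing to more than one group -> number of groups."""
    counts: Dict[str, int] = {}
    for m in members:
        for vid in m:
            counts[vid] = counts.get(vid, 0) + 1
    return {vid: n for vid, n in counts.items() if n > 1}


# Constructed sample: five vehicles at 1 Hz for 10 s on one road; v2 passes
# under a bridge at t = 4..5 s (rain reads 0), v4 crosses an ice slab at t = 7 s.
SAMPLES: List[Sample] = [
    Sample(f"v{n}", float(i), base_lon + i * 1e-5, 50.0, 3.0 + 0.1 * (i % 2),
           0.0 if (n == 2 and i in (4, 5)) else 0.6, n == 4 and i == 7)
    for n, base_lon in enumerate([10.000, 10.001, 10.002, 10.010, 10.011], start=1)
    for i in range(10)
]
```

Running level_i on the sample yields five data points (50 samples reduced to 5, the tenfold reduction the text mentions); v2's bridge dip is removed by the median and v4's single ice sample survives as ice_any. level_j then forms two groups, {v1, v2, v3} and {v3, v4, v5}, from five vehicles, and overlap_report() returns {"v3": 2}: v3 sits in both groups, which is precisely the overlap that the modification step of the disclosure is meant to resolve. Feeding only two data points returns no group and suppressed = 2, i.e. data from a too sparsely covered window is not released.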
By following the dynamic spatial anonymization, vehicle data D(t) may be fully anonymized within flexible determined geographical areas Z following the methodology of k-anonymity and for example the k-nearest neighbor grouping/classification.
The dynamic feature of spatial partitioning I allows for arbitrary sizes and locations of the anonymization areas Z.
With the help of the integrated spatial aggregation II and its data quality enhancing aggregation techniques, the reliability of the anonymized data output may be increased.
Furthermore, the presented method, combining both techniques: spatial partitioning I and spatial aggregation II, reduces computational runtime, in particular, in case of big data loads and results in an enhanced privacy protection, even for sparsely covered areas that may now be incorporated within the dynamic grid approach.
The present method, especially action III of the method, is improved with regard to enhanced privacy protection, especially for geographical areas Z having a relatively high number of data sources. In such areas Z a single vehicle 10 may be assigned to several different groups G. In this case, the spatial aggregated data sets Dj_mean may overlap. The overlapping of the spatial aggregated data sets Dj_mean may allow unauthorized tracing of the overlapping portions and thus of the vehicles 10 contributing as data sources. The anonymity of vehicles 10 may be endangered. More precisely, the overlapping portions of the spatial aggregated data sets Dj_mean may be located with higher probability than other portions of the groups G, resulting in a potential privacy risk for the contributing vehicles 10.
Such a scenario is illustrated in
The present method addresses this circumstance in order to avoid such scenarios, which would allow unauthorized tracing of vehicles 10. The present method optimizes privacy and aims at a uniform probability distribution for locating data within the groups of vehicles during the second level aggregation j, that is, while aggregating data points Di_mean.
As
In detail, the modification of the spatial aggregated data sets Dj_mean may be provided as follows:
Let v be a vector describing a specific anonymization group G, e.g. v may be composed of the geo-coordinates of the corners of the anonymization group G:
Let further M be a 2×2 matrix of the form:
with r1 and r2 being random numbers in a certain interval, e.g. [−1, 1]. Then M performs a modification of length, shape and/or orientation when applied to a vector (x, y), depending on the values of r1 and r2.
If a modifying matrix:
will be applied to v, which describes an anonymization group G, it will result in a squeezed or stretched anonymization group G*. Thus, the modified spatial aggregated data set D*j_mean is created.
To also shift the group G, a shift vector tshift may be added to v, for example as:
The shift vector tshift may be a random vector. For example, the shift vector tshift may be chosen within predefined thresholds, e.g. with a length in an interval between 0 and 500 meters. The choice of the shift vector tshift may be made, for example, depending on the resolution of the current geographical area Z. Also, the requirements of the current use-case may be considered in the choice of the shift vector tshift.
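The modification v -> M v + tshift described above, as an added example that is not code from the original disclosure. The disclosure gives neither the concrete entries of M nor the conversion between geo-coordinates and metres, so the following are assumptions: M = [[1 + s·r1, s·r2], [s·r2, 1 + s·r1]] with s = 0.25, which keeps det(M) >= 0.5 for all r1, r2 in [−1, 1] so that a group can be squeezed, stretched or sheared but never collapsed to a line; M applied to the corner offsets from the group centroid in metres, so that the displacement of the group equals tshift exactly; |tshift| drawn uniformly from [0, 500] m with a random direction; and an equirectangular degree/metre conversion. resolve_overlaps() reports the summed pairwise overlap of the groups' bounding boxes before and after, which is the check a practitioner would run on the output; since a sheared group is no longer axis-aligned, the value after modification is a conservative over-estimate.

```python
"""Random modification of anonymization groups: v -> M v + t_shift.

Added example, not code from the original disclosure. The form of M, the
scale s = 0.25, the centroid-relative application and the degree/metre
conversion are assumptions (see the lead-in).
"""
import math
import random
from typing import List, Sequence, Tuple

Point = Tuple[float, float]              # (lon, lat) in degrees
Box = Tuple[float, float, float, float]  # lon_min, lat_min, lon_max, lat_max
Matrix = Tuple[Tuple[float, float], Tuple[float, float]]

M_PER_DEG_LAT = 111_320.0                # equirectangular approximation


def _m_per_deg_lon(lat_deg: float) -> float:
    return M_PER_DEG_LAT * math.cos(math.radians(lat_deg))


def matrix_m(r1: float, r2: float, scale: float = 0.25) -> Matrix:
    """Assumed form of M: the diagonal stretches or squeezes, the off-diagonal
    shears (changes orientation). det = (1 + s*r1)^2 - (s*r2)^2 >= 0.5."""
    return ((1.0 + scale * r1, scale * r2), (scale * r2, 1.0 + scale * r1))


def det(m: Matrix) -> float:
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def apply(m: Matrix, v: Point) -> Point:
    return (m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1])


def centroid(pts: Sequence[Point]) -> Point:
    n = len(pts)
    return (sum(p[0] for p in pts) / n, sum(p[1] for p in pts) / n)


def modify_group(corners: Sequence[Point], rng: random.Random,
                 scale: float = 0.25, max_shift_m: float = 500.0) -> List[Point]:
    """Apply M to the corner offsets from the centroid (in metres), then add
    t_shift with a random direction and a length drawn from [0, max_shift_m]."""
    cx, cy = centroid(corners)
    mlon = _m_per_deg_lon(cy)
    m = matrix_m(rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0), scale)
    ang, length = rng.uniform(0.0, 2.0 * math.pi), rng.uniform(0.0, max_shift_m)
    tx, ty = length * math.cos(ang), length * math.sin(ang)
    out: List[Point] = []
    for lon, lat in corners:
        x, y = apply(m, ((lon - cx) * mlon, (lat - cy) * M_PER_DEG_LAT))
        out.append((cx + (x + tx) / mlon, cy + (y + ty) / M_PER_DEG_LAT))
    return out


def shift_distance_m(before: Sequence[Point], after: Sequence[Point]) -> float:
    """Centroid displacement in metres; equals |t_shift| because M acts on
    zero-mean offsets and cannot move the centroid by itself."""
    (ax, ay), (bx, by) = centroid(before), centroid(after)
    return math.hypot((bx - ax) * _m_per_deg_lon(ay), (by - ay) * M_PER_DEG_LAT)


def bbox(pts: Sequence[Point]) -> Box:
    lons, lats = [p[0] for p in pts], [p[1] for p in pts]
    return (min(lons), min(lats), max(lons), max(lats))


def overlap_area(a: Box, b: Box) -> float:
    """Intersection area of two axis-aligned boxes, 0.0 if disjoint."""
    w = min(a[2], b[2]) - max(a[0], b[0])
    h = min(a[3], b[3]) - max(a[1], b[1])
    return w * h if w > 0 and h > 0 else 0.0


def total_overlap(groups: Sequence[Sequence[Point]]) -> float:
    """Sum of pairwise bounding-box overlaps (deg^2). For modified, sheared
    groups the bounding box over-estimates the true overlap."""
    boxes = [bbox(g) for g in groups]
    return sum(overlap_area(boxes[i], boxes[j])
               for i in range(len(boxes)) for j in range(i + 1, len(boxes)))


def resolve_overlaps(groups: Sequence[Sequence[Point]], seed: int
                     ) -> Tuple[List[List[Point]], float, float]:
    """Modify every group G into G*; return (G* list, overlap before, overlap after)."""
    rng = random.Random(seed)
    modified = [modify_group(g, rng) for g in groups]
    return modified, total_overlap(groups), total_overlap(modified)


# Constructed sample: two groups G whose areas share a strip (overlapping boxes).
GROUPS: List[List[Point]] = [
    [(10.000, 50.000), (10.010, 50.000), (10.010, 50.005), (10.000, 50.005)],
    [(10.007, 50.002), (10.017, 50.002), (10.017, 50.007), (10.007, 50.007)],
]
```

Two points matter in practice. The modification is random, so the overlap after modification is not guaranteed to be smaller than before; resolve_overlaps() returns both values so the caller can inspect them, retry with a different seed, or widen the shift threshold. And the random numbers should come from a generator that the data consumer cannot reconstruct: a seeded random.Random is used here only so that the example is reproducible, whereas a production backend would draw r1, r2 and tshift from a cryptographically secure source, since a predictable distortion could be undone.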
Therefore, privacy within the dynamic spatial anonymization framework may be enhanced. The present method serves for example for dynamic anonymization of the provided data content and at the same time ensures maximal protection of the identity of each data creator. The presented method may for example utilize a randomization approach.
A computer program product comprising a program code for carrying out a method as described above provides an aspect of the invention.
Also, a device 20, especially backend device, provides an aspect of the invention. The device 20 is only shown schematically in
The above description of the figures describes the present invention only in the context of examples. Of course, individual features of the embodiments may be combined with each other, provided it is technically reasonable, without leaving the scope of the invention.
The invention has been described in the preceding using various exemplary embodiments. Other variations to the disclosed embodiments may be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single processor, module or other unit or device may fulfil the functions of several items recited in the claims.
The term “exemplary” used throughout the specification means “serving as an example, instance, or exemplification” and does not mean “preferred” or “having advantages” over other embodiments. The term “in particular” and “particularly” used throughout the specification means “for example” or “for instance”.
The mere fact that certain measures are recited in mutually different dependent claims or embodiments does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims should not be construed as limiting the scope.
Number | Date | Country | Kind |
---|---|---|---|
22150434.3 | Jan 2022 | EP | regional |
22150435.0 | Jan 2022 | EP | regional |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2023/050245 | 1/6/2023 | WO |