IEEJ TRANSACTIONS ON ELECTRICAL AND ELECTRONIC ENGINEERING

IEEJ Trans 2024

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI:10.1002/tee.24254

Paper

Practical Trajectory Anonymization Method Using Latent

Space Generalization
Yuiko Sakuma* , Non-member
Hiroaki Nishi**,a , Member

The global positioning system (GPS) data are commonly used for location-based services such as traffic flow prediction. However,
such data contain considerable sensitive information and thus, they must be anonymized before being published. In this study,
we investigate trajectory anonymization. Previous methods have limitations in that they cannot be applied for different load
network sparseness and cannot preserve the trajectory information. Thus, we propose a DNN-based method that can anonymize
trajectories with different load network sparseness and also preserve the trajectory information. Specifically, the trajectories are
projected to the latent space using the pre-trained encoder-decoder model, and the latent variables are generalized. Furthermore,
to reduce the information loss, we propose a segment-aware trajectory modeling and study the effectiveness of assuming the
normal distribution to the latent space. The experimental results using real GPS data show the effectiveness of the proposed
method, presenting the improvement in the data reservation rate by approximately 3% and reducing the reconstruction error by
approximately 31%. © 2024 The Author(s). IEEJ Transactions on Electrical and Electronic Engineering published by Institute
of Electrical Engineers of Japan and Wiley Periodicals LLC.

Keywords: trajectory anonymization; k -anonymization; spatial–temporal representations

Received 14 August 2024; Revised 2 November 2024; Accepted 28 November 2024

1. Introduction generalization-based method faces difficulty in anonymizing tra-

The personal location data are sensed and collected extensively
by mobile service providers, owing to the prevalence of smart-
phones. A trajectory is a series of time-ordered location data used
for various location-based services, such as traffic flow prediction,
content delivery, and personalized advertising. The global position-
ing system (GPS) senses high-resolution spatial–temporal personal
data with a spatial resolution of a few meters with sub-second
sampling time [1]. Disclosing informative personal location data
reveals sensitive user information, such as residential places and
behavioral patterns. Identifying a user from trajectory data (i.e., a
set of spatial–temporal sequences) is known as the identity linkage
attack [2,3] and is a major privacy issue. Data anonymization pro-
tects user’s privacy during data publication. k -anonymization [4] is
one of the most widely studied and implemented privacy standards.
k -anonymity ensures that at least k records in a database have the
same quasi-identifiers. Thus, the data is protected from identity
linkage attacks because each person in the published database
cannot be distinguished from at least k − 1 of other individuals.
Recently, trajectory k -anonymization methods have been
proposed. Generalization-based methods [5–8] group trajectories
and generalize them by minimizing the spatial–temporal dis-
tances of the original and anonymized trajectories. However, the
a Correspondence to: Hiroaki Nishi. E-mail:
jectories recorded in sparse street networks. For instance, a sparse
street network is more likely to exist in rural areas including moun-
tains and rivers where no street networks exist. In such areas, the
trajectories in the database are far apart. When the generalization-
based method is applied in such sparse areas, the trajectories
that are far apart are grouped together for generalization to be
anonymized. This operation makes the anonymized trajectory to
contain segments that do not exist in the original database. Here,
a segment represents the breaking of the pathing data. This causes
the loss of information on traffic/pedestrian distribution and makes
the secondary use of the anonymized trajectories difficult such
as urban design. The information on traffic/pedestrian distribution
indicates the exact locations where traffic jam occurs and people
stop by. To address this issue, the segment-based method [9]
processes trajectories into segments, and then segments with
larger than k records in the database are published. However, the
anonymized segments cannot be used as trajectories; because the
trajectories are split into segments, the trajectory characteristics
(e.g., length and number of nodes) are lost.
In this paper, we propose a practical trajectory anonymization
method that can be used for load networks with any sparseness
and preserves trajectory information as well. Recently, deep
neural network (DNN)-based methods [10,11] have achieved
promising performance in k -anonymizing facial images. The
authors in Refs. [10,11] use StyleGAN’s latent variables [12], the

[email protected] projection of input images, as quasi-identifiers, and then average
* School of Science and Technology, Keio University 3-14-1, Hiyoshi, them. Subsequently, the averaged latent variables are decoded to
Kohoku-ku Yokohama 223-8522, Japan synthesize the anonymized images. Because the decoder learns the
** Department of System Design, Faculty of Science and Technology, Keio projection of the latent variables onto the original data distribution,
University 3-14-1, Hiyoshi, Kohoku-ku Yokohama 223-8522, Japan the anonymized data maintains the quality and attributes of the

© 2024 The Author(s). IEEJ Transactions on Electrical and Electronic Engineering published by Institute of Electrical Engineers of Japan and Wiley Periodicals LLC.
This is an open access article under the terms of the Creative Commons Attribution-NonCommercial-NoDerivs License, which permits use and distribution in any medium,
provided the original work is properly cited, the use is non-commercial and no modifications or adaptations are made.
 Y. SAKUMA, AND H. NISHI
original facial images. We assume that by applying the DNN-
based method for trajectories, the anonymized trajectories maintain
the characteristics (e.g., length or number of nodes) of original
trajectories and the traffic/pedestrian distribution within the map
as well. However, DNN-based k -anonymization has not yet been
explored for trajectories.
Our contribution can be summarized as follows:
1. We propose the trajectory k -anonymization method
that addresses the different load network sparsity. Prior
generalization-based methods often generate unrealistic
anonymized trajectories especially where loads are sparse.
We propose to generalize the trajectories in the latent space
(summarized in Fig. 1). By decoding the generalized latent
variables using the pre-trained DNNs, the anonymized
trajectories successfully preserve the original segment
distributions even for sparse load networks.
2. We propose two approaches to improve the quality of
anonymized trajectories using DNNs. Naı̈ve integration
of [5,13] presented two challenges. First, Ref. [13] only
anonymizes the location information, and the temporal
information is omitted. Second, generalizing the latent space
of the autoencoder (AE) used in Ref. [13] incurs a large
information loss because the latent space is not continuous.
To address these issues, first, we propose the segment-
aware trajectory model which retains the segment infor-
mation while handling the temporal information. Second,
we demonstrate the effectiveness of assuming a probabilis-
tic distribution to the latent space of the trajectory model
by using the variational autoencoder (VAE) to reduce infor-
mation loss. This makes the latent space more continuous
and reconstructs more realistic trajectories for the general-
ized latent variables. Although VAE has been widely used,
some trajectory models [14] use VAE and some [15,16]
do not, and it is not clear which model is appropriate for
k -anonymization; the impact of latent space distributions
has not been studied in the previous methods.
3. The proposed method is evaluated using real GPS data
obtained in the locations with different load network spar-
sity The data reservation rate is improved by approximately
3% and the reconstruction error is reduced by approximately
31% on average for the generalization-based method that
does not use DNNs.
2. Related Works
2.1. Trajectory data anonymization k -anonymization
and differential privacy (DP) are mainstream methods for
anonymization. DP methods aim to provide accurate statistical
information about trajectory data while preserving trajectories
private. A prior study [13] achieves this by adding noise to the
data. However, when the privacy criteria are strict and a large
noise is added, the trajectory moves to another location and
loses its utility. Moreover, the privacy issue still exists; although
the noise clutters the original trajectory, it can be inferred by
averaging them. In this paper, we focus on the k -anonymization.
For trajectory k -anonymization, generalization-based methods
define each trajectory in the database as the identifier that needs to
be anonymized and should not be distinguishable from other k − 1
records. Generalization-based methods [5,7] aim to reduce spatial
2 IEEJ Trans (2024)
Clustering
Input trajectories Grouped trajectories
Generalize
Encoder by Decoder
averaging
Latent space
Pre-trained DNN Anonymized trajectories
Fig. 1. The proposed DNN-based trajectory anonymization. The
trajectories are clustered and the grouped trajectories are gener-
alized in the latent space which is the projection of the original
trajectory. The generalized latent variables are decoded by the pre-
trained decoder
and temporal information loss by clustering k trajectories from
the databases. To publish the anonymized trajectories, the closest
nodes in a cluster are linked to generate a bounding box represent-
ing k passing. Abul et al. [17] extended the generalization-based
method by defining (k , δ)-anonymity, where a trajectory is repre-
sented as a cylindrical shape with radius δ location imprecision.
WINR2D [8] and GLOBE [6] improve privacy levels by using
perturbation. Although generalization-based methods successfully
reduce the spatial and temporal information loss of trajectories,
their practicality is limited. Because the trajectory is given as a
sequence of bounding boxes, the passing probability of a spe-
cific segment is not preserved, thereby losing the practicality of
map-based services such as traffic jam forecasts. For preserving
map information, the segment-based method [9] splits the origi-
nal trajectory into segments. Segments with larger than k passes
are published. However, because the segment-based method splits
the trajectories into segments, it cannot preserve trajectory infor-
mation, thereby losing the practicality of trajectory-based services
such as trajectory prediction. Our method is practical because it
preserves both the map and trajectory information.
Recently, DNNs have been incorporated for trajectory
anonymization methods that use DP [13,18] and data
synthesis; [14]. The authors of [13] propose to add noise to
the latent variables to make anonymized trajectories realistic. The
encoder-decoder model with the long-short term memory (LSTM)
[19] was used. They apply explicit trajectory modeling, in which
the latitude and longitude coordinates are directly used and
requires a large data size compared to implicit modeling, which
represents the coordinates as IDs. Only the location information
was anonymized, and the anonymization of temporal information
has not been explored. Furthermore, the k -anonymization of
DNN-based methods has not been discussed in previous studies.
2.2. Trajectory modeling by DNNs DNN-based tra-
jectory models can be categorized into explicit and implicit
methods. Most studies [20,21] use explicit methods that directly
 PRACTICAL TRAJECTORY ANONYMIZATION METHOD
model trajectories using latitude/longitude coordinates. Implicit
methods [15,16,22] do not use accurate location information;
instead, they utilize location IDs, which may be a random number
or a unique identifier, to represent the locations. TrajBERT [15]
proposes a trajectory reconstruction method using a bi-directional
Transformer-based model that predicts the missing nodes of a
sparse implicit trajectory. Similarly, AttnMove [16] addresses tra-
jectory reconstruction by using intra- and inter-trajectory attention
mechanisms. The implicit method is more practical because its
data size is smaller than that of the explicit method. Furthermore,
it is more suitable for representing segments because if a unique
ID is assigned to each node, the trajectory can be presented as
a sequence of segments. Therefore, our proposed method focuses
on implicit methods. Recent studies on implicit methods [15,16]
adopt a Transformer [23] to encode trajectories into latent space.
Similarly, we use a Transformer for trajectory modeling. The dif-
ference from prior implicit methods lies in temporal modeling, as
discussed in the Introduction.
3. Preliminaries
The raw trajectory data consists of a sequence of lati-
tude/longitude coordinates with noises. Map-matching was used
to format the raw trajectories. Here, the terms for the trajectory
modeling are defined.
3.1. Definition 3.1 (map-matching) GPS data are not
precise because of measurement errors. Map matching projects
a sequence of raw latitude/longitude coordinates onto the road
map. We follow the map-mapping-to-node method as described in
Ref. [9], which maps the coordinates to the nearest nodes. The
nodes are then connected to generate passing data. The shortest
path between the nodes is obtained to interpolate the missing
segments.
3.2. Definition 3.2 (implicit trajectory) An
implicit trajectory traj is defined as a time-ordered
sequence of location loci and timestamp tsi , represented as
traj = {(loc0 ts0 ) , (loc1 ts1 ) , · · · , (locn tsn )}, where loci is the
unique ID assigned to a coordinate of latitude lati and longitude
loni , (lati , loni ), where n is the total number of recorded tra-
jectory points. Here, n variates such that each trajectory has a
different length. We use relative time such that the timestamps
start at 00:00.
In Fig. 2(a), the example of two timestamp resampling methods
for a map-matched trajectory with a resampling rate of 1 min is
presented. The definitions are provided as follows.
3.3. Definition 3.3 (-sampling trajectory [15,16])
An -sampling trajectory is represented as traj  =
{loc0 , loc1 , · · · , locm } where m is the total number of sampling
intervals and  is the fixed sampling interval (Fig. 2(b)).
3.4. Definition 3.4 (segment-aware trajectory) We
propose a segment-aware trajectory that is agnostic to the sampling
interval. A segment-aware trajectory is represented as traj seg =
{(loc0 ts0 ) , (loc1 ts1 ) , · · · , (locn tsn )} , where loci and loci are nodes
of a segment, and tsi is the timestamp when a user passed loci
(Fig. 2(c))). As presented in Fig. 2(b), the -sampling trajectory
3 IEEJ Trans (2024)
(a)
(b) (c)
Fig. 2. Different resampling methods for map-matched trajectory
in (a). While the -sampling trajectory skips some segments such
as {loc0 , loc1 } and {loc1 , loc2 } (b), the segment-aware trajectory
keeps all segments (c). (a) Map-matched trajectory, (b) -sampling
trajectory, and (c) Segment-aware trajectory
skips some segments (i.e., {loc0 , loc1 } and {loc1 , loc2 }) when the
resampling resolution is not small enough. On the contrary, as in
Fig. 2(c), the segment-aware trajectory preserves all segments.
4. Proposed Method
4.1. Problem statement The trajectory data is sequences
of location data collected by GPS on devices such as smartphones
and is collected by various companies such as Agoop [24]. We
assume the same adversary capabilities defined for the complete
and static database in [5]. We define k -anonymization for trajec-
tories as follows.
4.1.1. Definition 4.1 (DNN-based trajectory k -
anonymization) A database is k -anonymous if each record
with the same quasi-identifier appears at least k times. The
attribute is each dimension of latent variables, the projection of
the original trajectory. An identifier is the original trajectory,
which can be directly connected to the unique personal informa-
tion of an individual. The quasi-identifier is the latent variable.
The sensitive data are the attributes that should not be lined with
the identifiers. This is typically specified by users, and in this
study, it is the latent variable as well.
The proposed method guarantees that the probability of re-
identification from some portion of trajectories or latent variables
is at most 1/k and smaller. Since the k -anonymization is performed
against the VAE latent space, assuming a normal distribution over a
multidimensional space, the summation of k latent variables would
be less than one. This makes the re-identification risk even smaller
than the typical k -anonymization of the data space.
4.1.2. Overview of the proposed method First, the input
trajectories are clustered as the method of [5] which greedily
clusters the trajectories to minimize the spatial and temporal
distances in each cluster. Subsequently, the quasi-identifiers for
the grouped trajectory are unified by generalization (Fig. 1).
Specifically, grouped trajectories are projected onto the latent space
using the pre-trained encoder and generalized by averaging the
latent variables. Finally, the averaged latent variables are decoded
by the pre-trained decoder to generate anonymized trajectories.
We develop an encoder-decoder model for trajectory anonymiza-
tion based on Ref. [13] and briefly explain in Section 4.2. As
discussed in the Introduction and in Section 3, we identified two
challenges in anonymizing trajectories using DNNs. First, the -
sampling Transformer model in TrajBERT [15] cannot accurately
 Y. SAKUMA, AND H. NISHI
Table I. Notation definitions
Notation Definition
loci , tsi Location and timestamp at the i -th node
traj, traj  , traj seg Implicit, -sampling, and segment-aware
trajectories
femb , fenc , fdec , frec The embedding, encoding, decoding, and
reconstruction functions
z The latent variable
y The output feature of the proposed DNN
model
LCE , LMSE , Lvar The cross entropy, MSE, and variational
losses
Fig. 3. The proposed encoder-decoder model. The input trajectory
traj is projected to the latent variables z . Then, z is decoded and
reconstructed
represent the segments and the anonymized map includes unrealis-
tic segments. Thus, we propose segment-aware trajectory modeling
(Definition 3.4) and explain in Section 4.3. Second, anonymized
trajectories are often spatially and temporally distant from the orig-
inal trajectories. We hypothesize that this is due to sparsity in the
latent space and propose assuming a normal distribution in the
latent space as explained in Section 4.4. The notation definitions
are summarized in Table I.
4.2. Encoder-decoder model for trajectories Fol-
lowing the prior method [13], we adopt an encoder-decoder model
for trajectories as shown in Fig. 3. While Sakuma et al. [13] use the
LSTM, we use the Transformer [23] which has been the state-of-
the-art of time-series modeling performance. We follow the typical
encoder-decoder formulation. First, the input trajectory traj is pro-
jected to the latent variable z such that:
 
z = fenc (femb (traj)) , z ∼ N μ, σ 2 (1)
where femb and fenc denote the embedding function and the
Transformer encoder, respectively. The latent variable z follows
the normal distribution with mean μ and variance σ . Then, the
reconstructed trajectory traj  is calculated from z such that:
traj  = frec (fdec (z ))
where fdec and frec are the Transformer decoder and reconstruction
function, respectively.
4.3. Segment-aware trajectory modeling The
embedding (femb ) and reconstruction function (frec ) are designed
specifically for the proposed segment-aware trajectory modeling.
We provide the formulation as follows.
4.3.1. Embedding function The input to the embedding
function is a segment-aware trajectory traj seg . The location and
timestamp sequences are processed separately to enable segment-
aware modeling. For the location sequence ({loc0 , loc1 , · · · , locn }),
following BERT [25], it is formatted by attaching it to the
start-of-sentence and end-of-sentence tokens. Subsequently, it
is fed into the embedding layer. For the timestamp sequence
({ts0 , ts1 , · · · , tsn }), it is fed into the sine-cosine encoding followed
by the fully-connected (FC) layer to align the feature dimension.
The timestamp sequence is padded to align its length with
the location sequence. The location and timestamp features are
concatenated with the positional encoding.
4.3.2. Reconstruction function The output feature y =
fdec (z ) is converted to the reconstructed trajectory traj  . Different
from the -sampling trajectory, a multitask head, which is an FC
layer that predicts the sequences of the reconstructed nodes, is
employed to compute the output feature for location (yloc ) and
timestamps (yts ) separately. Here, yloc is the probability of the
location IDs. The details of decoding from yts is provided bellow.
4.3.3. Timestamp decoding The naı̈ve way to decode
the timestamp from yts is to directly predict the normalized
timestamp. However, this does not guarantee the timestamp
order; the timestamp is always incremental but the naı̈ve method
generates timestamps independently and the order may not be
kept. Thus, we propose representing yts as speed and decoding

them to timestamps. Specifically, yts,i is the normalized speed
for the passing segment {loci , loci +1 } and the cumulative sum
of time between each node is the reconstructed timestamp trajts
calculated as:

n
 dist(i ,i +1)
trajts,i = (3)
yts × max_speed
i =0
where dist(i ,i +1) is the distance of the segment {loci , loci +1 }. The
sigmoid activation was used to convert yts into the 0–1 range.
4.3.4. Sequence decoding process The decoding process
for the Transformer differs in terms of training and inference.
During training, the model decodes the output trajectory in parallel
by masking the location tokens after the end-of-sentence (EOS)
token. During inference, decoding is performed sequentially and
the generation process stops when the EOS token is generated.
Among several decoding strategies such as greedy search and beam
search [26], we used the top-K sampling method where K most
likely next location IDs are filtered and the probability mass is
redistributed among only the K nodes. We set K as five.
4.4. Trajectory reconstruction training The recon-
struction error can be calculated from the cross-entropy (CE) loss
for node prediction (4) and the mean squared error (MSE) for
speed prediction (5), such that:
(2)
1 
n n_nodes

LCE = − pj log yloc,j (4)
n
i =0 j =0
1 
n

2
LMSE = vi − yts,i (5)
n
i =0
where p is the probability of the trajectory passing each node and
vi is the speed passing between nodes loci and loci +1 .
4 IEEJ Trans (2024)
 PRACTICAL TRAJECTORY ANONYMIZATION METHOD
4.4.1. Assuming a normal distribution in the latent
space When the model is trained with only the reconstruction
error (the weighted sum of (4) and (5), which is the same
setting as training AE), the anonymized trajectories are often
unrealistic. This is caused by the sparsity in the latent space of
the AE; since one-to-one mapping is performed by the AE, some
subspace in the latent space is left empty. When the generalized
latent variables are mapped to such empty space, the decoded
trajectory may be broken because the decoder is not trained
for such latent variables. The VAE [27] addresses this issue by
introducing normal distribution into the latent space to make it
continuous [28]. Although more complex latent space modeling
(e.g., Gaussian Mixture Models or normalizing flows) can be used,
the improvement is considered to be marginal [29]. Thus, we train
the VAE such that z is sampled from the normal distribution with
mean μ and variance σ as follows:
Lvar = Eq [ln p(traj|z )] − KL[q(z |traj)  p(z ))] (6)
LKL = KL[q(z |traj)  p(z ))]
1 
D
 48GB of memory. The Adam optimizer [33] was used for training.
= 1 + log σ2 − σ 2 − μ2 (7)
2
d =1
where p and q are prior and posterior distributions, respectively.
The first term of (7) is the reconstruction error. The reparameteri-
zation trick is used to allow backpropagation during training. The
total training loss Ltotal can be formulated as:
Ltotal = LCE + λMSE LMSE + λKL LKL (8)
where λMSE and λKL are balancing weights. The proposed
anonymization method is summarized in Algorithm 1.
Algorithm 1 Proposed DNN-based anonymization method
Require: a set of trajectories TRAJ, a trajectory model with femb ,
fenc , fdec , and frec . Anonymization level k .
Ensure: a set of anonymized trajectories TRAJ .
1: for maximum training epochs do
2: Optimize femb , fenc , and fdec to minimize Ltotal
3: end for
4: Cluster TRAJ into groups of k trajectories G using the
greedy matching method of [5]
5: for all groups g ∈ G do
6: for all traji ∈ g do
7: zi = fenc (femb (traji . ))
8: end for
9: Generalize z1 , z2 , . . . zi , . . . zk to acquire z  .
10: Acquire the anonymized trajectory
 
traj  = frec fdec z  , traj  ∈ TRAJ .
11: end for
5. Experiments
5.1. Implementation details The proposed method was
evaluated using real trajectory data collected in the cities with
different load network sparsity. The datasets used in this study
were collected by Agoop [24]. We used data from two cities (e.g.,
Saitama and Tsurumi, Japan) with different network sparsity. The
5 IEEJ Trans (2024)
dataset was collected from January to August 2017 and January
to November 2019 for Saitama and Tsurumi, respectively. For
Saitama, the load network is relatively dense, such that the target
area is busy, having both residential and commercial areas. For
Tsurumi, the load network is relatively sparse such that the target
area is residential. The raw data were organized into a set of daily
GPS points, with each user assigned a unique ID for each day.
The datasets contain the timestamp, latitude, longitude, accuracy,
departure/arrival, and direction data for each GPS point. Only the
timestamps, latitudes, and longitudes were used in the experiment.
Because this study assumes a moving trajectory, we excluded tra-
jectories with over 25% of the nodes that exhibited a spontaneous
speed of zero. The minimum and maximum numbers of nodes
were 3 and 200, respectively. The timestamps for each node were
resampled to every 30 s. The trajectories were map-matched using
the OpenStreetMap [30] API, and split into sequences of 1 h.
The Transformer architecture was designed based on BERT-
small [31,32], which uses an embedding layer with 512 dimensions
and four transformer encoder/decoder layers (with four head self-
attention layers and an FC layer with 512 dimensions). The model
was trained for 100 epochs using an NVIDIA RTX8000 GPU with
The proposed method was compared to the generalization-
based method [5] which directly anonymizes the trajectories
(denoted as “direct”) and the segment-based [9] (denoted as
‘segment’) methods. For all methods, the trajectories were greedily
grouped to minimize the dynamic time warping (DTW, detailed in
Section 5.2) within a group of k trajectories. For the direct method,
the nodes on two trajectories were greedily matched to minimize
the DTW between them. Then, the center of each bounding box
was used as an anonymized node. For the segment method, first,
the trajectories were split into segments. Then, the segments with
more than k overwraps were preserved to be published.
5.2. Evaluation metrics To evaluate the ability to pre-
serve the trajectory distribution over a map, the segment reserva-
tion rate used in [9] is calculated as follows:
Reserved unique segments
Segment reservation rate =
Total number of unique segments
(9)
Trajectory information loss was evaluated by the recon-
struction error for spatial (location), temporal (timestamp), and
spatial–temporal (speed) distances. Specifically, for evaluating
the distance between variant-length trajectories, DTW [34] was
selected. DTW measures the distance between variant-length
sequences, such as time-series analysis and trajectories. For eval-
uating the timestamp reconstruction error, the mean absolute error
(MAE) was calculated. For evaluating timestamp MAE, we used
the same node matching calculated for location DTW. For evalu-
ating speed reconstruction error, the instantaneous speed at each
node is calculated.
5.3. Qualitative analysis The proposed method was
compared to the prior methods, the generalization-based method
[5] (denoted as ‘direct’) and the segment-based [9] (denoted as
‘segment’) method for k = 2, 4, 8, 16, 32, 64, 128. The balancing
weight λKL of the variational loss was 0.1.
The anonymized trajectories are presented in Fig. 4 for the
Saitama and Tsurumi datasets when k = 4. The proposed method
achieved to preserve the original trajectory distribution for load
 Y. SAKUMA, AND H. NISHI

Fig. 4. Original (black) and anonymized (blue) trajectories for load networks with different sparsity when k = 4. The anonymized
trajectories generated by the direct method [5] pass unrealistic segments especially for sparse load networks in Tsurumi (bottom). The
segment method [9] splits the trajectories into segments and the trajectory information is lost. The proposed DNN-based method generates
realistic trajectories for locations with dense and sparse load networks

networks with different sparsity and preserves the trajectory infor- Direct
mation. When the load network was sparse (e.g., Tsurumi), the 0.8 Segment
Proposed
Seg reserv rate ↑

anonymized trajectories were unrealistic for the direct method; 0.6

it often generated zigzag trajectories. Because the direct method
greedily groups the nodes to minimize DTW, the anonymized seg- 0.4
ments are likely to be mapped to locations where traffic/pedestrians 0.2
do not pass by when the nearest nodes are far away. Losing
such information misses the passing probability of specific streets 0.0
and degrades the accuracy of services, such as traffic jam fore- 21 22 23 24 25 26 27
casts. The segment method lost trajectory information because only k (log scale)
segments with k passes are preserved, making the anonymized (a)
trajectory shorter than the original ones. Information loss was
more significant when k is larger as discussed in Section 5.2. Direct
The proposed method better preserved both segment and tra- 0.8 Segment
Proposed
Seg reserv rate ↑

jectory information than the direct and segment methods. For 0.6
instance, the proposed method generated a realistic trajectory that
0.4
passes through broader streets for both the Saitama and Tsurumi
datasets and preserved the segment information of the original 0.2
map. Furthermore, the length and direction of the trajectory were
0.0
similar to those of the original trajectories, preserving trajectory
information well. 21 22 23 24 25 26 27
k (log scale)
5.4. Evaluation on segment reservation rate (b)
Segment information loss was evaluated using the segment
Fig. 5. Segment reservation rate. The proposed method presents
reservation rate as presented in Fig. 5. The proposed method
larger segment reservation rate for larger k , and thus better
outperformed the direct method when k ≥ 16 and k ≥ 8 for the
preserves trajectory distribution than the direct and segment-based
Saitama and Tsurumi datasets, respectively. As presented in the
method. ↑ denotes that the performance is better when the value
qualitative analysis (Section 5.3), the direct method tends to lose
is larger. (a) Saitama and (b) Tsurumi
segment information because it greedily generates an anonymized
trajectory that only reduces the spatial and temporal distances. The
segment method preserved segments better when k was smaller; segment methods by 3.06% and 1.66% on average, respectively,
however, when k was larger, the information loss became larger. for Saitama (Fig. 5(a)).
The proposed method preserved segment information well, even The proposed method performed well for sparse trajectory data
for large k values. The proposed method outperformed direct and for Tsurumi (Fig. 5(b)). While the target area was both commercial

6 IEEJ Trans (2024)

 PRACTICAL TRAJECTORY ANONYMIZATION METHOD

Table II. Trajectory reconstruction errors for location, timestamp, the direct method often generates unrealistic segments in which
and speed for Saitama dataset nodes are spatially far. On the other hand, the proposed method
has the advantage of generating realistic segments. We observed
Reconstruction error ↓ the same characteristics for both the Saitama and Tsurumi datasets.
Location Timestamp Speed
k Method (km) (s) (ms−1 ) 5.6. Effectiveness of the proposed segment-aware tra-
16 Direct 10.96 164.98 9.82 jectories From Table III, the proposed segment-aware method
Proposed 11.76 219.66 6.42 presents a better segment reservation rate than the -sampling
32 Direct 19.21 197.33 10.09 method by about 30.0%. The -sampling method failed to preserve
Proposed 13.41 226.16 6.54 the segment information because it generated anonymized trajec-
64 Direct 36.67 223.97 9.62 tories from maps without considering the segment information.
Proposed 16.78 225.16 6.51 Thus, the proposed segment-aware method is more suitable for pre-
128 Direct 66.75 256.95 8.61 serving map information. Furthermore, the location reconstruction
Proposed 19.96 226.54 6.59 error was smaller than 4.53%. However, the -sampling method
Note: The proposed method’s reconstruction error is kept small when k presented a smaller timestamp reconstruction error (24.3% better).
becomes larger. ↓ denotes that the performance is better when the value is Timestamp reconstruction is more difficult for our segment-aware
smaller. The bold value presents the better method between the direct and method because the speed of each segment needs to be accurately
proposed methods. predicted. Because the evaluation dataset included trajectories with
different moving speeds, reconstruction error was large when the
and residential in Saitama, it was residential in Tsurumi and the prediction was inaccurate. We leave this issue for future works and
recorded data was sparser. The direct and segment methods lost discuss the advantages and disadvantages of the -sampling and
more segment information than in the dense area (i.e., Saitama). segment-aware methods in Section 6.
Notably, the segment reservation rate dropped more for the Next, different timestamp decoding methods were applied to
segment method when k was large, because when the amount confirm the effectiveness of using speed. Notably, the naı̈ve
of recorded data is small, most segments need to be removed to method that directly uses time (denoted as ‘segment-aware
meet the privacy criteria. The proposed method outperformed both [time]’), suffered from reconstructing the timestamp, resulting in
methods for most k values (15.6% and 8.57% better than the direct a loss increase approximately 60 times greater compared to the
and segment methods, respectively). speed-decoding method (denoted as ‘segment-aware (speed)’). It
was observed that ‘segment-aware (time)’ was not robust for
5.5. Evaluation on trajectory information loss Tra- decoding errors, and when anonymized via latent space, the recon-
jectory information loss was evaluated using the reconstruction struction error tended to be large. By using speed, ‘segment-aware
error for the location and timestamp and is presented in Table II. (speed)’ was more robust to errors and successfully reduced the
The reconstruction error for the segment method cannot be cal- reconstruction error compared to time-decoding. This robustness
culated and is not shown in Table II; it splits a trajectory into also improves the segment reservation error. We observed the same
segments and trajectory information is not kept. The location characteristics for both the Saitama and Tsurumi datasets.
reconstruction error of the proposed method was smaller than that
of the direct method when k is greater than 32 (30.5% smaller, on 5.7. Effectiveness of assuming the Normal distribu-
average). When k was large, the direct method often generated a tion in the latent space From Table III, by using λvar , the
spatially distant anonymized trajectory. This is because the direct location reconstruction error was successfully reduced by 30.8%.
method is not robust when an outlier is present, and greedily gen- The effectiveness of using variational loss in the latent space is
erates an anonymized trajectory at the center of the grouped trajec- shown in Fig. 6. The latent variables of the clustered trajectories for
tories. In contrast, the proposed method generated an anonymized k = 32 were projected to the two-dimensional space using t-SNE
trajectory based on the distribution of the original trajectories and [35]. The eight clusters were randomly selected for visualization.
is more robust for outliers. While the proposed method’s times- When the variational loss was not used (Fig. 6(a)), each cluster
tamp reconstruction error is mostly larger than that of the direct was sparsely scattered. It can be observed that as the balancing
method, it is kept constant when k gets larger. Although the pro- weight λKL became larger, the latent space became more continu-
posed method can generate reasonable timestamps, reconstruction ous (Fig. 6(b)–(d)). When λKL was larger, although the segment
loss tends to be large. The analysis and discussion are provided in reservation rate slightly dropped, the location reconstruction loss
Sections 5.6 and 6. The speed reconstruction error is smaller for the decreased. The segment reservation rate and location information
proposed method than the direct method for all k . This is because loss stroked the good balance when λKL = 0.1.

Table III. The effectiveness of the trajectory modeling, timestamp decoding, and variational loss in the proposed method

Trajectory Timestamp Segment Reconstruction Reconstruction

modeling decoding With Lvar reservation rate ↑ error, location (km) ↓ error, timestamp (s) ↓
-sampling [15,16] – – 0.27 18.24 177.06
Segment-aware Time – 0.33 15.51 13 455.84
Segment-aware Speed – 0.57 17.45 220.14
Segment-aware Speed  0.52 12.08 223.23
Note: The average of k = 2, 4, 8, 16, 32, 64, 128 for Saitama dataset is presented. The second-best results are denoted with blue font. The bold value presents
the better method between the direct and proposed methods.

7 IEEJ Trans (2024)

 Y. SAKUMA, AND H. NISHI

10
10

Dim1

Dim1
0 0
–10 –10

–20 –10 0 10 –15 –10 –5 0 5 10 15

Dim2 Dim2
(a) (b)

5.0
10 2.5
Dim1

Dim1
0 0.0
–10 –2.5

–15 –10 –5 0 5 10 15 –2 0 2 4
Dim2 Dim2
(c) (d)
Fig. 6. The latent space of trained models for different balancing weights (λKL ) of the variational loss (Lvar ). When λKL = 0.1, the location
reconstruction error (LRE) is the smallest while the segment reservation rate (SRR) does not drop significantly. (a) λKL = 0 (without
Lvar ), SRR = 0.78, LRE = 12.25 km, (b) λKL = 0.01, SRR = 0.76, LRE = 7.99 km, (c) λKL = 0.1, SRR = 0.76, LRE = 7.65 km, and (d)
λKL = 1, SRR = 0.73, LRE = 8.49 km

6. Discussion
Although the proposed method successfully reduces the spa-
tial information loss, it incurs a larger temporal information loss
than prior methods because of the difficulty in predicting the
timestamps. Each timestamp sampling method has advantages and
disadvantages. For instance, while the -sampling method can
accurately model timestamps, it loses the segment information.
Although our segment-based method preserves the location infor-
mation better, the reconstruction error for the timestamps is larger.
Thus, the trajectory modeling method should be selected based on
applications on their spatial or temporal sensitiveness.
As discussed in previous studies [5], k -anonymization does
not guarantee the protection of sensitive data. Although this is
beyond the scope of this study, the proposed method can be
extended to l -diversity by comparing the trajectories with similar
latent variables. Another future direction is to study the acceptable
information loss criteria on the use side. There is always a trade-off
between information loss and privacy performance and studying
the acceptable balance is an important research topic.
7. Conclusion
We proposed a practical trajectory anonymization method that
can be used for any load network sparseness and preserves
trajectory information. We introduced the DNN-based method in
which the trajectories are projected onto the latent space and the
latent variables are generalized for anonymization, and present
the effectiveness to anonymize the trajectory data with different
load network sparsity. To better preserve the segment information,
we propose segment-aware trajectory modeling. Furthermore, to
reduce reconstruction error, the effectiveness of assuming the
normal distribution in the latent space was studied. The proposed
method was evaluated using real GPS data, and its practicality over
prior methods was presented. Thus, our method builds a foundation
for applying DNNs to trajectory anonymization.
Acknowledgments
This work was supported by the JST CREST Grant Number
JPMJCR19K1. The authors also express their gratitude to the JST CSTI
SIP (the 3rd period of SIP, ‘Smart Energy Management System’), the
MAFF Commissioned project study (Grant Number JPJ009819), and
the MOE Demonstration Project ‘FY2022 Technology Development
and Demonstration Project for Regional Symbiosis and Cross-Sectoral
Carbon Neutrality (Second Round)’, and the commissioned research
(No. JPJ012368C08001) by National Institute of Information and
Communications Technology (NICT), Japan.
References
(1) Al-Hussaeni K, Fung BC, Iqbal F, Dagher GG, Park EG. SafePath:
Differentially-private publishing of passenger trajectories in trans-
portation systems. Computer Networks 2018; 143:126–139.
(2) Zang H, Bolot J. Anonymization of location data does not work: A
large-scale measurement study. In Proceedings of the 17th Annual
International Conference on Mobile Computing and Networking. Las
Vegas, Nevada: ACM; 2011; 145–156.
(3) De Montjoye Y-A, Hidalgo CA, Verleysen M, Blondel VD. Unique in
the crowd: The privacy bounds of human mobility. Scientific Reports
2013; 3(1):1–5.
(4) Sweeney L. k-anonymity: A model for protecting privacy. Interna-
tional Journal of Uncertainty, Fuzziness and Knowledge-Based Sys-
tems 2002; 10(5):557–570.
(5) Nergiz ME, Atzori M, Saygin Y. Towards trajectory anonymization:
A generalization-based approach. In Proceedings of the SIGSPATIAL
ACM GIS 2008 International Workshop on Security and Privacy in
GIS and LBS . Irvine, CA: ACM; 2008; 52–61.
(6) Gramaglia M, Fiore M, Furno A, Stanica R. GLOVE: Towards
privacy-preserving publishing of record-level-truthful mobile phone
trajectories. ACM/IMS Transactions on Data Science (TDS) 2021;
2(31–36):1–36.
(7) Domingo-Ferrer J, Martı́nez S, Sánchez D. Decentralized k-
anonymization of trajectories via privacy-preserving tit-for-tat.
Computer Communications 2022; 190:57–68.

8 IEEJ Trans (2024)

 PRACTICAL TRAJECTORY ANONYMIZATION METHOD
(8) Mahdavifar S, Deldar F, Mahdikhani H. Personalized privacy-
preserving publication of trajectory data by generalization and distor-
tion of moving points. Journal of Network and Systems Management
2022; 30(1):10.
(9) Hashimoto M, Morishima R, Nishi H. Low-information-loss
anonymization of trajectory data considering map information. In
2020 IEEE 29th International Symposium on Industrial Electronics
(ISIE). Delft: IEEE; 2020; 499–504.
(10) Nakamura T, Sakuma Y, Nishi H. Face-image anonymization as
an application of multidimensional data k-anonymizer. International
Journal of Networking and Computing 2021; 11(1):102–119.
(11) Le M-H, Khan MSN, Tsaloli G, Carlsson N, Buchegger S. Anonfaces:
Anonymizing faces adjusted to constraints on efficacy and security.
In Proceedings of the 19th Workshop on Privacy in the Electronic
Society. Virtual: ACM; 2020; 87–100.
(12) Karras T, Laine S, Aittala M, Hellsten J, Lehtinen J, Aila T. Analyz-
ing and improving the image quality of stylegan. In Proceedings of the
IEEE/CVF Conference on Computer Vision and Pattern Recognition.
Seattle, Washington: IEEE; 2020; 8110–8119.
(13) Sakuma Y, Tran TP, Iwai T, Nishikawa A, Nishi H. Trajectory
anonymization through Laplace noise addition in latent space. In
2021 Ninth International Symposium on Computing and Networking
(CANDAR). Matsue, Japan: Institute of Electrical and Electronics
Engineers Inc.; 2021; 65–73.
(14) Kim JW, Jang B. Privacy-preserving generation and publication of
synthetic trajectory microdata: A comprehensive survey. Journal of
Network and Computer Applications 2024; 230:103951.
(15) Si J, Yang J, Xiang Y, Wang H, Li L, Zhang R, Tu B, Chen X.
TrajBERT: BERT-based trajectory recovery with spatial-temporal
refinement for implicit sparse trajectories. IEEE Transactions on
Mobile Computing 2023; 23:4849–4860.
(16) Xia T, Qi Y, Feng J, Xu F, Sun F, Guo D, Li Y. Attnmove:
History enhanced trajectory recovery via attentional network. Pro-
ceedings of the AAAI Conference on Artificial Intelligence 2021; 35:
4494–4502.
(17) Abul O, Bonchi F, Nanni M. Anonymization of moving objects
databases by clustering and perturbation. Information Systems 2010;
35(8):884–910.
(18) Chen S, Fu A, Shen J, Yu S, Wang H, Sun H. RNN-DP: A
new differential privacy scheme base on recurrent neural network
for dynamic trajectory privacy protection. Journal of Network and
Computer Applications 2020; 168:102736.
(19) Hochreiter S, Schmidhuber J. Long short-term memory. Neural
Computation 1997; 9(8):1735–1780.
(20) Mao W, Xu C, Zhu Q, Chen S, Wang Y. Leapfrog diffusion model
for stochastic trajectory prediction. In Proceedings of the IEEE/CVF
Conference on Computer Vision and Pattern Recognition. Vancouver,
Canada: IEEE; 2023; 5517–5526.
(21) Li R, Li C, Ren D, Chen G, Yuan Y, Wang G. BCDiff: Bidirectional
consistent diffusion for instantaneous trajectory prediction. Advances
in Neural Information Processing Systems 2024; 36:14400–14413.
(22) Ren H, Ruan S, Li Y, Bao J, Meng C, Li R, Zheng Y. Mtrajrec:
Map-constrained trajectory recovery via seq2seq multi-task learning.
In Proceedings of the 27th ACM SIGKDD Conference on Knowledge
Discovery & Data Mining. New York: ACM; 2021; 1410–1419.
9 IEEJ Trans (2024)
(23) Vaswani A, Shazeer N, Parmar N, Uszkoreit J, Jones L, Gomez
AN, Kaiser L, Illia P. Attention is all you need. Advances in Neural
Information Processing Systems 2017; 30.
(24) Agoop. https://agoop.co.jp [Accessed August 11, 2024]
(25) Devlin J, Chang M-W, Lee K, Toutanova K. Bert: Pre-training of
deep bidirectional transformers for language understanding. arXiv
preprint arXiv:1810.04805 . 2018.
(26) Fan A, Lewis M, Dauphin Y. Hierarchical neural story generation.
arXiv preprint arXiv:1805.04833 . 2018.
(27) Kingma DP. Auto-encoding variational Bayes. arXiv preprint
arXiv:1312.6114 . 2013.
(28) Davidson TR, Falorsi L, De Cao N, Kipf T, Tomczak JM. Hyper-
spherical variational auto-encoders. CoRR. 2018.
(29) Tamczak J, Welling M. VAE with a VampPrior. International
Conference on Artificial Intelligence and Statistics 2018:1214–1223.
(30) OpenStreetMap. https://www.openstreetmap.org/. [Accessed August
11, 2024]
(31) Bhargava P, Drozd A, Rogers A. Generalization in NLI: Ways (not)
to go beyond simple heuristics. arXiv preprint arXiv:2110.01518 .
2021.
(32) Turc I, Chang M-W, Lee K, Toutanova K. Well-read students learn
better: The impact of student initialization on knowledge distillation.
arXiv preprint arXiv:1908.08962 , Vol. 13, No. 3. 2019.
(33) Kingma DP, Ba J. Adam: A method for stochastic optimization. arXiv
preprint arXiv:1412.6980 . 2014.
(34) Velichko V, Zagoruyko N. Automatic recognition of 200 words.
International Journal of Man-Machine Studies 1970; 2(3):223–234.
(35) Van der Maaten L, Hinton G. Visualizing data using t-SNE. Journal
of Machine Learning Research 2008; 9(11):2579–2605.
Yuiko Sakuma (Non-Member) received her B.E., M.E., and
Ph.D. degrees from Keio University, Japan,
in 2018, 2020, and 2024, respectively. Her
research interests are energy management
systems and deep learning.
Hiroaki Nishi (Member) received his B.E., M.E., and Ph.D.
degrees from Keio University, Japan, in
1994, 1996, and 1999, respectively. The
main theme of his current research is
building a total network system including
the development of hardware and software
architecture. He places great importance on
considering the requirements of the future
highly-networked information society. He
has expertise in researching Next generation IP router architec-
ture, Data Anonymization Infrastructure, and the Smart City/Smart
Community.