*5.5. Privacy-versus-Utility Tradeoffs*

An illustration of the privacy-versus-utility tradeoff is shown in Figure 10, where the utility is defined as the correct detection probability *Pd* (see Equation (9)).

**Figure 10.** Privacy versus utility tradeoff. Proximity threshold *γ* = 2. The plots illustrate the behavior of the argmin vs argmax metrics against RMSE. (**a**) *Pd* as utility; (**b**) *Pf a* as utility

Figure 11 shows also the impact of the proximity threshold *γ* on the utility (detection probability) and false alarm probability. Two proximity thresholds were considered: *γ* = 2 m, useful for example for a digital contact-tracing service provider and *γ* = 10 m, useful for example for a 'find a friend' application in a shopping center. The proximity threshold choice does not change the main conclusions that *argmax* metric with an  below 1 (i.e., a noise standard deviation above 1 m) offers the best tradeoff between utility and privacy. This threshold provides decent detection probabilities (higher than 90%) and moderately low false alarm probabilities (below 16%). The best tradeoff utility region is also illustrated in Figure 12, this time only for the *argmax* metric and two proximity thresholds.

Figure 13 shows that also the hotspot distribution of users has little bearing on the privacy-utility tradeoff, with best tradeoffs obtained again for *argmax* metric and a low  value, mapping to high perturbed levels due to *argmax* operator. As in the *Margmax*(·) metric, the user perturbed location is mapped to points far away from true user location, it is intuitive that higher RMSE values between the perturbed and true locations are obtained in the case with less users within the building hotspots, as seen in Figure 13 by comparing the 20% and 80% hotspot distributions.

**Figure 11.** Impact of the proximity threshold on (**a**) detection *Pd* and (**b**) false-alarm rates *Pf a*.

**Figure 12.** Privacy versus utility tradeoff. Argmax metric. Proximity thresholds *γ* = 2 m and *γ* = 10 m.

**Figure 13.** Privacy versus utility tradeoff in the presence of different hotspot distribution of users (80% of users within hostpots versus only 20% of users within the building hotspots). Argmax metric and *γ* = 2 m.

The impact of the grid step on the utility and the privacy level is shown in Figure 14. As mentioned above, the grid step influences the matrix **b** ∈ **B** transmitted to the users within a building. For clarity purpose and because the noise type (Laplace versus Gaussian) has low impact, only the Gaussian noise perturbations are shown. Clearly, the impact of the step size is minimal on both the service utility (computed as the correct detection

probability of close-by users within a threshold *γ*) and on the user privacy (computed as the RMSE between the disclosed perturbed location and the true user location). This fact eases the amount of data needed to be transferred from the service provider to the user, as the size of the building grid matrix **b** is decreasing when the grid step Δ*s* is increasing. Nevertheless, the choice of the grid step Δ*s* should take into account the building size (e.g., steps lower than 10% of maximum building length in a certain direction are recommended).

**Figure 14.** The impact of the grid step on the (**a**) utility and (**b**) privacy. A proximity service with *γ* = 2 m.

In Figure 15, the different building sizes are compared for a fixed number of users *Nu*. Here, the added noise in the perturbation yields similar results independent of its type. However, *Pd* levels are high up, as close to 100% for the largest building size, namely 20 × 20 m. Whereas the smallest building considered in the simulation, with the dimensions of 100 × 200 m, shows moderate *Pd* and *Pf a* levels, accordingly. One could translate the situation with a fixed number of users and varying building sizes into the density of the users, where a little space is offered to each user per se.

**Figure 15.** The impact of the building size on the application's utility. A proximity service with *γ* = 2 m, fixed *Nu* = 1000. (**a**) *Pd*and (**b**) *Pfa*.

Last but not least, Figure 16 shows that the number of users in the building has no impact on the utility-privacy tradeoff and the *argmax* metric with any of the two noise types (Gaussian or Laplacian) is able to attain very good tradeoff levels.

**Figure 16.** Privacy versus utility tradeoff in the presence of different number of users. Argmax metric and *γ* = 2 m.
