SPACE PARTITIONING FOR PRIVACY ENABLED 3D CITY MODELS

Due to recent technological progress, data capturing and processing of highly detailed (3D) data has become extensive. And despite all prospects of potential uses, data that includes personal living spaces and public buildings can also be considered as a serious intrusion into people’s privacy and a threat to security. It becomes especially critical if data is visible by the general public. Thus, a compromise is needed between open access to data and privacy requirements which can be very different for each application. As privacy is a complex and versatile topic, the focus of this work particularly lies on the visualization of 3D urban data sets. For the purpose of privacy enabled visualizations of 3D city models, we propose to partition the (living) spaces into privacy regions, each featuring its own level of anonymity. Within each region, the depicted 2D and 3D geometry and imagery is anonymized with cartographic generalization techniques. The underlying spatial partitioning is realized as a 2D map generated as a straight skeleton of the open space between buildings. The resulting privacy cells are then merged according to the privacy requirements associated with each building to form larger regions, their borderlines smoothed, and transition zones established between privacy regions to have a harmonious visual appearance. It is exemplarily demonstrated how the proposed method generates privacy enabled 3D city models.


INTRODUCTION
As a result of the rapid ongoing developments in the field of sensor, analysis, and internet technologies, there is a continuous increase in the acquisition, presentation, and dissemination of geographical data. Especially for urban areas, there have been large-area photorealistic 3D city and street view models available on the internet for quite some time. The technological trend is inevitably towards a greater amount of detail and higher (image) resolutions. There have also been initiatives to systematically capture indoor environments. Nevertheless, despite all technological possibilities, it is easily forgotten that the systematic data acquisition of our surroundings and the derived products can also be perceived as an intrusion into personal privacy. This holds true especially if the deployed sensor platforms allow for viewing perspectives that overcome natural visibility barriers, enabling views into private living spaces. Furthermore, national security agencies and government representatives consistently express concern regarding the presentation of security-relevant locations (government buildings, nuclear power plants, schools, churches, medical facilities, etc.) on the internet, which often results in the blurring or blacking out of relevant areas beyond recognition. These kinds of masking techniques, however, often make their visualization useless and lower the overall applicability of 3D city models. This perspective demonstrates that 3D city modeling has to simultaneously deal with two conflicting objectives: technological progress and privacy. When privacy and security issues are of concern, an acceptable compromise needs to mediate between realistic and informative representations on the one hand and anonymized representations on the other. Therefore, we propose to apply cartographic abstraction and obfuscation techniques in order to protect privacy and obscure security-relevant areas when modeling and presenting 3D city data. Here, the key question is how to handle personal privacy concerns without restricting the usage of such models. Within the scope of the conflicting task at hand, we particularly focus in this paper on the generation of appropriate 2D base maps, which can be projected onto digital terrain models, and which surround 3D building models that possibly feature different requirements as to their levels of anonymization. For example, the 3D building models are depicted in a level of detail that is appropriate for their privacy level; the 2D base map should then be conformant to it. The open spaces between buildings can, for example, be depicted with aerial or satellite images if privacy is of no concern or otherwise by cartographic representation. As each building within a city should be given the same possibility to convey its privacy properties, it is essential to clearly define the influence area of each building by a 2D space subdivision of the urban area.

Privacy Protection
Privacy protection, in relation to locational and geographical data, has received significant attention over the past several years, resulting in the Location Privacy Protection Act in the USA and a number of EU directives. The related scientific work is almost entirely dedicated to the protection of user locations within location-based services and spatial database queries. However, Bertino et al. (2008) indicate that research dealing with access control and security as well as the protection of privacy, particularly with regard to interoperable GIS applications, is so far insufficient. Thus, technical or scientific efforts regarding privacy protection in the area of virtual 3D city modelling are seldom seen.
Only as a result of public and occasionally controversial discussion surrounding the systematic data capturing of street view data and their availability on various internet platforms, the German IT association Bitkom developed a data protection codex in 2011, which represents a voluntary commitment of the economic sector to privacy issues. It, however, does not go beyond the well-known obscuring of faces and license plates, opening the possibility for objection; and the regulation concerning the deletion of raw data. At the European level, a draft for basic regulation was presented in 2012 unifying data protection laws in EU member states. It aims to balance the required range of data on one hand and the limitation of the data processing to prevent their possible misuse on the other hand. Due to the complexity and multi-faceted nature of the topic, this initiative has not been adopted and still remains open to future discussion.

Generalization of 3D Building Models
In regard to privacy protection, particularly for 3D geographical information, several techniques have been explored using cartographic generalization (Kada et al., 2009; Siemoneit et al., 2009). At present, 3D geographical data mostly consists of city models. The current state of research related to their generation is given, for example, by Brenner (2010) as well as Haala and Kada (2010).
A growing number of available 3D city models provided by open data initiatives and commercial map products are covered with aerial imagery to give a photorealistic appearance. Nevertheless, Meng (2002) notes that this is not necessarily ideal with regard to spatial perception, scene analysis and understanding, and knowledge discovery in comparison to non-photorealistic representations. The users of geovisualization applications strive to reach a conspicuous naturalism, for example, by integrating realistic views with cartographic representations, which can result in a so-called carto-realistic or map-realistic impression. Döllner and Kyprianidis (2010), for example, introduce image-based rendering techniques in the field of 3D city modelling in order to convey the uncertainties of the underlying data, to filter and emphasize element details, as well as to more clearly encode the depicted complex spatial information. Mao and Ban (2013), in turn, use image compression techniques and regularized coloring to abstract façade textures.
During cartographic typification, a set of geometrically and semantically similar data is thinned while also retaining its original spatial arrangement. The typification of a set of buildings is considered foremost a 2D problem which can be solved, for example, with the help of Kohonen feature maps (Sester, 2000) where the recognition of building patterns occurs in 2D (Zhang et al., 2012) or 3D (Raheja, 2005) depending on the objects' dimensions. Furthermore, typification has also been applied to parts of a single building including repeating roof (Guercke et al., 2012) and façade (Jahnke et al., 2009) elements. The formal description of building elements using grammars (Becker, 2009; Dehbi and Plümer, 2011; Ripperda and Brenner, 2009) promises an outstanding suitability for typification; however, there is a lack of corresponding work concerning their practical application.

Space Subdivision Approaches
The task of 2D space subdivision in relation to some predefined attributes, in our case a privacy level, has also been in use in the field of urban planning and modeling. Shen et al. (2012), for example, discuss the notion of land use patterns and perspectives of land readjustment. Kelly (2013) demonstrates techniques for automated parcel subdivision using split by straight lines, Voronoi diagram, and a modification thereof based on oriented bounding boxes. Furthermore, the usage of skeleton-based space partitioning is demonstrated and characteristics of techniques, such as linear and medial axis, straight skeleton, as well as its weighted version are thoroughly analyzed and compared with each other. Haunert and Sester (2007) examine different types of skeletons and their applications for various cartographical purposes within urban areas. Because straight skeletons accurately reflect the form of initial objects and do not produce surplus edges, they are well suited to urban space partitioning in relation to man-made objects, such as buildings. A procedural approach, based on straight skeleton, for automated parcel generation within city blocks is proposed by Vanegas et al. (2012). It allows for further influence on the created regions based on criteria such as street access, shape compactness, spatial extent, and orientation.

CONCEPT
The central issue within the scope of this work is the automated generation of conflict-free spatial partitioning of base maps with regard to privacy enabled (real-time) visualizations of 3D city models. Therefore, in our privacy supporting approach, an initial 2D space partitioning of an urban area is determined from a set of building footprints. Although the resulting privacy zones are in principle 2D, they mark the preliminary privacy zones of 3D buildings as their extent is assumed to be given by their footprint (including potential overhangs). In the case that there are neutral areas present, such as along a street network which divides zones of different privacy concerns, the areal representation of these features is added to the space partitioning.
Neighboring faces with similar privacy requirements are then identified and subsequently united to form larger regions of homogeneous anonymity. During this aggregation process, the privacy characteristics can be loosened or tightened within a predefined tolerance in order to minimize the number of regions and to avoid areas that would end up being too small for their reasonable representation.
Depending on the used algorithm, the resulting partitioning may exhibit angular shapes as it originated from angular footprints. Therefore, the borderlines between privacy zones are smoothed, for example, by using parametric or subdivision curves. The final privacy zones are geometrically well-formed hulls embedded in their surrounding environment. So far, the 2D space partitioning defines an abrupt borderline between regions of differing privacy zones. Because of their presentation with different generalized base maps, for example, in the form of aerial photos and cartographic maps, the change of appearance between these zones is aggravated, leading to a rather unaesthetic impression of the scene as a whole. Thus, a continuous transition between the generated 2D zones is proposed to make the base map and entire 3D city model appear visually more pleasing and harmonious. Therefore, additional transition zones need to be established between adjacent privacy zones by generating buffer areas along the borderline of the privacy zones. To avoid that these buffer areas overlap with the buildings, their width should be adjusted to the availability of open space. Finally, image based blending techniques can be used to realize a smooth change of representation.
For privacy enabled 3D visualizations, we propose to show both the base map and the buildings in different levels of abstraction according to the privacy level of their particular zone.

METHODOLOGY
In this section, the methodology that implements the described concept for generating privacy-enabled space partitioning base maps is described. It consists of four steps: initial space partitioning (4.1), privacy zone aggregation (4.2), borderline smoothing (4.2), and borderline transition (4.4).

Initial Space Partitioning
As stated above, the first step is to generate an initial 2D space partitioning in which each zone encloses exactly one building. This is accomplished by a straight skeleton (Aichholzer et al., 1996) which spans a topological network of vertices and edges around the building footprints and preliminarily marks the presumed privacy zones. The generated space units (or faces) can be uniquely associated with a particular footprint as they all contain an edge of a footprint in their boundary. To limit the spatial extent of the skeleton, a rectangular frame is additionally used as a border of the building set. It serves as the outer boundary of the polygonal object whereas the building footprints can be considered as its holes. An example for a small test area is shown in Figure 1a), where the initial footprints and the corresponding straight skeleton are depicted in red and green, respectively. Afterwards, all faces belonging to the same footprint are combined into bigger cells which represent the influence area of each building (cf. Figure 1b)).

Privacy Zone Aggregation
Next, the number of cells, which is initially equal to the number of footprints, is reduced by their aggregation into larger privacy regions. Based on similarities regarding their privacy properties, the cells are merged by the Boolean union operation. Here only a pre-defined privacy level is considered as a privacy property. This step produces areas of homogeneous levels of anonymity.
Conceptually, the privacy zone aggregation could be extended to consider and meet further geometric, topologic, or semantic conditions, for example, to fulfill certain spatial or thematic requirements. One such condition is to avoid small isolated islands within larger regions, which lead to an unwanted fragmentation of the base map. Another important issue is to prevent borderlines that feature a large difference in privacy levels between incident zones. An example of two aggregated privacy zones is shown in Figure 2a). Here, three levels of anonymity are depicted (also counting the surrounding region) which correspond to different levels of detail representations for the included 3D building models within our privacy concept.
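
The aggregation step can be sketched on the cell adjacency graph instead of on polygons. The following is an added example, not code from the paper: cell ids, areas, levels, the adjacency list, and the names `aggregate`, `min_area` and `tolerance` are constructed, and it assumes that a higher level means stronger anonymization and that an undersized cell may only be tightened, never loosened, when it is absorbed.

```python
from collections import defaultdict

# Constructed sample: cell id -> (privacy level, area in m^2). "Higher level
# means stronger anonymization" is an assumption of this example.
CELLS = {"A": (0, 400.0), "B": (0, 350.0), "C": (2, 500.0), "D": (2, 450.0),
         "E": (1, 40.0), "F": (0, 300.0), "G": (2, 30.0)}
# Constructed adjacency: pairs of cells that share a borderline.
ADJ = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"),
       ("E", "F"), ("B", "E"), ("F", "G")]


def aggregate(cells, adjacency, min_area, tolerance):
    """Return sorted [(level, [cell ids])] of the merged privacy regions."""
    parent = {c: c for c in cells}
    level = {c: lv for c, (lv, _) in cells.items()}   # valid at region roots
    area = {c: a for c, (_, a) in cells.items()}      # valid at region roots

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    def union(keep, drop):
        keep, drop = find(keep), find(drop)
        if keep != drop:
            parent[drop] = keep
            area[keep] += area[drop]

    while True:
        # Boolean union of neighbouring regions with the same privacy level.
        for a, b in adjacency:
            if level[find(a)] == level[find(b)]:
                union(a, b)
        # Absorb one undersized region (smallest first) into a neighbour whose
        # level is at most `tolerance` higher; lower-level neighbours are
        # skipped so that no building ends up less anonymized than requested.
        roots = {find(c) for c in cells}
        small = sorted((r for r in roots if area[r] < min_area),
                       key=lambda r: (area[r], r))
        merged = False
        for r in small:
            nbrs = {find(b) if find(a) == r else find(a)
                    for a, b in adjacency if (find(a) == r) != (find(b) == r)}
            ok = [n for n in nbrs if 0 < level[n] - level[r] <= tolerance]
            if ok:
                union(min(ok, key=lambda n: (level[n], -area[n], n)), r)
                merged = True
                break
        if not merged:
            break

    regions = defaultdict(list)
    for c in cells:
        regions[find(c)].append(c)
    return sorted((level[r], sorted(m)) for r, m in regions.items())


if __name__ == "__main__":
    for lv, members in aggregate(CELLS, ADJ, min_area=100.0, tolerance=1):
        print(lv, members)
```

In the sample, the small level-1 cell E is absorbed into the level-2 region, while the small level-2 cell G stays an island because its only neighbour would loosen it.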

Borderline Smoothing
Due to the mainly rectangular shapes of building footprints, the generated straight skeleton also exhibits angular shapes. Therefore, the boundaries of the privacy cells are smoothed using quadratic B-spline subdivision in order to keep the smoothed version as close as possible to the original (see Figure 2b)). Here, an adaptive subdivision approach is used implementing de Casteljau's algorithm (see e.g. Farin and Hansford, 2000).

Borderline Transition
As mentioned before, the privacy zones are visually represented at different levels of anonymity; in our case with traditional (topographic) maps for zones with higher and satellite or aerial images for zones with lower privacy levels, respectively. For a visually pleasing outcome, a smooth transition area between these privacy zones is needed.
To generate such a transition area, a buffer is computed around each borderline. For simplicity, we currently use a buffer of fixed width. But generally, a buffer with continuously changing width should be used to avoid buildings lying within transition zones. The width of the buffer is then dependent on the distances from the borderline to the building footprints: smaller buffers are used if buildings are close by and larger buffers if buildings are further away from the borderline.
The actual transition of the maps from one zone to the other is then accomplished by alpha blending. For this, the buffer areas are triangulated, e.g., by a Delaunay triangulation (Delaunay, 1934), and the vertices of the resulting triangles are given an alpha value. The alpha values are then interpolated over the area of each triangle to give a blending mask. Finally, the two maps are combined according to this mask.
The described blending step is depicted in Figure 3. Here, the two different levels of anonymity are represented by a map and a satellite image (see Figure 3a)). Then, the generated alpha blending mask (see Figure 3b)) is used to combine the two input images to receive the final base map as shown in Figure 3c).
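
The difference between a fixed-width buffer and a buffer whose width follows the open space can be checked numerically. The following is an added example, not code from the paper: it replaces the triangulated mask with a per-point linear ramp over the distance to the borderline, treats `max_width` as the buffer half-width on each side, and uses a constructed scene; all function and variable names are assumptions.

```python
import math

# Constructed scene in metres. The borderline runs along y = 0; the zone to its
# left (y > 0) is the high-privacy zone drawn as a map (assumption).
BORDERLINE = [(0.0, 0.0), (40.0, 0.0)]
FOOTPRINTS = [
    [(5.0, 1.5), (15.0, 1.5), (15.0, 8.0), (5.0, 8.0)],         # high privacy
    [(25.0, -20.0), (35.0, -20.0), (35.0, -12.0), (25.0, -12.0)],
]


def closest_on_segment(p, a, b):
    dx, dy = b[0] - a[0], b[1] - a[1]
    len2 = dx * dx + dy * dy
    t = 0.0 if len2 == 0 else ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / len2
    t = max(0.0, min(1.0, t))
    return (a[0] + t * dx, a[1] + t * dy)


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def clearance(q, footprints):
    """Distance from borderline point q to the nearest footprint edge."""
    return min(dist(q, closest_on_segment(q, poly[i - 1], poly[i]))
               for poly in footprints for i in range(len(poly)))


def alpha(p, borderline, footprints, max_width, adaptive=True):
    """Weight of the anonymized map at p: 1.0 = map only, 0.0 = image only."""
    best = None
    for a, b in zip(borderline, borderline[1:]):
        q = closest_on_segment(p, a, b)
        if best is None or dist(p, q) < best[0]:
            side = (b[0] - a[0]) * (p[1] - a[1]) - (b[1] - a[1]) * (p[0] - a[0])
            best = (dist(p, q), q, side)
    d, q, side = best
    # Buffer half-width: fixed, or shrunk to the open space at q.
    w = min(max_width, clearance(q, footprints)) if adaptive else max_width
    if w <= 0.0:
        return 1.0 if side > 0 else 0.0
    signed = d if side > 0 else -d
    return max(0.0, min(1.0, 0.5 + signed / (2.0 * w)))


def buildings_outside_transition(borderline, footprints, max_width, adaptive):
    """True if every footprint vertex is fully map (1.0) or fully image (0.0)."""
    eps = 1e-9
    return all(a <= eps or a >= 1.0 - eps
               for poly in footprints for v in poly
               for a in [alpha(v, borderline, footprints, max_width, adaptive)])
```

With the fixed width, the high-privacy building 1.5 m from the borderline is rendered with part of the aerial image blended in; with the adaptive width it is covered by the map alone.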

RESULTS AND DISCUSSION
To demonstrate the proposed approach for a larger scene, a test area was chosen that coincides with the ISPRS benchmark area of Vaihingen, Germany. The reason is that the area consists of many residential and free-standing buildings and that many data sets like 3D point clouds, images, and footprint data sets were already available for this region for usage and reference. The particular cutout of the test area (see Figure 4a)) is located in the northeast corner of the overall benchmark area and contains 147 building footprints.
The resulting 2D space partitioning that includes three different levels of anonymity, as indicated with different colors, is shown in Figure 4b). Next, the individual cells were merged to larger homogeneous regions, the outlines smoothed, and the result embedded within the remaining data set (cf. Figure 4c)). It was assumed that the surrounding region has the same privacy level as the outer region and is therefore colored green. Figure 5a) shows an even smaller part of our test area located in the upper left corner of our cutout and conceptually depicts a smooth transition between the different levels of anonymity.
Here, a 4 m buffer was used to define the transition zones which subsequently were processed with alpha blending to generate a visually pleasing representation without abrupt changeovers between the different privacy regions.
The final privacy enabled 2D base map was generated using two different levels of anonymity to better differentiate between the privacy zones (Figure 5b)). Here, the matching colors of the aerial image and map intensify the overall impression of a smooth transition between the two zones, making the entire scene appear very natural and holistic. A corresponding 3D scene using the generated 2D privacy map as its background is shown in Figure 6.

CONCLUSION AND FUTURE WORK
In this work, an approach is proposed for the automatic generation of 2D base maps which can be used as a background for privacy enabling 3D city models. As demonstrated, our approach is particularly suitable for areas consisting of residential and free-standing buildings. The resulting maps are visually pleasing and do not possess unnatural abrupt transitions from one privacy region to another. Furthermore, privacy regions with limited information in the generated map are still valuable for certain applications that do not require a high level of detail (e.g. navigation purposes).
In future work, we will investigate how the partitioning of the 2D space can be improved for privacy maps. Here, different alternatives (e.g. medial axis transform, Voronoi diagram, etc.) and their characteristics need to be investigated as well as the incorporation of neutral areas (e.g. street networks) in the partitioning process. For visualization purposes, a situation and context dependent size adjustment of the transition zone needs to be developed to meet today's demand on privacy protecting maps. This becomes particularly relevant for dense areas where only narrow spaces between buildings are present. Furthermore, the extension of the space partitioning for privacy enabled 3D city models to the third dimension needs to be investigated so that, for example, areas of a building or parts of street furniture can be represented in different levels of detail.

Figure 1. Straight skeleton (green) of an urban region including building footprints (red) (a) and resultant cells (blue) representing their influence area (b).

Figure 3. Map and image (© Google) representations of the test area (a), corresponding alpha blending mask (b), and combined representation with a smooth transition area between the two different privacy regions (c).

Figure 4. The initial test area (dark gray footprints) (a), regions with three different anonymity levels (green, yellow and orange) with the indicated privacy cells (b), final privacy map (c).
Figure 5. A conceptual privacy map with a smooth transition between three anonymity levels (a), final privacy map with corresponding blended representations between map and image (© Google) (b).

Figure 6. Residential urban scene featuring two different levels of detail for different portions of the privacy enabled 3D map (image © Google).