# Requirements

The goal of pseudonym changes is to split each trip into several unlinkable pieces and in particular to prevent linking of its origin and destination as described in Section 2.3.4. Therefore, this should be the main criterion for an evaluation of pseudonym strategies. Furthermore, the number of pseudonym changes should be kept as low as possible, because pseudonyms must be downloaded from the PCA and secure storage of sufficient size is required in each vehicle. Additionally, short change intervals might affect V2X-based safety applications [122] and geographic routing [170]. Therefore, the evaluation should also take into account the change strategies’ efficiency, i.e., the level of privacy they provide in relation to the number of pseudonyms used.

We capture these requirements with the trip-based metric in our generic framework. We evaluate pseudonym change strategies and their parameters with regard to an attacker’s success in tracking vehicles despite their pseudonym changes. A trip is considered *tracked* if the attacker correctly links all of his observations of this trip, in particular the first and the last one. The overall *tracking success* is the relative number of all trips that the attacker was able to track. The *efficiency* is the number of untracked trips in relation to the average number of pseudonym changes per trip (cf. Section 3.5).

Little guidance exists on what level of privacy is required in practice. Yet, for the sake of a more illustrative analysis, we define two boundaries:

“Weak” privacy protection is achieved if the attacker’s tracking success is less than 50 %.

“Reasonable” privacy protection is achieved if the attacker’s tracking success is less than 10 %. We propose to use this boundary as a rule-of-thumb objective when choosing a pseudonym strategy and parameters for practical deployment.

The boundaries may seem arbitrary but will be very useful for discussing our results. Of course, an even lower boundary would be desirable, e.g., “strong” privacy protection for a tracking success of less than 1 %, but it seems infeasible to achieve this level of privacy protection with the strategies we examine.
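The trip-based metric and the boundaries above can be computed as in the following added example, which is not code from the original work. It assumes that "correctly links" means the attacker's track contains exactly the observations of one trip, that every pseudonym in use is observed at least once, and that "in relation to" is read as a plain ratio (the exact definition is in Section 3.5, which is not reproduced here); all names and sample data are constructed.

```python
from collections import defaultdict

# Constructed sample: (observation id, true trip id, pseudonym in use), time-ordered.
OBSERVATIONS = [
    (0, "t1", "p1"), (1, "t1", "p2"), (2, "t1", "p3"),
    (3, "t2", "p4"), (4, "t2", "p5"),
    (5, "t3", "p6"), (6, "t3", "p6"),
    (7, "t4", "p7"), (8, "t4", "p8"),
]
# Constructed attacker output: observation id -> attacker track label.
# t2 is split across two tracks; t4's track also swallows an observation of t2.
ATTACKER_TRACKS = {0: "A", 1: "A", 2: "A", 3: "B", 4: "E",
                   5: "D", 6: "D", 7: "E", 8: "E"}

def evaluate(observations, tracks):
    """Return tracked trips, tracking success, average changes and efficiency."""
    if not observations:
        raise ValueError("no observations to evaluate")
    trip_obs = defaultdict(list)         # trip -> observation ids
    trip_pseudonyms = defaultdict(list)  # trip -> pseudonyms in time order
    track_members = defaultdict(set)     # attacker track -> observation ids
    for obs_id, trip, pseudonym in observations:
        trip_obs[trip].append(obs_id)
        trip_pseudonyms[trip].append(pseudonym)
        track_members[tracks[obs_id]].add(obs_id)
    tracked = set()
    for trip, ids in trip_obs.items():
        labels = {tracks[i] for i in ids}
        # Assumption: tracked = one attacker track holding exactly this trip.
        if len(labels) == 1 and track_members[labels.pop()] == set(ids):
            tracked.add(trip)
    changes = sum(sum(a != b for a, b in zip(ps, ps[1:]))
                  for ps in trip_pseudonyms.values())
    avg_changes = changes / len(trip_obs)
    untracked = len(trip_obs) - len(tracked)
    return {
        "tracked": tracked,
        "tracking_success": len(tracked) / len(trip_obs),
        "avg_changes": avg_changes,
        # Undefined when no pseudonym was ever changed.
        "efficiency": untracked / avg_changes if avg_changes else None,
    }

def privacy_level(tracking_success):
    """Map tracking success to the boundaries above (strictly 'less than')."""
    for bound, name in ((0.01, "strong"), (0.10, "reasonable"), (0.50, "weak")):
        if tracking_success < bound:
            return name
    return "none"
```

In the constructed sample, two of four trips are tracked, so the tracking success is exactly 50 % and the "weak" boundary is not met, because the boundary requires strictly less than 50 %.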