Differential Private Motion Sensor and Wasted Energy in Building Energy Management System

Building energy management system (BEMS) uses various sensors and smart meters to detect power consumption and user movement within buildings. By applying data integration, raw BEMS data can be employed for multiple purposes. For example, power consumption data can be matched with motion sensor data and electric appliance details in any staff room to calculate wasted energy and continually predict an individual electric appliance status. Therefore, disclosing these data severely violates local electricity users’ privacy. To resolve data privacy concerns using differential privacy, the traditional Laplacian mechanism cannot be used to detect overloads and the standard coin-flipping algorithm gives a high percentage error of wasted energy calculation. Thus, this paper proposes a modified truncated Laplacian noise addition and random motion state processes to hide the actual electrical use and movement patterns. Based on a 30-day sample period of actual BEMS, both privacy and usability of the proposed processes have been compared with the traditional methods in terms of the privacy loss parameter, the reported error of energy consumption, the correctness of overload detection, and the error of the wasted energy calculation. Based on the obtainable effectiveness, these proposed processes are recommended for further extension to implement at BEMS data gateways in real-time.


I. INTRODUCTION
A building energy management system (BEMS) deploys many sensors [1] and smart meters [2] that send real-time data to a data storage. The storage collects the data at specified time intervals (e.g., 1 minute and 1 hour). The data can be utilized for load monitoring, air-conditioner control, and weekly pattern data analysis. A BEMS usually consists of gateways to collect data from sensors and smart meters and make decisions about releasing data to consumers, such as data analytic research teams or other data user counterparts. For example, a demonstration of BEMS in Chulalongkorn University (CU-BEMS) runs such operations of data collection and processing at the time granularity of 1 minute [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Alon Kuperman.
The CU-BEMS also has a test facility for renewable energy, such as solar cells and wind turbines, to demonstrate the renewable energy potential. For sensor data requests, uniform resource identifiers (URIs) with specified sensor types, dates, times, and locations must be sent to the storage to query sensor data of an area, and the real data will be returned. Like other BEMS studies, CU-BEMS analytics can then be utilized to raise public awareness of electricity use by presenting the analyzed raw data in various ways [4], such as an interactive visualization energy game [5] and its advanced version with IDaaS architecture [6]. For another example, if no motion has been detected for at least 15 time points (minutes) and the smart meter in that area measures at least 15 W (watt) of average power consumed during those time points, then wasted energy is said to occur [7]. Such incidents result in wasted energy that could be up to 30% of the annual electricity bill [7], and they are caused by preventable scenarios, such as people taking breaks without turning off unnecessary air-conditioning systems or lights.
However, opting for data usability alone without careful data release governance easily leads to violations of individual privacy. There are many conventional ways to protect individual local electricity users' privacy, where BEMS sensors must continuously carry out their monitoring tasks. Original encryption had worked well until machine learning algorithms became available to analyze encrypted data [8]. Additionally, such an encryption method becomes inappropriate for public data sharing since the encrypted data must be decrypted before sharing with the public [9]. Also, cryptographic approaches become irrelevant for data consumers that are intended by design to see unencrypted data. Likewise, anonymized data can be matched with non-anonymized data to reidentify an individual [9]. This technique is referred to as the linking attack [10]. Moreover, encryption and anonymization techniques are computationally complex, so the system slows down. Hence, such conventional methods are no longer viable. The challenge of securely releasing data without jeopardizing privacy is prominent, especially when BEMS relies on addressing that could be linked to the physical world. For the CU-BEMS context, as an example that is commonly found in a BEMS, full name details of the staff occupying each room are publicly accessible, e.g., via the campus websites. Assume that staff room details are matched with the data released from BEMS. In this case, data requesters may know enough even at the level of an individual movement from electricity usage patterns or directly from motion sensors. To worsen matters, criminals who obtain actual data can easily choose when to commit criminal acts if the BEMS is a part of the enterprise or governmental facility.
In recent solutions to resolve privacy concerns, we have chosen differential privacy due to its simplicity, controllable privacy, aggregated original data persistence [9], and scalability [11]. Currently, differential privacy processes have been applied to data in many sectors, such as personal information in organizations [12], private data sharing for collaborative filtering purposes [13], and other infrastructures, including energy systems [9]. The main concept of differential privacy is to apply necessary noise addition, e.g., Laplacian, exponential, and Gaussian noise patterns [9], or randomization like the coin-flipping example in [14], to statistical and real-time individual private data before being released for public access [12]. In this research, data types such as energy consumption and local electricity movements are considered in privacy processing since these readings refer to the activities of electricity users in an area. However, the renewable energy sources in CU-BEMS are not consumed by staff rooms, which are privacy concern areas, so differential privacy processes do not need to be applied to them. The challenge of differential privacy is to balance privacy and usability of data [9]. The conclusions of using randomized data should be correct or in the acceptable error range of a system [11], [14]. Motivated by this challenge, we propose an overload detectable truncated Laplacian mechanism and a conditional random motion states algorithm with a low percentage error of wasted energy calculation as the main contributions of this paper. In addition, the proposed truncated Laplacian mechanism can be applied to renewable energy sources, such as solar cells and wind turbines, if they are designed to be consumed by staff rooms with arising privacy concerns in the future.
In the remainder of this paper, related literature and research gaps are mentioned in Section II. Some basic concepts of this paper are mentioned in Section III. The overload detectable truncated Laplacian mechanism is mentioned in Section IV. The random algorithm to hide the actual time-series data of the motion sensor and wasted energy in an area is mentioned in Section V. The privacy and usability of the proposed processes are discussed in Section VI. This paper is concluded in Section VII.

II. RELATED WORK
There have been many differential privacy solutions for energy systems in the past. The traditional Laplacian noise addition was usually applied in many studies, e.g., random Laplacian noise for privacy-preserved smart metering in [11], differential privacy-based distributed load balancing for smart grid in [15], non-intrusive load monitoring in a compressive sensing framework in [16], differentially private data clustering for intelligent electrical IoT in [17], and deep learning non-intrusive load monitoring in [18]. Some energy systems use Gaussian noise for data obfuscation. For example, a perturbation method using Gaussian noise was combined with encryption [19] to prevent filtering and true value attacks. Additionally, geometric noise addition can be applied with plug readings [20].
The typical constraint of the randomization mechanism in a BEMS is to hide the actual time-series data of electrical use in the queried area. Apart from other studies, the additional conditions of this research are to detect overload and calculate wasted energy in an area. For overload detection, traditional Laplacian and Gaussian noises cannot be applied to actual power usage since their distribution range is infinite. Noise-added power usage may exceed the power rating of all electric appliances in the queried area, although the actual power usage is less than the power rating. Therefore, an intended truncated noise addition is required for overload detection.
There are some studies on energy systems using truncated Laplacian noise addition techniques. For instance, truncated Laplacian noise, normalized by adding a constant parameter, was applied to preserve the privacy of capacity-limited rechargeable batteries [21]. In another example of battery-based differential privacy preservation, truncated Laplacian noise, normalized by scaling a parameter, was applied to rechargeable batteries to obfuscate smart meter readings [22]. These noise patterns can be modified for overload detection purposes in a BEMS. However, the accuracy of the aggregated noise-added energy consumption values is not guaranteed due to non-zero mean noise addition.
To apply differential privacy with a constrained system, feasible distribution ranges of the randomization mechanism must be specified [23]. However, some infeasible ranges are allowed for noise addition. For example, negative noise-added power consumption values are allowed in [11], [24]. The truncated Laplacian noise pattern in [25]-[27] is symmetric, so regression analysis [28] like the Bayesian inference attack [8] can be easily executed since the distribution ranges of different noise-added values differ. Additionally, symmetric truncated Laplacian noise gives a high probability that actual data will be leaked [29]. The truncated Laplacian noise pattern in [30] becomes difficult to apply with energy systems since its distribution range is [0, 1]. Therefore, unlike the past studies, this paper proposes to apply asymmetric two-side scaled truncated Laplacian noise to the original time-series electricity consumption data. This paper evaluates this noise addition process for non-intrusive load monitoring and overload detection. In addition, to the best of our knowledge, there is still no wasted energy based differentially private algorithm for motion sensor data.
The challenge of generating a random algorithm for motion sensor data is to minimize the percentage error of the wasted energy calculation. Furthermore, since motion sensor data in an area used to calculate wasted energy refer to the presence and absence of people in that area, actual sensor data must not be shown. For example, consider the case in which the actual occurrence of wasted energy time is shown, which indicates that nobody (no motion detected) is in the area in that duration. Information hiding must be carefully crafted both in the value of time-series data and the indexing time, where interesting events occur. Therefore, apart from other energy systems, this paper presents an algorithm to solve this challenge by applying time shifting to a randomization algorithm that is adapted from a coin-flipping example in [14]. With the proposed algorithm, wasted energy with a low percentage error can be displayed to raise public awareness of electricity use while mitigating the risk of privacy leakage.

III. PRELIMINARY
In this section, we introduce the concepts of differential privacy and time-series data.
A. DIFFERENTIAL PRIVACY
Differential privacy [9], [12] aims to protect an individual's private data by applying randomization processes to the statistical and real-time data that can be used to identify an individual [9]. However, non-private personal information may be revealed [12]. In terms of usability, the conclusions of using randomized data should be correct or in the acceptable error range of the system [11], [14].
A database in differential privacy is defined in terms of a vector. Each element in the vector is the number of database records belonging to a data type [14]. Let U = |α i | be a norm l 1 of α.
The distance between two databases is the sum of the differences in the number of records of each data type between any two isometric vectors, that is, the database distance between two isometric vectors representing the databases, α, γ ∈ (I + 0 ) |U| , is [14] ||α For example, if α = [2 3 4 4] and γ = [2 3 3 5] then In the case that ||α − γ || 1 1, if R is an ( , η)differentially private randomization process, then for all V ⊆ Range{R}, the following probability condition must be satisfied: Therefore, the privacy loss parameter of the process R in R , satisfies the condition that P L (V) R 1 − η, that is, the privacy loss boundary does not exceed with probability 1 − η [14] where η is the probability that actual data will be leaked [29] by using the process R.
In practice, the privacy loss boundary ranges from 0.01 7 [29] and η 1/|U| are utilized since η ≈ 1/|U| permits a few of the actual records to be published [14]. Consider a universe of m data types (|U| = m); if η ≈ 1/|U| = 1/m then the number of the actual records released to the public is expected to be (m)(1/m) = 1 record. For the privacy context, the smaller is, the higher the privacy. However, privacy should be balanced with usability.

IV. DIFFERENTIAL PRIVACY FORMULATION FOR ELECTRICITY CONSUMPTION
This section focuses on applying differential privacy, our proposed truncated Laplacian mechanism, with electrical use data. This proposed mechanism will be compared and contrasted with the traditional Laplacian mechanism in terms of privacy and usability in Section VI. The notations of this section are summarized in Table 1. Apart from $x_t$, if $y_t$ is another electrical use vector where $\|x_t - y_t\|_1 \le 1$ and all $S \subseteq \mathrm{Range}\{A\}$ then $A$ is $(\varepsilon, \delta)$-differentially private when [14]

$$P\{A(x_t) \in S\} \le e^{\varepsilon} P\{A(y_t) \in S\} + \delta$$

By using generated intended noise, the released noise-added power consumption data should be practicable for purposes that do not violate privacy. The total energy usage computed from the noise-added data on a period must be similar to the actual value, e.g., error lower than 2.5% for Thailand's Provincial Electricity Authority billing constraints. Additionally, the data could also be made usable for other purposes, for example, load prediction and other abnormal electrical use detection [11].
In the following, we first discuss why using traditional noise distributions here would incur undesired consequences. Firstly, since the Laplacian distribution range is $(-\infty, \infty)$, applying this noise addition may cause false-positive and false-negative overload detection. If the actual power usage at time $t$, denoted by $\mu_t$, is less than $P_r$, but the input noise is so high that the noise-added power usage exceeds $P_r$, then this situation causes false-positive overload detection (refer to Fig. 1). On the other hand, if the actual power usage at that time exceeds $P_r$, but the noise-added power usage is lower than $P_r$, then this situation leads to false-negative overload detection. Secondly, for symmetric truncated Laplacian noise patterns, different distribution ranges of different noise-added values yield high privacy loss (refer to Fig. 2).
Because of the drawbacks foreseen if symmetric truncated Laplacian noise were used here, the distribution range of noise-added data should be truncated and asymmetric. To detect electrical overload, intended noise-added power usage values under normal loadings must still be lower than the power rating of all electrical appliances in the queried area $P_r$. However, power usage values exceeding $P_r$ will be shown without any noise addition. The maximum of the intended noise distribution range is $P_r$, which means the released noise-added data distribution range is $[u_0, P_r]$, where $u_0$ is set so that the noise addition mechanism's privacy loss parameter is in the range [0.01, 7] [29]. Thus, modified truncated Laplacian noise is proposed in this paper to elide infeasible ranges [23] that affect typical constraints of the systems. However, infeasible ranges that do not affect the constraints of the systems are still acceptable. In this research, $u_0$ is set to $-P_r$, which means $\mathrm{Range}\{A\} = [-P_r, P_r]$, where the infeasible range $[-P_r, 0)$ is acceptable for this research because only aggregated energy consumption values of periods are released accurately for any data analytic to protect electricity users' privacy. In contrast, if the actual power usage value of the queried area is revealed, the privacy of the electricity users in that area will be violated.
For each time point with an overload, the actual power usage will be released without any noise addition to show the occurrence of overload. However, this paper proposes that the following modified truncated Laplacian noise is added to the data for other time points without the overload. In particular, by letting f (x t ) = µ t be the actual power usage in the queried area at time t and µ t < P r , the distribution of the noise-added power usage is defined as where r, , and b are positive real numbers.
The probability density function (pdf ) normalization of (4) requires that Further, we propose that the expected value of the distribution in (4) is herein set equal to the actual data value µ t : To solve for r and using (5) and (6), let Rewrite (5) and (6) as With algebraic derivations, the parameters r and can be expressed as Let υ be a uniformly distributed random value in the interval (0, 1) and, by using the inverse transform method, the noiseadded power usage at time t is To obtain the privacy loss parameter as parameterized by ε, let µ x,t and µ y,t be the actual power usage at time t of the electrical use vectors x t and y t , respectively. The distributions of A(x t ) and A(y t ) that satisfy the probability density function (from (5)) and expected value (from (6)) conditions are and respectively.
From (16) and (17), suppose that $\|x_t - y_t\|_1 = 1$, and let $S = du$ be any narrow interval in $[-P_r, P_r]$ and $\mu_{x,t} > \mu_{y,t}$. Hence, ε can be calculated by The variables r x , r y , x , and y are presented in (13) and (14) by changing $\mu_t$ to $\mu_{x,t}$ and $\mu_{y,t}$. The remaining degree-of-freedom parameter, $b$, is numerically tried out with values in the range [0.001, 10] using a step size of 0.001 and all possible $(x_t, y_t)$ pairs, where $\|x_t - y_t\|_1 = 1$, to minimize the privacy loss parameter of a proposed mechanism in (18).
Once the appropriate value of b is obtained, this value will be applied without recalculation. The maximum absolute value of (18) is ε because L (S) A ε as required by differential privacy.
Assume that for each time interval [t, t + 1), the power usage is at the same level during the interval. The energy consumption (in kWh units) in each minute is the product of the power usage (in kW units) at time t and the interval size (which is 1/60 hours). Therefore, the actual and noise-added energy consumption in any time period, [t first , t last ] where t last > t first , can be calculated by and respectively.

V. DIFFERENTIAL PRIVACY FORMULATION FOR MOTION SENSOR
For motion sensor privacy, if the actual movement data are revealed, data requesters will know the actual motion in the queried area all the time, including the case that the actual occurrence time of wasted energy is shown. Hence, differential privacy and time-shifting are applied with motion sensor data to hide the actual movement of local electricity users while maintaining the accuracy of wasted energy calculation. Table 2 summarizes all main notations in this section. The energy consumption in an area is defined as wasted energy if a smart meter measures at least 15 W of average power consumption in that area where the motion sensor states have continuously been 0 for at least 15 minutes [7]. For each of these minutes, wasted power usage is the power consumption at that time. For all the other minutes, the wasted power usage is 0. This definition of wasted energy [7] is motivated by the circumstance of area users in which they forget to turn off air-conditioners in their area when they leave the area for a prolonged period. A past study revealed that such wasted energy could account for up to 30% of the total building energy consumption, which explains why it is essential to allow this metric to be extractable from the BEMS data release to improve building user engagement in raising public awareness without harming privacy.
The differential private randomization algorithm formulation must also be carefully designed to ensure an acceptable percentage error of wasted energy calculation in maintaining the usefulness of released noisy data. Information hiding with such randomization must be carefully crafted both in the value of time-series data and the indexing time when interesting events would occur. In this case, such interesting events are the time points when wasted energy occurs.
Let  In this paper, we propose Algorithm 1 to find v[t] = M(s[t]) that satisfies the required probability condition in (21). Our algorithm is adapted from a coin-flipping example in [14].

Algorithm 1 Differential Private Motion State
For any time point t with a probability p defined in (27):

The difference between Algorithm 1 and the standard coin-flipping example in [13] pertains to the condition of the if statement and the value being released. By using Algorithm 1, both the probabilistic condition and wasted power condition are employed in the if statement. Thus, the probability parameter $p$ is time-varying and the occurrence time of wasted energy is shifted from the actual time for approximately $t_s$ time points. However, the standard coin-flipping example in [13] uses only the probabilistic condition 1 st Rand(0, 1) p, where $p$ is set to 0.5, in the if statement.
From the wasted energy definition, the 0 state in a motion state vector at a time point does not always infer the occurrence of wasted energy unless the motion states have continuously been 0 for at least 15 minutes. Therefore, the time-shifted motion state s must be shifted for at least 15 minutes to determine whether wasted energy will occur.
The privacy loss parameter of using a coin-flipping algorithm in [14] is ln (3). To obtain the parameter p of Algorithm 1, let B in (21) to be {s[t]}, then The probability that wasted energy occurs at time t is assumed to be calculated by using the statistical data in time period [t − t w + 1, t]. The events P w [t] > 0 and r[t] = 0 are dependent. Therefore, the probability that wasted energy occurs at and from s[t] = r[t − t s ] in Table 2, can be rewritten as: The events 1 st Rand(0, 1) and 2 st Rand(0, 1) are independent. These events are also independent of the events that P w [t − t s ] > 0 and s[t] = 0, so: and With constraint in (22), combining (25) and (26) results in and The maximum absolute of the privacy loss parameter L and hence the privacy is protected. By using the same assumption as (19) and (20), the actual energy wasted in any time period, [t first , t last ] where t last > t first , can be calculated by 60 (30) and the energy wasted in that time period based on the random motion states is defined in Algorithm 2 and can be calculated by The actual wasted power consumption can also be defined by using Algorithm 2 and changing v to r, A(x t ) to f (x t ), and P w,alg to P w .

Algorithm 2 Wasted Energy Based on Random Motion States
For any time point t:
A(a k ) ≥ 0.015(t − t 1 )) then
    /* t − t 1 ≥ 15 refers to the time constraint of wasted energy; nobody was in the queried area for at least 15 minutes. */
    /* 0.015(t − t 1 ) refers to the average power constraint (in kW unit) of wasted energy; the average power usage of the queried area in that duration is at least 0.015 kW. */
    for (t 1 + 1 ≤ k ≤ t) do
        P w,alg [k] ← A(a k ) (see Table 2)
    end for
end if
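An added example (not the paper's code): the wasted energy rule of this section applied minute by minute, following the definition in the text and the surviving lines of Algorithm 2, then re-run on motion states randomized with the standard coin-flipping scheme (privacy loss ln 3) to show the error that scheme causes. The one-day trace, the function names, the use of raw rather than noise-added power, and the percentage-error expression |estimate − actual| / actual × 100 are assumptions made for the example.

```python
import math
import random

MIN_GAP_MIN = 15    # minutes of continuous no-motion required by the definition
MIN_AVG_KW = 0.015  # 15 W average power threshold, expressed in kW


def wasted_power(power_kw, motion):
    """Per-minute wasted power (kW) from 1-minute power and motion series."""
    wasted = [0.0] * len(power_kw)
    last_motion = -1  # index of the most recent minute with motion == 1
    run_sum = 0.0     # power summed over the current no-motion run
    for t, (p, m) in enumerate(zip(power_kw, motion)):
        if m == 1:
            last_motion, run_sum = t, 0.0
            continue
        run_sum += p
        gap = t - last_motion  # length of the no-motion run so far
        if gap >= MIN_GAP_MIN and run_sum >= MIN_AVG_KW * gap:
            for k in range(last_motion + 1, t + 1):
                wasted[k] = power_kw[k]
    return wasted


def energy_kwh(series_kw):
    """Energy of a 1-minute power series: each sample lasts 1/60 hour."""
    return sum(series_kw) / 60.0


def coin_flip(motion, rng):
    """Standard coin flipping: heads releases the true state, tails a random one."""
    released = []
    for state in motion:
        if rng.random() < 0.5:
            released.append(state)
        else:
            released.append(1 if rng.random() < 0.5 else 0)
    return released


def coin_flip_privacy_loss():
    """ln of P(release s | true s) / P(release s | true not s) = ln 3."""
    p_same = 0.5 + 0.5 * 0.5
    p_other = 0.5 * 0.5
    return math.log(p_same / p_other)


def percentage_error(estimate, actual):
    return abs(estimate - actual) / actual * 100.0


def constructed_day():
    """Constructed trace, not CU-BEMS data: 3 kW load and motion 08:00-20:00,
    with the room empty from 16:16 to 16:38 while the load stays on."""
    power = [0.0] * 1440
    motion = [0] * 1440
    for t in range(8 * 60, 20 * 60):
        power[t], motion[t] = 3.0, 1
    for t in range(16 * 60 + 16, 16 * 60 + 39):
        motion[t] = 0
    return power, motion


def mean_coin_flip_error(trials=20, seed=1):
    """Mean percentage error of wasted energy over several randomized releases."""
    power, motion = constructed_day()
    actual = energy_kwh(wasted_power(power, motion))
    rng = random.Random(seed)
    errors = []
    for _ in range(trials):
        estimate = energy_kwh(wasted_power(power, coin_flip(motion, rng)))
        errors.append(percentage_error(estimate, actual))
    return sum(errors) / len(errors)


if __name__ == "__main__":
    power, motion = constructed_day()
    print("actual wasted energy (kWh):", energy_kwh(wasted_power(power, motion)))
    print("coin-flip privacy loss:", coin_flip_privacy_loss())
    print("mean error with coin flipping (%):", mean_coin_flip_error())
```

Independent per-minute flips almost never leave a run of 15 released zeros, so the 15-minute condition is rarely met and most of the wasted energy disappears from the released data.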

VI. RESULTS AND DISCUSSIONS
From [3], consider an example office area with approximately 4 × 15 m² equipped with 2 air-conditioners (with power ratings of 4.4 and 3.5 kW) and 3 light zones (with power ratings of 0.7, 0.3, and 0.4 kW), as shown in Fig. 3. The sum of the power ratings of all electric appliances in the room is 9.3 kW. For the actual power consumption and motion sensor data of the 30-day sample period as shown in Figs. 4 and 5, the actual wasted energy data are plotted in Fig. 6. There were 155 minutes with the overload shown in Fig. 4. These overloads could occur upon the transient surge of power required at each initial starting time of air-conditioner compressors and electric appliance deterioration caused by a lack of maintenance or usual hardware degradation over the equipment lifetime.
Consider the 4th day of the 30-day sample period as an example for further discussion in Sections VI-B and VI-C. The actual power consumption, motion state and wasted energy data of the office on the considered day are shown in Figs. 7, 8, and 9, respectively. The electrical usage period (office hours) is from 08:00 to 20:00. The wasted energy occurred from 16:16 to 16:38.

A. TRADITIONAL LAPLACIAN MECHANISM'S PRIVACY AND USABILITY VALIDATION
Let $U \in \mathbb{R}$ (set of real numbers) be a random variable obtained by adding Laplacian noise to the actual processed value of an electrical use vector. The probability density function (pdf) of the Laplace distribution at a value $u$ can be written as [32]

$$\frac{1}{2\kappa} e^{-|u-\mu_t|/\kappa} \quad (32)$$

where $\mu_t$ represents the actual power usage and $\kappa \in \mathbb{R}^+$ is the distribution parameter.
The privacy loss parameter of the traditional Laplacian mechanism is [14]: and the appropriate proposed by [32] is
To approximately calculate the privacy loss parameter in the case of the office area investigated in this research, let
$x_{1,t}$ be a status of 4.4 kW air-conditioner at time $t$
$x_{2,t}$ be a status of 3.5 kW air-conditioner at time $t$
$x_{3,t}$ be a status of 0.7 kW light zone at time $t$
$x_{4,t}$ be a status of 0.3 kW light zone at time $t$
$x_{5,t}$ be a status of 0.4 kW light zone at time $t$
$y_t$ be an electrical use vector at time $t$ such that $\|x_t - y_t\|_1 = 1$
Assume the maximum probability that an electric appliance will be identified as being used at time $t$ (being identified as present in the electrical use vector) is $\rho = 1/3$ according to [32]. By applying the traditional Laplacian noise addition to the original power usage data of the 30-day sample period, the result of applying that noise with appropriate privacy loss calculated by using (34) is shown in Fig. 10. The result of applying the low privacy loss ( = 0.01) traditional Laplacian noise to the original power usage data of the 30-day sample period is shown in Fig. 11. The parameter κ = f / = 440 in this case. Thus, the distribution variance of this case is $\mathrm{Var} = 2\kappa^2 = 387200$. The result of applying the high privacy loss ( = 7) traditional Laplacian noise to the original power usage data of the 30-day sample period is shown in Fig. 12. The parameter κ = f / = 0.62857 in this case. Thus, the distribution variance of this case is $\mathrm{Var} = 2\kappa^2 = 0.79020$. In terms of the noise addition mechanism usability, the percentage error of energy consumption can be calculated by where $E_c$ is defined in (19) and $E_{c,mec}$ is energy consumption after applying a noise-addition mechanism.
The percentage error values of energy consumption in the 30-day sample period after applying the privacy-usability balanced, low privacy loss, and high privacy loss cases of traditional Laplacian noise addition mechanisms are 1.156%, 86.367%, and 0.00147%, respectively. The percentage error of the energy consumption calculation after applying the privacy-usability balanced case of traditional Laplacian noise addition is acceptable (lower than 2.5%) for billing purposes while the actual energy consumption data are hidden. Thus, the privacy of electricity users in this queried area is protected. However, the usability of overload detection remains to be considered. Although electricity users' privacy in the queried area is protected after applying the low privacy loss case of traditional Laplacian noise addition, the percentage error of energy consumption calculation is not acceptable (higher than 2.5%) for billing purposes. This high percentage error is due to an increased distribution variance, which produces a high variance of random values. The high privacy loss case of the noise addition mechanism gives a low percentage error of energy consumption since a low distribution variance yields a low variance of random values. However, the noise-added power consumption pattern is similar to the actual pattern, which means that the privacy of electrical users in the queried area is rarely protected.
The usability of overload detection can be defined by the $F_1$-score formula as where $N_{tp}$, $N_{fp}$, and $N_{fn}$ represent the number of true-positives, false-positives, and false-negatives, respectively.
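An added example, not part of the original paper: a simulation of how traditional Laplacian noise produces false overload detections, scored with the standard F1 expression 2·N_tp / (2·N_tp + N_fp + N_fn), which reproduces the correctness values reported in this section from their counts. The one-day trace, the seed and the function names are constructed for illustration, and the 4.4 kW sensitivity is an assumption inferred from the κ values quoted in this section (440 at 0.01 and 0.62857 at 7).

```python
import random

P_R = 9.3          # kW, summed power ratings of the office in Section VI
SENSITIVITY = 4.4  # kW, assumption inferred from kappa = 440 at 0.01


def laplace_scale(epsilon, sensitivity=SENSITIVITY):
    """Scale kappa of the traditional mechanism: sensitivity / privacy loss."""
    return sensitivity / epsilon


def laplace_variance(kappa):
    """Variance of a Laplace distribution with scale kappa."""
    return 2.0 * kappa ** 2


def laplace_noise(kappa, rng):
    """Zero-mean Laplace sample: difference of two exponentials of mean kappa."""
    return rng.expovariate(1.0 / kappa) - rng.expovariate(1.0 / kappa)


def release(power_kw, epsilon, rng):
    """Noise-added series with unbounded Laplacian noise on every minute."""
    kappa = laplace_scale(epsilon)
    return [p + laplace_noise(kappa, rng) for p in power_kw]


def overload_counts(actual_kw, released_kw, p_r=P_R):
    """True-positive, false-positive and false-negative overload minutes."""
    tp = fp = fn = 0
    for actual, released in zip(actual_kw, released_kw):
        truth, flagged = actual > p_r, released > p_r
        if truth and flagged:
            tp += 1
        elif flagged:
            fp += 1
        elif truth:
            fn += 1
    return tp, fp, fn


def f1_score(tp, fp, fn):
    denom = 2 * tp + fp + fn
    return 2 * tp / denom if denom else 0.0


def constructed_trace():
    """Constructed 1-minute trace for one day (kW), not CU-BEMS data:
    0.2 kW at night, 6.0 kW in office hours, 10 overload minutes at 9.8 kW."""
    trace = [0.2] * 1440
    for t in range(8 * 60, 20 * 60):
        trace[t] = 6.0
    for t in range(9 * 60, 9 * 60 + 10):
        trace[t] = 9.8
    return trace


def simulate(epsilon, seed=7):
    """Return (tp, fp, fn, f1) for one noisy release of the constructed trace."""
    rng = random.Random(seed)
    actual = constructed_trace()
    tp, fp, fn = overload_counts(actual, release(actual, epsilon, rng))
    return tp, fp, fn, f1_score(tp, fp, fn)


if __name__ == "__main__":
    for eps in (0.01, 7.0):
        print("privacy loss", eps, "kappa", laplace_scale(eps), simulate(eps))
    # F1 recomputed from the counts reported in the paper's 30-day evaluation
    for counts in ((155, 7418, 80), (155, 21366, 74), (155, 457, 59)):
        print(counts, round(f1_score(*counts), 5))
```

Because the noise range is unbounded, a large κ flags hundreds of ordinary minutes as overloads while also hiding some real ones, which is the failure the truncated range [−P_r, P_r] is designed to remove.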
The number of true-positive overload detections of the 30-day sample period energy consumption data is $N_{tp} = 155$. For traditional Laplacian noise addition, the number of false-positives and false-negatives in overload detection of the mechanism with privacy-usability balanced case are $N_{fp} = 7418$ and $N_{fn} = 80$. Thus, the overload detection correctness of the privacy-usability balanced case is 0.03970. For the low privacy loss case of traditional Laplacian, the number of false-positives and false-negatives in overload detection of the mechanism are $N_{fp} = 21366$ and $N_{fn} = 74$. There are many false-detection values since the probability density of the distribution is regular over a wide range caused by a high $\kappa$ value (refer to (32)). The overload detection correctness of the case with low privacy loss is 0.01425. For the last main case, the high privacy loss traditional Laplacian, the number of false-positives and false-negatives in overload detection are $N_{fp} = 457$ and $N_{fn} = 59$. There are quite a few false-detection values compared to the other cases since the probability density of the distribution is greater than 0 in a narrow range caused by a low $\kappa$ value (refer to (32)). The overload detection correctness of the case with high privacy loss is 0.37530. Due to the overload detection capability of the traditional Laplacian noise addition, this mechanism cannot be employed for the constraint of overload detection in this research. This mechanism will not be mentioned further in this paper.

A since the electrical use vector [1 1 1 1 1] usually incurs an overload. All the overloads are shown without any noise-addition. As in this research case, the ratio between $h_x(u)$ and $h_y(u)$ in Fig. 14 is the lowest at $u = \mu_{y,t}$, and its absolute natural logarithm value, which is the privacy loss parameter, is greater than that of the highest ratio between $h_x(u)$ and $h_y(u)$.
Thus, the privacy loss boundary is calculated as the absolute natural logarithm of the ratio between the probability density values in the purple circles. If the electrical use vector [1 1 1 1 1] does not usually incur an overload, the parameter $P_r$ can be set slightly greater than the sum of the power ratings of all electric appliances in the queried area. In practice, the range of ε is [0.01, 7] [29]. Therefore, by numerical experiments, a $b$ value lower than 0.834 cannot be applied in this case. The parameter $b = 2.458$ is chosen since its value minimizes ε. In addition, the probability density distribution with that $b$ value incurs a low percentage error of energy consumption calculation in (36), while the regularly distributed probability density caused by a high $b$ value tends to produce a higher percentage error of that calculation because of the higher variance of random values.
From Fig. 13, the best selection of the $b$ value gives the minimum ε at 4.30036, so the privacy loss parameter boundary in this case is:
The results of adding the proposed truncated Laplacian noise to the original energy consumption data of the 30-day sample period (Fig. 4) and the considered day (Fig. 7) using (15) are shown in Figs. 15 and 16, respectively.
From (36), the percentage error values of energy consumption in the 30-day sample period and the considered day after applying the noise addition mechanism are 0.054% and 1.957%, respectively. These energy consumption values after applying the noise addition mechanism are similar to the actual energy consumption values because the expected value of the noise-added power consumption at any time point is equal to the value of the actual power being used at that time point. From (37), the overload detection correctness of the mechanism is 1 because the randomization has been designed under the constraint $N_{fp} = N_{fn} = 0$. Moreover, this mechanism can be employed for purposes that are based on time-aggregated values of energy consumption.
The probability that actual data will be leaked [29], δ (refer to Table 1), of the modified mechanism in this research is 155/43200 = 0.00359 because 155 overloads are detected (which must be shown to inform electrical consumers) based on the original data of 43200 power usage values. This level of δ is acceptable in practice [14]. However, the limitation of applying this noise-addition mechanism is the uncontrollable δ. In the extreme case of all-time overload, the actual power consumption data cannot be hidden using the proposed mechanism. Nevertheless, such extreme cases are rare since, once they occur, the responsible engineers must be urgently notified to investigate and correct the overload.

C. RANDOM MOTION STATES ALGORITHM'S PRIVACY AND USABILITY VALIDATION
Similar to Section VI-B, considering the 4th day of the 30-day sample period, the parameter ξ (refer to Table 2) of Algorithm 1 depends on $N(t - t_s - t_w, t - t_s]$ and $n(t - t_s - t_w, t - t_s]$ in (29), as shown in Fig. 17. The measured wasted energy and error of that measurement (calculated by using (39)) on the considered day based on the noise-added energy consumption data shown in Fig. 16

An example of motion states randomized by using Algorithm 1 with $t_s = 60$ is shown in Fig. 20. These motion states obviously differ from the actual states in Fig. 8, so the actual movement of electricity users in the queried area is hidden. The energy wasted on the considered day based on the noise-added energy consumption data in Fig. 16 and the motion states in Fig. 20 is shown in Fig. 21.
The result of wasted energy, based on the noise-added energy consumption of the 30-day sample period in Fig. 15, using the motion states randomized by Algorithm 1 is shown in Fig. 22.
The motion states randomized by using the coin-flipping algorithm in [14] are shown in Fig. 23. These motion states obviously differ from the actual states in Fig. 8, so the actual movement of electricity users in the queried area is hidden. However, the accuracy of the wasted energy calculation is very low. The privacy loss parameter of this algorithm is ln(3). By using the noise-added energy consumption result shown in Fig. 16, wasted energy based on the randomized motion states in Fig. 23 is shown in Fig. 24.
The result of wasted energy, based on the noise-added energy consumption of the 30-day sample period in Fig. 15, using the motion states randomized by the coin-flipping algorithm in [14] is shown in Fig. 25.
In terms of privacy, if the actual energy consumption data are revealed, people who receive the data can only guess about an individual movement. However, assume that actual motion sensor data are revealed. In that case, people who receive these data know the actual individual movement, which means that the privacy of people using that queried area is jeopardized. Therefore, the randomization algorithm for motion sensor data is more important than the noise addition mechanism for energy consumption data. The privacy loss parameter boundary of the proposed algorithm shown in Fig. 17 is 1.12500 > ξ > 1.10000 > ln(3) = 1.09861, which means that the privacy loss of the proposed algorithm is slightly greater than the privacy loss of the coin-flipping algorithm in [14]. This algorithm also shifts the wasted energy occurrence time because the occurrence of wasted energy means that nobody is in the queried area in that duration. Since the privacy loss parameter boundary of the modified truncated Laplacian noise addition mechanism from (38) is ε = 4.30036, the privacy loss parameters of the proposed processes are acceptable [29].

Figure caption: Randomized motion states on the considered day using the coin-flipping algorithm in [14].

Figure caption: Wasted energy data, based on the noise-added energy consumption data in Fig. 15 and motion states randomized by using the coin-flipping algorithm in [14], with a total of 3.685 kWh in the 30-day sample period.
In terms of the usability of the random motion state algorithm, the percentage error of wasted energy can be calculated by

where $E_w$ and $E_{w,alg}$ are defined in (30) and (31), respectively. From (39), the percentage error values of wasted energy on the considered day using Algorithm 1 and the coin-flipping algorithm in [14] are 4.042% and 100%, respectively. The percentage error values of wasted energy in the 30-day sample period using Algorithm 1 and the coin-flipping algorithm in [14] are 3.962% and 97.988%, respectively. Thus, the proposed conditional randomization is better than the standard coin-flipping algorithm in [14].
Since wasted energy usually occurs in the middle of the office hours with similar power consumption for hours, by shifting the wasted energy occurrence time by approximately 60 time points (an hour), the wasted energy calculation using Algorithm 2 is still similar to the actual value, as shown in Figs. 21 and 22. In addition, by using Algorithm 1, the number of time points with wasted energy in the office hours should be similar to the actual value since the motion states are conditionally randomized with an appropriate time-shifting value. This value depends on the presence or absence of electricity users who have been to the queried area in the considered duration (e.g., 1 day and 1 month), which means that the power consumption defined as wasted energy in both durations is similar. Moreover, the probability of at least 15 consecutive 0 states randomized by Algorithm 1 is low if no wasted energy occurs in that time duration. Likewise, the wasted energy based on the coin-flipping algorithm in [14], as shown in Figs. 24 and 25, is very different from the actual value since it is difficult to obtain at least 15 consecutive 0 states from this unconditional random algorithm. For any time duration outside the office hours, the actual motion states are 0, so at least 15 consecutive 0 states may occur. However, the actual power usage is nearly 0 kW. Applying the modified truncated Laplacian noise to the original power consumption data has been found to incur an insignificant amount of wasted energy in that duration. Hence, this finding suggests the practicality of the proposed algorithm. Nevertheless, the actual motion sensor data cannot be hidden using the proposed algorithm in the extreme case of all-time wasted energy, due to the condition that the shifted occurrence time of wasted energy must be shown. This condition is the limitation of the algorithm.
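The contrast drawn above between unconditional coin flipping and the requirement of at least 15 consecutive 0 states can be reproduced with the following added example, which is not code from the paper. It assumes the standard two-fair-coin randomized response for the algorithm in [14], a simplified wasted-energy rule (powered time points inside a run of at least 15 consecutive 0 states), and a constructed day; all function names are hypothetical.

```python
import math
import random

def coin_flip(state, rng):
    """Assumed two-coin response for one binary motion state."""
    if rng.random() < 0.5:                  # first coin heads: report the truth
        return state
    return 1 if rng.random() < 0.5 else 0   # tails: report a second fair coin

def privacy_loss():
    """ln of the worst-case ratio P(report r | true a) / P(report r | true b)."""
    p_same = 0.5 + 0.5 * 0.5   # truthful branch, or random branch that matches
    p_diff = 0.5 * 0.5         # only the random branch can contradict the truth
    return math.log(p_same / p_diff)

def wasted_points(motion, power_on, min_run=15):
    """Count powered time points lying in a run of >= min_run consecutive 0 states."""
    total, i, n = 0, 0, len(motion)
    while i < n:
        if motion[i] == 0 and power_on[i]:
            j = i
            while j < n and motion[j] == 0 and power_on[j]:
                j += 1
            if j - i >= min_run:            # shorter gaps are not counted as waste
                total += j - i
            i = j
        else:
            i += 1
    return total

def constructed_day():
    """Constructed 1-minute day: power on 08:00-18:00, room empty 12:00-14:00."""
    power_on = [8 * 60 <= t < 18 * 60 for t in range(1440)]
    motion = [1 if power_on[t] and not (12 * 60 <= t < 14 * 60) else 0
              for t in range(1440)]
    return motion, power_on

def compare(seed=1):
    """Return (actual, coin-flipped) counts of wasted time points."""
    rng = random.Random(seed)
    motion, power_on = constructed_day()
    noisy = [coin_flip(s, rng) for s in motion]
    return wasted_points(motion, power_on), wasted_points(noisy, power_on)

if __name__ == "__main__":
    actual, reported = compare()
    print(f"privacy loss = {privacy_loss():.5f}")
    print(f"P(15 empty minutes all stay 0) = {0.75 ** 15:.5f}")
    print(f"wasted time points: actual {actual}, after coin flipping {reported}")
```

Each truly empty minute is still reported as 0 with probability 0.75, so a 15-minute empty window survives intact with probability 0.75^15, about 1.3%, which is why the unconditional algorithm loses nearly all wasted-energy time points.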

VII. CONCLUSION
Based on the differential privacy framework, this research has comparatively investigated various noise-addition mechanisms for application to the BEMS dataset. Although the traditional Laplacian noise-addition mechanism with an appropriate privacy loss parameter can hide the actual power consumption data, it fails to detect overloads. The distribution range (−∞, ∞) or the distribution symmetry of traditional Laplacian noise gives false positives and negatives in overload detection. Additionally, an excessively low privacy loss case incurs a high percentage error of the energy consumption calculation, while an excessively high privacy loss case can hardly hide the data.
Due to these limitations of the traditional Laplacian noise, this research has proposed a modified truncated Laplacian noise addition mechanism that can effectively hide the collected actual time series of electrical appliance usage patterns while maintaining the accuracy of power usage overload detection. Based on the reported 30-day actual BEMS dataset, this mechanism's privacy loss parameter boundary is 4.30036. The percentage error of the noise-added energy consumption in the 30-day sample period is lower than 2.5% for the standard billing constraint. The $F_1$-score overload detection correctness of the proposed truncated Laplacian noise addition is 1, i.e., no overload detection errors at all by design. These results confirm that the mechanism is practicable for billing computation, overload detection, and other purposes based on time-aggregated energy consumption values. Moreover, a random motion state algorithm is proposed to hide the actual movement in the queried area. This algorithm's privacy loss parameter boundary is in the range of [1.1000, 1.12500], which varies with the tunable time-shifting value, 15 to 1500 minutes in this research. With an optimal time-shifting value, the percentage error of the wasted energy calculation is lower than 5%. In future work, this time-shifting value can be randomized periodically (e.g., daily and weekly) within the optimal range based on the electrical use pattern to increase individual privacy. Additionally, based on the potential indicated by the results in this research, these data perturbation processes can be further extended to operate in real time at the BEMS data gateways.