Obfuscating Geocode results to protect privacy?

I have an app that finds other users within a 20 mile radius on a google map and associates an icon with each of them. However, I do not want their exact points to be given but rather an approximation. I've wrestled with a few ideas on how to do this:

1. Only Geocode the Zip Code, make graphic icons for 1-99, use the icon to represent how many results are within the zip code, and use the info window to show hyperlinks to the individual results. The only problem is, I'd like each individual icon to be shown because it just looks a lot better.

2. Add/Subtract a random number to the lat/lng values stored with each user and add a translucent circle around the icon.

What do 开发者_如何学Cyou guys suggest?

It depends on the level of privacy you want (the 1st option protects privacy better), but I'd be tempted to go with randomly moving the indicators because it's a more natural representation (people on a map, not groups of people on a map) without too much of a compromise in terms of usefulness.

That depends on how hard you think someone will try to defeat your system.

If you plan to track these positions over time, you give away more information over time than you do in a snapshot. For instance, if you choose a fixed-offset from the center of the circle, it may be possible to find this offset by mapping the path over time to the street map. On the other hand if you continually change the offset, the position may be discoverable by averaging.

Here's one possible scheme based on hysteresis. Leave the visible circle in place until the user exits an invisible bounding circle with a random radius. Then compute a new visible circle with a different random offset, and also set up a new invisible circle with a different random radius. This should generate a visible-circle movement that is almost impossible to reverse engineer, but also avoids lots of jittery movement.