🤖 AI Summary
Discrete-time linear time-invariant (LTI) systems face privacy leakage risks when adversaries possess prior knowledge—such as system steady-state statistics—enabling inference of sensitive states.
Method: This paper introduces the Pointwise Maximal Leakage (PML) privacy metric—the first to precisely quantify worst-case privacy loss—and establishes its theoretical connections with differential privacy and mutual information privacy. Integrating control theory and information theory, we develop a computationally tractable PML-aware design framework, deriving necessary and sufficient conditions for PML compliance and constructive synthesis methods. From the PML perspective, we reformulate the Kalman filtering estimation error lower bound, yielding an explicit analytical lower bound on the steady-state error covariance in terms of PML parameters.
Results: The framework is validated on a distributed sensing application in smart buildings, demonstrating both theoretical soundness and practical efficacy in balancing privacy and estimation performance.
📝 Abstract
For systems whose states implicate sensitive information, their privacy is of great concern. While notions like differential privacy have been successfully introduced to dynamical systems, it is still unclear how a system's privacy can be properly protected when facing the challenging yet frequently encountered scenario where an adversary possesses prior knowledge, e.g., the steady state, of the system. This paper presents a new systematic approach to protect the privacy of a discrete-time linear time-invariant system against adversaries knowledgeable of the system's prior information. We employ a tailored pointwise maximal leakage (PML) privacy criterion. PML characterizes the worst-case privacy performance, which is sharply different from that of the better-known mutual-information privacy. We derive necessary and sufficient conditions for PML privacy and construct tractable design procedures. Furthermore, our analysis leads to insight into how PML privacy, differential privacy, and mutual-information privacy are related. We then revisit Kalman filters from the perspective of PML privacy and derive a lower bound on the steady-state estimation-error covariance in terms of the PML parameters. Finally, the derived results are illustrated in a case study of privacy protection for distributed sensing in smart buildings.