Tag Archives for "anonymity"

Firm Tracking Purchase, Transaction Histories of Millions Maybe Not Really Anonymizing Them

The nation’s largest financial data broker, Yodlee, holds extensive and supposedly anonymized banking and credit card transaction histories on millions of Americans.

Internal documents, however, appear to indicate that Yodlee clients could potentially de-anonymize those records by simply downloading a giant text file and poking around in it for a while. That includes a unique identifier associated with the bank or credit card holder, amounts of transactions, dates of sale, which business the transaction was processed at, and bits of metadata.
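The attack described here needs no special tooling: anyone who knows even one of a person's real-world purchases can search the dump for it and recover that person's persistent pseudonymous ID. A minimal sketch, with entirely invented data and field names:

```python
# Hypothetical sketch: matching a known real-world purchase to a record in a
# "pseudonymized" transaction dump. All IDs, merchants, and amounts are invented.

transactions = [
    {"user_id": "u_48271", "merchant": "Corner Cafe", "amount": 4.50, "date": "2020-01-06"},
    {"user_id": "u_48271", "merchant": "Acme Books", "amount": 23.99, "date": "2020-01-07"},
    {"user_id": "u_91035", "merchant": "Corner Cafe", "amount": 12.00, "date": "2020-01-06"},
]

# Suppose an attacker knows one of Alice's purchases (say, from a shared receipt).
known_purchase = {"merchant": "Acme Books", "amount": 23.99, "date": "2020-01-07"}

matches = [t for t in transactions
           if all(t[k] == v for k, v in known_purchase.items())]

# The match reveals her persistent pseudonymous ID, which in turn links her
# to every other transaction in her history.
alice_id = matches[0]["user_id"]
alice_history = [t for t in transactions if t["user_id"] == alice_id]
```

The unique identifier does exactly what a name would do: it ties all of a person's records together, so de-anonymizing one record de-anonymizes them all.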

Source: Report: Firm Tracking Purchase, Transaction Histories of Millions Maybe Not Really Anonymizing Them

German Federal Supervisory Authority Launches Public Consultation on Anonymization

On February 10, 2020, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) launched its first public consultation procedure.

The consultation invites comments on a position paper of the BfDI which addresses the anonymization of personal data under the General Data Protection Regulation (GDPR), with a particular focus on the telecommunications sector (for example, the anonymization of location data in mobile networks).

Source: German Federal Commissioner for Data Protection and Freedom of Information Launches Public Consultation on Anonymization

Researchers Find ‘Anonymized’ Data Is Even Less Anonymous Than We Thought

Corporations love to pretend that ‘anonymization’ of the data they collect protects consumers. Studies keep showing that’s not really true.

When it was revealed that Avast is using its popular antivirus software to collect and sell user data, Avast CEO Ondrej Vlcek first downplayed the scandal, assuring the public the collected data had been “anonymized”—or stripped of any obvious identifiers like names or phone numbers.

But analysis from students at Harvard University shows that anonymization isn’t the magic bullet companies like to pretend it is. Previous studies have shown that identifying users even within a single anonymized dataset isn’t all that difficult; when data from different leaks are combined, it becomes easier still.
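The combination step is a simple join: two independently "anonymized" leaks that share quasi-identifiers can be cross-referenced to put names back on records. A toy sketch with invented data:

```python
# Illustrative linkage attack (invented data): one leak stripped names but kept
# ZIP code and birth year; a second leak kept names alongside the same attributes.

leak_a = [
    {"zip": "02138", "birth_year": 1985, "browsing": "health forums"},
    {"zip": "02139", "birth_year": 1990, "browsing": "news sites"},
]
leak_b = [
    {"zip": "02138", "birth_year": 1985, "name": "J. Doe"},
    {"zip": "02139", "birth_year": 1992, "name": "A. Smith"},
]

# Join the two leaks on the shared quasi-identifiers.
reidentified = []
for a in leak_a:
    for b in leak_b:
        if a["zip"] == b["zip"] and a["birth_year"] == b["birth_year"]:
            reidentified.append({"name": b["name"], "browsing": a["browsing"]})
```

Neither dataset alone contains the pairing of a name with a browsing history; the join creates it.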

Source: Researchers Find ‘Anonymized’ Data Is Even Less Anonymous Than We Thought – VICE

Even Privacy-Focused Cryptocurrency Can Spill Your Secrets

From a Harry Potter-themed protocol to high-profile coins, cryptocurrency is often not quite as private as it seems.

Privacy coins are a reaction to the realization that bitcoin isn’t private at all. All bitcoin transaction data is public and open to all for analysis; combine that with some strategic subpoenas to get the personal data cryptocurrency exchanges are required to collect on their customers, and it’s pretty trivial to untangle who’s who. But privacy-focused coins like Grin and Beam have their own flaws, as research shows.

Source: Even Privacy-Focused Cryptocurrency Can Spill Your Secrets | WIRED

Inherently identifiable: Is it possible to anonymize health and genetic data?

Nearly 25 million people have taken an at-home DNA testing kit and shared that data with one of four ancestry and health databases.

With this proliferation of genetic testing and biometric data collection, there should be an increased scrutiny of the practices used to deidentify this data. Biometric data, namely genetic information and health records, is innately identifiable.

But can biometric data ever truly be anonymized? What are the methods of deidentification and the best practices, and what is the current state of biometric data under the EU General Data Protection Regulation?

Full article: Inherently identifiable: Is it possible to anonymize health and genetic data?

Spanish Supervisory Authority and EDPS release guidance on hashing for data pseudonymization and anonymization purposes

On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages.

The guidance provides examples of how controllers can make the re-identification of hashed messages more difficult. These examples include encrypting the message (prior to hashing), encrypting the hash value, or adding “salt” or “noise” (i.e., a random number) to the original message.
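The point about salting can be shown in a few lines. A plain hash of a low-entropy value such as a phone number is trivially reversible by brute force, because an attacker can hash every possible input and compare; a secret random salt defeats that precomputation. A minimal sketch (the phone number is invented):

```python
# Sketch: unsalted vs. salted hashing of a low-entropy identifier.
import hashlib
import secrets

phone = "555-0123"

# Unsalted: an attacker can hash every possible phone number and match this value.
plain_hash = hashlib.sha256(phone.encode()).hexdigest()

# Salted: without knowing the random salt, a precomputed table of phone-number
# hashes is useless.
salt = secrets.token_bytes(16)  # the "noise" the guidance refers to, kept secret
salted_hash = hashlib.sha256(salt + phone.encode()).hexdigest()
```

Note the guidance's broader caution still applies: if the salt leaks, or the input space is small enough to enumerate together with the salt, the hashed values become re-identifiable again.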

Source: Spanish Supervisory Authority and EDPS release guidance on hashing for data pseudonymization and anonymization purposes

Anonymisation does not work for big data

Recently, well-publicised research by data scientists at Imperial College in London and Université Catholique de Louvain in Belgium as well as a ruling by Judge Michal Agmon-Gonen of the Tel Aviv District Court have highlighted the shortcomings of outdated data protection techniques like “Anonymisation” in today’s big data world.

Anonymisation reflects an outdated approach to data protection developed when the processing of data was limited to isolated (siloed) applications prior to the popularity of “big data” processing that involves widespread sharing and combining of data.

Source: Anonymisation does not work for big data due to lack of protection for direct & indirect identifiers and easy re-identification vs pseudonymisation

‘Anonymised’ data can never be totally anonymous

An anonymised dataset is supposed to have had all personally identifiable information removed from it, while retaining a core of useful information for researchers to operate on without fear of invading privacy.

But in practice, data can be deanonymised in a number of ways. Now researchers have built a model to estimate how easy it would be to deanonymise any arbitrary dataset. A dataset with 15 demographic attributes, for instance, “would render 99.98% of people in Massachusetts unique”. And for smaller populations, it gets easier: if town-level location data is included, for instance, “it would not take much to reidentify people living in Harwich Port, Massachusetts, a city of fewer than 2,000 inhabitants”.
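The researchers' uniqueness measure can be illustrated on a toy dataset: count how many records are pinned down uniquely by a given combination of attributes. The data below is invented, and real estimates use far larger samples and a statistical model rather than a raw count:

```python
# Toy illustration: what fraction of people are unique given a few
# demographic attributes (here ZIP code, birth year, sex)?
from collections import Counter

people = [
    ("02645", 1961, "F"),
    ("02645", 1961, "M"),
    ("02645", 1984, "F"),
    ("02139", 1984, "F"),
    ("02139", 1984, "F"),  # only this pair shares all three attributes
]

counts = Counter(people)
unique = sum(1 for p in people if counts[p] == 1)
fraction_unique = unique / len(people)
```

With just three attributes, three of the five toy records are already unique; each additional attribute splits the groups further, which is why 15 attributes suffice to single out nearly everyone.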

Source: ‘Anonymised’ data can never be totally anonymous, says study | Technology | The Guardian

Russia is working on a Tor de-anonymization project

Hackers have stolen a massive trove of sensitive data and defaced the website of SyTech, a major contractor working for Russian intelligence agency FSB.

The documents included descriptions of dozens of internal projects the company was working on, including ones on de-anonymization of users of the Tor browser and researching the vulnerability of torrents.

The Tor network routes internet traffic through random relays across the world, allowing users to conceal their location and internet usage from anyone conducting network surveillance or traffic analysis.

Source: BBC: Russia is working on a Tor de-anonymization project

Deidentification versus anonymization

Anonymization is hard. Just like cryptography, most people are not qualified to build their own.

Unlike cryptography, the research is at a far earlier stage, and pre-built code is virtually unavailable. That hasn’t stopped people from claiming certain datasets (like this) are anonymized and (sadly) seeing them re-identified.

Full article: Deidentification versus anonymization
