Broken Promises of Privacy

Lessons for Location Privacy
By LBx Staff | Published July 11, 2012

Summary

Paul Ohm has written the first comprehensive law review article that incorporates an important new subspe- cialty of computer science, reidentifica- tion science, into legal scholarship. His research and findings unearth a tension that shakes a foundational belief about data privacy: Data can be either useful or perfectly anonymous but never both. The excerpt highlights his find- ings on the failures of anonymization, a long-standing privacy protection tech- nique that has become the bedrock of privacy legal frameworks, laws, and policies. While the author’s audience is regulators and the legal community, his findings are relevant to location data, technology, and application providers who collect, aggregate and distribute location data, and who seek to develop proactive policies to balance business objectives with privacy protections.

With the permission of Paul Ohm, we are reproducing an excerpt of his original article Broken Promises of Privacy: Responding To The Surprising Failure of Anonymization, published in the UCLA Law Review (57 UCLA Law Review 1701 (2010).

Computer scientists have recently undermined our faith in the privacy- protecting power of anonymization, the name for techniques that protect the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated that they can often “reidentify” or “deanonymize” individuals hidden in anonymized data with astonishing ease. By understanding this research, we realize we have made a mistake, labored beneath a fundamental mis- understanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention.

Anonymization: the Purging of Personal Information

Anonymization plays a central role in modern data handling, forming the core of standard procedures for storing or disclosing personal informa- tion. Anonymization is a process by which information in a database is manipulated to make it difficult to identify data subjects. Database experts have developed scores of different anonymization techniques, which vary in their cost, complexity, ease of use, and robustness. A very common technique is suppression, whereby a data administrator suppresses data by deleting or omitting it entirely. For example, a hospital data administrator tracking prescriptions will suppress the names of patients before sharing data in order to anonymize it.

Data administrators anonymize to protect the privacy of data subjects when storing or disclosing data. They disclose data to three groups:

THIRD PARTIES: For example, health researchers share patient data with other health researchers, websites sell transaction data to advertisers, and phone companies can be compelled to disclose call logs to law enforcement officials.

THE PUBLIC: Increasingly, administrators do this to engage in what is called crowdsourcing—attempting to harness large groups of volunteer users who can analyze data more efficiently and thoroughly than smaller groups of paid employees.

OTHERS WITHIN THEIR ORGANIZATION: Particularly within large organizations, data collectors may want to protect data subjects’ privacy even from others in the organization. For example, large banks may want to share some data with their marketing departments, but only after anonymizing it to protect customer privacy.

Reindentification: The “Reverse Engineering” of Anonymized Data

The reverse of anonymization is reidentification or deanonymization. Anonymized data is reidentified by linking anonymized records to outside information, hoping to discover the true identity of the data subjects. Advances in reidentification should trigger a sea change in the law because nearly every information privacy law or regulation grants a get-out-of-jail-free card to those who anonymize their data. In the United States, federal privacy statutes carve out exceptions for those who anonymize.

About fifteen years ago, researchers started to chip away at the robust anonymization assumption, the foundation upon which [privacy policies and laws] have been built. Recently, however, they have done more than chip away; they have essentially blown it up, casting serious doubt on the power of anonymization, proving its theoretical limits and estab- lishing what I call the easy reidentification result. This is not to say that all anonymization techniques fail to protect privacy—some techniques are very difficult to reverse—but researchers have learned more than enough already for us to reject anonymization as a privacy-providing panacea.

Examples of Anonymization Failure

A. THE AOL DATA RELEASE. On August 3, 2006, America Online (AOL) announced a new initiative called...

The complete article is available in the Spring 2012 Digital Issue.

SEE MORE IN THIS CATEGORY:

Product Review: Find Spot

Spotlite 2.O Pet GPS Locator

SecurusGPS released their advanced pet locator Spotlite 2.0 in early March 2013. I had the privilege of trying out this nifty gadget. It is designed to be worn by a 10 pound or greater sized dog. I don’t have a dog, so I did the next best thing. I used it to track my car and to track my partner’s suitcase (with his permission of course) as he traveled from Colorado to the East Coast. Let’s call them both Spot.

By Natasha Léger | April 22, 2013 April 22, 2013

Scaling Map Wizardry

To 100 million Microsoft Office 2013 Users

Marketing, operations, and business managers have been asking their IT departments for several years now for ways to see data on a map. IT and GIS (or IT and geo applications) have not mixed well as departments or as integrated priorities. This difficulty left many managers and departments to seek other solutions or to engage in skunk works projects with a variety of available technologies, including free and open source applications. These work-arounds to productivity have had both their successes and challenges. Microsoft has come to the rescue...

By Natasha Léger | April 18, 2013 April 18, 2013

Underground Assets

Streamlining the Call-Before-You-Dig Process

Designers of large projects, such as a highway expansion, a new shopping mall, a sewer or water lineupgrade project, or a gas line replacement, are often presented with unique challenges – including those that lie beneath the earth’s surface. Although not seen from a casual, above-ground glance, there is a world of assets and critical infrastructure that exist underground. When new projects are in the early phases of development, it is vital...

By Bill Kiger | April 17, 2013 April 17, 2013

COLUMNS

Executive Interview

Bringing More Attention to the Location Profession

Past, Present, and Future

MINDY BROWN, President of Bruun Consulting shares the past, present and future of location and GIS. She was one of the early pioneers of the geospatial industry and watched it ebb and flow over the last thirty years. As such she has a unique perspective on how the location professional has evolved over the years.

By Natasha Léger | March 8, 2013 March 8, 2013

Scaling Enterprise GIS

A Retail Perspective

Jillian Elder is not your average GIS Manager. Jillian sees GIS as another tool in a broader information toolbox that helps to solve a problem. As her team sits within the Market Planning and Research Group of Walgreens that reports to the CFO, she is charged with finding and accessing the best data from across the organization to answer particular questions. This interview discusses the challenges encountered in implementing an enterprise-wide location information strategy.

By LBx Staff | January 29, 2013 January 29, 2013

The Case for Tracking

Assets, People, and Pets

Securus, Inc. is a mobile safety and security products and services company that is taking machine-to-machine (M2M) hardware and software solutions to a new level. They have built an M2M software platform that enables a user to track any asset, person, or pet. The convergence of more efficient hardware, improved mobile connectivity, and other sensor technology innovations are redefining the possibilities and affordability of the location tracking market. We spoke with Chris Newton, President and CEO of Securus, Inc., about the market drivers for assets, people, and pet tracking.

By LBx Staff | January 9, 2013 January 9, 2013

Game Changer

Humans As Sensors

Adding the Time Dimension

As Di-ann is driving around the Bay Area she uses Waze (http://waze.com) to find her way. From Waze she gets routing, traffic and road closure information. In exchange, Waze tracks her location and knows her ultimate destination. It knows that she is going slower than expected on Highway 101 and that she is probably in traffic.

By Brady Forrest | January 13, 2010 January 13, 2010

Back Behind the Firewall

Net Technologies Move From Consumer to Enterprise

About five years ago, the group I worked for at Microsoft looked at what was happening in the blogosphere and decided to bring it in-house. We saw that the conversations needed a

By Brady Forrest, O'Reilly | May 25, 2009 May 25, 2009

On Minding The Store

Think Locally, Act Globally

It’s the Customer, Stupid!

There was a time, not too long ago, when “global” was a concept, but hardly a reality. As a corporation pushed its horizons beyond the relatively homogeneous local market, it encountered increased diversity and complexity, strange customs and even stranger legal environments. There were no global markets, no truly global products and few global brands. Corporations at best were multinational, jerry-built conglomerates of local institutions, each catering to relatively homogeneous local markets, each differing from the next.

By Robert Avila | August 3, 2011 August 3, 2011

Corporate Evolution

Are corporations prepared to go where their policies are taking them?

Corporations have been pursuing an implicit model that has shed much of the internal political, social and cultural qualities that characterized past corporations and have transformed themselves more and more into purely economic institutions. As this model has advanced, corporate loyalty, a largely political concept, has been replaced by the formal or “at will” employment contract, a purely economic arrangement.

By Robert Avila, Managing Director, Future Crunch | June 14, 2011 June 14, 2011

The Rebirth of Brand Management

It’s Not the Lead; It’s the Customer Experience that Matters

Brand is the social contract of business, the implicit agreement between the parties in a transaction about the nature of their long-term relationship. One is tempted to quote Hobbs to the effect that economic life devoid of brands tends to be “solitary, poor, nasty brutish and short,” a description eerily evocative of today’s commercial environment. As with political theory, when discussing brand it is easy to slip into morality tales. The recent collapse of the Tiger Woods and Toyota brands calls up images from Greek tragedy with choruses of talking heads lamenting their fall from greatness.

By Robert Avila | June 30, 2010 June 30, 2010