This blog on The Register caught my eye with the headline “Re-identifying folks from anonymised data will be a crime in the UK”. It’s a very good overview of the UK government’s recent (7th August 2017) Statement of Intent on Data Privacy (basically how the UK will align to EU-wide GDPR legislation given Brexit).
It’s worth reading the Statement of Intent in full; the points that caught my attention were:
- The UK intends to legislate that a parent/similar must give explicit consent for data to be held on a child under 13 (for the EU it’s 16), but how on earth will that be policed or technically implemented? 13-year-olds don’t have credit cards or similar.
- The range of bodies who submitted input is fascinating: charities, universities, councils, museums, media bodies. But there is hardly any representation from the tech industry itself, from the folks that will have to implement this.
- The past regulatory fines issued for breaches under the Data Protection Act are tiny (~£3.5M last year), and the value of fines doesn’t correlate well to the rise in complaints about breaches.
- The criminalisation of trying to de-anonymize data. It shouldn’t be possible to re-identify people from genuinely anonymized data, so it’s an odd concept.
De-anonymising data – an example
Think about your web browsing history and what you do:
- visit your bank
- update your LinkedIn profile
- pay your gas supplier
- check the local paper’s website
- look up your kids’ schools newsletters
- log in to your company portal
- turn your smart home heating system off when you leave work
- check the traffic on your route to work (perhaps entering your postcode which covers several hundred people so isn’t personal)
Individually, the sites you’ve visited often contain no personal or identifying data, but collectively, the more you use the internet and the more connected we are, the more data there is that can pinpoint you. It wouldn’t take a rocket scientist to work out who you are with enough bits of info.
Many believe anonymising data by removing data isn’t enough; even the process of removing data systematically can leave artefacts that can be reverse engineered. Many believe that, to be anonymised, data needs to be muddled up and written over with fake data. The UK Data Archive is a good read on this.
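As an added illustration (not from the original post or the Statement of Intent), the Python below measures the linkage effect described above on a constructed table of pseudonymous browsing summaries: each field alone is shared by several people, yet a few fields combined single out one record even though names were removed. The field names and all values are made up for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: one row per pseudonymous user, no names or account IDs.
FIELDS = ("bank", "gas", "paper", "school", "employer", "postcode")
RECORDS = [
    ("BankA", "GasX", "Gazette", "Oakfield", "AcmeCo",  "AB1"),
    ("BankA", "GasX", "Gazette", "Oakfield", "BetaLtd", "AB1"),
    ("BankA", "GasY", "Gazette", "Hillside", "AcmeCo",  "AB1"),
    ("BankB", "GasX", "Gazette", "Hillside", "AcmeCo",  "AB2"),
    ("BankB", "GasY", "Herald",  "Oakfield", "BetaLtd", "AB2"),
    ("BankB", "GasX", "Herald",  "Hillside", "BetaLtd", "AB1"),
    ("BankA", "GasY", "Herald",  "Oakfield", "AcmeCo",  "AB2"),
    ("BankB", "GasY", "Gazette", "Hillside", "BetaLtd", "AB2"),
]

def group_sizes(records, cols):
    """Count how many records share each combination of values in cols."""
    return Counter(tuple(r[c] for c in cols) for r in records)

def k_anonymity(records, cols):
    """Size of the smallest group: every record hides among at least k."""
    return min(group_sizes(records, cols).values())

def unique_fraction(records, cols):
    """Share of records that are the only one with their combination."""
    sizes = group_sizes(records, cols)
    return sum(1 for n in sizes.values() if n == 1) / len(records)

def min_fields_to_isolate(records, idx):
    """Fewest fields whose combined values match only records[idx]."""
    target = records[idx]
    for width in range(1, len(target) + 1):
        for cols in combinations(range(len(target)), width):
            key = tuple(target[c] for c in cols)
            if group_sizes(records, cols)[key] == 1:
                return width, tuple(FIELDS[c] for c in cols)
    return None  # an exact duplicate row exists, so it is never unique

if __name__ == "__main__":
    for i, name in enumerate(FIELDS):
        print(f"{name:9} alone: k = {k_anonymity(RECORDS, (i,))}")
    every = tuple(range(len(FIELDS)))
    print("all fields: k =", k_anonymity(RECORDS, every),
          "unique =", unique_fraction(RECORDS, every))
    print("record 0 isolated by:", min_fields_to_isolate(RECORDS, 0))
```

Running the same check on a dataset before release shows which field combinations drop k to 1, and so which fields need generalising or perturbing rather than just having the name column removed.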
The arrival of the Internet of Things will greatly increase the number of devices spewing little clues about us into the ether… interesting times…