Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


12:45 PM

Companies' 'Anonymized' Data May Violate GDPR, Privacy Regs

New study found that any database containing 15 pieces of demographic data could be used to identify individuals.

For more than two decades, researchers have chipped away at the assumption that anonymized collections of data could protect the identities of research subjects as long as the datasets did not include one of a score of different identifying attributes.  

In the latest research highlighting the ease of what is known as "re-identification," three academic researchers have shown that 99.98% of Americans could be re-identified from an otherwise anonymized dataset, if it included 15 demographic attributes.

The findings suggests that even the current policies surrounding the protection of customer identities, such as the General Data Protection Regulation (GDPR), fall short of truly protecting citizens.

In the paper, which appeared in Nature on July 23, the researchers conclude that "even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model." 

The paper adds to the mountain of research suggesting that any dataset that contains useful information about individuals likely could be used to re-identify those subjects and link individuals to information that may be protected by privacy regulations or law. The research could lead to a rethinking of whether all big data sets need to be significantly better protected.

"Many companies think that, if it's anonymous, I don't need to secure it, but the data is likely not as anonymous as they think," says Bruce Schneier, a lecturer at Harvard University's Kennedy School of Management and the author of Data and Goliath, a book about how companies' data collection results in a mass-surveillance infrastructure. "Again and again and again, we have learned that anonymization of data is extremely hard. People are unique enough that data about them is enough to identify them."

The findings mean that companies and government agencies need to reassess how they deal with "anonymized" data, says Scott Giordano, vice president of data protection, Spirion, a providers of data-security services. The US Department of Health and Human Services, for example, currently requires that businesses remove 18 different classes of information from files, or have an expert review their anonymization techniques, to certify data as non-identifying. 

That may not be enough, he says.

"It is too easy, with advances in big data, to de-anonymize things that maybe you couldn't have de-anonymized five years ago," Giordano says. "We are in an arms race between the desire to anonymize data and our collection of big data, and big data is winning."

Zip Code, Gender, and DoB

The concerns over re-identification appeared in the late 1990s, when then-graduate student Latanya Sweeney conducted research into the possibility of combining voter rolls and medical research records on Massachusetts state employees to de-anonymize patients' information. Famously, Sweeney, now a professor of government and technology in residence at Harvard University, was able to find then-Governor William Weld's medical record in the dataset. In a 2000 paper, she estimated that 87% of US citizens could be identified using just three pieces of information: their 5-digit zip code, gender, and data of birth. 

With the collection of a broad range of data proliferating from personal devices — not just from smartphones, but from Apple watches to connected mattresses — technology firms and data aggregators are making choices that affect the rights of US citizens, she argued in a speech at Stanford University's School of Engineering in 2018.

"We live in a technocracy — that is, we live in a world in which technology design dictates the rules we live by," she said. "We don't know these people, we didn't vote for them in office, there was no debate about their design, but yet, the rules that they determined by the design decisions they make — and many of them somewhat arbitrary — end up dictating how we will live our lives." 

The Nature paper, written by a team of three researchers from the Imperial College of London and Belgium's UC Louvain, shows that the massive number of attributes collected about people makes them more unique. For companies, the lesson is that any sufficiently detailed dataset cannot be, by definition, anonymous. Even releasing partial datasets runs the risk of re-identification, the researchers found.

"Moving forward, (our results) question whether current de-identification practices satisfy the anonymization standards of modern data protection laws such as GDPR and CCPA (the California Consumer Privacy Act) and emphasize the need to move, from a legal and regulatory perspective, beyond the de-identification release-and-forget model," the researchers stated in the paper. 

This leaves companies with no easy answers on whether following current guidelines is enough to protect the anonymity of the information in their care, says Pravin Kothari, CEO of CipherCloud, a data-security provider. 

"This finding proves that re-identification is easy, so companies need to make sure they are anonymizing all demographic data, not just names," he says. "The removal of names is simply not enough to properly de-identify a person. We'll need to ensure that all personally identifiable information is anonymized in order to remove the risk of re-identification of individuals."

Related Content

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/29/2019 | 4:43:37 PM
Re: Clarification on the GDPR
the researchers conclude that "even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR..." The GDPR is not focusing on datasets but on each information. One can read Recital 27 of the GDPR and understands how the GDPR does not apply to anonymous information. Thus, if working with a dataset or several available databases the anonymization technique has to be applied to each piece of information making sure that none of the remaining unanonymized data does not relate to an identified or identifiable natural person.
User Rank: Ninja
7/26/2019 | 8:17:34 PM
Isn't the police department and other federal agencies capturing our faces (facial recognition)
Ok, maybe I missed something, aren't the US police departments using tools to capture information from license plates; as well as capturing information from traffic cameras and cameras on their uniforms. Agencies are performing some sort of facial recognition when they stop you or at the airports, your informaiton is being captured and recorded in a database. Federal agencies and other organizations are capturing your information and this information is being retrieved from a centralized database. The database is called XKeyScore, so at this point nothing is private. This database creates relational tables where they determine relationships based on success rates. There are other tools but I won't go into detail (Facia, Informant, Stingray, etc).
Even if companies are anonymizing data (jumbling or encrypting the data), the user's information is found on Facebook, Linkedin (social media), public records (clerk of court, where you live and stay) and now they have added facial recognition to the equation. I don't think it is the companies that we need to focus on but the other 3 letter agencies that are using our PII data as a way of determining if we are legitimate or not.
Just something to think about.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-12
Roundcube Webmail before 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document.
PUBLISHED: 2020-08-12
An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CS...
PUBLISHED: 2020-08-12
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
PUBLISHED: 2020-08-12
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
PUBLISHED: 2020-08-12
An information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Software Development Platform versions 6.4.0 to 6.6.0 could allow an attacker to potentially read arbitrary files and run arbitrary executables in the context of the web server.