Slashdot Mirror
UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com)
An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.
Does the "UK" still not realize this is their problem? They try to tax, control, an profit from every tiny thing in a person's life. This is NOT acceptable. This is why people revolted and they lost their empire. Absolute, 100%, morons.
Well, they'll just have to work, anonymously...
“He’s not deformed, he’s just drunk!”
The extreme focus on privacy disempowers ordinary people from making their on inquiries. And strongly contrasts with the total access demanded by government. Combined with censorship of the web which has become a major form of communication, this shifts the balance of power away from the common man towards government bureaucrats.
Let's just criminalize being bad in general, since it seems these politicians think it'll solve all the problems in the world.
A law is useless if there is no way to enforce it.
Except for the government, of course.
I'm a good cook. I'm a fantastic eater. - Steven Brust
...then it's not anonymous data. How about make it illegal to collect enough info to make connecting the dots even possible?
There is this persistent undercurrent from governments that security researchers are the enemies. As if weaknesses don't exist until someone points them out. The apparent opinion is that we'd be safer if only people weren't free to point out the flaws in the system. The actual reality is the reverse.
On the one hand they want to ruin encryption, spy on everyone on the internet, censor the living hell out of everything, and there's no end to how many cameras they install all over the place. On the other hand there's this. Make up your mind, UK.
The biggest problem I see with this is that it flips the responsibility over to the one who says the emperor has no clothes. While it is difficult to create truly anonymous data and it would be nice to stop large law-abiding companies from trying to break down any compartmentalization you've done, I fear the effect will be quite the opposite. Because now if you call anyone out on poor anonymization it must be because you've tried exactly what this law prohibits, so white hats will be silenced. The companies will get lazier, because it's cheaper. And the black hats will have a field day with it.
Live today, because you never know what tomorrow brings
What is up with Took a crap? Leave a crap, okay.
So I can do it, and use it for evil... so long as the UK government doesn't find out about it?
Got it.
So when I write that paper on "de-anonymization made easy", all I have to do is anonymize my authorship of the paper, and I'll be safe, because the U.K. government won't break their own laws ... correct?
Anonymized data is fake anonimized. They leave enough selectors in the data to simply match it to the person.
The crime here is the disclosure of personal data fake-anonymized.
Making it a crime, won't stop an attacker (e.g. Putin) from deanoymizing data (e.g. MP's surfing habits, their research, their family data) from fake anonymized sources.
I interviewed with Amazon a few years ago and, coming from Cisco, their engineers were very keen to pick my brains on how to identify individuals using network trickery.
It was very obvious during the interview that this was their holy grail, the identification of individuals for targeted marketing particularly in the EU/UK where stiff laws on cookie usage had recently come into effect.
One wonders if this too is another political swipe at Amazon?
It's certainly not in the public interest what with the UK Gov's repeated statement of war on person encryption.
If it was to do with privacy they'd disallow selling 'anonymized' data on private citizens.
Instead they want to continue letting companies sell that data, knowing its not really anonymous. If anyone says ... here look how trivial it is to deanoymize the data.... that will be a prosecutable offence.
I guess this is an Amber Rudd thing, she will have been told there is a problem with anonymous data, and will have 'tackled' the effect not the cause. UK hasn't had a man Home Secretary since GCHQ obtained powers to spy on brits. Since then, its been a string of inoffensive, GCHQ friendly, women.
This is basically a thought crime.... Banning the Mining and Analysis of data from multiple sources in order to derive more facts about an event or piece of information?
So UK wants to expand its plethora of persecution powers.. ..what crime is this criminalization really about, and are they just making shit up? No, this seems to be a rule. A behavior modification.
I suspect that UK is NOT into privacy rights, but instead, is into policing secrecy, or more to the point, enforcing persecution powers and scheming to control society. Making me think this is just some police state bs.
Let's just criminalize being bad in general
Yup, that's kinda the whole idea of the criminal law.
From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously.
The extreme focus on privacy disempowers ordinary people from making their on inquiries.
Leftist hysteria! All this is about it us making good on our election promises ... because that's what we Conservatives do. This was part of the Manifesto upon which we were elected and the purpose is the very opposite of your fevered misinterpretation. Did you even bother to read the Bill's SoI (linked to in the summary)?
We will protect privacy, strengthen rights and empower individuals to have more control over their personal data by providing easier access. Individuals will generally have more control over their digital footprint, their personal data, how it is used and passed on by companies. Specifically, UK citizens will be better protected by a combination of new and strengthened existing rights: Privacy ... Improved data access ... Data portability ... Right to be forgotten ... Profiling ...
This gives the Individual real control over what can be done online with their personal information: it gives the Individual access to information about what kind of personal data is being used, how that data is being used, and the means to limit such use, --while still recognising the need for commercial and scientific data sharing as we move forward.
It has not been easy, but this Bill strikes the ideal balance between the needs of the digital economy, upon which our future prosperity depends, and the Rights of Individuals to have their privacy and specifically personal data respected, to be protected from identity theft and other potential misuse. It is the gold standard for data use and data protection globally. I'm terribly sorry, but the real world is a little more complicated than your simplistic socialist (or is it anarchist?) world-view might allow. This is what good government looks like.
Now back to your previously scheduled cyber-anarchist group think ...
"An anonymous reader writes: "
Actually, they're not anonymous, it's really easy to show that they're...
Hang on, there's a black helicopter landing in my garden, be right back
The UK is still a full member of the EU. We're not due to leave for at least another 18 months, assuming it doesn't get delayed, or the decision to leave reversed.
And just the other day, the head of GCHQ was complaining that he couldn't hire hackers with previous experience and that the schools weren't turning out students who knew how to do unexpected things with computers.
A UK user could be re-identified in another country. For some reason the UK government can't get its head round the fact that the internet is international. Looking at the crimes which can be tried in the UK when committed abroad I think that someone from the UK could even just pop over to France or Ireland, identify somebody, then pop back and they couldn't do anthing
... this is actively used to identify persons of interest. So criminalize re-identification of anonymized user data would become a state privilege?
We haven't left yet. We won't leave til 2019 at the earliest.
"Recently, despite leaving the European Union"
Fucking ignoranace at the highest level
...and their dog too. Oh, if only there was a law to make uncovering illegal.
Sounds a lot like the UK government actually WANTS to keep those weaknesses. Wonder if some were built in. Hmmm.
It may sound far fetched, but what other sane reason would you try to prevent people finding weakness, thus enabling them to be fixed? Unless this is a conspiracy to keep "backdoors" in the process of anonymizing data, it's just encouraging people to find those vulnerable points and NOT report them. Hackers much be laughing their butts off.
"Imagination is more important than knowledge" - Einstein
Why is UK law relentlessly criminalizing everything except actual criminality? One of the major things the UK does criminalize is fighting back against criminals. Small wonder that gangs of kids on mopeds are ripping down London's sidewalks, snatching phones, purses and briefcases from pedestrians - and there's nothing that people can do about them.
If someone posts something on-line and it contains enough information to make identification likely if not probably, how is a third party reading it somehow culpable for making an elementary inference or deduction?
Moreover, are they seriously going make illegal the cross referencing of public information?
---- The above post was generated by the Turing Institute. Maybe.
That country seems to be in the hands of yahoos, nitwits and tinpot despots wannabees these days.
Time and again neuronally challenged "law makers" dive into the same cesspit: outlaw xxx and only outlaws will have xxx.
Thanks, and fuck off.
Any time someone talks about how some data collection is OK because it's "anonymized", the only logically correct reaction is laughter.
Modern databases and analytics has ensured that it is literally impossible to effectively anonymize data while still retaining the usefulness of the data.
Does Susan Rice know about this?
How is the government supposed to help the democratic process?
Why can't we build wonderful countries like Venezuela?
Now the crooks can continue doing what they're doing unimpeded, meanwhile security professionals get their hands tied behinds their backs and anonymization techniques can be used regardless of how flaws they are.
I have this great method for anoymization, based on the tried and true ROT13 encryption algorithm. And if anyone cracks it, I can lay charges instead of wasting time wondering if my entire process is horribly broken.
.. imagine their embarrassment when a security research might de-anonymize their own browsing history, correspondence with corporate oligarchs for kickbacks, etc.. if unmasking them by network traffic is made a distinct crime, it'll be harder to expose corruption in politics.
Guess you guys shouldn't have given up your guns, eh?
I'll never be able to figure out how liberals think gun ownership is pointless when you have a police force (actual US supreme court justice dissenting opinion in D.C. v Heller), but at the same time think the police force is inept and the bastion of racism and sexism.
Which is it? Can we depend on them or not? Why would you take all the guns away from people, and then give them to the people accused of shooting blacks for fun? Wouldn't it make more sense to give citizens the right to defend themselves--even from corrupt cops and corrupt "institutions"?
Let me think this out a minute.
Someone points out that something can be done by criminals and should be fixed.
So you make it illegal for them to point it out?
Is that kind of like making it illegal to speak up about 'the emperor's new cloths'(https://en.wikipedia.org/wiki/The_Emperor%27s_New_Clothes).
seriously, let's make it illegal then only criminals can do it.
(I guess it makes it easier for the black ops guys that you own ) .
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
Prohibiting re-identification for profit, political, etc purposes is an excellent idea. I was actually excited when I saw the headline.
But if they block researchers and disclosure of methods, then how will anyone ever know if re-identification is happening or even possible? How could we assess the risk of re-identification by malicious actors? What can we do to protect our personal privacy, our users, and our networks without detailed technical information?
The proposed law may protect citizens from corporate abuse, assuming it is enforced uniformly. But it also gives government agencies and organized criminals considerable leeway to develop capabilities without public oversight or defensive barriers/mitigations.
The only thing worse than no law is a backdoored law.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Why is UK law relentlessly criminalizing everything except actual criminality?
Fraud isn't criminality?
If I agree to share personal data because I was told it was anonymized, and it is later de-anonymized, I have been defrauded.
Tear a page from the Hermit Kingdom, and what you end up building will have the same level of intrinsic merit: a privacy shroud that could be broken by an ambitious elementary school kid.
I, for one, welcome our new mules.
I am a privacy researcher.
Aside from the "not even research is allowed" bit, this is a good idea.
Currently most people believe anonymisation is possible. Just the noise around this law might help most policymakers understand that the real question is 'for how long do we believe we can make this anonymous'.
This post almost feels like a hit job: the idea is placed in a very negative light with a lot and mostly negative comments straight away.
You'd think the people on Slashdot would also understand the problem this law tries to address. Big databrokers are bringing together so many datasets that, once overlapped, the k-anonymity levels of each of those datasets might not be sufficient.
Any privacy solution will have to be a combination of both technological AND judicial protections. (And public awareness)
Thinking critically is hard for them.