Slashdot Mirror
UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com)
An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.
Well, they'll just have to work, anonymously...
“He’s not deformed, he’s just drunk!”
The extreme focus on privacy disempowers ordinary people from making their on inquiries. And strongly contrasts with the total access demanded by government. Combined with censorship of the web which has become a major form of communication, this shifts the balance of power away from the common man towards government bureaucrats.
Let's just criminalize being bad in general, since it seems these politicians think it'll solve all the problems in the world.
A law is useless if there is no way to enforce it.
Except for the government, of course.
I'm a good cook. I'm a fantastic eater. - Steven Brust
...then it's not anonymous data. How about make it illegal to collect enough info to make connecting the dots even possible?
There is this persistent undercurrent from governments that security researchers are the enemies. As if weaknesses don't exist until someone points them out. The apparent opinion is that we'd be safer if only people weren't free to point out the flaws in the system. The actual reality is the reverse.
The biggest problem I see with this is that it flips the responsibility over to the one who says the emperor has no clothes. While it is difficult to create truly anonymous data and it would be nice to stop large law-abiding companies from trying to break down any compartmentalization you've done, I fear the effect will be quite the opposite. Because now if you call anyone out on poor anonymization it must be because you've tried exactly what this law prohibits, so white hats will be silenced. The companies will get lazier, because it's cheaper. And the black hats will have a field day with it.
Live today, because you never know what tomorrow brings
So I can do it, and use it for evil... so long as the UK government doesn't find out about it?
Got it.
So when I write that paper on "de-anonymization made easy", all I have to do is anonymize my authorship of the paper, and I'll be safe, because the U.K. government won't break their own laws ... correct?
Anonymized data is fake anonimized. They leave enough selectors in the data to simply match it to the person.
The crime here is the disclosure of personal data fake-anonymized.
Making it a crime, won't stop an attacker (e.g. Putin) from deanoymizing data (e.g. MP's surfing habits, their research, their family data) from fake anonymized sources.
Could be to protect the new GCHQ methods?
The days of passive nation wide collect it all is over.
The security services will be moving down networks and into networks at a user level.
What happened when AV or malware detection starts getting too smart at reporting back about all detected network issues in real time?
Suddenly the security services need a unique ip rage for all the interesting people they are trying to watch?
Re-identification done with enough funding and skill might show contractors for the security services all appearing from the same staging servers.
Ban re-identification and the security services can still use existing methods.
No need to worry about real time AV efforts or security researches if they can only look at code litter rather than uncover entire malware pushing networks.
Domestic spying is now "Benign Information Gathering"
I interviewed with Amazon a few years ago and, coming from Cisco, their engineers were very keen to pick my brains on how to identify individuals using network trickery.
It was very obvious during the interview that this was their holy grail, the identification of individuals for targeted marketing particularly in the EU/UK where stiff laws on cookie usage had recently come into effect.
One wonders if this too is another political swipe at Amazon?
It's certainly not in the public interest what with the UK Gov's repeated statement of war on person encryption.
This is basically a thought crime.... Banning the Mining and Analysis of data from multiple sources in order to derive more facts about an event or piece of information?
So UK wants to expand its plethora of persecution powers.. ..what crime is this criminalization really about, and are they just making shit up? No, this seems to be a rule. A behavior modification.
I suspect that UK is NOT into privacy rights, but instead, is into policing secrecy, or more to the point, enforcing persecution powers and scheming to control society. Making me think this is just some police state bs.
Let's just criminalize being bad in general
Yup, that's kinda the whole idea of the criminal law.
From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously.
Your assumption that the views of the parent are leftist do more to betray your own ideology than cast any light on the author.
Meanwhile, the lack of technical content and complete lack of reasoning in your narrative, mixed with declarative rhetorical statements strongly suggests that the Conservatives suit you down to the ground.
Regardless, and in light of your fascination with politics, I strongly recommend you read Jonathon Haidt's well-received book "The Righteous Mind: Why Good People are Divided by Politics and Religion". Not because I want you to shift your political views - but merely so that you can understand why some great thinkers, scientists, philosophers, (and yes, morons) vote Left. The book is ingenious in that it allows us to empathise and relate to each side of the political (and religious) divide in a meaningful and well structured manner.
As for the business of criminalising reversing anonymisation, I agree, it's a good idea in principle, but it is essentially a straw man: The exemptions will include the police and intelligence services, who don't break domestic laws by spying on their neighbours, but then swap the data over. Meanwhile, big business (e.g., the likes of Facebook, etc) don't need to even try to reverse anonymity - they already know more about you than your mother does, and for all the wrong reasons.
One of the difficulties facing the challenge of modern PI obfuscation is that it's pretty trivial to reverse anonymity, which itself makes it very hard to develop clinical environments for social and medical research. Take, for instance, a clinical trial: If the sponsor (the pharmaceutical company) is able to identify an individual patient engaged in the trial, then the trial has, essentially, failed (Why? Because there is no way of subsequently demonstrating that the sponsor has then not used a back-channel to skew the data), which can be very expensive indeed.
This set of laws does very little to address those issues - because it's making it illegal to reverse anonymity - a bit like locking the door after the horse has bolted.
Instead, it would be far more useful to develop and publish a set of standards for anonymising data (and many other aspects of the IT industry), just as we find in e.g. the construction industry. The difficulty with that is that the big players (the likes of Oracle, Microsoft, and so on) use their significant lobbying power to provide standards that implicitly require a lock-in to their own platforms. (We can see analogous examples of this in, for instance, MOD field and operations computers which are often stuck to running Windows 95).
It's early days - we are still very much in the cowboy era of the 'new frontier'. Legislation, and the legislative process altogether is ineffective and inefficient as a means of mitigation, because technology is changing far too rapidly for legislation to ever catch up. Try Charlie Stross' text: Accelerando as a great (and entertaining) source for this. (Free, as in beer, copy: http://www.antipope.org/charli... )
This comment was written with the intention to opt out of advertising.
The UK is still a full member of the EU. We're not due to leave for at least another 18 months, assuming it doesn't get delayed, or the decision to leave reversed.
With all due respect, having written that opening paragraph you could scarcely proceed to pen the next without exposing yourself to a charge of hypocrisy. Your objection to a party making good on its election promises, however, is noted. To put invective to one side and proceed to matters of substance ...
As for the business of criminalising reversing anonymisation ...
At the risk of drifting off-topic, I was not addressing that point in particular, but rather OP's assertion that: "The extreme focus on privacy disempowers ordinary people from making their o[w]n inquiries" The quote at the head of my post ought to have made that clear.
Even without consulting the authoritative document linked to in the summary, that is relying instead on the 'bleepingcomputer' article, OP would have been made aware the the present Bill makes provision, inter alia, to:
> Make it simpler to withdraw consent for the use of personal data
> Make it easier and free for individuals to require an organization to disclose the personal data it holds on them
> Allow people to ask for their personal data held by companies to be erased
> Require ‘explicit’ consent to be necessary for processing sensitive personal data
> Enable parents and guardians to give consent for their child’s data to be used
> Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
> Make it easier for customers to move data between service providers
In light of those proposed changes, even a hyper-partisan Corbynite would need to recognise the accusation of "disempower[ing] ordinary people from making their o[w]n inquiries" is breathtakingly absurd.
I do take your point, however, and it is perhaps instead a cowboy mentality we are dealing with here. Of one thing we can be certain: The moderation of this counterfactual twaddle as 'Insightful' evidences the most remarkable groupthink here at this 'new-frontier.'
And just the other day, the head of GCHQ was complaining that he couldn't hire hackers with previous experience and that the schools weren't turning out students who knew how to do unexpected things with computers.
This isn't about privacy really, it's to help facilitate business. The government sees big data as a growth area, but there are legal problems with sharing the data. By making de-anonymization illegal they can give their usual "don't worry, safeguards are in place" message and then let the orgy of personal data mining commence.
In other words, it's actually anti-privacy.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
A UK user could be re-identified in another country. For some reason the UK government can't get its head round the fact that the internet is international. Looking at the crimes which can be tried in the UK when committed abroad I think that someone from the UK could even just pop over to France or Ireland, identify somebody, then pop back and they couldn't do anthing
... this is actively used to identify persons of interest. So criminalize re-identification of anonymized user data would become a state privilege?
We haven't left yet. We won't leave til 2019 at the earliest.
"Recently, despite leaving the European Union"
Fucking ignoranace at the highest level
...and their dog too. Oh, if only there was a law to make uncovering illegal.
Sounds a lot like the UK government actually WANTS to keep those weaknesses. Wonder if some were built in. Hmmm.
It may sound far fetched, but what other sane reason would you try to prevent people finding weakness, thus enabling them to be fixed? Unless this is a conspiracy to keep "backdoors" in the process of anonymizing data, it's just encouraging people to find those vulnerable points and NOT report them. Hackers much be laughing their butts off.
"Imagination is more important than knowledge" - Einstein
Why is UK law relentlessly criminalizing everything except actual criminality? One of the major things the UK does criminalize is fighting back against criminals. Small wonder that gangs of kids on mopeds are ripping down London's sidewalks, snatching phones, purses and briefcases from pedestrians - and there's nothing that people can do about them.
If someone posts something on-line and it contains enough information to make identification likely if not probably, how is a third party reading it somehow culpable for making an elementary inference or deduction?
Moreover, are they seriously going make illegal the cross referencing of public information?
---- The above post was generated by the Turing Institute. Maybe.
Thanks for the book ref. From the wiki summary it sounds similar to the issue that, as minds develop, they take on the habit of looking at multiple perspectives (and some psychologists/philosophers call this "vision-logic"), where no one perspective is right or wrong, so what you do is take as many perspectives as you can, and then integrate them (so arriving at a more useful perspective -- rather than postmodernism which gets stuck in, "well if all perspectives could be taken, then none are true, and so there are no truths" (not integrating but disintegrating/deconstructing)).
As for banning de-anonymisation, well surely that needs to apply to the methods used for anonymising, which can be awful -- take for example people who happen to live in a very remote area, so their postcode alone identifies them.
As one of the replies said, this sounds more like it is about providing "procedures" which show "compliance" whilst continuing to hoover everything up.
That country seems to be in the hands of yahoos, nitwits and tinpot despots wannabees these days.
Any time someone talks about how some data collection is OK because it's "anonymized", the only logically correct reaction is laughter.
Modern databases and analytics has ensured that it is literally impossible to effectively anonymize data while still retaining the usefulness of the data.
Does Susan Rice know about this?
How is the government supposed to help the democratic process?
Why can't we build wonderful countries like Venezuela?
Now the crooks can continue doing what they're doing unimpeded, meanwhile security professionals get their hands tied behinds their backs and anonymization techniques can be used regardless of how flaws they are.
I have this great method for anoymization, based on the tried and true ROT13 encryption algorithm. And if anyone cracks it, I can lay charges instead of wasting time wondering if my entire process is horribly broken.
Guess you guys shouldn't have given up your guns, eh?
I'll never be able to figure out how liberals think gun ownership is pointless when you have a police force (actual US supreme court justice dissenting opinion in D.C. v Heller), but at the same time think the police force is inept and the bastion of racism and sexism.
Which is it? Can we depend on them or not? Why would you take all the guns away from people, and then give them to the people accused of shooting blacks for fun? Wouldn't it make more sense to give citizens the right to defend themselves--even from corrupt cops and corrupt "institutions"?
Let me think this out a minute.
Someone points out that something can be done by criminals and should be fixed.
So you make it illegal for them to point it out?
Is that kind of like making it illegal to speak up about 'the emperor's new cloths'(https://en.wikipedia.org/wiki/The_Emperor%27s_New_Clothes).
seriously, let's make it illegal then only criminals can do it.
(I guess it makes it easier for the black ops guys that you own ) .
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
Prohibiting re-identification for profit, political, etc purposes is an excellent idea. I was actually excited when I saw the headline.
But if they block researchers and disclosure of methods, then how will anyone ever know if re-identification is happening or even possible? How could we assess the risk of re-identification by malicious actors? What can we do to protect our personal privacy, our users, and our networks without detailed technical information?
The proposed law may protect citizens from corporate abuse, assuming it is enforced uniformly. But it also gives government agencies and organized criminals considerable leeway to develop capabilities without public oversight or defensive barriers/mitigations.
The only thing worse than no law is a backdoored law.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Why is UK law relentlessly criminalizing everything except actual criminality?
Fraud isn't criminality?
If I agree to share personal data because I was told it was anonymized, and it is later de-anonymized, I have been defrauded.
Tear a page from the Hermit Kingdom, and what you end up building will have the same level of intrinsic merit: a privacy shroud that could be broken by an ambitious elementary school kid.
I, for one, welcome our new mules.
I am a privacy researcher.
Aside from the "not even research is allowed" bit, this is a good idea.
Currently most people believe anonymisation is possible. Just the noise around this law might help most policymakers understand that the real question is 'for how long do we believe we can make this anonymous'.
This post almost feels like a hit job: the idea is placed in a very negative light with a lot and mostly negative comments straight away.
You'd think the people on Slashdot would also understand the problem this law tries to address. Big databrokers are bringing together so many datasets that, once overlapped, the k-anonymity levels of each of those datasets might not be sufficient.
Any privacy solution will have to be a combination of both technological AND judicial protections. (And public awareness)