Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Sunday November 12 2023, @10:42AM   Printer-friendly
from the target-marketing dept.

From The Electronic Frontier Foundation: Debunking the Myth of "Anonymous" Data

Personal information that corporations collect from our online behaviors sells for astonishing profits and incentivizes online actors to collect as much as possible. Every mouse click and screen swipe can be tracked and then sold to ad-tech companies and the data brokers that service them.

In an attempt to justify this pervasive surveillance ecosystem, corporations often claim to de-identify our data. This supposedly removes all personal information (such as a person's name) from the data point (such as the fact that an unnamed person bought a particular medicine at a particular time and place). Personal data can also be aggregated, whereby data about multiple people is combined with the intention of removing personal identifying information and thereby protecting user privacy.

...

However, in practice, any attempt at de-identification requires removal not only of your identifiable information, but also of information that can identify you when considered in combination with other information known about you. Here's an example:

  • First, think about the number of people that share your specific ZIP or postal code.
  • Next, think about how many of those people also share your birthday.
  • Now, think about how many people share your exact birthday, ZIP code, and gender.

According to one landmark study, these three characteristics are enough to uniquely identify 87% of the U.S. population. A different study showed that 63% of the U.S. population can be uniquely identified from these three facts.

We cannot trust corporations to self-regulate. The financial benefit and business usefulness of our personal data often outweighs our privacy and anonymity. In re-obtaining the real identity of the person involved (direct identifier) alongside a person's preferences (indirect identifier), corporations are able to continue profiting from our most sensitive information. For instance, a website that asks supposedly "anonymous" users for seemingly trivial information about themselves may be able to use that information to make a unique profile for an individual.


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by pTamok on Sunday November 12 2023, @03:04PM (5 children)

    by pTamok (3042) on Sunday November 12 2023, @03:04PM (#1332605)

    The GDPR is very clear about what constitutes personal data, but I suspect a lot of people misinterpret it, either through ignorance, or through wilful misinterpretation.

    Unfortunately, the EU publishes its legal texts in ways that make them difficult to quickly get an overview of, but the official text, in English, is here:

    REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [europa.eu]

    There are other sites that have easier URLs:

    1) An EU site: European Commission: What is personal data? [europa.eu]

    2) An EU funded site, set up by Proton AG: Complete guide to GDPR compliance: General Data Protection Regulation (GDPR): Article 4 : Definitions

    3) An independent site: Intersoft Consulting: Article 4 Definitions [gdpr-info.eu]

    The EU site gives a comprehensive and detailed answer with links to legislation. It's not just GDPR Article 4.

    But if you take GDPR Article 4, the definition of personal data is given as:

    For the purposes of this Regulation:

    (1)‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    (2)‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

    (3)‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

    (4)‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

    (5)‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

    (6)‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

    I've highlighted 'or indirectly'

    The EU website clarifies further:

    Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

    Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.

    Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

    The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

    I've highlighted a few points.

    If a person can be identified by combining different sets of records, those records constitute personal data.

    It is clear; and ignored for convenience by huge numbers of people and organisations, because following the GDPR properly is hard.

    Starting Score:    1  point
    Moderation   +4  
       Interesting=1, Informative=3, Total=4
    Extra 'Informative' Modifier   0  

    Total Score:   5  
  • (Score: 3, Informative) by Runaway1956 on Sunday November 12 2023, @03:46PM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday November 12 2023, @03:46PM (#1332608) Journal

    It may be worth remembering IBM's contribution to the holocaust. They made it possible to categorize and deanonymize and track millions of people. The Nazis were truly grateful for that contribution.

    --
    A MAN Just Won a Gold Medal for Punching a Woman in the Face
    • (Score: 5, Insightful) by pTamok on Sunday November 12 2023, @04:06PM

      by pTamok (3042) on Sunday November 12 2023, @04:06PM (#1332611)

      There were many contributors, both witting and unwitting.

      The pre-war Dutch government helped, by keeping good records of the religion of people living in the Netherlands. Was it necessary? Who knows, But it allowed the German invading force to quickly single out that sector of the population. The Dutch resistance tried to destroy records [wikipedia.org].

      It's a good example of what happens when you allow a benign government to keep apparently benign records. You never know when a regime might change, and innocuous behaviour before the change becomes a liability. Anyone with a university degree was targetted in Cambodia when Pol Pot achieved power [wikipedia.org].

      A good rule of thumb is to collect as little data as possible to do what you need, and destroy it as soon as possible afterwards. Having data hand around is a liability. Only collect what is necessary, and keep it for a short a time as possible.

      Meanwhile, modern practices appear to be 'collect it all'; generate a central ID database linked to all your government records; keep for as long as possible.

      What could possibly go wrong?

      The point is not whether you trust the current data collectors to 'do no evil', but what about the possible future inheritors of that data, who you don't know. If someone wanted to use it in the least benign way possible, would you be worried?

    • (Score: 5, Interesting) by pTamok on Sunday November 12 2023, @07:35PM

      by pTamok (3042) on Sunday November 12 2023, @07:35PM (#1332621)

      Oh, and while I am at it.

      The Nazis. Or, to give the full name of the political party the Nationalsozialistische Deutsche Arbeiterpartei (NSDAP - The National Socialist German Worker's Party). In the free-ish* elections of July 1932, they got 37.2% of the vote on a turnout of 84.1% of the electorate. The Nazis were not a tiny minority - it's 31% of the electorate. Note that President Trump, in the 2016 Presidential elections, got the vote of 27.3% of the electorate.

      If, as a German, you think the Nazis were bad for Germany, you can see that voting for them, even if holding your nose 'for want of a better candidate' didn't necessarily give you the result you wanted. It's clear that voting counts, unless you want decision to be made by a minority you didn't vote for, and don't necessarily agree with; and it is a good idea to vote for candidates that aren't simply popular demagogues. Not voting isn't 'sending a message' - it's giving power to people you actively disagree with. Use your vote wisely. Please.

      *There was a fair amount of voter intimidation.

  • (Score: 4, Informative) by captain normal on Sunday November 12 2023, @09:27PM (1 child)

    by captain normal (2205) on Sunday November 12 2023, @09:27PM (#1332632)

    ".. following the GDPR properly is hard."

    Are you talking about hard for the common user who has to click through a custom cookie banner before a site will load properly? Or are you talking about hard for the web designers, ad trolls and ISPs trying to load up the common person's device with third party cookies, tracking cookies, supercookies, Zombie cookies and Flash cookies in order hide from likes of the EU cookie law, the PECR, CCPA and the LGPD.
    It's all really as simple as outlawing any cookie other than a cookie that identifies an individual only on a site that they have signed up for.

    --
    The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.