From The Electronic Frontier Foundation: Debunking the Myth of "Anonymous" Data
Personal information that corporations collect from our online behaviors sells for astonishing profits and incentivizes online actors to collect as much as possible. Every mouse click and screen swipe can be tracked and then sold to ad-tech companies and the data brokers that service them.
In an attempt to justify this pervasive surveillance ecosystem, corporations often claim to de-identify our data. This supposedly removes all personal information (such as a person's name) from the data point (such as the fact that an unnamed person bought a particular medicine at a particular time and place). Personal data can also be aggregated, whereby data about multiple people is combined with the intention of removing personal identifying information and thereby protecting user privacy.
...
However, in practice, any attempt at de-identification requires removal not only of your identifiable information, but also of information that can identify you when considered in combination with other information known about you. Here's an example:
- First, think about the number of people that share your specific ZIP or postal code.
- Next, think about how many of those people also share your birthday.
- Now, think about how many people share your exact birthday, ZIP code, and gender.
According to one landmark study, these three characteristics are enough to uniquely identify 87% of the U.S. population. A different study showed that 63% of the U.S. population can be uniquely identified from these three facts.
We cannot trust corporations to self-regulate. The financial benefit and business usefulness of our personal data often outweighs our privacy and anonymity. In re-obtaining the real identity of the person involved (direct identifier) alongside a person's preferences (indirect identifier), corporations are able to continue profiting from our most sensitive information. For instance, a website that asks supposedly "anonymous" users for seemingly trivial information about themselves may be able to use that information to make a unique profile for an individual.
(Score: 5, Informative) by pTamok on Sunday November 12 2023, @03:04PM (5 children)
The GDPR is very clear about what constitutes personal data, but I suspect a lot of people misinterpret it, either through ignorance, or through wilful misinterpretation.
Unfortunately, the EU publishes its legal texts in ways that make them difficult to quickly get an overview of, but the official text, in English, is here:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [europa.eu]
There are other sites that have easier URLs:
1) An EU site: European Commission: What is personal data? [europa.eu]
2) An EU funded site, set up by Proton AG: Complete guide to GDPR compliance: General Data Protection Regulation (GDPR): Article 4 : Definitions
3) An independent site: Intersoft Consulting: Article 4 Definitions [gdpr-info.eu]
The EU site gives a comprehensive and detailed answer with links to legislation. It's not just GDPR Article 4.
But if you take GDPR Article 4, the definition of personal data is given as:
I've highlighted 'or indirectly'
The EU website clarifies further:
I've highlighted a few points.
If a person can be identified by combining different sets of records, those records constitute personal data.
It is clear; and ignored for convenience by huge numbers of people and organisations, because following the GDPR properly is hard.
(Score: 3, Informative) by Runaway1956 on Sunday November 12 2023, @03:46PM (2 children)
It may be worth remembering IBM's contribution to the holocaust. They made it possible to categorize and deanonymize and track millions of people. The Nazis were truly grateful for that contribution.
A MAN Just Won a Gold Medal for Punching a Woman in the Face
(Score: 5, Insightful) by pTamok on Sunday November 12 2023, @04:06PM
There were many contributors, both witting and unwitting.
The pre-war Dutch government helped, by keeping good records of the religion of people living in the Netherlands. Was it necessary? Who knows, But it allowed the German invading force to quickly single out that sector of the population. The Dutch resistance tried to destroy records [wikipedia.org].
It's a good example of what happens when you allow a benign government to keep apparently benign records. You never know when a regime might change, and innocuous behaviour before the change becomes a liability. Anyone with a university degree was targetted in Cambodia when Pol Pot achieved power [wikipedia.org].
A good rule of thumb is to collect as little data as possible to do what you need, and destroy it as soon as possible afterwards. Having data hand around is a liability. Only collect what is necessary, and keep it for a short a time as possible.
Meanwhile, modern practices appear to be 'collect it all'; generate a central ID database linked to all your government records; keep for as long as possible.
What could possibly go wrong?
The point is not whether you trust the current data collectors to 'do no evil', but what about the possible future inheritors of that data, who you don't know. If someone wanted to use it in the least benign way possible, would you be worried?
(Score: 5, Interesting) by pTamok on Sunday November 12 2023, @07:35PM
Oh, and while I am at it.
The Nazis. Or, to give the full name of the political party the Nationalsozialistische Deutsche Arbeiterpartei (NSDAP - The National Socialist German Worker's Party). In the free-ish* elections of July 1932, they got 37.2% of the vote on a turnout of 84.1% of the electorate. The Nazis were not a tiny minority - it's 31% of the electorate. Note that President Trump, in the 2016 Presidential elections, got the vote of 27.3% of the electorate.
If, as a German, you think the Nazis were bad for Germany, you can see that voting for them, even if holding your nose 'for want of a better candidate' didn't necessarily give you the result you wanted. It's clear that voting counts, unless you want decision to be made by a minority you didn't vote for, and don't necessarily agree with; and it is a good idea to vote for candidates that aren't simply popular demagogues. Not voting isn't 'sending a message' - it's giving power to people you actively disagree with. Use your vote wisely. Please.
*There was a fair amount of voter intimidation.
(Score: 4, Informative) by captain normal on Sunday November 12 2023, @09:27PM (1 child)
".. following the GDPR properly is hard."
Are you talking about hard for the common user who has to click through a custom cookie banner before a site will load properly? Or are you talking about hard for the web designers, ad trolls and ISPs trying to load up the common person's device with third party cookies, tracking cookies, supercookies, Zombie cookies and Flash cookies in order hide from likes of the EU cookie law, the PECR, CCPA and the LGPD.
It's all really as simple as outlawing any cookie other than a cookie that identifies an individual only on a site that they have signed up for.
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 2, Informative) by pTamok on Monday November 13 2023, @02:39AM
No, it's hard to handle personal data properly. It's inconvenient, and the restrictions make processing personal data an exercise in superlative data administration within the rules, which few organisations do well. It is a lot easier to ignore the regulations than follow them, and the fines for non-compliance are pitifully small.
Now, if individual users got a bounty of a non-trivial amount for each breach of the GDPR in handling their personal data, there would be a strong incentive for individuals to audit the use of their data; and a strong incentive for organisations to do things properly. As it is, even blatant breaches of the GDPR elicit a 'strongly worded letter' form the regulator. There are very, very few fines handed out - take a look: The CMS.Law GDPR Enforcement Tracker is an overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties. [enforcementtracker.com]