New on SSRN
There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33.
Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,”
Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.
Michael Froomkin has posted a draft of “Government Data Breaches.”
This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation.
For additional perspectives, please see comments, response by Paul Ohm, and additional remarks on the first paper at:
http://ehip.blogs.com/ehip/2009/08/has-there-been-a-failure-of-anonymization.html
I think the case is not as strong as it initially seems.
Adam,
Thank you for the link to my paper.
Khaled,
I thank you for the opportunity to have a polite exchange about the strength of my work on your blog, but I’m a little less impressed with your blithe summary here: “the case is not as strong as it initially seems.” In fact, on our exchange on your blog, you cite much more support for my thesis than refutation. For refutation, you continue to point to one paper you have co-authored summarizing a series of k-anonymity techniques–the very techniques that some of the recent reidentification research have cast doubt on.
And I know from your post, response, and our private phone conversation that you in fact agree with almost all of what I have said in my paper, and with the heart of my analysis in particular: many data custodians do a woeful job anonymizing; these data custodians nevertheless place great faith in their ability to protect privacy; legislators and regulators are ill-informed about the weaknesses of many anonymization techniques; the concept of PII is flawed; a risk-assessment strategy is the best prescription in light of all of these changes.
So I’m awfully puzzled at how we could have such a good, nuanced, careful back-and-forth exchanges which you then summarize with such relative carelessness.
To everybody else, please read my paper and the exchange with Khaled, and make up your minds for yourself.