UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com) 120
An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.
Privacy researchers express concerns... (Score:2)
Well, they'll just have to work, anonymously...
Re: (Score:2)
If the UK wants to make network research illegal, find a nation that fully supports science and that respects academic publication.
Re: (Score:2)
find a nation that fully supports science and that respects academic publication.
On this planet?
Re: (Score:2)
Only to consider a ban using some of the network skills?
Some of the very best AV and malware security researchers seem to still be doing ok in other nations?
If the UK wants to only allow the gov and mil to do internet research?
People with a good UK university education that the UK gov no longer wants or supports?
Find a nation that still respects academic research.
Re: (Score:2)
Shhh, it's only a trick to get them into data centres, when ever they want, for what ever reason they want and also it's part of the leverage to force local storage only of local data, no data export and deletion. See, extra sneaky, now all the data will be there for them to get in to see, what ever they want to see it, with the claims of data audit. So the law is kind of rough and ready because it's the wedge in, rather than a law of it's own. The privacy rights of citizens must be protected in the digital
Re: (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
Some of the very best AV and malware security researchers seem to still be doing ok in other nations?
We don't know that. *Seem to be* isn't a valid criteria. Maybe I'll believe it when pirate bay finds an invincible fortress for their servers.
Find a nation that still respects academic research.
Alright already! Name a single one...
Disempowers the masses (Score:3, Insightful)
The extreme focus on privacy disempowers ordinary people from making their on inquiries. And strongly contrasts with the total access demanded by government. Combined with censorship of the web which has become a major form of communication, this shifts the balance of power away from the common man towards government bureaucrats.
Re:Disempowers the masses (Score:4, Insightful)
And anyway, it mostly just makes beneficial security research harder, while doing nothing to protect privacy (since criminals and governments will just do this anyway).
All they really want to do is punish ordinary people when they discover embarrassing things about politicians using public data. Everything else is just hot air.
Re: (Score:3)
How exactly can collecting user names from data be used for beneficial security research? Security research is fine with anonymous data, re-identification is only interesting for advertisers.
Also, your logic is very cute because it works for basically everything. I mean, why forbid murder/rape/whatever, criminals and government will just do this anyway.
Re: Disempowers the masses (Score:2)
Your analogy fails badly. Where is the harm when someone is de-anonymized? Other laws already prohibit publication of private information, defamation, and other bad uses of the unmasked data. It doesn't seem to me that de-anonymization itself causes any harm, whereas the harm is obvious for murder, rape, theft, and so forth.
Re: (Score:2)
You can ask people in witness protection where the harm is. Just to give you an obvious example. Privacy is very important in the modern always connected world.
Re: Disempowers the masses (Score:2)
That is, frankly, pants-on-head stupid. This law isn't about lists of people in witness protection programs, and it isn't limited to protecting their status as witnesses.
Re: Disempowers the masses (Score:4, Insightful)
The law is about all people who don't want unneeded intrusion in their lives. Americans don't get it and this is why they get dozens of robocalls a week. I get one a year in worst case.
Re: Disempowers the masses (Score:2)
What are you saying? That the only way you (Europeans) are protected from robocalls is that it has been made illegal to talk about weaknesses in data anonymization?
Robocalls are a problem in the US mostly because of the First Amendment, not because it's legal to talk about how to de-anonymize a data set.
Re: (Score:2)
Robocalls are a problem in the US mostly because of the First Amendment
Not really. There are laws restricting robocalls in the US. The reason they remain a problem is that those laws are extremely hard to enforce.
Re: (Score:2)
"Because the bad actors aren't going to care that it's against the law to de-anonymize." Are you absolutely sure about that. I've heard a few people, rich people even, telling me that criminals will stop selling guns to each other in the US if only US law would require permission from the government before any gun is sold. I don't see this de-anonymizing thing being any different.
Yes, people really are that stupid and it is not generally the ones that voted against Hillary and others of a similar ilk.
Re: (Score:2)
Where is the harm when someone is de-anonymized?
Depends on the data. Could be blackmail, for instance, or an increase in insurance premiums.
Re: Disempowers the masses (Score:2)
My point, which was apparently too subtle for you, was that those harms come from how the unmasked data is used, not from the mere unmasking, and much less from the disclosure of weaknesses in the masking procedures.
Re: (Score:2)
Fair point. It's not 'for nought' though - it would prohibit some things which are currently legal. Research, say. (Whether academic research, or market research.)
Re: (Score:2)
Where is the harm when someone is de-anonymized?
Have we really degenerated to the point where it's only valid to assert personal rights if you can show there is harm involved if they aren't asserted?
Re: Disempowers the masses (Score:2)
Which personal right are you referring to? This is data that is already in the hands of someone else. They've just somehow masked bits of it.
Re: (Score:2)
No, it just doesn't go far enough. it is not enough to simply tell people they can't do something because bad people will ignore that. We need to pass laws that tell us we cannot even think about doing something bad and then people will start to follow the law.
Re: (Score:2)
Nonsense. It empowers them. Remember this only applies to systematic reversal of implied privacy, not manual. Also it is already illegal in the EU, this seems to just a UK backup law for once the leave the protection of EU privacy laws.
Re: (Score:3)
Your assumption that the views of the parent are leftist do more to betray your own ideology than cast any light on the author.
Meanwhile, the lack of technical content and complete lack of reasoning in your narrative, mixed with declarative rhetorical statements strongly suggests that the Conservatives suit you down to the ground.
Regardless, and in light of your fascination with politics, I strongly recommend you read Jonathon Haidt's well-received book "The Righteous Mind: Why Good People are Divided by Po
Re: (Score:1)
With all due respect, having written that opening paragraph you could scarcely proceed to pen the next without exposing yourself to a charge of hypocrisy. Your objection to a party making good on its election promises, however, is noted. To put invective to one side and proceed to matters of substance ...
As for the business of criminalising reversing anonymisation ...
At the risk of drifting off-topic, I was not addressing that point in pa
Re: (Score:2)
This isn't about privacy really, it's to help facilitate business. The government sees big data as a growth area, but there are legal problems with sharing the data. By making de-anonymization illegal they can give their usual "don't worry, safeguards are in place" message and then let the orgy of personal data mining commence.
In other words, it's actually anti-privacy.
Re: (Score:2)
Thanks for the book ref. From the wiki summary it sounds similar to the issue that, as minds develop, they take on the habit of looking at multiple perspectives (and some psychologists/philosophers call this "vision-logic"), where no one perspective is right or wrong, so what you do is take as many perspectives as you can, and then integrate them (so arriving at a more useful perspective -- rather than postmodernism which gets stuck in, "well if all perspectives could be taken, then none are true, and so th
Make being bad unlawful... (Score:3)
Let's just criminalize being bad in general, since it seems these politicians think it'll solve all the problems in the world.
A law is useless if there is no way to enforce it.
Murder, Rape and Larceny (Score:1)
Let's just criminalize being bad in general
Yup, that's kinda the whole idea of the criminal law.
Re: (Score:3)
It seems to be a common misunderstanding, that laws are there to stop people from doing things; they aren't. The laws are meant to be:
- a toolset for for the police and the courts: under the rule of law, the police and judges can only act as the law prescribes. This means they cannot arrest people on a whim, at least in principle, and a judge cannot pronounce a sentence that is contrary to the law.
- a ruleset to guide everybody, when they are in doubt. Most of the time, people know what is right and don't n
Re: (Score:2)
Wait, we are not allowed to discuss whether doing something is good or bad or both depending on what happens after that something unless we pass a law imposing an infinite fine for doing the first something first?
When was the law passed that made it illegal to pass a law about de-anonymizing so that we could debate passing the de-anonymizing law?
Re: (Score:2)
Why would it be impossible to enforce?
Laws like this are usually designed so that people can whistleblow or interested parties (like journalists) who discover evidence of de-anonymization can present evidence to the police, who can investigate. It's similar to other data protection laws, which generally don't involve inspections but where infractions are still regularly detected and punished.
In this case they are targeting companies that abuse anonymized data for profit, which can be quite difficult to hide
Re: (Score:2)
Except (Score:2)
Except for the government, of course.
Re: (Score:2)
Except for the government, of course.
Nope, except for manual cases. Which means it can be done with warrent.
If it's possible to re-identify... (Score:1)
...then it's not anonymous data. How about make it illegal to collect enough info to make connecting the dots even possible?
What the what? (Score:5, Insightful)
There is this persistent undercurrent from governments that security researchers are the enemies. As if weaknesses don't exist until someone points them out. The apparent opinion is that we'd be safer if only people weren't free to point out the flaws in the system. The actual reality is the reverse.
Re: (Score:1)
You seem to believe that the proposed law is meant to protect privacy. Given the often and loudly expressed views of the current UK government, it seems far more likely that weakening privacy protection by banning pointing out flaws is the actual purpose, with the rest being obfuscating fluff added because no one could figure out how to spin it as an anti-terrorist measure.
Re: (Score:3)
Given the fun everybody is having shouting at each other about how leftist SJW are going to die and the alt-right are ignorant swine it is refreshing to find the most significant comment buried down here in the noise. Of course the purpose is to prevent any research into potential government methods in identifying opponents. The government is often accused of being stupid and ignorant of the function and behavior of the internet and its inhabitants. Nothing could be further from the truth, they understand i
If it weren't for those meddling kids... (Score:2)
...and their dog too. Oh, if only there was a law to make uncovering illegal.
UK is confused (Score:1)
Re: (Score:2)
The days of passive nation wide collect it all is over.
The security services will be moving down networks and into networks at a user level.
What happened when AV or malware detection starts getting too smart at reporting back about all detected network issues in real time?
Suddenly the security services need a unique ip rage for all the interesting people they are trying to watch?
Re-identification done with enough funding and skill might show contractors for the
Like ROT-13 is encryption (Score:5, Insightful)
The biggest problem I see with this is that it flips the responsibility over to the one who says the emperor has no clothes. While it is difficult to create truly anonymous data and it would be nice to stop large law-abiding companies from trying to break down any compartmentalization you've done, I fear the effect will be quite the opposite. Because now if you call anyone out on poor anonymization it must be because you've tried exactly what this law prohibits, so white hats will be silenced. The companies will get lazier, because it's cheaper. And the black hats will have a field day with it.
So I can do it, and use it for evil... (Score:3, Funny)
So I can do it, and use it for evil... so long as the UK government doesn't find out about it?
Got it.
So when I write that paper on "de-anonymization made easy", all I have to do is anonymize my authorship of the paper, and I'll be safe, because the U.K. government won't break their own laws ... correct?
Re: (Score:1)
I don't get why people make these kind of posts - its not as if a government being exempt from a lot of domestic laws is a new thing, so why wouldn't they be able to investigate your breach of this law? Its like saying that the police cannot legally detain you, because thats illegal for you to do to someone else.
This is another thing they can charge you with when they arrest you, thats it.
Re: So I can do it, and use it for evil... (Score:2)
When the government exempts itself from the laws that it applies to other people, that's a pretty strong clue that those laws are unjust.
Re: (Score:2)
The police aren't supposed to shoot you dead, but they do on occasion murder people anyway.
It would be unfortunate if you had a concealed weapon on you during a police raid, and you had to die because of it.
Re: (Score:2)
Yes, like all laws you can get away with breaking them if your crime is not detected.
And no, the government has given itself specific exemptions, e.g. for the police and security services, so the law doesn't apply to it when investigating you.
Hide it under the carpet? (Score:1)
Anonymized data is fake anonimized. They leave enough selectors in the data to simply match it to the person.
The crime here is the disclosure of personal data fake-anonymized.
Making it a crime, won't stop an attacker (e.g. Putin) from deanoymizing data (e.g. MP's surfing habits, their research, their family data) from fake anonymized sources.
Another "Amazon" Law (Score:5, Interesting)
I interviewed with Amazon a few years ago and, coming from Cisco, their engineers were very keen to pick my brains on how to identify individuals using network trickery.
It was very obvious during the interview that this was their holy grail, the identification of individuals for targeted marketing particularly in the EU/UK where stiff laws on cookie usage had recently come into effect.
One wonders if this too is another political swipe at Amazon?
It's certainly not in the public interest what with the UK Gov's repeated statement of war on person encryption.
Thoughtcrime (Score:2)
This is basically a thought crime.... Banning the Mining and Analysis of data from multiple sources in order to derive more facts about an event or piece of information?
Re: (Score:3)
No. Thought crime does not mean what you think it means.
Thought crime refers to the practice of making thoughts themselves illegal, not actions. You are arrested not for protesting but instead for not applauding the dear leader and telling him how great he is.
In this case, if they made it illegal for you to know HOW to de-anonymize, that would be a thought crime. But this law does not do that, it criminalizes acting on those thoughts, something very different.
Re: (Score:2)
if you are sufficiently smart, it criminalizes looking at a bunch of data and thinking about it hard.
The set of sufficiently smart people is likely to be empty in most cases, but I don't think there's a lower bound on the quality of the anonymization.
Re: (Score:2)
Thought crime refers to the practice of making thoughts themselves illegal, not actions.
Right.... And de-anonymizing someone is a thought process. CAUSING IT TO BE KNOWN TO YOU the author behind an anonymized record.
The action of gathering, analyzing, and writing facts down is not otherwise capable of being a crime.
My understanding is if you analyze some data through whatever method, and the police interview you, and you admit that you KNOW or have thought out the real name of the person behind a
Re: (Score:2)
You continue to mistake the evidence for the crime.
This law makes it illegal to use the de-anonymizer software, an action not knowledge. The knowledge itself is not a crime, it is merely evidence.
Here is a current law, existing similarlity.
It is the equivalent of making it illegal to use a password cracker, rather than making it illegal to know someone else's password.
There is no difference between this and the identity laws being considered.
The knowledge of the people's identities is merely proof that the
Re: (Score:2)
And de-anonymizing someone is a thought process
For you perhaps. Most of us mere mortals would use computers and data processing (specifically to be criminalised in the proposed legislation).
CAUSING IT TO BE KNOWN TO YOU
There mere fact of an identity becoming, by the unaided powers of mental deduction, known to you is unlikely of itself to attract any liability. Don't fear ... you're safe Sherlock. ;)
You may, however, commit an offence were you actually to identify (i.e. publish the identity of) any
Police state UK (Score:1)
So UK wants to expand its plethora of persecution powers.. ..what crime is this criminalization really about, and are they just making shit up? No, this seems to be a rule. A behavior modification.
I suspect that UK is NOT into privacy rights, but instead, is into policing secrecy, or more to the point, enforcing persecution powers and scheming to control society. Making me think this is just some police state bs.
This might be a problem for Facebook... (Score:3, Interesting)
Re: (Score:1)
Don't upmod. Look at the damn link. It's an obfuscated affiliate link, again.
This is against the terms of use and the CFAA. It's a damn redirection attack. This user really needs to be banned.
Re: (Score:2)
I've long been interested in fighting back by poisoning these commercial databases with fake profiles and misinformation, but it's hard to know what is effective because it's all trade secrets.
If a company you target goes bust, it's very hard to know if it was because their database became worthless due to pollution or if they were just incompetent or had a worthless product.
Re: (Score:2)
From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" [slashdot.org] by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously.
At already is, this has already been illegal in all of the EU for 20 years. This is just a UK specific version of it. So nothing really changes.
"despite leaving the European Union" (Score:1)
The UK is still a full member of the EU. We're not due to leave for at least another 18 months, assuming it doesn't get delayed, or the decision to leave reversed.
Irony (Score:3)
And just the other day, the head of GCHQ was complaining that he couldn't hire hackers with previous experience and that the schools weren't turning out students who knew how to do unexpected things with computers.
This has the usual issue (Score:2)
Re: (Score:2)
Americans simply don't get privacy, preferring to jizz over their firearm and free speech laws instead.
Your example is stupid because
1) France and Ireland both have reasonably strong privacy laws.
2) Advertisers that have a business in the UK who would target a UK citizen using re-identified data, would break the law, hence even if they had re-identified a UK user abroad, this data would not do them any good.
On her Majesty's secret service ... (Score:1)
... this is actively used to identify persons of interest. So criminalize re-identification of anonymized user data would become a state privilege?
'despite leaving the EU' (Score:3, Informative)
We haven't left yet. We won't leave til 2019 at the earliest.
You can tell this is an American site (Score:5, Informative)
"Recently, despite leaving the European Union"
Fucking ignoranace at the highest level
Re: (Score:1)
Criminalizaing showing vulnerabilies? (Score:2)
It may sound far fetched, but what other sane reason would you try to prevent people finding weakness, thus enabling them to be fixed? Unless this is a conspiracy to keep "backdoors" in the process of anonymizing data, it's just encouraging people to find those vulnerable points and NOT report them. Hackers much be laughing their butts off.
How. Literally how. (Score:2)
If someone posts something on-line and it contains enough information to make identification likely if not probably, how is a third party reading it somehow culpable for making an elementary inference or deduction?
Moreover, are they seriously going make illegal the cross referencing of public information?
Re: (Score:2)
It's a "don't-peek" law I guess.
I like it. It needs a clause to exempt all attempts to break the anonymization "by any party for the purpose of research into anonymization and the validation of strength of anonymization itself" so as to ensure re-identification to identify (and retention of re-identified data) is an offense whereas re-identification to show that it can be done and how is perfectly-legal.
Is there anything the UK won't try to criminalize? (Score:2)
This is why (Score:2)
Any time someone talks about how some data collection is OK because it's "anonymized", the only logically correct reaction is laughter.
Modern databases and analytics has ensured that it is literally impossible to effectively anonymize data while still retaining the usefulness of the data.
uh oh (Score:1)
How is the government supposed to help the democratic process?
Why can't we build wonderful countries like Venezuela?
Brilliant idea! (Score:2)
Now the crooks can continue doing what they're doing unimpeded, meanwhile security professionals get their hands tied behinds their backs and anonymization techniques can be used regardless of how flaws they are.
I have this great method for anoymization, based on the tried and true ROT13 encryption algorithm. And if anyone cracks it, I can lay charges instead of wasting time wondering if my entire process is horribly broken.
How odd... (Score:2)
Let me think this out a minute.
Someone points out that something can be done by criminals and should be fixed.
So you make it illegal for them to point it out?
Is that kind of like making it illegal to speak up about 'the emperor's new cloths'(https://en.wikipedia.org/wiki/The_Emperor%27s_New_Clothes).
seriously, let's make it illegal then only criminals can do it.
(I guess it makes it easier for the black ops guys that you own ) .
Good Concept, Backdoored Implementation (Score:2)
Prohibiting re-identification for profit, political, etc purposes is an excellent idea. I was actually excited when I saw the headline.
But if they block researchers and disclosure of methods, then how will anyone ever know if re-identification is happening or even possible? How could we assess the risk of re-identification by malicious actors? What can we do to protect our personal privacy, our users, and our networks without detailed technical information?
The proposed law may protect citizens from corporat
tearing a page from the Hermit Kingdom (Score:2)
Tear a page from the Hermit Kingdom, and what you end up building will have the same level of intrinsic merit: a privacy shroud that could be broken by an ambitious elementary school kid.
I, for one, welcome our new mules.
This is a GOOD idea (Score:1)
I am a privacy researcher.
Aside from the "not even research is allowed" bit, this is a good idea.
Currently most people believe anonymisation is possible. Just the noise around this law might help most policymakers understand that the real question is 'for how long do we believe we can make this anonymous'.
This post almost feels like a hit job: the idea is placed in a very negative light with a lot and mostly negative comments straight away.
You'd think the people on Slashdot would also understand the problem
Re: (Score:3)
Why is UK law relentlessly criminalizing everything except actual criminality? One of the major things the UK does criminalize is fighting back against criminals. Small wonder that gangs of kids on mopeds are ripping down London's sidewalks, snatching phones, purses and briefcases from pedestrians - and there's nothing that people can do about them.
Re:Does the "UK" not realize this is their problem (Score:5, Insightful)
Guess you guys shouldn't have given up your guns, eh?
I'll never be able to figure out how liberals think gun ownership is pointless when you have a police force (actual US supreme court justice dissenting opinion in D.C. v Heller), but at the same time think the police force is inept and the bastion of racism and sexism.
Which is it? Can we depend on them or not? Why would you take all the guns away from people, and then give them to the people accused of shooting blacks for fun? Wouldn't it make more sense to give citizens the right to defend themselves--even from corrupt cops and corrupt "institutions"?
Re: (Score:2)
Why is UK law relentlessly criminalizing everything except actual criminality?
Fraud isn't criminality?
If I agree to share personal data because I was told it was anonymized, and it is later de-anonymized, I have been defrauded.