Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Crime United Kingdom EU Government Privacy Security Your Rights Online

UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com) 120

An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.
This discussion has been archived. No new comments can be posted.

UK Wants To Criminalize Re-Identification of Anonymized User Data

Comments Filter:
  • Well, they'll just have to work, anonymously...

    • by AHuxley ( 892839 )
      Lots of other nations would be happy to have UK experts work with them and sell better AV products.
      If the UK wants to make network research illegal, find a nation that fully supports science and that respects academic publication.
      • find a nation that fully supports science and that respects academic publication.

        On this planet?

        • by AHuxley ( 892839 )
          The UK spent so much of its budget on computers, maths and science education over the last decades.
          Only to consider a ban using some of the network skills?
          Some of the very best AV and malware security researchers seem to still be doing ok in other nations?
          If the UK wants to only allow the gov and mil to do internet research?
          People with a good UK university education that the UK gov no longer wants or supports?
          Find a nation that still respects academic research.
          • by rtb61 ( 674572 )

            Shhh, it's only a trick to get them into data centres, when ever they want, for what ever reason they want and also it's part of the leverage to force local storage only of local data, no data export and deletion. See, extra sneaky, now all the data will be there for them to get in to see, what ever they want to see it, with the claims of data audit. So the law is kind of rough and ready because it's the wedge in, rather than a law of it's own. The privacy rights of citizens must be protected in the digital

          • Some of the very best AV and malware security researchers seem to still be doing ok in other nations?

            We don't know that. *Seem to be* isn't a valid criteria. Maybe I'll believe it when pirate bay finds an invincible fortress for their servers.

            Find a nation that still respects academic research.

            Alright already! Name a single one...

  • by aberglas ( 991072 ) on Wednesday August 09, 2017 @10:18PM (#54980599)

    The extreme focus on privacy disempowers ordinary people from making their on inquiries. And strongly contrasts with the total access demanded by government. Combined with censorship of the web which has become a major form of communication, this shifts the balance of power away from the common man towards government bureaucrats.

    • by Anonymous Coward on Wednesday August 09, 2017 @11:19PM (#54980833)

      And anyway, it mostly just makes beneficial security research harder, while doing nothing to protect privacy (since criminals and governments will just do this anyway).

      All they really want to do is punish ordinary people when they discover embarrassing things about politicians using public data. Everything else is just hot air.

      • How exactly can collecting user names from data be used for beneficial security research? Security research is fine with anonymous data, re-identification is only interesting for advertisers.

        Also, your logic is very cute because it works for basically everything. I mean, why forbid murder/rape/whatever, criminals and government will just do this anyway.

        • Your analogy fails badly. Where is the harm when someone is de-anonymized? Other laws already prohibit publication of private information, defamation, and other bad uses of the unmasked data. It doesn't seem to me that de-anonymization itself causes any harm, whereas the harm is obvious for murder, rape, theft, and so forth.

          • You can ask people in witness protection where the harm is. Just to give you an obvious example. Privacy is very important in the modern always connected world.

            • That is, frankly, pants-on-head stupid. This law isn't about lists of people in witness protection programs, and it isn't limited to protecting their status as witnesses.

              • by dunkelfalke ( 91624 ) on Thursday August 10, 2017 @08:27AM (#54982291)

                The law is about all people who don't want unneeded intrusion in their lives. Americans don't get it and this is why they get dozens of robocalls a week. I get one a year in worst case.

                • What are you saying? That the only way you (Europeans) are protected from robocalls is that it has been made illegal to talk about weaknesses in data anonymization?

                  Robocalls are a problem in the US mostly because of the First Amendment, not because it's legal to talk about how to de-anonymize a data set.

                  • Robocalls are a problem in the US mostly because of the First Amendment

                    Not really. There are laws restricting robocalls in the US. The reason they remain a problem is that those laws are extremely hard to enforce.

          • Where is the harm when someone is de-anonymized?

            Depends on the data. Could be blackmail, for instance, or an increase in insurance premiums.

            • My point, which was apparently too subtle for you, was that those harms come from how the unmasked data is used, not from the mere unmasking, and much less from the disclosure of weaknesses in the masking procedures.

              • Fair point. It's not 'for nought' though - it would prohibit some things which are currently legal. Research, say. (Whether academic research, or market research.)

          • Where is the harm when someone is de-anonymized?

            Have we really degenerated to the point where it's only valid to assert personal rights if you can show there is harm involved if they aren't asserted?

    • Nonsense. It empowers them. Remember this only applies to systematic reversal of implied privacy, not manual. Also it is already illegal in the EU, this seems to just a UK backup law for once the leave the protection of EU privacy laws.

  • by XSportSeeker ( 4641865 ) on Wednesday August 09, 2017 @10:20PM (#54980603)

    Let's just criminalize being bad in general, since it seems these politicians think it'll solve all the problems in the world.

    A law is useless if there is no way to enforce it.

    • by Anonymous Coward

      Let's just criminalize being bad in general

      Yup, that's kinda the whole idea of the criminal law.

    • It seems to be a common misunderstanding, that laws are there to stop people from doing things; they aren't. The laws are meant to be:

      - a toolset for for the police and the courts: under the rule of law, the police and judges can only act as the law prescribes. This means they cannot arrest people on a whim, at least in principle, and a judge cannot pronounce a sentence that is contrary to the law.

      - a ruleset to guide everybody, when they are in doubt. Most of the time, people know what is right and don't n

      • Wait, we are not allowed to discuss whether doing something is good or bad or both depending on what happens after that something unless we pass a law imposing an infinite fine for doing the first something first?

        When was the law passed that made it illegal to pass a law about de-anonymizing so that we could debate passing the de-anonymizing law?

    • by AmiMoJo ( 196126 )

      Why would it be impossible to enforce?

      Laws like this are usually designed so that people can whistleblow or interested parties (like journalists) who discover evidence of de-anonymization can present evidence to the police, who can investigate. It's similar to other data protection laws, which generally don't involve inspections but where infractions are still regularly detected and punished.

      In this case they are targeting companies that abuse anonymized data for profit, which can be quite difficult to hide

    • Worse than that, it inspires cynicism and disrespect for government as a whole.
  • Except for the government, of course.

    • Except for the government, of course.

      Nope, except for manual cases. Which means it can be done with warrent.

  • by Anonymous Coward

    ...then it's not anonymous data. How about make it illegal to collect enough info to make connecting the dots even possible?

  • What the what? (Score:5, Insightful)

    by Anonymous Coward on Wednesday August 09, 2017 @10:39PM (#54980679)

    . As an extension, the UK wants to to ban re-identification...or pointing out the weakness of the used anonymisation process.

    There is this persistent undercurrent from governments that security researchers are the enemies. As if weaknesses don't exist until someone points them out. The apparent opinion is that we'd be safer if only people weren't free to point out the flaws in the system. The actual reality is the reverse.

    • by Anonymous Coward

      You seem to believe that the proposed law is meant to protect privacy. Given the often and loudly expressed views of the current UK government, it seems far more likely that weakening privacy protection by banning pointing out flaws is the actual purpose, with the rest being obfuscating fluff added because no one could figure out how to spin it as an anti-terrorist measure.

      • Given the fun everybody is having shouting at each other about how leftist SJW are going to die and the alt-right are ignorant swine it is refreshing to find the most significant comment buried down here in the noise. Of course the purpose is to prevent any research into potential government methods in identifying opponents. The government is often accused of being stupid and ignorant of the function and behavior of the internet and its inhabitants. Nothing could be further from the truth, they understand i

    • ...and their dog too. Oh, if only there was a law to make uncovering illegal.

  • On the one hand they want to ruin encryption, spy on everyone on the internet, censor the living hell out of everything, and there's no end to how many cameras they install all over the place. On the other hand there's this. Make up your mind, UK.
    • by AHuxley ( 892839 )
      Could be to protect the new GCHQ methods?
      The days of passive nation wide collect it all is over.
      The security services will be moving down networks and into networks at a user level.
      What happened when AV or malware detection starts getting too smart at reporting back about all detected network issues in real time?
      Suddenly the security services need a unique ip rage for all the interesting people they are trying to watch?
      Re-identification done with enough funding and skill might show contractors for the
  • by Kjella ( 173770 ) on Wednesday August 09, 2017 @10:48PM (#54980709) Homepage

    The biggest problem I see with this is that it flips the responsibility over to the one who says the emperor has no clothes. While it is difficult to create truly anonymous data and it would be nice to stop large law-abiding companies from trying to break down any compartmentalization you've done, I fear the effect will be quite the opposite. Because now if you call anyone out on poor anonymization it must be because you've tried exactly what this law prohibits, so white hats will be silenced. The companies will get lazier, because it's cheaper. And the black hats will have a field day with it.

  • by tlambert ( 566799 ) on Wednesday August 09, 2017 @10:59PM (#54980749)

    So I can do it, and use it for evil... so long as the UK government doesn't find out about it?

    Got it.

    So when I write that paper on "de-anonymization made easy", all I have to do is anonymize my authorship of the paper, and I'll be safe, because the U.K. government won't break their own laws ... correct?

    • I don't get why people make these kind of posts - its not as if a government being exempt from a lot of domestic laws is a new thing, so why wouldn't they be able to investigate your breach of this law? Its like saying that the police cannot legally detain you, because thats illegal for you to do to someone else.

      This is another thing they can charge you with when they arrest you, thats it.

    • The police aren't supposed to shoot you dead, but they do on occasion murder people anyway.

      It would be unfortunate if you had a concealed weapon on you during a police raid, and you had to die because of it.

    • by AmiMoJo ( 196126 )

      Yes, like all laws you can get away with breaking them if your crime is not detected.

      And no, the government has given itself specific exemptions, e.g. for the police and security services, so the law doesn't apply to it when investigating you.

  • by Anonymous Coward

    Anonymized data is fake anonimized. They leave enough selectors in the data to simply match it to the person.

    The crime here is the disclosure of personal data fake-anonymized.

    Making it a crime, won't stop an attacker (e.g. Putin) from deanoymizing data (e.g. MP's surfing habits, their research, their family data) from fake anonymized sources.

  • Another "Amazon" Law (Score:5, Interesting)

    by seoras ( 147590 ) on Wednesday August 09, 2017 @11:55PM (#54980969)

    I interviewed with Amazon a few years ago and, coming from Cisco, their engineers were very keen to pick my brains on how to identify individuals using network trickery.
    It was very obvious during the interview that this was their holy grail, the identification of individuals for targeted marketing particularly in the EU/UK where stiff laws on cookie usage had recently come into effect.
    One wonders if this too is another political swipe at Amazon?
    It's certainly not in the public interest what with the UK Gov's repeated statement of war on person encryption.

  • This is basically a thought crime.... Banning the Mining and Analysis of data from multiple sources in order to derive more facts about an event or piece of information?

    • No. Thought crime does not mean what you think it means.

      Thought crime refers to the practice of making thoughts themselves illegal, not actions. You are arrested not for protesting but instead for not applauding the dear leader and telling him how great he is.

      In this case, if they made it illegal for you to know HOW to de-anonymize, that would be a thought crime. But this law does not do that, it criminalizes acting on those thoughts, something very different.

      • by amorsen ( 7485 )

        if you are sufficiently smart, it criminalizes looking at a bunch of data and thinking about it hard.

        The set of sufficiently smart people is likely to be empty in most cases, but I don't think there's a lower bound on the quality of the anonymization.

      • by mysidia ( 191772 )

        Thought crime refers to the practice of making thoughts themselves illegal, not actions.

        Right.... And de-anonymizing someone is a thought process. CAUSING IT TO BE KNOWN TO YOU the author behind an anonymized record.

        The action of gathering, analyzing, and writing facts down is not otherwise capable of being a crime.

        My understanding is if you analyze some data through whatever method, and the police interview you, and you admit that you KNOW or have thought out the real name of the person behind a

        • You continue to mistake the evidence for the crime.

          This law makes it illegal to use the de-anonymizer software, an action not knowledge. The knowledge itself is not a crime, it is merely evidence.

          Here is a current law, existing similarlity.

          It is the equivalent of making it illegal to use a password cracker, rather than making it illegal to know someone else's password.

          There is no difference between this and the identity laws being considered.

          The knowledge of the people's identities is merely proof that the

        • And de-anonymizing someone is a thought process

          For you perhaps. Most of us mere mortals would use computers and data processing (specifically to be criminalised in the proposed legislation).


          There mere fact of an identity becoming, by the unaided powers of mental deduction, known to you is unlikely of itself to attract any liability. Don't fear ... you're safe Sherlock. ;)

          You may, however, commit an offence were you actually to identify (i.e. publish the identity of) any

  • by Anonymous Coward

    So UK wants to expand its plethora of persecution powers.. ..what crime is this criminalization really about, and are they just making shit up? No, this seems to be a rule. A behavior modification.

    I suspect that UK is NOT into privacy rights, but instead, is into policing secrecy, or more to the point, enforcing persecution powers and scheming to control society. Making me think this is just some police state bs.

  • by __aaclcg7560 ( 824291 ) on Thursday August 10, 2017 @01:12AM (#54981231)
    From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" [slashdot.org] by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously.
    • by Anonymous Coward

      Don't upmod. Look at the damn link. It's an obfuscated affiliate link, again.

      This is against the terms of use and the CFAA. It's a damn redirection attack. This user really needs to be banned.

    • by AmiMoJo ( 196126 )

      I've long been interested in fighting back by poisoning these commercial databases with fake profiles and misinformation, but it's hard to know what is effective because it's all trade secrets.

      If a company you target goes bust, it's very hard to know if it was because their database became worthless due to pollution or if they were just incompetent or had a worthless product.

    • From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" [slashdot.org] by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously.

      At already is, this has already been illegal in all of the EU for 20 years. This is just a UK specific version of it. So nothing really changes.

  • by Anonymous Coward

    The UK is still a full member of the EU. We're not due to leave for at least another 18 months, assuming it doesn't get delayed, or the decision to leave reversed.

  • by Rande ( 255599 ) on Thursday August 10, 2017 @03:38AM (#54981571) Homepage

    And just the other day, the head of GCHQ was complaining that he couldn't hire hackers with previous experience and that the schools weren't turning out students who knew how to do unexpected things with computers.

  • A UK user could be re-identified in another country. For some reason the UK government can't get its head round the fact that the internet is international. Looking at the crimes which can be tried in the UK when committed abroad [kingsleynapley.co.uk] I think that someone from the UK could even just pop over to France or Ireland, identify somebody, then pop back and they couldn't do anthing
    • Americans simply don't get privacy, preferring to jizz over their firearm and free speech laws instead.

      Your example is stupid because
      1) France and Ireland both have reasonably strong privacy laws.
      2) Advertisers that have a business in the UK who would target a UK citizen using re-identified data, would break the law, hence even if they had re-identified a UK user abroad, this data would not do them any good.

  • by Anonymous Coward

    ... this is actively used to identify persons of interest. So criminalize re-identification of anonymized user data would become a state privilege?

  • by Anonymous Coward on Thursday August 10, 2017 @04:38AM (#54981699)

    We haven't left yet. We won't leave til 2019 at the earliest.

  • by Anonymous Coward on Thursday August 10, 2017 @05:27AM (#54981783)

    "Recently, despite leaving the European Union"

    Fucking ignoranace at the highest level

  • Sounds a lot like the UK government actually WANTS to keep those weaknesses. Wonder if some were built in. Hmmm.

    It may sound far fetched, but what other sane reason would you try to prevent people finding weakness, thus enabling them to be fixed? Unless this is a conspiracy to keep "backdoors" in the process of anonymizing data, it's just encouraging people to find those vulnerable points and NOT report them. Hackers much be laughing their butts off.
  • If someone posts something on-line and it contains enough information to make identification likely if not probably, how is a third party reading it somehow culpable for making an elementary inference or deduction?

    Moreover, are they seriously going make illegal the cross referencing of public information?

    • It's a "don't-peek" law I guess.

      I like it. It needs a clause to exempt all attempts to break the anonymization "by any party for the purpose of research into anonymization and the validation of strength of anonymization itself" so as to ensure re-identification to identify (and retention of re-identified data) is an offense whereas re-identification to show that it can be done and how is perfectly-legal.

  • That country seems to be in the hands of yahoos, nitwits and tinpot despots wannabees these days.
  • Any time someone talks about how some data collection is OK because it's "anonymized", the only logically correct reaction is laughter.

    Modern databases and analytics has ensured that it is literally impossible to effectively anonymize data while still retaining the usefulness of the data.

  • Does Susan Rice know about this?

    How is the government supposed to help the democratic process?

    Why can't we build wonderful countries like Venezuela?
  • Now the crooks can continue doing what they're doing unimpeded, meanwhile security professionals get their hands tied behinds their backs and anonymization techniques can be used regardless of how flaws they are.

    I have this great method for anoymization, based on the tried and true ROT13 encryption algorithm. And if anyone cracks it, I can lay charges instead of wasting time wondering if my entire process is horribly broken.

  • Let me think this out a minute.
    Someone points out that something can be done by criminals and should be fixed.
    So you make it illegal for them to point it out?
    Is that kind of like making it illegal to speak up about 'the emperor's new cloths'(https://en.wikipedia.org/wiki/The_Emperor%27s_New_Clothes).

    seriously, let's make it illegal then only criminals can do it.
    (I guess it makes it easier for the black ops guys that you own ) .

  • Prohibiting re-identification for profit, political, etc purposes is an excellent idea. I was actually excited when I saw the headline.

    But if they block researchers and disclosure of methods, then how will anyone ever know if re-identification is happening or even possible? How could we assess the risk of re-identification by malicious actors? What can we do to protect our personal privacy, our users, and our networks without detailed technical information?

    The proposed law may protect citizens from corporat

  • Tear a page from the Hermit Kingdom, and what you end up building will have the same level of intrinsic merit: a privacy shroud that could be broken by an ambitious elementary school kid.

    I, for one, welcome our new mules.

  • I am a privacy researcher.

    Aside from the "not even research is allowed" bit, this is a good idea.

    Currently most people believe anonymisation is possible. Just the noise around this law might help most policymakers understand that the real question is 'for how long do we believe we can make this anonymous'.

    This post almost feels like a hit job: the idea is placed in a very negative light with a lot and mostly negative comments straight away.

    You'd think the people on Slashdot would also understand the problem

The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.