Nearly every data privacy regulation separates information into two categories: sensitive and non-sensitive. Often, the rules dole out special treatment for those who transform sensitive into non-sensitive information through anonymization—the elimination of personal identifiers like names and social security numbers. For example, to satisfy regulators, Google anonymizes data in its search query database after nine months and health researchers aggregate statistics before publishing them.
Two recent, newsworthy events have upended our understanding of the privacy-protecting power of anonymization. America Online and Netflix each released millions of anonymized records containing the secrets of hundreds of thousands of users. In both cases, to the surprise of all, researchers were able to “deanonymize” or “reidentify” some of the people in the data with ease.
In part by studying these events, Computer Scientists have recently taken giant strides in developing theories of anonymization and reidentification. Through this research, none of which has been rigorously imported into legal scholarship until now, they have concluded that the utility and anonymity of data are connected. The only way to anonymize a database perfectly is to strip all of the information from it, and any database which is useful is also imperfectly anonymous. This profoundly important result will do no less than reshape every privacy law and regulation and revolutionize every privacy-related policy debate.
About Paul Ohm
Paul Ohm joined the faculty of the University of Colorado Law School in 2006. He specializes in computer crime law, information privacy, criminal procedure, and intellectual property.
Prior to joining Colorado Law he worked for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section as an Honors Program trial attorney. Professor Ohm is a former law clerk to Judge Betty Fletcher of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of the U.S. District Court for the Central District of California. He attended the UCLA Law School where he served as Articles Editor of the UCLA Law Review and received the Benjamin Aaron and Judge Jerry Pacht prizes. Prior to law school, he worked for several years as a computer programmer and network systems administrator, and before that he earned undergraduate degrees in computer science and electrical engineering.