Triangulating and De-Anonymization theguardian.com

Olivia Solon, the Guardian:

Nameless New York taxi logs were compared with paparazzi shots at locations around the city to reveal that Bradley Cooper and Jessica Alba were bad tippers. In 2017 German researchers were able to identify people based on their “anonymous” web browsing patterns. This week University College London researchers showed how they could identify an individual Twitter user based on the metadata associated with their tweets, while the fitness tracking app Polar revealed the homes and in some cases names of soldiers and spies.

“It’s convenient to pretend it’s hard to re-identify people, but it’s easy. The kinds of things we did are the kinds of things that any first-year data science student could do,” said Vanessa Teague, one of the University of Melbourne researchers to reveal the flaws in the open health data.

[…]

“One of the failings of privacy law is it pushes too much responsibility on to the consumer in an environment where they are not well-equipped to understand the risks,” said [Anna Johnston, a director of consultancy Salinger Privacy]. “Much more legal responsibility should be pushed on to the custodians [of data, such as governments, researchers and companies].”

While we ought to try to inform ourselves about the privacy implications of the entirety of our online behaviour, I don’t think it’s possible for the vast majority of users to understand the depth of knowledge that advertising, analytics, and data brokerage companies have on each of us. We’ve often never heard of these companies, and we certainly haven’t explicitly consented to giving them any of our information.

It’s easy to say that users should be better educated, particularly for those with a vested interest in users’ ignorance. It absolves data collectors of the responsibility to get explicit permission, which users almost certainly won’t give. The incentives for data collectors are aligned with implied consent wherever possible, and then vague explanations beyond that point. Data collectors have insisted for decades that they can be trusted to self-regulate, but their behaviour in that time has repeatedly shown that they cannot — largely, it seems, because regulations are diametrically opposite to growth incentives.