26.03.2013

Anonymous data: Why security experts will always be focused on the flaws

Portrait von Niko Härting
Niko Härting

Many years ago, I was involved in equipping our office with a new burglar alarm. I had not the faintest idea about how such alarm systems work. And we consulted a few specialists for advice. The advice we got was devastating: Whatever system we discussed, the specialists would always point to significant soft spots. Our search for a "safe" burglar alarm seemed to be doomed to fail. With some resignation, we went for the system that sounded - more or less - "safest". And it worked.

Safety and the Law

Many of us will have had similar experiences with IT security experts: Whatever the question, the answer will always point to the flaws. "Is De-Mail" safe? Of course not (in German: "Kritik von Experten: Regierung will Bundes-Mail per GEsetz für sicher erklären", Spiegel Online v. 19.3.2013). Are there loopholes in the firewall? In most cases, yes. Is my antivirus software safe? Probably not.

Ask a lawyer who has spent hours and hours on drafting a contract if the contract is "waterproof": He is likely to cringe and stress that, well, of course, you never know what a court will say... Lawyers are security experts when it comes to the law and they have a reputation of avoiding straight-forward answers. When it is a lawyer's to plug the holes of a contract, he will always be the one who knows best where the remaining flaws are.

Key Consequences

What does this mean for recurrent (and, no doubt, accurate) studies that show how easy it is to lift the veil of anonymity and identify individuals when anyonymous data is processed (e.g. see “Unique in the Crowd: The privacy bounds of human mobility”, study by de Montjoye/Hidalgo/Verleysen/Blondel published at Science Reports 3, Articel no. 1376, on 25 March 2013; on the lacking impact of this study on data protection see Härting, "De-Anonymisation is always possible, but what are the consequences?", CRonline Blog v. 25.3.2013)?

  • Rarity of Expertise: Even though de-anonymisation may be the easiest of all jobs for an expert, this does by no means indicate that it is easy for someone who does not have the expertise.
  • No Simple "Either-Or": Data security and data protection is not black ("unsafe") and white ("safe"), it scales, and there are shades. And when the choice is between anonymous data, on the one hand, and name and address, on the other hand, it is just logical that anonymity is the safer bet when it comes to data protection.

 

Zurück