[Guardian] Data protection in the EU: the certainty of uncertainty
When a regulation asserts that some data is 'anonymous', it is disconnected from the best theories in computer science. [...]
Since the mid-noughties, de-anonymising has become a kind of full-contact sport for computer scientists, who keep blowing anonymisation schemes out of the water with clever re-identifying tricks. A recent paper in Nature Scientific Reports showed how the "anonymised" data from a European phone company (likely one in Belgium) could be re-identified with 95% accuracy, given only four points of data about each person (with only two data-points, more than half the users in the set could be re-identified). [...]
It's all fascinating to think about, but the larger point is this: when a regulation breezily asserts that some data is "anonymous" or even "pseudonymous," that regulation is violently disconnected from the best theories we have in computer science. Where you find this in a regulation, you know that its author was either not serious about protecting privacy, or not qualified to draft a regulation. Either way, it's cause for alarm.