The details are very important here. Would the proposed ban really affect researchers proving that anonymization schemes don't work, or would it just apply to attempts to reidentify real people in real user data?<p>It seems reasonable that a company be prohibited from actively trying to ascertain the identity of users who have tried to remain anonymous. The ease of doing it is rather irrelevant. I'm kind of tired of this tech culture meme, that something should be allowed because it is easy. How easy it is to do something is really irrelevant to how legal it should be. As an extreme example, killing a man is rather easy.<p>EDIT:<p>Here is the bit from the source document that the blog author is responding to:<p>><i>Create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine. </i><p>"intentionally or recklessly re-identifying individuals" seems to limit this to real user data, not researchers evaluating anonymization schemes. As with any law, it is important to see what the eventual proposed legislation looks like, but I don't think there's anything to worry about here for legitimate security research.
As far as I can tell the Statement of Intent[1] references this only in the following paragraph:<p>[We will:] <i>"Create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine."</i><p>Following that there is also:<p><i>"Create a new offence of altering records with intent to prevent disclosure following a subject access request. The offence would use section 77 of the Freedom of Information Act 2000 as a template. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland."</i><p><i>"Widen the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if the they initially obtained it lawfully)."</i><p><i>"Protection for journalists and whistleblowers - The important role of journalists and whistleblowers in holding organisations to account and underpinning our free press will be protected by exemptions."</i><p>Which seems more like creating clear legal charges for activity that is already illegal.<p>[1] <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf" rel="nofollow">https://www.gov.uk/government/uploads/system/uploads/attachm...</a>
Sounds good to me. Following the authors login why make anything an offence? It doesn't stop people from doing it anyway.<p>It seems like this is intended to stop dodgy marketing companies re-identifying data not hackers. And there doesn't need to be some technical way to know if they've done it. Any company can do illegal stuff and get away with it. They don't because if they are caught (and all that takes is one employee to come forward - and making it an offence to knowingly handle that data makes that more likely) they are in a lot of trouble (in this case an unlimited fine).<p>Why can't researchers work with fake data sets? If my data has been anonymised I don't care who the person is, I don't want them re-identifying it. Maybe I'm not seeing the necessity for this, and, if it exists I'm sure when the final Act comes around there will be an exception for researchers. Seems like panic over nothing for now.
I was reading about the UK's upcoming GDPR implementation on the BBC earlier, and I assumed the ban on reidentification would apply to service providers and businesses etc., and not to researchers or private individuals with legitimate intentions.<p>Is this not the case?
The author is clearly mistaken. There are several things that are possible in the physical world yet illegal, e.g. forging signatures, breaking doors open, breaking into parked car, sending spam emails etc. Specifying reindentification as illegal is a great step since it let's legal machinery to do its job.<p>The reality of data privacy is that it's impossible to guarantee anonymity while keeping data useful.<p>Reindentification ban enshrine coherent guidelines into the law. It's a good step forward.<p>I am saying this as a researcher who has signed several agreements with US government agencies which had reindentification ban clause and penalty of felony offense if found violated.
Watch this be used selectively to prevent the public from finding out how capital flows and which politicians it buys.<p>Publish the name of the owner of the company who built the bridge that collapsed due to cost-cutting? Now now, he didn't want that public, that's reidentification! He even hid behind several shell companies, so you can't claim you didn't know he wanted to stay anonymous.