In recent posts, I explained why hashing and pseudonyms often fail to provide anonymity. These problems, and the well-known examples of people re-identifying supposedly anonymized data sets, might tempt you into believing that any data set can be re-identified given enough effort or that there is just no way to provide access to data in a privacy-preserving way. But those conclus
Today the FTC announced a proposed settlement with Myspace, on charges that the company broke its privacy promises to consumers. I want to focus today on one of the FTC's charges, relating to possible syncing of identifiers.
Myspace, a popular social network, assigns each of its users a numeric identifier called a "Friend ID". If you know someone's Friend ID, you can use it to get their public information, by accessing the URL myspace.com/<Friend ID>.
Let's continue our discussion of "anonymous" data by talking about pseudonyms.
A pseudonym is any kind of identifier, other than a name, that is associated with a person or (what often amounts to the same thing) a device. Pseudonyms are very common. Examples include the random ID value in a tracking cookie; a device ID such as a WiFi MAC address or a phone's UDID; a synthetic identifier such as an "OpenUDID"; a mobile phone number; or a Twitter handle.
One of the most misunderstood topics in privacy is what it means to provide “anonymous” access to data. One often hears references to “hashing” as a way of rendering data anonymous. As it turns out, hashing is vastly overrated as an “anonymization” technique. In this post, I’ll talk about what hashing is, and why it often fails to provide effective anonymity.
One of the top-level recommendations of the FTC privacy report was greater transparency about the data practices of companies and technologies. The report pointed to mobile apps as especially needing better transparency. Indeed, a previous FTC staff report on mobile apps for kids found that hardly any of the apps that were studied offered full privacy disclosures.
Today the FTC announced that it has settled a complaint against RockYou, on charges that the company’s inadequate security led to a breach of consumer data, and that the company collected personal information from children it knew to be under 13 without parental consent.
Today the FTC is releasing a major report on privacy. Privacy geeks will read the whole thing, and should, because it represents a lot of careful thinking by folks in the agency.
But if you’re a techie who doesn’t have time to read it all, let me point you to a few of the parts you’ll probably find most interesting.
Welcome! I’m Ed Felten, Chief Technologist at the FTC. Let me introduce you to this blog.
As the nation’s consumer protection agency, the FTC works on technology issues every day. You’ll see lots of discussion of technology in our reports, cases, speeches and testimonies, not to mention the consumer and business education pieces we publish. But we haven’t had a venue for speaking, more directly and less formally, to the technically minded public about tech issues. That’s what this blog is for.