The UK version of the forthcoming EU General Data Protection Regulation (GDPR) is being highly criticized by the cyber security experts. This law is supposed to prepare the UK for Brexit by codifying the GDPR regulations into the British constitution. Last week, the first insights into the proposal were released by the UK’s digital minister, Matt Hancock.
Experts seem to express their concern surrounding a specific clause contained within the draft Data Protection Bill (DP Bill). They believe that the specifications within the British legislation could criminalize security research that is actually aimed at enhancing digital privacy for British customers.
The specific part of the DP Bill that is experts’ concern says that re-identifying individuals from anonymized or pseudonymized data will become a criminal offense. This seems like a good idea when you think about the fact the researchers have proven in the past that it’s possible to re-identify previously anonymized credit card data.
But for the researcher whose job is to do that kind of work, the wording just isn’t right. It could actually make it a crime for them to try and prove that the anonymization isn’t being thoroughly executed. They believe that that research is an essential part of finding the flaws in the current systems. Intentionally re-identifying anonymized data is the only way to carry out that work.
If this proposal goes through, researchers will face massive fines in case they do attempt to help out their customers, up to £17 million, which would make the work too dangerous for them to even try and do, as they say.
It has already been proven in the past that re-identifying anonymized data is very dangerous for customers. There was a case in 2006 when a 62-year-old woman from Lilburn in the US was identified from de-anonymized data released by AOL. The firm was hoping this would aid academic research.
But this all turned terribly wrong and the firm was forced to take the data offline when someone managed to single out person No. 4417749. The reporter who did it used several specific search queries that eventually led him to a widow called Thelma Arnold, who confirmed that the searches were hers.
Another case in 2006 was a Netflix related case when the firm was being sued by a woman whose sexuality had been revealed due to re-identified anonymized data. And just last year, an add-on for browsers called Web of Trust was caught selling web searches to third parties. Investigative journalists used the searches to re-identify a German judge’s porn habits, among other scandalous information about 50 that should have been left anonymous.
Although this kind of research can bring embarrassment to people, it is very needed in order for researchers to know how to fix the vulnerabilities in the system. The concern, of course, is that those records could fall into the hands of cyber criminals, or other nefarious actors.