In their paper “De-anonymizing Social Networks”, Arvind Narayanan and Dr Vitaly Shmatikov of the University of Texas at Austin present a method by which supposedly “anonymous” data can be turned back into identifiable names and addresses. This is a very disturbing development.
Do you still believe the claims of companies like Phorm when they say that nothing identifiable is recorded by their (still to be proven legal) deep packet inspection (DPI) product “Webwise”? I never have. This paper confirms my beliefs and reinforces my position as an opponent of Phorm and of any peddler of DPI technology used to snoop on ISP customers.
The paper’s conclusion is quite scary. I’ve tried to snip a few bits out for brevity.
The main lesson of this paper is that anonymity is not sufficient for privacy when dealing with social networks. We developed a generic re-identification algorithm and showed that it can successfully de-anonymize several thousand users in the anonymous graph of a popular microblogging service (Twitter), using a completely different social network (Flickr) as the source of auxiliary information.
Our experiments underestimate the extent of the privacy risks of anonymized social networks… we expect that our algorithm can achieve an even greater re-identification rate on larger networks.
We demonstrated feasibility of successful re-identification based solely on the network topology… In reality, anonymized graphs are usually released with at least some attributes in their nodes and edges, making de-anonymization even easier.
Furthermore, any of the thousands of third-party application developers, the dozens of advertising companies, governments who have access to telephone call logs have access to auxiliary information which is much richer than what we used in our experiments. At the same time, an ever growing number of third parties get access to sensitive social-network data in anonymized form.
These two trends appear to be headed for a collision resulting in major privacy breaches, and any potential solution would appear to necessitate a fundamental shift in business models and practices and clearer privacy laws on the subject of Personally Identifiable Information.
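To get a feel for what “based solely on the network topology” can mean, here is a toy sketch in Python. It is not the authors' algorithm, only a much simplified illustration of the general idea of starting from a few known “seed” users and spreading outwards along friendship links. The names, the two tiny graphs and the function `propagate` are all made up for this example, and the real method has to cope with noisy, only partially overlapping graphs, which this does not.

```python
# Toy illustration only: hypothetical data and a simplified matching rule,
# not the algorithm from the paper.

def propagate(aux, anon, seeds):
    """Greedily extend a seed mapping (aux node -> anon node) using edges only."""
    mapping = dict(seeds)
    changed = True
    while changed:
        changed = False
        used = set(mapping.values())
        for person in sorted(aux):
            if person in mapping:
                continue
            # Score each unused anonymous node by how many of this person's
            # already-identified friends are linked to it in the anonymous graph.
            scores = {}
            for friend in aux[person]:
                if friend in mapping:
                    for candidate in anon[mapping[friend]]:
                        if candidate not in used:
                            scores[candidate] = scores.get(candidate, 0) + 1
            if not scores:
                continue
            ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
            best, best_score = ranked[0]
            # Accept a match only when there is a single clear winner.
            if len(ranked) == 1 or ranked[1][1] < best_score:
                mapping[person] = best
                used.add(best)
                changed = True
    return mapping


# Auxiliary graph: a public network where names are known (made-up data).
aux = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "carol", "dave"},
    "carol": {"alice", "bob", "erin"},
    "dave": {"bob"},
    "erin": {"carol"},
}

# "Anonymized" graph: same friendships, names replaced by numbers.
anon = {
    1: {2, 3},
    2: {1, 3, 4},
    3: {1, 2, 5},
    4: {2},
    5: {3},
}

# Two users the attacker has already identified by some other means.
seeds = {"alice": 1, "bob": 2}

mapping = propagate(aux, anon, seeds)
print(mapping)
```

In this toy case two known users are enough to put names to the other three numbered nodes, without looking at anything except who is connected to whom.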