- From: Wendy Seltzer <wendy@seltzer.com>
- Date: Fri, 13 Aug 2010 15:23:18 -0400
- To: public-privacy@w3.org
On 08/13/2010 03:07 PM, Richard Barnes wrote: > David, > > In principle, I think you're exactly right that re-identification can > be a big problem, especially with the rich data sets that many > organizations are collecting nowadays. (Our position paper [1] > touches on this issue briefly, in a slightly different context.) > > As I understand it, however, (and I'm certainly not an expert) the > challenge for making/implementing policy with regard to > re-identification is that the mathematics are a little subtle and very > dependent on they types of data and the underlying population > distributions. There's a fairly large body of work on how to do > anonymization in specific domains (e.g., the techniques applied at the > Census Bureau [2]), but I'm not aware of a general enough methodology > to cover the diversity of data collected by entities in the Web. > (Again, not an expert!) Paul Ohm has been doing some work on re-identificaiton from the legal / policy side. He suggests that those who hold "bottleneck" data that pose particular risks of use in re-identification should be held responsible for those risks. <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006> (the policy recommendations may be in a newer version than is on SSRN). --Wendy -- Wendy Seltzer -- wendy@seltzer.org phone: +1.914.374.0613 Fellow, Silicon Flatirons Center at University of Colorado Law School Fellow, Berkman Center for Internet & Society at Harvard University http://cyber.law.harvard.edu/seltzer.html http://www.chillingeffects.org/ https://www.torproject.org/
Received on Friday, 13 August 2010 21:40:56 UTC