Anonymity loophole puts UK data at risk

DPA loophole 'has been a problem for years'...
Written by Natasha Lomas, Contributor

DPA loophole 'has been a problem for years'...

Information Commissioner Christopher Graham

Information Commissioner Christopher Graham said the data watchdog is bound by the limits of current UK data protection law, which dates back to 1998Photo: Natasha Lomas/silicon.com

A loophole in UK's Data Protection Act (DPA) has been putting the anonymity of sensitive data at risk for years, a seminar on online privacy has heard.

The European Commission is in the process of reviewing European data-protection legislation with a view to creating a new privacy framework that takes account of the rise of privacy-compromising digital activities, such as online social networking and behavioural advertising.

But a loophole in the UK's DPA relating to data anonymising has already caused sensitive data to be compromised on a massive scale, according to Caspar Bowden, chief privacy adviser for Microsoft's worldwide technology office, who was speaking at a Westminster Media Forum Keynote Seminar on social media and online privacy in London.

Bowden described how a database containing information on who telephoned whom across the UK over the course of a month was exported to the US five years ago with "sham anonymisation" applied to the data - employing a process that turns each individual telephone number into a random yet consistently used number. Such a process can easily be undone, according to Bowden.

"Computer-science results from the past few years have shown that it is really relatively easy to reidentify that database," he claimed. "You can start with external sources of data where you can get a few phone numbers, a few relationships, you look for some patterns and then very quickly, like pulling at the threads of a sweater, you can reidentify the whole lot," Bowden said.

"In my view [this database was] perhaps the most significant privacy breach [or] flouting of the data-protection prescriptions on the transport of data that I've ever heard about, that this country has suffered," he said, adding: "It's never been reported, it's never been investigated."

Bowden said we have to understand that computer science has moved on, particularly in the past five years. "Data which would have been considered satisfactorily anonymised - even under harsher European regimes than our own in data protection - would not be considered satisfactorily anonymised today," he said.

The Information Commissioner, Christopher Graham, also speaking at the event, said data watchdog the Information Commissioner's Office (ICO) has its hands tied - bound by the limits of the current UK legislation, the DPA, which dates back to 1998. However, he added that the ICO is holding a seminar on data anonymisation on 30 March.

"The debate we're going to have starting off with the anonymisation seminar and future sessions will all contribute to the process of renewing the [European data protection] directive and we hope that at the end of this process we'll get...

...a directive that's a bit more [fit for] the 21st century - rather than going through the motions and ticking boxes and not addressing the real issues about the way that data is handled," Graham said.

Many of the problems with the UK's DPA stem from how it defines personal data, according to Microsoft's Bowden. While European law contains a definition of personal data that is "very broad" in his view - even broad enough to cope with some digital-era threats - Bowden said the UK's interpretation of European law does not have a broad enough definition.

"[The DPA] says data is only considered to be personal if it is identifiable by the data controller. If some other bunch of parties - whether they are trustworthy, whether they are liable to collude, whatever the privacy risk - may collude to identify data then that is not a personal risk in UK law and this has been frankly a poisonous issue throughout UK data-protection policy for the past 11 years, since the act came into force, and yet it is something the Information Commissioner has stayed essentially silent about," he said.

Bowden also warned about the looming privacy risks posed by smart-meter technology - unless data-minimisation techniques are used to safeguard the sensitive data they will generate.

"Databases will be created about your microscopic consumption inside your own household and this could mean, for example, that somebody could build a statistical model which would have a pretty good idea, two years before you might know, you were going to get divorced," Bowden said.

"Now with privacy-friendly smart metering [a technique developed by George Danezis, a Microsoft colleague of Bowden]… it essentially allows you to do calculations inside the meter so that no fine-grained data leaves the meter at all but still you can perform all of the functions, all of the smart tariffs that you want.

"We would love people to get interested in this and actually use this technology but it's extremely difficult to get regulators even to take a seriously close look at this," he added.

Bowden reckons the ICO will have to take a more active role in future - to help UK consumers steer through the minefield of digital privacy risks.

"I think a lot more obligation will fall on the regulator to steer people, perhaps in a much more active way than we've seen before," he said. "I do not believe frankly that ordinary consumers can possibly be in a position to appreciate their privacy risk.

"The speed with which things have evolved online in just the past few years, the entirely new phenomenon of social networking, the issues now coming up about online behavioural advertising, I think it is simply moonshine to believe that consumers will actually be able to achieve a state of awareness about their privacy risk which can lead them to discriminate in favour of genuine privacy-friendly services rather than bogus services."

Editorial standards