James Nixon, thinq.co.uk March 29, 2011
Identity theft isn't the biggest threat to your privacy online. According to one leading US lawyer, it's the details you give away without realising - and even seemingly anonymous data can be used to piece together your identity.
'Re-identification' - the process of piecing together someone's ID from fragments of anonymous data - could see our darkest secrets in the hands of unscrupulous marketeers, governments and even criminals.
Paul Ohm, Associate Professor of Law at the University of Colorado Law School, should know: he's a former trial attorney in the US Department of Justice's Computer Crime and Intellectual Property Section.
In a recent interview with IT news website Smart Planet, he explained that it was now possible for data on an individual from disparate sources to be pieced together - thanks in part to a boom in processing power, but also due to the new-found willingness of Internet users to give away information about themselves, through interactive services and social networking.
According to research by Ohm, simply deleting personal details such as names and social security numbers is not the "silver bullet" required to disguise our identity from potential snoopers. And it's a problem that is being overlooked not only by regulators, but by so-called 'experts' in data management and privacy.
Ohm explains that anything a user leaves behind on the Internet can be used to piece together their identity - movie ratings, previous purchases: anything that allows snoopers to home in on what Ohm terms their "human uniqueness".
It doesn't even require a great deal of information to identify an individual, says Ohm. Just "six to eight" anonymously posted movie reviews on a site like Netflix could be enough to identify a pinpoint a single user in a crowd.
Ohm says the time has come a fresh look at privacy law that regulates the way in which companies are allowed to draw inferences from the data they hold - a move that could prevent e-commerce sites such as Amazon collecting and using data on a customer's purchase history to make recommendations:
"We have 100 years of regulating privacy by focusing on the information a particular person has. But real privacy harm will come not from the information they have but the inferences they can draw from the data they have. No law I have ever seen regulates inferences.
So maybe in the future we may regulate inferences in a really different way; it seems strange to say you can have all this data but you can't take this next step. But I think that's what the law has to do."
Ohm warns that the consequence of protecting privacy in this way is that some services, which previously traded on their ability to capture and use this information, will no longer be free.
"We have to get used to talking about the price of privacy. People are starting to say, if you have this privacy law, and industry doesn't have access to this big database, your favourite website will no longer be free. I actually think that's the right conversation. Maybe we should give up some of the efficiency and convenience of the Internet if we can protect privacy." The threat of large-scale 're-identification' along the lines Ohm describes appears to be a very real one.
Earlier this month, members of online hacktivist collective Anonymous claimed to have uncovered evidence that the US military is developing software that could be used to control an army of fake profiles on social networks such as Facebook. According to patents revealed by Anonymous, the software could be used to identify users by cross-referencing information such as an author's writing style from different sites.