A new law proposed to protect the privacy of British internet users could end up criminalising the only people working to uncover abuses of personal data, a leading privacy researcher has warned.
The new data protection bill will contain a clause making it a criminal offence to “intentionally or recklessly re-identify individuals from anonymised or pseudonymised data”. The maximum penalty under the new law would be an unlimited fine.
De-anonymisation of data is a real problem for individuals, who may find their privacy violated over a number of different areas.
For instance, in 2006 anonymised data released by AOL revealed affairs, illnesses and criminal activity when it was deanonymised by cross-referencing with phonebook listings. Netflix was hit with a lawsuit in 2006 by a mother whose sexual preference was revealed by anonymised data, while the porn habits of a German judge, the drug prescriptions of a politician and the operational details of active cybercrime cases were revealed by anonymised marketing data sold by the popular “Web of Trust” plugin.
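The cases above share one mechanism: a release keeps the attributes an outsider can cross-reference against a public directory (postcode, birth year, sex), so a record that is unique on those attributes can be linked back to a name. As an added illustration, not part of the article, the following Python shows the pre-release audit a data publisher could run: compute the k-anonymity of a release over its quasi-identifiers, count the records its own copy of a directory could link, and re-check after generalising the quasi-identifiers. All records, names and postcodes are constructed sample data.

```python
"""Pre-release k-anonymity audit for a pseudonymised dataset.

Added example, not from the article. All data below is constructed.
Quasi-identifiers (QIs) are the attributes an outsider could cross-reference
against a public directory, as with the phonebook linkage described above.
"""
from collections import Counter

# Constructed "pseudonymised" release: direct identifiers replaced by a token,
# but quasi-identifiers left at full precision.
RELEASE = [
    {"pid": "u1", "postcode": "SW1A 1AA", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"pid": "u2", "postcode": "SW1A 1AB", "birth_year": 1975, "sex": "F", "diagnosis": "migraine"},
    {"pid": "u3", "postcode": "SW1A 2AA", "birth_year": 1982, "sex": "M", "diagnosis": "diabetes"},
    {"pid": "u4", "postcode": "SW1A 2AB", "birth_year": 1982, "sex": "M", "diagnosis": "asthma"},
    {"pid": "u5", "postcode": "SW1A 2AC", "birth_year": 1982, "sex": "M", "diagnosis": "eczema"},
]

# Constructed public directory (the "phonebook" role): names with the same QIs.
DIRECTORY = [
    {"name": "A. Smith", "postcode": "SW1A 1AA", "birth_year": 1975, "sex": "F"},
    {"name": "B. Jones", "postcode": "SW1A 1AB", "birth_year": 1975, "sex": "F"},
    {"name": "C. Brown", "postcode": "SW1A 2AA", "birth_year": 1982, "sex": "M"},
    {"name": "D. Patel", "postcode": "SW1A 2AB", "birth_year": 1982, "sex": "M"},
    {"name": "E. Khan", "postcode": "SW1A 2AC", "birth_year": 1982, "sex": "M"},
]

QIS = ("postcode", "birth_year", "sex")


def qi_key(row, qis=QIS):
    """The tuple of quasi-identifier values that defines a row's equivalence class."""
    return tuple(row[q] for q in qis)


def k_anonymity(rows, qis=QIS):
    """Smallest equivalence-class size over the quasi-identifiers.
    k == 1 means some record is unique on its QIs and is therefore linkable."""
    counts = Counter(qi_key(r, qis) for r in rows)
    return min(counts.values())


def linkable_records(rows, directory, qis=QIS):
    """Records whose QI combination matches exactly one directory entry.
    This is the exposure measurement a publisher runs against a directory
    it holds itself, before deciding whether the release is safe."""
    dir_index = {}
    for d in directory:
        dir_index.setdefault(qi_key(d, qis), []).append(d["name"])
    return {
        r["pid"]: dir_index[qi_key(r, qis)][0]
        for r in rows
        if len(dir_index.get(qi_key(r, qis), [])) == 1
    }


def generalise(rows):
    """Coarsen the QIs: full postcode to outward code, birth year to a 5-year band.
    Applied identically to the release and to the directory so the audit
    compares like with like."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        band = r["birth_year"] // 5 * 5
        g["birth_year"] = f"{band}-{band + 4}"
        out.append(g)
    return out


def release_ok(rows, directory, min_k=2):
    """Release gate: true only if no equivalence class is smaller than min_k
    and nothing in the release links to a single directory entry."""
    return k_anonymity(rows) >= min_k and not linkable_records(rows, directory)


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RELEASE),
          "linkable =", linkable_records(RELEASE, DIRECTORY))
    gen_release, gen_dir = generalise(RELEASE), generalise(DIRECTORY)
    print("generalised: k =", k_anonymity(gen_release),
          "linkable =", linkable_records(gen_release, gen_dir))
    print("release_ok:", release_ok(gen_release, gen_dir))
```

On the raw release every record is unique on its quasi-identifiers (k = 1) and all five link to a directory name; after generalisation the smallest class has two members and nothing links. Real releases need the same check against every plausible external directory, and generalisation trades away precision, which is the engineering incentive Olejnik is concerned a blanket ban would remove.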
But Lukasz Olejnik, a cybersecurity and privacy researcher at Princeton’s Center for Information Technology Policy, warns that the government’s proposed data protection bill may criminalise the research that highlights these problems, while doing nothing to stop the spread and release of poorly anonymised data.
Olejnik said: “It’s a justified risk. Security and privacy research requires assessing system strength, including trying to break de-identification and anonymisation systems.
“This can be done by demonstrating re-identification. When faced with ‘unlimited fines’ and unspecified provisions, I cannot imagine anyone risking conducting research for public good.”
A similar proposal in Australia also led to concerns from security researchers there. Melbourne University researchers argued that a ban on re-identification “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”. As a result, “criminals and foreign spy agencies will be more likely to find them first”, they wrote.
As currently planned, the UK bill will allow exemptions for journalists and whistleblowers, but not for researchers. Olejnik says that’s not enough: “Any re-identification ban would need strong provisions guaranteeing that researchers acting in good faith are on the safe side.
“I worry that if re-identification is simply banned, there might be no incentive for sane security and privacy engineering designs. It’s a paradox, but a re-identification ban might end up leading to overall weaker systems.”
But a better-drafted bill would be a net positive, he argues, saying that re-identification when done for financial or other gain is usually covert.
“It’s not like an organisation receiving ‘protected data’ and attempting to reverse its anonymisation would be interested in speaking about it in the open. So in many cases it would be pretty challenging to learn that it’s actually the case,” said Olejnik. “That said, the risk of ‘unlimited fines’ would definitely make the cost-benefit and risk assessment of malicious actors much more clear for the potential abusers.”
Digital minister Matt Hancock said: “The new data protection bill will give us one of the most robust, yet dynamic, sets of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
The data protection bill will not be published in full until the end of the summer recess, and is expected to be voted on in the current parliamentary term.