Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If the data is truly anonymized (and that's a big if), would you still have an issue?

Could you share which government is doing this? It is very troubling.

Edit: thank you all for good responses, I wasn't aware of the risks of de-anonymization but I will do more research into this.



I wrote that they sell it, which is wrong. They want to give it away for free. I don't know what is worse at this point. Patients don't have any possibility to protest.

It is in Germany and the law isn't active yet, but will be very soon. They basically create a central organization to collect data from all insurers. They receive info and are allowed to spread it to third parties in anonymized form.

> If the data is truly anonymized (and that's a big if), would you still have an issue?

Health data cannot be anonymized , since indicators and diagnoses can quickly identify a person. But no, this is my data and I do only share it when I explicitly consent to it.

You can opt out if you make enough money because that allows you to leave state insurance, which is kind of a real problem in our health system. But that wouldn't phase our current health minister, who seems to be an idiot and needs to be removed from office. His performance is bad enough.


Thank you for the response.

Now that you bring it up, I can see how one could identify a person based on that data. We're able to identify users based on things like browser extensions; I see how the concepts map.

The only reason I have to favor this sort of data sharing is that I have a (perhaps naive) hope that it would aid diagnoses and treatment.


Would it be possible to prevent this by using laws set by GDPR? Or at least cause such a great hassle for them to stop it?


Not exactly the same thing, but the following is happening now, in Spain. Citizens can opt-out by either turning off their phones or putting them in airplane mode during the dates mentioned.

"Spain’s National Statistical Institute (INE) plans to track the movements of millions of Spanish citizen’s cellphones to conduct a ‘sociological study’, El Pais and EFE reported. The INE will analyze user’s movements between November 18 to 21, November 24, on December 25 and during July 20 and August 15, using data from the ‘big three’ telecom companies in Spain. Data however will be anonymized before processing, the INE stressed."


Wait what - you can opt out of having any phone or mobile data service for a week?

What on earth are they going to learn? People go to work, people go shopping?


I know your question was rhetorical, but let's give it fair consideration. I suspect what they'll learn is whether they have the capability to analyze the movements of their entire population efficiently and if not, what it would take to do so.

Armed with that knowledge, they can prepare for the eventuality where the one-off exercise gets turned on permanently.


When people go where they go, and where they go next. This can help to figure out which interventions are even worth trying to improve things for public transport. I can imagine this would be very useful and relatively cheap to do.


Actually I have worked on projects for major UK rail stations along these lines - how many people on this platform then go to this platform, and should we build a bridge / open up a barrier.

I can see that as useful - it is targeted and pretty simple to do (although the anti-tracking mechanisms in wifi now makes it harder)

but ... I struggle with the value of such data collected on such a scale. Cell Tower radius is on the order of kilometres - the interesting stuff to do inside cities cannot be discovered on that scale - you need metres or better.

This feels like a mass public holiday migration watch. And you learn that ... people live in different cities to their parents?


Cells have both a maximum range and a _maximum population_. The multiplexing that enables many devices to use the same spectrum to communicate with a tower is limited, so you can't just put up one tower in Manhattan and you're done, that'd fill up with users immediately, you need to add lots of towers in areas with many simultaneous users or the service is lousy. As a bonus the reduced transmission distance means handsets (automatically) reduce radio power, which means improved battery life.

As a result cells are naturally much smaller in populated areas where you're most likely to want detailed information. In a city centre the cells may be only a hundred meters across. True, up a mountain the cellular network may have no idea where on the mountain you are, but this isn't a Safety of Life application, it's a survey.


_Can_ any large dataset actually be anonymised effectively?

I'm not yet convinced it can be done in a way that can't trivially be reversed by anyone combining it with other datasets.

And if it can't be anonymised, then it probably shouldn't be saleable.


The US Census famously used differential privacy in their most recent surveys. They have a quite extensive analysis of the tradeoffs they had to make to ensure everyone's privacy, and there is a fairly large body of academic work that analyzes (e.g.) the economic impact of this privacy preservation. The general consensus AFAIK is that they did a great job.

See https://arxiv.org/abs/1809.02201 for the main paper from the Census.


I'm not sure that this can be done with certain datasets, like health data.

If you had access to anonymised health data from my nation, for example, picking me personally out of the records would be extremely trivial, using just two data points:

+ I have an illness that only 1% of people have.

+ I lost my spleen whilst I was in primary school.

Both of those things are actually a matter of public record, thanks to being mentioned in various local newspapers, so it's reasonable to assume someone somewhere has that data.

I believe the general consensus on health data is that you have the age a person was at an incident, and the nature of an incident, you only need to have two or three incidents in your database to de-anonymise their records.

The only way to combat it is to not provide the detail required for the analysis that is exactly what the above organisations wish to do. No profiles, no fine-grained demographics.

And yet, people with rarer illnesses or events than mine will still stand out, so you also need to eliminate them from the dataset, even though they may well be the ones who could benefit most from this sort of widescale analysis.


Furthermore, the data may be static, but de-anonymization capabilities are not and may improve over time to identify someone.

For example, if they're tracking all instances of various ailments seen by some doctor in some time period. Suppose you are the only person of a given age and gender with that ailment, so that bucket would one entry for anonymous you. Fine. But then suppose the aggregating party begins to buy and correlate against credit card and location records that place you at the doctor's office in that time frame, bingo, they have a match to tie all three data.


> If the data is truly anonymized (and that's a big if), would you still have an issue?

Hell yes. The only time it's acceptable is if they get my informed consent.


> If the data is truly anonymized (and that's a big if), would you still have an issue?

Yes!

It's simply not anyone's matter to decide but the affected person what their data is used for, if only because that destroys trust. It is critical to the relationship between doctors and patients that the patient doesn't feel any need to hide information because they think that it might be shared and used against them, even when that fear might not actually be justified by the actual facts of the situation.

Also, that big if of anonymization is an important reason why the decision should be for the individual to make, if it is allowed at all: If you distrust the anonymization, then you should be able to refuse, without any requirement on your part to prove that it is unreliable.


Besides the "it can't be reliably anoned" answer, there are other issues.

One key one imo is simply ownership. Why do they get to sell it, regardless of who they are. I find the "terms of service" argument to be disingenuous.

I really think we need to completely change the way we do IP, and "data" has effectively become a new type of IP.

The default should be open/public domain, at lwats for anonyzable data. There are lots of reasons for it, economic moral and liberal.


Excellent question. In my mind I had been thinking that it could be analogous to census data. That doesn't answer the why though, or how it would bring commensurate benefits to civilians.


>> in much the same way it benefits us now, just more.

Tesla's data enables better driving software. Medical data lost motives medical tech, etc. If more people had access to it, the technology would improve more.

The conventional argument for patents, is/was (1) to encourage/reward innovation and (2) avoid secrecy. Imo, #2 failed, for the most part.

On innovation/etc... Ultimately data needs volume to be useful for ml applications. Opening all the datasets would also combine them, and improve their usefulness.


I'm skeptical as to whether robust anonymisation is possible, given the incentives involved.

After all, the data is more valuable the more bits there are per patient record, for researchers to find correlations - and the more bits there are, the easier it is to de-anonymise. Especially as you never know how many bits of data are already public about a given individual.

And given that they're releasing the data to make a profit, or to advance research, anyone doing this has an incentive to release more bits - and no incentive to release fewer bits.


Data that needs to be shared should be signed by sender at every port of exit and by receiver at every port of entry. All significant transformations should also be signed in a manner that allows one to follow data to it's real world source.

If applying complete attribution to our data was the norm, for at least some markets places, entities empowered by our data would be much less likely to just "share" it willy nilly.

Dark markets will always exist, but I think attribution of data would incentives certain corporations (health, banking, etc) to act in their users better interests, at least compared to what we have now.


"Anonymized data" can always be deanonymized. There have been plenty of studies about this.

It also reminds me of a recent post-Cambridge Analytica story about FB trying to get patient records, for which they said they "wouldn't get the names of the patients".

Okay, but the only reason Facebook would even get that data is to match it with its users' real names through some of their algorithmic reverse engineering of the data. That data is only useful to FB if it can associate various illnesses with real users on its platforms so that then advertisers can market to those people directly.

Don't fall for the "anonymized data" bullcrap. Google was caught doing something similarly recently, too.


Thank you for the response, I will do my own research into the deanonymization of data, but please share a source or two if you have them at hand.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: