Safeguard Anonymous Private Data?
Patterns of Behavior Are Protected Identifiers?
Privacy as a legal concept is in crisis. The law of privacy is becoming so expansive that the scope of the law is confusing, and literal compliance can entail strange and arduous effort.
Consider Connecticut’s new Public Act No. 08-167. Section 1(a) says, “Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties . . .” Then, Section 1(c) explains:
“As used in this section, ‘personal information’ means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.”
That seems like a breathtakingly broad definition.
Observe that it considers any “account number” as an identifier that triggers the requirement for security in Section 1(a). Public Act No. 08-167 does not define “account number,” which can make for surprising results for all kinds of organizations that collect money, including small ones like neighborhood parent-teacher associations.
Surprising Case Example - Health Club Locker Number
For example, suppose a small health club keeps track of membership payments according to locker numbers, which are viewable in the locker room. That practice may be a mistake under Connecticut’s law because anyone walking through the locker room could learn that my locker number, i.e., my account number, is “57”. That unit of identifying information might be misused by, say, a snoopy debt collector who is investigating how much I spend on luxuries like club membership. Knowing my name and locker number, he could telephone the health club and say, “This is Ben Wright, and my locker number is 57. Can you tell me how much I owe on my club membership this month?”
So, to say it in different words: This little health club has opened itself to a lawsuit in Connecticut by doing something (making account number and locker number the same thing) that would seem to be perfectly natural and insignificant to anyone but the most paranoid of lawyers.
Behavior Patterns as Identifiers?
Although Connecticut’s law itemizes some identifiers like “account numbers” and Social Security numbers, its definition of personal information reaches wider than the itemized list. The law regulates any and all “information capable of being associated” with a person through an “identifier.”
What kinds of information can be used to identify people by way of an “identifier?” What about patterns of behavior and patterns of social relationship? Could patterns of activity be “identifiers?” I don’t see why not.
Academic researchers have demonstrated that so-called anonymous data about human behavior can be used to identify individuals. For instance, researchers started with “anonymized” data from one Web 2.0 service, Twitter. From this data, they ascertained the identities of individual Twitter users. How did they do it? They drew on behavior data from another Web 2.0 service, Flickr. By comparing maps of relationships from unnamed Twitter users with maps of relationships for known Flickr users, the researchers uncovered the identities of the Twitter users!
From the perspective of privacy, this research is chilling.
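To show why removing names from a relationship map does not make it anonymous, here is an added example (not code from this article or from the researchers) that audits a pseudonymized graph before release. It is a simplified structural check, not the researchers' method: it assumes the released graph and the public graph contain exactly the same relationships, and all names and edges are constructed sample data.

```python
from collections import Counter

# Constructed sample data. AUX is a public graph with real names; ANON is the
# same set of relationships released with names replaced by pseudonyms.
AUX = [("ann", "bob"), ("ann", "cat"), ("ann", "dan"),
       ("bob", "cat"), ("dan", "eve"), ("eve", "fay")]
ANON = [("u4", "u1"), ("u4", "u6"), ("u4", "u2"),
        ("u1", "u6"), ("u2", "u5"), ("u5", "u3")]

def signatures(edges):
    """Fingerprint each node by (own degree, sorted degrees of its neighbours).

    The fingerprint uses no names at all, only the shape of the graph.
    """
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    deg = {n: len(nb) for n, nb in adj.items()}
    return {n: (deg[n], tuple(sorted(deg[m] for m in adj[n]))) for n in adj}

def linkable(anon_edges, aux_edges):
    """Return {pseudonym: name} for nodes whose fingerprint is unique in both graphs."""
    anon, aux = signatures(anon_edges), signatures(aux_edges)
    anon_n, aux_n = Counter(anon.values()), Counter(aux.values())
    # Only fingerprints held by exactly one named node can pin down a person.
    named = {s: n for n, s in aux.items() if aux_n[s] == 1}
    return {p: named[s] for p, s in anon.items()
            if anon_n[s] == 1 and s in named}

def exposure(anon_edges, aux_edges):
    """Fraction of released pseudonyms that can be tied to a single name."""
    nodes = {n for edge in anon_edges for n in edge}
    return len(linkable(anon_edges, aux_edges)) / len(nodes)

if __name__ == "__main__":
    print(linkable(ANON, AUX))   # pseudonyms exposed by structure alone
    print(exposure(ANON, AUX))   # share of the release that is exposed
```

In this sample, half of the pseudonyms map back to a single name, while the other three share one fingerprint and stay hidden among each other. A release in which every fingerprint is shared by several nodes scores zero on this check.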
Is All Data About a Person Private?
Responding to this research, a privacy advocate is naturally inclined to say that no one should keep any data about anyone.
While that response may be excessive, it does accurately reflect the privacy concern when anyone retains information about the patterns of behavior of individuals.
Another Case Example - Identifying People by Writing Style
So given how information about behavior patterns can serve as the “identifiers” of an individual . . . let's consider the following application of Connecticut law. Suppose a small nonprofit in Connecticut works with volunteers to develop and publish opinions on controversial civil rights topics, such as abortion or homosexual marriage. The organization attributes the opinions only to itself, without identifying the volunteers involved in writing them.
Sally is one of those writer volunteers. The organization publishes a controversial opinion based largely on prose composed by Sally. Could the organization be violating Connecticut law simply by publishing Sally’s written words? Logically, the answer could be yes. Here’s the logic . . .
Examples of Sally’s writing – on non-controversial topics – appear in association with her name in many public places such as blogs, libraries, Facebook pages, LinkedIn comments, letters to the editor and so on.
Research shows that people can be identified according to their writing style – syntax, word choice and so on. In fact, researchers today track “anonymous” terrorists according to the style of their writing, records and communication on the web.
Hence, when the civil rights organization publishes Sally’s words, even with her name removed, it is failing to safeguard her personal information. It is opening her to embarrassment and ridicule by people who disagree. Adversaries could analyze the patterns of behavior exhibited in the published words and ascertain that Sally is the author!
In other words, in the legislative terms of Public Act No. 08-167, the organization failed to protect her personal identifying information (i.e., the patterns of her unique writing style woven into her text) from being "misused" to criticize her personally.
What Does This Mean in Practice?
So what could the organization have done to comply with Connecticut law? Before publishing Sally's words, the organization could have removed from the words the “identifier” linking to Sally by hiring a team of third-party writers to rearrange the words into an anonymous writing style.
Shiver my timbers. That's a lot of work for a small nonprofit, just to comply with Connecticut privacy law. The regulation chills free speech. Is that really what the Connecticut legislature had in mind?
Society faces an emerging conflict between the civil right of privacy and the civil right of free speech.
Global Impact of Strange Legislation
Notice that the foregoing conundrums arise from legislation enacted by just one small US state. But in our Internet-connected world, the data privacy law of Connecticut can be applicable to the activities of an organization in Australia or Hong Kong. Further, nothing prevents the legislature of Arizona, Pennsylvania, Michigan or name-your-jurisdiction from adopting law that is similarly strange and broad in scope -- all the while using words and standards that differ from Connecticut's.
Full compliance with data privacy law has become very difficult.
Mr. Wright teaches data law, including electronic data discovery (EDD), at the SANS Institute.