In March, the Federal Trade Commission started a new technology blog and Twitter account for FTC Chief Technologist Ed Felten. Recently, Felten wrote two posts concerning the issues of anonymity and privacy. In the first, he discusses “hashing” as a poor technique for “anonymization.” (We’ve discussed problems with anonymization and de-anonymization before.) Felten writes:

What is hashing anyway? What we’re talking about is technically called a “cryptographic hash function” (or, to super hardcore theory nerds, a randomly chosen member of a pseudorandom function family–but I digress). I’ll just call it a “hash” for short. A hash is a mathematical function: you give it an input value and the function thinks for a while and then emits an output value; and the same input always yields the same output. What makes a hash special is that it is as unpredictable as a mathematical function can be–it is designed so that there is no rhyme or reason to its behavior, except for the iron rule that the same input always yields the same output.

He goes on to give an example of how a hash can be a poor anonymization technique, but he also notes: “Does this means that hashing always fails, and is never a good way to scrub data? Almost, but not quite. There are more advanced uses of hashing that can offer some protection in some settings. But the casual assumption that hashing is sufficient to anonymize data is risky at best, and usually wrong.” Read more »

To recap: In 2010, Google came under fire for its Street View product, where the online services giant photographed homes and other buildings in numerous countries as part of its online mapping service, as individuals said the photos invaded their privacy. Then, in 2010, Google announced that, for more than three years — in more than 30 countries — it had been “mistakenly collecting” personal data from open WiFi networks as its vehicles roamed the streets taking photos for its Street View mapping service. Later, the company admitted the data collected — without individuals’ knowledge or consent — included entire e-mails and passwords. And it was revealed that “Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data available through Google.com.” The online services giant faced questions from states, and Google reached a settlement with Connecticut over the data collection. In October 2010, the Federal Trade Commission announced that (pdf) it had closed an investigation into possible privacy breaches by Google’s Street View after the company pledged to stop gathering consumers’ e-mail, passwords and other personal data.

A few weeks ago, the Federal Communications Commission decided (redacted pdf) that it would not take enforcement action against the company over this data collection and retention, but it would fine Google for impeding the agency’s investigation into the private data collected and retained via its Street View product. The FCC noted that it still had “significant factual questions” about the Street View data collection and that it could not interview “Engineer Doe,” the Google engineer “who developed the software code that Google used to collect and store payload data,” because Doe had invoked his Fifth Amendment right against self-incrimination. (“Payload data” is a technical term for sensitive, private data such as e-mail messages, passwords, Internet search or browsing history.)

The New York Times spoke with a former state investigator (several states investigated the data collection by Google through its Street View project) and he identified Engineer Doe as “Marius Milner, a programmer with a background in telecommunications who is highly regarded in the field of Wi-Fi networking, essential to the project.” Milner directed reporters to his lawyer. Read more »

NPR takes a look at tensions between Europe and technology companies in the United States concerning privacy rights:

America’s big technology companies are negotiating the details of a new privacy system called “Do Not Track,” to let people shield their personal data on websites. There’s no deal yet, but people inside the talks say the main reason American companies are even considering “Do Not Track” is the pressure they’re feeling from Europe.

Jacob Kohnstamm, a European privacy regulator, has been on a tour of Silicon Valley, and his message to America’s tech giants is, respect European privacy rules — or else. [...]

Not only should people be allowed to block websites from collecting and keeping their data, he says, but that should be the default setting — on European browsers, at least. Talking from a phone inside the headquarters of Facebook, Kohnstamm is in no mood to let Americans decide everything about the Internet. [...] Read more »

The Washington Post reports on the issue of patient privacy and mobile applications related to medical data:

As smartphone users have grown more comfortable forking over information about their bank accounts and physical whereabouts to mobile applications, a growing group of app developers are betting health-related data will be next. [...]

Applications are being built to assist physicians at a patient’s bedside or help remotely monitor chronic conditions, but remain somewhat limited by concerns about their ability to ensure patient safety and privacy.

That’s caught the eye of federal regulators. The Food and Drug Administration will likely finalize its first-ever guidance on mobile health applications later this year, giving the agency at least some oversight of mobile products that replace or complement other medical devices, such as a stethoscope or EKG machine. Read more »

In the newly released annual report for 2011 (agency pdf; archive pdf), Irish Data Protection Commissioner Billy Hawkes says that the Irish public made a record number of complaints last year. There were 1,161 complaints in 2011, much higher than the 783 complaints received in 2010. The complaints were related to “unsolicited direct marketing text messages, phone calls, fax messages and emails,” as well as “unfair obtaining of data” and “use of CCTV footage,” among other complaints.

The commissioner noted that the “most comprehensive and detailed [audit] ever undertaken by our Office” was the investigation of Facebook Ireland, the social-networking service. The audit involved “about a quarter of our staff resources for 3 months and external technical assistance from University College Dublin.”

Here’s more information from the introduction: Read more »

We’re discussed before how there is an industry of gathering data on individuals and how personal data that is posted online can be used to created detailed profiles of individuals for things such as targeted behavioral advertising. Now, the New York Times has a reporter trying to track the trail of data collection and sharing by companies on individuals’ behavior:

I wondered how all those campaigns, companies and institutions got my number. And how much money data brokers behind the scenes might make by flipping my name and address.

Turns out there’s no easy way for consumers in the United States to track the data dealers who profile our spending, Web browsing and social media habits, the better to sell us stuff. Although the Federal Trade Commission issued a consumer privacy report last month urging companies that collect and share customer information to give people more notification and control over the proliferation of their personal details, the recommendations don’t have the force of binding regulations. Read more »