anonymous – Techdirt

One More Time With Feeling: 'Anonymized' User Data Not Really Anonymous

from the we-can-see-you dept

As companies and governments increasingly hoover up our personal data, a common refrain to keep people from worrying is the claim that nothing can go wrong — because the data itself is “anonymized” — or stripped of personal detail. But time and time again, we’ve noted how this really is cold comfort, given that it takes only a little effort to identify a person based on access to other data sets. As cellular carriers in particular begin to collect every shred of browsing and location data, identifying “anonymized” data using just a little additional context has become arguably trivial.

Researchers from Stanford and Princeton universities plan to make this point once again via a new study being presented at the World Wide Web Conference in Perth, Australia this upcoming April. According to this new study, browsing habits can be easily linked to social media profiles to quickly identify users. In fact, using data from roughly 400 volunteers, the researchers found that they could identify the person behind an “anonymized” data set 70% of the time just by comparing their browsing data to their social media activity:

“The programs were able to find patterns among the different groups of data and use those patterns to identify users. The researchers note that the method is not perfect, and it requires a social media feed that includes a number of links to outside sites. However, they said that “given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50 percent of the time.”

The researchers had even greater success in an experiment they ran involving 374 volunteers who submitted web browsing information. The researchers were able to identify more than 70 percent of those users by comparing their web browsing data to hundreds of millions of public social media feeds.

Of course, with the sophistication of online tracking and behavioral ad technology, this shouldn’t be particularly surprising. Numerous researchers likewise have noted it’s relatively simple to build systems that identify users with just a little additional context. That, of course, raises questions about how much protection “anonymizing” data actually provides, both in business practice and should this data be hacked and released in the wild:

“Yves-Alexandre de Montjoye, an assistant professor at Imperial College London, said the research shows how “easy it is to build a full-scale ‘de-anonymizationer’ that needs nothing more than what’s available to anyone who knows how to code.” “All the evidence we have seen piling up over the years showing the strong limits of data anonymization, including this study, really emphasizes the need to rethink our approach to privacy and data protection in the age of big data,” said de Montjoye.

And this doesn’t even factor in how new technologies — like Verizon’s manipulation of user data packets — allow companies to build sophisticated new profiles based on the combination of browsing data, location data, and modifying packet headers. The FCC’s recently-passed broadband privacy rules were designed in part to acknowledge these new efforts, by allowing user data collection — but only if this data was “not reasonably linkable” to individual users. But once you realize that all data — “anonymized” or not — is linkable to individual users, such a distinction becomes wholly irrelevant.

One of the study’s authors, Princeton researcher Arvind Narayanan, has been warning that anonymous data isn’t really anonymous for the better part of the last decade, yet it’s not entirely clear when we intend to actually hear — and understand — his message.

Filed Under: anonymized data, anonymous, privacy

The Anonymous Assault On ISIS Is Hurting More Than It's Helping

from the well-he-sounded-like-a-terrorist dept

Tue, Nov 24th 2015 02:07pm - Karl Bode

In the aftermath of the Paris attacks, portions of Anonymous decided to “launch multiple operations” against the jackass collective that is ISIS/Daesh. Dubbed #OpISIS, the group’s self-declared “biggest operation ever” has predominately involved posting what the group claims are ISIS affiliated Twitter accounts to Pastebin. These “ISIS affiliated” users are then reported to Twitter using a “Twatter Reporter” script being circulated among some members of the collective. In a video, Anonymous crows that the group has been responsible for bringing 20,000 ISIS-related social media accounts offline:

Except there’s a major problem with the latest Anonymous campaign. A large number of the accounts they’re suspending have absolutely nothing to do with ISIS. A review of the banned accounts by Ars Technica found that a large number of the accounts were banned simply for using Arabic, with many ordinary Palestinian, Chechen and Kurdish users caught in the crossfire. Similarly, some of the banned accounts were trying to troll the religious cult. And there are indications that many in the group aren’t even sure who they’re supposed to be targeting:

“Meanwhile, some of the people coming to the IRC chat channel associated with the operation don’t seem to really understand what’s going on. One person logging into the channel asked, “Who’s ISIS?” The people managing the channel also demanded that others only speak English in the chat and not “clutter up the channel with only mandarin or Spanish or something.”

Twitter insiders meanwhile have commented off the record that the list Anonymous has compiled is a bit of a joke:

“A spokesperson for Twitter, who asked not to be quoted by name, told the Daily Dot that the lists generated by Anonymous are not being used by the company, saying research has found them to be “wildly inaccurate.”

“Users flag content for us through our standard reporting channels, we review their reports manually, and take action if the content violates our rules,” the spokesperson said, adding: “We don’t review anonymous lists posted online, but third party reviews have found them to be wildly inaccurate and full of academics and journalists.”

And while the group’s behavior has been held up by Presidential candidates like Ben Carson as a “model” of how to deal with terrorist groups, this kind of indiscriminate, misinformed hysteria (like oh, trying to ban all Syrian refugees based on false media reports) arguably aids ISIS more than it hurts it. Well aware of this fact, some splinter Anonymous groups (like GhostSec) have started more quietly forwarding their findings to the U.S. government. Other members of Anonymous find cooperating with the government intolerable for obvious reasons:

“It seems rather foolish to me to be aiding our mortal enemies, who lock up and even torture Anons – in a fight against an evil that they themselves actually created. If the USA and Europe were willing to release our Anon POW’s, and agree to stop attacking us – in exchange for our rather ample assistance against ISIS, well – that might be different. Until then, I say let NATO and the USA fight their own monsters. At least the resources they will need to dedicate to hunting ISIS can not be used to hunt Anons.”

So as usual, the headlessness that helps keep Anonymous alive as an ideal often winds up being its own worst enemy when it comes to coordination and quality control. That’s not to say that Anonymous members can’t contribute intel, disrupt some online ISIS capabilities, or act as an occasional propaganda counterweight. The group is, after all, helping things out by rick rolling pro ISIS hashtags:

Our upcoming action: spamming verified ISIS hashtags with rickrolls. Will release the list as soon as it's compiled.

— #OpParis (@OpParisOfficial) November 18, 2015

But beyond that, given the lack of any centralized jihadist mainframe to be DDoS’d, #OpISIS is limited in what it can actually accomplish. Effective international espionage requires a lot more tactical coordination than the leaderless, mythological meme appears capable of, and the kind of societal problems that are driving angry, disenfranchised young people to join the cult of ISIS go much deeper than the hacktivist amoeba’s tendrils reach.

Filed Under: anonymous, isis

Techdirt Reading List: Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous

from the read-it-today dept

We’re back again with another in our weekly reading list posts of books we think our community will find interesting and thought provoking. Once again, buying the book via the Amazon links in this story also helps support Techdirt.

This week we’ve got a book we’ve talked about in the past: Gabriella Coleman’s wonderful Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. Gabriella was a guest on our podcast, joining us for two episodes earlier this spring, where we talked about this book quite a bit (including having her read some excerpts). The first was the “many faces of Anonymous,” which looked at how difficult it is for some to understand Anonymous, because it doesn’t fit neatly into any sort of standard classification. Gabriella, of course, spent a ton of time getting to know many people within Anonymous, and that’s why her book gives such a nuanced and detailed picture of what Anonymous is about and how it’s changed over time.

The second podcast focused on one of those key changes, how Anonymous went from doing stuff just for the “lulz” to actual activism and what that shift has meant for Anonymous. The entire book is a worthwhile read, if you want to get beyond the standard mainstream media narratives of Anonymous, and to understand how Anonymous not only functions but how it’s had a real impact (and not necessarily in the way that most people think). I’d argue that if you’re at all interested in online culture, this is a must-read, or you’ll be missing some key elements in your understanding.

Filed Under: anonymous, gabriella coleman

Matthew Keys Found Guilty Of Criminal 'Hacking' For Sharing News Company Login

from the seems-extreme dept

Two and a half years ago, we wrote about former Reuters editor Matthew Keys being indicted based on charges that he’d shared the login information for the content management system to his former employer, the Tribune Company, in an online forum and then encouraged members of Anonymous in that forum to mess things up. Some people used that access to change a story on the LA Times website. Keys insists that he didn’t do this and the feds have no direct evidence linking him to whoever leaked the login (he also claims at the time of the leak he no longer had access to the Tribune Company’s systems).

As we noted at the time, if we accept the DOJ’s version of what happened, what Keys did definitely was the wrong thing to do. But the result was little more than annoying vandalism — and nothing Keys did should qualify as “criminal hacking.” The changes to the LA Times were up for less than an hour and quickly reverted. There was little evidence that it created any real damage, and certainly no lasting damage. And yet, because this is a “computer crime,” the feds came down on Keys as if he was part of some massive criminal conspiracy. In order to use the already problematic CFAA, it needed to show more than $5,000 worth of damage, which is crazy. Even crazier… is that the feds argued $929,977 worth of damage, based on some ridiculously exaggerated estimates of the amount of time people had to work on this issue.

And now a jury has convicted Keys on all three counts. Sentencing will be in January, and while lots of people are throwing around the statutory maximum of 25 years in jail, prosecutors have said they’ll likely ask for “less than 5 years” according to Motherboard’s Sarah Jeong, who was at the courthouse.

I think it’s clear that Keys was in the wrong in handing out the login to the Tribune’s systems, if he actually did it. But should that equate to criminal hacking charges and jailtime, because it resulted in a bit of online vandalism and some annoyance for a sys admin somewhere? That seems doubtful. As Keys himself points out in a pinned tweet in his Twitter feed, if sharing logins is a criminal act, all of you who share your HBO Go or Netflix logins may want to be careful.

The problem, once again, comes back to the ridiculous CFAA and the bogeyman of “computer hackers.” It was wrong to give out the login, but the idea that it did even $5,000 in damage (as required by the CFAA), let alone nearly a million in damages, is ludicrous. It’s even more ludicrous that this should be a criminal offense with any jailtime at stake. Go after him in a civil case for actual damages (of which there would be very little) and move on. Keys, for his part, has said the verdict is “bullshit” and he’s planning to appeal.

It’s way past time that we fixed the CFAA, and the Matthew Keys verdict is just yet another reminder that Congress needs to do something.

Filed Under: anonymous, cfaa, defacement, hacking, login, matthew keys, vandalism
Companies: tribune company

Anonymous Targeting CloudFlare Seems To Go Against Anonymous' History

from the anonymous-is-random dept

We recently had an excellent two-part podcast discussion (Part I, Part II) with professor Gabriella Coleman, all about Anonymous, its “many faces,” and how it shifted from just being about the “lulz” into real political activism. Of course, it covered the many contradictions of Anonymous — including the idea that anyone can just declare themselves a “member” and take on whatever they want, meaning that sometimes Anonymous’ actions are self-contradictory. One faction may decide to do one thing, while another faction may disagree with it entirely. And that’s all perfectly reasonable under the banner of Anonymous. You can see that in the recent effort by Anonymous to take on ISIS with #OpISIS. Over the past few years, Anonymous certainly got plenty of attention for jumping into some fights in the Middle East, gaining plenty of attention for its attempts to aid protesters in Tunisia, which kicked off the Arab Spring.

Even so, the strategies of #OpISIS are a bit baffling, and certainly seem to go against Anonymous’ general stance in other situations. Last week, it put out a list of hosting/infrastructure companies that it claimed were hosting pro-ISIS content, with the aim of demanding such sites take down that content. One of the main targets: CloudFlare, a company that many websites (including Techdirt) use to protect against denial-of-service attacks and to generally improve reliability. CloudFlare has responded by pointing out the obvious: it makes decisions to stop serving websites based on court orders, not mob rule:

CloudFlare does not itself host the content of the websites, meaning blocking its service would not actually make the content go away. The service instead protects sites from malicious traffic and cyber threats, meaning without it websites would be more vulnerable to attacks from Anonymous.

“We’re the plumbers of the internet,” [CloudFlare founder & CEO Matthew] Prince said. “We make the pipes work but it’s not right for us to inspect what is or isn’t going through the pipes. If companies like ours or ISPs (internet service providers) start censoring there would be an uproar. It would lead us down a path of internet censors and controls akin to a country like China.”

[….]

CloudFlare has previously faced criticism for protecting websites associated with Anonymous, however Prince asserts that their service is only removed if they’re told to do so by a court of law.

“The irony is there is no organisation that we have had more requests to terminate services for than the hacking group Anonymous, including from government officials – which we have not done without following the proper legal process,” Prince said.

In other words, careful where you aim that gun, #OpISIS, because it might point back at you as well. It seems even more ironic when you realize that one of the earliest “high profile” campaigns by Anonymous was when it targeted companies like Paypal and Amazon after each made the decision to cut off Wikileaks. Thus, Operation Payback began, targeting those who chose to arbitrarily cut off Wikileaks, without waiting for any sort of official legal process.

So it seems rather bizarre and counterproductive for this particular segment of Anonymous to now be pushing for the same thing: companies to arbitrarily cut off other content, while in the past it has argued that infrastructure providers should not bow down to the opinions of a few without a legal basis. It’s fascinating that Anonymous is targeting ISIS, showing just how bizarre this world has become, but doing so by trying to pressure companies into voluntary censorship campaigns seems really counterproductive and completely contrary to the message that Anonymous has presented to the world in the past.

Filed Under: anonymous, free expression, hosting, infrastructure, isis, mob rule, opisis
Companies: cloudflare

Techdirt Podcast Episode 19: From Lulz To Activism, With Gabriella Coleman

from the internet-culture dept

Last week, Gabriella Coleman joined us to discuss her new book Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous and share her insider view of the nebulous group. Gabriella is back this week to continue the discussion with a broader look at the astonishing and still-recent shift in the digital world towards real, widespread political engagement on issues like privacy and surveillance.

Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.

Filed Under: activism, anonymous, gabriella coleman, geek culture, lulz, podcast

Techdirt Podcast Episode 18: The Many Faces Of Anonymous, With Gabriella Coleman

from the we-are-legion dept

People (especially those in the news media) love to talk about Anonymous, often making bold, sweeping and generally inaccurate proclamations about the group’s nature and goals. Gabriella Coleman, on the other hand, has spent years closely studying and engaging with Anonymous in the real world, and developing a nuanced understanding of the nebulous phenomenon. Her new book Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous provides insider details about Anonymous that you won’t find anywhere else, and she joins us to discuss it on this week’s episode.

Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.

Filed Under: anonymous, gabriella coleman, hacktivism, podcast

from the not-a-good-move dept

We’ve talked a lot about massive copyright trolling operation, Malibu Media (which is also known for providing porn under the name xArt). In some other cases, it’s been revealed that Malibu Media is one of many operations that appear to be little more than a copyright delivery system for a series of German companies that are behind the scenes of almost every major copyright trolling operation these days. The company is also somewhat infamous for its shady practices and the way in which it files many questionable lawsuits — including the use of “Exhibit C” — totally unrelated films that it claims the accused also downloaded illegally, but over which Malibu Media has no copyright claims. That exhibit clearly served only to try to pressure individuals into settling, so there wouldn’t be a public court document insinuating a list of embarrassing films had been downloaded.

Its latest move seems to go seriously over the line in yet another effort to try to force defendants to pay up and settle. In this case, involving a “John Doe” defendant, the court had been clear that any documents involving the name of the defendant needed to be filed under seal. That came after the court had rejected the defendant’s attempt to have the whole subpoena thrown out, but was clearly on to Malibu Media’s usual tricks pressuring people into settling. As summarized in a new filing from Booth Sweet (the lawyers for the defendant), the court had been abundantly clear that Malibu Media was not to publicly name the defendant:

Here, the Order was sent by the Court to the Plaintiff. The Court’s language could not have been more clear.

> “If the summons and its return disclose the Defenan[d]t’s name and identifying information, Defendant shall file the same under seal.”

[….]

Nor was the intent of the Court’s Order lost upon the Plaintiff. In its motion to file its summons and return of service, Plaintiff specifically noted:

> “To comply with the Court’s Protective Order [CM/ECF 20], Plaintiff seeks leave of Court to file its proposed summons and affidavit of service under seal.”

[….]

In approving the Plaintiff’s request to file its summons and return of service under seal, the Court once again took pains to establish

> the following procedure to balance Defendant’s privacy interests with the presumption of open judicial proceedings. Simultaneously with filing its proposed summons under seal, Plaintiff shall also file a Reference List and an amended complaint. The Reference List, which shall be filed under seal, must contain Defendant’s name and any other identifying information that Plaintiff deems necessary to the prosecution of its case, as well as an appropriate identifier that uniquely corresponds to each item listed. See Fed. R. Civ. P. 5.2(g). The amended complaint and all subsequent filings shall be publicly filed and must refer to Defendant only as John Doe and use the identifier provided in the Reference List for other identifying information….

So what do you think happened? Well, first, as has happened in many other Malibu Media cases, the company and its trolling lawyers failed to serve the defendant, so Booth Sweet filed for a motion to dismiss. In response… Malibu Media filed another filing (a “summons and reference list”) that was not redacted and not under seal. And did so at a time that made it difficult to fix in a timely manner:

On March 13, 2015, Plaintiff, in violation of the Court’s repeated Orders, filed an unredacted summons and reference list with John Doe’s name and address plainly visible. See Docs. 24 & 25. By choosing to file these documents at 8:00 PM on a Friday evening, Plaintiff intentionally chose a time when it would be difficult to correct, and the embarrassment alone might cause John Doe to seek a non-trial disposition just to end the matter. More so, the documents are dated March 12, 2015, further compounding the inference that Plaintiff intentionally waited until Friday evening to file them.

Furthermore, Booth Sweet notes that Malibu Media pulled this same damn trick in multiple other cases as well, including another one done late on a Friday evening:

Malibu Media v. John Does 1-14, No. 12-cv-0764-BAH, ECF No. 35 (D.D.C. 2012)

Plaintiff filed an un-redacted first amended complaint and summons, both identifying the John Doe there by name, in express contravention of the Court’s protective order. Before a sanctions motion was filed, the matter was dismissed due to Plaintiff’s failure to timely serve the complaint.

Malibu Media v. John Does 1-14, No. 12-cv-2084, ECF #37 (E.D. Pa. Nov. 1, 2012)

Plaintiff filed un-redacted notices “in the other cases affected by the October 3 Order, naming all the Doe defendants” on a Friday evening. Id. at n.1.

Malibu Media v. John Does 1-14, No. 12-cv-263, ECF #48 (N.D. Ind. Dec. 14, 2012)

Plaintiff’s motion to strike un-redacted complaint it filed in violation of court order, blaming error on paralegal.

In fact, Booth Sweet notes that not only does the unredacted filing late on a Friday seem questionable, the entire filing is questionable as it is entirely inappropriate here:

Plaintiff’s deadline to serve the Defendant was February 28. To date, no extension to effectuate service has been granted – which begs the question why these documents were even filed in the first place. These documents are neither necessary at this point in the litigation nor relevant to opposing Defendant’s pending motion to dismiss. However, they are essential to a Plaintiff, who unable to obtain a quick settlement, is all too happy to act out of spite.

It really is incredible how frequently we see this kind of gamesmanship in copyright trolling cases. I guess when you look on the federal judicial system as a system worth gaming for extortionate payouts from individuals, it shouldn’t be that surprising that the lawyers would also look to game other aspects of the system as well.

The judge in the case, Judge Timothy Black, has wasted little time in ordering Malibu Media’s lawyer, Yousef Faroniya, to explain why he shouldn’t be sanctioned for clearly disobeying the court’s orders:

Defendant moves the Court to order Plaintiff and its counsel to show cause why they should not be sanctioned or held in contempt for publicly filing Defendant’s name and address in contravention of two Court orders directing Plaintiff to file this information under seal. For the reasons set forth in Defendant’s motion, the Court finds that Defendant has established a prima facie case that Plaintiff and its counsel “violated a definite and specific order of the court requiring him to perform or refrain from performing a particular act or acts with knowledge of the court’s order.” … Accordingly, Plaintiff and its attorney Yousef Faroniya are ORDERED to show cause in writing by March 20, 2015 at 5:00 p.m. why they should not be sanctioned or held in contempt for publicly filing Defendant’s name and address in violation of the Court’s Orders dated January 21, 2015 and February 26, 2015. Defendant may file a response by March 24, 2015 at 5:00 p.m. The Court will set this matter for a hearing, if appropriate, after receipt of the written responses. The Clerk is DIRECTED to withhold issuance of the summons until this matter is resolved.

And, in a footnote, the judge makes it clear that Faroniya “shall specifically address Defendant’s allegation that substantially similar conduct has occurred in other cases involving Plaintiff.”

Given how frequently we see this kind of gamesmanship, it’s still somewhat amazing that Malibu Media and its lawyers haven’t yet collapsed into a Prenda- or Righthaven-style mess.

Filed Under: anonymous, copyright troll, timothy black, under seal, yousef faroniya
Companies: malibu media, xart

Australian Government Prosecuting Anonymous Member Who Allegedly Exposed The Major Flaw In Its Data Retention Demands

from the prison-is-for-useful-people dept

Find a security flaw, go to jail. That’s the general attitude of government entities around the world. Over in Australia, an Anonymous member and fundraising manager for a cancer support group is facing an ever-shifting number of charges for finding and testing security holes.

Adam John Bennett is a rather un-anonymous member of Anonymous. He also acts as an unofficial mouthpiece for Anonymous via his LoraxLive online radio show. His supposed participation in a large-scale hack saw him raided by Australian Federal Police in May of 2014. Since then, he’s been awaiting prosecution for a variety of charges — charges government prosecutors seem unable to pin down.

The data breach leading to Bennett’s arrest involved a target of Australia’s controversial data retention law, which requires ISPs to hold onto subscribers’ internet activity (including social network use and emails) for two years and grant extensive access to a variety of government agencies.

AAPT confirmed it was breached in July 2012, following claims by an Australian sect of Anonymous that it snatched 40GB of data from the major Australian internet service provider (ISP).

After stripping out personally identifiable information from the data (which included members of the Australian government), Anonymous released the data to raise awareness around expectations of data security: To demonstrate that if an ISP as large and trusted as AAPT can’t keep its own data secure, it will be unable to keep Australians’ data safe under the proposed laws.

Rather than consider this a point well taken, the government went after Bennett. As for the prosecution itself, it’s been a complete shambles.

On March 11, Adam Bennett — known by most as the radio voice of Anonymous, LoraxLive, who was arrested last year for alleged computer crimes — will finally learn what he’s being charged with.

This had been expected to happen this week. Instead, at the last minute, Australian Commonwealth prosecutors — for the third time since the case began 10 months ago — requested another delay to change its lineup of accusations against him.

Maddeningly, the prosecution also indicated it will be dropping its initial charges against Bennett, and adding a slew of new ones.

Not only can’t the government decide what to charge Bennett with, but it’s also been instrumental in hamstringing his defense counsel. It’s hard enough to structure a defense when charges remain largely unknown. It’s even harder when the prosecution shows up late on the Friday before the next court date and dumps 20 GB of “evidence” into the defense’s lap.

Even more irritating is the fact that the prosecution apparently hopes to add Bennett’s vulnerability testing of his own employer to the list of charges.

One of the charges Bennett’s counsel expect to be in the final lineup is “Heartbleed Vulnerability Testing for Cancer Support W.A. 2014.” This is in regard to a Heartbleed vulnerability test created by Bennett to test his employer’s servers (Cancer Support W.A.) for Heartbleed vulns, which would have put the CRM that Bennett was involved in building for the organization at significant risk.

This addition of complete BS suggests the prosecution can’t find much about the Anonymous ISP hack it can wrap charges around. Instead, it seems to be operating purely on bluster. Constant delays followed by last-minute data dumps aren’t the sort of actions that indicate prosecutorial confidence. Instead, it gives the impression that the government hopes to obfuscate its way into a guilty verdict.

Meanwhile, Bennett is still living under restrictive bail conditions that prevent him from using the internet for anything other than banking, employment (he lost his job at the cancer support group after his arrest) or legal advice.

While the government may be right to complain about the unauthorized use of an ISP’s data, it seems to be more concerned with making an example out of someone who may have had something to do with providing a practical demonstration of the stupidity of data retention laws. The fact that it’s going after him for testing his own employer’s defense against vulnerabilities suggests there will be some prosecutorial “piling on” when it finally gets around to enumerating its criminal charges — presumably in hopes of deterring future exposures of flaws in its lawmaking logic.

This is what happens when governments try to “protect” citizens with little more than expansions of surveillance and law enforcement powers. Retained data is just as apt to be misused by cybercriminals as it is by law enforcement/security agencies. Any time you ask a third party to hold onto data it normally doesn’t, it increases the risk of serious breaches involving plenty of normally private information. There are no exceptions. Anonymous exposed the short-sightedness of data retention laws. In response, the government has decided to shoot as many messengers as it can get its hands on.

Filed Under: adam bennett, adam john bennett, anonymous, australia, data retention, hacking, loraxlive
Companies: aapt

Yet Another Report Showing 'Anonymous' Data Not At All Anonymous

from the what-privacy dept

Wed, Feb 18th 2015 02:45pm - Karl Bode

As companies expand the amount of data hoovered up via their subscribers, a common refrain to try and ease public worry is that consumers shouldn’t worry because this data is “anonymized.” However, time and time again studies have highlighted how it’s not particularly difficult to tie these data sets to consumer identities — usually with only the use of a few additional contextual clues. It doesn’t really matter whether we’re talking about cellular location data, GPS data, taxi data or NSA metadata, the basic fact is these anonymous data sets aren’t really anonymous.

The latest in a long stream of such studies comes from MIT, where researchers explored (the actual study is paywalled) whether they could glean unique identities from “anonymous” user data using a handful of contextual clues. Studying the purportedly anonymous credit card transactions of 1.1 million users at 10,000 retail locations over a period of three months, the researchers found they could identify 90% of the users’ names by using four additional data points like the dates and locations of four purchases. Using three clues, including more specific points like the exact price of a purchase, allowed them to identify 94% of the consumers. Intentionally trying to make the data points less precise didn’t help protect consumer privacy much:

“The MIT researchers also looked at whether they could preserve anonymity in large data sets by intentionally making the data less precise, in order to examine whether preserving privacy would still enable useful analysis. But the researchers found that even if the data set was characterised as each purchase having taken place in the span of a week at one of the 150 stores in the same general area, four purchases would still be enough to identify more than 70 percent of users.”

Note they’re not saying they can ascertain your personal identity from this data alone, but they (or a hacker that nabs this data) can identify you if they have just a smattering of other contextual clues as to who you are. In an age when cellular companies track and sell your daily location down to the minute, and your automobile, insurance companies and toll payment systems are all gathering even more precise data, that’s not going to be a particularly difficult task. The gist of the study isn’t going to be a shock to most of you: privacy in the modern age — unless you’re willing to go to extreme lengths — is an illusion.

“We are showing that the privacy we are told that we have isn’t real,” study co-author Alex “Sandy” Pentland of MIT said in an email…The study shows that when we think we have privacy when our data is collected, it’s really just an “illusion”, said Eugene Spafford, director of Purdue University’s Centre for Education and Research in Information Assurance and Security. Spafford, who wasn’t part of the study, said it makes “one wonder what our expectation of privacy should be anymore.”

That said, it’s very important to remember that we can probably trust that companies rushing head first toward vast new revenue generation opportunities are spending the time and resources necessary to ensure consumer privacy is at the very top of their list of priorities.
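An added example, not from the article or the MIT study: one way a data holder could measure this kind of re-identification risk before releasing a data set, as the share of users who are the only match for p points drawn from their own records, at full and at reduced resolution. The (day, shop) record format, the constructed data and all function names are assumptions made for illustration.

```python
import random
from collections import defaultdict


def coarsen(trace, days_per_bin=1, shops_per_area=1):
    """Reduce resolution: bucket days into bins and shop ids into areas."""
    return {(day // days_per_bin, shop // shops_per_area) for day, shop in trace}


def unicity(traces, p, days_per_bin=1, shops_per_area=1, seed=0):
    """Fraction of users who are the only match for p points of their own trace.

    traces: dict mapping a pseudonym to a set of (day, shop_id) purchases.
    The p "known" points model outside context such as a receipt or a photo.
    """
    if not traces:
        return 0.0
    rng = random.Random(seed)
    coarse = {u: coarsen(t, days_per_bin, shops_per_area) for u, t in traces.items()}

    # Inverted index: cell -> every pseudonym whose trace contains that cell.
    index = defaultdict(set)
    for user, cells in coarse.items():
        for cell in cells:
            index[cell].add(user)

    unique = 0
    for user, cells in coarse.items():
        known = rng.sample(sorted(cells), min(p, len(cells)))
        if not known:
            continue  # an empty trace cannot single anyone out
        candidates = set.intersection(*(index[c] for c in known))
        if candidates == {user}:
            unique += 1
    return unique / len(coarse)


def make_constructed_traces(n_users=500, n_shops=120, n_days=90, purchases=20, seed=1):
    """Constructed sample data: uniformly random purchases, not real transactions."""
    rng = random.Random(seed)
    return {
        f"user{i}": {
            (rng.randrange(n_days), rng.randrange(n_shops)) for _ in range(purchases)
        }
        for i in range(n_users)
    }


# Constructed three-user case: every single point is shared by two users,
# but every pair of points belongs to exactly one user.
TINY = {
    "alice": {(0, 0), (1, 1)},
    "bob": {(1, 1), (2, 2)},
    "carol": {(2, 2), (0, 0)},
}


if __name__ == "__main__":
    traces = make_constructed_traces()
    for p in (1, 2, 4):
        print(f"exact day and shop, {p} known point(s): {unicity(traces, p):.2f}")
    # Same data reported only as (week, area of 10 shops).
    print(f"week and area, 4 known points: {unicity(traces, 4, 7, 10):.2f}")
```

The figures depend entirely on the data set being measured; the constructed data here only shows how the measurement reacts to the number of known points and to coarsening.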

Filed Under: anonymous, anonymous data, data