The Massachusetts Group Insurance Commission had a bright idea back in the mid-1990s—it decided to release “anonymized” data on state employees that showed every single hospital visit. The goal was to help researchers, and the state spent time removing all obvious identifiers such as name, address, and Social Security number.
87 percent of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex.Such work by computer scientists over the last fifteen years has shown a serious flaw in the basic idea behind “personal information”: almost all information can be “personal” when combined with enough other relevant bits of data.
Because most data privacy laws focus on restricting personally identifiable information (PII), most data privacy laws need to be rethought.
“Anonymized” data really isn’t—and here’s why not by Nate Anderson on ArsTechnica