Privacy advocates have long been raising a hue and cry about the negative impact social networking sites are having on privacy. For the most part, the glare has been on the poor security practices and privacy controls of these sites. But now researchers at the University of Texas at Austin have brought to light a far more problematic issue.
Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov have proven that the anonymized data sets that social sites sell to marketing firms are not really that anonymous. It is possible to reverse engineer these data sets and obtain actual names and addresses, by looking at the content and structure of the data (in their example, correlating data from Twitter with Flickr).
- BBC Coverage
- Detailed look by Ars Technica
- The paper: De-anonymizing Social Networks
This raises grave concerns about a practice that has becoming increasingly common as social networking sites seek ways to monetize their data. They routinely release social graphs from which a few bits of personally identifiable information (PII) has been stripped to interested parties - advertisers, third-party apps, government and academic researchers. Conventional thinking is that this is good enough to protect people's identities.
But as the paper shows, this is nowhere near good enough. It's an interesting study that essentially redefines the term PII, and could (should) have grave implications for social networks and their responsibility towards their users.
The lesson, as Ars Technica points out, is that "anonymity is not sufficient for privacy on the web".
