Why “Anonymized Data” Still Knows Exactly Who You Are

Companies have been selling our data from the moment they had the option. The justification for this has always been that the data was anonymized. Because of this, they could capture all the benefits while seemingly avoiding any risk. But the reality couldn’t be further from the truth.

Yes, they might encrypt your name, password, phone number, or other personal data so that anyone accessing the database wouldn’t know whose data it is. But if you are collecting a huge amount of data, that doesn’t matter. Anyone with malicious intent who wants to exploit it will find a way. Here are a few events and studies that demonstrate this.

1 Singapore Health Data Breach

In 2018, the SingHealth database was breached, and around 1.5 million patient records were stolen. Although any data that could directly reveal a person’s identity was anonymized, hackers were still able to cross-reference information and re-identify individuals. The list even included the Prime Minister of Singapore, Lee Hsien Loong. More on it here.

2 Grindr App Location Data

Between 2018 and 2020, Grindr’s anonymized location data was being sold by data brokers. However, by cross-referencing movement patterns with home or work addresses, analysts were able to deanonymize it. This not only revealed users’ identities but also details about their sex lives and daily routines.

3 Massachusetts Governor Re-identification

To demonstrate the flaws of anonymized datasets, in 1997 Latanya Sweeney re-identified Massachusetts Governor William Weld’s medical records. The state had released supposedly anonymous hospital discharge data, but by cross-referencing it with publicly available voter rolls using zip code, gender, and date of birth, she was able to pinpoint the governor’s record. Link

4 MIT “Unique in the crowd ” study

In 2013, MIT researchers analyzed an anonymized dataset of 1.5 million phone users. They were able to identify 95 percent of individuals using only four spatiotemporal points (locations at specific times). (Source : MIT)

In all these cases, companies may have encrypted sensitive data. However, they did not encrypt information such as your address, zip code, or location, which could easily be used to narrow you down to a small group of people or, in many cases like those above, identify you completely.

So what can you do? You cannot avoid providing some data. Institutions such as governments, banks, and hospitals legally require accurate information. However, you can limit sharing your real details with companies such as Google, Netflix, social media platforms, or with apps you rarely use. This greatly reduces risk, because reputable institutions are more likely to keep your data secure. Essentially, avoid sharing your real data when possible. Use a fake name or alternate address, do not grant location permissions, or go further and create a separate digital identity and hope that those who do have your real information do not misuse it. This is the best an average person can do.