How We Can Save Anonymization

When we claim data is anonymous, we offer a simple promise to users: "This data cannot harm you. You don't need to worry about it." We've broken that promise again and again when datasets that we claimed were safe have been reidentified. There is now growing skepticism that anonymization is possible, and a belief that any claim of anonymization is fraud.

The good news is that we can do better. It is possible to effectively anonymize data. It's been done before! The bad news is that we're not doing it consistently, because there are no widely used standards for effective anonymization techniques. We might normally expect lawmakers and regulators to set minimum standards that prevent mistakes and restore public trust. But as Katharina Koerner's excellent PEPR talk pointed out last year, the legal guidance is muddled and contradictory, and shows no sign of improving any time soon. The law is not going to save anonymization.

Which leaves us - the privacy community - as the only ones left to fix this mess. If we want to regain the trust of our users, we need to follow a consistent approach that reliably gets anonymization right. That's what this talk is about. I'll walk through a list of operational principles our anonymization techniques need to meet to live up to our promises.