Playing 'Whac-A-Mole' with personal data

According to this article, the current legal approach to protecting Personally Identifiable Information (PII) can be compared to playing "Whac-A-Mole" with personal data. Dr. Paul Ohm, law professor at the University of Colorado Law School, writes:
Data can either be useful or perfectly anonymous but never both.
For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Reidentification has formed the database of ruin and given access to it to our worst enemies.
The trouble is that PII is an ever-expanding category. Ten years ago, almost nobody would have categorized movie ratings and search queries as PII, and as a result, no law or regulation did either.
Src: "Anonymized" data really isn't—and here's why not - Ars Technica

No comments: