Recall a couple of years ago when I lauded Google – and also picked on them – for making customer data “more anonymous”?

“‘Anonymous’ is correctly regarded as an absolute condition,” I wrote. “Like pregnancy, anonymity is either there or it’s not. Modifying the word with a relative adjective like ‘more’ is a curious use of language.”

The challenge of these concepts – “anonymized” or “de-identified” data – is still around, and it’s still a difficult one.

Here’s a sophisticated take on the question:

Information is increasingly difficult to classify as “identified” or “de-identified,” particularly as it is copied, exchanged, or recombined with other information. With rapidly evolving technologies and databases, it is more appropriate to describe a spectrum of “identifiability,” rather than a binary classification of information as identifiable or not. The question could then become not whether deidentified information might be made re-identifiable, but rather which entities would be able to re-identify the information, how much effort they would have to expend, and what limits are placed on their doing so.

And here’s an advocacy group apparently lacking that sophistication. They treat information as flatly “de-identified” in a legal filing about a New Hampshire law that bans the sale of prescription drug data for marketing purposes:

[T]he Prescription Information Law does not implicate patient privacy. While it purports to protect privacy interests, the statute regulates patient de-identified information.

Here’s the thing: Both quotes were issued by the Center for Democracy and Technology. Continue reading →

SHARE: 16 comments