Making smartphone data anonymous no longer enough: study
Privacy measures that are meant to preserve the anonymity of smartphone users are no longer suitable for the digital age, a study suggested on Tuesday.
Vast quantities of data are scooped up from smartphone apps by firms looking to develop products, conduct research or target consumers with adverts.
In Europe and many other jurisdictions, companies are legally bound to make this data anonymous, often doing so by removing telltale details like names or phone numbers.
But the study in the Nature Communications journal says this is no longer enough to keep identities private.
The researchers say people can now be identified from just a few details of how they communicate using an app like WhatsApp.
One of the paper's authors, Yves-Alexandre de Montjoye of Imperial College London, told AFP it was time to "reinvent what anonymisation means".
His team took anonymised data from more than 40,000 mobile phone users, most of it information from messaging apps and other "interaction" data.
They then "attacked" the data by searching for patterns in those interactions, a technique that could be employed by malicious actors.
With just the direct contacts of the person included in the dataset, they found they could identify the person 15 percent of the time.
When further interactions between those primary contacts were included, they could identify 52 percent of people.
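The idea behind such an attack can be illustrated with a toy sketch. This is not the researchers' algorithm, which the article does not describe; it assumes a much simpler approach in which each person is summarised by how many messages they exchange with each direct contact, and a target is matched to the most similar profile in a second dataset that uses fresh pseudonyms. All names and figures below are invented for illustration.

```python
from math import dist


def profile(interactions, size=5):
    """Summarise a user's direct contacts as a fixed-length, pseudonym-free vector.

    `interactions` maps a contact pseudonym to a message count. Only the counts
    are kept, sorted from busiest contact to quietest and padded with zeros.
    """
    counts = sorted(interactions.values(), reverse=True)[:size]
    return counts + [0] * (size - len(counts))


def reidentify(target_interactions, candidates, size=5):
    """Return the candidate pseudonym whose profile is closest to the target's."""
    target = profile(target_interactions, size)
    return min(
        candidates,
        key=lambda pseudonym: dist(target, profile(candidates[pseudonym], size)),
    )


# Toy data (invented): the same three people in two periods, under new pseudonyms.
period_a = {
    "u1": {"a": 40, "b": 12, "c": 3},
    "u2": {"d": 9, "e": 8, "f": 7, "g": 6},
    "u3": {"h": 90, "i": 1},
}
period_b = {
    "x7": {"p": 85, "q": 2},                  # behaves like u3
    "x8": {"r": 38, "s": 14, "t": 2},         # behaves like u1
    "x9": {"u": 10, "v": 7, "w": 7, "y": 5},  # behaves like u2
}

# Link each period-A user to the most similar period-B pseudonym.
matches = {user: reidentify(contacts, period_b) for user, contacts in period_a.items()}
print(matches)
```

Even though no names, numbers or shared pseudonyms appear in either toy dataset, the pattern of interactions alone is enough to link each person across the two periods.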
"Our results provide evidence that disconnected and even re-pseudonymised interaction data remain identifiable even across long periods of time," wrote the researchers from the UK, Switzerland and Italy.
"These results strongly suggest that current practices may not satisfy the anonymisation standard set forth by (European regulators) in particular with regard to the linkability criteria."
De Montjoye stressed that the intention was not to criticise any individual company or legal regime.
Rather, he said the algorithm they were using just provided a more robust way of testing what we regard as anonymised data.
"This dataset is so rich that the traditional way we used to think about anonymisation... doesn't really work any more," he said.
"That doesn't mean we need to give up on anonymisation."
He said one promising new method was to heavily restrict access to large datasets, allowing only simple question-and-answer interactions.
That would get rid of the need to classify a dataset as "anonymised" or not.
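A minimal sketch of what such question-and-answer access might look like follows. The article does not say how such a system would be built, so the class name, the `count_where` method and the minimum group size are all hypothetical, and a size threshold alone would not guarantee privacy in practice.

```python
class QueryOnlyDataset:
    """Hold records privately and answer only simple counting questions."""

    def __init__(self, records, min_group_size=3):
        self._records = list(records)          # raw records are never returned
        self._min_group_size = min_group_size  # hypothetical safeguard

    def count_where(self, field, value):
        """Answer "how many records have field == value?", or refuse with None."""
        matching = sum(1 for record in self._records if record.get(field) == value)
        if 0 < matching < self._min_group_size:
            return None  # too few people: an exact answer could single someone out
        return matching


# Toy records (invented for illustration).
users = [
    {"city": "London", "daily_messages": 120},
    {"city": "London", "daily_messages": 15},
    {"city": "London", "daily_messages": 60},
    {"city": "Zurich", "daily_messages": 200},
]
dataset = QueryOnlyDataset(users)

london_users = dataset.count_where("city", "London")  # group is large enough to report
zurich_users = dataset.count_where("city", "Zurich")  # refused: only one matching person
print(london_users, zurich_users)
```

In this arrangement an analyst only ever sees answers to questions, never the records themselves, which is why the dataset would no longer need to be labelled "anonymised" or not.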
More information: Ana-Maria Creţu et al, Interaction data are identifiable even across long periods of time, Nature Communications (2022). DOI: 10.1038/s41467-021-27714-6
© 2022 AFP