Yesterday, the Federal Communications Commission posted FPF’s comments about “anonymization” and “deidentification.” The comments come in response to a request from Public Knowledge that the FCC clarify whether “anonymized” or “deidentified” but non-aggregate call records constitute individually identifiable “customer proprietary network information” under Section 222 of the Communications Act.
FPF submitted comments to address the argument that all anonymized records must be considered “personally identifiable” records because there have been instances in which some publicly available, anonymized records have been reidentified. Public Knowledge argues that because researchers have been able to reidentify some publicly disclosed data sets that were purged of personally identifying information, all datasets that have been purged of personally identifying information must necessarily be considered individually identifiable. FPF responded:
Logically, this argument is flawed. It is analogous to the argument that because some locks have been broken, there is no such thing as a reasonably secure door.
Although reidentification may be possible in some specific circumstances, when proper anonymization practices are used, anonymization is a valuable and effective way to advance the goal of protecting individual privacy while allowing for beneficial uses of data. The full set of comments is available to read.