Paul Ohm's 2009 University of Colorado Legal Studies Research Paper 'Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization' (at SSRN here) considers problems with deidentification and re-identification of search/access information by internet users, proposing stronger and wider restrictions among other responses to abuses by corporations, governments and individuals.
Ohm suggests that "Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention."
What is to be done? Ohm indicates that "We must respond to the surprising failure of anonymization" - arguably not that surprising in relation to information processing technologies or the funamental wuzziness of US and Australian privacy law - before modestly announcing "this Article provides the tools to do so".
