Arvind Narayanan and Edward W. Felten write:
Paul Ohm’s 2009 article “Broken Promises of Privacy” spurred a debate in legal and policy circles on the appropriate response to computer science research on re-identification.1 In this debate, the empirical research has often been misunderstood or misrepresented. A new report by Ann Cavoukian and Daniel Castro is full of such inaccuracies, despite its claims of “setting the record straight.”2
We point out eight of our most serious points of disagreement with Cavoukian and Castro. The thrust of our arguments is that (i) there is no evidence that de-identification works either in theory or in practice 3 and (ii) attempts to quantify its efficacy are unscientific and promote a false sense of security by assuming unrealistic, artificially constrained models of what an adversarymight do.
Read their full article on Arvind’s blog, RandomWalker (pdf).