Melanie D.G. Kaplan interviewed Paul Ohm on the re-identification of supposed-to-be de-identified records. Here’s a snippet of the interview, which you can read in its entirety on SmartPlanet:
Earlier this month the Commerce Department released a green paper that proposes a privacy bill of rights. What are your thoughts on this?
I think it’s great in principle. The devil’s in the details. It depends on what is going into this so-called bill of rights. From the things I’ve seen, I’m not sure they’re sufficiently incorporating the trends I and others are seeing in technology.
We have 100 years of regulating privacy by focusing on the information a particular person has. But real privacy harm will come not from the information they have but the inferences they can draw from the data they have. No law I have ever seen regulates inferences. So maybe in the future we may regulate inferences in a really different way; it seems strange to say you can have all this data but you can’t take this next step. But I think that‘s what the law has to do.
What would you like to see from the regulation?
What I’m starting to do now is think about how I’d make more concrete recommendations. One I’ve been tiptoeing around: Quantity is an interesting thing to me. Reidentification is much easier if you have a lot of data, yet I don’t know of many laws that treat you differently once you have more data; our privacy laws are very qualitative, not quantitative. So if you don’t have sensitive information, you can have as much information as you want. For instance, you’re not regulated if you know 10 things about me, but if you know 25 things about me, that might be enough to put you under a stricter form of regulation.