Anonymization or pseudonymization? Large companies sell data under the shield of it being anonymized, when in reality it is not

The software company Yodlee, one of the largest financial data brokers in the United States, said that the data it sells, regarding the banking transactions of millions of Americans, is anonymous. However, according to Vice, a confidential document obtained by Motherboard said that even so, the individuals behind the data sold could be identified.

How did this come to light? US senators urged the US Federal Trade Commission to investigate the owner of Yodlee, Envestnet, in view of the information that was being commercialized. Worst of all? The holders of that information were not even being informed. Anonymized data does indeed fall outside the spectrum of data protected by personal data regulation, precisely because it loses that characteristic: it can no longer identify the person to whom it belongs. However, this only holds if the anonymization process is actually done correctly.

And how good is the anonymization that Yodlee performs? According to Nicholas Weaver, principal investigator of the International Institute of Communication Sciences in Berkeley, very bad (to avoid repeating the language he originally used).

According to Yves-Alexandre de Montjoye, professor at Imperial College London, Yodlee's "anonymization" process looks more like pseudonymization: although there is no information that directly identifies the individual, someone (probably other companies) who already holds some information about that individual can link it to the "anonymized" data and identify its owner. The problem is that individuals' spatio-temporal traces are not eliminated, and this makes it possible to connect the sold data with them.

Anonymization and pseudonymization (the "dissociation procedure", in the Peruvian case): what is the difference? Both processes aim to hide the individual behind the data; the difference is that anonymization does so permanently and pseudonymization does not. For the latter, it is enough that a third party has information that can be related to the pseudonymized data for the individual behind the data to be identified. Therefore, anonymized data loses the status of personal data, while pseudonymized data retains it.

The problem is that many companies exploit the misinformation surrounding this issue, and the novelty of the regulation (even worse in the case of the US, where regulation on this matter is restricted to some states), to claim that they are complying with the rules when in reality they are not. Only in-depth research can uncover this behavior.

What information is put up for sale? According to Motherboard: a unique identifier given by the bank to the holder of the credit card that made the purchase, the amount spent in the transaction, the date of the sale, the city, the state and the postal code of the business where the person made the purchase, and other metadata. What is the purpose of obtaining this information? So that investment firms and hedge funds know where people usually spend their money, in order to detect patterns and trends in consumption.
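
The linkage risk de Montjoye describes can be measured before a dataset is released. The following Python sketch is an added example, not code from the article or from Yodlee; the rows, the `unicity` function and the `exact`/`coarse` views are constructed for illustration. It computes what share of k known (date, postal code) points match exactly one pseudonymous identifier.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample rows, shaped like the fields the article lists:
# (pseudonymous id, sale date, merchant postal code, amount).
ROWS = [
    ("A", "2020-01-03", "94110", 12.50),
    ("A", "2020-01-05", "94103", 40.00),
    ("A", "2020-01-09", "94110", 8.75),
    ("B", "2020-01-03", "94110", 5.20),
    ("B", "2020-01-06", "94103", 61.10),
    ("B", "2020-01-09", "94110", 19.99),
    ("C", "2020-01-03", "94110", 7.00),
    ("C", "2020-01-05", "94103", 23.45),
    ("C", "2020-01-12", "94117", 15.00),
    ("D", "2020-01-04", "10001", 30.00),
    ("D", "2020-01-05", "10003", 9.90),
    ("D", "2020-01-09", "10001", 110.00),
]

def exact(date, postal_code):
    # Quasi-identifiers exactly as sold.
    return (date, postal_code)

def coarse(date, postal_code):
    # Generalized view: year-month and the first three postal digits only.
    return (date[:7], postal_code[:3])

def unicity(rows, k, view=exact):
    """Share of k-point samples of a trace that match exactly one pseudonym."""
    traces = defaultdict(set)
    for pid, date, postal_code, _amount in rows:  # amount is left out here
        traces[pid].add(view(date, postal_code))
    unique = total = 0
    for pid, points in traces.items():
        for sample in combinations(sorted(points), k):
            total += 1
            matches = [p for p, t in traces.items() if t.issuperset(sample)]
            unique += matches == [pid]
    return unique / total if total else 0.0

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, round(unicity(ROWS, k), 3), round(unicity(ROWS, k, coarse), 3))
```

On these constructed rows, three known purchases single out every identifier. Coarsening lowers the score, but one identifier is still unique, so in the article's terms the data remains pseudonymized rather than anonymized.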

Marilú Lazo
Bachelor of Law from the Pontifical Catholic University of Peru (PUCP), with experience in corporate advice, as well as personal data protection and new technologies.

