When the data industry is talking about sharing 'anonymized' profile data:
They do indeed not share email addresses, for example. But they share hashed versions of it, and they all use THE SAME hash function, and can thus still monitor and act on people across the digital world.
They do indeed not share email addresses, for example. But they share hashed versions of it, and they all use THE SAME hash function, and can thus still monitor and act on people across the digital world.
Calling this kind of personal data sharing 'anonymized' is corporate misinformation. A whole industry has been built on this lie.
Many still don't understand that.
Also, the question of whether or not you can reverse the hash is irrelevant, if everyone uses the same function.
Many still don't understand that.
Also, the question of whether or not you can reverse the hash is irrelevant, if everyone uses the same function.
Of course, hashed IDs can also be based on phone numbers or other data.
There are more complex versions of this, e.g. hashing the hashes, using temporary IDs and later match it to persistent ones, linking/matching chains of identifiers, using salted hashes for sub-purposes etc.
There are more complex versions of this, e.g. hashing the hashes, using temporary IDs and later match it to persistent ones, linking/matching chains of identifiers, using salted hashes for sub-purposes etc.
But in many cases it's as simple as I described it above.
Sharing/matching personal data by converting email addresses into hashed pseudonymous identifiers across companies is just: sharing/matching personal data.
I wrote about this here (from p. 69):
crackedlabs.org/dl/CrackedLabs…
Sharing/matching personal data by converting email addresses into hashed pseudonymous identifiers across companies is just: sharing/matching personal data.
I wrote about this here (from p. 69):
crackedlabs.org/dl/CrackedLabs…
The largest corps are relying on this lie.
Convert "email addresses and phone numbers to SHA-256 hashed IDs" to synchronize them "with the network of user profiles that are linked together in the Oracle ID Graph". No "personally identifiable information"! docs.oracle.com/en/cloud/saas/…
Convert "email addresses and phone numbers to SHA-256 hashed IDs" to synchronize them "with the network of user profiles that are linked together in the Oracle ID Graph". No "personally identifiable information"! docs.oracle.com/en/cloud/saas/…
Wanna upload lists of email addresses or phone numbers of people with certain characteristics to FB or Google, in order to link them to FB/Google profile data?
"you must share your data in an hashed format to maintain privacy"
developers.facebook.com/docs/marketing…
support.google.com/google-ads/ans…
"you must share your data in an hashed format to maintain privacy"
developers.facebook.com/docs/marketing…
support.google.com/google-ads/ans…
Apart from hashing there are additional mechanisms that can make it look like there is only minimal personal data sharing, from 'querying' to 'verifying' to 'matching' etc. It's crucial to understand the distributed and dynamic nature of today's tracking and profiling industries.
Anyway, it would be helpful if people would stop discussing whether or not data can be 'deanonymized' when it's not anonymized in the first place.
And if personal data sharing based on pseudonymous identifiers would be discussed in the same way as sharing names or phone numbers.
And if personal data sharing based on pseudonymous identifiers would be discussed in the same way as sharing names or phone numbers.
To the folks who turn their email address into many addresses by adding a plus and some characters, I have bad news:
docs.oracle.com/en/cloud/saas/…
docs.oracle.com/en/cloud/saas/…
Yes it's good to use a few different email addresses in different contexts but this cannot be fixed individually.
docs.oracle.com/en/cloud/saas/…
docs.oracle.com/en/cloud/saas/…
Yes it's good to use a few different email addresses in different contexts but this cannot be fixed individually.
In Europe, under the GDPR, it doesn't make much difference whether you process/share personal data linked to names or to other personal identifiers.
Still, too many companies rely on this 'trick' and there is a lack of enforcement. Regulators are often looking the other way.
Still, too many companies rely on this 'trick' and there is a lack of enforcement. Regulators are often looking the other way.
In the US, the industry has long been pushing a flawed definition of 'personally identifiable information' (PII), which declared most data linked to digital identifiers as 'non-PII'.
Recent state legislation has changed this, but details matter, also for federal regulation.
Recent state legislation has changed this, but details matter, also for federal regulation.
Many industry players are lobbying hard to undermine privacy legislation such as the CCPA and to keep pseudonymous personal data 'outside the scope of personal data covered' by future federal privacy legislation in the US.
For example, Microsoft:
For example, Microsoft:
Also in Europe, and - ironically - especially in Germany, industry players have been lobbying regulators and politicians to make it easier for companies to process pseudonymous personal data, and thus undermine the GDPR, for many years.
For example, this:
For example, this:
Here's a more complex practical example of allegedly “anonymous” personal data sharing across websites, apps and customer databases based on pseudonymous identifiers (hashed email addresses).
It covers just one specific use case, there are many other possible variants:
It covers just one specific use case, there are many other possible variants:
Website X and mobile app Y share personal information with data brokers A and B, who then sell it to another company Z who wants to learn more about a customer.
Many in today's data industry still claim this is about 'anonymized' data sharing, but it's not.
[draft graphic]
Many in today's data industry still claim this is about 'anonymized' data sharing, but it's not.
[draft graphic]
My graphic shows an additional bs 'trick':
Data broker A stores "only" profile data linked to a proprietary ID, but relies on data broker B who 'translates' hashed email addresses into proprietary data broker IDs.
Data broker B is, for example, LiveRamp.
slideshare.net/mediapostlive/…
Data broker A stores "only" profile data linked to a proprietary ID, but relies on data broker B who 'translates' hashed email addresses into proprietary data broker IDs.
Data broker B is, for example, LiveRamp.
slideshare.net/mediapostlive/…
There are myriads of companies who use hashed email addresses to transmit personal information to other firms.
A smaller number of data brokers maintain comprehensive databases that link different personal identifiers referring to billions to each other.
martechtoday.com/whos-who-in-th…
A smaller number of data brokers maintain comprehensive databases that link different personal identifiers referring to billions to each other.
martechtoday.com/whos-who-in-th…
Infutor, a US consumer data broker even I have rarely heard about, ties 'anonymous' phone IDs to 'hashed email addresses' and to 'rich profile attributes'. They claim to have 'over 2 billion' pairs of phone ID / hashed email.
Everything totally anonymous!
infutor.com/digital-soluti…
Everything totally anonymous!
infutor.com/digital-soluti…
Device IDs and hashed email addresses as 'anonymous consumer identifiers' in a landscape where interactions are 'anonymous', a 'challenge' for those 'who need to identify the unique online and offline attributes and lifestyle traits that characterize these anonymous consumers' 🧐
