Print

Print


I have long been worried by the data mining potential for seemingly 
innocent transactions.

Excuse me while I mention TATP, Islam, Cemtex or is it semtex, 
revolution, and AK47 in this email.  They are mentioned innocently, but 
the juxtaposition of the words could conceivably create yet another non 
existent terror plot!

Prohibiting access does not prohibit a court order from obtaining 
access.  So what is the full technical solution, especially of one needs 
to levy fines against a library borrower for a short period for late 
book return, thus needs Jon's real world details associated with Pentboy?

Mark van Harmelen wrote:
> Hi Ian and others
>
> Once a name is translated to a GUID there is no going back or finding 
> the user without observational help (eg the CCTV Ian mentions, or that 
> I know the examplar jon and spot him with books as in the original post).
>
> For info a GUID is a huge number, wiipedia: 'consider the observable 
> universe ... 5x10power 22 stars, each star would then have 
> 6.8x10power15 GUIDs' -- that's 6,800,000,000,000,000 unique GUIDs per 
> each of 50,000,000,000,000,000,000,000 observable stars.
>
> But rather than be sidetracked by GUIDs, it's more the fact that there 
> is a small chance that I might be able to deduce someones borrowing 
> habits that worries me.
>
> thanks
> mark
>
>
>
> On Thu, May 28, 2009 at 1:07 AM, Griffiths, Ian 
> <[log in to unmask] <mailto:[log in to unmask]>> 
> wrote:
>
>     I'm not really clear on the use of a guid here.  I'm assuming that
>     can be reverse engineered in some way?  You would be better using
>     a one-way hash function, I generally use MD5 for this type of
>     thing.  You should salt it so it's not susceptible to rainbow
>     table lookups.  Even truncated it still has a fairly small
>     likelihood of collision.  That would give you the required
>     functionality for anonymity.
>
>     Regarding reverse engineering the names from the historical data,
>     surely this is all in the past?  Unless you had access to CCTV
>     which clearly corroborated the borrowing habits you simply
>     couldn't see who had which books, it's in the past and I'm
>     guessing all the books are returned or now with new borrowers?
>      And the date obfuscation probably does enough here anyway.  Sure
>     it is possible, particularly when the numbers are low - but
>     really, I can't see it actually happening.  That isn't a legal
>     stance btw.
>
>     Generally the most effective way of making it entirely DPA safe is
>     to not treat it as discrete transactions.  Saying that a
>     particular book was borrowed 5 times in any given month for
>     example is fairly safe.  But listing those 5 then leads you on to
>     the problems above.
>
>     And re the raw data - yes prohibiting access to raw data is a good
>     idea.  There's no issue with you seeing it if you're a data
>     controller.  Otherwise no one would be able to process anything!
>
>     Ian
>
>
>     -----Original Message-----
>     From: This list is for those interested in Data Protection issues
>     on behalf of Mark van Harmelen
>     Sent: Wed 27/05/2009 20:31
>     To: [log in to unmask]
>     <mailto:[log in to unmask]>
>     Subject: [data-protection] a problem that worries me
>
>     Hi everyone,
>
>     Today's emails have got me thinking... and I hope my prognosis is
>     not true.
>
>     Some people may be about to give me library records that are
>     purportedly
>     anonymised in different ways. The most worrying case is captured
>     by the
>     following example:
>
>
>
>     jon borrowed from library L war&peace 25 may
>     jon borrowed from librarly L das capital 1 jun 08
>     jon borrowed from library L penthouse 1 july 08
>         (I guess that this is not a run of the mill library :-) but
>     the example
>     works to demonstrate a point)
>
>     Quite possibly Jon may neither want to be identified as a borrower
>     of das
>     capital, nor of penthouse. Whatever jon's predelicitons, I'm
>     presuming that
>     the anonimised data should not give rise to anyone being able to
>     ascertain
>     jon's reading habits
>
>     When they are given to me the library use records are anoymised thus
>
>       - replace jon's name with a large random number X (for the
>     technically
>       minded this random number is a GUID, see eg wikipedia for details)
>       - replace the date with a sequence number starting from 1 in a
>     given year
>
>     Thus I might be given
>
>     X borrowed war&peace 1st in 08
>     X borrowed das capital  2nd in 08
>     X borrowed penthouse   3rd in 08
>
>     Also
>
>       - any work that is borrowed only once in a year has been removed
>     from
>       this list,
>       - anyone who borrows only one work in a year has been removed
>     from the
>       list.
>
>     Let's assume that each of these library holdings have been
>     borrowed many
>     many  times in 08, and my current assumption is that I can
>     therefore NOT
>     identify Jon from the data if I saw him come out the library with
>     a copy of
>     war&peace.
>
>     I don't really know what the situation is if I saw Jon come out
>     the library
>     with war&peace one day and then some time later with das capital.
>     For many
>     borrowings ov these two works over the year, I assme that the data
>     does not
>     contravene the DPA.
>
>     But for a unique sequnce of borrowings, it seems that the
>     prognosis is not
>     good,: If there is no other person who borrowed war&peace and
>     then, later,
>     das capital in 08 I can deduce that Jon also borrowed penthouse if
>     I observe
>     him first with L's war&peace , and then with L's das capital.
>
>     So, if this data is about to be delivered to me, then
>      1) is the DPA possibly to be contravened (I am not registered as a
>     processor for library L)?
>      2) is there any transformation or partial eradication of the data
>     that
>     makes it 'DPA-safe' while preserving both a random number
>     identified user,
>     and the sequence of loans.
>
>     If there is a problem, then I guess the argument that I have never
>     seen any
>     people walking around with library L's books does not hold, I
>     could have
>     found out jon's first two loans by any means
>
>     (eg, to pick up on messages passim,  jon, somewhat paranoid about
>     privacy,
>     shielded his face with the first two  works when he twice saw a google
>     street view car on the street. I subsequently chanced on the images in
>     google street view, and knowing jon, recognised him both by his unique
>     sartorial style, and by the fact that, not knowing much about
>     google street
>     view, he neglected to cover the side of his face as the car
>     passed, taking
>     360 degree pictures in the horizontal plane).
>
>     What if I never look at the raw data and just use it in rather
>     obscure ways
>     (ie bury it in a database that is only used for library catalogue
>     search
>     personalisation purposes, by a search engine  that could never
>     reveal what X
>     borrowed and in what order  -- still a problem, I'm presuming, I
>     or anyone
>     else with access to the raw database, could find out jon's data.
>
>     Its a minefield out there...
>     regards
>     mark
>
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>         All archives of messages are stored permanently and are
>          available to the world wide web community at large at
>          http://www.jiscmail.ac.uk/lists/data-protection.html
>         If you wish to leave this list please send the command
>           leave data-protection to [log in to unmask]
>     <mailto:[log in to unmask]>
>     All user commands can be found at
>     http://www.jiscmail.ac.uk/help/commandref.htm
>      Any queries about sending or receiving messages please send to
>     the list owner
>                  [log in to unmask]
>     <mailto:[log in to unmask]>
>      Full help Desk - please email [log in to unmask]
>     <mailto:[log in to unmask]> describing your needs
>            To receive these emails in HTML format send the command:
>             SET data-protection HTML to [log in to unmask]
>     <mailto:[log in to unmask]>
>       (all commands go to [log in to unmask]
>     <mailto:[log in to unmask]> not the list please)
>        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
>
>     --------------------------------------------------------------------------------------------
>
>     Please consider the environment before printing this email
>
>     --------------------------------------------------------------------------------------------
>
>     This email and any attachments are confidential and intended
>     solely for the use of the individual to whom it is addressed.  Any
>     views or opinions presented are solely those of the author and do
>     not necessarily represent those of Liverpool Community College or
>     associated companies.  You must not, directly or indirectly, use,
>     disclose, distribute, print, or copy any part of this message if
>     you are not the intended recipient.
>
>
>
>     The message content of in-coming emails is automatically scanned
>     to identify Spam and viruses otherwise Liverpool Community College
>     does not actively monitor content.  However, sometimes it will be
>     necessary for Liverpool Community College to access business
>     communications during staff absence.
>
>
>
>     Liverpool Community College has taken steps to ensure that this
>     email and any attachments are virus free.  However, it is the
>     responsibility of the recipient to ensure that it is virus free
>     and no responsibility is accepted by Liverpool Community College
>     for any loss or damage arising in any way from its use.
>
>     --------------------------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
>
> All archives of messages are stored permanently and are available to 
> the world wide web community at large at 
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
> Selected commands (the command has been filled in below in the body of 
> the email if you are receiving emails in HTML format):
>
>     * Leaving this list: send */leave data-protection/* to
>       [log in to unmask]
>       <mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
>     * Suspending emails from all JISCMail lists: send */SET * NOMAIL/*
>       to [log in to unmask]
>       <mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
>     * To receive emails from this list in text format: send */SET
>       data-protection NOHTML/* to [log in to unmask]
>       <mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
>     * To receive emails from this list in HTML format: send */SET
>       data-protection HTML/* to [log in to unmask]
>       <mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
>
> All user commands can be found at 
> http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the 
> *body* of an otherwise blank email to [log in to unmask] 
> <mailto:[log in to unmask]>
>
> Any queries about sending or receiving messages please send to the 
> list owner [log in to unmask] 
> <mailto:[log in to unmask]>
>
> (Please send all commands to [log in to unmask] 
> <mailto:[log in to unmask]> not the list or the moderators, and 
> all requests for technical help to [log in to unmask] 
> <mailto:[log in to unmask]>, the general office helpline)
>
> ------------------------------------------------------------------------

-- 
------------------------------------------------------------------------

*Tim Trent* - Consultant
*/Tel/*: +44 (0)7710 126618
*/web/*: ComplianceAndPrivacy.com <http://complianceandprivacy.com> - 
where busy executives go to find the news first
*/personal blog/*: timtrent.blogspot.com/ 
<http://timtrent.blogspot.com/> - news, views, and opinions
*/personal website/*: Tim's Personal Website 
<http://www.trent.karoo.net> - more than anyone needs to know

Marketing by Permission 
<http://feeds.feedburner.com/%7Er/MarketingByPermission/%7E6/1>

*Important*: This message is private and confidential. If you have 
received this message in error, please notify us and remove it from your 
system. This email and any attachment(s) are believed to be virus-free, 
but it is the responsibility of the recipient to make all the necessary 
virus checks. This email and any attachments to it are copyright of 
Meadowood Associates, owners of Compliance And Privacy, unless otherwise 
stated. Their copying, transmission, reproduction in whole or in part 
may only be undertaken with the express permission, in writing, of 
Meadowood Associates, at Meadowood House, 30 Redditch, Bracknell, 
Berkshire, RG12 0TT.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^