Ben Laurie blathering

Encryption Is Not Anonymisation

I was surprised to see

the encrypted (and thus anonymised) customer identity

in Richard Clayton’s analysis of Detica.

As we know from the AOL and Netflix fiascos, this is far from the truth. If you want anonymity, you also need unlinkability. But I’ve said that before.

1 Comment

  1. yeah, I thought it was odd too. Given access to the hardware, you can de-anonymise by spoofing in TCP packets; if the VM address space is 16 bits, that’s 2^16 packets, which isn’t that many on a decent network. Bring up a Hadoop cluster, push out the work, wait.

    If you were listening to BitTorrent status updates you’d know who was talking at a specific time, then go back to fingerprint data, and then you are one step away from the complete history of that user.

    As a Virgin Media customer, I’m not sure what my options are. I think a note arguing that I do not authorise this intercept and that any claim about anonymity is behind modern thinking in datamining.

    Comment by SteveL — 8 Dec 2009 @ 23:37

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress