FTC, NIST Could Focus on De-Identification With Workshop, Report, Standards, Enforcement
The FTC could hold a de-identification workshop in the next 12 months, with a follow-up staff report, said former Consumer Protection Bureau Chief David Vladeck in an interview. Enforcement actions for breaking de-identification promises could follow in the coming years, said Vladeck, Georgetown Law professor and co-director of its Institute for Public Representation. It has been two years since the FTC privacy report, perhaps the commission’s major statement on de-identification, observers said. With research rapidly advancing in the two years since, de-identification experts told us it’s time for the FTC to step up its guidance, and possibly enforcement, role.
"When companies make specific promises around privacy tied to de-identification, they should be required to furnish some proof,” said Arvind Narayanan, a computer science assistant professor at Princeton University who has done extensive research on the state of de-identification. “We thought about doing [a workshop] in 2012 and we thought it would be premature,” Vladeck said.
Now, Vladeck said, “there are technical means of improving the ability to de-identify data.” Some believe the FTC is long-delayed in recognizing the potential effectiveness of de-identification. “The FTC in particular has really only gotten a one-sided view of this,” said Daniel Castro, head of Information Technology and Innovation Foundation’s Center for Data Innovation.
The FTC 2012 privacy report called on companies “to publicly commit to the steps they take” to de-identify data, agree not to re-identify data and contractually prohibit any recipients of their data from trying to re-identify as well (http://1.usa.gov/1cPhLc0). It stopped short of requirements or specific de-identification techniques, only listing several approaches that “may be reasonable” -- “deletion or modification of data fields, the addition of sufficient ‘noise’ to data, statistical sampling, or the use of aggregate or synthetic data.”
“We heard it the moment the privacy report was issued,” Vladeck said. “Where’s the beef? Where’s the more detailed guidance?” The criticism was “fair,” he said, but “I think in 2012 we just weren’t just comfortable with saying, ‘Here’s what you guys ought to do.’” De-identification was being extolled as “sort of the magic bullet to solve the big data problem,” Vladeck said. But the FTC thought “look, there are limits to de-identification and in some fields de-identification is neither practical nor necessarily desirable,” he said. The report urged more research on de-identification techniques.
Split Interpretation
Fast forward two years -- that research is taking place, but its interpretation is split (WID June 18 p1). “Our disagreements are somewhat less on the facts and more on our interpretation of them,” Castro said. Castro and Ontario Privacy Commissioner Ann Cavoukian recently released a paper arguing the conclusions of prominent re-identification research were overblown (WID June 17 p1). It set off a back-and-forth. Former FTC chief technologist Ed Felten and Narayanan published a response paper, “No silver bullet: De-identification still doesn’t work.” Castro saw in the paper’s title another elevation of the researchers’ claims. “That’s the first time I've seen them make such a blanket statement like that,” he told us after publishing an article in which he called the research duo “de-identification deniers,” and their claims “incredible” and “dangerously misleading” (http://bit.ly/1s2zlSG).
It’s a poor characterization of his position, Narayanan told us. He’s not saying de-identification is useless. There just doesn’t yet exist “any methodology to allow you to put that sort of affirmative statement about a data release being safe,” he said. Even if the two sides agree on the risk of releasing a particular data set, “we seem to have different viewpoints on who the burden of proof is on,” said Narayanan. For him, that burden should fall to the data releaser.
The debate has spilled over into the policymaking and enforcement arena. Marjory Blumenthal, executive director of the President’s Council of Advisors on Science and Technology (PCAST), recently said privacy technology to properly protect data sets is “not there yet” (WID July 18 p3). In comments about the White House big data report filed Tuesday to NTIA, the Electronic Frontier Foundation (EFF) said “it is difficult” to craft a consumer privacy bill of rights “given the problems surrounding de-identified data.” The big data reports from PCAST and the White House (WID May 2 p1; May 5 p1) were seen as possible precursors to a broad consumer privacy legislative proposal.
The FTC has also indicated data de-identification is central to its upcoming agenda. The commission hired noted data re-identification researcher Latanya Sweeney as chief technologist for 2014 (WID April 21 p1) and both Chairwoman Edith Ramirez and Commissioner Julie Brill stressed Sweeney’s data encryption work would inform the agency’s research and work (WID March 7 p4; March 10 p6). After the FTC workshop could come a staff report about “what is going on in the industry and where is it headed,” said Vladeck. The FTC declined to comment.
Enforcement actions could follow in the years after, Vladeck said, where the commission targets companies for inadequate data de-identification techniques. “I think the agency would look for those kind of enforcement targets,” he said. The nascent de-identification market would first have to mature, said James Cooper, a former deputy director of the FTC Office of Policy Planning who left the commission three years ago. There would have to be a commonly accepted set of best practices, similar to best practices the FTC cites in its data privacy and data security cases, he said. “If de-identification ever got to that point, I could certainly see them bringing a case like that.”
The National Institute of Standards and Technology could help de-identification get to that point, observers said. Drawing from the Department of Commerce’s work through the Census Bureau on data de-identification, NIST is well situated to promulgate technical standards with outside stakeholder input, Castro said. “I don’t think I've seen anything at NIST really working on this, which is a problem.” NIST standards are an “interesting idea,” Narayanan said. He cautioned that data de-identification standards would “almost assuredly” require an ethical component, unlike the data encryption standards NIST currently releases.
Holding companies more accountable for de-identification promises benefits both the market and consumers, Narayanan said. “It will force companies to either not carry out these practices any more, or invest in better technology, or state clearly in their privacy policies that they're not able to make privacy guarantees,” he said. “The resulting consumer backlash will move the market toward a new sort of equilibrium where the value that consumers place on privacy gets traded off with the benefits that we get from big data.”