Kesan, et al. 2013 (†720)Kesan, Jay P., Carol M. Hayes, and Masooda N. Bashir, "Information Privacy and Data Control in Cloud Computing: Consumers, Privacy Preferences, and Market Efficiency," Washington and Lee Law Review 70:1 (Winter 2013), p.341-472.
- reidentification (p.442-443): Even if identifying information is removed, that does not necessarily solve the privacy problems. Reidentification science is a new field in computer science research that reattaches anonymized information to identified individuals. Researchers may reidentify a dataset by, for example, comparing two databases, one anonymized and one containing PII [Personally Identifiable Information] and some information fields in common with the anonymized database. The FTC has recently acknowledged that the distinction between PII and de-identified information is often blurred. Because of the ease with which data can be reidentified, Ohm suggests rejecting the concept of PII entirely, though Schwartz and Solove instead suggest a reunderstanding of what information should be considered PII. Considering the technological issues, theorists who urge government regulation should evaluate which approach to PII should be taken. Reidentification science should be examined by policymakers to determine whether the concept of PII should be expanded to include both identified and identifiable information. Schwartz and Solove propose a model in which information is considered identified when the person's identity is ascertained, identifiable when there is a nonremote possibility of future identification, and nonidentifiable when the risk of identification is remote and the information is not relatable to a person. (†1643)
- reidentification (p.465): The problem of reidentification raises additional issues because it can lead to anonymized, descriptive information about the consumer being reattached to the consumer's identity. While we would not recommend a regime that stifles innovation and academic creativity, a legal regime to protect PII in the cloud also needs some forward-looking provisions addressing the possibility that reidentification science could lead to threats to personal privacy in the future. These provisions, for example, might prohibit the use of public records for reidentification purposes unless the user certifies compliance with some form of privacy standard. (†1644)