In 1997, an MIT graduate student named Latanya Sweeney stunned the privacy world by matching publicly available voter rolls with hospital records stripped of names and addresses to identify the supposedly anonymous medical history of the then-governor of Massachusetts. Three years later, she expanded on that finding by demonstrating that 87 per cent of the U.S. population could be uniquely identified using just three data points: ZIP code, date of birth and gender.
My Globe and Mail op-ed notes that Ms. Sweeney’s work shaped privacy frameworks worldwide, which responded with de-identification standards designed to manage the risk by removing obvious identifiers, applying statistical tests and treating the resulting data as safe to use. Indeed, a core tenet of modern privacy regulation rests on the premise that de-identified data can be used, disclosed and commercialized without compromising individual privacy.
