Notes: Privacy Is Hard (Creative Commons License)
Chapter 1

We Are Not Collecting Personal Data

  1. The camera was using a tool called automatic license plate recognition (ALPR)—also known as automatic number plate recognition (ANPR)—which is also used by traffic-enforcement cameras to automatically detect the license plate of a speeding car or a car that crosses a red traffic light.
  2. O. S. Kerr, "The Mosaic Theory of the Fourth Amendment," Michigan Law Review 111, no. 3 (2012): 311–354.
  3. Q-Park—one of the businesses managing such car parks—claims it only processes license plates locally and doesn't store them afterward (in the limited number of cases in which it uses license plate parking in the first place, according to a clarification provided by email in May 2019).
  4. N. Purtova, "The Law of Everything: Broad Concept of Personal Data and Future of EU Data Protection Law," Law, Innovation and Technology 10, no. 1 (2018): 40–81.
  5. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, "On the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)," Official Journal of the European Union L 119 (May 4, 2016): 1–88; Regulation (EU) 2016/679 (GDPR), Article 4 (1). Emphasis added.
  6. See Purtova, "The Law of Everything"; recital 26 of the GDPR; and the Breyer ruling of the European Court of Justice (judgement of October 19, 2016, Patrick Breyer v. Bundesrepublik Deutschland, C-582/14 EU:C:2016:779), although that ruling was based on the earlier data-protection directive.
  7. This is where the GDPR differs from earlier legislation, offering stronger protection than before. Recital 26 of the GDPR specifically mentions singling out individuals, as opposed to the corresponding recital 26 of the previous Data Protection Directive; see Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, "On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data," Official Journal of the European Communities L 281 (November 23, 1995): 31–50. But the Article 29 Working Party did consider such identifiers to fall under the scope of the definition of personal data under the old directive even back in 2007; see Article 29 Working Party, "Opinion 4/2007 on the Concept of Personal Data," June 20, 2007. See also Purtova, "The Law of Everything"; and F. J. Zuiderveen Borgesius, "Singling Out People without Knowing Their Names—Behavioural Targeting, Pseudonymous Data, and the New Data Protection Regulation," Computer Law & Security Review 32, no. 2 (2016): 256–271.
  8. R. Leenes, "Do They Know Me?—Deconstructing Identifiability," University of Ottawa Law & Technology Journal 4, no. 1–2 (2008): 135–161.
  9. These are recognizable identifiers and not lookup identifiers only if the account is not associated with a named individual.
  10. Rb. Oost-Brabant, 26-11-2013, ECLI:NL:RBOBR:2013:6553.
  11. Hof 's-Hertogenbosch, 19-08-2014, ECLI:NL:GHSHE:2014:2803.
  12. According to M. Lafsky, "Attack of the Super Crunchers: Adventures in Data Mining," Freakonomics (blog), August 23, 2007. Visa denies this; see N. Ciarelli, "How Visa Predicts Divorce," Daily Beast, last updated July 14, 2017.
  13. S. Boztas, "Look Away: Privacy Watchdog Warns Banks Not to Use Payments for Marketing," DutchNews (blog), July 3, 2019; M. Gijzemijter, "Privacy Outrage Causes Bank to Ditch Plans for Targeted Ads Based on Customers' Spending Habits," ZDNet, March 18, 2014.
  14. G. Pogrund, "Home Office Tracks Debit Card Use to 'Spy' on Asylum Seekers," The Times, January 27, 2019.
  15. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015, "On Payment Services in the Internal Market, Amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and Repealing Directive 2007/64/EC," Official Journal of the European Union L 337 (December 23, 2015): 35–126.
  16. A Google subsidiary (Google Payment Ltd.) already has a license to issue electronic money and to provide payment services in the United Kingdom; see here, accessed July 15, 2019.
  17. K. Poulsen, "PayPal Freezes WikiLeaks Account," Wired, April 12, 2010; A. Greenberg, "Visa, MasterCard Move to Choke WikiLeaks," Forbes, December 7, 2010.
  18. T. S. Heydt-Benjamin, H.-J. Chae, B. Defend, and K. Fu, "Privacy for Public Transportation," in Privacy Enhancing Technologies: 6th International Workshop, PET 2006, ed. G. Danezis and P. Golle (New York: Springer, 2006), 1–19.
  19. G. Coppola and D. Welch, "The Car of the Future Will Sell Your Data," Bloomberg Businessweek, February 20, 2018.
  20. Kevin Bankston, Twitter, November 18, 2018, 11:48 a.m.
  21. M. L. Stone, Big Data for Media (Oxford: Reuters Institute for the Study of Journalism, November 2014).
  22. J. Zaslow, "If TiVo Thinks You Are Gay, Here's How to Set It Straight," Wall Street Journal, November 26, 2002.
  23. Regulation (EU) 2016/679 (GDPR), Article 5.1(b).
  24. Regulation (EU) 2016/679 (GDPR), Recital 47, 70, Article 21.
  25. Digital Rights Ireland (CJEU, Joined Cases C-293/12 and C-594/12, 8.04.2014).
  26. Rb. Den Haag, 06-01-2020, ECLI:NL:RBDHA:2020:187.
  27. "Santander Arrest," Hoge Raad, 09-09-2011, ECLI:NL:HR:2011:BQ8097.
  28. S. Gürses, "Can You Engineer Privacy? The Challenges and Potential Approaches to Applying Privacy Research in Engineering Practice," Communications of the ACM 57, no. 8 (August 2014): 20–23; G. Danezis and S. Gürses, "A Critical Review of 10 Years of Privacy Technology," August 12, 2010. The distinction between hard and soft privacy was drawn by George Danezis. See G. Danezis, "Distributed Ledgers: What Is So Interesting about Them?," Conspicuous Chatter (blog), September 27, 2018.
  29. B.-J. Koops, "The Concept of Function Creep," Law, Innovation and Technology 13, no. 1 (forthcoming). See also dictionary.com, accessed February 4, 2019.
  30. Banksy is a famous example in this latter category, having started his career as a graffiti artist in the nineties in Bristol in the United Kingdom.
  31. A. Pfitzmann and M. Hansen, Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management—A Consolidated Proposal for Terminology, version 0.34, August 10, 2010.
  32. ENISA, Pseudonymisation Techniques and Best Practices: Recommendations on Shaping Technology According to Data Protection and Privacy Provisions (Attica, Greece: ENISA, November 2019).
  33. In general, hash codes are not unique as the domain of inputs to the hash function is typically much larger than the range of available output hash codes. This means that in fact (infinitely) many possible inputs are mapped to a single output hash code. But as the range of hash functions is actually quite large (in practice, hash functions have 256-bit outputs), the probability of a collision is negligible. We ignore these important details in the main text as they are not relevant for the exposition here.
  34. People often confuse hashing and encryption. It is important to stress here that using a publicly known hash function—which, by definition, cannot be inverted by anyone—is really different from using a publicly known encryption function but keeping the cryptographic key secret. In a symmetric key setting, this key must be known and available to compute the equivalent of a hash code. But this allows the holder of that key to trivially decrypt and hence invert the code. Only in an asymmetric setting, wherein the public key is used for encryption to generate the hash code while the private key is destroyed right away, are the two methods roughly equivalent.
  35. For example, SHA-3 FIPS 180-4, Secure Hash Standard, NIST FIPS PUB 180-4 (Gaithersburg, MD: National Institute of Standards and Technology, US Department of Commerce, August 4, 2015).
  36. It may even not be easy (although certainly possible) to come up with a plausible document that, when hashed, returns the same table of letter frequencies.
  37. Actual hash codes are longer, typically between 128 and 256 bits—that is, sixteen to thirty-two bytes, which corresponds roughly to sequences of twenty-two to forty-four characters. For an illustration of the example given here, see xkcd, accessed January 31, 2019.
  38. This is not true for shorter passwords like petname01!, as we will see in a moment.
  39. See www.surety.com; see also D. Oberhaus, "The World's Oldest Blockchain Has Been Hiding in the New York Times since 1995," Motherboard/Vice, August 27, 2018.
  40. There were 46,475,000 registered cars in Germany. See H. Bekker, "2018 Germany: Total Number of Registered Cars," Car Sales Statistics (blog), March 5, 2018. This may sound like a large number, but even a personal computer can execute millions of instructions per second these days. Depending on the particular hash function used, this means an ordinary PC can hash between one hundred thousand and one million license plates per second. Graphics processors can do this quite a lot faster.
  41. The construction of dictionaries to break the protection offered by hashing can be made more difficult in two different ways. The first method is by applying a key-derivation function, which is essentially a hash function that is known to take a significant amount of time (say, a second) to compute its output. Constructing a dictionary with a million entries would then take an adversary seven days to compute. A dictionary for fifty million entries would take a year. The second method is called salting, which we will discuss later on in this chapter.
  42. Even hashed passwords are at risk if the password used is too short or too easy to guess. This explains why even when password files contain only the hashes of passwords, hacks like the 2012 LinkedIn hack can allow criminals to recover the passwords of millions of accounts.
  43. C. Percival and S. Josefsson, The scrypt Password-Based Key Derivation Function, RFC 7914 (RFC Editor, August 2016).
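An added example (not from the book) that puts notes 33, 34, 40 and 41 together in Python: a plain SHA-256 of a license plate is reversed with a precomputed dictionary over the (small) plate domain, whereas a keyed hash (HMAC with a secret key) or a salted, deliberately slow KDF such as scrypt (RFC 7914) makes that table useless. The plate format, the key and the salts are constructed for the demonstration.

```python
"""Added example: hashing a small-domain identifier is not anonymisation, and what fixes it.
The five-letter plate format, the key and the salts below are constructed, not real."""
import hashlib
import hmac

# Constructed toy plate domain: one of five letters, a dash, three digits (5,000 plates).
LETTERS = "ABCDE"
PLATES = [f"{letter}-{number:03d}" for letter in LETTERS for number in range(1000)]

def plain_hash(plate: str) -> str:
    """Unkeyed SHA-256: the 'hash it and it is anonymous' approach the chapter criticises."""
    return hashlib.sha256(plate.encode()).hexdigest()

def keyed_hash(plate: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key (note 34): without the key nobody can rebuild the table."""
    return hmac.new(key, plate.encode(), hashlib.sha256).hexdigest()

def salted_kdf(plate: str, salt: bytes) -> str:
    """Salted scrypt (RFC 7914, note 41): every salt needs its own table and every entry costs work."""
    return hashlib.scrypt(plate.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32).hex()

def build_dictionary(hash_fn) -> dict:
    """Precompute code -> plate over the whole input domain (note 40: cheap for a plain hash)."""
    return {hash_fn(plate): plate for plate in PLATES}

def reverse(code: str, table: dict):
    """Invert a hash code by table lookup; None means the table does not cover it."""
    return table.get(code)

if __name__ == "__main__":
    table = build_dictionary(plain_hash)
    print(reverse(plain_hash("C-042"), table))       # C-042: the plain hash is reversed
    key = b"constructed-secret-key-for-demo-only"
    print(reverse(keyed_hash("C-042", key), table))  # None: the plain table does not help
    print(salted_kdf("C-042", b"salt-1") == salted_kdf("C-042", b"salt-2"))  # False
```

Scaling the domain up to the 46 million plates of note 40 changes only the size of `PLATES`; the plain-hash table stays feasible, while the keyed and salted variants do not get a shareable table at all.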