Encryption has very much been in the news lately, from Apple's fracas with the FBI through BYOE to encrypted WhatsApp messages. "One solution is advanced data-centric encryption," says Bill Stroud, principal engineer at Covata. "This encodes each piece of data on the sender's device and can only be decrypted when the authorised recipient can pass the relevant identity and policy requirements – ensuring data remains unreadable to would-be snoopers."
Put simply, if you want to truly make data safe, encrypt it. However, timing is everything; data should be encrypted before transferring, storing and processing. Nothing should be saved to the cloud without first being encrypted, which protects against any loss of data, too.
Is complete anonymisation actually possible?
Some argue that in the era of geo-location and logged browsing habits, anonymising personal data is becoming almost impossible. "Technology can already build a profile of individuals from their internet browsing habits on an anonymised basis," says Hall. "One of the difficulties is that the profiles become so rich and informative, and so specific on matters such as geographical location, that they can easily edge into constituting personal data rather than anonymous data."
James Henry, UK Southern Region Manager at Auriga Consulting, agrees. "Absolute anonymisation and privacy is far from achievable right now," he says. "One could argue that the exact opposite is far more feasible, since researchers have managed to deploy successful de-anonymisation attacks against several technologies, including onion routing (the famous TOR) and extracting sensitive personal data from open source intelligence utilising big data, machine learning and other techniques."
Recent research at Columbia University indicates that location data makes users highly linkable across different services.
What's the law around TOR?
This is the so-called 'dark web', which obscures the true identity and location of both the user and the service provider. "It could be argued that legitimate sites on TOR would have a slightly reduced regulatory burden in respect of their obligations under the GDPR because it is technically not possible to ascertain who the users are," says Ashley Winton, Partner and UK head of data protection and privacy at international law firm Paul Hastings LLP and Chairman of the UK Data Protection Forum.
Several sites use the anonymity of TOR for the trading of hacked personal data, but for them GDPR compliance is irrelevant. It's currently 'cat and mouse' between government agencies wanting to unmask such TOR users, and those same people evolving their anonymity in response. If the government agencies fail, regulation of TOR is inevitable. "It may develop into a challenging dichotomy between the desire to protect persons whose data is being traded on illegitimate sites on TOR and the desire to protect the rights of legitimate users of TOR," says Winton.
Safety in (smaller) numbers
For many, the best practice on an industry-wide scale would be to minimise the amount of personal data collected. "Unfortunately, we are not currently inclined to limit the data collected, and instinctively services collect and access far more information than they really need," says Ross Woodham, Director of Legal Affairs and Privacy, Cogeco Peer 1. As long as companies blindly build data siloes of personal data they don't use, the role of encryption and anonymisation technology will only increase.