by orangecat 3238 days ago
Would the proposed ban really affect researchers proving that anonymization schemes don't work, or would it just apply to attempts to reidentify real people in real user data?

There's not a clear line between the two. If a company publishes a list of "anonymized" email addresses, should I be arrested for putting one of the strings into Google to see if it's just an MD5 hash?

The ease of doing it is rather irrelevant. I'm kind of tired of this tech culture meme, that something should be allowed because it is easy.

The full argument is of the form "X is easy to do and hard to detect, so it would require police state tactics to have any hope of enforcing a law against it". The war on drugs is the classic example for this. Murder isn't; killing someone may be relatively easy, but it's usually obvious when it happens and it's hard to avoid leaving evidence of your involvement.


>The full argument is of the form "X is easy to do and hard to detect, so it would require police state tactics to have any hope of enforcing a law against it".

Plenty of crimes go unsolved in most cases. Littering, for example.

When you do catch an internet marketing company deanonymizing data, you can throw the book at them though. Strong penalties can serve as sufficient discouragement to others even if they are unlikely to get caught.

As far as I understand the GDPR, email hashes wouldn't be "anonymous" data at all, they'd be considered pseudo-anonymous (and therefore still PII).

I mean the problem is that this makes good-willed sites like haveibeenpwned.com illegal in the UK (with criminal sanctions) as they attempt to re-identify data that comes from a breach.

But on the other hand, I don't see why processing PII that comes from a data breach with the intent of de-anonymising it should be legal.

Maybe protections should be in place for security researchers, but how do you distinguish between them and malicious actors?
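An added illustration of the "is it just an MD5 hash?" and "pseudo-anonymous, still PII" points above, not code from any commenter: a defender's self-check that recomputes a pseudonymization scheme over a candidate list to see how many published tokens it recovers. The sample addresses and the key are constructed; the scheme names are the usual hashlib/hmac calls.

```python
import hashlib
import hmac

# Constructed sample: addresses a site might publish in "anonymized" form.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def normalize(email: str) -> bytes:
    # Case and whitespace normalization, as most such pipelines do.
    return email.strip().lower().encode()


def md5_pseudonym(email: str) -> str:
    """The weak scheme: an unkeyed hash of a low-entropy identifier.
    Anyone holding a candidate list can recompute and match it."""
    return hashlib.md5(normalize(email)).hexdigest()


def hmac_pseudonym(email: str, key: bytes) -> str:
    """Keyed scheme: without the key, candidates cannot be recomputed
    and matched. Tokens are still consistent per address, so records
    remain linkable, which is why this is pseudonymous, not anonymous."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def reidentify(tokens, candidates, pseudonymize):
    """Self-check: given published tokens, a candidate address list and the
    scheme as the checker believes it to be, return {token: address} for
    every token the checker can recover."""
    table = {pseudonymize(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


def md5_tokens(emails=SAMPLE_EMAILS):
    return [md5_pseudonym(e) for e in emails]


def hmac_tokens(emails, key):
    return [hmac_pseudonym(e, key) for e in emails]


if __name__ == "__main__":
    key = b"constructed-secret-key"  # placeholder, not a real key
    print("md5 recovered:", len(reidentify(md5_tokens(), SAMPLE_EMAILS, md5_pseudonym)))
    guess = lambda e: hmac_pseudonym(e, b"wrong-key")
    print("hmac recovered without key:",
          len(reidentify(hmac_tokens(SAMPLE_EMAILS, key), SAMPLE_EMAILS, guess)))
```

Running it shows every MD5 token recovered from the candidate list and none of the HMAC tokens without the key; the HMAC tokens still let records about one address be joined together, so the data is not anonymous in the GDPR sense either.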