Hashing alone is not enough to protect privacy

The Wired News article “Gambling on Private Data Search” includes many naive-sounding quotes regarding hashing and data mining. Obviously hashing alone is not enough to avoid serious privacy problems. So is there more to this than the vendor quotes below? (I hope so.)

Systems Research and Development, a company known for helping casinos spot fraud, has developed a product called Anonymous Entity Resolution. It claims the technology can help investigators determine whether a terrorist suspect appears in two separate databases — say, a government watch list and a hotel reservation system.



It not only finds the information by comparing records in multiple databases, but also scrambles the information using a “one-way hash function,” which converts a record to a character string that serves as a unique identifier like a fingerprint.

“All it tells them is that they have somebody in common,” said Jeff Jonas, founder and chief scientist at SRD. “It doesn’t tell them who.”

Once a match is found, which happens when disparate records produce the same character string, agents can isolate those particular records without examining any other information.

A record that has been one-way hashed cannot be “un-hashed” back to the original record — any more than “a sausage can be turned back into a pig,” Jonas said.
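Why the "cannot be un-hashed" argument falls short for low-entropy identifiers such as names, shown as an added example (not code from the Wired article or from SRD's product): the hash does not need to be inverted if every plausible input can simply be hashed and compared. The names, the key and all function names are constructed for illustration, and the HMAC variant is one common mitigation assumed here, not something the article describes.

```python
import hashlib
import hmac

# Constructed sample data; every name below is made up for this example.
WATCH_LIST = ["Alice Example", "Bob Sample"]
HOTEL_GUESTS = ["bob  sample", "Carol Placeholder"]
PUBLIC_DIRECTORY = ["Alice Example", "Bob Sample", "Carol Placeholder", "Dave Nobody"]


def normalize(name):
    """Lower-case and collapse whitespace so both databases hash the same string."""
    return " ".join(name.lower().split())


def plain_token(name):
    """Unkeyed one-way hash: anyone can recompute it for any name they can guess."""
    return hashlib.sha256(normalize(name).encode("utf-8")).hexdigest()


def keyed_token(name, key):
    """HMAC-SHA256: recomputing a token requires the secret key."""
    return hmac.new(key, normalize(name).encode("utf-8"), hashlib.sha256).hexdigest()


def common_tokens(tokenizer):
    """The matching step: tokens that appear in both databases."""
    return {tokenizer(n) for n in WATCH_LIST} & {tokenizer(n) for n in HOTEL_GUESTS}


def reidentify(tokens, candidates, tokenizer):
    """Hash every candidate name and look the observed tokens up in the result."""
    lookup = {tokenizer(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    key = b"constructed-demo-key"  # assumption: held only by the two data owners
    plain_common = common_tokens(plain_token)
    keyed_common = common_tokens(lambda n: keyed_token(n, key))
    # An observer with a directory of likely names, but without the key:
    plain_hits = reidentify(plain_common, PUBLIC_DIRECTORY, plain_token)
    keyed_hits = reidentify(keyed_common, PUBLIC_DIRECTORY,
                            lambda n: keyed_token(n, b"observer-guess"))
    return len(plain_common), len(keyed_common), plain_hits, keyed_hits


if __name__ == "__main__":
    n_plain, n_keyed, plain_hits, keyed_hits = demo()
    print("matches found:", n_plain, n_keyed)
    print("names recovered from plain hashes:", sorted(plain_hits.values()))
    print("names recovered from keyed hashes:", sorted(keyed_hits.values()))
```

Both schemes find the one record in common, but only the keyed tokens resist lookup by someone without the key. Whoever holds the key can still run the same lookup, so keying narrows who can re-identify records rather than making the tokens anonymous.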
