Data & Privacy
Your Anonymous Data Isn't Anonymous — It Never Was
In 2006, AOL released 'anonymised' search logs for 650,000 users, and within days a New York Times reporter had identified a 62-year-old widow from Georgia using nothing but her searches.
The Idea
Anonymisation sounds like a technical guarantee. Strip out the name, the address, the obvious identifiers — and what remains is just data, floating free of any person. This intuition is wrong, and the gap between the intuition and reality is where most privacy policy quietly collapses. The problem is re-identification: the process of linking supposedly anonymous records back to specific individuals. It turns out that most datasets, even heavily scrubbed ones, are riddled with combinations of mundane details that are individually harmless but collectively unique. Your age, postcode, and biological sex together are enough to identify around 87% of the US population. Add a few more variables — your commute pattern, your three most-visited locations, your purchase timing — and you are, statistically speaking, the only person on the planet who fits that description. Researchers call these quasi-identifiers: fragments that feel anonymous but act as fingerprints when combined. The deeper problem is that the power of any given dataset to re-identify people scales with the number of other datasets it can be cross-referenced against. Every loyalty card database, every fitness tracker export, every leaked voter roll becomes a new key that can unlock supposedly sealed records somewhere else. Anonymisation, done in isolation, is like locking your front door while leaving the windows open — it looks secure until someone tries.
In the World
In 2019, a team of researchers at MIT and Imperial College London published a striking demonstration of this. They took a dataset of credit card transactions — four spatial-temporal data points per person, meaning four purchases with location and time stamps — and showed that 90% of individuals could be uniquely re-identified even when the dataset had been fully anonymised by conventional standards. The researchers weren't using exotic surveillance tools. They were using the kind of auxiliary information you could piece together from public records and social media: the rough neighbourhood someone lives in, the times they typically shop, a known gym or workplace. Four data points. That's roughly what a single afternoon of contactless payments produces. The AOL case from 2006 remains the most human illustration of the same principle. Search logs for user 4417749 showed queries for 'landscapers in Lilburn, Ga', several people with the last name Arnold, and 'hand trembling'. Reporters Barbaro and Zeller cross-referenced these fragments and knocked on the door of Thelma Arnold within days. She was mortified — she'd had no idea her searches were even being recorded, let alone published. AOL had removed her name. They had not removed her.
Why It Matters
Most of the consent frameworks we interact with — cookie banners, privacy policies, app permissions — are built on the premise that anonymisation is a meaningful protection. If you accept that premise, the whole system feels reasonable: share the data, strip the names, everyone's safe. But if anonymisation is largely a polite fiction, then those frameworks are offering a kind of theatrical privacy rather than the real thing. This changes how you might read headlines about data breaches, data sales, or government requests for 'anonymised' records. The question isn't just whether your name is attached — it's what other datasets exist that could be cross-referenced, and who has access to them. It also reframes the idea of informed consent. You can only consent meaningfully to sharing data if you understand what can be inferred from it. Right now, most of us are consenting to things we don't fully grasp — not because we're naive, but because the re-identification math is genuinely non-obvious. Knowing that math exists is the first step toward asking better questions of the systems that process your data every day.
A Question to Ponder
If the data you consider most private about yourself isn't your name or address but your patterns — when you sleep, where you hesitate, what you search at 2am — who currently holds enough of those patterns to know you better than you'd like?
Get a new one of these every morning.
Start learning with Thinkable