Yes - to me the most shocking thing about MPs' expenses was this.

That is - beforehand I had reckoned it was fair enough to redact MPs'
addresses for data protection reasons (I remember saying this to
Heather Brooke).

But it turned out that she was right - the addresses were vital. So
the only way of balancing the public and private nature of the data
was for a third party (the Telegraph) to examine it, and play fair for
both DPA of innocent MPs, and the public interest of detecting home
flipping.

Now, Tom (if he is still reading this), or anyone who can remember...

What is the name of the query language for quizzing databases with a
certain level of privacy as a parameter of the query? It was a very
clever theoretical thing, I think from Microsoft Research, and gets to
the core of this debate.

Francis

On Sat, Jan 15, 2011 at 08:40:14AM +0000, Tim Green wrote:
> I remember wondering this for the MPs' expenses stuff - them
> objecting to the publication of addresses meaning that you wouldn't
> have been able to spot flipping.
> 
> Thoughts:
> a) Not sure how you'd explain hashing and salting to someone.
> b) With only a few tens of millions of addresses, even with a salt,
> it could be trivial to brute-force someone's address hash. You'd
> have to estimate the current and future cost of the resources
> involved.
> 
> Tim
> 
> On 15/01/2011 01:29, 'Dragon' Dave McKee wrote:
> >(I know this is pie-in-the-sky thinking but...)
> >
> >The issue with the personally identifying information is that... well,
> >it identifies a person.
> >
> >However, we don't necessarily want to identify that person, just
> >confirm that record A and record B refer to the same person.
> >
> >Couldn't we take a hash (with appropriate salt etc) of the personally
> >identifying information to permit these comparisons, without providing
> >actual identifying information?
> >
> >Addresses can be normalised to whatever Royal Mail believes it should be.
> >Names are harder, and more mutable - surname changes mess up most
> >systems - but could potentially have different hashes (surname /
> >surname + forename / surname + all names) to allow for partial
> >matches. (We could salt it with further information - perhaps address?
> >- to avoid 'SMITH' being the encoding for the most common surname
> >hash.)
> >
> >There could even be a system to convert hashes from one system to
> >hashes in another system, but not necessarily vice-versa.
> >
> >This doesn't necessarily solve the underlying problem, but might go
> >some way to finding middle ground.
> >
> >_______________________________________________
> >developers-public mailing list
> >[email protected]
> >https://secure.mysociety.org/admin/lists/mailman/listinfo/developers-public
> >
> >Unsubscribe: 
> >https://secure.mysociety.org/admin/lists/mailman/options/developers-public/timothy.green%40gmail.com
> 
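The trade-off raised in the thread, as an added example that is not part of any message on the list: a hash with a published salt lets records be linked, but anyone holding an address list can reverse it by enumeration, whereas a keyed HMAC supports the same linkage only for whoever holds the key. The normaliser, sample addresses, salt and keys below are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def normalise(address: str) -> str:
    # Stand-in for the Royal Mail normalisation mentioned in the thread.
    return " ".join(address.upper().replace(",", " ").split())

def salted_token(address: str, salt: bytes) -> str:
    # Salt is published with the data set, so anyone can recompute tokens.
    return hashlib.sha256(salt + normalise(address).encode()).hexdigest()

def keyed_token(address: str, key: bytes) -> str:
    # Key is held only by the party doing the linkage (a trusted third party).
    return hmac.new(key, normalise(address).encode(), hashlib.sha256).hexdigest()

def recover(token, candidates, tokenise):
    # Enumerate a candidate address list and return the one matching the token.
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return normalise(candidate)
    return None

# Constructed sample data: a tiny stand-in for a national address list.
ADDRESS_LIST = ["1 Example Street, Anytown", "2 Example Street, Anytown",
                "Flat 3, 9 Sample Road, Othertown"]
SALT = b"published-salt"             # constructed; public by design
KEY = secrets.token_bytes(32)        # secret linkage key
WRONG_KEY = secrets.token_bytes(32)  # what an outsider without KEY has

def demo():
    a = "1 example street,  anytown"   # same address, two spellings
    b = "1 Example Street, Anytown"
    return {
        "links_salted": salted_token(a, SALT) == salted_token(b, SALT),
        "links_keyed": keyed_token(a, KEY) == keyed_token(b, KEY),
        # Published salt: the address falls out of a simple enumeration.
        "salted_recovered": recover(salted_token(a, SALT), ADDRESS_LIST,
                                    lambda c: salted_token(c, SALT)),
        # Keyed token: enumeration without KEY finds nothing.
        "keyed_recovered": recover(keyed_token(a, KEY), ADDRESS_LIST,
                                   lambda c: keyed_token(c, WRONG_KEY)),
    }

if __name__ == "__main__":
    print(demo())
```

The keyed variant moves the privacy question to who holds the key, which is the role the top message assigns to a third party examining the data.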
