CPI is pleased to announce the return of CPI Talks - a public outreach lecture series.
This month’s talk features Joel Reardon on Anonymity, Consent, and Other Noble Lies.
When: Monday, June 15, 2026
Where: Enterprise Theatre, East Campus 5 (Room EC5-1101/1111), 305 Phillip St., University of Waterloo
Time: 2:30 p.m. to 4 p.m.
Please register in advance.
Abstract:
While legal scholars have cited decades of computer science research that demonstrates why anonymity is hard (and that datasets should not be labelled as “anonymous” cavalierly), industry and legal practitioners have not heeded those warnings: many organizations trafficking in consumer data continue to assert to customers, courts, and regulators, that their data is anonymous or “deidentified.” We acquired datasets from multiple data brokers to demonstrate empirically why this is false. Using publicly available email addresses found in data breaches posted on the Internet, we trivially reidentified 88% of the hashed email addresses that we obtained.
Relatedly, organizations trafficking in this data make another assertion, that this data was collected from consumers with their consent. To evaluate this claim, we performed a survey (n=369), in which we emailed a subset of the reidentified individuals in our datasets to recruit them to participate. This survey asked participants about their recollections of having provided consent (99% had no recollection) and their feelings about the sale of their information (94% were opposed, while 77% said they planned to submit deletion requests). Overall, our study shows that hashed email addresses and device identifiers do not come close to meeting commonly understood definitions of “anonymous” or “deidentified” data, and that any notion of “consent” must also involve a similarly tortured definition. We argue that this industry and its defenders are not simply misinformed or indifferent to the veracity of their statements, but that this is an example of Plato’s “noble lie”: their entire social order relies on these demonstrably untrue statements being believed by courts, regulators, policymakers, and the public.
About Joel Reardon
Joel Reardon is an Associate Professor at the University of Calgary who researches mobile security and privacy issues and data collection done through those devices. He has also co-founded the privacy analytics company AppCensus. He received his Bachelor’s and Master’s at the University of Waterloo and his Doctor of Sciences at ETH Zurich. His work has uncovered widespread privacy violations in mobile apps, including studies on how apps circumvent Android’s permissions system and fail to comply with children’s privacy laws, and has been covered by the CBC, the BBC, the Washington Post, and the Wall Street Journal, among other places. His research has received the Emilio Aced Research and Personal Data Protection Award, the CNIL–Inria Data Protection Award, and the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies. He has advised regulators and policymakers on digital privacy and works to translate technical findings into changes that protect everyday users. He likes bicycling and snowboarding.
CPI Talks feature experts speaking on cybersecurity and privacy topics that concern the general public as a whole. The talks are intended for people from all walks of life, and thus will be designed so that they are accessible to members of the general public without any pre-requisite background or knowledge in cybersecurity and privacy. In our increasingly digital world, cybersecurity and privacy concerns affect everyone. Everyone is therefore welcome to attend CPI Talks.