Anonymity Project
In an attempt to perform a national unduplicated accounting of visit patterns across domestic violence homeless shelters, while respecting the confidentiality of the clients who are the subjects of that accounting, the United States Department of Housing and Urban Development ("HUD") has sponsored locally administered Homeless Management Information Systems ("HMIS"). These are computerized data collection and processing systems designed to capture person-specific information over time from homeless persons being served by local shelters. In order to maintain client safety and to ensure high degrees of compliance, HUD agreed that the name and Social Security number of each client of a domestic violence homeless shelter are not to be forwarded to HMIS. Instead, a newly created identifier, termed a "unique identification number" ("UID"), can be used. A question posed is, "how do shelters construct UIDs with minimal risk of re-identification while still achieving an accurate unduplicated accounting?"

The work reported herein provides a framework for reasoning about and assessing proposed technical solutions that may answer this question. Eight categories of technologies (encoding, hashing, encryption, scan cards/RFID, biometrics, consent, inconsistent hash, and distributed query) are examined and a set of recommendations is provided. Results suggest that inconsistent hashing, distributed query and (regular) hashing may be easier to bundle with policies and best practices to create an effective solution. Scan cards, encryption, and biometrics create new kinds of risks to consider. Consent and encoding are technically the simplest to implement but harbor serious dangers that are difficult for any particular implementation to overcome. Biometrics is the only technology that authenticates clients; all the other technologies tend to rely on non-verified information from clients. While significant differences and tradeoffs exist in the use of these technologies, there is no magic technology; rather, there are practices that must be bundled with any chosen technology in order to demonstrate minimal risk of client re-identification and maximum correctness in computing an unduplicated accounting.
L. Sweeney. Risk Assessments of Personal Identification Technologies for Domestic Violence Homeless Shelters. Carnegie Mellon University, School of Computer Science, Technical Report CMU-ISRI-05-133. Pittsburgh, November 2005. Also issued as Data Privacy Lab Working Paper 901, Pittsburgh, 2005.