Topic 1. Protecting individuals whose data are re-identified.

Post 1

You have a responsibility to keep personal information private, unless publishing that information serves a greater purpose. If that is the case, one should contact those people and explain to them what has happened and ask for their consent to publish their data.

Post 2

If we find evidence of significant harm then it is appropriate to notify them. It depends on the goal of your experiment, and whether the goal is to quantify vulnerability or make a political case against these data disclosures.

Post 3

The researcher should point out potential risks in a consent form so as to separate culpability from him/herself. Commercial entities, on the other, should be eligible for prosecution if they are using data upon which precautions have been taken to prevent re-identification.

Post 4

A researcher has a responsibility to keep the data confidential and to themselves. If they need to publish this re-identified data, they should seek the consent of those who are in the data.

Post 5

It would depend if you were going to publish the results. You might be able to tell them you have identified a danger and you probably need to let them know. The adverse impact would depend on what kind of information it is. What if someone were in the witness protection program, for example?

Post 6

The researchers are responsible for keeping the data confidential; however, if it is necessary to publish the data in order to reveal procedures or techniques, it is the researcher's responsibility to go to the re-identified individuals (or some set of those) in order to obtain consent to publish the information.

Post 7

Researchers must get their consent in order to publish that data. Consent involves full and complete information given to the participant about what exactly will be done with the data. Adverse impacts: having public health records can make you less employable if you are sick.

Post 8

Consent needed in either research or commercial applications. Health records release can affect employment prospects, especially with the insurance mandate.

Post 9

When dealing with unidentified data, most people wouldn't mind if it was being used by commercial entities, i.e. marketing, market research etc. The ethical issue arises when dealing with re-identified data because of the genuine loss of privacy .

Post 10

The researcher should do as much work as possible with the individuals or company who have the exposed dataset. Ideally, they will publish their methods after the problem has been fixed. The important issues are the exposed identities from the dataset and the action that is taken to fix the dataset. If the company does not want to change their dataset, then the researcher may be forced to go public in some way to expose the problem.

Post 11

I would argue that researchers engaging in a re-identification experiment has the responsibility of attempting to protect the re-identified the data. However, the researcher should also share the vulnerabilities in an attempt to fix the security flaws.

Post 12

While it would be nice to be able to convince publishers that they should hold back that their data, often they will not listen, and you may be compelled to publish the re- identified data as a way to "shock" the public into an outcry. Of course, now you risk harming those in the data. Ideally, you could publish a subset of the data, or find a way to invoke the outcry without publishing all the results.

Post 13

For me this is a double-edged sword. If you publish methods for re-identification, others can use it to their advantage to harm people, however, methods aren't published, nobody will buy the story. I think a researcher should share the information in stages, first to those who can fix the problem, and once the problem is fixed, to the public.

Post 14

Researchers should describe the risks of reidentification as part of the informed consent process for volunteers or participants. Commercial entities do not need to contact participants about risk; that should be the job of whoever is providing the data to the entities for their use.