Data Privacy and Consumer Protection: Anonymizing User Data is Necessary, and Difficult

Soren Heitmann
29 Nov 2017

by Soren Heitmann

Next generation data analytics are driving innovative products, services and new FinTech business models.  Many of these products draw on individual consumer data.  Responsibly managing data privacy and ensuring consumer data protection is critical to mitigate operational and reputational risks.  In many markets, regulators are still catching up.  Unfortunately, many innovators identify risks after it is too late.  This post explores the issue of data anonymization and encryption.  Three cases identify different ways in which individually identifying data was exposed, even though providers took steps to anonymize and encrypt identifying information.

Difficulties in Anonymizing Data are Well-Documented
In 2006, America Online (AOL), an internet service provider, made 20 million search queries publicly available for research. People were anonymized by a random number.  In a New York Times article, journalists Michael Barbaro and Tom Zeller describe how customer number 4417749 was identified and subsequently interviewed for their article. While user 4417749 was anonymous, her searches were not. She was an avid internet user, looking up identifying search terms: ‘numb fingers’; ‘60 single men’; ‘dog that urinates on everything’. Searches included people’s names and other specific information including, ‘landscapers in Lilburn, Georgia, United States of America’. No individual search is identifying, but for a sleuth – or a journalist – it is easy to identify the sixty-something women with misbehaving dogs and nice yards in Lilburn, Georgia. Thelma Arnold was found and affirmed the searches were hers. It was a public relations debacle for AOL.

Another data breach made headlines in 2014 when Vijay Pandurangan, a software engineer, de-anonymized 173 million taxi records released by the city of New York for an Open Data initiative. The data was encrypted using a technique that makes it mathematically impossible to reverse-engineer the encrypted value. The dataset had no identifying search information as in the case of Arnold above, but the encrypted taxi registration numbers had a publicly known structure: number, letter, number, number (e.g., 5H32). Pandurangan calculated that there were only 23 million combinations, so he simply fed every possible input into the encryption algorithm until it yielded matching outputs. Given today’s computing power, he was able to de-anonymize millions of taxi drivers in only two hours.

Netflix, an online movie and media company, sponsored a crowdsourced competition challenging data scientists to improve by 10 percent its internal algorithm to predict customer movie rating scores. One of the teams de-anonymized the movie watching habits of encrypted users for the competition. By cross-referencing the public Internet Movie Database (IMDB), which provides a social media platform for users to rate movies and write their own reviews, users were identified by the patterns of identically rated sets of movies in the respective public IMDB and encrypted Netflix datasets. Netflix settled lawsuits filed by identified users and faced consumer privacy inquiries brought by the United States government.

Properly anonymizing data is very difficult, with many ways to reconstruct information. In these examples, cross-referencing public resources (Netflix), brute force and powerful computers (New York Taxis), and old-fashioned sleuthing (AOL) led to privacy breaches. If data are released for open data projects, research or other purposes, great care is needed to avoid de-anonymization risks and serious legal and public relations consequences.

There are many good reasons to provide access to data.  Academic research may seek to provide access for peer reviewers.  Firms may crowdsource innovative techniques to solve problems.  Products may provide public Application Programming Interfaces (APIs) to enable derivative services.  Consider first if needs can be met without providing any identifiable information.  Understand unstructured data, such as user-generated memo fields and information it could contain, like names or places; and if so, consider if these notes, when grouped together, might be attributed to a specific individual.  Where encryption is required, ensure industry standards are used; but also add-in randomly generated information to each identifier.  This is known as a salt, and can eliminate risks of unlocking entire datasets with a single key.  Much has been written on how to anonymize data.  The first thing to remember is that it is not a trivial task and it should be undertaken after purposeful planning and in consideration of the data at hand.

Note: Adapted from a case study presented in the Data Analytics and Digital Financial Services Handbook (June, 2017).  This post was authored by Soren Heitmann, IFC-Mastercard Foundation Partnership for Financial Inclusion, for the Responsible Finance Forum Blog November, 2017.


Advancing Responsible Finance in Myanmar

Lory Camba Opem and Ricardo Garcia Tafur
28 Nov 2017

By Lory Camba Opem and Ricardo Garcia Tafur

IFC’s mission is to support effective, responsible, inclusive financial intermediaries and leverage them to meet development impact and financial sustainability goals.  Myanmar is one of the top 25 priority countries in the World Bank Group’s Universal Financial Access initiative to expand access to one billion of the world’s unbanked by 2020.  For Myanmar, this goal entails increasing financial inclusion from 30 percent in 2014 to 70 percent by 2020. Advancing responsible finance is a cornerstone to ensuring that people have sustainable and affordable means to manage their financial lives.  As such, IFC has played a proactive role in promoting responsible finance globally through knowledge sharing initiatives such as the G20/Global Partnership for Financial Inclusion, and the Responsible Finance Forum. IFC also supports microfinance institutions committed ongoing efforts to implement the Smart Campaign’s Client Protection Principles.

Responsible microfinance is a core value-add and manages risks
Responsible microfinance is a core value-add that implements essential business practices to protect clients and builds their confidence when using microfinance products and services.  Maintaining customer trust is ultimately critical, for it enhances credit and operational risk management.   Customer trust further empowers lower income people, in particular the rural poor to make better financial decisions. Microfinance institutions empower their clients when they increase financial awareness through: transparent pricing, disclosure of terms and conditions in local/simple language, offering the right products based on clients’ needs; providing customer services for resolving complaints and preventing over-indebtedness.  This is a dynamic relationship that can be mutually reinforced between these clients and their microfinance providers, for example: understanding customer needs informs product design and rollout that can be integrated in risk management frameworks.  This ongoing process builds client loyalty and institutional resiliency; as well as longer term stability of the microfinance sector.

Myanmar’s path to responsible financial inclusion
Myanmar is well positioned to harness global best practices and strategically avoid crises of confidence, which befell the global microfinance industry over the last decade –in Bolivia, India, Nicaragua, among others.  Myanmar’s relatively nascent microfinance sector allows it to create a more resilient path for itself and particularly for 70% of its rural poor and underserved without access to formal financial services.  Having expanded to over 200 microfinance institutions since microfinance legislation was passed in 2012, Myanmar has demonstrated it is a dynamic sector.  Yet capturing the opportunities that microfinance brings will require a comprehensive understanding of potential risks to its clients, for the institutions themselves and the broader financial sector. The evolving digital finance landscape further introduces a more competitive environment.  Myanmar’s microfinance regulations reflect the relevance of responsible finance, particularly in the Notifications on Consumer Protection by the Microfinance Business Supervisory Committee.  The client protection principles resonate, as it focusses on: preventing over-indebtedness, responsible pricing, fair and respectable treatment of clients and data privacy.  How to pragmatically implement these principles in practice will require persistent focus as the microfinance sector matures, and a commitment at the top by microfinance institutions and their leadership.

IFC’s Responsible Microfinance Training series
Due to the current context of Myanmar Microfinance sector, Responsible Finance will be one of the most relevant topics. In October 16, 2017, IFC, in collaboration with the Myanmar Microfinance Association,  launched a monthly training series over the next 6 months to build capacity for responsible business practices and promote financial consumer protection through knowledge sharing activities with regulators and industry players.  The training series further reinforces IFC’s earlier advisory initiatives in Myanmar to enhance institutional capacities and mitigate lending risks at the industry level. It also adds to IFC efforts on building the financial infrastructure in Myanmar, which has involved supporting the development of a central credit bureau expected to be launched later this year following the issuance of a landmark IFC-supported credit reporting regulation in March 2017.    IFC’s advisory training initiative is in line with IFC’s recent investment financing package of $13.5 million to local microfinance institutions to help meet Myanmar’s critical credit needs and unlock the country’s economic potential of the rural sector and small enterprises.

Targeting development results
IFC’s ongoing investments and advisory work are helping to provide much needed financing to increase productivity and create jobs, incomes and prosperity for a significant number of low income people in the country.  To complement these efforts, the responsible finance advisory training program in Myanmar will enable IFC to further improve client protection, financial education and transparency in lending policies for MFIs in Myanmar, which are ultimately serving thousands of micro enterprises, lower income households and women in rural and urban areas. These clients will benefit from more appropriate products and services that meet their needs, coupled with responsible finance practices that seek to ensure adequate consumer protection.

About IFC
IFC, a member of the World Bank Group, is the largest global development institution focused on the private sector in emerging markets. Working with more than 2,000 businesses worldwide, we use our capital, expertise, and influence to create markets and opportunities in the toughest areas of the world. In FY16, we delivered a record $19 billion in long-term financing for developing countries, leveraging the power of the private sector to help end poverty and boost shared prosperity. For more information, visit

Stay Connected\ifc_org

GPFI members came together in Washington for the last Meeting under Germany’s G20 Presidency

28 Nov 2017

The GPFI held its 3rd Meeting under the German G20 Presidency on 12 October 2017 in Washington D.C. The German Presidency presented the relevant financial inclusion results of the G20 Hamburg Summit and the incoming Argentine Presidency introduced planned GPFI priorities for 2018 and discussed these with GPFI members. Furthermore, the stocktaking study “Financing for SMEs in Sustainable Global Value Chains” was launched at the GPFI Meeting.

GPFI members agreed on renewing and confirming the mandate of the Temporary Steering Committee (TSC) on “Financial Inclusion of Forcibly Displaced Persons”. The TSC will lead the process of developing a roadmap for ‘sustainable and responsible financial inclusion of forcibly displaced persons’ by 2018 as requested by the G20 leaders in the G20 Hamburg Action Plan.

Data protection in digital financial services was another key topic addressed during the GPFI Meeting. The GPFI members discussed financial consumer protection and data privacy in the light of the G20 High-Level Principles for Digital Financial Inclusion and the results of the 2017 Responsible Finance Forum.

The Subgroups also discussed how to reflect the Argentine priorities in their work and took concrete steps to finalize the GPFI Subgroup Terms of Reference.

To review the summary proceedings from the 2017 G20 Global Partnership for Financial Inclusion Forum, please click here.

Note: This post was originally published on the GPFI website.