Data Privacy: The Netflix Challenge
Concept. "Anonymized" data is rarely anonymous. Stripping names leaves quasi-identifiers, rare combinations of attributes that a linkage attack can join against public data to re-identify people. The fix is mathematical: k-anonymity and differential privacy trade a little accuracy for a real privacy guarantee.
Intuition. Netflix released 100M "anonymized" ratings for a $1M prize in 2006. Researchers joined them to public IMDB reviews on shared (movie, rating, date) pairs and re-identified users in 2007. About 8 ratings with dates make you roughly 99% unique, so the names were never the only identifier.
Anonymous Is Not Private
Netflix had three options for the prize dataset: release it with names (an obvious breach), keep it private (safe, but no competition), or release it with random IDs in place of names. They chose the random IDs and assumed that broke the link to real people. It did not.
Figure 1. Each dataset looks safe alone, but the join breaks anonymity. A user's rare ratings (which movie, what score, on what date) are a fingerprint; the same person leaves some of those reviews publicly on IMDB under their real name. Joining the two on (movie, rating, date) matches the anonymous ID to the real person, exposing their entire viewing history. Removing names does nothing when the remaining attributes are this unique.
Privacy Attacks
| Attack | How it works | Example | Prevention |
|---|---|---|---|
| Linkage | Join anonymous data with public data | Netflix + IMDB | Do not release individual records |
| Inference | Unique attribute combinations | DOB + gender + ZIP = 87% unique | Generalize attributes |
| Location | Unique movement patterns | 4 locations = 95% unique | Aggregate or add noise |
| Temporal | Timing patterns reveal identity | login and activity times | Round timestamps |
Legal Requirements
| Regulation | Scope | Key requirement | Penalty |
|---|---|---|---|
| GDPR | EU citizens | Data stays in the EU or adequate countries | Up to 4% of revenue |
| CCPA | California | Right to delete personal data | $7,500 per violation |
| HIPAA | Healthcare | Protect electronic health records (ePHI) | $2M + criminal charges |
Defense Methods
Synthetic data. Generate fake records that match the statistical shape of the real data without containing any real individual. Good for development, testing, and early ML.
Differential privacy. Add calibrated noise to query results so no single person changes the answer much, while aggregate trends stay accurate. The privacy budget epsilon sets the trade-off: lower means more noise and more privacy.
| Epsilon (ε) | Privacy | Noise | Use case |
|---|---|---|---|
| 10 | Low | ±1-2% | Internal analytics |
| 1.0 | Balanced | ±10% | Research datasets |
| 0.1 | High | ±100% | Public release |
| 0.01 | Maximum | ±1000% | Highly sensitive |
-- BigQuery differential privacy
SELECT WITH DIFFERENTIAL_PRIVACY
OPTIONS(
epsilon = 1.0, -- privacy budget (lower = more private)
delta = 1e-5, -- probability bound
max_groups_contributed = 1 -- limit each user's contribution
)
diagnosis,
COUNT(*) AS noisy_count
FROM medical_records
GROUP BY diagnosis;
-- k-anonymity: generalize, then require a minimum group size
SELECT
age_group, -- not exact age
zip_prefix, -- first 3 digits only
COUNT(*) AS COUNT
FROM users
GROUP BY age_group, zip_prefix
HAVING COUNT(*) >= 5;
Key Takeaways
-
Your data is a fingerprint. About 8 movie ratings can uniquely identify you.
-
Anonymous is not private. Public data sources enable re-identification.
-
Combinations matter. DOB + gender + ZIP identifies 87% of Americans.
-
Math protects privacy. Differential privacy gives a provable guarantee.
-
It is always a trade-off. More privacy means less accuracy; the epsilon budget makes the choice explicit.
Next
Case Study: Differential Privacy → See the math in the field: how Google published COVID mobility reports useful to public health without exposing any individual.