A hash is kinda trash.
Or, more precisely, not only will hashing data not anonymize it, but regulators, including the Federal Trade Commission, consider hashed identifiers to be personal information.
In late July, the FTC published a blog post reminding companies that hashes aren’t anonymous. They can still be used to identify users, and their misuse can lead to harm.
Data hashing involves cryptographically scrambling data into a string of unreadable text. Take this brief explanation with a grain of salt – hashing pun intended – because I’m not a technologist.
I do know that hashing is a common and useful technique for data authentication and secure data storage. But it doesn’t work as an anonymization technique, because anyone using the same hashing algorithm against the same data – an email address, for example – will generate the same string of hashed text, which can then be used as an identifier.
Presto, reidentification.
Heed the FTC’s warning
The FTC’s stance on hashing isn’t new news, though.
In 2012, the FTC’s then chief technologist Ed Felten wrote a blog post with the title: “Does Hashing Make Data ‘Anonymous’”? The answer to that question was and remains a definitive nope.
As Felten pointed out back then, “hashing is vastly overrated as an ‘anonymization’ technique,” and “the casual assumption that hashing is sufficient to anonymize data is risky at best and usually wrong.”
But why did the FTC feel the need to issue a fresh warning about hashing over a decade after its first? Well, because companies didn’t heed it.
In 2015, the FTC settled with a retail tech firm called Nomi for, among other things, failing to properly anonymize MAC addresses. It hashed the data, but that wasn’t enough.
And in 2022, the FTC brought a case against online therapy provider BetterHelp, which was accused of sending hashed email addresses to Facebook. The FTC alleged that Facebook could still use this information to identify and target ads at people seeking mental health counseling.
In other words, it’s safe to assume that the FTC has its antennae back up on the topic of hashing. Because regulators don’t publish advisories about bad practices just for fun. A warning is a courtesy heads-up to watch out.
But is this most recent blog post the precursor before a salvo of enforcement actions? I asked a few trusted sources – lawyers deep in the ad tech weeds – to weigh in.
Jessica Lee, chief privacy & security partner, Loeb & Loeb
“The FTC’s recent warning about hashing is a good – but hopefully not surprising – reminder that hashing does not equate to anonymity.
“A few years ago, Ashkan Soltani, executive director of the California Privacy Protection Agency, noted that hashed emails and other first-party identifiers used as replacements for third-party cookies remain personal information and may pose greater privacy risks due to their durability.
“For the advertising industry, hashed IDs are a solution for restrictions on third-party cookies – they are not a tool to get outside of privacy regulations. To the extent that companies are claiming that hashing data alone renders that data anonymous, they should really think again.
“Making public statements that you only use anonymous data when that data is not truly anonymous may be considered a deceptive statement, and the FTC is signaling that they are watching this issue and are prepared to enforce.”
Julie Rubash, general counsel & chief privacy officer, Sourcepoint
“It’s not enough to assess a data element in isolation. … The FTC’s warning instructs that companies should also be assessing the full life cycle of the data element, whether it can be reidentified by anyone in the process and the final outcome, or potential outcome, of using the data element.
“If a data element has the capability to track the same user over time, then it’s likely not anonymous in the eyes of the FTC.”
Daniel Rosenzweig, founder, DBR Data Privacy Solutions
“Companies don’t need to stop using hashed data, as there are valid reasons to do so, but treating hashing as a method of anonymizing personal data is not one of those reasons.
“The FTC’s warning could be a precursor to stricter enforcement actions. By proactively treating hashed personal data with the same care as any other personal data, companies can better navigate potential regulatory scrutiny and avoid costly penalties.
“The message is clear: Hashing is not a loophole for data privacy compliance.”
🙏 Thanks for reading! And here’s a cat video that has nothing to do with hashing. I just think it’s adorable. As always, feel free to drop me a line at [email protected] with any comments or feedback.
