The Federal Trade Commission (FTC) regularly assesses whether a company’s privacy claims align with its data handling practices. Discrepancies often arise when companies inaccurately assert that data without obvious identifiers is anonymous. True anonymity means data cannot be traced back to an individual, but if data can still uniquely identify or target someone, it remains potentially harmful.
One common method companies use to obscure personal data is through “hashing.” Hashing converts data—such as email addresses or phone numbers—into a consistent numerical value (hash) using mathematical algorithms. For instance, hashing the phone number “123-456-7890” produces a hash like “2813448ce6316cb70b38fa29c8c64130,” which seems random but consistently represents that number.
Hashing has the advantage of making it difficult to infer the original data directly from the hash. Companies often use hashing when they need to store data for later matching but prefer not to handle or share the raw identifiers. They may claim that hashing ensures user privacy because the hash appears meaningless. However, this belief is flawed. Hashes are not truly anonymous and can still be used to identify individuals. Misusing hashing can lead to privacy violations, and companies should not misrepresent it as a method of anonymizing personal information. The FTC remains vigilant in ensuring that companies’ privacy claims are truthful and taking action against deceptive practices.
In 2012, former Chief Technologist Ed Felten addressed this issue in a blog titled “Does Hashing Make Data ‘Anonymous’?” The answer is no; hashing does not make data anonymous. Although hashing can obscure identifiers, it creates a unique signature that can track individuals over time. The warning was clear: hashing alone does not reduce data sensitivity.
Despite this, some companies have not heeded the warning. In 2015, the FTC took action against Nomi for using hashed MAC addresses to track consumers in stores. Although the MAC addresses were hashed, they still served as persistent unique identifiers.
In 2022, the FTC targeted BetterHelp for sharing users’ sensitive health data, including hashed email addresses, with Facebook. Despite using hashes, BetterHelp’s actions allowed Facebook to reverse the hashing process and access users’ email addresses, thereby violating privacy.
The privacy issues in these cases stem from the ability to identify users, not merely from the hashing process. The FTC has also highlighted other user tracking methods that use pseudonymous identifiers.
In 2023, the FTC filed a complaint against Premom for collecting and sharing unique advertising and device identifiers contrary to its claims of sharing only “non-identifiable data.” This enabled third parties to bypass privacy controls and track individuals.
Similarly, in January 2024, the FTC accused InMarket of unlawfully collecting and using a unique mobile device identifier to track users without their consent.
The FTC continuously works to protect Americans’ privacy by scrutinizing various identifiers used to track users online. Regardless of their appearance, all user identifiers can be used to track and identify individuals, and their obscurity does not justify improper use or disclosure.