A hashed value, like 2813448ce6316cb70b38fa29c8c64130, looks like a wild scramble of gobbledygook. But in a recent blog, the FTC warned companies that when a hash is used to uniquely identify or target a consumer, that hash can threaten consumer privacy.
Hashing is an operation that uses math to transform data – such as personal information – into a seemingly random set of letters and numbers. For instance, under a particular hashing algorithm, the phone number “123-456-7890” is “2813448ce6316cb70b38fa29c8c64130.” The benefit of hashing is that it is practically impossible to take the hashed value and reverse-engineer it back to the original phone number. While the FTC has taken issue with the security of older hashing technology, they no longer question the security of current, secure hashes.
But although hashes securely mask the original, underlying data, hashes can in fact serve as identifiers. How? According to the FTC, when a hash is used to track a consumer across sites and is matched with disparate datasets, the hash itself is an identifier. Indeed, when a hash is used as a persistent identifier, it can be used to track consumers’ browsing history, demographic characteristics, and shopping habits across the Internet, for example, all of which can be done without needing to use the hash’s underlying value (e.g., “Jane Doe”) as an identifier. Thus, since hashes can be combined with other data and used to target users, companies should avoid characterizing such hashed personal information as “anonymous.”
The FTC has brought a variety of enforcement actions against companies for allegedly falsely maintaining that hashed data cannot identify and track users over time. For instance, the FTC accused Nomi of violating its privacy policy when Nomi allegedly tracked customers in its stores using hashed MAC addresses (a unique device identifier that likely constitutes personal data under most privacy laws). Even though the underlying MAC addresses were obscured with a hashed value, Nomi used the hash as a persistent identifier to track its customers over time. In another enforcement, BetterHelp only sent hashed email addresses to Facebook, yet the FTC alleged that Facebook was able to “effectively undo the hashing” and send targeted ads based on those seeking mental health counseling.
The new guidance emphasizes that unique identifiers can look as obscure as “2813448ce6316cb70b38fa29c8c64130,” but if used persistently, they may no longer be anonymous. A company and its third parties can build profiles of consumers by using hashed values combined with other data to follow users around the internet, even when the underlying data is hidden. The agency has and will continue to enforce against companies that deceptively claim that hashed data, and other persistent identifiers, don’t track users.