Authors and celebrities are using pseudonyms for a variety of reasons including the creation of new brand names, for publishing their works in different genres, as a marketing strategy or to protect their privacy. With the advent of digitalisation, cybercriminals, hackers, tax evaders, activists and the dark web are all using pseudonyms to serve their own purposes since pseudonymisation can be used for both legal and illegal purposes. In the digital age, it is. to name one example, a reaction of the cyberpunk movement to not wanting to be identifiable, a symbol for freedom and independence from institutions, faceless responsibility among other trends. How much has pseudonymisation changed our society in the digital age?
In the latest of her Duet interviews, Dr Caldarola, editor of Data Warehouse as well as author of Big Data and Law, and Dr Fabian Niemann discuss the facets of pseudonymisation.
Dr Niemann, you have written a comprehensive chapter in our book “Data Warehouse” about information security as well as technical and organisational measures. For that, I take my hat off to you! It contains a lot of legal issues that definitely need discussing. Since we cannot cover everything here, let us consider a topic that I find extremely relevant in view of the current crises: pseudonymisation. Many people are familiar with pseudonymisation from literature. Paul Celan, Truman Capote, Jack London, George Sand, Françoise Sagan, Anna Seghers – none of these authors wrote under their real names. Things are no different these days but in this particular context, what exactly is pseudonymisation and how is it used?
Dr Fabian Niemann: First of all, when it comes to pseudonymisation, it is important to recognise that the word “pseudonymisation” is used as a buzzword- and not always correctly. Sometimes the word is used for matters that actually refer to anonymisation while other times pseudonymisation is indeed meant.
What is crucial is whether someone can create a separation between their person and their data sets when they use a pseudonym – as in the literary examples you mentioned. Pseudonymisation is a technical protection measure for separating data sets from the person to whom these data sets belong.
In common parlance, pseudonymisation is often understood as meaning that records or data can no longer be assigned to a natural person, an individual. If a “final” separation of the data from the individual takes place that cannot be restored or is difficult to restore (in terms of time and money), then this is an anonymisation in the legal sense. However, if recovery is still possible using an assignment key (e.g. because the password/pseudonym/assignment key is assigned to a person in a second database), we lawyers speak of pseudonymisation. According to the General Data Protection Regulation, pseudonymous data will continue to be treated like personal data/personal data sets. In contrast to anonymisation, data protection laws continue to apply.
In short, pseudonymisation uses a password for a data set, while anonymisation permanently deletes the association with a person or is very difficult to restore.
What pseudonymisation methods exist?
Of course, you can use other real names – such as the authors, actors, artists mentioned above often do. It is also possible to use sequences of numbers, characters and/or letters. What is probably more important to your question is how the pseudonyms are created.
Not only is a random arrangement conceivable, but also a “methodical” arrangement of letters, numbers and characters. Most of the time, the choice between an arbitrary and methodical arrangement depends on the intended use. If I want to assign the data records again later or if I want to make it clear that the respective data records belong to different people, a “methodical” arrangement is usually chosen. If I no longer want an assignment, then one or more arbitrary arrangements can be selected for each data record.
In this context, it is also important that a data set remain a set including identifiable personal data in the legal sense if – despite the removal or pseudonymization of the name or classical personal data – it still contains data in the data set that can make identification possible – be it on their own or based on additional information available. For example, a person with a rare disease and information about their place of residence can certainly be identified easily without the name, at least with additional knowledge obtained from public records or people knowing the person. Another example: a person can also be identified if the data record contains, for example, “Father of two children and lives on XY Street in the city of Z. Even then, the lawyer does not speak of anonymisation, but of pseudonymisation. Basically, anonymisation and thus “circumvention” of the data protection law becomes more difficult the more data about a person is available or accessible.
The GDPR gives those responsible for a digital business model more leeway when working with pseudonymous data. Which is this leeway?
First of all, let us be clear that the use of pseudonymisation is not an absolute “must”, but pseudonymizing where reasonably possible is a “duty of care” and an “option” to extent data use cases in a compliant manner. Pseudonymisation is a technical protective measure that is recommended by the legislature for certain situations. The legislator also mentions situations that are only permitted with certain technical protective measures. So, if someone wants to carry out these things which are in fact prohibited legally, they have to implement the prescribed technical protective measures mentioned there. In this way, the field of action for an individual entrepreneur expands. In my opinion, pseudonymisation is both of a duty and an option. Of course, I can gain more rights if I use pseudonymisation as a technical protection measure. To me, it is like a staircase: the first step is anonymisation, the second is pseudonymisation and the last step is the use of personal data.
I asked the question given the background of the Russia-Ukraine war and the sanctions against oligarchs. Historically speaking, we know François-Marie Arouet (known as Voltaire), who came in conflict with the law at the age of 23 and ended up behind bars in the Bastille. He used 160 cover tactics, fooled his opponents and thus became a pioneer of the French Revolution. He used pseudonyms to protect his privacy. Today, in the Russia-Ukraine war and the sanctions imposed against Russian oligarchs, in the case of the Russian oligarch Roman Abramovich it is relatively easy to impose sanctions on his assets because those assets are in his name. But Roman Abramovich is an exception because most of the owners and rich oligarchs are unknown. Their assets are disguised through front men and anonymous affiliated offshore companies, which make it very difficult to identify the true owners. Tax havens, offshore companies, front men have always been and are a blind spot that was and is accepted. The OECD has been trying to bring more transparency to this practice for years through BEPS. Against the backdrop of the Ukraine-Russia war, should we continue to accept this practice and the approved use of pseudonymisation because it is not superficially clear whether it is being used for the French Revolution or to simply disguise one’s assets?
In your examples, a clear distinction must be made between pseudonymisation and front men. Front men act in their own name for their – usually unknown – client. People with a pseudonym do not act with their real name but still act for themselves in their own “name”.
The effect is the same, because the real name of the other person remains hidden in the case of the front man, the pseudonym, the offshore company.
Of course, if you use a pseudonym, you can ask for identification. In the case of a front man who has a secret appointment with someone else, showing his own ID won’t help at all. There are laws such as the Money Laundering Act that are intended to prevent exactly such situations. Whether these laws will be effective is another matter. It is precisely in these matters that supervisory authority is needed to carry out an investigation, and this is where many such supervision is lacking. In my opinion, not everything can be prevented.
You are right that the intended use – French Revolution or tax evasion – leaves a bad taste. Data protection is great when it comes to informational self-determination of the individual and not good at all when it comes to illegal transactions. Data protection does not help with all problems and constellations. It is one law among many others that may have the common goal of preventing or making illegal transactions more difficult. Data protection is often “touted” as the primary law, although informational self-determination is just one right among others. The COVID-19 crisis also showed us this dilemma, where health and economic losses were weighed against each other, but not against informational self-determination in data protection. One had the feeling that data protection was above all else in terms of importance, like a super constitutional right more important than others, but really all these rights should have been measured against each other.
My opinion is:
Dr Fabian Niemann
“When using pseudonyms, it is important to look closely at each individual case and find out what is behind it. Standard procedures alone won’t help here.”
Aren’t the Internet and digital databases or data warehouses making it even easier for asset management to mask their activities via pseudonymisation? Very few countries have publicly accessible registers of the actual owners who stand to benefit from these fronts. British journalist Chris Taggart has identified 200 million companies from publicly accessible registers worldwide. Nevertheless, EU countries take different approaches to this issue. While the UK and Latvia are setting up public registers, Spain is keeping their registers inaccessible, Germany and Ireland do not allow machine printing and France is only publishing parts of their data, to name a few examples. Against this background, don’t we need barriers to pseudonymisation or publicly accessible registers of the real names behind the pseudonyms, so that information for tax optimisation is comprehensible, sanctions are possible in times of crisis, something can be done about this type of crime and corruption? In Germany alone we do not even know how many German companies are actually in the hands of Russian oligarchs. At the moment, it is impossible to identify Russian suppliers who supply product parts for “German” products. Do the limits of pseudonymisation need to be reassessed in view of all these issues?
The real question here is whether certain processes should be possible without proof of identity. It makes no difference whatsoever whether proof of identity need not be required for certain processes, whether an actor appears anonymously or under a pseudonym, or whether no personal information is requested at all. But the political question that actually arises here is whether activities not required an identity should even be possible or whether identification should be required so that measures can be taken against the person responsible in the event of illegal services. It’s like all things on earth. Streets, the internet, AI and so on are used by police officers, do-gooders and criminals alike. This range of possible activities cannot be prevented – whether by banning something or allowing it to freely occur. Pseudonymisation and anonymisation are merely technical measures and tools- just like the Internet, the streets and much more; they merely serve to simplify daily life.
Let’s consider the practice of the many pseudonyms circulating on the Internet. Be it the many platforms where citizens can participate under false names, look for partners, chat etc. Even avatars are pseudonyms. Every person is usually registered at birth. What about pseudonyms and avatars? Do we need an assignment to real names? What happens when we move from the real world to the Metaverse, where different rules and laws may apply? Do we need a registration of pseudonyms and avatars of an actual person for the attribution and responsibility of his/her actions in the Metaverse as well as in the real world?
Of course, the Metaverse is parallel to the real world. So far, the same rules which govern the real world also apply to the Metaverse. If an Avatar wants to purchase a weapon or open an account in the Metaverse, they must provide their real-world identity. It’s different with games in the Metaverse. Identification is not absolutely necessary.
Of course, the Metaverse knows no national borders by which the applicable law can be determined. But we are also familiar with this phenomenon of a “borderless territory” from the Internet, and rules for determining the applicable law have also emerged there.
And of course, the Metaverse is not a government undertaking. Rather, it was brought into being by companies, so one could of course ask whether state or private sector rules apply here, i.e. only the company’s own “rules of the game / code of conduct / governance”.
The Metaverse is and remains – technically speaking- a game like any classic board game at home. If the “game” is not attractive enough, then users and players will stay away. Likewise, I can’t ask the police to gain entry for me into a game in the Metaverse if the company doesn’t let me. This is the case with every board game, football game etc.
It is also true that digital clothing, digital houses and much more are sold in the Metaverse. Companies hope to increase their real-world sales in the Metaverse because the avatars there are not yet saturated and still have “needs.” But let’s be honest, who wants and will seriously spend money on these immovable things (digital jeans, digital house…), especially when the Metaverse can disappear at any time? Is it just selling the dream of a supposedly new alternative life with new possibilities and supposedly new starting conditions? It is not forbidden to escape from real life into another, more beautiful world and to suppress everyday worries – be it the Metaverse or simply a techno party in the real world where people dance for hours. The Metaverse is a leisure activity and ultimately just a computer game like Monopoly that does not need to be regulated.
The GDPR and pseudonymisation are not a means of specially regulating the Metaverse. This requires other tools. Of course, the GDPR applies in the Metaverse like in the real world – not more, not less. The first well-known Metaverse was called “Second Life”. No reason to apply different rules to your second than to your first life.
A lot of money is said to be laundered through the use of pseudonyms in the block chain. There are also many pseudonyms on the dark web and, of course, many attacks on digital tools come from anonymous hackers. Fake online shops appear on the internet and can be mistaken for real ones. Companies and authorities are usually helpless in these sorts of situations while perpetrators usually cannot be uncovered. It seems that pseudonyms are experiencing a new trend in the digital world. What sort of relationship between informational self-determination, pseudonymisation and transparency is needed to avoid misuse? Are manipulation security, authentication, access and access controls, cryptography, encryption enough in these situations without having precise knowledge of the real person or their real name?
Here we are talking about whether certain services on the Internet or Metaverse require the person acting to be identifiable – i.e. anonymity is permitted. Today you can access the Internet without revealing your identity.
It is a completely different matter whether and, if so, which services one would like to allow or tolerate anonymously in the digital world and for which ones identification/ID control should be required. This has less to do with data protection and the technical protective measure pseudonymisation commonly used there.
There are several cases for identifying people. Minors must declare their age so that sales transactions are possible and legal. The same applies to transferring money, paying with credit cards, opening a bank account, to name a few examples. There are already many situations in the real world in which identification was and is required. Many of these same constellations now also apply to digital businesses.
Whether these measures are enough and whether there should be more nuanced descriptions for actions taking place in the digital world due to the fact that you are no longer face to face and do not get an impression of the person is a political issue. I would even dare to say that there won’t be much change because the necessary majorities in the various ruling governments needed for enacting changes are currently not there, at least in all EU countries including Germany.
National data protection laws around the world vary widely. Are there also major differences in pseudonymisation or is this a field where there is widespread global agreement about its technical implementation, use and limits?
There are some technical methods for pseudonymising data and datasets. There may be more in the future as technology improves. However, pseudonymisation has nothing to do with political interests of whether certain services require identification of a person or not. There are quite different views among the countries with their various forms of government.
Dr Niemann, thank you for sharing your insights on pseudonymisation
Thank you very much, Dr Caldarola, and I look forward to reading your upcoming interviews with recognised experts, delving even deeper into this fascinating topic.