Data Obfuscation: Proceed with Caution

There are many methods of guarding private data, and oftentimes companies still need to preserve the data’s utility while doing so. This is especially crucial for enterprises that process data for business without the complexity and time it takes for cryptographics. IT professionals should be aware, in hiding data from view, they may be creating a completely different set of problems.

Data masking and obfuscation allow some parts of sensitive data to remain seen while hiding the entire value. The most widely seen use of masking shortens a Social Security number to the last four digits. Masking also takes place when you enter your password but only see symbols on the screen. Obfuscation is a little more complicated. It involves performing arithmetic on number values that change the data value to keep it obscure, yet don’t change the value enough for it to be statistically significant. A location’s zip code without the “+4” digits can still be accurate data, but not as precise as it can be. GPS coordinates can be rounded to a certain digit to hide the most specific data without preventing parcel delivery, for instance. No matter what value ends up being the one utilized, enterprises need to keep in mind, it is pointing somewhere.

Digital Hell

Since 2011, one couple in Kansas says they have been living what they call a “digital hell” thanks to some rounded GPS coordinates. But it took them five years before they connected the dots. Eighty-two-year-old Joyce Taylor’s farm has been in the family for more than 100 years. She rents some of it out to James and Theresa Arnold. In a place where most excitement surrounds the annual watermelon festival, things were about to be turned upside down. The farmhouse near Potwin, Kansas is more than one mile away from its nearest neighbors, but that didn’t prevent the Arnolds and Taylor from getting lots of visitors.

First came law enforcement officials looking for a stolen truck. Later, ambulances looking for suicidal patients. Knocks came at all hours from officers insisting the renters were hiding runaway children and producing pornography with underage girls. Later IRS agents visited concerning tax fraud and Bitcoin transactions. People began showing up or calling insisting the Arnolds injured them, stole their identities, or harmed their businesses. Why the Arnolds? Why the Taylor farm?

Rounding Error  

Rounding a number, for instance a GPS coordinate, can keep things neat and tidy. When there is no utility for having four decimal places, as in data obfuscation, that number is often rounded. And that is precisely what Internet Protocol (IP) mapping company MaxMind allegedly did. Their database matches IP numbers to a set of GPS coordinates for clients. Oftentimes, MaxMind could only determine that the device with the IP address was located in the United States. So, the company estimated what it thought to be the geographic center of America: near Potwin, Kansas. A rounded “dummy” set of GPS coordinates pointing there became the default location anytime a more specific geographic location was unknown. And wouldn’t you know…that location was precisely the Taylor farm.

600 Million and Counting

Even rounded coordinates are coordinates to somewhere. A journalist made the discovery while researching the unreliable practice of IP mapping. In the end, more than 600 million IP addresses were connected to this one residence in Kansas. The Arnolds decided to sue MindMax in August 2016 for more than $75,000 for what they say is distress and embarrassment. Police have still visited the farm even though MindMax changed the default location to the center of a lake in Wichita.


Residents of a farm in Kansas are suing IP mapping company MindMax after what they call a “living hell.” The company used rounded GPS coordinates as a default for when a location more precise than United States was unknown. Unfortunately for James and Theresa Arnold, that led police, investigators, and disgruntled customers right to their front door. Devices with IP devices mapped to this “dummy” number have been linked to IRS fraud, child trafficking and pornography, stolen property, and more. IT professionals who change data through obfuscation should proceed with caution. Any time data’s value is changed, whether to protect privacy or as a default placeholder, the value may be pointing to another, real, data point.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Technologist (CIPT) Exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy in Systems and Applications, Other Privacy Enhancing Technologies (PET), Data Masking and Data Obfuscation (V.F.c.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>