The Second Netflix Challenge and Privacy Research

Okay, if you’re just catching up with this story, go read this first — Netflix’s announcement that it was canceling its second Netflix Prize challenge over privacy concerns.

Next, head over to 33bits.org, blog of one of the co-authors of the paper on de-anonymizing Netflix users from the first Netflix Prize challenge data, to read the authors’ open letter to Netflix about the canceled second challenge.

“Data privacy researchers will be happy to work with you rather than against you. We believe that this can be a mutually beneficial collaboration. We need someone with actual data and an actual data-mining goal in order to validate our ideas. You will be able to move forward with the next competition, and just as importantly, it will enable you to become a leader in privacy-preserving data analysis. One potential outcome could be an enterprise-ready system which would be useful to any company or organization that outsources analysis of sensitive customer data.”

I find that paragraph from the post particularly interesting. This seems similar to the conversations between security researchers and the companies whose products they find ways to exploit. That has often been a very hostile conversation, but it seems (speaking from the outside of the security community) to have improved over time. (For instance, check out this security research guidelines document from PayPal.) Is there a way for privacy research to head in a similar direction, so that companies view external researchers as in some way beneficial? If anything, that seems like a bigger challenge to me; at least everyone usually agrees that security holes should be fixed, while most companies do not agree, publicly at least, that privacy breaches are really a problem (e.g., “Get over it.”).