New Zealand’s tax agency, Inland Revenue Department (IRD), is under fire for sending taxpayer data to social media platforms so they can serve targeted ads.
News broke over the weekend about IRD’s deals with Facebook and LinkedIn, deals that see lists of hundreds of thousands of users’ data sent to the platforms to drive ad campaigns. To make matters worse, taxpayers had no recourse or way of opting out.
The agency initially defended its actions by saying that all data—which includes names, birthdates, phone numbers, email addresses, and physical addresses—was properly anonymized by hashing it. There’s just one big issue: hashing does not reliably anonymize data.
The Problem With Hashing
Hashing converts text or data into a fixed-length string of numbers and letters, so the original text cannot be read directly from the result.
Unfortunately, as both RNZ and The New Zealand Herald highlight in their coverage, hashing has long since been discarded as a viable means of securely anonymizing data. In fact, the US Federal Trade Commission explained how hashing works in July 2024, and pointed out the flaws in the process.
Hashing involves taking a piece of data—like an email address, a phone number, or a user ID—and using math to turn it into a number (called a hash) in a consistent way: the same input data will always create the same hash. For example, hashing the fictional phone number “123-456-7890” transforms it into the hash “2813448ce6316cb70b38fa29c8c64130”, a hexadecimal number that might appear random, but is always what someone gets when they hash that phone number.
Hashing has a nice potential benefit: a hash by itself cannot easily be used to guess what the original data was. For this reason, companies often use hashing in cases where they are uncomfortable writing down or sharing the directly identifying data, but they still want to be able to store the data for matching against later. Since the hash “2813448ce6316cb70b38fa29c8c64130” appears meaningless and seemingly can’t be used to find the original phone number, companies often claim that hashing allows them to preserve user privacy.
Unfortunately, as the FTC goes on to say, such logic is flawed, and hashing should not be relied on alone.
This logic is as old as it is flawed – hashes aren’t “anonymous” and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized. FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.
European regulators arrived at a similar conclusion in 2019, finding that hashed data could be de-anonymized.
In fact, it is generally a trivial process to de-anonymize data that has been hashed. Jonathan Wright, a developer and cybersecurity consultant, told RNZ that he was able to use basic online tools to de-anonymize hashed data from his bank, saying he could do it “in sub-one second.”
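To see concretely why a hashed phone number is not anonymous, here is an added example (not from the article, the FTC, or IRD) in Python. It assumes MD5 as the unkeyed hash and a constructed candidate space of numbers of the form 123-456-XXXX; the same check applies to email addresses or any identifier drawn from a small, predictable space. It also shows, as the mitigation a reviewer would look for, that a keyed hash (HMAC with a secret key) defeats the same lookup, while still only pseudonymising the data.

```python
import hashlib
import hmac


def hash_identifier(value: str) -> str:
    """Plain, deterministic hash: identical input always yields identical output.
    MD5 is assumed here; any unkeyed hash behaves the same way."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


# Phone numbers come from a small, structured space, so every plausible value can
# be hashed ahead of time. Constructed candidate space: "123-456-" plus 4 digits.
PHONE_CANDIDATES = [f"123-456-{n:04d}" for n in range(10_000)]


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> identifier for every candidate once; reuse it forever."""
    return {hash_identifier(c): c for c in candidates}


def recover_identifier(target_hash: str, table: dict):
    """Return the original identifier if its hash is in the table, else None."""
    return table.get(target_hash)


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC with a secret key: a table built without the key cannot match it.
    This is pseudonymisation, not anonymisation: whoever holds the key can still
    match records, so the key must stay with the data controller."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(PHONE_CANDIDATES)
    shared = hash_identifier("123-456-7890")  # what a "hashed" list would contain
    print(shared, "->", recover_identifier(shared, table))
    protected = keyed_hash("123-456-7890", b"constructed-secret-key")
    print(protected[:16] + "...", "->", recover_identifier(protected, table))
```

Building the table for ten thousand candidates takes well under a second, which is why the "sub-one second" figure quoted above is unsurprising for any identifier with a known format.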
Despite the clear evidence that hashing is not a secure and private solution, IRD and Revenue Minister Simon Watts maintained it was viable, and adequately protected user data. It was only after multiple outlets reported on the issue that IRD finally said it will investigate the data sharing.
The Bigger Issue
The bigger issue, in many people’s minds, is why IRD thought it was acceptable to share taxpayers’ data with social media companies in the first place. In an era where corporate data collection and surveillance have reached Orwellian proportions, many believe the government’s role should be to protect users and their data, not get in bed with the very companies abusing users’ trust.
“Our biggest government department and our biggest corporations in New Zealand… are doing this on a wholesale level,” David Buckingham, a Queenstown employment consultant, told RNZ.
“It’s not us who are giving over our details. It’s a third party who are giving over our details without our knowledge,” Buckingham added.
“The kind of campaigns that might take place essentially allows these companies to have a level of profile that… we don’t know about, and… if we did know about it, we wouldn’t want to consent.”