Case Study: De-identification Failures: The Netflix Prize Dataset

"The claim that 'we de-identified it' should be met with the same skepticism as the claim that 'the check is in the mail.'" — Paul Ohm, legal scholar, University of Colorado

Overview

In October 2006 — just two months after the AOL search log disaster examined in Chapter 1 — Netflix launched the Netflix Prize, a $1 million competition challenging data scientists to improve the company's movie recommendation algorithm by at least 10%. To fuel the competition, Netflix released a dataset containing 100 million movie ratings from approximately 480,000 subscribers. Netflix had "de-identified" the data by removing subscriber names and replacing them with anonymous numerical IDs. Two years later, University of Texas researchers Arvind Narayanan and Vitaly Shmatikov demonstrated that many of these "anonymous" subscribers could be re-identified by cross-referencing their Netflix ratings with public movie reviews on IMDb. The resulting privacy scandal, class-action lawsuit, and FTC intervention killed Netflix's planned second competition and became one of the most cited examples in data privacy scholarship. This case study examines what happened, why standard de-identification failed, and what it teaches us about the privacy models — k-anonymity, l-diversity, differential privacy — introduced in Chapter 10.

Skills Applied: - Analyzing re-identification attacks using quasi-identifier theory - Evaluating de-identification techniques against known attack models - Understanding the limits of k-anonymity for high-dimensional datasets - Connecting technical privacy failures to legal and ethical consequences

The Situation

The Netflix Prize

Netflix, in 2006, was a DVD-by-mail service in the early stages of its streaming transition. Its recommendation engine — the system that predicted how much a subscriber would enjoy a movie — was central to its business. Better recommendations meant subscribers found more movies they liked, watched more, and retained their subscriptions longer.

Netflix's existing recommendation algorithm, Cinematch, produced predictions with a root mean squared error (RMSE) of 0.9525 on a 1-to-5 star rating scale. Netflix challenged the world's data scientists to beat this score by at least 10% — reducing the RMSE to 0.8563 or below. The first team to achieve this improvement would win $1 million.

To enable the competition, Netflix needed to provide participants with real data. Synthetic data would not capture the complex, idiosyncratic patterns of real human preferences — the fact that people who like The Shawshank Redemption also tend to like Goodfellas but not necessarily The Godfather Part III. Only real ratings from real subscribers would do.

What Netflix Released

The Netflix Prize dataset contained:

Field Description Example
Subscriber ID Anonymized numerical identifier 1488844
Movie ID Numerical code for each film (mapped to titles) 17770 (Forrest Gump)
Rating 1-5 star rating 4
Date Date the rating was submitted 2005-09-06

The dataset contained 100,480,507 ratings from 480,189 subscribers across 17,770 movies, spanning the period from October 1998 to December 2005. Netflix removed all subscriber names, email addresses, and account information. Each subscriber was assigned a random numerical ID with no relationship to their account number. Netflix also perturbed some ratings — changing a small number of ratings by one star — and withheld certain ratings entirely.

Netflix's terms for the competition stated: "Some of the rating data have been modified to protect customer privacy. All customer identifying information has been removed; all that remains are ratings and dates."

Netflix believed — genuinely, by all accounts — that this de-identification was sufficient.

The Assumptions Behind De-identification

Netflix's de-identification strategy rested on several implicit assumptions:

  1. Direct identifiers are what matter. By removing names and account numbers, Netflix believed it had eliminated the linkage between ratings and real people.

  2. Movie ratings are not sensitive. Netflix assumed that knowing someone rated The Notebook 3 stars and Die Hard 5 stars does not reveal sensitive information.

  3. The volume of the dataset provides cover. With 480,000 subscribers, each individual was one among hundreds of thousands — a needle in a haystack.

  4. No external dataset exists that could be matched. Netflix did not consider the possibility that the same subscribers might have publicly rated movies on another platform using their real names.

Every one of these assumptions proved to be wrong.

The Re-identification Attack

Narayanan and Shmatikov's Approach

In 2008, Arvind Narayanan and Vitaly Shmatikov, computer scientists at the University of Texas at Austin, published a paper titled "Robust De-anonymization of Large Sparse Datasets" at the IEEE Symposium on Security and Privacy. Their work demonstrated that the Netflix Prize dataset could be substantially de-anonymized using publicly available information.

Their method was conceptually simple:

  1. Identify a public dataset where people rate movies under their real names. The Internet Movie Database (IMDb) allows users to rate and review films publicly, with their reviews linked to their IMDb username — which often contains or is linked to the reviewer's real name.

  2. For each IMDb user, extract their set of movie ratings and rating dates. This creates a "fingerprint" — a sparse vector in the space of all possible movies.

  3. Search the Netflix dataset for anonymous subscribers whose rating patterns closely match the IMDb fingerprint. Even a partial match — as few as six to eight movies rated by both the IMDb user and the anonymous Netflix subscriber, with similar ratings and dates — can be sufficient to identify the subscriber with high confidence.

Why It Worked: The Sparsity Argument

The key insight was that movie-rating behavior is highly individualistic. Out of 17,770 movies in the Netflix catalog, any given subscriber had rated a relatively small subset — on average, about 200 movies. The specific combination of movies a person has watched and rated, together with their specific ratings and the dates they submitted them, forms a pattern that is essentially unique.

Narayanan and Shmatikov formalized this: they showed that knowing just two movies a target person rated (plus approximate dates within a 14-day window) was enough to identify them within the Netflix dataset 68% of the time. Knowing eight movies narrowed identification to a single subscriber with 99% confidence.

This result is devastating for k-anonymity-based thinking. The quasi-identifiers in this dataset are not simple demographics (age, ZIP code, gender) but a high-dimensional vector of movie ratings. In a 17,770-dimensional space, almost every person occupies a unique position. No amount of generalization or suppression can achieve meaningful k-anonymity in such a space without destroying the data's utility entirely.

What the Attack Revealed

Narayanan and Shmatikov did not publicly name any re-identified individuals, but they demonstrated the feasibility of the attack and discussed its implications:

  • Political preferences. A person's movie-watching patterns can reveal political leanings (documentaries about specific issues, political films, choices between Fox News specials and liberal-leaning documentaries).
  • Sexual orientation. Rating patterns for LGBTQ-themed films could reveal sexual orientation — particularly consequential if the individual had not publicly disclosed this information.
  • Religious beliefs. Patterns of religious-themed film consumption could reveal or suggest religious identity.
  • Mental health concerns. Heavy viewing of films about depression, addiction, or suicide could suggest personal struggles.

The researchers emphasized that even movie ratings — seemingly innocuous data — can become sensitive when they form a behavioral portrait. As Narayanan later wrote: "There is no such thing as non-sensitive data. Any dataset that is large and detailed enough to be useful is large and detailed enough to be re-identifying."

The Class-Action Lawsuit

In December 2009, a Netflix subscriber identified as "Jane Doe" filed a class-action lawsuit against Netflix in the U.S. District Court for the Northern District of California. The plaintiff, described as a closeted lesbian and mother living in a conservative community, alleged that Netflix's release of her movie ratings — which included LGBTQ-themed films — violated the Video Privacy Protection Act (VPPA) of 1988, which prohibits the disclosure of personally identifiable video rental records.

The lawsuit argued that the de-identified data was not truly de-identified because it could be re-linked to specific individuals, and that the disclosure of viewing patterns could reveal sexual orientation, an extremely sensitive attribute with potential for real-world harm — particularly for the plaintiff, who feared that disclosure could affect her custody arrangements and her relationships in her community.

Netflix settled the lawsuit in 2010 for undisclosed terms. As part of the settlement, Netflix cancelled the planned Netflix Prize 2 competition, which had been announced in September 2009 with a new dataset and an improved $1 million prize.

The FTC's Response

The Federal Trade Commission engaged with Netflix following the re-identification research and the lawsuit. While the FTC did not bring a formal enforcement action, the case influenced the agency's thinking about de-identification standards. In its 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change," the FTC cited the Netflix case and recommended that companies adopt stronger de-identification standards, noting that simply removing direct identifiers is insufficient for high-dimensional datasets.

Netflix's Cancellation of Prize 2

Netflix's decision to cancel the second Netflix Prize competition was direct evidence that the company recognized the privacy risks it had created. In its cancellation announcement, Netflix cited both the pending litigation and "privacy concerns" as reasons. The company stated that it would continue to improve its recommendation algorithm internally, without public data releases.

The cancellation was significant because it demonstrated a real cost of privacy failure: Netflix lost a valuable crowdsourced research program because it could not release data without unacceptable privacy risk. No de-identification technique available at the time could have adequately protected the data while preserving its research utility.

Analysis Through Chapter 10 Frameworks

Why k-Anonymity Failed

The Netflix dataset illustrates the fundamental limitation of k-anonymity for high-dimensional data. k-Anonymity requires that each combination of quasi-identifier values appears in at least k records. In a dataset where the quasi-identifiers include ratings for 17,770 possible movies, each person's combination of rated movies is essentially unique. Achieving even 2-anonymity would require either:

  • Suppressing the vast majority of ratings, destroying the dataset's utility, or
  • Generalizing ratings so aggressively (e.g., grouping all movies into 10 broad genres and all ratings into "positive/negative") that the nuanced preference patterns the competition needed would be lost.

Narayanan and Shmatikov's work showed that the "curse of dimensionality" makes k-anonymity impractical for rich behavioral datasets. When the space of possible quasi-identifier combinations is vast relative to the number of records, almost every record is unique, and no suppression or generalization strategy can achieve meaningful anonymity without destroying utility.

Would l-Diversity Have Helped?

l-Diversity addresses attribute disclosure within equivalence classes, but it presupposes that k-anonymity has been achieved. Since k-anonymity itself is unachievable in this high-dimensional setting, l-diversity offers no additional protection. Even if equivalence classes could be formed, the "sensitive attributes" in this context are not a single column but the pattern of ratings itself — the very data that makes the dataset valuable.

Would Differential Privacy Have Helped?

Differential privacy could have provided a path forward, but with significant trade-offs. Under differential privacy, Netflix could have:

  1. Added calibrated noise to each rating (local differential privacy), making individual ratings unreliable while preserving aggregate patterns. However, the noise required for meaningful privacy guarantees would have substantially degraded the data's utility for the competition's goal of improving prediction accuracy.

  2. Released only differentially-private aggregate statistics (global differential privacy), such as average ratings by genre, co-viewing frequencies, or noisy matrix factorization results. This would have protected individual privacy but would have changed the nature of the competition entirely — participants could not have built personalized recommendation models without individual-level data.

  3. Used a privacy-preserving competition format: instead of releasing data, Netflix could have hosted the data on its own servers and allowed participants to submit algorithms to be evaluated against the real data in a controlled environment (similar to modern Kaggle competitions with private test sets). Combined with differential privacy on the evaluation metrics, this could have enabled the competition while preventing data exposure.

The Netflix case demonstrates that for high-dimensional behavioral data, differential privacy is the most viable privacy framework — but it requires fundamentally rethinking how data is shared and used, not merely adding a de-identification step to an existing release process.

Broader Implications

The "Auxiliary Information" Problem

The Netflix attack relies on auxiliary information — the public IMDb ratings that serve as a linking key. This is not a quirk of the Netflix case but a general feature of the modern data landscape. In a world where people generate data across hundreds of platforms, any "anonymous" dataset can potentially be linked to other datasets that contain identifying information. The existence of social media profiles, public reviews, forum posts, and other user-generated content means that auxiliary information is abundant and growing.

This has a profound implication for de-identification: the security of a de-identified dataset depends not only on what was removed but on what else exists in the world. A dataset that is safe today may become re-identifiable tomorrow as new auxiliary datasets become available. De-identification is not a one-time property but a temporally unstable condition.

The Impossibility of "Safe" Release for Rich Data

The Netflix case, together with the AOL case from Chapter 1, supports a broader conclusion: for rich, high-dimensional behavioral datasets, there may be no way to release microdata that is simultaneously useful and safe. Any dataset detailed enough to support novel research or algorithm development is likely detailed enough to enable re-identification.

This does not mean that such data cannot be used — but it means that the use must occur under controlled conditions (secure data enclaves, federated learning, privacy-preserving computation) rather than through unrestricted public release.

Discussion Questions

  1. The "innocuous data" assumption. Netflix assumed that movie ratings were not sensitive. The Jane Doe lawsuit demonstrated that they could reveal sexual orientation. What other types of data that organizations commonly treat as non-sensitive could reveal sensitive information in aggregate? How should organizations evaluate the sensitivity of data they plan to release?

  2. The competition trade-off. Netflix cancelled Prize 2 because it could not release data safely. Was this the right decision? Could the competition have been restructured to protect privacy while still enabling research? What would a privacy-preserving competition design look like?

  3. Temporal instability. Narayanan and Shmatikov matched Netflix data to IMDb profiles that existed in 2008. But new auxiliary datasets are created constantly. Does this mean that any dataset released publicly is eventually re-identifiable, given enough time? What implications does this have for data retention policies?

  4. Connecting to Mira's world. Mira's father's company, VitraMed, is considering releasing a "de-identified" dataset of patient health outcomes to support academic research on treatment effectiveness. Based on the Netflix case, what advice would you give Mira to pass along? Be specific about which privacy models and techniques you would recommend.

Your Turn: Mini-Project

Option A: Dimensionality and Uniqueness. Using Python, generate a synthetic dataset of 10,000 "users" who each rate a random subset of 100 "movies" on a 1-5 scale (with each user rating between 5 and 30 movies). Calculate the percentage of users who have a unique combination of rated movies. Then repeat with 1,000 movies. How does dimensionality affect uniqueness, and what does this imply for k-anonymity?

Option B: The Legal Landscape. Research the Video Privacy Protection Act (VPPA) of 1988. Write a 1,000-word analysis covering: (a) what the VPPA protects, (b) why a 1988 law about video rental records was applicable to a 2006 dataset of online movie ratings, (c) how the Netflix case expanded the VPPA's relevance, and (d) whether the VPPA is adequate for protecting viewing data in the streaming era.

Option C: Alternative Designs. Design a privacy-preserving version of the Netflix Prize. Your design should specify: (1) what data is made available and how, (2) what privacy protections are applied, (3) how competition participants develop and test their algorithms, and (4) how the winning algorithm is evaluated. Explain how your design addresses the specific re-identification vulnerabilities demonstrated by Narayanan and Shmatikov.

References

  • Narayanan, Arvind, and Vitaly Shmatikov. "Robust De-anonymization of Large Sparse Datasets." In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 111-125. IEEE, 2008.

  • Narayanan, Arvind, and Vitaly Shmatikov. "How to Break Anonymity of the Netflix Prize Dataset." arXiv preprint cs/0610105, 2006 (revised 2008).

  • Ohm, Paul. "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization." UCLA Law Review 57 (2010): 1701-1777.

  • Singel, Ryan. "Netflix Cancels Recommendation Contest After Privacy Lawsuit." Wired, March 12, 2010.

  • Federal Trade Commission. "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers." FTC Report, March 2012.

  • Sweeney, Latanya. "k-Anonymity: A Model for Protecting Privacy." International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, no. 5 (2002): 557-570.

  • Bennett, James, and Stan Lanning. "The Netflix Prize." In Proceedings of KDD Cup and Workshop, 2007.

  • Dwork, Cynthia. "Differential Privacy." In Proceedings of the 33rd International Colloquium on Automata, Languages, and Programming (ICALP), 1-12. Springer, 2006.

  • Doe v. Netflix, Inc., No. 5:09-cv-05903 (N.D. Cal. 2009).