Inside Germany’s Massive Data Exploit: Andreas Dewes on Data De-Anonymisation

Andreas Dewes, a data scientist, a privacy advocate and a co-founder of KIProtect, is well known for his work in exposing the vulnerabilities of anonymised data. His presentation at the Eyes-Off Data Summit 2024 delivered a profound, eye-opening exploration into the ease with which supposedly "anonymous" data can be reverse-engineered to reveal personal information.

He exposed the alarming realities of data brokerage and the increasing exploitation of personal data in today’s digital economy, where anonymisation is often just an illusion. Dewes introduced his investigative work, originally presented in 2016 at the Def Con hacking conference to reveal the inherent flaws in anonymisation practices. 

Read on to uncover the deeply troubling insights from Dewes' talk, including how seemingly harmless browsing data can be used to track individuals, the growing role of AI in data harvesting, and the urgent need for stronger regulations to protect privacy rights today.

Setting the Scene

In 2016, Dewes partnered with investigative journalist Svea Eckart to conduct an interesting experiment: they created a fake marketing company, complete with a website, a LinkedIn page, a fictitious CEO, and even a careers page. Their goal was to infiltrate the world of data brokerage and acquire personal user data, which they would analyse to test its level of "anonymisation."

After months of negotiations, the ruse paid off. Dewes and Eckart were granted access to a staggering dataset containing 3 billion URLs from 3 million German users over a two-month period. The dataset was advertised as anonymised, but it didn’t take long for the researchers to dismantle it.  

They uncovered the complete browsing history of individuals, tracing every click, every hour, every website—from banking and shopping to private emails and Google Translate queries.

This discovery exemplified just how flawed anonymisation methods were. Dewes compared the process to someone showing up at your door with a detailed log of everything you’ve done online for the past month—not obtained through sophisticated hacking, but simply purchased from a data broker.

De-Anonymisation in a Nutshell

Dewes' talk centred around the startlingly simple process of de-anonymisation. He demonstrated that even without direct identifiers (like names or email addresses), each user’s unique digital footprint—comprising specific websites visited, social media accounts, and other habits—could easily be matched to public information, revealing their identity.

One of the most startling examples was how Google Translate revealed entire email texts within URLs. In one case, a German cybercrime investigator’s translation requests for foreign police assistance appeared in the dataset, exposing sensitive information about ongoing investigations. This vulnerability illustrated just how easily personal and professional data could be revealed through common, everyday online activities.

Andreas further explained how even seemingly innocuous data points, such as YouTube video IDs or Google Maps location data (e.g., home or work addresses), could be used to identify users. In fact, it often takes as few as three data points to uniquely identify a person. 

This is because the digital traces people leave behind while browsing—be it favourite news sites, social media logins, or bank websites—are surprisingly distinctive, making complete anonymisation nearly impossible.

This research echoed similar revelations in previous cases, such as the 2008 Netflix de-anonymisation, where researchers matched anonymous movie ratings to public IMDb profiles, unmasking users and even leading to lawsuits.

AI and the Growing Threat of Data Scraping

In the following fireside chat with the journalist and tech podcast host Elaine Burke, Dewes also talked about how advanced AI models like large language models (LLMs) have made data scraping significantly easier. 

Tasks that previously required extensive manual effort—such as combing through millions of entries—can now be automated by AI systems, rapidly extracting and organising data into structured attributes. This automation makes it possible to sift through vast datasets at a speed and scale never before possible.

Beyond the technical ease of data scraping, Dewes raised concerns about how users interact with LLMs, noting that people often share far more personal and intimate details with conversational AI than they would with a traditional search engine like Google. This introduces the risk of exposing much more sensitive information. 

“This growing intimacy raises significant privacy concerns—it’s not a matter of if but when misuse will occur. We must address these concerns now, while we still have some time,” warned Andrew.

The Illusion of Consent

In regards to user consent, Andreas expressed similar views as Max Schrems. While many platforms and companies ask users for consent to process their data, this consent is often superficial and fails to offer real protection. Instead, these forms act more as a shield for corporations than a mechanism of informed choice for users.

Dewes explained that most users don't fully understand what they are agreeing to. Consent forms are often written in legalese, with lists of data brokers and third-party advertisers that span hundreds or even thousands of entities. Few users are able—or willing—to go through these details, leading to uninformed and coerced consent.

Dewes highlighted the ad-tech industry's reliance on what he called "malicious compliance," where companies follow the letter of the law but undermine its spirit. For example, data brokers often hide behind lengthy vendor lists, making it impossible for users to effectively opt-out of the extensive data-sharing that occurs behind the scenes.

“Most users are not fully aware of how much data they are giving away,” Dewes explained. “The illusion of consent is designed to create a false sense of security, while data continues to be harvested at an alarming scale.”

The Lack of Regulation and Transparency

Despite the 2016 investigation sparking media attention and promises of action from policymakers, Dewes noted with disappointment that no official investigations were ever launched, and browser extensions (often the source of data collection) continue to siphon vast amounts of personal data without users’ knowledge. Although access to raw data may be more restricted now than before, data collection practices remain largely unchecked.

Additionally, Dewes criticised the ad-tech industry, where lesser-known data brokers continue to collect and sell vast quantities of personal data with little scrutiny compared to tech giants like Google or Meta. These smaller players thrive in the shadows, protected by a lack of public awareness and weaker regulations.

“While various tools like free browser extensions are designed to assist with various tasks, they may also be scraping your data. Developers create them as a fun project, leading to widespread use by thousands, rising in popularity, creating network effect and then they become monetised by leveraging the collected data,” explained Andrew.

Looking Ahead for Potential Solutions

While Dewes’ talk painted a grim picture of the current state of data privacy, he remained cautiously optimistic about the future. He pointed to emerging technologies like trusted execution environments and differential privacy, which offer the potential to safeguard personal information even when data is processed for commercial purposes. These technologies allow companies to extract insights from data without directly exposing the underlying personal information.

However, Dewes acknowledged that implementing these technologies at scale remains a challenge and technology alone won’t fix the problem. Dewes urged for stronger regulatory frameworks that match the pace of technological innovation. 

He suggested that privacy violations need to be treated with the same seriousness as other forms of corporate misconduct, like financial fraud, and penalised accordingly. This, he argued, would create a level playing field for companies and prevent the worst abuses of personal data.

Key Takeaways from Andreas Dewes’ Presentation

• Anonymisation is Often Just a Myth: Even datasets that claim to be anonymous can be easily de-anonymised using basic data-matching techniques. Each person’s digital footprint is unique, and even a small number of data points can be enough to re-identify an individual.
• Just a Few Data Points are Enough: Astonishingly, just three pieces of information—such as browsing history, YouTube video IDs, or Google Maps coordinates—are often enough to uniquely identify someone in a dataset, no matter how large.
• Common Tools Pose Major Risks: Despite increased awareness, common tools such as browser extensions continue to siphon massive amounts of data. These tools, initially designed for convenience, have been weaponised into powerful tools for data collection.
• AI is Accelerating Data Exploitation: Advances in AI, particularly LLMs, have made it much easier to scrape, analyse, and exploit personal data. This automation significantly accelerates privacy violations.
• Public Trust and Consent are Being Manipulated: While consent forms are now ubiquitous due to regulations like GDPR, they often serve more as a shield for corporations than as a real protective measure for users. Most users unknowingly agree to complex data-sharing practices without fully understanding the implications.
• There’s Still Hope for a Better Future: Emerging technologies like trusted execution environments and differential privacy provide pathways toward a more privacy-conscious ecosystem. But without stronger regulations, this will not be enough to address the growing scale of privacy violations.

Dewes' message was clear: privacy violations are not a future risk—they are happening right now and without coordinated action from governments, companies, and individuals, these abuses will only grow in scope and sophistication. The time to act is now.

For more insights from the Eyes-Off Data Summit, explore our detailed recaps of Day 1 and Day 2 to dive deeper into the expert discussions. You can also watch Andreas Dewes' full talk on our YouTube channel to gain a further understanding of the vulnerabilities in data anonymisation. To safeguard your organisation's data, reach out to us today.