Well, interesting. This is one of the reasons we have the GDPR. @costco, if I were to make a GDPR erasure request, would you service it?
And I'm no lawyer, but it seems like there's also an outside chance of a breach of section 171 here as well, which is a criminal offence committed by a person who reidentifies de-identified data.
Plus - the laws have extraterritoriality. Vanishingly unlikely that you'd actually be pursued for it, but it's worth bearing in mind when you munge people's personal data.
With extraterritoriality. And if identifying people in this way is covered (I'm not a lawyer, I'm not claiming it definitely is), then it's also possible that EU citizens using the tool are committing a criminal offence.
The law seems to only apply where the deidentification has been made by the data controller, but HN admins changing someone's username, for example, if they ever do, would count. A person then using the tool to match another non-anonymous username to that account would seem to be caught.
Important to stress how much of a technicality this is, but that sort of thing can be interesting sometimes.
And I'm no lawyer, but it seems like there's also an outside chance of a breach of section 171 here as well, which is a criminal offence committed by a person who reidentifies de-identified data.
Plus - the laws have extraterritoriality. Vanishingly unlikely that you'd actually be pursued for it, but it's worth bearing in mind when you munge people's personal data.