What did the Netflix Prize de-anonymization (Narayanan & Shmatikov) prove about "anonymized" datasets?
That removing all personally identifiable information (PII) does NOT guarantee privacy — auxiliary data can re-identify people anyway.
In 2006 Netflix released an "anonymized" dataset of movie ratings from 500,000 subscribers for its $1M recommendation prize, claiming all PII had been removed. In 2007, researchers Narayanan & Shmatikov (UT Austin) broke it: by cross-referencing the ratings against public IMDb reviews, they could uniquely identify a subscriber from as few as 8 movie ratings with dates, at ~99% confidence — even after noise had been added.
The proof: PII removal ≠ anonymization. Seemingly innocuous quasi-identifiers (which movies you rated, and roughly when) form a fingerprint when combined and matched against an external source. This is the canonical demonstration of the linkage / mosaic effect.
Tip: The attacker doesn't need your name — they just need a second dataset where you appear under your name and behave similarly.
Go deeper:
Robust De-anonymization of Large Sparse Datasets (Narayanan & Shmatikov, 2008) — the original Netflix attack paper.
Data re-identification (Wikipedia) — summarizes the Netflix + IMDb linkage result.