What is unlinkability (Nichtverkettbarkeit), and what measures achieve it?
Unlinkability means that an attacker cannot sufficiently determine whether a relationship exists between two or more objects (messages, persons, actions) in a system — ensuring data collected for one purpose can't be repurposed.
Formal definition:
Two or more observed objects in a system are unlinkable if an attacker cannot sufficiently determine whether a relationship exists between them. Also known as "non-linkability" or "non-chaining."
Example: An attacker wants to know whether two messages were sent by the same person — if the system provides unlinkability, this cannot be determined.
Measures to achieve unlinkability:
| Level | Measures |
|---|---|
| Organizational | Separation of processing, usage, and transmission rights; separation by organizational/departmental boundaries |
| Data level | Anonymization, pseudonymization, or non-collection of identified data |
| System level | Appropriate access controls; processing on separate systems |
Why it matters: Unlinkability is essentially purpose limitation enforced technically. Even if data is collected legitimately for one purpose, unlinkability ensures it cannot be correlated with data collected for a different purpose — preventing the kind of cross-referencing that enables re-identification.