In my last article, I mentioned that our ability to mine unstructured data presented some new issues with respect to digital privacy. This resonated for one of my readers who raised some good questions on the subject. That prompted me to think seriously about my own personal computing habits, my personal online exposure, and the ethics surrounding how all of these data touch points are used by total strangers for purposes over which I have little control. Being a Business Intelligence professional as well, this raised a mirror to my face.
My first step was to take stock of my own online habits and digital exposure. I have resisted convergence for years, so I’m not nearly as connected as others may be. Still, I was shocked at how wired-in I really am, and how potentially exposed. For purposes of this discussion, I present a short list. I may as well be honest about it. It is all out there already.
- Social Media (personal): Facebook and Quora
- Social Media (professional): LinkedIn and Facebook
- Email: A personal account, one for my firm, and at least one at each of my clients
- Instant Messaging: Skype
- Blogging: WordPress
- Online data storage: Amazon S3 and DropBox
- Active online vendors (one or more purchases per month): 5
- Periodic online vendors (one or more purchases per year): ~30
- Devices: Smartphone and iPad
- Web sites: One for my firm as well as a family site
- Online banking and investment data
That is a lot of digital me in cyberspace. And while there is no clear legal definition for digital privacy yet, I have my own ideas about what it should be. First, this is my content and it belongs to me. Consequently, it should be mine to control and to decide how it is used and shared, and who may use and share it. For those services for which I pay, this goes without saying. Not so for the majority of these digital relationships. These are the free ones, with the services deriving their income from advertising or other means. This means that in exchange for the free service from which I derive value, I give up some measure of privacy. And that is the crux of the matter. What is that measure? How do I trust that each of these services will make ethical use of my personal information? Where will each of them draw the line?
The answer, of course, is that each entity draws its line in a different place, and not always where one would expect or desire. Here are three examples.
Congress passed the Electronic Communications Privacy Act (ECPA) in 1986 to protect electronic communication such as email from being accessed by law enforcement without a judicial warrant. But the Act was written for the technology of the time, and Federal law enforcement agencies have not had to play by the rules you and I would expect today. Any electronic communication older than 180 days is subject to subpoena without a warrant, bypassing any requirement of probable cause. Any more recent mail that is opened, as well as email drafts, are included. Warrants are required only for email that is both unopened and less than 180 old and in this day and age, there is no such thing. The case of former CIA Director David Petraeus is a perfect example of the consequences of such unregulated access, which resulted in the destruction of careers and relationships. The good news is that Senator Patrick Leahy introduced a bi-partisan amendment to the ECPA in March that will require a judicial warrant for any email. It is a step in the right direction, but it is not law yet.
Social Media as Big Brother
On October 1, 2012 a new law went into affect in Maryland prohibiting employers from being able to require that applicants or employees turn over personal social media credentials. This came following discovery that a government agency had made it a mandatory condition of employment. Unfortunately, the legislation does not extend to students at either public or private educational institutions. The practice is particularly widespread in collegiate athletics, where athletes are often required to “friend” a coach or advisor, who is then responsible for monitoring their online lives. In some cases, they are required to divulge their account passwords. It is an outrageous violation of first amendment rights just by itself. It is also a violation of the Terms of Service for most social media services. While many states are following Maryland’s lead, we are far from securing our digital privacy on this front.
Google vs. CNIL
When Google first announced the consolidation of its security policies in early 2012, cries of Foul! went up all over, but no louder than in Europe. CNIL, the French data protection commissioner, agreed to take the lead for the European community to investigate the implications and legality of the changes. “By merging the privacy policies of its services, Google makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service. As such, Google’s new policy fails to meet the requirements of the European Data Protection Directive (95/46/CE) regarding the information that must be provided to data subjects. Google should supplement existing information with processing- and purpose-specific information.” Google unilaterally implemented the changes in March 2012 as planned, and has yet to materially address the European concerns. In the latest development, individual countries are launching their own independent actions. Here again, we come down to a vague line of trust that the stewards of our personal information are respecting our rights.
What is interesting about these three examples is that while highlighting the legal and ethical fuzziness of what personal digital privacy is, in all three cases we are talking about the good guys. These are not the criminals who hack into our accounts, steal identities, and wreck mayhem. These are our service providers, our law enforcement officials, our governments, and our educational institutions. What is our digital vulnerability from the bad guys? They do not need our putative permission (passive or otherwise) to look into and disrupt our lives. If they can hack into the Pentagon, they can certainly hack me. And it doesn’t take much of a geek to track my IP and know whether I’m in San Francisco or Sequim.
So what does this mean for those of us who are practitioners of Business Intelligence? In many respects, we are integrally entwined in this debate. Especially as we march into the future of Big Data computing, we will be dealing increasingly with unstructured data, mining it and monetizing it for the benefit of our clients and employers. As we do so, we will be forced to draw our own ethical lines with regard to what we know about individual people and what we do with that knowledge. That is a huge responsibility and the lines are both delicate and vague. Let me illustrate with two more examples.
I enjoy the “anonymity” of shopping online. It is fast, convenient, and offers a range of options impossible in a conventional store. But every single click is being tracked. Every item I look at is being recorded (irrespective of my reasons for doing so). Everything I purchase is remembered. Does this bother me? Well, no and yes. As long the retailer is using the information only to sharpen my experience and build my loyalty, then it doesn’t. If that information is being used in some other way, or is being shared, then I most certainly do mind, particularly because the profile might be harmfully erroneous. My shopping and buying habits could be easily and, frankly, seriously misconstrued. That brings me to my second example.
I never click through the ads on Facebook, even if something interests me. But I don’t ignore them either. I am fascinated by what Facebook thinks it knows about me. For instance, FB knows that I play the piano and so I see ads for shady “get proficient quick” piano lessons. It has not figured out that I have a degree in piano performance, which indicates that FB may not be using my profile data. It knows that I have some hair loss so I see a persistent ad for a spurious miracle cure. It knows that I visited a particular web site in early February looking for the perfect Valentine’s Day gift and now there is an ad from that retailer suggesting that I need some “summer flirt factor.” During the elections last year, FB thought it knew my political party. It was 100% wrong.
So here’s my point. The danger to me – and to all of us – is not just when and how my data are being used, but also how they are being interpreted. I’m inclined to be forgiving for now because my relationship with my online providers is symbiotic and none have crossed the line as far as I know. Besides, the imp in me thinks it is hysterical that FB has me pegged as a bald female libertarian. And yet, is that really so funny? It demonstrates just how easy it is to reveal facts that are inappropriate or that could lead to incorrect or even harmful conclusions. I think it is vital for all of us to be aware of and participate in the digital privacy debate, and continually examine our own ethical compass. I think we need to be cognizant, informed, and proactive in both our personal online practices as well as our professional lives. I think we need to be ready to act when that line is crossed and our personal information ceases to be our own.
I put it to you. What steps do you already take to secure your personal information and protect your online footprint? More important, what steps can we all take now to raise the profile of this debate in our industry?