The Privacy Paradox

Ever since the Edward Snowden revelations began last spring, the problem of privacy has become big business, possibly eclipsing Big Data for space in the technology feeds.  Almost daily, one or more articles opining on the issue crosses my inbox.  Some of these are thoughtful and relevant while others are irrational and useless.  The point is that Privacy is on everyone’s mind these days.  The concern is global and may well become the top moral and ethical question of this century.

Part of the problem of privacy is the definition of the word. Let us consult my trusty unabridged English dictionary (Copyright © 1987 by Random House, Inc.).  Privacy: noun 1. the state of being private.  2. the state of being free from intrusions or disturbance in one’s private life or affairs.  This does not help much, does it?  Even as a public understanding of the word, the meaning is pretty vague.  (NOTE:  See Dialectic for my definitions of public and guild meanings.) Looking up the base word adds little.  Private:  adjective 1. belonging to some particular person 2. pertaining to or affecting a particular person or a small group of persons 3. confined to or intended only for the persons immediately concerned 4. personal and not publicly expressed 5. not holding public office or employment 6. not of an official or public character 7. removed from or out of public view or knowledge 8. etc.  Even the derivation is unhelpful:  L. privatus, private.

But even though the official definition of the English word is fraught with vagueness, we all have some shared understanding and belief about what it means.  For purposes of this essay, I will take the following definition as our axiom.

I cobbled this definition together from ideas in several recent articles on the topic.  However, in order to be able to use it as an axiom, we should first examine some of the key assumptions it contains.  These include:

  • Generally understood:  This assumes that most cultures recognize some form of human rights for all people.  This definition does not stand where such is not the case.
  • Some data:  This assumes that there are data about us that we cannot reasonably expect to be private by this definition.
  • Data:  By data I mean raw facts without context, as well as contextualized facts (information).
  • Personal lives:  It is not reasonable to assume that any aspect of our lives outside of our immediate sphere of influence (essentially, anything that touches another human being directly) can be totally private.
  • Accessed forcibly:  We can realistically expect these data not to be forcibly accessed in a reasonably free and/or democratic society.
  • Or surreptitiously:  In theory this should be the same as the last point, right?
  • Just cause:  This depends on the laws, customs, and social mores of the specific society involved.

As you can see, in highlighting a few assumptions, we have taken a definition with indistinct edges and blurred them further just by looking more closely. If we were to poke at the word “surreptitiously” a bit further, things would go even more out of focus.  It is a slippery word in and of itself, and how businesses and governments collect information about us without our tangible awareness (and explicit consent) is almost infinite in its variation.

So given that we are working with an unclear and nearly indefinable concept from the start, how does one go about proposing reasonable public policy to govern privacy in the age of electronic information? My thesis is that we cannot, at least in the short term.  For purposes of this essay, let us consider this question purely from the standpoint of the United States of America since it was revelations of that country’s espionage that reshaped this debate.  Surprisingly, using the Constitution of the United States as a starting point is little help.  It is challenging not only because all relevant language in both that document and the twenty-seven amendments was written before the inception of the Internet, but also because the language is contradictory.  The Constitution specifically makes provision to provide for the common defense in the form of “calling forth the Militia to execute the Laws of the Union, suppress Insurrections and repel Invasions.” These are words written more than two hundred years ago and consequently bring us back to creating contemporary definitions of words such as Militia and Invasions.

In direct conflict with this provision stands the Fourth Amendment.  This states:  The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.  Again, the language is archaic and does not address electronic information directly.  Clearly, though, the US Government (through the NSA) believes that its present-day interpretation of the common defense provision trumps the Fourth Amendment, and has surreptitiously equipped itself to support that position (e.g., the United States Foreign Intelligence Surveillance Court, established by the Foreign Intelligence Surveillance Act of 1978 or FISA).

Therein lies the paradox of privacy.  In order for the U.S. Government to protect its citizens from the forces that putatively would take away those rights to privacy, it must itself violate those rights – or so it would seem.  On the surface, that violation is reasonably benign insofar as the information being collected is considered metadata (data about data) rather than content.  Or is it?  First of all, the government justifies its right to collect telephone metadata with impunity because of a controversial 1979 Supreme Court ruling (Smith v. Maryland) invoking the “third party doctrine,” meaning that when we dial the telephone, we are willingly giving up these data to the phone company which, in effect, revokes any reasonable right to privacy.  The ruling implies that the Fourth Amendment protects only the content of the phone call.  But because the Federal Government has collected the call metadata in bulk, call patterns can reveal scenarios that may or may not be what they seem.

Bear in mind, though, that the same principle (and paradox) applies to Internet service providers and online retailers.  We willingly allow them to store metadata about our browsing habits, shopping habits, and social networking habits.  And it is abundantly clear that these businesses are using them to enhance the efficiency of their sales and advertising revenues as much as to enhance our Internet or online shopping experiences.  In fact, the average U.S. citizen has given up much more personal information to these online businesses than the Government has collected thus far.  Nevertheless, we are truly in the infancy of this world and we have no idea yet where this will lead us.  Can we trust these online concerns to be guardians of our data?  What happens when these data are stolen (e.g., Target during December 2013)?  What happens when the Government subpoenas these data?  Is personal privacy dead?

These are not questions that I can answer here, nor are they likely to be answered anytime soon.  I do not think that there will ever be a nice, crisp syllogism capable of logically expressing a solution to the privacy paradox.  It is the natural dissonance between the individual and society that has in one form or another always existed, but that has now been exacerbated by our wired existence.  The good news is that as human beings, most of us are able to reason beyond paradoxes.  This is often accomplished by changing the semantic concept of a statement or situation.  In the case of a linguistic paradox, that is fairly simple.  For instance, the statement “Everything I say is a lie” is clearly a linguistic construct and easy to defuse.  A real world paradox such as the dissonance between “the common defense” and “the right of the people to be secure in their persons, houses, papers, and effects…” is more difficult but not impossible to manage.  I think it requires a combination of individual and societal integrity.

  • Question everything.  Individuals and societies alike must continue to ask and re-ask these fundamental questions about privacy in the electronic information age.
  • Act with savvy.  In the age of electronic information, there is no excuse for ignorance about the medium.  The Internet is the most self-instructive institution in human history.  Consequently, it is the responsibility of every person engaged in using the Internet to understand it as well as the consequences of divulging personal information to a third party.  As soon as you hit Enter, it is no longer within your control.
  • Demand integrity.  Never have so many people known so much about each other.  Individuals as well as companies and governments have access to troves of data about each other not even thinkable a mere thirty years ago.  We have an obligation to act with integrity and to demand the same integrity of the individuals and institutions with which we share our data.

I am convinced that personal privacy will be the defining issue of the 21st Century.  Most of our notions of privacy have changed forever.  Our easy electronic access to information, content, goods and services comes with a price.  That price is that a significant portion of our personal information is now a commodity to be used, abused, or exploited by people and organizations outside our knowledge or control.  During the course of the next ninety years, I expect this dissonance between the individual and organizations to come to a point of crisis.  The genie has been out of the bottle for some time; Edward Snowden has merely shone a light on the abandoned bottle along with some footprints in the sand.  I do not have the answer, but I know that the solution to the privacy paradox will require more than public policy.

Do you agree that personal privacy is one of the defining issues of the age?  Short of eschewing our online lives, what can we do to protect our personal data?

Here are some links to interesting and important articles on the topic.

Here’s Looking at You, Kid

In my last article, I mentioned that our ability to mine unstructured data presented some new issues with respect to digital privacy.  This resonated for one of my readers who raised some good questions on the subject.  That prompted me to think seriously about my own personal computing habits, my personal online exposure, and the ethics surrounding how all of these data touch points are used by total strangers for purposes over which I have little control.  Being a Business Intelligence professional as well, this raised a mirror to my face.

My first step was to take stock of my own online habits and digital exposure.  I have resisted convergence for years, so I’m not nearly as connected as others may be.  Still, I was shocked at how wired-in I really am, and how potentially exposed.  For purposes of this discussion, I present a short list.  I may as well be honest about it.  It is all out there already.

  • Social Media (personal):  Facebook and Quora
  • Social Media (professional):  LinkedIn and Facebook
  • Email:  A personal account, one for my firm, and at least one at each of my clients
  • Instant Messaging:  Skype
  • Blogging:  WordPress
  • Online data storage:  Amazon S3 and DropBox
  • Active online vendors (one or more purchases per month):  5
  • Periodic online vendors (one or more purchases per year): ~30
  • Devices:  Smartphone and iPad
  • Web sites: One for my firm as well as a family site
  • Online banking and investment data

That is a lot of digital me in cyberspace. And while there is no clear legal definition for digital privacy yet, I have my own ideas about what it should be.  First, this is my content and it belongs to me.  Consequently, it should be mine to control and to decide how it is used and shared, and who may use and share it.  For those services for which I pay, this goes without saying.  Not so for the majority of these digital relationships.  These are the free ones, with the services deriving their income from advertising or other means.  This means that in exchange for the free service from which I derive value, I give up some measure of privacy.  And that is the crux of the matter.  What is that measure?  How do I trust that each of these services will make ethical use of my personal information?  Where will each of them draw the line?

The answer, of course, is that each entity draws its line in a different place, and not always where one would expect or desire.  Here are three examples.

ECPA

Congress passed the Electronic Communications Privacy Act (ECPA) in 1986 to protect electronic communication such as email from being accessed by law enforcement without a judicial warrant.  But the Act was written for the technology of the time, and Federal law enforcement agencies have not had to play by the rules you and I would expect today.  Any electronic communication older than 180 days is subject to subpoena without a warrant, bypassing any requirement of probable cause.  Any more recent mail that has been opened, as well as email drafts, is included.  Warrants are required only for email that is both unopened and less than 180 days old, and in this day and age, there is no such thing. The case of former CIA Director David Petraeus is a perfect example of the consequences of such unregulated access, which resulted in the destruction of careers and relationships.  The good news is that Senator Patrick Leahy introduced a bi-partisan amendment to the ECPA in March that will require a judicial warrant for any email.  It is a step in the right direction, but it is not law yet.

Social Media as Big Brother

On October 1, 2012 a new law went into effect in Maryland prohibiting employers from requiring that applicants or employees turn over personal social media credentials.  This came following discovery that a government agency had made it a mandatory condition of employment.  Unfortunately, the legislation does not extend to students at either public or private educational institutions.  The practice is particularly widespread in collegiate athletics, where athletes are often required to “friend” a coach or advisor, who is then responsible for monitoring their online lives.  In some cases, they are required to divulge their account passwords.  It is an outrageous violation of First Amendment rights just by itself.  It is also a violation of the Terms of Service for most social media services.  While many states are following Maryland’s lead, we are far from securing our digital privacy on this front.

Google vs. CNIL

When Google first announced the consolidation of its security policies in early 2012, cries of Foul! went up all over, but no louder than in Europe.  CNIL, the French data protection commissioner, agreed to take the lead for the European community to investigate the implications and legality of the changes.  “By merging the privacy policies of its services, Google makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service.  As such, Google’s new policy fails to meet the requirements of the European Data Protection Directive (95/46/CE) regarding the information that must be provided to data subjects.  Google should supplement existing information with processing- and purpose-specific information.”  Google unilaterally implemented the changes in March 2012 as planned, and has yet to materially address the European concerns.  In the latest development, individual countries are launching their own independent actions.  Here again, we come down to a vague line of trust that the stewards of our personal information are respecting our rights.

What is interesting about these three examples is that while highlighting the legal and ethical fuzziness of what personal digital privacy is, in all three cases we are talking about the good guys.  These are not the criminals who hack into our accounts, steal identities, and wreak mayhem.  These are our service providers, our law enforcement officials, our governments, and our educational institutions.  What is our digital vulnerability from the bad guys?  They do not need our putative permission (passive or otherwise) to look into and disrupt our lives.  If they can hack into the Pentagon, they can certainly hack me.  And it doesn’t take much of a geek to track my IP and know whether I’m in San Francisco or Sequim.

So what does this mean for those of us who are practitioners of Business Intelligence?  In many respects, we are integrally entwined in this debate.  Especially as we march into the future of Big Data computing, we will be dealing increasingly with unstructured data, mining it and monetizing it for the benefit of our clients and employers.  As we do so, we will be forced to draw our own ethical lines with regard to what we know about individual people and what we do with that knowledge.  That is a huge responsibility and the lines are both delicate and vague.  Let me illustrate with two more examples.

I enjoy the “anonymity” of shopping online.  It is fast, convenient, and offers a range of options impossible in a conventional store. But every single click is being tracked.  Every item I look at is being recorded (irrespective of my reasons for doing so). Everything I purchase is remembered.  Does this bother me?  Well, no and yes.  As long as the retailer is using the information only to sharpen my experience and build my loyalty, then it doesn’t.  If that information is being used in some other way, or is being shared, then I most certainly do mind, particularly because the profile might be harmfully erroneous.  My shopping and buying habits could be easily and, frankly, seriously misconstrued.  That brings me to my second example.

I never click through the ads on Facebook, even if something interests me. But I don’t ignore them either. I am fascinated by what Facebook thinks it knows about me. For instance, FB knows that I play the piano and so I see ads for shady “get proficient quick” piano lessons.  It has not figured out that I have a degree in piano performance, which indicates that FB may not be using my profile data.  It knows that I have some hair loss so I see a persistent ad for a spurious miracle cure. It knows that I visited a particular web site in early February looking for the perfect Valentine’s Day gift and now there is an ad from that retailer suggesting that I need some “summer flirt factor.”  During the elections last year, FB thought it knew my political party.  It was 100% wrong.

So here’s my point.  The danger to me – and to all of us – is not just when and how my data are being used, but also how they are being interpreted.  I’m inclined to be forgiving for now because my relationship with my online providers is symbiotic and none have crossed the line as far as I know.  Besides, the imp in me thinks it is hysterical that FB has me pegged as a bald female libertarian.  And yet, is that really so funny?  It demonstrates just how easy it is to reveal facts that are inappropriate or that could lead to incorrect or even harmful conclusions. I think it is vital for all of us to be aware of and participate in the digital privacy debate, and continually examine our own ethical compass.  I think we need to be cognizant, informed, and proactive in both our personal online practices as well as our professional lives.  I think we need to be ready to act when that line is crossed and our personal information ceases to be our own.

I put it to you.  What steps do you already take to secure your personal information and protect your online footprint?  More important, what steps can we all take now to raise the profile of this debate in our industry?