Much of the discussion on privacy is premised on the implicit imposition of a private-property model on data or information that is subject to control/consent. This could have worked when all we were dealing with were relatively simple data like a social security number or an address. But the really interesting data are transaction-generated data (TGD). These necessarily involve more than one person. How can I give or not give consent to the use of my TGD, when multiple entities have been involved in its production?
Privacy is a subjective thing. Some of it is from the inside of the individual; some is social. It’s not immutable. It’s not the same across societies. Now after Yudhanjaya’s reflection on the Chinese social credit system, we are more interested than ever in what is going on in China.
I have been a fan of Daniel Solove’s approach to privacy, where he foregrounds actual harms suffered by individuals rather than derive remedies from abstract principles. I have often said that the informed-consent model is of zero value when people find that their personally identifiable information stored by an organization has been stolen. The US Federal Trade Commission has called for comments on informational harms or injuries. I am tempted to respond. Would if there were 28 hours in a day.
Governments should not be flying blind. Now the tools of big data are available to reduce their ignorance. But we will not be able to use big data effectively if the narrative is dominated by utopian hype and dystopian scare mongering. For that we need effective, fit-for-purpose public public policy and regulation for big data (including algorithms), not remnants of 1970s thinking such as informed consent and strict purpose specification. For example, the above shibboleths do not provide any remedy for the real harms of lack of security of data storage.
Linnet Taylor correctly points out that US case law does not have applicability outside the US. However, the third-party doctrine set out in the Smith v Maryland case differentiated between transaction-generated data on a telecom network and the content of what was communicated. Now there’s likely to be a different governing precedent, for those under US law: The Supreme Court agreed on Monday to decide whether the government needs a warrant to obtain information from cellphone companies showing their customers’ locations. The Supreme Court has limited the government’s ability to use GPS devices to track suspects’ movements, and it has required a warrant to search cellphones. The new case, Carpenter v.
The second panel was on digital rights and multistakeholderism. I did not think there can be much debate about a Rorschach inkblot so I devoted only one slide to it and made some passing comments, which still managed to elicit some response from the people who live under the protection of the concept. Digital rights was where the robust exchange occurred. Not because of the relatively uncontroversial issue of governments being prevented from arbitrarily shutting down the Internet and the underlying telecom networks that I proposed. But it was because one of the panelists proposed the wholesale importation of the European data protection regime and rights such as the “right to be forgotten.
I’ve been working on privacy since 1991. I guess when one has been engaged with a subject deeply, one escapes the bubble effect: that of believing that one particular issue/value is paramount. But I interact with many people now, who seem to think that privacy is a paramount value even if some of the “safeguards” they want to put in place would basically make it impossible to use big data for the public good. Humans understand through analogical reasoning. So perhaps understanding about what we want to do with big data for the public good can be understood by this analogy with medical research using leftover materials from medical procedures?
Preparing for a session of the Privacy Advisory Group of UN Global Pulse and the UN Privacy Policy Group on 17-18 April, I had cause to reflect on some moves to develop new definitions (sensitive data, meta data and micro data). I may change my mind after listening to the deliberation, but here’s my starting position: Definitions are developed with some purpose in mind. A definition that is appropriate for one purpose may not be useful for another. Definitions embody assumptions and agendas. I believe that personally identifiable information (PII), a venerable category of data deeply embedded in privacy theory and practice is the only category of data requiring hard protection.
I have been impatient with people who think that inform-and-consent is the end all of privacy. One of the actual greatest dangers is personally identifiable information being stolen from service providers by hackers. This is a real privacy harm. I have not gone into the details of the FCC’s decision and its competitive implications. But it’s worth knowing they were paying attention to real privacy harms.
Europe has been the fount of data protection absolutism. Not a problem for anyone else but countries such as Thailand and Indonesia are well on the way to model their legislation on the European model. But Chancellor Merkel has seen that the absolutist approach poses dangers to European consumers and businesses as well. Europeans are famous for banning things, Merkel said. These bans are put in place for good reason, she said, but can be damaging if taken to excess.
I hope to write more about the insightful discussions at the workshop convened by LIRNEasia and CIS. For now, here are the slides I used to frame the discussion on Harms from Surveillance, (In)security, and impacts upon Privacy and Competition. Image source.
The 4th Circuit Court of Appeals upheld what is known as the third-party doctrine: a legal theory suggesting that consumers who knowingly and willingly surrender information to third parties therefore have “no reasonable expectation of privacy” in that information — regardless of how much information there is, or how revealing it is. Research clearly shows that cell-site location data collected over time can reveal a tremendous amount of personal information — like where you live, where you work, when you travel, who you meet with, and who you sleep with. And it’s impossible to make a call without giving up your location to the cellphone company. “Supreme Court precedent mandates this conclusion,” Judge Diana Motz wrote in the majority opinion. “For the Court has long held that an individual enjoys no Fourth Amendment protection ‘in information he voluntarily turns over to [a] third part[y].
That’s title of a report Sriganesh Lokanathan and I completed for the New Venture Fund. Here is an extract from the executive summary. Much of the discussion of the socio-economic implications of behavioral data has focused on the inclusion of more citizens and more aspects of their lives within the sphere of control enabled by pervasive data collection. Effective public policy rests on good information about problems and the efficacy of the deployed solutions. Governments obtained such information through National Statistical Organizations (NSOs) in the 19th and 20th Centuries.
Daniel Solove’s work forms the basis of our recent analyses of big data privacy. It is impressive that he pulls together a comprehensive analysis of the implications of the passing of Justice Scalia for the third-party doctrine within a day. Justice Scalia’s opinion in Jones actually provides very little protection against government location tracking. Only the physical affixing of a GPS device to a car violates the 4th Amendment according to his view. But under the third party doctrine, the government can readily obtain GPS data from third parties that provide GPS services without a physical trespass to the car.
As befitting an article on BIG data, the writer of this piece, done for Center for Internet and Society, is liberal with superlatives. A colossal increase in the rate of digitization has resulted in an unprecedented increment in the amount of Big Data available, especially through the rapid diffusion cellular technology. The importance of mobile phones as a significant source of data, especially in low income demographics cannot be overstated. This can be used to understand the needs and behaviors of large populations, providing an in depth insight into the relevant context within which valuable assessments as to the competencies, suitability and feasibilities of various policy mechanisms and legal instruments can be made. However, this explosion of data does have a lasting impact on how individuals and organizations interact with each other, which might not always be reflected in the interpretation of raw data without a contextual understanding of the demographic.
I first talked about the competitive issues of big data at the 2013 IGF in Bali. In actual fact the competitive implications of a subset, utility customer information, were discussed back in 1992. But it was rare to think that there was anything to talk about other than privacy. Finally, the message seems to be getting through. The concern is that while data can give a business competitive advantage, unique treasure troves of data can provide one player with unique insight and, potentially that can be translated into market power.