First is the outrage at the extent of intrusion into our private lives. We all now know that internet searches, email, voice, SMS and security camera feeds are not safe from the prying eyes of the NSA, or any other country's security agency, should it need to know.
Second, what do ‘they’ really need to know – and who is ‘they’ anyway?
The NSA is one of the privileged and somewhat anonymous ‘they’ and plays the public interest trump card, saying that if it did not monitor ‘things’ terrorism would go unchecked, crimes would be unsolved, and the world would be a much worse place. This is a very hard argument to counter, especially in light of the Boston bombing, 9/11 and so many other avoidable tragedies.
Sadly, constant conditioning has made most decent people accept that privacy must have limits for the greater good.
So in my usual ‘101 for Managing Directors format’ let us look at global privacy issues and identify a smart approach. No, I do not have a solution but I like to get conversation rolling.
FACT: there is an average of 45 GB of information, a private dossier, on almost every person. It comes from:
- Mobile or fixed IP/MAC/IMEI address
- Computer used (OS and browser)
- Internet searches, pages visited, pages arrived from, pages going to (unless you anonymise your web habits, but cookies, toolbars, spyware and other methods like transparent GIFs can override privacy)
- What you are doing and where (calendar programs as well as Skype)
- Near Field Communication chips, ubiquitous in mobiles, act like an RFID chip for users
- TV (smart TV, set top box, Xbox, PlayStation or Foxtel – what and when you are watching) and more ominously Kinect/Wii etc., can tell who is watching.
- Location (via GPS chips in tablets and smart phones, but also by remarkably accurate phone tower triangulation)
- What you buy (linked to credit card or store or loyalty cards)
- People in your household (estimated by the size of the electricity or water bill) or Kinect
- Transport options (driver's licence, use of transit cards, credit cards, toll receivers)
- Physical whereabouts (facial recognition from the many security cameras as well as smart phone tracking)
- Address (Australia Post)
- Holiday travel preferences (passport, airline tickets, hotel bookings)
- Date of birth and ethnicity (and more obscure things like religion)
- Newspaper, magazine and electronic newsletter and “tip of the day” subscriptions
- Criminal or civil records (applying for loans)
- Medical and insurance data
- Falcon credit card fraud detection
- Passive collection
The only redeeming feature is that this information is spread over multiple providers such as telcos, banks, utility companies and government departments and, at present, is not LinkedIn (to use a bad pun).
The biggest threat to privacy is aggregation of this data and social media is trying very hard to become the aggregator.
Recently, Facebook was exposed as keeping secret dossiers on its users comprising information from third parties. We do not know, but suspect, that it was using your IP address as the ‘parent record’ to link up child records such as address, phone number, email, loyalty programs and more.
LinkedIn can build a profile of friends and six degrees of separation becomes a reality (that we are only ever six people away from anyone in the world – see Wikipedia article here).
Facebook, LinkedIn, Twitter, Google+, and more, encourage this behaviour in order to fill in knowledge gaps about you.
Scared? Concerned? Don’t give a damn because your life is so dull and boring (so stop reading)?
Angela Merkel, the formidable German Chancellor has called for unified data protection rules across Europe. She said that the NSA spying allegations had underlined the need for guidelines on European data protection – and for a similar agreement at international level.
“We want these companies to tell to whom they give our data. We have great German data protection laws, but Facebook is based in Ireland, so which law applies? We need unified European [data protection] regulation,” she said. (Note: EU member states have criticised the Irish Data Protection Commission as understaffed and accused it of being beholden to US multinationals.)
Fortunately, Angela usually gets what she wants, so strike one for the good guys. She has vowed to add a data protection protocol to the Universal Declaration of Human Rights (technically not the UDHR but the International Covenant on Civil and Political Rights or ICCPR) that protects the private sphere of individuals.
Angela also justified NSA surveillance, saying Germany remains a most loyal US ally. “German Federal Intelligence Agency cooperation with NSA took place within strict legal and judicial guidelines and is controlled by a competent parliamentary committee.” An oxymoron if ever I heard one.
Merkel stressed that intelligence “has always been, and will remain essential, for the security of citizens of democratic countries. A country without intelligence would be too vulnerable.”
“At the same time” she observed, “there must be a balance between maximum freedom, and what the state needs, to give its citizens the greatest possible security.”
Speechmaking aside (and there were frequent chants of “German PRISMers of war”), the concept of a Universal Declaration of Human Rights remains our best hope to stop this nonsense before it kills any vestige of privacy.
Forgive my scepticism: the ICCPR is a piece of paper, an important one at that, but it really has no teeth. What is infuriating is that Europe already has some of the better data protection laws, and the European Union should have the power to enact them across all member countries. Google, Facebook et al. chose Ireland allegedly based on secret deals to exempt their activities from the issues that could potentially cripple these questionable business models.
Now, back to privacy issues
ICCPR Article 17 states “no-one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence.” With more resolute prose, this could be strengthened to separate personal data from big data and to make it illegal to store data at a granularity that allows it to be tracked back to an individual user.
Using a fictitious loyalty card program as an example:
- It collects data when you join (name, address, email, social media accounts, DOB, gender and information about you like shoe, hat, waist size) that is used to target you with offers. You know this because you filled in a print or electronic form.
- Every week it emails you with an offer based on that information, e.g. men’s shoes because you are a man.
- As you shop, it builds a profile e.g. a preference towards business or casual, colours, etc.
- It refines the targeting over time to build a profile and starts to offer complementary products, or even products from other companies.
- It notes that you shop online and adds your IP address, confirms your location by reverse IP lookup, interrogates (buys, at its cost) your social media and, all of a sudden, you are exposed and receiving offers from everywhere.
A number of relatively easy safeguards must protect personal data:
- The owner (target) must know: what data is being collected (use); why it is collected; and when it is collected. A simple alert system would suffice.
- The owner should have the right to withhold any data without jeopardising membership or delivery of service e.g. ageist or sexist information.
- It must be stored in such a way that the owner can access it online at no cost and curate it, including deleting items, even where deletion may inhibit the collector’s ability to deliver the service.
- It must never be used outside the original collection purpose without the owner’s specific approval.
- It must never be sold, or linked to other third party databases.
- It must be automatically deleted based on a number of triggers: the original use is no longer relevant; the owner requests it at any time; it becomes stale after a certain period; the company is no longer in existence, e.g. data should not form a balance sheet asset.
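The safeguards above are stated as policy; they can also be read as a specification. The following is an added illustration, not code from the article, of how a data holder could build them into a personal-data store: every item carries its stated purpose and collection time, the owner is alerted at collection, use outside the original purpose is refused unless the owner has explicitly approved it, the owner can export and delete their own data, and items are purged on the listed triggers (purpose no longer relevant, owner request, stale after a retention period, company wound up). The class and function names, the retention period and the sample owner data are all made up for the example.

```python
"""Added illustration of the safeguards listed above (not the article's own
code). Names, retention period and sample data are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Item:
    value: str
    purpose: str            # why it was collected, as told to the owner
    collected_at: datetime  # when it was collected


class PersonalDataStore:
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.records: dict[str, dict[str, Item]] = {}      # owner -> field -> Item
        self.alerts: dict[str, list[str]] = {}             # owner -> alert messages
        self.approvals: set[tuple[str, str, str]] = set()  # (owner, field, purpose)

    def collect(self, owner, field_name, value, purpose, now):
        self.records.setdefault(owner, {})[field_name] = Item(value, purpose, now)
        # Safeguard 1: the owner is told what was collected, why and when.
        self.alerts.setdefault(owner, []).append(
            f"{now.date()}: collected '{field_name}' for purpose '{purpose}'")

    def approve(self, owner, field_name, purpose):
        # Safeguard 4: only the owner can extend the purpose, and explicitly.
        self.approvals.add((owner, field_name, purpose))

    def use(self, owner, field_name, purpose):
        item = self.records.get(owner, {}).get(field_name)
        if item is None:
            raise KeyError(f"no '{field_name}' held for {owner}")
        if item.purpose != purpose and (owner, field_name, purpose) not in self.approvals:
            raise PermissionError(
                f"'{field_name}' was collected for '{item.purpose}', not '{purpose}'")
        return item.value

    def export(self, owner):
        # Safeguard 3: the owner can see everything held about them, at no cost.
        return {f: (i.value, i.purpose, i.collected_at.isoformat())
                for f, i in self.records.get(owner, {}).items()}

    def delete(self, owner, field_name):
        # Trigger: the owner requests deletion at any time.
        self.records.get(owner, {}).pop(field_name, None)

    def retire_purpose(self, purpose):
        # Trigger: the original use is no longer relevant.
        return self._purge(lambda i: i.purpose == purpose)

    def purge_stale(self, now):
        # Trigger: the item is older than the retention period.
        return self._purge(lambda i: now - i.collected_at > self.retention)

    def wind_up(self):
        # Trigger: the company ceases to exist; data is not a balance-sheet asset.
        return self._purge(lambda i: True)

    def _purge(self, condition):
        """Delete every item matching condition; return how many were removed."""
        removed = 0
        for fields in self.records.values():
            for name in [n for n, i in fields.items() if condition(i)]:
                del fields[name]
                removed += 1
        return removed


def demo():
    """Walk one constructed owner through the loyalty-card scenario."""
    t0 = datetime(2013, 7, 1)
    store = PersonalDataStore(retention_days=365)
    store.collect("alice", "shoe_size", "38", "fit offers", t0)
    store.collect("alice", "email", "alice@example.invalid", "send offers", t0)
    result = {"offer_email": store.use("alice", "email", "send offers")}
    try:  # reuse for a purpose the owner never agreed to is refused
        store.use("alice", "email", "sell to partner")
        result["resold"] = True
    except PermissionError:
        result["resold"] = False
    result["stale_removed"] = store.purge_stale(t0 + timedelta(days=400))
    result["left"] = len(store.export("alice"))
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the `use` check is that purpose is stored with the data, not in a separate policy document, so an engineer cannot query the email column for a new campaign without the refusal being visible in code and in the owner's alert log.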
Because of the power of big data (and the falling costs of storage and processing), good data protection law should regulate the way in which data is collected in the first place, rather than simply concentrating on specific abuses. For that reason, it would make sense to introduce to the ICCPR a modern data protection protocol that explicitly protects people from abuses of both the real-time and potential varieties.
We need to define two new terms: one for data that identifies us, and one for data that does not. Perhaps for convenience small data and big data should be used in that context until we come up with a better alternative.
Small data is what we should all be worried about: which web sites were searched; which restaurants visited; which shows seen (online bookings); where you shopped; which services used (credit card); which cornflakes bought (loyalty programs); and so on.
Big data is not the concern if it is totally anonymised.
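The word that carries the weight in that sentence is "totally". As an added illustration (not from the article), the block below turns constructed loyalty-card rows (small data) into aggregate counts (big data) by dropping names, generalising exact dates of birth to ten-year age bands, and suppressing any cell with fewer than k people, because a count of one in a postcode and age band is just small data under another name. The row data, the k threshold and the function names are all made up for the example.

```python
"""Added illustration of the small data / big data distinction (not the
article's code). Sample rows, threshold k and reference year are constructed."""
from collections import Counter

# Constructed sample rows, as a loyalty program might hold them ("small data").
SMALL_DATA = [
    {"name": "A. Smith", "dob": "1980-03-02", "postcode": "2000", "item": "cornflakes"},
    {"name": "B. Jones", "dob": "1981-11-15", "postcode": "2000", "item": "cornflakes"},
    {"name": "C. Brown", "dob": "1983-06-30", "postcode": "2000", "item": "cornflakes"},
    {"name": "D. White", "dob": "1982-01-09", "postcode": "2000", "item": "cornflakes"},
    {"name": "E. Green", "dob": "1990-08-21", "postcode": "2000", "item": "muesli"},
    {"name": "F. Black", "dob": "1950-04-04", "postcode": "3000", "item": "cornflakes"},
]


def age_band(dob: str, year: int) -> str:
    """Generalise an exact date of birth to a ten-year band such as '30-39'."""
    age = year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(rows, k: int, year: int):
    """Aggregate rows into (postcode, age band, item) -> number of people.

    Direct identifiers (name) are never copied into the output. Cells with
    fewer than k people are suppressed rather than published, because such a
    cell still points at an individual. Returns (aggregate, rows_suppressed)."""
    cells = Counter(
        (r["postcode"], age_band(r["dob"], year), r["item"]) for r in rows)
    aggregate = {cell: n for cell, n in cells.items() if n >= k}
    suppressed = sum(n for n in cells.values() if n < k)
    return aggregate, suppressed


if __name__ == "__main__":
    agg, dropped = anonymise(SMALL_DATA, k=3, year=2013)
    for cell, n in sorted(agg.items()):
        print(cell, n)
    print("rows suppressed:", dropped)
```

With k=3 only the four-person cornflakes cell survives; the single muesli buyer in postcode 2000 and the single 60-69 shopper in postcode 3000 are dropped, which is the cost of "totally" anonymised. Setting k=1 publishes every cell and re-creates the small data the aggregation was meant to remove.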
Unfortunately, the NSA PRISM issues will not be so easily solved, but if all people have an enshrined curatorial right to their data then we are on the right path.