My Photo
Location: Ottawa, Ontario, Canada

Monday, August 23, 2010

Cavoukian rightly warns but more privacy isn’t the solution

Policy makers should take heed of the warning from the Ontario Information and Privacy Commissioner that personal information is already flowing so freely on the Internet and technology is advancing at such a pace that privacy rights legislation “can no longer keep up”.

Ann Cavoukian’s clarion call is, however, not new. Technology specialists and policy wonks have been saying the same thing for the better part of a decade but few legislators have offered much more than token measures of protection. Each time new steps appear to gain ground, newer technologies put privacy further at risk. It is an unwinnable game.

Can we shackle technology development to protect our privacy? No. Can policy makers be reasonably expected to be out in front of new technologies? No. Cavoukian’s response, embodied in Privacy by Design, would make everyone responsible for the privacy of everyone else. No matter how well intended, I believe this would ultimately lead to bad public policy.

I may be in the minority but nevertheless I’ll say it anyway. Privacy isn’t the solution. It is the problem.

Privacy isn’t a right like the right to air, water or food but a modern claim on the state by those who want to benefit from society but remain isolated from it. A lack of privacy in fact can contribute quite positively to community life. It can help develop social capital and knit us together.

If it’s a given, as Cavoukian suggests, that technologies will continue to evolve in ways that increasingly connect people to the world, then our current concept of privacy, which involves each of us living behind impenetrable walls that no one can see through, will inevitably become eroded. So what? Good riddance, I say.

Fifty years ago people had no such concept, let alone any such expectation. It was accepted that family, friends and neighbours would unavoidably learn about what went on in our lives even as we would learn about what went on in theirs. This had its downsides but also its upsides. The lack of privacy certainly had its embarrassing moments when things we’d rather have kept secret got out, but it was a good thing when we were in trouble and needed help. It was good for building friends and neighbours. So it was back then that a lack of complete privacy was simply the accepted price one paid for living together with other people. Absolute privacy was guaranteed only for hermits and recluses.

But, you say, what about all those nasty people who might invade our privacy and cause us harm – they could steal from us, defraud us, libel or slander us, assault us or our families and sometimes even direct hate at us? Don’t we have an expectation, a right even, that we will be protected from such invasions of our privacy?

The hard truth is no. No society, no government can guarantee that no harm will ever come to its citizens. What they can guarantee, however, is a fair system of consequences for those that do cause harm to others, the cornerstone of which is that someone has to be proven guilty of misconduct. Over many hundreds of years we have developed a complex system of laws to deter both those who may harm us and those who might make false accusations of wrongdoing. (For those uninformed of history, it was to seek protection from arbitrary accusation, arrest and seizure that much of our system of justice evolved.) Although we can convict specific people in abstentia, we can’t convict unidentified people.

In addition to our legal system, we have also created, in Canada at least, a system of dealing with convicted wrongdoers that is considered by and large to be fair and humane. Therefore, we need to keep in mind that both our legal and justice systems are already in place to deal with Internet crime regardless of what new technology gets created or how far computers can reach across cyber space.

If we don’t need new laws to combat online crime, why then is it that only 2% of online crimes ever reach a conviction ? The simple answer is privacy itself. In our modern obsession to create electronic walls around ourselves in the name of privacy, we have succeeded in creating an online space where individuals can act anonymously. This has occurred in part because of the cowboy legacy of the early Internet days but more recently it is because of government reluctance to alter policies that in effect provide huge incentives to commit crimes online. Governments have bought into the notion that perfect privacy is somehow achievable in our technology mediated society. And so they have contributed to the creation of risk-free spaces in which people can say anything and do anything without much fear of social consequences.

Added to this are the immense and tantalizing rewards dangled in front of criminals as a result of being able to reach out to billions of people. A .01% success rate in a global Internet scam might yield millions of dollars without ever having to raise a gun or worry about pursuit. It’s no wonder that classic criminal organizations and even nation states are turning to what in the past was considered “white collar crime”. For criminals the Internet is the new gold rush. According to the FBI, the worldwide cost of Internet crime in 2004 was $400B -- a figure that is growing dramatically. Last year in the US alone cyber crime was up 22% over 2008, according to the US Internet Crime Complaint Center, resulting in over half a billion dollars in financial losses.

Isn’t this an argument to strengthen the underpinnings of privacy even more? No. The more individual privacy is strengthened, the more the privacy and the anonymity of criminals are strengthened. Can’t we set up a system where only governments can have access to our information, presumably because we trust them, and criminals can not? Not really. Privacy is privacy. If you’re totally private then you’re not sharing information with friends and family, with the businesses you like, with doctors and hospitals, with your bank, etc. Any database can be hacked and the more concentrated with personal information a database becomes, the more attractive it becomes as a target. In the end, you can’t be partially private any more than you can be partially pregnant. And if you can have perfect privacy and anonymity, then so can criminals.

Besides, even if we could be partially private, a society where governments can know everything about us but we can’t know anything about anyone else, or about government itself for that matter, is not a society most of us would relish living in, as George Orwell so aptly described. Paradoxically, the solution to the privacy issue can only come from increasing individual transparency while complementing it with increases in government transparency. People must ultimately have an ability to see who has harmed them – whether they are criminals, organizations or governments – in order to apply existing legal remedies. This requires more transparency not more privacy.

If privacy is not necessarily a good thing and the lack of privacy is not always a bad thing, then where’s the problem? The problem lies with the harm that a lack of privacy can facilitate from people who can act anonymously. It’s the very asymmetry in the online relationship that is the problem. Criminals can know who we are without us knowing who they are. If, on the other hand, we can create a system in which online activity can not be conducted anonymously, then if someone does do something bad to us (and let’s face it there will always be such people) then the appropriate laws and punishments that are already in place and ready to be applied. Right now this is not the case. People can hide quite successfully online -- despite what popular crime dramas might suggest.

Is such a lack of online anonymity even possible? Absolutely! Every organization with a private intranet knows this. Every user is unambiguously identified and all their actions through their computer can always be traced back to them. In such environments, very few sane people are willing to roll the dice and hope that they won’t get caught. Can the intranet experience be applied more broadly? Yes. The only requirement is to link every person (no exceptions) to a unique online identifier, such as an online equivalent of a social insurance number, so that when you use any computer your actions can be traced back to you and only you.

“Therein lies the rub”, as the Bard would say. Many people like their anonymity. They like to pretend they are someone else online. They like to do things online that they wouldn’t do in the company of their family and friends. They may also fear social censure so they engage in make believe through online aliases and virtual personalities. And unfortunately, some people also like to take advantage of others. What this appears to add up to is that a significant segment of the population would still like to live their lives as irresponsible juveniles and not as mature adults behaving with a clear understanding of their obligations as members of a community. Unfortunately, to change this politicians would probably offend many people, something they are unlikely to do no matter how much good might come of it.

Besides requiring more individual maturity, a more transparent online experience would also require communities to step up their levels of tolerance so that the behaviours of some members, which might be considered unpopular but otherwise harmless, can be accommodated. Some societies, most notably the Japanese, have evolved a sort of polite social blindness when it comes to the behaviours of individual members. Why can’t we?

Cavoukian’s warning about privacy is neither the first nor the last. I believe we should heed it today rather than stick our heads in the sand and pretend everything will work out on its own. But if we choose to act, we shouldn’t get caught up believing the lack privacy is really the problem. The real problem is the harm generated by people who can act with impunity because of their online anonymity. To deal with this, requires more transparency not less, and less anonymity not more for every Internet user -- no matter where they might be located. Only then can we expect the rules of fairness and justice to apply.


Post a Comment

<< Home