On Data Security and the Death of Privacy

 

By Nicholas Gerovasilis

 

In 1890, with the advent of the flexible film camera, Supreme Court Justice Louis Brandeis co-wrote an article in the Harvard Law Review in which he lamented the growing threat to privacy. Over a century later, with the rise of ATMs and the Internet, TIME magazine declared “The Death of Privacy”. A decade on, in 2010, Eric Schmidt, Steve Jobs and Mark Zuckerberg repeated this aphorism.

There is no doubt that the arc of history has inexorably bent towards individuals sharing more and more information. Companies collect data on our political engagement, our consumer habits, and even our whereabouts. Many of us don’t even know what information we are giving up. We are far too time poor, and far too apathetic to read “terms and conditions” documents that set out the demise of our privacy in size 6 font.

The far more important question then is “How important is our privacy?” For young people, at least, the answer seems to be, not important at all. Even if we are often not explicitly aware of the manner in which companies collect data on us, our active participation in these forums is at least suggestive of a revealed preference for better and more targeted services over enhanced privacy. Ultimately, the benefit of privacy lies in two things: the instrumental value feeling safe, and the agency to separate our private and public spheres, as we desire. It follows that it is perfectly reasonable for individuals to believe that sharing more about ourselves is eminently worth a more tailored and meaningful online experience.

No doubt there is a price to pay for our willingness to share more. The hacking of dating website Ashley Madison in 2015 highlights this. However, there is good reason to suggest that this incident was largely the result of poor data security by the company. Government oversight and regulation have an important role to play in this space. Policies, like that enacted in Europe, which give users the right to demand information held by companies about them, and for that information to be deleted, are also useful responses.

However, many governments have capitalised on this perceived indifference towards privacy. When cocaine dealer Antoine Jones objected to having a GPS placed without a warrant on his vehicle, the Obama administration challenged his fundamental entitlement to privacy. It argued that American citizens do not have a “reasonable expectation of privacy” when they’re in the public square, whether it’s their driveways, their front lawns, or even e-mails sent through public networks. If accepted, this is concerning, because it belies the notion that we ought to be in control of our privacy, and cede it for our own utility.

Likewise, with the increasing sophistication of terror networks, governments are seeking unprecedented access to user data. To be clear, telco companies should assist authorities wherever it is possible. The obligation is precisely analogous to the obligation on any private individual or business to help law enforcement. It is this premise which governments have rhetorically emphasised in justifying these laws. However, this is the status quo. What is being proposed is far beyond this. Devices are presently designed to encrypt communications on an end-to-end basis, such that they are protected even from telco companies themselves. For governments looking to disrupt terror networks, navigating this encryption is not as simple as information sharing between telcos and authorities. Facilitating law enforcement’s access to this data would effectively require a fundamental shift in the way in which companies protect their users’ communications. In other words, re-designing devices with weaker encryption would compromise all users’ ability to maximise their privacy.

It is possible that most individuals would view this as a fair trade off: weakened personal information security in exchange for arming governments with more effective information to counter terrorism. Nevertheless, the problem is that governments are failing the very standard which they impose on private companies: to unambiguously set out what impact their actions will have on our privacy. If and when we forfeit our privacy, we should at least be empowered agents in that decision. Privacy may almost be dead, but we should be able to take comfort in knowing we were the ones who killed it, and reaped the benefits.

 

Comments

comments