But before diving into the disintegration of privacy and what to do about it, we must define privacy and why it’s important. William Parent suggests that privacy is control over personal information. Jeffrey Reiman says it’s important as a key “social ritual [where] the group communicates to the individual that her existence is her own,” and that it’s “a precondition of personhood.”
Privacy, defined this way, has a history long on aspiration and short on delivery. As early as 1735, Ben Franklin recognized this when he wrote, “Three can keep a secret if two of them are dead.” In 1890, attorneys Louis Brandeis and Samuel Warren said something similar when faced with the threat of a device that could take your picture on a public street without your knowledge and land in the newspaper.
The 1990s saw the rise of a new threat: the personal information pirate. Driven by the profit to be made from collecting and exploiting personal information of private citizens, these pirates embody the stalker economy that thrives by violating our precondition of personhood. To some, like Oracle’s Scott McNealy, that’s completely (and self-servingly) as it should be: “You have zero privacy anyway. Get over it.” Unfortunately, our federal and most state governments have still not responded with basic privacy protections, even though good examples have been offered by California (AB-3775) and the EU’s General Data Protection Regulation (GDPR).
Can we turn to corporate interests to protect our privacy if the government won’t? After all, what we as citizens want is simply a fair commercial exchange: value (services) provided to us in exchange for value (some parts of our personal data). Unfortunately, the business model of the internet is based on making money by surveilling private citizens and selling the collected data that results. That makes for a disappointing answer.
Not all data pirates are created equal
At the risk of oversimplification, let’s posit that there are three classes of corporate information pirates collecting our personal data. In the first group are the pick and pull shops, also known as information aggregators. They are beyond pirates, because as Bela Kiraly said, “Even pirates, before they attack another ship, hoist a black flag.”
Thousands of companies exist to buy your data, clean it up, put it all together, and then sell it . . . to anyone who will pay. Who do they buy personal data from? Other companies that buy and sell data, of course. There’s an entire hidden economy of data aggregators. But where do they get their data from in the first place?
The government, the places you shop, and everybody you do business with or register with online; every website you visit, especially the personality quizzes and surveys you take; the apps on your phone; the Bluetooth and WiFi connections your devices make as you move from place to place; even the email you send. All of this personal and potentially sensitive data is aggregated, sold, and resold daily in this hidden pirate economy.
For them, surveillance of private citizens and related profit really is the business model for all the seas they sail, including the internet. There’s not even the concept of fair exchange. Is it legal? Is it ethical? Arrrr, what be laws or ethics to a pirate?
The second class of information pirates is just as bloodthirsty for the private data of Jane Q. Public, but at least they profit from it one step removed. They pirate data and then use it mostly to sell well-placed advertisements. Facebook leads this pack of social (media) and seemingly friendly pirates, but beware the smiling faces of their privacy policies. They’ll rob you just as blind, in exchange for ads that you know you hate. Where is the fair exchange of your information for products or services that benefit you? Like Herman Melville’s Rokovoko, “It is not down on any map; true places never are.”
It’s folly to look to corporations from these two classes to act against their own business interests when it comes to our privacy. However, there exists a third group of kinder, gentler pirates like those in Gilbert and Sullivan’s Pirates of Penzance. While they do collect (some of) your data, many have demonstrated a genuine interest in using that data to deliver a richer customer experience while prioritizing your privacy—brands that seem to care deeply about the privacy of their customers, while at the same time aiming to provide the fair exchange of beneficial products and services for reasonable personal data. Their profit comes from the sale of goods, not sensitive information.
A word of caution
What’s the biggest treasure trove in your personal information? Your DNA. What can sequencing it reveal today? Risk levels for cancer, Alzheimer’s, Parkinson’s, heart disease. Tomorrow? A whole lot more that can be used against you, financially or otherwise. Once you give up that sample, you can’t ever make it private again, so as new analytics are developed, it’s the gift that keeps on revealing.
But there are two sides to every story. On one hand, giving up your DNA in exchange for some vague story about where you might have come from seems a highly questionable transaction. If you opt in to allow the consumer genetic-testing companies to share your DNA with third parties (which the overwhelming majority of their customers do), they can profit while putting you at significant risk. On the other hand, consent to share your DNA with pharmaceutical companies, or research efforts by academics and nonprofits, could help lead to cures for diseases down the road.
How to protect yourself
Each of us needs to, in military parlance, OODA: Observe, Orient, Decide, and Act with the (information) pirates of today. Observe who is collecting, or has collected your personal information. Orient to what type of information pirate they be. Decide how they intend to profit from your data, and what risk you incur by their actions. Also consider the unintentional risk of their collection of your data. Even the Department of Defense admitted to a massive data breach. Corporate servers and networks should all be considered an open book, with your data in them exposed to random theft.
At a minimum, act to (legally) harass pirates in those first two categories and opt out where you can. Act politically at the state level to demand new legislation to limit what these pirates can collect and how they can profit from it. Insist on laws that make them directly liable to individuals for theft of personal data from their servers.
You and I can and should also act by insisting on robust data liability protection as part of the fair exchange with that third class of pirates. Press them to adopt new privacy-preserving technologies, such as secure computation, to cover the last mile of privacy: keep data encrypted at all times, even while in use, and protect analytic results with techniques such as differential privacy, so that those results can’t be reverse-engineered to reveal sensitive data.
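As an added illustration of that last point (example code written for this page, not from the author or Galois), the following shows why an unprotected aggregate can be reverse-engineered, and how the Laplace mechanism of differential privacy blunts it. The dataset, the salary cap and the epsilon value are constructed assumptions.

```python
import math
import random

# Constructed sample records (person, salary); not real data.
RECORDS = [("alice", 52000), ("bob", 61000), ("carol", 58000), ("dave", 75000)]
# Assumed clipping bound: every value is capped here so that adding or removing
# one person changes a sum by at most SALARY_CAP (the query's sensitivity).
SALARY_CAP = 100000

def exact_sum(records, exclude=None):
    """Plain aggregate: total of clipped salaries, optionally leaving one person out."""
    return sum(min(s, SALARY_CAP) for p, s in records if p != exclude)

def differencing_leak(records, target):
    """Two exact answers that differ by one person reveal that person's value exactly.
    This is the reverse-engineering risk the text warns about."""
    return exact_sum(records) - exact_sum(records, exclude=target)

def laplace_scale(epsilon):
    """Noise scale for the Laplace mechanism: sensitivity / epsilon."""
    return SALARY_CAP / epsilon

def laplace_noise(scale, rng):
    """One draw from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5          # u in [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def dp_sum(records, epsilon, seed, exclude=None):
    """epsilon-differentially-private sum: exact answer plus calibrated Laplace noise.
    Releasing this instead of exact_sum bounds what any pair of answers can reveal."""
    rng = random.Random(seed)
    return exact_sum(records, exclude) + laplace_noise(laplace_scale(epsilon), rng)

def empirical_noise_mean(scale, n, seed):
    """Average of n noise draws; should sit near zero, so aggregates stay useful."""
    rng = random.Random(seed)
    return sum(laplace_noise(scale, rng) for _ in range(n)) / n

if __name__ == "__main__":
    print("exact difference reveals dave:", differencing_leak(RECORDS, "dave"))
    noisy_all = dp_sum(RECORDS, 1.0, seed=1)
    noisy_without = dp_sum(RECORDS, 1.0, seed=2, exclude="dave")
    print("noisy difference (no longer dave's salary):", noisy_all - noisy_without)
```

With epsilon = 1 and a cap of 100000 the noise scale equals the cap, so a single noisy release is far too coarse to isolate one person; in practice epsilon, the clipping bound and the number of queries answered are chosen together.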
To pirate a phrase, “The only rules that really matter are these: what a technologist can do, and what a technologist can’t do.”
David Archer, PhD, serves as principal scientist, Cryptography & Multiparty Computation at Galois, where he leads privacy-preserving projects for the Department of Defense (DoD) DARPA program and Department of Homeland Security.