“Like it or not, we live in interesting times.”[64] Coined by Robert Kennedy in a graduation speech to the National Union of South African Students in 1966 (with some argument as to whether its origins lie in a Chinese curse or proverb), Kennedy was alluding to the ongoing Civil Rights movement:
“Like it or not, we live in interesting times. They are times of danger and uncertainty; but they are also the most creative of any time in the history of mankind. And everyone here will ultimately be judged -- will ultimately judge himself -- on the effort he has contributed to building a new world society and the extent to which his ideals and goals have shaped that effort.”[65]
Every generation faces seminal moments in history where a path must be taken and that path will shape the future. There are always inflection points where the unknown becomes known. There are always moments when the actions we take have unintended consequences; how we deal with those consequences will define us as individuals, businesses, governments, and countries.
The Internet is a powerful, disruptive force. It has altered the world in fundamental ways, creating waves of change across the economic, social and political landscape. The collection of so much personally identifiable information via our laptops, iPods, Smartphones, and the Internet of Things has been combined with cheap and accessible big data technology that can capture, analyze, and make predictions based on the digital trails we leave. The end result is all seeing and all knowing, which can be illuminating or frightening, depending on your perspective.
E-commerce and e-governance are commonplace. Our digital interactions are captured in real time, revealing things about us that we may not even know and predicting what we will do next—before we ourselves even think about it. Like all powerful technology innovations, it is a double edged sword. It helped to enable the “Arab Spring,” inspiring the hopes of millions for greater democracy across the Middle East. At the same time, it has made it easy to automatically identify and monitor individuals or groups, discouraging dissent and other forms of political activism around the world.
In the digital world we now inhabit, is privacy outmoded or even possible? Should we just get over it and move on? Should we embrace transparency and its many benefits and disadvantages? And if we do, or have it forced upon us, can we expect the same from our governments, our corporations, and powerful individuals? Will they be held to the same standard? If not, since information is power, what will our world look like?
We seem to be caught in a tug-of-war between all kinds of players who come at privacy from different perspectives, ranging from the utopian to Orwellian views of big data’s impact on privacy. There are those who would like us to cede all expectations of digital privacy – to live lives in a global public square, or a virtual Cheers “where everybody (everywhere) knows your name” as well as your salary and the ages of your kids. They argue that an open world breeds efficiency and safety; a society where services are delivered to us before we need them, corrupt politicians are outed on YouTube, and criminals are apprehended before any damage is done.
There are those who see the digital age (and the big data technologies that enable it) in stark Orwellian terms. They see it as a direct route to a tyrannical surveillance society where governments and corporations control what we read and write and where people’s digital profiles are used to make pre-emptive arrests. They remind us of Hitler and Stalin, asking what will the next monster that rises amongst us do with big data as a platform?
There are those who lie somewhere in the middle, redefining what privacy means, and then seeking ways to protect it through regulations, frameworks, and business models. With such divergent views, is it any wonder that most conversations about privacy devolve into one side versus another, where much shouting is heard but very little is actually said or done, all while our technical capabilities continue to outpace our social structures.
What privacy means to each one of us is formed by our unique life experiences and informed by our culture, society, politics, religion, race, gender—it is our worldview. But at its core it revolves around these two questions:
Is privacy a commodity that can be bought and sold?
Or is privacy a basic human right that transcends commoditization?
As we look across the world, it is easy to see how countries align along one of these two paths. In the U.S., historically, privacy is a commodity. It is an asset, regulated by the courts via tort laws, and viewed as a second class citizen when framed against what we regard as our essential freedoms. When we consider an invasion of privacy, we first ask what is the harm? And, unlike the European view, that harm must be tangible.
For Europeans and other countries and regions, privacy is a basic human right that is equivalent to other freedoms. It is amorphous, viewed through a prism of respect and dignity. When they consider an invasion of privacy, they first ask how it harmed the individual. But to them, the harm is intangible, based on whether one might view this information as embarrassing or humiliating.
For repressive regimes across the world, it can be argued that privacy for ones citizenry does not exist. Information is censored as is speech as is the press. In this case, privacy is constantly violated to root out those dissidents that are viewed as “enemies of the state.”
Of course, these views of privacy existed long before the digital age. Their roots can be traced back through the centuries. What is different about the world today is how interconnected we all are: the impact of what one does half way around the world can be felt by all of us.
In the digital age, there are no geographical borders. And yet, most governments have attempted to put restrictions on how their citizens’ data are used.
In the U.S., privacy regulations follow the sectoral model; it governs specific items, like children’s, medical, or financial privacy, with some self-regulation and consumer regulation thrown into the mix. When it comes to privacy, the U.S. is often characterized as one of the major perpetrators to its worldwide erosion. Certainly, Internet advertising began in the U.S. and started a domino effect in how personal data was collected and used. Equally, the big data and analytics technology that made the use of that data financially feasible and enabled easy linkage between multiple data sources (often removing assumed anonymity in the process), can also be traced back to the U.S. Then there are the most aggressive IP stakeholders, unleashing advanced DRM technology that has set in motion privacy’s version of collateral damage. But make no mistake, governments and businesses around the world have embraced these U.S. “breakthroughs” and applied them for their own ends.
Although the U.S. may be late to the idea of a comprehensive digital privacy policy, we are seeing some enlightened individuals in the Senate and House of Representative introduce bills that would seek to restrict what is tracked and provide consumers with more information. Some of the more notable bills include:
The Do Not Track Me Online Act of 2011 which would essentially give consumers the right to opt out of online tracking.
The Financial Information Privacy Act of 2011 which would require opt-in consent by consumers before financial institutions could share their information with third parties.
The Commercial Privacy Bill of Rights Act of 2011 that attempts to “strike a balance between protecting consumers from unauthorized tracking and allowing firms the flexibility to offer new services and technologies. Under the bill, companies must clearly communicate how they gather and use personal information while giving consumers the ability to opt out of any information collection unauthorized by the law.”[66]
The Data Accountability and Trust Act which requires companies to establish policies on the collection, storage, sale, and retention of consumer’s personal information and establishes a 60-day breach notification requirement.
In addition, the FTC has introduced a Privacy Framework which supports the implementation of Privacy by Design (PbD), a concept developed by Ann Cavoukian, Ontario, Canada’s Information and Privacy Commissioner, where privacy is embedded into technology itself. The Framework also includes simplified consumer choices where standard uses for data that is collected would not require prior consent, but anything else would require the consumer to opt-in, as well as greater transparency on the part of standardized privacy policies, consumer education, and more stringent policies regarding consumer notice and consent over any material changes. If this Framework were adopted, it would bring the U.S. closer to the EU model of a comprehensive privacy policy.
In addition to the state sponsored approaches there are many private organizations who have introduced various codes of conduct, such as the Privacy Bill of Rights and PbD. These organizations recognize technology advances well before the regulatory environment does. Their approach of working with companies to design privacy into solutions, websites, ecommerce, etc., can help to avoid the more egregious privacy violations. And at least some big businesses appear to be listening:
Google+ was designed with privacy as a fundamental building block through its uses of non-public circles.
Apple’s iPhone now has a purple icon arrow that appears whenever your location is being sent to an application.
GMAT no longer uses fingerprints to confirm test-takers’ identities due to concerns about those fingerprints being “cross-purposed for criminal databases... GMAT switched to scans of palm veins.”[67]
While we appreciate the genuine efforts of privacy advocates in government and across the world to protect digital privacy, we simply don’t believe that laws or voluntary agreements can keep up with the pace of technology. Nor will it dissuade companies engaged in data collection due to the immense economic incentives that comes with it. But even if both of those issues were addressed, there would be no realistic global way to enforce laws or other types of policies. Certainly, the inability of the music and film industries to stop piracy serves as ample evidence that regulating the flow of data on the Internet is doomed to fail. Our point is this: as long as data is collected, it can be used in unexpected and even harmful ways and no law, policy, or framework in any state, country, or region can change that fact.
As we’ve noted previously, when privacy is considered within the context of security and safety, it often comes out the loser. We have seen this happen in the U.S. and across the world which brings us back to this question: who regulates the regulators?
This is a legitimate question, as most of the regulatory and legislative actions we have looked at focus on the commercial uses of personal data. But governments are large collectors and users of data and are, for the most part, famously secretive about how they are using it. They are also quite capable of overlooking issues of privacy when dealing with issues of safety.
Certainly, the number of anti-terrorism laws on the books of most nations indicates a shift away from privacy, in favor of safety and security. From the U.S. PATRIOT Act, to France’s 2005 anti-terrorist law, to the U.K.’s Counter-Terrorism Act of 2008, to Canada’s Anti-Terrorism Act of 2001, all give law enforcement and the government far more latitude to invade our privacy in order to keep us safe.
The Internet itself, or any digital device for that matter, is no longer exempt from the government’s reach. For example, the U.K., under the Regulatory Investigatory Powers Act (RIPA), got access to the cell phone records of suspects in the recent London Riots. From that information, it was able to monitor Blackberry Messenger (BBM) and Twitter in real-time to prevent planned attacks at some of the most know London landmarks. The police also considered turning off social messaging sites but were told that the legality of doing so was questionable.[68] More ominous for the future:
“In the wake of the riots in London, the British government says it’s considering shutting down access to social networks — as well as Research In Motion’s BlackBerry messenger service — and is asking the companies involved to help. Prime Minister David Cameron said not only is his government considering banning individuals from social media if they are suspected of causing disorder, but it has asked Twitter and other providers to take down posts that are contributing to unrest.”[69]
In San Francisco, the Bay Area Rapid Transit (Bart) commuter system shut down mobile phone service in some stations to prevent protesters from organizing a protest over a fatal shooting of a man by police at one of those stations.
It certainly appears that censorship is alive and well, not just in repressive regimes but in democracies too. (As we noted previously, more than 40 countries restrict online access to some extent while more than 90 countries have laws that control organizations in order to monitor the communications of “someone” whether that someone is a political opponent, human rights activist, journalist, or labor organizer.) As we’ve illustrated throughout this book, law enforcement and government agencies are subject to few privacy regulations, and when they are, they work around those limits through loopholes such as the U.S. government’s purchase or seizure of third party data, as they are not held to any protection of privacy for third party personal information.
Over the decades, it has been shown again and again that our offline concept of privacy is very different from our online concept.[70] Consumer fears over loss of privacy have been steadily rising and unsurprisingly, are focused on the advertising industry. After all, they were the first to leverage technology and create a multi-billion dollar industry built on our personal data, and once it’s out there, it is pretty hard to control.
Let’s not forget the other, equally large, players riding on their coattails. Powerful groups, like the MPAA and RIAA and their international counterparts, have borrowed from advertising’s playbook and extended it to every device we own. Today, it’s not just about tracking our online behavior; it’s about tracking what we do within the “four walls” of any device that we own and being able to remotely control them without our permission. These technologies and policies could end up delivering a mortal blow to privacy as well as cede to the government and IP holders unprecedented control over what media we are allowed to consume and share. However you look at this, it’s a high price to pay to support an old business model that is unable to adapt to new technology.
At the same time, there are groups fighting to preserve privacy in the digital age, calling for more comprehensive privacy legislation and holding businesses and government agencies accountable when privacy violations are surfaced. There are businesses rising up to meet the privacy challenge, sometimes redefining it and sometimes offering consumers ways to mitigate the inherent lack of privacy that is the price we pay for living in a digital world.
It seems that we are back where we started. Historically, as small tribes of hunter and gatherers we had no concept of privacy. Then, as we became rooted in towns and villages, we continued to live primarily in the public square where everyone “knew our business.” With industrialization and the development of large dense urban areas, privacy was possible for the more privileged members of society and then, finally, for all of us.
We have come full circle. Again, we live our lives in a public, although now digital, square where any person, company, or organization around the world can watch us, whether we want them to or not. There is more known about us than ever before. What does privacy mean in the world we now live in?
This is not the first time (and certainly won’t be the last) that technology has leapfrogged ethics, bringing us to the age old question of what we can do versus what we should do. The question we should all be asking ourselves, our communities, our societies, and our leaders is this: does privacy still matter in the digital age? Yes, privacy still matters in this age of big data and digital devices. But what it means, how we regulate and enforce it, what we are willing to give up for it, how much power we give our governments over it, remains to be seen.
Like it or not, we live in interesting times.
112th Congress, 1st Session, H.R.654, Do Not Track Me Online Act
112th Congress, 1st Session, H.R.653, Financial Privacy Information Act of 2011
Gautham Nagesh, Hillicon Valley, “Kerry and McCain throw their weight behind privacy bill of rights,” April, 12, 2011
112th Congress, 1st Session, S., Commercial Privacy Bill of Rights Act of 2011
112th Congress, 1st Session, H.R.1707, Data Accountability and Trust Act
Tim Lisko, Privacy Wonk, “112th Privacy Legislation,” August 2, 2011
Preliminary FTC Staff Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” December 2010
IT Law Group, “ftc’s privacy framework: similarities with eu privacy directives,” December 10, 2010
Kashmir Hill, Forbes, “Why Privacy by Design is the New Corporate Hotness,” July 28, 2011
Out-Law.com, “UK privacy laws are fundamentally flawed, report says,” August 17, 2011
Charles Raab, Benjamin Goold, Equality and Human Rights Commission Research report 69, “Protecting information privacy,” Summer 2011
Vikram Dodd, guardian.co.uk, “Police accessed Blackberry messages to thwart planned riots,” August 16, 2011
Matthew Ingram, GIGAOM, “Blaming the tools: Britain proposes a social media ban,” August 11, 2011
Reuters, guardian.co.uk, “Anonymous protests close San Francisco underground stations,” August 16, 2011
AFX News Limited, Forbes, “French parliament adopts tough anti-terrorism law,” December 12, 2005
Ned Millis, eHow, “The Counter Terrorism Act 2008,” July 24, 2010
Wikipedia, “Canadian Anti-Terrorism Act”
Wikipedia, “USA Patriot Act”
Steven Lee Myers, The New York Times, “Rights Abuses Extend Across Middle East, Report Says,” April 8, 2011
Jenn Webb, O’Reilly Radar, “The truth about data: Once it’s out there, it’s hard to control,” April 4, 2011
Danah Boyd, Personal Democracy Forum 2011, “Networked Privacy,” June 6, 2011
[64] Robert F. Kennedy, Day of Affirmation Speech, June 6, 1966
[65] Robert F. Kennedy, Day of Affirmation Address, June 16, 1966
[66] Gautham Nagesh, Hillicon Valley, “Kerry and McCain throw their weight behind privacy bill of rights,” April, 12, 2011
[67] Kashmir Hill, Forbes, “Why Privacy by Design is the New Corporate Hotness,” July 28, 2011
[68] Vikram Dodd, guardian.co.uk, “Police accessed Blackberry messages to thwart planned riots,” August 16, 2011
[69] Matthew Ingram, GIGAOM, “Blaming the tools: Britain proposes a social media ban,” August 11, 2011
[70] Jenn Webb, O’Reilly Radar, “The truth about data: Once it’s out there, it’s hard to control,” April 4, 2011