There is no such thing as Privacy
In 1999, the then CEO of Sun Microsystem Scott McNealy famously said, "You have zero privacy anyway. Get over it." In 2008, the TV presenter Jeremy Clarkson published his bank account details after rubbishing the furore over the loss of 25 million people's personal details on two computer discs and subsequently lost money. Now we have reams of data protection regulations and laws, but was Scott McNealy right?
Figure 1: An image generated by AI - Is this the future of privacy on the internet?
What is Privacy?
Different groups of people and societies consider different aspects of their life to be private. For example, while there has been concern that teenagers don’t appreciate the privacy implications of what they post on social media, a UK study found “…[they] are less disturbed by abstract invasions of privacy by government agencies and corporations than the very real and ever-present experience of trying to negotiate privacy in light of nosy parents.”
In Europe, the notion of privacy developed to counter the way governments had used personal data to identify and oppress individuals during the first half of the twentieth century. This led to Article 8 of the European Convention on Human Rights - “Everyone has the right to respect for his private and family life, his home and his correspondence.”
This legislation was conceived when only governments had the resources to collect and process data about large numbers of people and punched cards were state-of-the-art data processing technology.
GDPR, Schrems II and EU-US Data Privacy Framework
EU data protection has evolved over time. In 1995 EU Directive (EC/95/46) was enacted to enable the free flow of personal information between member states. In 2018 this was superseded by the EU General Data Protection Regulation. In 2020 a law student, Maximilian Schrems, brought a case against Facebook objecting to Facebook transferring his personal data to the US. The so called Schrems II judgement invalidated the the EU-US Data Protection Shield and led to the EU-US Data Privacy Framework which was approved by the European Commission on 10th July 2023.
This long running saga revolved around access by the US Government to personal data of EU residents and whether the safeguards around the use of this data were equivalent in the US to those in the EU. So, it was really all about government access.
These regulations have obliged organizations and cloud service providers to adopt complex technical and legal measures to protect the personal data that they hold.
Properly protecting this data is a good thing but does it ensure privacy? Is it any more effective than the toilet brush in Figure 1?
Data is the New Capital
The last twenty years have seen a massive explosion in the amount of data that can be collected, stored, and processed. Digital technology and the internet have made this possible and cloud services have made this affordable. Data analytics, Machine Learning and AI, in turn, have made this data extremely valuable. Data is the new capital.
Data has always been a valuable asset. The Rothschild’s family fortune was initially made by arranging to be the first to know the outcome of the battle of Waterloo. Analysis of deaths and disease in the 18th and 19th centuries underpinned financial services such as life insurance and annuities.
Although social media is often cited as the cause of the data explosion, its roots can be traced earlier.
In 1989 a husband-and-wife team set up a data analytics company in their home in Chiswick in London. Their approach involved understanding how to retain customers by analyzing their shopping behavior—what they referred to as being “voyeurs of the shopping basket.” This led to the development of customer loyalty cards.
The data collected by these cards provide the retailer with a deep insight into the buying habits of their customers. This data helps them to optimize the products stocked in individual stores, to identify premium customers, and, it is claimed, even work out when a customer is pregnant.
At the start of the COVID pandemic, UK supermarkets used this data to identify and offer support to vulnerable customers before the government.
The person using these cards agrees to provide intimate details of their lives in return for some loyalty benefits. For retail customers, these details include dietary habits, indicators of their health problems through the purchase of off-the-shelf medication and their sexual activity. For hospitality cards, the data provides insights into the card holder’s travel, location, preferences, and companions.
So, people can choose to reveal their personal information in return for some rewards and data protection laws obliging the organizations that collect this data to protect it and limit how it is used.
Anonymity
While people knowingly disclose some personal data there is also a large amount of data about them that they may not be aware of. For example, the internet contains millions of images of peoples’ faces uploaded to social media, published on news websites, and other open sources. This includes people who may not have been the main subject of a photo but who were in the background. This data can be used by AI facial recognition technology to identify individuals from data that they did not even know existed. Is this fair and if so, how should we use this data?
The firm Clearview AI has developed a facial recognition system that they claim can help law enforcement to identify suspects, witnesses, and victims. They also claim this technology has helped find child predators, rescue victims, and track down the suspects involved in the Capitol Riots.
These are laudable aims but not every country’s data privacy laws support this approach. In 2022, the UK Information Commissioners Office (ICO) fined Clearview AI £7.5M for allegedly unlawfully storing facial images. In November 2023, this fine was overturned in a judgement by the First Tier Tribunal. The ICO is now seeking permission to appeal this judgement. There are similar disputes within the EU.
The Light of Other Days, a 2000 science fiction novel written by Stephen Baxter, based on a synopsis by Arthur C. Clarke examines the impact on society of a quantum-based technology that allowed anyone to see and hear what was happening anywhere and at any time. This shattered all normal concepts of privacy. When people realized that they can be observed and can observe others without their knowledge it profoundly changed their behavior. While this allowed the perpetrators of crimes to be correctly identified and politicians’ plots to be uncovered, it altered society in unexpected ways.
Today, the internet contains a vast amount of publicly available data about everyone as well as a history of everything they wrote and liked on social media – how will this change us?
EIC 2024
Join us at Europe´s prime conference on Digital ID, Security, Privacy and Governance in an AI-driven world. EIC offers unparalleled networking opportunities with a great community and visionary leaders as well as deep dive sessions unravelling the very tech shaping our tomorrow. Sessions include a keynote by Max Schrems, chairman and founder of noyb, a "privacy enforcement platform".
