In search of privacy

Way back in 1999, Scott McNealy – then the chief executive officer of Sun Microsystems – famously said that consumer privacy issues are a "red herring." He went on to say: "You have zero privacy anyway, get over it."

Yet just in the past two weeks privacy has been much in the news on many counts.

A French court ruled that pictures of Kate, the Duchess of Cambridge, sunbathing topless were an invasion of her privacy since there was a reasonable expectation that she would be unobserved while poolside at a private residence hundreds of meters from a public vantage point. (The photographer evidently used one of the largest telephoto lenses available)
A candidate for the US presidency (former Massachusetts governor and 2002 winter Olympics honcho Mitt Romney) was secretly taped while addressing a small group of very wealthy supporters. His remarks, disparaging of many non-wealthy Americans, have placed him in a decidedly negative light with just a few weeks until election day. His campaign says that the remarks were intended for a private audience and should not have been used outside of that context.
Microsoft recently announced that its Internet Explorer browser would support by default the privacy-enhancing "Do Not Track" option when the next version is released. Google has also announced that they will have an option of “Do Not Track” in their Chrome browser, but it will need to be actively turned on by the user.
Microsoft also launched an ad campaign for its Bing search engine to attract users of Apple’s Safari browser citing the large fine imposed on Google for ignoring that browser’s privacy settings.
The US Federal Trade Commission has announced proposed changes to the interpretation of the Children’s Online Privacy Protection Act (COPPA) which could severely impact all web sites and, ironically, lead them to collect more data thus actually reducing their users’ privacy. See this article on Ars Technica for the details.

Now it’s possible that I was especially tuned in to these stories because I recently became involved with the Privacy Standing Committee of the Identity Ecosystem Steering Group (IdESG) set up under the US’s National Strategy for Trusted Identities in Cyberspace (NSTIC) – but I don’t think so. Certainly I couldn’t visit a news web site, open a newspaper or watch a news program on TV without at least being made aware that there were “naughty” pictures of the Duchess of Cambridge circulating on the internet and in print in a French magazine. The Mitt Romney quotes were all over the US news outlets as well as those in other countries that cover international stories. The other privacy issues may have garnered a small note in the general media but would have been prominent for the Technorati and the Identorati. So 13 years after Scott McNealy said that we have zero privacy – why are we still talking about it? More importantly, why are we still trying to device ways to protect it?

What is privacy, and how important is it? Ayn Rand, in The Fountainhead, said: “Civilization is the progress toward a society of privacy. The savage's whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men.” While Isaac Asimov (in Foundation’s Edge) has one character say: “It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy.”

G.B. Shaw, the great Irish playwright is quoted as saying “An American has no sense of privacy. He does not know what it means. There is no such thing in the country.” But US Supreme Court justice William O. Douglas opined “We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times.” So did the US ever have privacy or not?

There is indeed a lot of confusion about the subject, but there are two key phrases to remember when talking about privacy:

Privacy is not anonymity
Privacy is not secrecy

On the first point, in a long response to a discussion of anonymity and privacy I noted that if I live in a small town, then there are many people whom I know and many who know me. And those two sets are not equivalent. But that doesn't mean that all of those people - or even some of those people - know everything I do nor do I know everything they do. Privacy - which is very important - is not the same as anonymity. But it's easy to paint it as such.

On the second point, Bob Blakley – then with the Burton Group, now a VP at Citicorp – said “As long as your personal information is secret, you don't even have a privacy problem. It's only when somebody else knows your personal information that you have a privacy problem. In other words, privacy is the problem you have after you share sensitive information.”

Blakley also once defined privacy as “the ability to lie about yourself and get away with it." What he meant was that whenever you make a personal statement, no one in the audience for that statement can contradict you because they don’t know the details which (until that point, possibly) are private.

The Right to Privacy then isn’t about someone else knowing a detail about you. It’s about that person or entity sharing that detail with a third party without your permission. Your medical record is shared between you and your medical providers (doctors, hospitals, nurses, pharmacists, insurance company) but it’s still private, and those people shouldn’t be sharing it with others (employers, pharmaceutical companies, even others in your family) without your specific permission.

There’s also the expectation of privacy, which means that you couldn’t foresee that an outside observer might see what you are doing and try to turn that activity to their advantage. This applies to paparazzi (See Duchess of Cambridge note above), employees of a private facility used for an activity (the likely source of the Mitt Romney problem) or even (in some countries) to the activities of law enforcement. In the US there is a prohibition against unwarranted searches, but the law and the courts are just now catching up with the technology such as heat sensors (that can “see” through walls) and unmanned drone aircraft (that can overfly private property).

In Europe, there is also the “right to be forgotten”, which seeks to take public information and make it, once more, private. (There’s a fascinating article about this, and what’s being said about it, on the National Public Radio web site). In short, you could petition for websites to remove data about you (a boon to college graduates now looking for jobs!)

So what does it all mean?

Thirteen years after McNealy’s proclamation we still are trying to keep at least some parts of our lives private. We also seem to believe that there is a technological solution that will help us maintain our privacy. That’s not going to happen. Get over it. In fact, technology is a greater aid to those looking to violate our privacy than to those looking to protect it.

What we can do is strengthen and modernize the laws concerning privacy. The Duchess of Cambridge found recourse through the French courts – and won. It might still be possible for her to have the pictures (or links to the pictures) removed via “right to be forgotten” laws. Mr. Romney might learn from his opponent, President Obama, who routinely has cellphones checked at the door when holding so-called private events in order to prevent the sort of leaks that damaged Romney.

On the other hand, draconian fiats such as the extension of COPPA can actually lead to less privacy. In general, privacy law – at least as regards the internet – shouldn’t be written by lawyers and politicians. That’s one of our hopes within IdESG – to craft a framework for internet identity that favors privacy without hog-tying business, government, education and ordinary users so that interactions become impossible. It won’t be an easy task, and we’ll need lots of help doing it. So if you have any ideas – or you want to help – drop me a note and share.