Monday, June 29, 2009

the discussion continues

Regarding my previous post on Bruce Schneiers' blog... the discussion there continues and it is great; For the record, I replied again after it evolved, see below (but please read the whole thing)

Ok, my reply:

This is exactly the sort of discussion I was hoping for.

Regarding your comments, Bethan; When someone's data or observed behaviour (which is also data) is captured, that person (data subject, thanks for coining), has something to lose. He could for instance be exposed, embarrassed, harassed or whatever, by ill-meaning data-capturers. This is an acknowledged form of harm to individuals, against which laws are instated in many countries.

Individuals themselves are also aware of the risks of being 'observed' or 'captured', and commonly display a degree of consciousness and responsibility regarding their (chance of) exposure. Close the curtains, protect privacy. Maintaining a degree of privacy is common, and not only for those who have something to hide.

Surveillance, spying, or otherwise secretly observing or recording peoples behaviour (physical or otherwise) is usually not allowed as Clive pointed out; (interesting exception: government or police).

For me, I'm not concerned with the data capturing activity, legal as it might be, but with the subsequent _uses_ of the data about the data subjects. Here you claim that data subjects can not expect you to limit your use of their representations. This I find disturbing. There is, again as Clive pointed out, a certain expectation of intended use. Unfortunately, there is often no way for the data subjects to prevent deviation from those expectations (which I find even more disturbing). This lack of control for the data subjects is (for me) an area of great interest/concern (which I try to elaborate at )

The situation you describe, where a persons data, once captured, could be put to any use that would benefit the capturer, seems to me exactly the thing that most people would like to protect themselves from, if they could.

Lacking any control over your representation (its correctness, storage, distribution or exposure), even when it was once willingly conveyed to some organization (such as your energy company) makes you dependent on _their_ willingness and ability to change your relation with them. You might become powerless to influence their behaviour, since their representation of you, once acquired, is the truth for them. Never mind the 'unintended uses' that might occur (see for plenty of examples).


Reblog this post [with Zemanta]

Tuesday, June 23, 2009

we are data subjects

It has been bothering me for some time that I didn't have an accurate, captive term for describing you and me, the people whose identities are represented as data (which is often kept in systems beyond our control). I found it.

We are the data subjects. How would you like to be treated?

Monday, June 15, 2009

"those entrusted with our privacy often don't have much incentive to respect it"

I love this man (no, not McLovin). He accurately describes what I think is the greatest problem with the current practices regarding how information about people is treated today.

The title of this post is a quote from his article. To recap, Schneier is saying that the organizations who are keeping records about you, do not have an incentive to protect that data from 'other uses'. In fact, I supose their only incentive to safeguard your data is to ensure continuation of their own business. As long as they have the data which describes you, they couldn't care less what happens next with it. Spreading, leaking, selling of your representation is all fine, as far as they are concerned. It doesn't hurt, so why care.

However, the article then continues to describe how laws and policies can be created or improved, as to better protect the individual's privacy. Great stuff, but for me, laws and policies are a sign of trouble in itself. Please allow me to explain.

The only option available right now for protecting the people being represented in remote systems, is to create artificial incentives in the form of laws (so bad behavior can be punished); Sometimes the fear for bad publicity (eg. a memory stick lost leading to public scandal, see the 'oh dear' section below right) is seen as a reversed incentive. However, it is probably much more efficient to let the PR department handle those cases after they take place. You lose again.

As in most cases where laws and 'after the fact' measures are instated, the actual problem is that such mishaps can occur at all. To prevent this, laws try to tell organizations that manage your data, what society finds desirable and undesirable behavior.

This is a totally powerless situation for the individual being represented by the data kept by those organizations. The only things you can do once you trust your data to remote system are:
  • hope for the best, and have full confidence that the 'privacy policy' is adequately upheld.
  • sue when your identity leaks, through some fault or intentionally via data sales to third parties. I don't think this has much effect in real life, and again, the damage is already done by that time

The only real option to stay in control is to not entrust anyone with your personal data, but that would mean you would be deprived of most basic services such as telephone, electricity and ahem, twitter. ;)

Or, if Santa ever grants my wish, you could have a personally controlled data set which all those organizations need to refer to if they need to know something. A total inversion of data flow. Instead of you handing out your representation to be kept in remote systems, the service providers would be granted (by you) access to some appointed data store (selected by you) to request access to certain bits of your personal profile (created and shaped by you).

Empowerment of the individual by means of technological innovation would help people to take ownership and control of their representations, rendering the whole policy discussion moot. The current power imbalance would be fundamentally reshaped.

See also my little rant 'My representation in remote systems, the present'.
Creative Commons LicenseExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License