Monday, June 15, 2009

"those entrusted with our privacy often don't have much incentive to respect it"

I love this man (no, not McLovin). He accurately describes what I think is the greatest problem with the current practices regarding how information about people is treated today.

The title of this post is a quote from his article. To recap, Schneier is saying that the organizations who are keeping records about you, do not have an incentive to protect that data from 'other uses'. In fact, I supose their only incentive to safeguard your data is to ensure continuation of their own business. As long as they have the data which describes you, they couldn't care less what happens next with it. Spreading, leaking, selling of your representation is all fine, as far as they are concerned. It doesn't hurt, so why care.

However, the article then continues to describe how laws and policies can be created or improved, as to better protect the individual's privacy. Great stuff, but for me, laws and policies are a sign of trouble in itself. Please allow me to explain.

The only option available right now for protecting the people being represented in remote systems, is to create artificial incentives in the form of laws (so bad behavior can be punished); Sometimes the fear for bad publicity (eg. a memory stick lost leading to public scandal, see the 'oh dear' section below right) is seen as a reversed incentive. However, it is probably much more efficient to let the PR department handle those cases after they take place. You lose again.

As in most cases where laws and 'after the fact' measures are instated, the actual problem is that such mishaps can occur at all. To prevent this, laws try to tell organizations that manage your data, what society finds desirable and undesirable behavior.

This is a totally powerless situation for the individual being represented by the data kept by those organizations. The only things you can do once you trust your data to remote system are:
  • hope for the best, and have full confidence that the 'privacy policy' is adequately upheld.
  • sue when your identity leaks, through some fault or intentionally via data sales to third parties. I don't think this has much effect in real life, and again, the damage is already done by that time

The only real option to stay in control is to not entrust anyone with your personal data, but that would mean you would be deprived of most basic services such as telephone, electricity and ahem, twitter. ;)

Or, if Santa ever grants my wish, you could have a personally controlled data set which all those organizations need to refer to if they need to know something. A total inversion of data flow. Instead of you handing out your representation to be kept in remote systems, the service providers would be granted (by you) access to some appointed data store (selected by you) to request access to certain bits of your personal profile (created and shaped by you).

Empowerment of the individual by means of technological innovation would help people to take ownership and control of their representations, rendering the whole policy discussion moot. The current power imbalance would be fundamentally reshaped.

See also my little rant 'My representation in remote systems, the present'.

No comments:

Post a Comment

Creative Commons LicenseExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License