Blogger: Bob Blakley
Andrea DiMaio of Gartner recently posted a blog entry entitled "Forget Privacy: It Is Just An Illusion".
DiMaio's lament rephrases Scott McNealy's famous quote ("You have zero privacy anyway. Get over it.")
McNealy was wrong then and DiMaio is wrong now; they're both dead wrong, and it's important.
Here's DiMaio's key sentence:
I have come to realize that, does not matter how careful we are, we are going to lose control of our privacy.
But Andrea DiMaio never had control of his privacy. And nothing - including technology - was ever going to give him control. DiMaio and McNealy assume without saying it that privacy means "keeping personal information secret". And by that definition privacy is an illusion. But "keeping personal information secret" is the wrong definition of privacy. As long as your personal information is secret, you don't even have a privacy problem. It's only when somebody else knows your personal information that you have a privacy problem.
Privacy is the problem you have after you share sensitive information.
When you discover that you might have a socially awkward medical condition and you go to the doctor, you don't keep the condition secret from him - you tell him about it so that you can get treated. And when you leave the office, you don't control your doctor; you trust him with your secret. You trust him with your private information because he has taken an oath to behave sociably and to use your personal information only in ways which benefit you.
That's how privacy works; it's not about secrecy, and it's not about control: it's about sociability. Privacy is a social good which we give to one another, not a social order in which we control one another.
Technologists hate this; social phenomena aren't deterministic and programmers can't write code to make them come out right. When technologists are faced with a social problem, they often respond by redefining the problem as a technical problem they think they can solve.
In rhetoric, we call this redefinition of the problem "framing".
The privacy framing that's going on in the technology industry today is this:
Social Frame: Privacy is a social problem; the solution is to ensure that people use sensitive personal information only in ways that are beneficial to the subject of the information.
BUT as technologists we can't (as DiMaio observes) control people's behavior, so we can't solve this problem. So instead let's work on a problem that sounds similar:
Technology Frame: Privacy is a technology problem; since we can't make people use sensitive personal information sociably, the solution is to ensure that people never see others' sensitive personal information.
We technologists have tried to solve the privacy problem in this technology frame for about a decade now, and, not surprisingly (information wants to be free!) we have failed. DiMaio now wants to give up. But he's forgotten the reframing; he's assuming that the technology frame is the problem, and therefore if the problem can't be solved in the technology frame it can't be solved.
The technology frame isn't the problem. Privacy is the problem. Society can and routinely does solve the privacy problem in the social frame, by getting the vast majority of people to behave sociably. Privacy isn't a new problem. It's existed in all human societies for as long as there have been human societies. Lawyers have solved it. Doctors have solved it. Priests have solved it. Friends have solved it. They've solved it by creating social structures which discourage monstrous behavior. We even have words for people who violate the often unwritten and unspoken rules governing the handling of delicate personal information; in the old days we called a man who was careless with others' secrets a "cad". Nowadays we use another word (a word which also has an anatomical denotation, if you're wondering).
Technology can't solve privacy problems, because they're not technology problems. But technology can make privacy problems worse, by making it easy to do antisocial things, or by making it hard to recognize the sensitivity of personal information and lowering our awareness that we're in a social situation and need to behave sociably; online spaces like Facebook, whose rules for handling private information are often opaque to users, create unnecessary privacy hazards in this way (see Ian Glazer's "Privacy Mirror" experiment for an example of how opaque privacy settings can undermine the sociability of an online space).
If we accept the technology frame and let technologists define privacy as control over dissemination of information, we ARE going to have less privacy. Resisting the technology frame is critical; if we don't resist it, lots of bad things happen. For example, if we accept the "privacy is defined as control of secrecy" frame, then we will start to believe (perhaps as a society, and perhaps even as a matter of law) that as soon as someone learns a piece of information about us, that information is no longer private, and we lose subsequent protections.
We don't have to accept the technology frame.
The assumption that led technologists to create the technology frame - that the social problem of getting people to behave sociably cannot be solved - amounts to an assumption that we will all be monsters.
This assumption is neither true nor acceptable. We've got to fight the technologists on this one.
Worldviews have consequences. A worldview that says "privacy is an illusion" can create a world in which there is no privacy, at least online.
My generation makes a distinction between the online world and "the real world". My kids' generation does not. The social world they live in will BE the online world - woven inextricably with what I grew up calling "the real world". I'm not willing to stand idly by and watch the sociability of that world destroyed by technologists who have given up because they can't see beyond their coding pads.
DiMaio concludes his post this way:
The problem for us, all of us, is that somebody will be watching all the time. We’d better behave.
The implied subtext is "because whoever's watching will be a monster, and turn us in to the authorities, and we'll be punished".
DiMaio is deeply irresponsible to encourage the view that just because the cryptographers can't give us a cloak of invisibility online it's OK to be a monster.
But he's right that we'd better behave. When we see someone else's private information, we'd better avert our gaze. We'd better not gossip about it. We'd better be sociable. Because otherwise we won't need the telescreen - we'll already have each other. And we'll get the society we deserve.
We are our brothers' keepers. We'd better start acting like it.
Technologists have a critical role to play in protecting privacy - but that role isn't building walls of secrecy. It's in building sociable spaces in the electronic world.
A sociable space is one in which people's social and antisocial actions are exposed to scrutiny so that normal human social processes can work.
A space in which tagging a photograph publicizes not only the identities of the people in the photograph but also the identities of the person who took the photograph and the person who tagged the photograph is more sociable than a space in which the only identity revealed is that of the person in the photograph - because when the picture of Jimmy holding a martini washes up on the HR department's desk, Jimmy will know that Johnny took it (at a private party) and Julie tagged him - and the conversations humans have developed over tens of thousands of years to handle these situations will take place.
A space in which personal information (a health record, say) always comes with metadata indicating who collected it, for what purpose it was collected, and under what terms and conditions it may be used is more sociable than a space in which a piece of personal information may be forwarded into another organization by someone who doesn't even know the information is personal. And so on.
At Burton Group we don't think privacy is an illusion. We think it's a hard issue - very hard - but that's why we're here: to give practical advice on hard issues. Ian Glazer and I have recently updated the privacy coverage our research and analysis customers get as part of their subscription. But privacy is so important and so widely misunderstood that we've decided to release our recent paper free to the public. It's here.
We hope you'll read it. We also hope you'll get in touch. Leave us comments here on the blog, email us, or call and ask for a dialog - even if you're not a customer.


It is possible some technologists are wrong and some aren't. Some technologists may have assumed that privacy was the ability to control the circulation of personally sensitive information (subsequent to disclosure). Others such as myself assume privacy as the protection of the pre-existing physical boundaries that delimit an individual's exclusive space (and that shared with their confidants).
People exert peer pressure to persuade adherence to discretion.
The law protects physical privacy against invasion or violation, and provides remedy.
The law cannot enforce discretion. It protects only privacy. All individuals (even doctors) are naturally at liberty to break the confidence of those who confide in them. However, no individual is at liberty to burgle their neighbour and thus violate their privacy.
The law governs burglary.
Opprobrium governs indiscretion.
There is a difference, and rightly so.
Technologists may help in either respect, but they can't make private what isn't, nor make a matter of discretion what is properly a matter of privacy.
Just as lawyers cannot prevent people sharing files, so technologists cannot prevent people being indiscreet.
Posted by: Crosbie Fitch | October 05, 2009 at 02:57 PM
Thanks Bob for your detailed response to my blog post. I do not think we disagree as to the definition of privacy. You are absolutely right, it is a social problem. Where I believe our views differ is about whether and how the boundaries of this problem are moving.
All the examples in the free report you link to in your post refer to how organizations (e.g. a hospital or a bank) or professionals (e.g. a doctor or a lawyer) can deal with privacy. But the boundaries of the problems have changed because individuals (and not in their professional capacity) can unwillingly or inadvertently "invade" each other's privacy.
Being caught in the background of an innocent picture or being tagged in an old school picture are just inches away from being tagged in a more recent picture or being seen by a friend of a friend in Facebook.
The problem is that the boundaries between discretion and indiscretion will become increasingly porous and soon it will be difficult to track back who breached your confidence first, as your private information may be miles away from where it was first collected.
On the other hand, is having the picture of your house indiscreet if this allows a tax agent to figure out that it is three times bigger than what you paid for? Or does having yourself pictured on the background of a scene that witnesses an accident or a crime and that somebody anonymously uploads on Flickr to provide evidence bother you?
I like Crosbie's analogy with music downloads. The reason why music labels and their lawyers have a hard time is that they are not fighting organizations, they are fighting individual consumers: if a peer-to-peer network breaches the law and how effective it is to pursue each and every one of its members are two different matters.
The same applies to privacy. All your advice about "Activities of an Effective Privacy Program" applies to an enterprise, but makes little sense with a network of peers, such as friends on a social network, that changes all the time (and the platform changes too).
Neither technologists nor lawyers nor analysts will solve the puzzle in time: which is why - as I said - we'd better behave.
Incidentally, you keep referring to monstrous behavior, but I was not implying that at all. Our personal safety, our ability to get services when we get old and suffer from cognitive impairment, as well as our kids' ability to find new ways of solving problems, socializing, building their own future, may depend on accepting that privacy boundaries will blur in ways that we cannot anticipate.
Posted by: Andrea Di Maio | October 05, 2009 at 05:20 PM
Thanks for the response, Andrea.
To say that individuals inadvertently infringing one another's privacy represents a shifting of the boundaries is just wrong; the privacy problem consisted entirely of individuals behaving indiscreetly toward one another by accident or on purpose for tens of thousands of years before there were corporations. James Joyce's "The Dead" was all about an indiscreet remark revealing personal information inadvertently, and it's just one of countless examples from literature; Othello is about a series of invented indiscretions.
When you say "the problem is that... soon it will be difficult to track back who breached your confidence first, as your private information may be miles away from where it was first collected", you identify an important problem: private information in today's electronic systems lacks the contextual metadata which would allow us to figure out who created it, who collected it, what the rules regarding its handling are, and so on. The proper response to this issue is not to give up and declare privacy dead - it is (as I noted in my entry) to put the metadata on the private data. We address this issue directly in another freely available paper entitled "A Relationship Layer for the Web - And for Enterprises Too" (http://www.burtongroup.com/Guest/Idps/RelationshipLayerWeb.aspx - this one's got mandatory registration; if you want a copy without registering please email me).
Regarding some of your examples, the right to privacy does not extend to covering up evidence of fraud; if I've misrepresented the size of my house to evade taxation, I shouldn't be relying on privacy to keep me out of the docket. And being in public at the scene of a crime also doesn't seem to me to be a privacy issue - as long as I'm not the victim or the perpetrator I don't see how this is a privacy concern. I like my example better; if I'm at a bar having a martini, and someone takes a picture of that in the "after hours bar context" and then emails it to my company's HR director in the "at work HR context", that's a privacy issue. In that case I'd object if it were done anonymously - I'd want social consequences for that sort of antisocial behavior. And that's part of my point; businesses build the online systems and spaces that make these things possible. If they build systems and spaces that make anonymous antisocial acts easy, we'll have less privacy. If they build systems and spaces which provide trails of accountability for indiscretions and other antisocial behavior, we'll have more privacy.
Where we disagree most violently is at the beginning and end of your post. The WRONG answer is to give up and declare privacy "just an illusion". Once we do that the programmers who create online spaces will give up trying to make those spaces social and privacy-protective. I don't sign on to self-fulfilling prophecies.
And your advice that "we'd better behave" is just abhorrent, at least to me - if it means, as I think you intend it to mean, "never do anything you don't want to see in the New York Times." I will not acquiesce in turning my society into a herd of Stasi collaborators continually on the lookout for excuses to destroy one another.
The interface between the physical world and the electronic world can be thought of as a kind of border. Salman Rushdie in his great Tanner Lecture ("Step Across This Line") described how borders can dehumanize and tyrannize:
"At the frontier we can’t avoid the truth; the comforting layers of the quotidian, which insulate us against the world’s harsher realities, are stripped away, and, wide-eyed in the harsh fluorescent light of the frontier’s windowless halls, we see things as they are. The frontier is the physical proof of the human race’s divided self...
Here is the truth: this line, at which we must stand until we are allowed to walk across and give our papers to be examined by an officer who is entitled to ask us more or less anything. At the frontier our liberty is stripped away—we hope temporarily—and we enter the universe of control. Even the freest of free societies are unfree at the edge, where things and people go out and other people and things come in; where only the right things and people must go in and out. Here, at the edge, we submit to scrutiny, to inspection, to judgment. These people, guarding these lines, must tell us who we are. We must be passive, docile. To be otherwise is to be suspect, and at the frontier to come under suspicion is the worst of all possible crimes.
We stand at what Graham Greene thought of as the dangerous edge of things. This is where we must present ourselves as simple, as obvious: I am coming home. I am on a business trip. I am visiting my girlfriend. In each case, what we mean when we reduce ourselves to these simple statements is, I’m not anything you need to bother about, really I’m not: not the fellow who voted against the government, not the woman who is looking forward to smoking a little dope with her friends tonight, not the person you fear, whose shoe may be about to explode. I am one-dimensional. Truly. I am simple. Let me pass.
Across the frontier the world’s secret truths move unhindered every day. Inspectors doze or pocket dirty money, and the world’s narcotics and armaments, its dangerous ideas, all the contrabandits of the age, the wanted ones, who do have something to declare but do not declare it, slip by; while we, who have nothing much to declare, dress ourselves in nervous declarations of simplicity, openness, loyalty. The declarations of the innocent fill the air, while the others, who are not innocent, pass through the crowded, imperfect borders, or make their crossings where frontiers are hard to police, along deep ravines, down smugglers’ trails, across undefended wastelands, waging their undeclared war."
We are in a time of change, and each of us has to make a choice. You choose to treat privacy as an illusion and just behave. Not me.
Posted by: Bob Blakley | October 06, 2009 at 10:51 AM
I agree with the view that solutions to the 'privacy' problem are not to be found in technology. But I don't think 'social' is the only other option; I believe that 'commercial' will also prove an area of privacy solutions. i.e. in the current modus operandi, organisations believe that it is commercially a sensible thing to do to gather, store and use personal data to the full extent the law will allow them. I would contend that this will break down over the next 5 years and that a more commercially sensible solution will be to store less personal data, and be extremely selective about how it is used.
Posted by: Iain Henderson | October 06, 2009 at 11:05 AM
If I understand your logic I should leave my shades up and believe that some social process will work to keep people from peeking into my window. That just doesn't make sense to me. When someone's privacy desires are unknown, technology or other tools are ways to express that. Hoping that social norms will protect our privacy is a bit naive. If that works why do we have prisons?
Posted by: JC | October 06, 2009 at 12:17 PM
Thanks Bob, let me explain my examples a bit further.
A picture of a private property is private as far as it may reveal personal details that are covered by relevant data protection laws (e.g. a flag waving on the window suggests my political orientation). In this case I guess you would argue that that picture violates my privacy. However if the fact that somebody posted that picture allows a tax agent to catch me as a tax evader, I assume law enforcement would prevail over data protection: and yet law could be enforced only because somebody took that picture and posted it somewhere.
The other example (the crime scene) is even more intriguing. I may be in the background, walking around with my mistress on a day when I told my wife I was somewhere else: and yet somebody took that picture and posted it somewhere. I guess society would be grateful to whoever posted the picture that evidence of a crime is available, but I would not be equally happy. Should my right to privacy prevail over the rights of society to apply laws?
Coming to your example, if you were an HR professional or a possible client of the martini-contest drinker, wouldn't you like to find out that your colleague or doctor or supplier gets drunk after hours? As an employee is not supposed to post indecent pictures on a web site even when he's at home if he can be directly or indirectly associated to the enterprise (take a look at social media policies in most enterprises) so maybe he is not supposed to get drunk in a bar (which is a public place).
Now, moving from theory to practice, checking LinkedIn or Facebook profiles and activities is becoming a norm in HR. We have clients who are using LinkedIn and not internal systems to figure out their employees' skills and plan accordingly. Social media policies that I see (at least in the public sector, which is my coverage area) do not distinguish any longer between what you are supposed to do while on duty or after hours, from your workplace or at home.
I take your point about the lack of contextual metadata, but I would argue that the rules concerning how to handle information will be difficult to cast in stone. I also agree that "if businesses build systems and spaces which provide trails of accountability for indiscretions and other antisocial behavior, we'll have more privacy". But the problem is that the very definition of what is antisocial is changing.
I read a quite interesting article today (see http://torontolife.com/features/lament-igeneration/) that shows the difference between "cheating" and "collaborating" for two different generations (teachers and students). Just the way of socializing information today is changing very rapidly.
I am quite sure that you and (to some extent) I will still fight for our privacy, but in doing so we will struggle to understand how that is evolving for the next generation. We would never date or break a relationship by SMS, nor would we share very private pictures by MMS or IM or Flickr with our friends and their friends. But kids do. Will they care about tracking who posted what and where, or will they just assume they live in a glassbox?
Maybe privacy will be replaced by something like "tolerable or socially acceptable indiscretion".
Posted by: Andrea Di Maio | October 06, 2009 at 12:24 PM
Why do we want privacy? Is it because we are concerned a violation of the same would lead us to some form of harm (legal, physical, financial, personal etc.)?
If we agree that to be so, we must then look at the question in the broader social context, along with the personal context that all have commented on so far.
If we do that, then we must be ready to accept the definite possibility of a person vs society context. Now ensuring personal privacy may be deemed essential by the individual, but whatever social cluster he or she belongs to may decide otherwise. So the society/group/cluster may be behaving themselves, but the individual member believes otherwise. The point on the lack of privacy at the "borders" is a good example of the same.
So once you share your "private" information to the outside world, however small or homogeneous it is, you are taking a risk, that the society may not honor your privacy. It gets worse when the information is released to a larger and less well-defined group.
So sharing information (I am doing that when I walk out in public with my mistress) in any world, real or online must come with a statutory warning, and indeed it does. I am inclined to agree with Bob, that we should prevent anonymous posting, access and usage of that information. That at least ensures consistency with the laws in most societies, where the accused gets to face the accuser.
I think this is where technology can help.
Posted by: Tridib Roy Chowdhury | October 07, 2009 at 05:22 AM
I agree Bob, privacy is what happens after the disclosure. People will sell their souls for a free T-shirt or a 10% discount. But what they want is for bad things to not happen after they disclose the information. I elaborate more at: https://www-951.ibm.com/blogs/visible/entry/defining_privacy_management_again
Posted by: twitter.com/visibleit | October 07, 2009 at 05:03 PM
Enter "Contextual Integrity".
Last year, Dr. Helen Nissenbaum of NYU gave an excellent lecture at Berkeley about privacy.
Here is how Dr. Nissenbaum described privacy:
"Privacy is not secrecy but rather appropriate flow of information."
Following are some of the notes I took from the lecture.
Socio-technical systems: It is not just the technology that causes privacy issues. It is the technology embedded in the social system. e.g. RFID implanted into humans or RFID enabled passports.
Three classifications of socio-technical system:
1. Tracking and monitoring systems e.g. Web browser cookies.
2. Systems that aggregate and analyze - Choicepoint, Amazon's personalized recommendation system.
3. Systems that broadcast, disperse, distribute, propagate, publicize and disseminate information. - e.g. making court records, which are public, available online. In this case the web is the technical system that disseminates the court records.
Controversial vs non-controversial socio-technical systems. Medical devices in use at hospitals are non-controversial and may be beneficial. However, using information from electronic toll collection on freeways to track someone's movement is controversial.
Traditional approaches to privacy:
1. Private / Public duality (dichotomy). This is an oversimplified approach. It may be argued that what is public may be disseminated by any medium. e.g. Google's street view, license plate recognition is not a privacy breach as both streets and license plates are public in nature. Private / Public dichotomy may be good in political philosophy, but it is problematic in the privacy realm.
2. The measure of respect for privacy is the control of information by the subject. i.e. the subject has control over what gets revealed and what does not.
3. Lobbying for what constitutes a privacy breach and what doesn't. Especially problematic if the privacy is considered a preference rather than a moral right.
4. Privacy vs. other values (e.g. security).
These approaches are limited and do not work.
Dr. Nissenbaum's proposed approach: Contextual Integrity. Based on privacy as a human/moral right.
Contextual Integrity is a measure of how closely the flow of personal information conforms to context relative information norms. Contextual integrity is breached when these norms are violated and is respected when these norms are enforced.
Context relative information flow norms: In a context the flow of information (particular attribute) about a subject from a sender to a recipient is governed by a particular transmission principle. Context (circumstance), attributes (information about the subject), actors (subject (information owner), sender and receiver) and transmission principles are the key parameters. All these parameters must be taken into account when performing an analysis of the information flow. Google street map argument fails because it only takes one principle i.e. attributes (streets are public) into account and ignores the other key principle i.e. the context (distributing it over the web and making it widely available).
Fiduciary transmission principle: You trust someone with private information about yourself under the assumption that your private information will be used to benefit you and not harm you.
Privacy is not secrecy but rather appropriate flow of information.
Posted by: Saqib Ali | October 10, 2009 at 08:04 PM
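The contextual-integrity parameters in the notes above (context, attribute, actors, transmission principle), combined with the post's idea of personal information that carries metadata about who collected it and for what purpose, can be expressed as a flow check. This is an added example, not part of the original post or comments; every role, context, norm and name in it is constructed for illustration.

```python
"""Contextual-integrity flow check over records that carry collection metadata.
Constructed illustration: all roles, contexts, norms and names are invented."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Norm:
    context: str         # context the information was shared in
    attribute: str       # kind of information about the subject
    sender_role: str
    recipient_role: str
    principle: str       # transmission principle, e.g. "fiduciary"


@dataclass(frozen=True)
class Flow:
    sender: str
    sender_role: str
    recipient: str
    recipient_role: str
    principle: str


@dataclass
class Record:
    # Metadata that travels with the data: subject, collector, context, purpose.
    subject: str
    attribute: str
    collected_by: str
    context: str
    purpose: str
    trail: List[Tuple[str, str, str]] = field(default_factory=list)


def check_flow(record: Record, flow: Flow, norms: List[Norm]) -> Tuple[bool, str]:
    """Return (appropriate, reason) and log the attempt on the record itself."""
    in_scope = [n for n in norms
                if n.context == record.context and n.attribute == record.attribute]
    if not in_scope:
        verdict = (False, "no norm covers this attribute in its context")
    else:
        by_roles = [n for n in in_scope
                    if n.sender_role == flow.sender_role
                    and n.recipient_role == flow.recipient_role]
        if not by_roles:
            verdict = (False, "actors fall outside the context's norms")
        elif not any(n.principle == flow.principle for n in by_roles):
            verdict = (False, "transmission principle differs from the norm")
        else:
            verdict = (True, "flow conforms to a context-relative norm")
    # Allowed or not, the attempt is attributed to a named sender and recipient.
    record.trail.append((flow.sender, flow.recipient, verdict[1]))
    return verdict


# Constructed norms: what each context treats as an appropriate flow.
NORMS = [
    Norm("clinic", "diagnosis", "patient", "doctor", "fiduciary"),
    Norm("clinic", "diagnosis", "doctor", "specialist", "fiduciary"),
    Norm("private_party", "photo", "guest", "guest", "confidence"),
]


def demo():
    dx = Record("alice", "diagnosis", "dr_lee", "clinic", "treatment")
    photo = Record("jimmy", "photo", "johnny", "private_party", "keepsake")
    results = [
        check_flow(dx, Flow("dr_lee", "doctor", "dr_kim", "specialist", "fiduciary"), NORMS),
        check_flow(dx, Flow("dr_lee", "doctor", "acme_ads", "marketer", "sale"), NORMS),
        check_flow(dx, Flow("dr_lee", "doctor", "dr_kim", "specialist", "sale"), NORMS),
        check_flow(photo, Flow("julie", "guest", "hr_dept", "employer", "report"), NORMS),
    ]
    return results, dx.trail, photo.trail


if __name__ == "__main__":
    outcomes, dx_trail, photo_trail = demo()
    for ok, why in outcomes:
        print("OK    " if ok else "BREACH", why)
    print(photo_trail)
```

The same attribute passes or fails depending on the actors and the transmission principle, and the trail names the sender of a breaching flow rather than leaving it anonymous.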
Blakley's points are true and, quite frankly, obvious. There is no way to ensure "information privacy" when it hits a human interface. You can mitigate, but not control a human, although you can terminate it :). This issue has nothing to do with technology and everything to do with human nature.
Although technology enables the ability to transport said "secrets / private information" faster and make them far more accessible than any other method thus far invented, it has nothing to do with integrity and cannot since information is only useful to humans and not computers. So the gentleman from Gartner is correct in nature, that technology enables secrets to be divulged faster, but he, as Gartner usually does, miscommunicated his key point.
Secrecy, as it always has and will be, is in "your" hands, and "yours" alone.
Posted by: Scoman | October 16, 2009 at 01:22 PM