Blogger: Bob Blakley
Andrea DiMaio of Gartner recently posted a blog entry entitled "Forget Privacy: It Is Just An Illusion".
DiMaio's lament rephrases Scott McNealy's famous quote ("You have zero privacy anyway. Get over it.")
McNealy was wrong then and DiMaio is wrong now; they're both dead wrong, and it's important.
Here's DiMaio's key sentence:
I have come to realize that, does not matter how careful we are, we are going to lose control of our privacy.
But Andrea DiMaio never had control of his privacy. And nothing - including technology - was ever going to give him control. DiMaio and McNealy assume without saying it that privacy means "keeping personal information secret". And by that definition privacy is an illusion. But "keeping personal information secret" is the wrong definition of privacy. As long as your personal information is secret, you don't even have a privacy problem. It's only when somebody else knows your personal information that you have a privacy problem.
Privacy is the problem you have after you share sensitive information.
When you discover that you might have a socially awkward medical condition and you go to the doctor, you don't keep the condition secret from him - you tell him about it so that you can get treated. And when you leave the office, you don't control your doctor; you trust him with your secret. You trust him with your private information because he has taken an oath to behave sociably and to use your personal information only in ways which benefit you.
That's how privacy works; it's not about secrecy, and it's not about control: it's about sociability. Privacy is a social good which we give to one another, not a social order in which we control one another.
Technologists hate this; social phenomena aren't deterministic and programmers can't write code to make them come out right. When technologists are faced with a social problem, they often respond by redefining the problem as a technical problem they think they can solve.
In rhetoric, we call this redefinition of the problem "framing".
The privacy framing that's going on in the technology industry today is this:
Social Frame: Privacy is a social problem; the solution is to ensure that people use sensitive personal information only in ways that are beneficial to the subject of the information.
BUT as technologists we can't (as DiMaio observes) control people's behavior, so we can't solve this problem. So instead let's work on a problem that sounds similar:
Technology Frame: Privacy is a technology problem; since we can't make people use sensitive personal information sociably, the solution is to ensure that people never see others' sensitive personal information.
We technologists have tried to solve the privacy problem in this technology frame for about a decade now, and, not surprisingly (information wants to be free!) we have failed. DiMaio now wants to give up. But he's forgotten the reframing; he's assuming that the technology frame is the problem, and therefore if the problem can't be solved in the technology frame it can't be solved.
The technology frame isn't the problem. Privacy is the problem. Society can and routinely does solve the privacy problem in the social frame, by getting the vast majority of people to behave sociably. Privacy isn't a new problem. It's existed in all human societies for as long as there have been human societies. Lawyers have solved it. Doctors have solved it. Priests have solved it. Friends have solved it. They've solved it by creating social structures which discourage monstrous behavior. We even have words for people who violate the often unwritten and unspoken rules governing the handling of delicate personal information; in the old days we called a man who was careless with others' secrets a "cad". Nowadays we use another word (a word which also has an anatomical denotation, if you're wondering).
Technology can't solve privacy problems, because they're not technology problems. But technology can make privacy problems worse, by making it easy to do antisocial things, or by making it hard to recognize the sensitivity of personal information and lowering our awareness that we're in a social situation and need to behave sociably; online spaces like Facebook, whose rules for handling private information are often opaque to users, create unnecessary privacy hazards in this way (see Ian Glazer's "Privacy Mirror" experiment for an example of how opaque privacy settings can undermine the sociability of an online space).
If we accept the technology frame and let technologists define privacy as control over dissemination of information, we ARE going to have less privacy. Resisting the technology frame is critical; if we don't resist it, lots of bad things happen. For example, if we accept the "privacy is defined as control of secrecy" frame, then we will start to believe (perhaps as a society, and perhaps even as a matter of law) that as soon as someone learns a piece of information about us, that information is no longer private, and we lose subsequent protections.
We don't have to accept the technology frame.
The assumption that led technologists to create the technology frame - that the social problem of getting people to behave sociably cannot be solved - amounts to an assumption that we will all be monsters.
This assumption is neither true nor acceptable. We've got to fight the technologists on this one.
Worldviews have consequences. A worldview that says "privacy is an illusion" can create a world in which there is no privacy, at least online.
My generation makes a distinction between the online world and "the real world". My kids' generation does not. The social world they live in will BE the online world - woven inextricably with what I grew up calling "the real world". I'm not willing to stand idly by and watch the sociability of that world destroyed by technologists who have given up because they can't see beyond their coding pads.
DiMaio concludes his post this way:
The problem for us, all of us, is that somebody will be watching all the time. We’d better behave.
The implied subtext is "because whoever's watching will be a monster, and turn us in to the authorities, and we'll be punished".
DiMaio is deeply irresponsible to encourage the view that just because the cryptographers can't give us a cloak of invisibility online it's OK to be a monster.
But he's right that we'd better behave. When we see someone else's private information, we'd better avert our gaze. We'd better not gossip about it. We'd better be sociable. Because otherwise we won't need the telescreen - we'll already have each other. And we'll get the society we deserve.
We are our brothers' keepers. We'd better start acting like it.
Technologists have a critical role to play in protecting privacy - but that role isn't building walls of secrecy. It's in building sociable spaces in the electronic world.
A sociable space is one in which people's social and antisocial actions are exposed to scrutiny so that normal human social processes can work.
A space in which tagging a photograph publicizes not only the identities of the people in the photograph but also the identities of the person who took the photograph and the person who tagged the photograph is more sociable than a space in which the only identity revealed is that of the person in the photograph - because when the picture of Jimmy holding a martini washes up on the HR department's desk, Jimmy will know that Johnny took it (at a private party) and Julie tagged him - and the conversations humans have developed over tens of thousands of years to handle these situations will take place.
A space in which personal information (a health record, say) always comes with metadata indicating who collected it, for what purpose it was collected, and under what terms and conditions it may be used is more sociable than a space in which a piece of personal information may be forwarded into another organization by someone who doesn't even know the information is personal. And so on.
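One way the metadata described above could travel with a record, as an added example that is not part of the original post: the record carries its collector, purpose and terms of use, every hand-off is logged, and transfers outside the terms are listed along with who made them. The class, field names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    purpose: str
    at: str

@dataclass
class PersonalRecord:
    subject: str
    payload: str
    collected_by: str                # who collected the information
    collected_for: str               # purpose stated at collection
    allowed_purposes: frozenset      # terms: uses the subject agreed to
    allowed_recipients: frozenset    # terms: parties it may be passed to
    custody: list = field(default_factory=list)

    def holder(self):
        """Current holder: last recipient, or the collector if never forwarded."""
        return self.custody[-1].recipient if self.custody else self.collected_by

    def forward(self, recipient, purpose):
        """Record a hand-off. Nothing is blocked; the hand-off is made visible."""
        self.custody.append(Transfer(self.holder(), recipient, purpose,
                                     datetime.now(timezone.utc).isoformat()))
        return self

    def out_of_terms(self):
        """Transfers the subject never agreed to, each naming who made it."""
        return [t for t in self.custody
                if t.recipient not in self.allowed_recipients
                or t.purpose not in self.allowed_purposes]

def build_sample():
    # Constructed sample data; all names are hypothetical.
    rec = PersonalRecord(
        subject="jimmy", payload="diagnosis: (redacted)",
        collected_by="dr_lee", collected_for="treatment",
        allowed_purposes=frozenset({"treatment", "billing"}),
        allowed_recipients=frozenset({"dr_lee", "insurer"}))
    rec.forward("insurer", "billing")      # within the terms
    rec.forward("employer_hr", "hiring")   # outside the terms, but attributable
    return rec

if __name__ == "__main__":
    for t in build_sample().out_of_terms():
        print(f"{t.sender} -> {t.recipient} for {t.purpose} at {t.at}")
```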
At Burton Group we don't think privacy is an illusion. We think it's a hard issue - very hard - but that's why we're here: to give practical advice on hard issues. Ian Glazer and I have recently updated the privacy coverage our research and analysis customers get as part of their subscription. But privacy is so important and so widely misunderstood that we've decided to release our recent paper free to the public. It's here.
We hope you'll read it. We also hope you'll get in touch. Leave us comments here on the blog, email us, or call and ask for a dialog - even if you're not a customer.


There are lots of great viewpoints expressed in Bob's blog and comments. But I'd like to raise a perspective on privacy that is not fully addressed.
I'll start with an analogy. Fortunately my daughter is not yet old enough to drive but I’m sure this story is reality for many of us. You loan your car to your kid. You set an expectation—either explicitly (“you may go to the mall with your friend but only you can drive and you may not go anywhere else”) or implicitly (previous communication or rules and/or precedent about who can drive the vehicle). The expectation is a shared understanding of what may be done with the vehicle. You take on a calculated risk based on the nature of the act, your ability to “know” that the expectation is fulfilled (visibility), and to incent the fulfillment of that expectation. (The incentive can be a carrot or a stick—and can arise from friends, family, or institutions in our society, e.g., law enforcement.) In short, I let the kid have the car and cross my fingers she is not letting her friend drive or going somewhere other than the mall. Visibility is tough, although GPS and other technologies are helping these days. In a hypothetical world of complete trust, I can simply ask my daughter if she followed the expectation.
So why am I talking about loaning a car in a blog about Privacy? The answer is simple—privacy is a special case of trusting others with assets. In the world of privacy, the asset is information. Instead of loaning her a car I am telling my doctor about a medical condition. I take a calculated risk. (Will she tell others or post my name and condition on a web page?). I believe we have a common expectation. (Thank you HIPAA for ensuring I receive a Privacy Statement.) And I know there are incentives to uphold the Privacy Statement. (HIPAA does have teeth, right? Well, maybe: In a recent survey by Ponemon Institute, 80 percent of responding health care organizations had experienced at least one incident of lost or stolen electronic health information in the past year.)
Now, in the automobile analogy I set an expectation about the transference of the asset. “You may not let anyone else drive.” I didn’t say “you can only loan the car to someone you trust.” In the case of my HIPAA Privacy Policy, there is a provision for transference—my medical information will be provided to my health insurance provider. But not my employer. OK.
In short, my view is that this is all about setting and meeting expectations. This is as old as human discourse and is not based on technology. But technology changes things—it both helps and hurts. And it could help a lot more than it is presently doing. I haven’t said much about visibility so far. Visibility is tricky: it’s nearly impossible to know if my daughter lets her friend drive and where she takes the car. (Well, until I get the photo radar speeding citation with friend Suzie driving nowhere near the mall.) But visibility could be easy with information assets—metadata can be included to identify the source of an asset (and even the chain of transference if it has been passed along). And privacy policies abound, so maybe we have enforceability to incent stewards of private information to abide by our expectations. Maybe.
So to me, privacy is not black and white. I might trust low-risk information to others even when there is little visibility or privacy incentives. I might set an expectation that transitive trust is OK—I not only trust my doctor with my medical history, I trust her to pass it along to others that are trusted and fall within the same parameters of our shared expectation. In some cases I know litigation is a real incentive. In other cases, societal pressures may suffice (when I expect a social behavior and not an anti-social behavior as called out in this blog). And in many cases, the expectation is not fully articulated or precise—I expect the recipient of “private information will be used to benefit me and not harm me.”
One thing that is fascinating about today’s connected world is the ease of disseminating information. One post to a web site can get millions of viewers. And information is freely replicated, unlike physical assets. So we need to be extremely careful with our private information. And digital information can stick around a long, long, time. And it is readily searched. So in these ways the technology hurts privacy.
The first time someone sent me a “gift from Pennsylvania” on Facebook, I declined because of the warning that the Gift application can access all of my personal information. And there is no transitive expectation of what that application will do with it. There was no privacy expectation period. Even if there was, I don’t feel I have visibility. (At least with the doctor’s office I can ask who my medical history was shared with.) And as far as incentives and enforceability are concerned, I don’t feel very protected on today’s social networking sites. But in the end, I have accepted (and sent) these kinds of gifts—based on one fact: my activities on Facebook are really pretty pedestrian. But I have yet to rush home from the doctor after being diagnosed with an embarrassing condition to post it on my Facebook wall. Check out Ian Glazer’s blog about the Facebook issue and PPIA at http://identityblog.burtongroup.com/bgidps/2009/07/personal-privacy-impact-assessments-for-facebook.html.
So as we further our privacy interests as a collective community of advocates, let’s continue to ask about expectations, how they are asserted, communicated, and agreed, how privacy infractions can be made visible, and the economic, legal, social, and moral incentives we can cultivate. Regardless of what you feel should or should not be “private”, we all have a right to set expectations that we trust will be met. And as technologists, we have the capability to improve the state of privacy in the face of technological advances that might otherwise undermine it. Privacy is not an Illusion. It is a challenge.
Posted by: Coby Royer | October 23, 2009 at 03:41 PM