On Twitter: @JamesFirth and @s_r_o_c (post feed)

Monday, 24 May 2010

Online privacy is not a myth, just do your homework and model human nature

A friend congratulated me after a recent talk I gave at Digital Surrey for being brave enough to talk and host a discussion about digital rights in a public forum.  It's a big amorphous subject with no clear answers; a subject about which everyone (in the industry at least) seems to have a strong opinion on one or more of the sub-topics: privacy and data protection, rights management, censorship etc.

My talk was on rights management, namely copyright protection and the Digital Economy Act; however, online privacy is perhaps a subject which carries far more emotive overtones. As with censorship, there are unavoidable links with extremely difficult and sensitive subjects such as child protection.  The "nothing to hide, nothing to fear" mantra is largely discredited, yet is often quoted without even a hint of irony.

A kind of Godwin's Law for both privacy and internet censorship is that the discussion inevitably tends to the subject of child abuse.  But please, I beg that this unsavoury premise does not become known as Firth's Law!  I'm probably not the first to make this parallel, and on the slim chance I am, let's call it the law of disproportionate fear.  Speak out against censorship and people inevitably scrabble to find an example of why censorship is sometimes OK.  Argue for privacy rights and you can literally feel the question brewing, "what are you hiding?".

With that out of the way I can say I firmly believe privacy is as important today as it ever was, despite the internet and our love to share, be creative and show off.  It's important despite our disproportionate fear that those who crave privacy are up to no good.

Think of an embarrassing story you wouldn't mind sharing with your friends, or even broadcasting on Twitter or Facebook.  Your parents may or may not be following you on your social networks, but I'll bet most of us can find at least one example of a story they wouldn't mind sharing with friends down the pub but would be uncomfortable, mortified even, if our parents found out.

Article 8 of the European Convention on Human Rights provides the right to privacy in home and family life.  It does so because it's widely acknowledged that privacy is an important side of human nature that we must respect.  Breaching a person's privacy can severely upset that individual.  Many victims of home burglaries speak of the anger they feel that someone has been through their private belongings. But what we each choose to cherish as private in our life differs from person to person, and from culture to culture.

Respecting an individual's privacy boils down to respecting that individual's choice.  This is no different on the internet than in the real world, but the internet introduces some new concepts, particularly trust and complexity.

In the physical world we have a well established principle of "home life".  There are things we choose to do behind closed doors despite the fact that doing the same thing in public would not be illegal. Obviously this preference varies from individual to individual.

One such common example is singing.  I love to sing in the shower, but I'm embarrassed to be overheard - even by my wife! Yet I'm a bit of an extrovert, so there's no logic to my discomfort of making a "tune" in public - apart from being crap at singing. But so are many other people, yet they're happy to warble away down the karaoke every Tuesday.

Society has evolved over thousands of years to provide structures to accommodate human emotion in this area; to respect our choice over what we do in public and what we do in private.  By and large we don't live in large communal halls without screens or doors to afford us a private space.  Some communities do, through necessity or choice, but a far larger proportion of the population chooses privacy.

Furthermore, social norms reflect a strong respect for privacy.  We don't like to intrude, we knock before entering, and we look away if we feel our presence may prove embarrassing.

Of course there is no absolute right to privacy. Society has evolved to remove some of our rights, e.g. for public officials and celebrities choosing to live in the public eye - an important concept, a safeguard to prevent abuse of power for those who have a strong influence on the lives of others.  We also accept as a society our privacy might be invaded in the course of an investigation into a serious crime, although the definition of serious and the concept of private (e.g. contents of a mobile phone, home computer) are continually under review.

In contrast to the physical world, confusion reigns online.  There are no absolutes, no givens.  So some argue simply that privacy is a myth. Well, it probably is - if you confuse privacy with traceability.

Almost everything is traceable back to an individual unless one undertakes concerted measures to avoid detection.  Just like plotters throughout history, the people who really need privacy and to avoid traceability - the criminals - will find that privacy and non-traceability in one way or another.

And conversely the extroverts who crave publicity have in the internet found just that.  Those who, self included, are not perturbed - excited, in fact - by broadcasting and sharing information and ideas in the public arena are making the most of the opportunity.

But what then for the masses, the ordinary folk who see this pervasive and useful tool but remain too confused or afraid to embrace its potential?

In some respects it's not possible to build the concept of a "home life" central to Article 8 of the ECHR on the internet due mainly to the issue of trust.

Your physical home is a domain under your control (exclusively, or jointly with those you choose to live with).  Yet to build a private space on the internet over which you retain exclusive control is all but impossible.  It can be done, should one host one's own service and use encryption for all external communications, but it remains largely impractical.

But we shouldn't just accept this as a fait accompli and declare, as many seem to be suggesting, that all information posted online is public, is "fair game".  As humans, in Western culture at least, we choose to spend rather a lot of our free time indoors; in private.  Internet services offering social experiences should take note and reflect this.

We must not let the internet, or at least the interactive aspect of the internet in social media, become the sole preserve of the extroverts comfortable with living their entire lives in public and sharing their thoughts with absolute strangers.

I happen to love this aspect of the internet, hence why I write a blog and tweet. Over the years I've participated in numerous public mailing lists. I think ultimately the "extreme sharing" principle will be an incredibly positive force in our evolution.  It's already providing a rich data source that new applications are already tapping.

But this is a personal choice and we should not overlook the majority who want to exert closer control over their online image, the information they choose to share and the people they choose to share it with.

When such delicate psychological issues exist we must model software on society rather than expecting society to embrace our software. What we absolutely must not do is attempt to force society to comply with revenue models heavily reliant on exploiting the value of private data.

Service providers and ISPs must accept that they are custodians of our data, not owners. These companies must provide a foundation of trust on which people are able to build a digital home life.

Without this trust it's clear that a digital equivalent of a home life cannot be built, and online privacy will indeed become a myth.  I hope that governments will act under Article 8 of the ECHR to ensure that ISPs and service providers contribute the building blocks - trusted communications and protected data storage - to allow a private digital home life to be built and function.

Once trust is established, a simple privacy model also needs to be defined.  A model whereby individuals can make a clear choice for any given online activity of where the activity is to be performed: in public, or in private.  Two choices, the former having a presumed right of access (e.g. being photographed walking down the street) and the latter where no right of access, by anyone, can be presumed; behind closed and locked doors.

I'm not just defining how "friends" or "followers" can access information; the concept runs far deeper. Information which the owner has deemed private for whatever reason should be protected from advertisers, even staff working for the service provider.  It should be encrypted in "the cloud" - all necessary steps should be taken to prevent accidental disclosure.  Systems must be designed with privacy in mind.  Law enforcement officials should not have access to private data without a warrant.  Private data should be treated in all cases as if it was locked inside a private residence.

And critically it is up to the individual and no-one else to decide to which class (public or private) each piece of information belongs.  Information commissioners for various governments have struggled to define the concept of "personally identifiable information" for the purposes of data protection legislation.  This definition is largely unnecessary in a model which respects consumer choice. It is up to the information owner to decide whether any given piece of data is public or private.

That's not to say that private activities can't be shared, but the owner remains in full control; they send the invites, and act as doorman able to chuck out guests at any point.

Of course the nature of the internet introduces new problems or complexities that don't exist or are far easier to handle in the physical world. Will your guests misbehave by capturing and re-broadcasting in public your private performances?  Such problems still need to be addressed by society, but social norms will be established, just like one knocks on a door before entering and doesn't film at a friend's house without permission.

If and only if the data owner remains in full control of the guest list can such problems be addressed.  Guests will not want to jeopardise a friendship from anti-social behaviour.  Once the data owner loses control of the guest list - keys to his or her digital home - the concept collapses.

Ultimately it's up to us as a society to choose whether we want to endorse the concept of a digital home life and consequently make available the necessary building blocks in terms of trust structures and, where needed, legislation to support them.

I see a clear business opportunity for any organisation wanting to put the individual back in control of the personal data they choose to share.  I'm optimistic that the government intervention needed is minimal, namely to define when and how law enforcement can access one's digital home and extending the existing principles of data protection so that there's a clear commercial incentive to ensure custodians of our data act responsibly at all times.

I don't see an end to profiling of individuals by advertisers nor do I believe that returning control of personal data to the owner will be a death-knell for exciting new services which rely on personal information being shared.  I think over time individuals will become more comfortable living more of their life in public, just as we're now far less squeamish dealing with issues of sex, race or disability on prime-time TV.

There's a clear danger in rushing to persuade people to adopt a more public private life. Many will resist this change, and the backlash could stymie adoption and extend the normalisation period - the time society needs to adopt and adapt.

Advertisers will be free to build behavioural models on the data we choose to make public, and I predict the public proportion will increase over time.  There may still be restrictions imposed on analysing even public activities to prevent exploitation.  After all, whilst it's not illegal to take a picture of a random stranger in public, it is not usually acceptable to exploit this person's image, e.g. to endorse a product or service, without clear permission.

Only by returning control of data back to the owner will we encourage those who currently don't feel comfortable sharing any information online to use these services and find their comfort zone at their own pace.


  1. James, very thoughtful analysis and I agree that there is a distinction between privacy and "discoverability" or "traceability." While distinct, both are essential to examine, understand and protect. These issues are not at all confined to the internet, but technology certainly adds to the complexity. Think of how long it has taken for stalking (physical or cyber) to have laws attached to it. In the not so recent past, there was not a law that explicitly protected you if someone secretly filmed you in the privacy of your home or even a public restroom (in the U.S.). I hope that we all continue to participate in these discussions for in doing so we are shaping our future.

  2. First, let me say that I think there's a huge difference between security and privacy. I believe that we should do a better job at protecting private information, like my bank account or credit card data. And while I really like the house imagery, in this case, people aren't visiting a house, it's more like they're visiting a mall. And the thing about being in a mall is that your actions aren't private. Sure, I may be with some friends and do something dumb, but anyone around me has the right to talk about what I've done. If I'm loudly speaking on my phone while at the mall or another public place and someone overhears me, then I can't expect that people won't share what they hear.

    I also believe that we need to look at the business model of sites like Facebook and understand what it means. We have to pay for that service somehow and unless we're going to go the subscription route, we have to expect that they're going to do something with advertisers. That's sort of the contract we have with them, isn't it? We understand when we go to sites like FB that they make money from our data. We have to pony up at some point? If FB or Twitter or something else delivers the right value, then we're OK with it. If not, that's when we have a problem.

    Lastly, I think that particularly with FB, the problem is that they haven't been upfront and transparent about their privacy policies and that's what's gotten people upset. They need to outline a clear plan and let people know what they're going to do. They need to stop being so cavalier with their attitude towards this issue. It's funny that a company at the center of SM is working as badly as they are in this regard.

    This privacy issue has been around a long time. I think it's interesting that credit card companies and the like have been compiling detailed information about us and selling it for years. They probably have a lot more data than FB does.

  3. Thanks for your comments David. All very valid, but I personally don't buy the argument that we have to sell our souls in order to get free access to social media services.

    I think it is possible to build a digital equivalent of houses alongside the digital mall, and what we choose to do in our digital homes is protected from advertisers, snoopers etc.

    I think providing a comfort zone with high levels of statutory protection is actually key to driving adoption and increasing long term profit for these companies. As people get more comfortable, they will do more in the mall!

    Despite getting a service for free, Facebook and the like are still custodians not owners of our personal data.

    And yes, transparency and choice is key!

  4. This is a fantastic post James and I agree that in an ideal world businesses and online suppliers would respect the privacy of users' data. However, they don't, do they? We have no idea just how much of our own personal data is recorded and where our data goes, who has access to it and what they are using it for.

    As individuals I agree that this simply shouldn't be the case but it has already happened, as soon as someone signs up on Facebook they have to give away personal information and such is our way of life now, that many people think nothing of it.

    So going back to our initial comments on Twitter yesterday, do I believe online privacy is a myth, at the time of writing yes. Should it be? That is a definite no!

  5. Thanks Melanie for your encouraging comments. In short I'm an optimist and a technologist heavily involved in the net since the beginning.

    I think yes we can rebuild trust and return control to the user. We need privacy in communications (the internet 'pipes'), already guaranteed by EU law but threatened by e.g. data retention and related issues, and we need service providers to think again about how they view their role in protecting our data.

    I think business models will evolve to match what society demands because ultimately there is a demand to support this approach. We choose to protect our privacy in the physical world and I therefore predict that the same psychological drivers will force service providers to have a far greater respect for privacy online.

