Four unresolved issues in privacy
Recently a friend and colleague asked me about key areas of conflict in the field of privacy. After a bit of brainstorming, I came up with four such issues.
Information privacy versus information disclosure.
Not so much a conflict but a trade-off which can lead to tension. Information privacy is a condition of keeping personal information private. Information privacy balances information disclosure, the act of sharing personal information as part of communication. Information disclosure necessarily determines trust. This is particularly relevant for trust building in online commerce with its potential for information imbalances leading to a market of lemons. What’s interesting about social media and many mobile apps is that disclosures made to build trust with your friends is being used by those platforms to market to you or make money off your information. Granted, they own the platform and make it clear up front (usually) that is the case. Yet, it often creates tension between the desire to disclose and trust and the desire to keep information private.
Who owns personal information? The observer or the individual.
European law favors the individual. U.S. law favors the observer. The essential point comes down to this: if an observer sees something an individual does, can the observer use that observation in commercial endeavors? With modern technology, if a computer system observes something about you (i.e. your picture, your actions online, your location, your demographic data) does the owner of the computing system need to seek permission to use that observation? This is particularly relevant with social media and the ability to combine data from multiple sources to build a fuller profile of an individual. Another way to think about this is by asking if you see something walking down the street, can you use information about their behavior or characteristics for commercial purposes? Now suppose you take a picture of them walking down? Can you use that information for commerce purposes? What if you take a picture of 20 people? What then? At what point is using the personal information for commercial purposes considered inappropriate? In other words, who owns the personal information of an individual?
Right to privacy versus privacy subsumed under other rights (e.g. property and liberty)
In 1890, Warren and Brandeis wrote an Harvard Law Review article arguing for a right to privacy that should be protected by the U.S. government. They argue that privacy is a new class of rights that cannot be properly protected by existing law. Partially because the point about ownership of data (above) has never been fully resolved. Since then, various lawyers have argued both for and against a distinct right to privacy. This is a little harder to apply to current events but does suggest long-term implications for privacy as the approach to one or the other principle gets refined over time. I talk about this a little in my paper on organizations requesting social media passwords from job candidates. That case was interesting because there are four groups of people to consider and the rights of each – the hiring organization, the job candidate, the social media platform, and the friends of the job candidate.
Personal information security versus Public physical security
The San Bernardino Apple vs. FBI case highlights the complexity of this issue. The FBI argues that for them to perform their jobs of securing the public, they must be able to gain access to restricted areas in times of a criminal investigation. They have always been able to get warrants to enter locked buildings before. They should get access to locked phones as well. Apple on the other hand argued that information security is a different beast than physical security, that introducing a hole or backdoor into information systems destroys the notion of information security. To add to the complexity, I argue that forcing someone to write the code is the same as forced speech, a notion that’s opposite of our constitutional protections.
Implications for Privacy
Addressing these four issues has important implications for business and society. I don’t claim to have all the answers, but I believe finding the answers is necessary for better understanding and protecting privacy. I’m tempted to write a research article articulating each of these in more detail and exploring what implications for each of them might mean for our future.