Privacy as a knowledge management issue

Once in a while, the news shows us yet another issue with privacy.

The current status of data privacy

Last year I was planning to do a review of the privacy legislation across the European Union, to update a study that I did six years ago to help a partner develop a privacy service in Italy, and then to review data management practices in a few projects that I had to manage on behalf of a partner in the public sector.

Years ago, to enforce privacy, it became compulsory to file, along with the balance sheet, what is called the “Documento Programmatico per la Sicurezza” (DPS), a kind of company-wide operational manual on privacy.

The document requires explicitly stating who is deputized to carry out the measures (accountability still stays with those who are responsible for data privacy within the organization).

Eventually, after monitoring the discussion about privacy issues in online social networks and other online/offline collectors of private data, I decided that producing a review of the implementation of the Data Privacy directive would be a waste of time.

The 2000s were generally unkind toward data privacy, as 9/11 and the ensuing “security awareness” chipped at the data privacy wall bit by bit.

Sometimes, by accident. Sometimes, by design. But always with the same result: finding yet another rhetorical twist-and-shake to justify how the new reduction of privacy would enhance privacy.

The net result was the adoption of some Orwellian Newspeak, such as calling a bill that actually removes data privacy a “data privacy” law.

Yesterday I received the latest issue of the IEEE Technology and Society Magazine (it focuses on the social implications of technology), and this issue is focused on “Surveillance and überveillance”, i.e. the extended and often unjustified pervasive collection and diffusion of private data, and the new wave of added sensors (from the RFID on your papers and clothes to the swallowable tracing chip already used by some clubs for VIP access and virtual cash purposes).

The magazine contains an overview of trends across different jurisdictions, and of how a simple side-effect is taken for granted: citizens expect to be “covered” by their own privacy laws also when they travel abroad, when this is not actually the case.

This was already present in the discussions after the Patriot Act, about the disclosure of information that could allow permanent monitoring of EU citizens after they travel to the US, by requiring that they disclose bank account numbers, credit card numbers, and other personal information; online activities are just an extension.

My position and experience on data privacy is quite simple: no individual still has the ability that (s)he was supposed to have in the 1990s.

The only way to save it (or, at least, data confidentiality)?

Split data collection, storage, and processing from data use.

Data privacy and data confidentiality

What is the difference between data privacy and data confidentiality?

The simplest (but slightly simplistic) definitions are:

- data privacy is your right to decide which data you disclose
- data confidentiality is your right to decide what is done with the data that you disclose.

I have worked since the late 1980s in the banking industry, or on producing reporting on the management/financial/controlling side of non-banking companies.

Well before the data privacy directive, it had been a common understanding that keeping customers’ information confidential is a basic requirement to ensure the viability of the business model.

You use the data for the purpose that has been agreed with the customer when the customer provided the data to you.

If you fail to keep the data that you receive confidential, you will start getting less and less data, and therefore you will lose information that could actually help you make your own business decisions.

As a customer, I remember hearing in a bank in London that a foreign customer had been told that, in order to receive a credit card, the bank needed to receive some financial information about her positions held abroad.

The customer did not want to disclose information that she considered irrelevant to the relationship that she wanted to have with the bank, and therefore kept just the debit card, and received the credit card later on, when the bank saw that the flow through her new account justified issuing the credit card.

For various reasons, confidentiality has been slowly weakened, first to manage credit-related risk, then to avoid money laundering, and finally to help identify potential sources of financing for terrorists and other illegal activities.

Still, a basic mantra that I was taught on the first day of my first banking project was: having the data available does not imply using the data, unless you need it for what you are doing.

Moving to the XXI century: while everybody is concerned about the unwanted disclosure of private data (e.g. the movie rentals of a candidate for the US Supreme Court), the quantity and quality of information that we willingly disclose every day is staggering.

I have worked in many industries, at first on controlling/accounting and decision support systems, then on management reporting, some operational issues, and business intelligence/data warehousing (if you do not know what that means: number crunching, first to help make decisions, then to manage activities).

What always puzzled me is the uni-dimensional approach to data confidentiality (as distinct from data privacy) that is presented by the current privacy laws (and discussions).

Each industry has unique ways to collect, store, and process data about its customers, ranging from just collecting, to using the data for predictive behavioural analysis (a.k.a. using data as tea leaves to guess how to extend the loyalty of your customer while increasing your business).

Evolving privacy statutes

While the first data privacy statutes were based on general principles, by gradually playing “gotcha” with new potential issues we slowly shifted to a technology-oriented approach.

I have been officially working in ICT since 1986 (actually I did some work before that), and every few years I have seen a new “trend”.

My approach to technology is that any software, equipment, process should have a business purpose.

If the business purpose is not there, or it is removed (things do change), then you should either refrain from using the process or technology, or phase out what is not needed anymore.

If you want: data privacy started as a top-down decision (a kind of bill of rights), and ended up being managed bottom-up, by piling up ponderous studies on each new detail.

Besides the data privacy professionals (on both sides of the line), who is able to follow all the details, nuances, and continuous updates?

Even some professionals are caught off guard by the constant stream of announcements and studies.

Regulating data privacy is becoming a law-making process covering every industry and every activity.

A Sisyphean task: as soon as you release new updates or decisions, something new happens.

But instead of reinventing the wheel, there is another industry that has been there for a long time (since libraries existed), and that adapted quite well to the XXI century, with a proactive approach: knowledge management.

If you think about it: each individual has a certain set of data (what they do, what they like/dislike, what they think, what they are planning/willing to do, and so on).

The way behavioural analysis has been applied by various industries (security is a latecomer to the game; supermarkets were much better at data mining for decades) implies that your ordinary relationship with each supplier is a kind of disclosure, both of data and of potential data.

What most behavioural models forget is that, while it is true that given the same conditions there is a potential consequence, i.e. that a certain behaviour will be adopted by an individual, we individuals behave as social animals.

For example: somebody could say “I would like to punch you in the face”, but they never do.

Why? Because there is a difference between thinking, feeling, and acting on those thoughts and feelings.

In most articles and material/discussions about using software to predict the behaviour of individuals, what I saw was an oversimplification of the potential external mitigating or influencing factors.

Managing knowledge

I believe that data privacy has been removed from the table by our use of electronic systems, ranging from plastic instead of cash to online social networking, and its “permanent memory” status.

Whatever is done electronically is out there somewhere (even if originally it started as a physical activity).

Did you tweet your frustration during a meeting, as you would have done five years ago around the water cooler?

Sorry, your grandchildren will probably be able to read it.

FourSquare and a few other services are now offering the reverse: anybody can comment on any business they visit, and share that with anybody visiting the location.

If you want: a pervasive, mutual data exchange: it is not just companies collecting private data, it is also individuals having access to systems that collect, store, process individuals’ and businesses’ data.

When this data collection was available only for large organizations, it was easier for regulators to set out rules and advise large businesses to behave, either through industry associations, or through formal and informal channels.

The Italian DPS approach was, de facto, a surrender: it is practically impossible to oversee and regulate the data privacy practices of every business, in a country where most businesses are tiny.

Therefore, data privacy became an addendum to the balance sheet, and the enforcement task was outsourced to the tax police, who would in any case have to monitor every business.

The new technologies remove even that possibility, as anybody can set up a website in any jurisdiction and attract users from all around the world: and we still lack a global enforcement agency with the resources and manpower required (to say nothing of common rules to enforce).

Let’s say that tomorrow in Belgium some companies (as some clubs do around Europe) allow easier access to their services if you have a chip: what would stop others from scanning people passing by to see if they have a chip, transmitting the chip identification to a central database, and then sharing it on the Internet?

If it sounds fanciful: when you open your gmail mailbox and then switch to google to search while still logged into your mailbox, your searches can potentially be linked to your gmail account, allowing the “targeting” of product and service offers to be extended further.

And what if you start posting your DNA to one of the commercial websites (a few hundred dollars, and the promise to keep you posted whenever there is a new discovery that could affect you, creating a market of hypochondriacs :D )?

Then add your google profile, and you also have the possibility of stating which interests could be discouraged considering the potential risks coming from your DNA (I stress “potential”: the DNA is a blueprint, not a route plan).

The issue is, again: setting common rules on knowledge management.

Setting common rules

The first issue is jurisdiction: as happened in other industries, some states could see a market opportunity in creating legislation that enables the most blatant misuse of data (I saw free online games aimed at elementary school kids that once in a while asked for marketing data about the family: it is illegal!).

While waiting for the Internet 2.0, and its traceability of any individual connection and any individual data exchange, the Internet is a de facto global jurisdiction.

And any database can be connected to the Internet, allowing “regulatory shopping”, e.g. by giving access to services that require waiving some rights to privacy, or allowing the data to be transferred to a jurisdiction that does not follow the “safe harbor principles” on data privacy.

For the time being, the basic issue is considering our current reality:
- whether you want it or not, wherever you go and whatever you do, you leave a trace behind
- since the early 2000s, we shifted from a few to potentially infinite data privacy hotspots
- technology is becoming more and more data-intensive, and IPv6 creates further data producers
- no individual living in a developed country is currently able to control his or her data privacy.

A common framework could be to embed safeguards into the technology, akin to the “class label” adopted for laser pointers and other potentially damaging sources of light.

The idea is to move from regulating the devices to regulating the use of the information that will be collected anyway, whatever the device, by “tagging” the collected information with a “usage policy”.

A 2005 EU document quoted in the IEEE Technology and Society issue mentioned above contains a series of “Fundamental Ethical Principles” (pp. 19 and following).

The concept would be to join those principles with a taxonomy of data usage categories, and then require each new data-collecting device to be classified.

If it seems too intrusive: the industry already had to do something similar for RFID tags, and the banking industry has long had the Bank for International Settlements in Basel playing a role in ensuring common rules (e.g. in anti-money laundering or risk management).

It is true that extending the concept to data confidentiality (considering that data privacy is virtually impossible) would require something more focused on a cross-industry consensus, and then the category or categories assigned should be linked to the information collected within each database.

Any data request or data exchange would then be allowed only between compatible categories.

The compatibility definition itself would need to be agreed (e.g. is marketing for new medicaments for a specific ailment compatible with data collected for medical uses from chronic patients?).

Bona fide traders would actually see their market share boosted, as any violator would be automatically denied access.
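As an added illustration (my own example, not code from the original post) of the tagging scheme sketched above: each record carries the usage categories agreed at collection time, a request names its purpose, and data is released only from records whose tags are compatible with that purpose, with every decision logged so violators can be identified. The category names, the compatibility table and the sample records are assumptions; the post only proposes that such a taxonomy should exist.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Usage-category taxonomy: an assumption for this example. The post proposes
# that a cross-industry taxonomy be agreed; it does not define one.
# Maps a requested purpose to the collection purposes it may draw data from.
COMPATIBLE: Dict[str, FrozenSet[str]] = {
    "medical-treatment": frozenset({"medical-treatment"}),
    "medical-research":  frozenset({"medical-research"}),
    "service-delivery":  frozenset({"service-delivery"}),
    # marketing may only use data the subject explicitly tagged for it
    "marketing":         frozenset({"marketing"}),
}

@dataclass(frozen=True)
class TaggedRecord:
    subject: str
    payload: str
    collected_for: FrozenSet[str]   # usage policy attached at collection time

def exchange_allowed(record: TaggedRecord, purpose: str) -> bool:
    """Compatible only if at least one tag on the record is among the
    collection purposes the requested purpose may draw from. An unknown
    purpose maps to the empty set and is therefore denied."""
    return bool(record.collected_for & COMPATIBLE.get(purpose, frozenset()))

def request_data(records: List[TaggedRecord], purpose: str,
                 audit: List[Tuple[str, str, bool]]) -> List[TaggedRecord]:
    """Release only compatible records; log every decision, allowed or not."""
    released = []
    for rec in records:
        ok = exchange_allowed(rec, purpose)
        audit.append((rec.subject, purpose, ok))
        if ok:
            released.append(rec)
    return released

# Constructed sample data: two chronic patients whose data was collected for
# treatment only, and a telecom customer who opted into marketing for free SMS.
SAMPLE_RECORDS = [
    TaggedRecord("patient-1", "chronic condition X", frozenset({"medical-treatment"})),
    TaggedRecord("patient-2", "chronic condition Y", frozenset({"medical-treatment"})),
    TaggedRecord("telecom-customer-1", "call profile", frozenset({"service-delivery", "marketing"})),
]

if __name__ == "__main__":
    log: List[Tuple[str, str, bool]] = []
    # marketing new medicaments to chronic patients is denied; the opted-in customer is released
    print([r.subject for r in request_data(SAMPLE_RECORDS, "marketing", log)])
    print(log)
```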

And, at last, we would create an information market, as it would be relatively easy to see what the value of the information is across jurisdictions, industries, categories, and demographics.

Why not? The added market transparency and confidentiality structure could actually allow the creation of a “win-win” scheme, by attaching a value to the information provided by each customer.

Again: it has already been done by some telecom companies, with some customers accepting to provide information and become a “target” for marketers, in exchange for free services, ranging from SMS to free calls, gadgets, and so on.
