Photo data as crude oil
It's been said that "data is the new oil". The immense stores of Personal Information gifted to Facebook, Google et al by their users are like crude oil reserves: raw material to be tapped, refined, processed and value-added. I'm especially interested in photo data, and the rapid evolution of tools for monetising it. These tools range from embedded metadata in the uploaded photos, through to increasingly sophisticated object recognition and facial recognition algorithms.
Image analysis can extract place names and product names from photos, and recognise objects. It can re-identify faces using biometric templates that users have helpfully created by tagging their friends in entirely unrelated images. Image analysis lets social media companies work out what you're doing, when and where, and who you're doing it with. If Facebook can work out from a photo that you're enjoying a coffee at a recognisable retail outlet, they don't need you to expressly "Like" it. Nor do you have to actively check in to the cafe when most phones tag their photos with geolocation data. Instead, Facebook will automatically file away another little bit of Personal Information, to be melded into the amazingly rich picture they're relentlessly building up.
The ability to extract value from photo data defines a new black-gold rush. Like petroleum engineering, Image Analysis is high tech stuff. There is extraordinary R&D going on in face recognition and object recognition, and the "infomopolies" like Apple, Google and Facebook pay big bucks for IP and startups in this space.
I think there is only one way to look at Facebook's acquisition of Instagram. With 250 million new pictures being added every day, Instagram is like an undeveloped crude oil field. As such, a billion dollars seems like a bargain.
So Facebook's core business isn't all of a sudden photo sharing. It always was and always will be PI refining:


Posted in Social Media, Privacy
A penny for your marketable thoughts?
Most people think that Apple's Siri is the coolest thing they've ever seen on a smart phone. It certainly is a milestone in practical human-machine interfaces, and will be widely copied. The combination of deep search plus natural language processing (NLP) plus voice recognition is dynamite.
And Siri also marks a new milestone in privacy invasion. I predict Siri will become the poster girl for PII piracy, the exemplar of the sly bargain for Personal Information at the heart of most social media.
If you haven't had the pleasure ... Siri is a wondrous new function built into the latest iPhone. It’s the state-of-the-art in artificial intelligence and NLP. You speak directly to Siri, ask her questions (yes, she's female) and tell her what to do with many of your other apps. Siri integrates with mail, text messaging, maps, search, weather, calendar and so on. Ask her "Will I need an umbrella in the morning?" and she'll look up the weather for you – after checking your calendar to see what city you’ll be in tomorrow. It's amazing.
Natural Language Processing is a fabulous idea of course. It radically improves the usability of smart phones, and even their safety with much improved hands-free operation.
An important technical detail is that NLP is very demanding on computing power. In fact it's beyond the capability of today's smart phones, even if each of them alone is more powerful than all of NASA's computers in 1969! So all Siri's hard work is actually done on Apple's mainframe computers scattered around the planet. That is, all your interactions with Siri are sent into the cloud.
Imagine Siri was a human personal assistant. Imagine she's looking after your diary, placing calls for you, booking meetings, planning your travel, taking dictation, sending emails and text messages for you, reminding you of your appointments, even your significant other’s birthday. She's getting to know you all the while, learning your habits, your preferences, your personal and work-a-day networks.
And she's free!
Now, wouldn't the offer of a free human PA strike you as too good to be true?
Indeed it would. So realise this about Siri: she's continuously reporting back to Apple about your every move. If Apple were a PA placement agency, what they get in return for the free secretarial services is a full transcript of all you've said, everyone you've been in touch with, everything you've done. Apple won't say what they plan to do with all this data, how long they'll keep it, nor who they'll share it with. Apple's Privacy Policy (dated October 2011, accessed 12 March 2012) doesn't even mention Siri nor the collection of the voice-to-text data.
When you dictate your mails and text messages to Siri, you’re providing Apple with content that's usually off limits to carriers, phone companies and ISPs. Siri is an end run around telecommunications intercept laws.
Of course there are many, many examples of where free social media apps mask a commercial bargain. Face recognition is the classic case. It was first made available on photo sharing sites as a neat way to organise one’s albums, but then Facebook went further by inviting photo tags from users and then automatically identifying people in other photos on others' pages. What's happening behind the scenes is that Facebook is running its face recognition templates over the billions of photos in their databases (which were originally uploaded for personal use long before face recognition was deployed). Given their business model and their track record, we can be certain that Facebook is using face recognition to identify everyone they possibly can, and thence work out fresh associations between countless people and situations accidentally caught on camera. Combine this with image processing and visual search technology (like Google's "Goggles") and the big social media companies have an incredible new eye in the sky. They can work out what we're doing, when, where and with whom. Nobody will need to expressly "like" anything anymore when Facebook can see what cars we're driving, what brands we're wearing, where we spend our vacations, what we're eating, what makes us laugh. Apple, Facebook and others have understandably invested hundreds of millions of dollars in image recognition start-ups and intellectual property; with these tools they convert the hitherto anonymous image collections in Picasa, Flickr and the like into content-addressable PII gold mines. It's the next frontier of Big Data.
Now, there wouldn't be much wrong with these sorts of arrangements if the social media corporations were up-front about them. In their Privacy Policies they should detail what Personal Information they are extracting and collecting from all the voice and image data; they should explain why they collect this information, what they plan to do with it, how long they will retain it, and how they promise to limit secondary usage. They should explain that biometrics technology allows them to generate brand new PII out of members' snapshots and utterances. And they should acknowledge that by rendering data identifiable, they become accountable in many places under privacy and data protection laws for its safekeeping as PII. It's just not good enough to vaguely reserve their rights to "use personal information to help us develop, deliver, and improve our products, services, content, and advertising". They should treat their customers -- and all those innocents about whom they collect PII indirectly -- with proper respect, and stop pretending that 'service improvement' is what they're up to.
Siri along with face recognition heralds a radical new type of privatised surveillance, and on a breathtaking scale. While Facebook stealthily "x-rays" photo albums without consent, Apple now has even more intimate access to our daily routines and personal habits. And they don’t even pay as much as a penny for our thoughts.
As cool as Siri may be, I myself will decline to use any natural language processing while the software runs in the cloud, and while the service providers refuse to restrain their use of my voice data. I'll wait for NLP to be done on my device with my data kept private.
And I'd happily pay cold hard cash for that kind of app, instead of having an infomopoly embed itself in my personal affairs.
Posted in Social Networking, Social Media, Privacy, Language, Biometrics
What stops Target telling you're pregnant?
Question: What stops Target from telling that you're pregnant?
Answer: In many parts of the world, the law!
The recent New York Times feature How Companies Learn Your Secrets has caused a helluva stir. Investigative reporter Charles Duhigg details conversations he had with data analysts and statisticians about what marketing gold they can divine from shoppers' buying habits ... and how one department store then seemed to shut down the dialogue.
The case in point was pregnancy. Duhigg and his contacts looked into the enormous business potential for retailers if they could work out from what they're buying that individual customers were pregnant. One analyst said "We knew that if we could identify them in their second trimester, there’s a good chance we could capture them for years".
Department store insiders admitted to developing and testing a "pregnancy prediction" score, but they seemed to duck the question of whether the stores actually use these tools. A year after Duhigg's first inquiries, though, Target got into trouble for direct marketing new baby products to a teenager -- before she'd told her parents she was pregnant.
This is pretty heady stuff, at the leading edge of "big data" analytics, bringing into sharp relief the boundless commercial value of what big corporations know about us.
What kind of problem is this?
Duhigg's work ends on a note of resignation, and I get the impression from scanning blog posts on this matter that many people -- especially in the largely unregulated United States -- are feeling powerless to do anything about this.
Yet I take heart from existing privacy law. In places like Australia with OECD-based data protection legislation, it's pretty clear to anyone who actually reads the rules that for a department store here to work out and record that someone is pregnant is likely to be unlawful.
A look at how Australia regulates privacy
At state and federal level, Australia has several privacy acts and health records acts. For our purposes here, they are all much the same. And I repeat that the following analysis is likely to have parallels in many other countries. I will use the Victorian Health Records Act 2001 (the "Act") as a model; underlining in the quoted passages is added by me for emphasis.
Personal Information is defined in the Act as:
information or an opinion (including information or an opinion
forming part of a database), whether true or not, and whether
recorded in a material form or not, about an individual whose
identity is apparent, or can reasonably be ascertained
from the information or opinion
At this point, note that the definition is broad and unqualified by such matters as data ownership. In the Australian legal system, privacy rights attach to any information whatsoever that pertains to an identifiable individual, whether that information is explicitly collected from the person, or generated within some lights-out big data analytics engine.
Health Information is defined as, amongst other things:
(i) the physical, mental or psychological health
(at any time) of an individual; or
(ii) a disability (at any time) of an individual; or
(iii) an individual's expressed wishes about the
future provision of health services to him or her
The cornerstones of privacy in OECD-style data protection systems are Collection Limitation and Use Limitation. Here are the opening clauses of Victoria's Health Privacy Principle HPP 1 - Collection:
1.1 When health information may be collected
An organisation must not collect health information about an
individual unless the information is necessary for one or more
of its functions or activities and at least one of the following
applies —
(a) the individual has consented;
(b) the collection is required, authorised or permitted,
whether expressly or impliedly, by or under law;
(c) the information is necessary to provide a health service ...
Note that consent is required in advance of collecting health information, whereas in the case of regular Personal Information, organisations have more latitude to give notice of collection after the fact.
And here are the opening clauses of Health Privacy Principle HPP 2 - Use & Disclosure:
2.1 An organisation may use or disclose health information about
an individual for the primary purpose for which the information was
collected in accordance with HPP 1.1.
2.2 An organisation must not use or disclose health information about
an individual for a purpose (the secondary purpose) other than the
primary purpose for which the information was collected unless
at least one of the following paragraphs applies —
(a) both of the following apply—
(i) the secondary purpose is directly related to the primary purpose; and
(ii) the individual would reasonably expect the organisation to use or
disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure ...
HPP 1 goes on to prescribe how individuals should be kept informed about the collection of health information about them:
How health information is to be collected
1.4 At or before the time (or, if that is not practicable,
as soon as practicable thereafter) an organisation collects
health information about an individual from the individual,
the organisation must take steps that are reasonable in the
circumstances to ensure that the individual is generally aware of—
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the
information; and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to which)
the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be
collected; and
(f) the main consequences (if any) for the individual if all or
part of the information is not provided.
1.5 If an organisation collects health information about an
individual from someone else, it must take any steps that are
reasonable in the circumstances to ensure that the individual
is or has been made aware of the matters listed in HPP 1.4 except
to the extent that making the individual aware of the matters
would pose a serious threat to the life or health of any
individual or would involve the disclosure of information
given in confidence.
Conclusion: Don't give up on privacy!
On my reading of the Act, we can be sure of the following:
- If a department store mines its data on shopping habits, determines that a named woman is likely to be pregnant, and records that prediction in a database, then the store will have collected health information about her and is subject to health privacy legislation in several states (as well as the Sensitive Personal Information clauses of Australia's federal privacy law).
- If the department store has not obtained the customer's consent to having the state of her pregnancy being determined, then the store will have breached HPP 1.1.
- If the store uses information originally collected from customers to monitor their shopping habits to generate new information predicting their pregnancies, then it will have breached HPP 2.2.
- If the store has not informed the woman that they have predicted she is pregnant, then it will have breached HPP 1.5.
Many commentators fear that the march of technology outpaces the law, but I for one am more optimistic. For the most part, it seems our current information privacy law actually copes well with the sorts of business activities we find so intuitively offensive. I am not a lawyer, but it looks clearly unlawful to me if a department store in Australia purposefully works out that its customers are pregnant. Technically, just recording that prediction, even without acting upon it, probably counts as a Collection of health information, and as such it needs the consent of the customer.
The same legal principles apply -- with even more force -- in Europe. It remains to be seen whether information privacy can be better regulated in the US through the FIPPs or other mechanisms.
Posted in Privacy
Information companies and the Use Limitation Principle
Google has copped a lot of flak over its move to join up all services with the cover story that it's simply rationalising its privacy policies. Amongst those defending Google is another information company, Bloomberg. In this post, I want to draw attention to details of Australian privacy law that Bloomberg is oblivious to. Other jurisdictions with OECD based data protection legislation (and that's a lot of the world) may present the same challenge to Google's and Bloomberg's simplistic view of privacy. Let's take a closer look.
In an editorial on March 1, Bloomberg positively thrilled to an alleged over-reaction of privacy advocates:
You’d think Google had announced it would start collecting terabytes of data about you, your neighbor and your dog, if he’s ever online.
Then Bloomberg's editors asserted:
You’d be wrong: Google already does that. Google is not collecting any new information; rather, it is sharing (with itself) more of the information it already has [emphasis added].
But it is Bloomberg that's wrong.
The Use Limitation principle holds that custodians of Personal Information should not put that PI to secondary uses unrelated to the primary purpose for which it was collected. Nobody using Blogger or YouTube, for instance, over the years could have foreseen that one day their posts and videos would be mashed up with Google's boundless data mines and put to any old commercial purpose Google sees fit.
Use Limitation is really basic. One cannot really believe Google doesn't get it; their ambit claim that what they're doing is good for privacy because now there's a single simple privacy policy just doesn't pass muster.
But in Australia, the situation for the big infomopolies is potentially even more restrictive, with recent legally enforceable interpretations of the Use Limitation principle expressly nullifying the presumption that 'sharing information with itself' is ok for heterogeneous organisations.
The Privacy Commissioner for the State of Victoria has advised that "entities within the Victorian public sector should not assume that, because one part of the organisation collected some personal information, this can be disclosed to any other part of the organisation without regard for [the Use & Disclosure Principle]". Ref: Guidelines to the Information Privacy Principles, Office of the Victorian Privacy Commissioner, Edition 3, November 2011.
This advice derives from a tribunal ruling elsewhere in Australia, which I discussed at length in another blog post: http://lockstep.com.au/blog/2011/09/04/the-ultimate-opt-out. In that case, patient information collected by a counsellor in a hospital was shared without the patient's consent with another specialist, and the patient's rights were ruled to have been violated.
The relevance of these matters in the current discussion about Google amalgamating services is that the Australian legal system has taken a conservative view of what it means to share personal information within large organisations. Technically, the ruling is that individuals have the right to be informed about internal disclosures, and they may have the right to withdraw their consent.
Let's remember that Australian law is not as strict as that of European states like Germany, and is not enforced as energetically. With OECD principles forming the basis for all these sorts of data protection regulations, I suspect that European states will reach the same conclusions, that Google is not in fact entirely free to share information 'with itself'.
Case law around OECD Privacy Principles is clearly fluid. Big infomopolies need to take more care not to presume what the law actually says.
But let's be less legalistic about this, and instead make this appeal to Google: If you truly have the interests of customers at heart, then please heed civil rights, reconsider how people expect their treasured private information to be handled, and try not to take their online permissiveness for granted.
Posted in Social Media, Privacy
More evidence of the gap between tech and policy
After the scandal broke of how the iPhone app "Path" was accessing users' address books and transmitting them back to base, many in the developer community said they thought this was pretty common. The good folks over at Veracode decided to check, so they built another app that simply scans all code on your device for signs that the address book is being accessed. Believe it or not, the Apple operating system has a standard call, available to every app, called "ABAddressBookCopyArrayOfAllPeople".
Mark Kriegsman at Veracode blogged about their results :
Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come as a surprise to anyone who’s been following mobile development or security research for mobile platforms (emphasis added).
This is terrific work.
Despite the Veracode team's reaction, I'm sure most of the public — even the technologically informed public — would indeed be very surprised to know any old app can freely access their contact lists. If developers are not surprised, perhaps they look at privacy differently?
What probably will surprise many technologists is that under black letter privacy law in Australia, Europe and elsewhere, it would be an offence for the company deploying the app to access contact information on a phone without a good reason and/or user consent (let alone to do it without any notice at all as was the case with Path). As Kriegsman writes in the Veracode article, it’s hard to imagine why many of these apps have any cause to call ABAddressBookCopyArrayOfAllPeople.
Developers sometimes seem to think that if information is accessible to them, then it’s fair game for re-use or innocent "research". The classic example was the collection of wifi transmissions by Google Street View cars. Many said at the time that if data is in the “public domain” then it’s free to be collected and used. And they were very surprised indeed to learn that their presumption is simply wrong at law. Many privacy laws are generally blind to where Personally Identifiable Information is collected. If information is identifiable, and if you have no business collecting it, then you’re not allowed to. It’s black and white.
Posted in Social Networking, Privacy
Trade PI not privacy
Yet another headline crossed my desk this morning reinforcing the orthodoxy that privacy is willingly compromised in return for some reward. This time it's "Many online consumers would trade privacy for discounts" [Internet Retailer, Dec 9].
Try Googling "trade privacy for" (with the quote marks). I got 181,000 hits! Amongst other things, people are said to trade their "privacy" for convenience, security, safety, cheaper loans and free phones.
There's a category error here. And sloppy language belies sloppy thinking.
Increasingly what consumers are doing is trading their Personal Information for a gain of some sort, but not necessarily their privacy. Information privacy is a state where third parties that hold information about you respect that information, undertaking to not know more about you than they need, and to not re-use Personal Information arbitrarily.
We can and should preserve privacy when trading off Personal Information for mercantile benefits. There is no inherent problem in bargaining your PI with others who happen to value it, but to preserve privacy in these transactions, what we need from retailers et al is greater visibility of what they intend to do with the PI they collect, and more sophisticated tools so consumers can fully comprehend what's going on. And we need greater precision in the way we talk about privacy. Let's be clear: there can and should be a fair trade in Personal Information, but not in privacy.
In contrast, the Advanced Persistent privacy breach committed by Facebook and the like is that they harvest vast amounts of PI, without committing themselves to any Use Limitation, and without even telling their users what they're up to. For example, Facebook's privacy policy is silent on what they do with facial recognition in the background and with biometric templates; Apple's says nothing about how they use all the text messages and dictations harvested via Siri. These infomopolies make inordinate amounts of money on the back of PI collected without acknowledging its true value. That's the unfair bargain at the heart of most social media.
Strippers are better off than Facebook users
Journalist Farhad Manjoo at Slate recently lampooned the privacy interests of Facebook users, quipping sarcastically that "the very idea of making Facebook a more private place borders on the oxymoronic, a bit like expecting modesty at a strip club". Funny.
A stripper might seem the archetype of promiscuity but she has a great deal of control over what's going on. There are strict limits to what she does and moreover, what others including the club are allowed to do to her. Strip club customers are banned from taking photos and exploiting the actors' exuberance, and only the most unscrupulous club would itself take advantage of the show for secondary purposes.
Facebook offers no such protection to their own members.
While people do need to be prudent on the Internet, the real privacy problem with Facebook is not the promiscuity of some of its members, but the blatant and boundless way that it pirates personal information. Regardless of the privacy settings, Facebook reserves all rights to do anything it likes with PI, behind the backs of even its most reserved users. That is the fundamental and persistent privacy breach. It's obscene.
Update 5 Dec 2011
Farhad Manjoo took me to task on Twitter and the Slate site [though his comments at Slate have since disappeared] saying I misunderstood the strip club analogy. He said what he really meant was propriety, not modesty: visitors to strip clubs shouldn't expect propriety and Facebook users shouldn't expect privacy. But I don't see how refining the metaphor makes his point any clearer or, to be frank, any less odious. I haven't been to a lot of strip clubs, but I think that their patrons know pretty much what to expect. Facebook on the other hand is deceptive (and has been officially determined to be so by the FTC). Strip clubs are overt; Facebook is tricky.
Manjoo blames the victims, saying that if people want privacy they shouldn't use Facebook at all. The headline on his article says users are as much to blame for Facebook's privacy woes as Mark Zuckerberg. This is just tacit acceptance of a Wild West, everyone-for-themselves morality that runs through so much of the Internet. We should debate the difference between what is and what ought to be happening on the Internet, rather than accepting rampant piracy of PI and leaving hapless users to their own devices. The sorts of privacy intrusions that Facebook foists on its users are not intrinsic. Facebook doesn't have to construct biometric templates without the subjects' permission as soon as someone else tags them in photos, nor does it have to continuously run those biometric templates over third party photo data (probably uploaded for other reasons). Facebook could if it desired delete the biometric templates when users ask for tags to be removed, or at the very least alert users to what's going on in the background with photo tags. If photo tagging was just for the fun of the users, rather than commercial exploitation, Facebook would promise in its Privacy Policy not to put biometric templates to secondary purposes. But no, Facebook doesn't even mention these things in its Policy.
Some of us -- including both Manjoo and me -- have realised that everything Facebook does is calculated to extract commercial value from the Personal Information it collects and creates. But I don't belittle Facebook's users for falling for the trickery.
Posted in Social Networking, Social Media, Privacy, Internet, Culture
Technocrats' happy snaps
Once again, technologists confuse being in public with giving up one's right to privacy.
Today's Sydney Morning Herald reports on recent advances in automatic surveillance by facial recognition of people in public, especially airports. Now, I am not weighing into the public good argument; personally I would be delighted if this sort of technology thwarted terrorist plots. What worries me is the fundamental failure of technocrats to grasp privacy, and how this chronic blind spot biases their work.
The subject of the article, Professor Brian Lovell, is quoted as saying 'people did not have the right to privacy in places such as airports'.
It's vital to appreciate that the concept of being "in public" doesn't actually figure in Australia's Privacy Act. What matters in our privacy regime, and in the Information Privacy law of many countries, is Personal Information -- that is, any information about someone whose identity is readily apparent -- and how that information is collected, used, shared and managed.
Traditional surveillance tapes of people in public places are retained for some months, and if suspicion arises, they're pored over by cops on a mission. People caught on tape who are not of interest remain anonymous. But automatic facial recognition of digital imagery converts otherwise anonymous data into PI, in real time and en masse, without discriminating between suspects and everyone else. Identifiable information is then converted into profiles and intelligence and probably retained 'just in case' a good deal longer than video tapes. After all, disk space is cheap.
It's worrying that technocrats seem so often to have a very limited and self-selected understanding of information privacy (see some more analysis of this gap at Public yet still private). They're not well equipped to have the crucial public good debate if they don't get how their technology works to create vast drifts of Personal Information where previously there was none.
Posted in Security, Privacy, Biometrics
If Facebook were a government, there'd be riots
A repeated refrain of Facebook’s apologists is that privacy is dead. People are supposed to know that anything on the Internet is up for grabs. It’s digital apartheid: the new digital Brown Shirts say if you’re so precious about your privacy, just stay offline.
But socialising and privacy are hardly mutually exclusive; we don’t walk around in public with our names tattooed on our foreheads. Why can't we participate in these networks in a measured, controlled way without submitting to the operators' rampant X-Ray vision? And why can’t the apologists see how they’re sucked into generating the vast fortunes of Zuckerberg et al? There's nothing inevitable about trading off privacy for conviviality -- it's just more lucrative that way for the PI robber-barons.
The privacy dangers of Facebook are real and present and run so much deeper than the self-harm done by some peoples’ overly enthusiastic sharing. The privacy of millions in the mainstream of Facebook is imperilled. Facebook crowd-sources the identification and constant surveillance of its members. With facial recognition, Facebook is building up detailed pictures of what people do, when, where and with whom. I can be tagged without consent in a photo that was not taken by me, and not uploaded by me. The majority of photos in the cloud were not uploaded for this purpose. And look closely: When you remove a tag, Facebook does not remove the underlying biometric template, nor do they undertake to stop using the template that has been gifted to them by innocents who just think tagging their mates is kinda cool.
It’s not cool, it's insidious! And it’s rapaciously commercial like everything else they do. Facebook places no limitations whatsoever on the secondary uses it makes of the Personally Identifiable Information it's generating (which in itself is at odds with European and other privacy law, hence the lawsuits now underway in Germany).
You know, if a government was stealing into our photo albums, labelling people and profiling them, there would be riots.
Posted in Social Networking, Privacy, Biometrics
Despite the IdM hype, privacy and security remain uneasy bedfellows
The information security sub-specialisation of Digital Identity has spurred prodigious activity in the past decade, from academics, policy makers and IT vendors. We’ve seen new “Laws of Identity”, national identity strategies, numerous big industry consortia, many new technical standards for federating identities and exchanging interoperable “identity assertions”, and a flood of new products. All the while, enhanced privacy is held to be axiomatic in the new identity frameworks.
Yet despite all this, technologists’ views on privacy have been diverging, often dramatically. Data breaches by big information companies―whether accidental or slyly intended―seem to have only got worse. The responses of security professionals to cases like the collection of wifi data by Google Streetview cars have been muddle-headed, with many not seeing the problem at all. Social network operators like Facebook and Google have sought to re-cast societal norms, by banning nicknames and insisting that members use only their one “real” name. Facebook’s Mark Zuckerberg argues that those who use more than one name lack integrity.
Distressingly, at every level, security and privacy remain very uneasy bedfellows.
Technocrats give lip service to privacy. They skate over privacy principles, often presuming to know what privacy laws say without actually reading them. In their deeds and in their crazy talk, the Zuckerbergs and Schmidts of the world reveal grave misunderstandings about the topic. Of course it passes understanding that anyone listens to these guys on privacy when their multi-billion dollar fortunes are made on the back of pirating Personal Information.
And yet even well meaning technologists also seem to be on a different wavelength from privacy strategists. For instance, the architects of OpenID and grand plans like NSTIC try to deal with privacy and yet the claimed privacy benefits are problematic when looked at closely. Orthodox federated identity brings a host of privacy challenges that have not yet been properly canvassed (possibly because US privacy perspectives are especially “high tech” whereas in other jurisdictions, information privacy focuses on controlling the flow of personally identifiable information, which is often a surprisingly low tech business). I see immense privacy challenges in federated identity formulations, including:
- Many Identity Providers will be start-ups. Or existing enterprises setting up new business units to strike out into brand new cyber markets. Either way, in a spookily familiar action replay of Big PKI in the 1990s, these players will be aggregating vast amounts of Personal Information, making them honey pots for organised crime, and lucrative corporate takeover targets.
- The net amount of PI collected in the federated identity “metasystem” is larger than what is collected today.
- Federated Identity transforms time-honoured private bilateral transactions into complicated multi-lateral dealings, with excessive PI being collected where previously it was not needed.
- The new privacy constructs are highly technical and artificial. For instance, “Verified Anonymity” services work by collecting PI only to hide it from others.
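To make the second and third points concrete, here is an added example in Python (not code from the original post, and not any identity framework's own code) that models who ends up holding what in a bilateral login versus a federated one. The users, sites, timestamps and the identity provider name are all constructed for the example; the pairwise pseudonym is modelled as a truncated hash of user and site, standing in for the per-relying-party subject identifiers that OpenID Connect calls `subject_type: pairwise`.

```python
"""Constructed model: who learns what in bilateral vs federated logins.

Bilateral: each relying party (RP) authenticates its own users; only the
RP records the visit.  Federated: an identity provider (IdP) authenticates
the user for every RP, so every RP still keeps its record AND the IdP
accumulates a cross-site log that did not exist before.
"""
from collections import defaultdict
import hashlib

IDP = "idp.example"  # hypothetical identity provider name

# Constructed sample logins: (user, relying party, timestamp).
LOGINS = [
    ("alice", "bank.example", "2012-05-01T09:00"),
    ("alice", "pharmacy.example", "2012-05-01T12:30"),
    ("alice", "dating.example", "2012-05-02T21:15"),
    ("bob", "bank.example", "2012-05-01T10:05"),
    ("bob", "dating.example", "2012-05-03T19:40"),
]


def bilateral(logins):
    """Each RP keeps (user, time) for its own logins; nobody else sees them."""
    records = defaultdict(list)
    for user, rp, when in logins:
        records[rp].append((user, when))
    return dict(records)


def federated(logins, pairwise=False, idp=IDP):
    """Every RP keeps its record, and the IdP keeps (user, rp, time) for all.

    With pairwise=True the RP receives a per-RP pseudonym instead of the
    real username (modelled here as a truncated SHA-256 of user|rp).  Note
    the IdP's log is identical either way: pairwise identifiers protect
    the user from RPs colluding, not from the IdP.
    """
    records = defaultdict(list)
    for user, rp, when in logins:
        sub = user
        if pairwise:
            sub = hashlib.sha256(f"{user}|{rp}".encode()).hexdigest()[:12]
        records[rp].append((sub, when))
        # The new, previously non-existent PI: one row per login at the IdP.
        records[idp].append((user, rp, when))
    return dict(records)


def count_records(records):
    """Total PI rows held across all parties in the system."""
    return sum(len(rows) for rows in records.values())


def idp_profile(records, user, idp=IDP):
    """The set of sites the IdP alone can attribute to one person."""
    return sorted({rp for u, rp, _ in records.get(idp, []) if u == user})


def rps_can_correlate(records, rps):
    """Could the listed RPs, pooling their logs, link a common person?"""
    subjects = [{sub for sub, _ in records[rp]} for rp in rps]
    return bool(set.intersection(*subjects))


if __name__ == "__main__":
    for label, recs in (
        ("bilateral", bilateral(LOGINS)),
        ("federated", federated(LOGINS)),
        ("federated, pairwise", federated(LOGINS, pairwise=True)),
    ):
        print(f"{label:20s} rows={count_records(recs):2d} "
              f"IdP knows alice visited {idp_profile(recs, 'alice')} "
              f"bank+dating can correlate: "
              f"{rps_can_correlate(recs, ['bank.example', 'dating.example'])}")
```

Run stand-alone it prints the tallies for the three worlds. What it shows beyond the list above: the row count doubles the moment an IdP is interposed, and pairwise identifiers stop the bank and the dating site from matching their records but leave the IdP's cross-site profile of alice exactly as rich as before. That profile is the PI the bilateral world never generated.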
A re-think of security and privacy is urgently needed. Let’s recognise that digital identity is really a metaphor for the way we act in certain complex relationships. As such, “identity” is not an intrinsic characteristic at all but instead is an emergent property of the collection, use and disclosure of personal information in different contexts. It’s not the sort of stuff that demands fancy new theories, just a recognition that we deal with individuals in constrained ways in the real world, and we should continue to do so online. If we could just demystify digital identity a little, we should find it easier to marry information privacy and security.
Posted in Privacy, Identity, Federated Identity