Wednesday, March 15, 2006

Schneier on privacy

Bruce Schneier has an essay on the future of privacy in his latest crypto-gram.

"The pervasiveness of computers has resulted in the almost constant
surveillance of everyone, with profound implications for our society
and our freedoms. Corporations and the police are both using this new
trove of surveillance data. We as a society need to understand the
technological trends and discuss their implications. If we ignore the
problem and leave it to the "market," we'll all find that we have
almost no privacy left...

Computers are involved more and
more in our transactions, and data are byproducts of these
transactions. As computer memory becomes cheaper, more and more of
these electronic footprints are being saved. And as processing becomes
cheaper, more and more of it is being cross-indexed and correlated, and
then used for secondary purposes.

Information about us has value. It has value to the police, but it also
has value to corporations. The Justice Department wants details of
Google searches, so they can look for patterns that might help find
child pornographers. Google uses that same data so it can deliver
context-sensitive advertising messages. The city of Baltimore uses
aerial photography to surveil every house, looking for building permit

In a sense, we're living in a unique time in history. Identification
checks are common, but they still require us to whip out our ID. Soon
it'll happen automatically, either through an RFID chip in our wallet
or face-recognition from cameras. And those cameras, now visible, will
shrink to the point where we won't even see them.

We're never going to stop the march of technology, but we can enact
legislation to protect our privacy: comprehensive laws regulating what
can be done with personal information about us, and more privacy
protection from the police. Today, personal information about you is
not yours; it's owned by the collector. There are laws protecting
specific pieces of personal data -- videotape rental records, health
care information -- but nothing like the broad privacy protection laws
you find in European countries. That's really the only solution;
leaving the market to sort this out will result in even more invasive
wholesale surveillance.

Most of us are happy to give out personal information in exchange for
specific services. What we object to is the surreptitious collection of
personal information, and the secondary use of information once it's
collected: the buying and selling of our information behind our back.

In some ways, this tidal wave of data is the pollution problem of the
information age. All information processes produce it. If we ignore the
problem, it will stay around forever. And the only way to successfully
deal with it is to pass laws regulating its generation, use and
eventual disposal."

Libertarian free marketeers won't like his conclusions but they're sound, if not sufficient. The kind of privacy regulations we have in Europe are regularly undermined by governments and commerce ignoring, regulating around (e.g. in the name of national security) and exploiting loopholes you could drive a horse and cart through (there are huge loopholes in Europrivacy regulation). Remember the EU has agreed that airlines should be forced to routinely hand over passenger data to the US authorities, arguably in breach of EU laws, yet there are no similar requirements on airlines in the US to do likewise. Yes I know some of them have been doing so voluntarily as part of the testing programs for CAPPSII and Secure Flight. I'm just saying regulation, particularly of the Swiss cheese variety, is not a panacea on its own.

In addition to having sound privacy laws, we have to ensure they are rigorously enforced (Dr Larry Brilliant's "early detection, early response" mantra applies to privacy too) and also supported by sound privacy enhancing technologies and network architectures that smart folks like Kim Cameron and Stefan Brands have been contemplating for some time. In addition further social and cultural awareness of the digital personas we create and deposit in so many different places and ways is needed, as well as an understanding of the value of that personal data both to ourselves and the organisations who collect, manipulate, analyse, use, buy and sell it.

No comments: