Two weeks ago (before taking some vacation), I wrote a critique of Glenn Greenwald’s recent TED talk on the importance of privacy in which I accused him of pillorying a silly straw man argument instead of substantively considering the issue. Having had some time to reflect, I feel like it’s only fair for me to better articulate my own view on the actual question that I wish Greenwald had used his platform to address: how is privacy going to work in our modern, wired society, and what will it actually mean for us in practical terms?

In preparation for a speaking engagement I have coming up, I spent some time recently organizing my thoughts on these questions. Like everything else on this blog, they are a work in progress; but here’s a summary of what I’ve come up with so far. In short: individual privacy is certainly important, but not to the exclusion of other public interests as well.

I come at this issue from a somewhat unusual standpoint: I am not an activist or campaigner, as are the vast majority who seem to offer opinions on the issue. Nor do I come from a law enforcement or intelligence background. I’m very familiar with most of the technology at stake, given my job, but professionally I’m mostly focused on how businesses use data to improve results – not on public policy. Nevertheless, like most others in industry (and privacy activist) circles I know, I’m interested in building a society that’s just and fair for everyone.

What that society will look like, however, is of course highly controversial.

Anonymity’s days are numbered


There is a great deal of interest in anonymity within the privacy activist community. Anonymity is sometimes seen as a great equalizer, and an important tool to keep government watchdogs at bay. And indeed, in some places, it is. There are many brave activists in the world who rely on anonymizing tools to remain hidden from their authoritarian governments. By contrast, I sincerely doubt how much anonymity really matters to activists in liberal democracies in the West – much of the discussion on that topic now borders a little too close to conspiracy theory for my taste.

For the vast majority of us, real anonymity is increasingly an inconvenient chore. Taking advantage of most useful web and mobile services increasingly requires authentication of some kind. Blocking advertising requires special browser software and constant vigilance (while simultaneously undermining the web’s economic model, by the way). Opting completely out of web services that monetize data about user behavior is extremely difficult – you try living without any Google services at all, and let me know how it goes.

Meanwhile, the steady diffusion of mobile technology into every corner of our lives is eroding this veil of anonymity even more. While mobile devices have made our lives better and easier in innumerable ways, they have also made us trackable, and created a remarkably detailed record of our behavior. As Facebook, Google and (soon, I predict) Apple battle it out for third-party app login dominance, they are building centralized records of our behavior that will live forever. Just like the social network profiles that have become a de facto prerequisite for life in the 21st century.

These centralized profiles aren’t threats to the individual. Indeed, they’re actually very useful to him or her – which is why Google, Facebook or someone else has them in the first place. And more importantly, they’re now a fait accompli. There is no turning back now, which is why we must shift the discussion towards best practices for data use, not obsess about whether companies should keep individually identifiable data in the first place. That train has left the station, and consumers have generally made their choice.

Individual privacy and the public interest


Every generation develops a popular view of “privacy” that is largely drawn from expectations of contemporary consumer technologies of the day. Reliable postal service eventually enshrined the idea of absolute security of the mail; phone service brought with it considerable agitation about whether permitting real-time communication into a private home was a good thing at all; people thought little of the privacy implications of “party line” phones until the widespread introduction of single-household phone lines; and so forth. Thus, the individual spheres that people feel should be legally inviolable to unknown parties have always changed, and will continue to do so. The principle underlying those expectations is generally that individuals’ most closely-held thoughts and private communications should be safe from undue surveillance, and most can agree that a high degree of confidence in their privacy is necessary for any healthy society.

But of course, none of these spheres have ever literally been “inviolable” at all. Any broad view of individual privacy must make some caveat for the need for compromises in the name of the public interest. Only the most ideologically committed activist can deny that it is sometimes in the public interest for governments to compel access to individuals’ communications and information. Wiretaps, device seizures and even hacking of individuals’ accounts or compelling the service providers to grant access to them are sometimes necessary to protect and serve the public. This is so obvious a point that it hardly merits belaboring.

The key to protecting individuals from official abuse of this surveillance is the rule of law and due process. The police need a valid warrant, duly signed by a judge, before they can tap a phone; the same should be true for gaining access to an email or Facebook account, mobile device, or any other such data that a user has consciously taken steps to protect. This, too, is a completely obvious point.

Unfortunately, a failure of many governments to adequately protect individuals’ privacy from undue meddling has now poisoned the debate, and the pendulum of public opinion is quickly tipping towards the other – equally unwise – extreme.


You can argue whether Apple and Google recently decided to make their newest mobile devices “go dark” to law enforcement to respond to a market demand for greater privacy, or whether they just wanted to dispense entirely with the hassle of having to deal with time-consuming demands for user data. Some say that it’s simply impossible to create secure devices that only authorized parties can unlock, though I doubt this is really true. Either way, it’s a terrible blow to law enforcement, who will inevitably be blamed later on when they cannot unlock critical information in a timely manner.

Nevertheless, lawmakers should be blamed for not putting in place clear legal guidelines for the authorities (and intelligence agencies) to abide by to begin with. The inability of the U.S. Congress to do much of anything (besides bombing) has left citizens feeling ignored, and eroded their faith in the legal system and due process. Apple and Google are only too happy to respond to that market sentiment; Congress seems only to pay attention when raising campaign donations, and the public is worse off for it.

For some, no level of individual privacy will ever suffice. Everything must be protected, encrypted, hidden and hashed. But for most of us, this is overkill. The overwhelming megatrend in online behavior is towards openly sharing more, not less. As our lives become more digitized, however, our legal structures must evolve with us, or risk creating an even more alienated public in the future.


