Sunday, 24 November 2013

Privacy, Evidence Trails and a Change in Terminology?

One of the main aspects of personal [information] privacy is that much of the topic is that other parties would not collect nor perform any analysis of your data. The trouble is that this argument is often made in isolation, in that it somewhat assumes that the acts we perform by computer exist in a place where we can hide. For example, what someone does behind closed doors usually remains private. But, if that act is made in a public place, say, in the middle of the street by default whatever is done is not private - even if we hoped no-one saw.

Anything and everything we do on the internet is in public by default. When we perform things in public, then other people may or will see, find out and perform their own analysis to form a profile of you.

Many privacy enhancing technologies are akin to standing in the middle of a busy street and shouting "don't look!". Even if everyone looks away, more often than not there is a whole raft of other evidence to show what you've been doing.

Admittedly most of the time nobody really cares nor are actually looking in the first place. Though as it has been found out recently (and this really isn't a surprise) that some such as the NSA and GCHQ are continually watching. Even the advertisers don't really care that much; their main interest is trying to categorise you to ship a generic advertisement - and advertisers are often really easy to game...

If we really do want privacy on the internet then rather than concentrating on how to be private (or pretending that we are), we need to concentrate on how to reduce the evidence trail that we leave. Such evidence is in the form of web logs, search queries, location traces from your navigator, tweets, Facebook postings etc.

Once we have understood what crumbs of evidence is being left, we can start exploring all the side avenues where data flows (leaks) and the points where data can be extracted surreptitiously. We can also examine what data we do want released, or have no choice about.

At this moment, I don't really see a good debate about this, at least not at a technical level though there are some great tools such as Ghostery that assist in this. Certainly there is little discussion at a fundamental level which would really help us define what privacy really is.

I personally tend to take the view at the moment that privacy might even be the wrong term, or at best, somewhat a misleading term.

On the internet every detail of what we do is potentially public and can be used for good as well as evil (whatever those terms actually mean), our job as privacy professionals is to make that journey as safe as possible, hence the use of the term "information safety" to better describe what we do.


Jason said...

Ian, I have to take issue with your post here. I consider myself a privacy professional not an information safety professional. Privacy is much more inclusive than information safety and data protection, but I think the distinction is all too often lost. This is especially pertinent in the E.U. where privacy is synonymous with the Data Protection Directive and the privacy professional focuses primarily on compliance with that regulatory regime. Identifying harmful acts of aggregation, intrusion, invasion and other non-data related privacy violations is just as important as protecting data. Finally, I reject your analogy with the public square. Real privacy enhancing technologies (see my blog post at is about performing the function necessary to do the task at hand without revealing or leaking data to a public audience.

Ian Oliver said...

Thank you Jason and exactly the sort of comment I was hoping for. As I see in your post (linked above) we both have worries about terminology and semantics, not to mention the application of these. I think that what you've written about the difference between privacy and information safety is a good point and one that has been troubling me in my more "technical" role with the developers, hence my preference for the term information safety. I believe what we're seeing is maybe not that privacy is the wrong term, but a specialisation within privacy as we need to ensure that at the end of the day our systems and ultimately code needs to comply (I'm with Lawrence Lessig on this one).

Would you agree wit that the continuum from security through to privacy is becoming possibly finer and what we're seeing here is just the ongoing specialisation within our areas?