- Date published:
- Author:Brian Wood
The article below by John Bryan in Naked Security is the yin to tomorrow’s yang on the same topic — so be sure to check back mañana.
The essence of the debate is whether we are gearing up to fight the last war rather than recognizing that the threats (and what we value) have changed over time.
Emphasis in red added by me.
Brian Wood, VP Marketing
Is data privacy an out of date concept?
I work in SophosLabs on the Data Leakage Prevention (DLP) team. Sophos DLP analyses the text content of documents to identify privacy- and confidential-related information before it leaves our customer’s networks.
As the DLP team leader I manage our definitions of what is classed as privacy-related information, and I spend a large amount of my time having to understand and question exactly what is and what is not “Privacy Data”.
Nowadays people post publicly on various social media sites about where they go, what they do when they’re there and with whom they do those things with.
For some people, it seems as if they put their whole lives on display.
They are often, themselves, posting the very information that organisations go to great lengths to try to protect.
So are we trying to protect privacy based on past social values? Are we old-fashioned in trying to keep a lid on the social media generation?
Social norms change over time. Attitudes to unmarried mothers, sexual preference, social mobility, religion, race and the expectations of life are starkly different from even 50 years ago.
Many changes in the past have been influenced by popularisation of new technologies, such as the printing press, motorised transport and television.
In many places, internet usage has become more universal than being able to drive a car and is therefore having an equivalent level of impact on society.
To many, not using Twitter or Facebook is seen as something from a bygone era.
Can we live without each other’s personal data?
Data that is about us, our property and our lives is shared and processed in more ways than can be calculated. From the age-old service of telephone directories to choosing the best schools, we are using information that is based on personal data or statistics.
When planning to buy a house we want to know about local crime rates, flood risks, and the quality of the schools or hospitals.
Directly or indirectly, our activities use personal-related data on a daily basis, and if enough of us were to object to our own pieces of that data being used we could impact public services, commercial businesses, research institutions, news media and much more that relies on the complex inter-weaved net of data.
Where will you hide tomorrow?
There is a lot of hype currently around devices such as Google Glass. As wearable computers become more common, surely society’s acceptance of a lack of privacy will have to follow?
Google’s StreetView has been forced to mask specific houses or even whole streets because of privacy objections.
But preventing a view of one’s house frontage doesn’t stop the layout of the grounds and contents being visible from satellite maps.
And with the first commercial video satellite system soon to go on the market, and the increase in popularity of similar publicly-available technologies, it’s likely to make the censorship of Google’s StreetView images moot.
So perhaps privacy is irrelevant now? Maybe it’s time to accept the brave new world of data freedom – to throw away our virtual modesty and feel free to expose more of ourselves to the world?
Legislated “Sensitive” personal data
When it comes down to it, is it only whether we are embarrassed about something that defines whether it is really private?
If society should become blasé even about such things as having, say, a sexually transmitted infection then would it be a breach of privacy to let that become public, even without the individual’s explicit consent? After all, would you worry now if someone blogged that you seemed to have a common cold?
In the 1950s being gay was illegal in many places and people were convicted and sent to prison for such a ‘crime’. Now if somebody were to mention to me that they are gay I would think, “So what?”.
There are pieces of person-related information that are explicitly enshrined in various data privacy legislations as “Sensitive Personal Data”. Yet the reasons for these are, hopefully, rapidly moving towards being obsolete.
These sensitive personal data items are only so due to largely historical discrimination reasons that were still a major concern when these legislations were first written.
Do they still need to be seen as “sensitive”? In fact, some special categories – such as race, gender and nationality – along with the corresponding personal data, are in most cases protected and deemed not ‘relevant’ for recording unless there is a clearly stated reason for doing so.
Take these four attributes:
- Your sexuality
- Your IP address at home
- Your race
- Your Skype address
Which is the most sensitive? Well, 1 and 3 are often given extra legislative protection over that of 2 and 4.
Disclosure of your home static IP address could make you vulnerable to crime, yet this computer equivalent of your postal address is often not explicitly mentioned in personal data privacy directives.
So what am I saying?
It’s not that I’m saying that data privacy is unimportant. Unfortunately in the real world not everyone one has evolved to the point where prejudices don’t exist. The security reasons for some data privacy is more urgent now than ever before.
But data privacy should not be done by rote, instead it should be done with thought and consideration.
As data controllers we should think beyond protecting A, B and C just because we are told to while ignoring the unmentioned X, Y and Z. As a society we need to be discussing the current privacy directives in terms of what is, or is not relevant.
And over time, as individuals, we will need to adapt our own concepts of privacy to fit closer to society’s ever evolving concepts.
There always will be someone who wants to use and abuse that information for profit and exploitation. So anyone who is a caretaker of personal data still needs to ensure that they leave decisions on what is no longer private to the data owner – the individual.
But let’s also keep our minds open that ‘personal’ is about being living, breathing people and not something to be imprisoned under lock and key.