A Tech Liberty representative spent two half days at a group discussion about privacy and technology.
Here are some of the things that were discussed:
- That everything you do on the internet leaves a trail. While anonymity is achievable, it is generally much harder than most people believe.
- That this data can be collected, aggregated and analysed to reveal a surprising amount of information about people - and that this is only going to get easier.
- Consent is meaningless when people are presented with a long document written in legalese with a checkbox at the end and no chance to question or negotiate.
- A major new source of privacy breaches is people sharing information about their friends and family. Normally these remain within a social group but sometimes they can be picked up by other people and shared across the world.
- Young people often don't understand the ramifications of posting personal data about themselves and their friends to social networking sites. There have been a number of cases where the news media have used photos, comments and other material from these sites in reporting.
- The growth in geo-tagged data is making it increasingly possible to track people - which most people see as an unwanted invasion of privacy. One possibility raised was creating a "tracking without consent" offence.
- The EU has rules about the "processing" of geographical data. For example, if you wanted to collect location data for a person from a Twitter update, a Flickr photo and a Foursquare check-in and use it for some purpose, you would need to get the permission of that person, even though they'd already published that data themselves.
- New Zealand can't set its own rules in isolation - we're too small to enforce them on the global internet. Instead we should be supporting international harmonisation, particularly with like-minded countries such as those in the EU.
- If a company collects personal information, stores it "in the cloud" and then the information leaks out, the Privacy Act seems to imply that the company wouldn't be responsible.
- That the Privacy Act does not stop companies from sharing any private information with the Police for the purpose of stopping crime. No warrant is required.
- Should companies have to notify people of a privacy breach? Does this apply to all types of personal information? Should it apply to all breaches (individual and en masse)? How would we know if people are honouring this provision?
- Anonymising data is harder than everyone thinks - as shown by inadvertent leaks by AOL and Netflix.
Some tentative conclusions
Many organisations are collecting huge amounts of data in many ways across multiple jurisdictions and then making it available in a variety of ways. We can't control this; all we can do is control how organisations and people in New Zealand use the data that is collected. Some rules we might like to consider:
- aggregating data about a person from multiple sources should require the permission of the person.
- you can outsource your data processing, but you can't outsource your responsibility for the data being used and stored responsibly.
- banning or limiting the republishing of information about minors from social media sites.
There is no real way to control what people publish about their friends. We're going to need to rely on new social norms being developed.