A Tech Liberty representative spent two half-days at a group discussion about privacy and technology.
Here are some of the things that were discussed:
- That everything you do on the internet leaves a trail. While anonymity is achievable, it is generally much harder than most people believe.
- That this data can be collected, aggregated and analysed to reveal a surprising amount of information about people – and that this is only going to get easier.
- Consent is meaningless when people are presented with a long document written in legalese with a checkbox at the end and no chance to question or negotiate.
- A major new source of privacy breaches is people sharing information about their friends and family. Normally these remain within a social group but sometimes they can be picked up by other people and shared across the world.
- Young people often don’t understand the ramifications of posting personal data about themselves and their friends to social networking sites. There have been a number of cases where the news media have used photos, comments and other material from these sites in reporting.
- The increase in geo-tagged data is making it increasingly possible to track people – which most people see as an unwanted invasion of privacy. The possibility of creating a “tracking without consent” offence was raised.
- The EU has rules about the “processing” of geographical data. For example, if you wanted to collect location data for a person from a Twitter update, a Flickr photo and a Four-Square check-in and use it for some purpose, you would need to get the permission of that person, even though they’d already published that data themselves.
- New Zealand can’t set its own rules in isolation – we’re too small to enforce them on the global internet. Instead we should be supporting international harmonisation, particularly with like-minded countries such as those in the EU.
- If a company collects personal information, stores it “in the cloud” and then the information leaks out, the Privacy Act seems to imply that the company wouldn’t be responsible.
- That the Privacy Act does not stop companies from sharing any private information with the Police for the purpose of stopping crime. No warrant is required.
- Should companies have to notify people of a privacy breach? Does this apply to all types of personal information? Should it apply to all breaches (individual and en masse)? How would we know if people are honouring this provision?
- Anonymising data is harder than everyone thinks – as shown by inadvertent leaks by AOL and Netflix.
Some tentative conclusions
Many organisations are collecting huge amounts of data in many ways across multiple jurisdictions and then making it available in a variety of ways. We can’t control this; all we can do is control how organisations and people in New Zealand use the data that is collected. Some rules we might like to consider:
- aggregating data about a person from multiple sources should require the permission of the person.
- you can outsource your data processing, but you can’t outsource your responsibility for ensuring the data is used and stored responsibly.
- banning or limiting the republishing of information about minors from social media sites.
There is no real way to control what people publish about their friends. We’re going to need to rely on new social norms being developed.
I may be odd man out on this one, but I’m far less worried about Google collecting information on me from my search and web traffic than I am about government collecting information about me. What’s the most Google will do with the data: sell it on to folks for targeted marketing campaigns? Try to give me more accurate information about the kinds of products or services I might wish to purchase? But government having the same kind of data could lead to targeted taxes based on diet and consumption or worse.
“Aggregating from multiple sources”: a company would then be banned from combining data from their customer mailing list with information from the phone book? Hmmm.
When it comes to “aggregating from multiple sources” the company wouldn’t be banned from doing it – rather they would need to comply with the provisions that already exist in the Privacy Act about having to have a good purpose to collect personally identifiable information and they’d need the permission of the person involved.
It’s already implicit in the Privacy Act, but the idea is that if you aggregate public data about someone you are effectively creating personal information (converting data into information) and therefore the Privacy Act principles should apply to it.
As for Google vs the government – I worry about both, but in some ways I’m even more worried about the third party who aggregates information from multiple sources including Google, Twitter, publicly available data and ties it together to infringe my privacy.
One obvious example is the one in the article, where people can collect geotagged information from multiple sources and then use it to track your movements – and post that to the web. I’d see that as an unwarranted invasion of privacy.
What is collected today by Google is tomorrow the basis of fishing trips for crimes. The EU has already adopted a measure which expects Google to turn data it’s collected over to authorities for a currently limited range of crimes, but the chances of this remaining limited are slim.
Aggregation of data is also a way of turning anonymised data into much more precise information about people. This means while, for example, you might be happy with a company releasing anonymised data about your activities, because you can’t be readily identified from solely that release, if you patch together enough of those sources you can end up with a highly accurate and specific set of information about you.
For example, your MAC address does not identify you personally as-is. Gathered from, say, wireless broadcasts, we can assert where that MAC address is, your address. But your MAC address is also used as the basis of IPv6 addresses, attached to cookies, and then to your login on a website. Now armed with anonymous wifi data I can assert your location even if you have never provided it to me or given me that right.
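The MAC-to-IPv6 link the commenter describes is the modified EUI-64 scheme from RFC 4291, which SLAAC hosts use unless privacy extensions (RFC 4941) or stable opaque identifiers (RFC 7217) are enabled. The following is an added example, not code from the post or its commenters: it derives the EUI-64 address a host would autoconfigure, recovers the embedded MAC from an address, and runs an audit over a constructed list of addresses to show that the same interface seen under two different prefixes is trivially linkable. The prefixes, MAC and addresses are constructed sample values.

```python
import ipaddress
from collections import defaultdict


def mac_to_iid(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier (RFC 4291, Appendix A)
    from a 48-bit MAC: flip the universal/local bit of the first octet and
    insert 0xFFFE between the OUI half and the device-specific half."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host without privacy extensions autoconfigures in a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) + iid))


def embedded_mac(address: str):
    """Recover the MAC if the address looks EUI-64 derived, else None.
    The 0xFFFE marker is a heuristic: a randomised IID (RFC 4941) matches
    it by chance with probability 1/65536, so treat hits as likely, not certain."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def link_by_mac(addresses):
    """Audit helper: group addresses by embedded MAC. Two addresses under
    different prefixes that share a MAC came from the same interface, i.e.
    that host is linkable across networks and should enable RFC 4941/7217."""
    groups = defaultdict(list)
    for a in addresses:
        mac = embedded_mac(a)
        if mac is not None:
            groups[mac].append(a)
    return {mac: addrs for mac, addrs in groups.items() if len(addrs) > 1}


# Constructed sample: one laptop seen on a "home" and a "cafe" prefix,
# plus a host that uses a randomised interface identifier.
LAPTOP_MAC = "00:11:22:33:44:55"  # constructed, not a real device
SEEN = [
    slaac_address("2001:db8:1::/64", LAPTOP_MAC),
    slaac_address("2001:db8:2::/64", LAPTOP_MAC),
    "2001:db8:2::a1b2:c3d4:e5f6:7788",  # randomised IID, no marker
]

if __name__ == "__main__":
    for a in SEEN:
        print(a, "->", embedded_mac(a))
    print(link_by_mac(SEEN))
```

Running the audit against your own address logs shows which hosts still expose a hardware identifier in every packet they send; the fix is at the host (enable temporary or stable-opaque identifiers), since nothing on the network side can stop an observer from reading the marker.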
I kinda agree with Eric. What worries me is not that my personal data will be collected and stored (it has been for years, and by people like the grocery and bus company, as well as higher-tech enterprises), but that it will be used against me.
Maybe we can’t put the genie back in the box, and people will have to accept that they *will* know stuff about each other, and with that comes a higher requirement of tolerance.
I’d also suggest that “international harmonisation” of proscriptive laws could easily end up with us having a restrictive legal framework we can’t change democratically (a bit like drug and copyright law). What if I *want* to use a service that aggregates data from multiple sources – do I need people’s permission to have their face pop up on my Android when they text me?
I’d be wary of replacing the problem of corporate invasion of privacy with another one – a further area of net censorship.
Rich – that’s kind of what we’re saying. We know the data is being collected, all we can do is try to set some legal limits on how that data can be used. Overseas companies can ignore our laws, but at least Government agencies and companies active in New Zealand will be limited by these laws. Current privacy law includes both but is aimed more at the collection side.
And I entirely agree about the problems with harmonisation of privacy laws – after all, I just came from another briefing about the ACTA treaty where international harmonisation is causing problems!