The Digital You and Privacy
By By Bruce Arnold
Assistant Professor, School of Law, University of Canberra
As more of our lives move online, our every click and “like” builds a data profile about us. This requires vigilance to ensure that laws adequately ensure that businesses and law enforcement agencies use and protect information about us.
Who are you? As far as your friends, parents and children are concerned you are a person. You are someone who is flesh and blood. Someone who snores, who sleeps in or turns up to work on time, has a great smile, has a scar from falling off the skateboard, brings a smile to gran’s face every time she sees you, who votes and is otherwise an individual worthy of respect.
In the age of “big data”, where overseas corporations are building whole-of-population genetic databases, most of the Australian population is online, many of us gift our information to Facebook, you are a data profile rather than a person. You are a dot on a “social graph” of attributes identified by insurers, phone companies, the health department, national security agencies and marketers.
This article asks questions about the meaning of privacy in a world of pervasive data collection and analysis, a world in which you have few opportunities to escape surveillance unless you live a primitive existence “off the grid”. The following suggests that being a data profile has advantages along with disadvantages. It also suggests that we can act responsibly – and not leave all decisions to technology – in changing the law so that we are respected as people rather than mere digits in a public or private sector database.
We should regard surveillance technologies and the internet as tools, not outcomes. Tools do not have an independent existence. They can be controlled.
Most aspects of our lives can be read as data attributes. Everyone, for example, has a name (one attribute) and a birthdate (another attribute). Most people have a gender, a nationality and an address (more attributes). Most Australians over the age of 15 have mobile phones, a basic identifier for communications and for identifying the location at which a communication – an SMS or voice call – took place. Most have two or more email addresses, some of which may be used on an ongoing basis and some of which are thrown away after a message or two. Many have driver’s licences, credit cards, passports, student cards, pensioner cards and other identifiers.
It’s difficult to live unencumbered unless you share that information. If you want total privacy you need to ignore Hollywood thrillers about fake identities and instead be prepared to live alone on a desert island or have a possum as your only friend while you starve in the remotest part of Tasmania out of the sight of any neighbours and the government.
For many people the pervasiveness of surveillance raises questions about privacy, whether in the here and now or in the long term. We’ve seen outrage (along with some applause) for very large-scale government surveillance that is claimed to be useful in detecting or deterring terrorists. We’ve also seen controversy over the supposed “right to be forgotten”, which in reality is a narrow right in Europe to suppress some information in the search results displayed by Google and its competitors but does not mean you can remove every embarrassing photo or unfortunate tweet or regrettable post from every part of the internet.
What’s the Deal with Online Privacy?
Governments, businesses and non-profit bodies are fans of the digital environment because regarding you as a set of data profiles works for them. It works well enough that most of us haven’t raised strong objections. We won’t raise strong objections – or pack our bags for that desert island – unless there are major abuses.
Organisations collect and analyse personal information for three reasons: persuasion, prediction and evidence.
Most of us are keen on persuasion. We like personalised communication – what some academics have called the customised “market of one” – so that we receive relevant information rather than being drowned in a flood of junk mail and spam. We want governments and businesses to “remember” us and meet our needs straight away so, for example, we can pay a bill online, make a booking or fix a problem rather than having to queue at a counter. All of that requires personal information. It is not necessarily a bad thing. We want only authorised people to vote in elections, enter Australia, fly planes or conduct surgery. We don’t want unauthorised people making withdrawals from our bank accounts.
As a society we thus accept that we do not have an exhaustive right to privacy. There are, however, limits on what information is collected, how it is collected and who it is collected by ... particularly if collection/use is without our knowledge and consent.
What about prediction? With enough digital information about you – or people like you – I may be able to predict what you are going to do and what you want, often before you have taken any action or expressed any desire. For some people that prediction is offensive: it means I am disrespecting you and making the same sort of forecasts that we see in the behaviour of the family cat and dog.
The prediction might be trivial, for example that given your history you are likely to respond to a particular advertisement on Facebook. It might be more life-changing, as in you are consistently late in paying your bills so you miss out on a cheap loan. It might be bad news, such as a vetting service invisibly keeping you out of a job because when it searched Facebook and Twitter – something that is increasingly common – it found lots of images of you getting drunk, doing party drugs or slagging off your employer. Be wary about too much sharing online!
National security agencies love digital technology because most of us leave traces on the internet and on telecommunication networks. In isolation each snippet of data might be meaningless, but put together it can reveal a picture about both an individual and that person’s associates. That picture might enable the prediction of criminal activity, for example that a scammer is planning to transfer her assets out of the company and then leave on the next available plane, or that a group of terrorists are planning to engage in mass murder with a bomb at a particular location.
In practice, given the very large amounts of information accessible by law enforcement agencies and the difficult of making sense of the data, there has been very little successful prediction of terrorist activity. (Most prevention involves old-fashioned informants, undercover personnel and phone taps rather than “big data” analysis.) Yet from a law enforcement perspective, digital information is invaluable as evidence. Once you know what to look for it is often easy to find and in a form that will satisfy an Australian court.
That satisfaction is important, because one thing that differentiates Australia from China, Russia and places under the control of terrorists is that police and national security agencies are not above the law. They must provide evidence rather than simply asserting their authority or referring to serious dangers. Courts, for example, have relied on evidence that an SMS or voice call was made from a particular location (so the offender was not at a different place and thus did not have an alibi), that CCTV images place a person at the scene of a crime and so forth.
Do We Need to Change the Rules?
One conclusion is that digital technology, just like fire or a knife, is a tool that needs to be used properly. In thinking about law we need a balance. In thinking about how we all use that technology we need to act responsibly.
Responsibility means helping each other. That could be as simple as warning people who are younger than you not to make and release intimate images. Many Australian relationships – among adults and teenagers – have a shorter life than a toaster or an iPhone. Once photos of what you do in bed or in the car have got onto the internet or are being shared on the phones of your former “bestest friends” they’re not coming back – there’s no easy “erase” switch on the internet, and making/distributing intimate images of young people is a serious crime in all parts of Australia.
Less dramatically, you can warn friends (and older people, who sometimes fall for quite obvious scams) to be wary about providing personal information online. That might be the name, age, address and occupation details that are the basis of much identity theft. It might instead be the picture of a workmate wearing only a silly grin, gumboots and a feather boa after the office Christmas party. On the internet what happens in Vegas – or at the party – doesn’t stay in Vegas.
We might want to change the rules, which means forcing businesses such as Facebook, Telstra and Google to act responsibly. Because many of us spend much of our time online they know a lot about us. Some of those businesses are selling that data to other businesses and government agencies. Some are being careless about data protection, with phone companies and retailers, for example, recurrently experiencing major data breaches that release personal information for exploitation by criminals or the merely curious. That information might be financial details. It might instead be health records or photos.
At the moment Australian law doesn’t hold businesses accountable for negligence in preventing harms attributable to data breach. They won’t be more vigilant until law requires them to be more responsible.
We might also want to think about government agencies such as the Australian Security Intelligence Organisation, the police and the National Security Agency. In a world where everyone is simply a collection of digits, a set of data profiles rather than a person, it is easy to regard everyone as a suspect and disregard human rights. We can see that in current disagreement about mandatory data retention and warrantless access by bodies that range from ASIO to the RSPCA.
Few privacy advocates are opposed to law enforcement. They do, however, want investigations to be conducted properly and proportionately. Just because you have a digital hammer does not mean that everything is a nail and must be hammered. Proposals to force your phone company, your internet service provider and other businesses to store metadata – information about your online activity – for several years is disturbing particularly if that data can be accessed without a warrant (i.e. with no supervision by a court) and without any notice to you.
Such an erosion of privacy is offensive and contrary to the freedoms that are fundamental to Australia. It is contrary to recognition of privacy as a right for all law-abiding people to be free of interference and not regarded as a suspect.
More broadly, it is contrary to respect for everyone as a person rather than just a set of data profiles. You are a person – more than your name, address, age, education, tax file number, Medicare number, driver’s licence – and should be respected as such.