A recent piece by NY Times Bits blogger Nick Bilton, Disruptions: “Coming in 2014: Extremely Smart Watches and Wearable TVs” described his predictions for technology in 2014, many of which have significant privacy and security implications.
It described a certain type of data convergence, where cloud and mobility merge to paint a more accurate picture of consumers’ behavior, and provide targeted information to that consumer. Bilton notes:
“Foursquare, the location-based social network is at the forefront of this innovation. Its app works in the background to corral different pieces of information — including your location, the time of day and where your friends have been — and then makes suggestions for what to do. “It looks like you’re near the Sightglass Coffee,” the company’s app says if I walk by a coffee shop in the morning, “Your friend Dennis has been there and recommends the cappuccino.”
Thus, technology will measure much more precisely who you are and what you are doing. It also will show what you have been doing, the nature of your relationships with people (friends, colleagues, family members), the nature of your communications and associations, your movements (not just where you are, but what you are doing with more granular accelerometers), and will use this mass of data to profile you and your friends, and to deliver “useful” information to you.
Bilton describes technologies that will be deployed in 2014 that will detect a consumer’s’ level of excitement or boredom, when for example playing a video game, watching a movie, reading a book, or listening to a conference call.
Drones and microdrones will allow the collection of more data more surreptitiously. In Bilton’s article, a drone manufacturer dismissed any privacy concerns noting:
“When GPS first came out from the government, people saw it as something that could track them and they said absolutely not,” … Yet now, we all have GPS in our cars and smartphones. “I think we’ll see something very similar happen with drones.”
And this is how it starts.
Now data is not inherently bad, or inherently good. It’s just data. It can be accurate, precise, misleading, misinterpreted, but at the end it is just data. Big data (by volume) is just data as well.
The question is how the data is used, how it can be (and will be) misused and abused, and finally, how it will be secured. Also, how transparent we will be as a society in answering these questions.
Big BAD Data
The biggest problem with data collection is that we do it surreptitiously. Look at the drone spokesman. People were afraid that GPS could track them and “they” (whoever they are) said absolutely not.
Of course, passive GPS that simply receives satellite signals does not directly permit tracking of our movements, but the recording of location data in the GPS device does.
Police departments and others routinely obtain so-called “black box” data from cars, and location history information even from “dumb” GPS devices.
The Supreme Court will likely decide this term whether the police may, without a warrant and without probable cause, seize a person’s smartphone and examine (and copy) the full contents of the phone including the GPS data in it.
In addition, location data from GPS and towers are routinely collected not only by cellular providers, but by literally thousands of apps on smartphones — with little or no privacy protection.
GPS data is embedded in posts, chats, photos, videos and other information. All of it is retrievable with a simple subpoena — and many times without even that. The data can be (and is) shared, sold, analyzed, sliced and diced.
What the drone guy is really talking about is the (apocryphal) story of the frog in the saucepan. Remember when you first went to the movies and saw a commercial? People were outraged and yelled at the screen. Now we have become hardened — dulled to it. It’s not that the conduct is any less outrageous; it’s just that we have lost our capacity for outrage.
Persistence of Memory
The problem here is not so much data creation, but data use, sharing and persistence. It’s fine for the phone company to know my location so it can help me get where I am going. It may also be ok for me to find a restaurant nearby using Open Table, and to share that data with Open Table and the restaurant. When Open Table shares the data with the restaurant that is expected and necessary to fulfill my wishes.
But we cannot treat privacy as “binary.” Just because I wanted to know where the Outback Steakhouse in Kansas City is doesn’t mean that I want the Outback Steakhouse to know where I am. It also doesn’t mean I want it to be shared with others or that I want that data to be preserved forever.
The basic rules of thumb for privacy are (1) collect only the minimum amount of information necessary to fulfill the objective for which the data was collected; (2) tell the data subject what you have collected, why and what you are doing with it, and where appropriate get their express consent to do this; (3) make sure the data is accurate; (4) protect the data from unauthorized use; (5) kill the data when you are done. Kill it. Dead.
Unfortunately, we rarely do any of these things.
Take any customer relationship management (CRM) system. A store collects data about an individual’s purchases at the store, the method of payment, the customer’s address, store location, etc. Was there “consent” given to collect that data? Probably not for explicit collection.
Imagine if you were buying a stick of lip balm at the drug store and the cashier asked, “excuse me, would you please give me your name, address, telephone number, and date of birth, so we can tell other manufacturers that you purchased that lip balm here today, the brand and flavor of lip balm you like, how much you paid and how you purchased it?” “Oh, and we would like to use that data forever to create a detailed profile of you.” Or would you prefer the cashier simply say, “Oh, and would you like to use your loyalty card?” Same thing.
We also are creating data that does not exist in real life. We take online and offline data and merge them to create more detailed profiles of people. We sell databases and access to databases to government agencies, and purchase data and databases from government agencies. Just as Bilton’s article suggests that an app can know when we are at dinner with our families and silence cell phones, an app can determine when we are at our lawyer’s office, or when we are planning a merger or acquisition. We are left completely exposed.
As the frog in the saucepan might say, “is it getting warm in here?”