
Increasingly, our news media feature stories about personal data and electronic systems: biometric passports, digital ID cards, DNA databases… make that security holes, cracked systems, data leaks, public outrage. When you add the proliferation of CCTV cameras, and apparently the UK has more cameras per head of population than anywhere else in the world (MPs probe ‘surveillance society’, BBC, 22/3/7), it is easy to believe that digital technology has a detrimental effect on privacy and personal autonomy.
Natasha McCarthy, Policy Advisor at the Royal Academy of Engineering (RAE), outlined in stark detail the issues that engineers, politicians and advocacy groups are confronting today in three contexts: (1) the citizen and the state, (2) the customer and business in a digital environment, and (3) personal data and social networks. I’d like to address the first two contexts, but first let’s take a step back to redefine a few concepts as they relate to digital interaction:
Surveillance: A loaded (and culturally defined) term evoking the “bureaucratically organised state terror” of Orwell’s 1984. A more useful metaphor, ‘data capture’ (Agre, 1994), allows us to evaluate systems with greater discrimination and objectivity.
Identity: Belongs in a philosophy class. A system does not ‘know’ the difference between you and a photograph of you. Identification and authentication are the meaningful concepts.
Privacy: There is no inalienable right to privacy in the UK. The 1998 Data Protection Act (sections 10-14) attempts to protect personal data, which bears some relation to privacy. Article 8 of the 1998 Human Rights Act specifies a general and qualified right to ‘private and family life, … home and … correspondence’. What is often argued in celebrity cases, when not settled out of court, is ‘breach of confidence’ (Privacy law remains confused, BBC, 9/6/3).
The citizen and the state
In her essay Profiling into the future: An assessment of profiling technologies in the context of Ambient Intelligence, Mireille Hildebrandt describes the insatiable need of the modern state to create citizen registers. First it was for the purposes of attributing tax or national conscription; after the welfare state, to determine entitlements to benefits. Today it is considered essential to prevent an escalating number of security threats: fraud, terrorism, crime, etc. A number of competing digital systems exist to deal with the various ways in which the citizen interacts with the state, but the promise of a giant, centralised database shimmers in the distance. The latest Government proposal, Sir David Varney’s Transformational Government review, refers to this ideal construct as a “single source of truth”.
Can we trust the Government to protect the citizen’s personal data when there have been serious breaches of existing databases? To give one example, admittedly the most serious yet: last year 25 million child benefit records, almost half of UK households, went missing (UK’s families put on fraud alert, BBC, 20/11/7). Apart from the shock of discovering the sensitivity of the data put at risk (children’s and parents’ names, dates of birth, addresses, National Insurance numbers and bank details), the encryption used to protect this data was a flimsy WinZip 8 password protection (HMRC Lost Disks & Encryption, The Risks Digest, 18/12/7; 2007 UK Child Benefit Data Scandal, Wikipedia). However, such errors are not unique to UK governments; they are a feature of the modern, digital state. The USA government has also had severe data leaks, for example Data Theft at the VA (CSO Online, 14/8/2006), with 26.5 million personal records compromised, and last year’s email intrusion at the Pentagon (Defense officials still concerned about data lost in 2007 network attack, GovernmentExecutive.com, 5 March 2008).
Natasha McCarthy underlined the fact that it is frequently the human factor that is the weakest link in the system. One RAE recommendation is that security of personal information might best be safeguarded through a trusted third party controlling access to the data. If we don’t trust the Government to protect our data, can we trust private enterprise?
The customer and business in a digital environment
Businesses seek to acquire data about as many (potential) customers as possible. They aren’t interested in uniquely identifying a particular individual so much as a customer ‘class’ at which they can aim targeted services. Business marketing has always involved the selling, distribution and rental of ‘lists’ of personal data. Personal information is a commodity; the online environment and digital technology have simply provided more efficient ways to ‘exploit’ this data, on a scale vastly outstripping what went before. In this context concerns have been raised about online cookies, spam emails, profiling and data protection. A recent controversy is the Phorm debate (BT admits misleading customers over Phorm experiments, The Register, 17/3/8), in which British Telecom provided details of broadband subscribers to an online ad marketing company.
The interesting point about the legal challenges that BT is facing from irate customers is the variety of laws involved. They depend not only on the ambiguities of data protection but also on whether BT has breached its own Terms and Conditions policy; on violation of the Regulation of Investigatory Powers Act as it relates to unlawful interception of a public telecommunication system (RIPA sections 1(1) and 2(2); see Foundation for Information Policy Research (FIPR) Open Letter to the Information Commissioner, 17/3/8); on the Computer Misuse Act; and so on. However, consumer outrage, spread virally through blogs and online petitions, with even Sir Tim Berners-Lee (Berners-Lee wary of all web tracking, BCS, 17/3/8) weighing in against the practice, might put paid to the Phorm experiment faster than the legal process. The Phorm share price has been in sharp decline since the controversy emerged.
Conclusion
Security and privacy in digital systems is a controversial area. As in the debates around DRM and copyright, technology and practice are outstripping the laws designed to protect against misuse. This essay has concentrated on digital interaction between the state and the citizen, and between the consumer and business; it has not seriously questioned the reliability or durability of the technology, particularly against deliberate attacks. Nor was there space to discuss the third, equally vital topic: personal data in social networks. It might be too much to hope that users and citizens read the Terms and Conditions, but it is important that they are protected.
References
Agre, Philip E. “Surveillance and Capture” in Noah Wardrip-Fruin and Nick Montfort (eds), The New Media Reader, pp. 741-760 (Cambridge, Mass.: MIT Press, 2003)