Privacy and security need not be mutually exclusive; we just need to remember why people keep secrets in the first place.
This week brought news of another massive government data collection effort. Called XKeyscore, it is said to allow the NSA to essentially look at anything that is online. Criminal violations of privacy were also in the spotlight as federal prosecutors announced indictments for those alleged to have stolen information on 160 million credit card holders.
Can anything be done? Even if the NSA is reigned in, the government steps up efforts to catch data thieves and we all change our passwords, will it still be hopeless? Is our future one where everything about us, from our conversations to our proclivities are out there in public?
There are alternatives. There are ways that the situation might evolve to an acceptable one.
Knowing and using
One aspect of why we want things to be “private” is that we don’t want people using the information against us. We don’t think a single overdraft fee from a bank would justify another bank dumping us as a customer; we don’t think a single intemperate post on Facebook justifies our employer firing us. A photo of our car in some location shouldn’t be used by anyone to conclude we were doing something suspicious.
It’s possible to separate knowing from using. Ironically, the NSA could be very close to doing just that. First, a little background.
In many countries the agency that looks for spies is not the police. The United Kingdom provides the well-known example. Their NSA equivalent is GCHQ, the Government Communications Headquarters that operates out of a futuristic looking building in Cheltenham, Gloucestershire. But the agency that tries to thwart spying and terrorism is The Security Service, more commonly known as MI5.
MI5 has no power of arrest. They, along with the GCHQ, collect all manner of information, but in order to arrest someone they have to present evidence to the police. Of course, there is close cooperation between MI5, the police and prosecutors, and it isn’t likely that many MI5 requests are refused.
But what this arrangement means is that there is a degree of institutional separation between the collection of information and its use against persons. To track terrorists and investigate subversion MI5 has reason to collect rumors, unverified reports and all manner of evidence that could not be collected if search warrants were required.
Little of this leaks out. MI5 as an institution has a culture of not talking to the press. There are exceptions, but most of the time it keeps secret what it knows.
In the United States, by contrast, the agency that performs the same function as MI5 is the Federal Bureau of Investigation — the FBI. Not only is this also a police agency, but it has a long history of being used for political purposes. The New York City Police Department also has its own massive counter-terrorism organization. This is another politicized agency which has come under fire for it’s stop-and-frisk policies that are attacked for being aimed at minorities.
Rules for use
The line between collection and use could be made much stronger: a set of rules, laws and customs for courts, businesses and the press that would restrict their use of information they obtain.
Courts already have a set of rules that prohibit certain information (such as previous convictions of a defendant) from being used despite this being known to all parties in the dispute.
Google has a project of mapping every single public street. They’ve got into trouble for violating privacy by showing license plates and faces as well as collecting passwords from unsecured Wi-Fi networks they encountered. They still collect images but blur out sensitive information now.
Every automobile will soon have “black boxes” that record all manner of data about what your car is doing and where it went. Rules are being proposed to regulate what use can be made of that information.
It is impossible to stop the expansion of data collection, but lines can still be drawn around where its use is permitted.
There is a difference between something being “in the closet” and it being “private.” Consider the heterosexual couple who announces that they are pregnant or trying to get pregnant. Everyone then knows what that entails. Their sexual activity is not “in the closet.” It is, however, still private: it isn’t discussed in any detail. That’s different from the gay person who is hiding their sexual orientation to friends and family for fear of the consequences.
There are a class of activities that are currently “in the closet” that could move to the “private” category. Consider the schoolteacher who is into some sexual fetish. It’s not illegal, not done on the job, but revealing it could cost them the job. It could become something that other teachers know, but isn’t referred to, any more than the sexual activity of that pregnant couple is referred to.
That’s a distinction that ought to be developed further. We could come to accept a number of activities and have them be things that are known about each other, but not discussed or used against people.
A business opportunity
There are companies selling products to protect your computer or alert you if your confidential data has escaped. But it seems that some significant opportunities for profit are being ignored. Credit card companies and banks, in particular, seem not to have fully grasped how to turn consumers’ concerns about privacy and identity theft into serious businesses.
Any company charged with protecting consumer data could develop more comprehensive services to respond to attacks on customers. Once you get an account at a credit card company or a bank, they could record a series of data to thoroughly verify your identity such as your picture, driver license and other identifying characteristics. This information would be stored in the most secure form people can devise.
Should your identity be stolen, or should someone violate your privacy in certain, defined ways, the legal department of the company would go to work to verify you to the police or other companies. They could sue people who violate your privacy.
In short, companies actually could become advocates for the consumer.
The robot cop
The NSA collects far more information than can be inspected by analysts; they have to filter it. One problem revealed by the NSA scandals is that too many people had access to this data.
If we can’t create an institutional wall between collection and use, perhaps a technical one can be created. Imagine that the data is collected automatically and stored in a data repository that no human can examine. Instead, analysts write rules to describe suspicious activity. These might be constant use of certain key words, contact with known suspicious persons and the like.
The computer would apply these rules and only share information to analysts when the rules kick up suspicious activity. Something like this appears to exist already. But how well is it insulated from human snooping? If a low-level analyst like Edward Snowden could have access to anyone’s Facebook, then data clearly isn’t protected enough by either technical or institutional rules.
Privacy used to be how we protected things that others could use against us as well as those aspects of ourselves that were personal and intimate. That older model doesn’t seem likely to survive. But perhaps a different model could be hoped for in the future: one where we had to hide fewer things and more of ourselves could be known without fear. Sometimes that happens already: a secret gets revealed and we discover that people already knew, or had their own secrets or simply didn’t think less of us.
This could only work if our businesses had a similar tolerance, understood that everyone makes little mistakes, and didn’t go digging for excuses to punish someone. How realistic a hope is this?
The alternative is a thought-police state operating alongside a dozen-odd, hyper-intrusive mega-corporations — a place where we are watched by not one, but many Big Brothers.
The views expressed in this article are the author’s own and do not necessarily reflect Mint Press News editorial policy.