Are We at a Privacy Protection Tipping Point?

Created on March 11, 2014

Scott Giordano Scott M. Giordano

Following is a guest post by Scott M. Giordano, Exterro’s corporate technology counsel, who attended the International Association of Privacy Professionals’ (IAPP) Global Privacy conference last week in Washington, D.C.

I attended the International Association of Privacy Professionals’ (IAPP) Global Privacy conference last week and noted in my previous post on the Thursday keynote session that one of speaker David Brin’s predictions may have been right on the mark. Brin, the author of 1998 work The Transparent Society, argues that the pervasiveness of surveillance technology will eventually eliminate privacy for all but powerful actors, such as government agencies and big corporations.

Friday’s keynote speaker, Julia Angwin, seems to have confirmed that notion. Angwin, a former journalist with the Wall Street Journal, presented a fascinating and depressing summary of a year-long project to make herself invisible to that surveillance. That project was chronicled in her book DRAGNET NATION: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. I have been a big fan of Angwin since she published a series in the Journal on the diminution of our privacy entitled What They Know. I’ve been involved in privacy in one capacity or another since the mid-1990’s and knew that privacy had suffered after the Internet become popular, but I had no idea how much so. Her efforts to evade the surveillance were sometimes successful, occasionally humorous, and often frustrating. Some examples:

  • She stopped using Google and instead used DuckDuckGo, a search engine that doesn’t save your searches.  While it was somewhat less efficient because it wasn’t “aware” of her location, it provided substantially the same results.
  • She stopped using Gmail in favor of Riseup, an email service for “people and groups working on liberatory social change”.  Its terms of service require the user to reject support for capitalism (among other things), something that might not make it the right service for, say, someone who works at the Journal.
  • She contacted the roughly 200 data brokers in the U.S. and attempted to have information about her removed, an effort in which she was mostly unsuccessful.
  • Her attempts to hide her cell phone usage were fruitless, given that even when cell phones are not in use, they’re broadcasting their location.  She showed how she placed her phone in a “Faraday bag,” which isolates the phone from the network, but also makes it an expensive paperweight.

Data PrivacyMy takeaway from her keynote is that we have far less privacy than we think because we don’t understand the implications of seemingly innocent acts like clicking on an advertisement or talking on a mobile device. When we take advantage of a “free” service, the price is often our privacy. As those acts accumulate over time, the result is a very (and disturbingly) accurate profile of our lives.

Angwin mentioned in passing the well-known story (at least in privacy and Big Data circles) of how department store Target knew, through Big Data analysis, that a particular young woman was pregnant and directed infant-related advertisements to her. I was already familiar with the story--the woman’s father complained about the advertisement but later his daughter admitted that Target was right.

All of this begs the question: Are we at a privacy protection tipping point? My suspicion is that we are not far away from an event that triggers a reaction creating an EU-style baseline privacy standard. I remember during the time I lived in California of the story of a young actress who was murdered by someone who looked up her address using Department of Motor Vehicle records. The law was promptly changed to eliminate access to those records to the general public. My fear is that something of this magnitude is going to have to happen before privacy is taken seriously.

I can point to some privacy successes (protection of healthcare information, anti-junk fax rules, and the Do Not Call list) but without building privacy protection into the fabric of our information infrastructure (known as Privacy by Design or PbD), we will forever be playing the privacy equivalent of Wack-A-Mole.

Having seen Privacy by Design work successfully in practice (we use it at Exterro for our EU privacy compliance capability), I believe applying it consistently to everyday consumer applications is a must. The Federal Trade Commission endorsed PbD in a March of 2012 report on protecting consumer privacy, stating that “[c]ompanies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.” It’s unfortunate that we have to wait for some tragedy before corporations and government agencies change their approach to protecting privacy, but when it happens I suspect PbD will be the solution they turn to.

Scott Giordano, Esq. is an experienced attorney with more than 16 years legal, technology and risk management consulting experience. Holding both Information Security Systems Professional (CISSP) and Certified Information Privacy Professional (CIPP) certifications, Giordano serves as Exterro’s subject matter expert on the intersection of law and technology as it applies to e-discovery, information governance, compliance and risk management issues. Giordano's latest white paper is titled, "Eliminating E-Discovery Over-Collection."