Pursuits: Pursuit of privacy
When it comes to personal information access, the rule of thumb is explicit consent.
by Nelson King
Once upon a time when computers were new to average people and computer-related issues still seemed vital and impending, I used to meet on a regular basis with a small group of friends who were also employed in one way or another in the computer industry. We hashed over (and over) a number of issues, not always at low volume, but always in the spirit of trying to understand what seemed to be a world-changing technology.
The changing technology outlasted our group, as we went our separate ways, jobs, and lifestyles. From this group, only Mike and I stayed in touch. Mike was a programmer, trained in COBOL - a very good programmer. Then his company dumped the IBM mainframes that ran COBOL. Mike dropped the programming, but not the computer industry. He joined a corporate help desk and became something of a resident network guru. From time to time Mike would call me about problems or interesting issues.
One case I remember quite clearly involved a person who was abusing corporate e-mail. These were the days before the widespread use of the Internet, so the e-mail system was one that ran on the company’s local-area network. At the time the company had very few specific e-mail policies, but if an employee complained about a misuse of e-mail, the company had the right to investigate and take action.
In this case, a second employee had complained that she was receiving e-mail solicitations to buy a certain brand of plastic kitchen containers from the first employee. Apparently, she had complained to the e-mail sender, but that hadn’t stopped the messages. Management promised to investigate. Unfortunately, the offending e-mail had been angrily deleted. Without direct evidence, nothing could be done, so management turned to the network help desk people and asked them to monitor the e-mail of the employee who sent it.
It was based on this nuance that Mike gave me a call: “This is crazy. I’m supposed to intercept, read, and potentially report the content of private e-mail from this person - without her knowledge. I thought you had to get a court order for wiretaps and that kind of thing.” I asked him if the network and e-mail were a company system. “Sure. It’s the main way we communicate around this building.” I told him the courts generally upheld the company’s right to monitor and read any kind of e-mail on a company system. When an employee uses a company-owned system to communicate with another employee, it’s within the rights of the company to treat it as their property just as an internal memo or report would be.
Mike didn’t like this interpretation. “You mean I sign away all my rights to privacy whenever I use any communication system owned by the company?” I said smart companies usually didn’t press cases into open interception of e-mail and potential lawsuits. The risk of losing general employee confidence and trust was far higher when the company cast doubt on the privacy of communication. “Yeah, right. How many companies are smart?” was his rejoinder.
I recall this story for two reasons: The privacy battle between companies and individuals has become broader and more intense (thanks to the Internet, of course); and Mike is now something of a crusader for cyberprivacy (his word).
Mike lives on the boundary between business and personal privacy. He sees the forces behind business abuse of privacy as persistent, powerful, and inevitable. In his opinion, this is the source of the most serious trouble with privacy. I know a lot of people are more concerned about the current or potential abuse of computer privacy by government, but Mike’s view is almost totally focused on business-related issues such as spam, consumer profiling, censorship, and e-mail control.
I’ve talked with Mike recently, and we’ve exchanged e-mails (encrypted) about cyberprivacy. I kind of like Mike’s approach because it isn’t based on chapter and verse from a committee or organization. His language is blunt and he’s speaking from personal conviction; but he sees the issues from more than one angle. Here’s his approach (transcribed):
“How much lack of privacy will you tolerate? A clear case: You’re using the toilet in a public restroom and somebody barges into the stall. That’s a physical sense of privacy, and we all have it. But in wartime soldiers use open latrines. They don’t like it, but under the circumstances they get used to it. Get my point? Even something like your personal space is subject to change and variation.
“Let’s say you’re an alcoholic and you’ve holed up in a room to drink yourself into oblivion. Does the landlord have the right to enter your room because he doesn’t want somebody committing suicide on his property?
“Mental privacy is more difficult to define and enforce. Sure, I can say my private thoughts are mine alone. No technology can read my mind, yet. But there sure are a lot of ways to prevent me from having private thoughts - distractions of all kinds. We all know about people and things that mess with your head. Your private thoughts may become so chaotic that you’ve got to see a shrink and say your most private thoughts out loud.
“So now we’ve got a problem with information privacy. Information about you. You have blue eyes, black hair and you buy lingerie from Victoria’s Secret. Lingerie that is not being sent to your house. OK, so that last bit might get you stirred up. Do you care who knows that you have blue eyes and black hair?
“Information privacy is so abstract. It doesn’t have neat physical boundaries and it isn’t buried like ideas in our head. Information about you doesn’t even have to come from you. Most of the computerized information is just bits and pieces, which individually don’t seem very important. Unless the loss of privacy does you some immediate harm or irritation, you’re likely to ignore it. I have sympathy for people who let businesses put hands in their cookie jar (you know about cookies). People may be foolish, but aren’t necessarily fools. However, until some of their personal information is turned against them - and maybe not even then - they just don’t care.
“On one side we have a tendency to be complacent. Unless certain unpleasant boundaries are crossed, people aren’t very protective about a great deal of personal information. On the other side you have businesses whose source of income is to gather as much information about you as possible and sell it to some other business. Many other businesses collect the information as a means of control and identification. Altruistic or mercenary, it’s in almost any business’s interest to gather information about their customers.
“For years I’ve thought about how to cut through the problems. Is there something individuals can do or require that will protect their privacy? Whatever it is, it has to be easily applied. The key phrase is explicit consent. Unless I explicitly indicate the information is available or usable, the information is not available or usable. None of this ‘personal data is fair game unless I opt out’ crap. Thump on the table, yell to the rooftops - ‘No one collects or uses information about me without my explicit consent!’ Where that isn’t true, then I seek public forms of redress, up to and through laws.
“Explicit consent doesn’t solve all the problems. What does ‘explicit’ mean? When I buy something on the Internet, I have to provide my name and shipping address and usually billing information. My purchase is like a contract, and the information I provide is an agreement with that contract. If I publish a personal Web site with information about me, then it’s public, and any passing bot or agent can collect it. That’s tacit agreement about information availability - using the information still requires my explicit agreement.
“Explicit consent is a rule of thumb. It’s rude and crude; businesses don’t like it. It takes a lot more machinery and documentation to record consent. So what? It’s a cost of doing business. The potential abuse of privacy is more important than the convenience of business.”
In essence there’s nothing about Mike’s approach that isn’t part of many approaches to protecting privacy of information. I’m sure readers can find holes in his arguments. However, I like his focus on “one thing” that could make a difference, while still being honest about remaining ambiguities. Information privacy is a relatively elastic concept; maybe it’s just as well to use a rule of thumb instead of trying to pursue every specific instance.