The collaborative society
One of the fundamental omissions in our general discourse about privacy is to cast it solely as an individual right. It is that, but it is also a social compact. This orientation matters, as Carrie James points out in her 2014 book, Disconnected: Youth, New Media, and the Ethics Gap, because as a result the primary lesson we teach kids about privacy is that they should protect their own: "Don't get caught on camera doing something stupid that someone else may post online, where it will eventually cause trouble for you." We spend much less time saying to them, "Everyone does something stupid sometimes. Before you post a picture of your friends embarrassing themselves, think about how someone who doesn't know them will view that picture and what might happen to them as a result." We also don't say, "You know that picture of you where you look so stupid? Well, you know that isn't a complete representation of yourself and your abilities, so when you grow up and get a job in Human Resources, remember that before you eliminate a good prospective employee on the basis that they were caught on film smoking a cigarette when they were 14." Both of these things would make equally reasonable lessons to teach.
In a talk for the Safer Internet conference in October, I noted that the best educational opportunity provided by the "Internet of Toys" (a marketing term for "smart" toys like Hello Barbie is to sit down with your kid and review the privacy policy and what it actually means in practice.
In the same vein, we don't have very good language for data that does not have a single creator. My medical records are mine, of course - but they are not *solely* mine; significant portions are the doctor's interpretations of both information I give her and test results, put together with her own hard-won knowledge. Probably if you conducted a test where the same patient presented the same symptoms to a series of doctors no two sets of notes would be exactly the same, even though, one hopes, they all reached the same diagnosis. The same is true of things like phone records. Are they really mine? They're about me, but they're also about my correspondents, and they wouldn't exist at all without the phone company's involvement in generating and compiling the list.
The Open Data Institute has a Venn diagram they like to promulgate, that shows the overlaps between three types of data: open, personal, and big.
Medical data is shared in a different way. All the way back in his 1988 book
This is all leading up to noting that not only do we fail to understand privacy as collaborative, but we do the same thing with data. A database typically is deemed to have a single owner, as is my medical record. Yet as soon as you think about the latter the problem is obvious. I say "my medical record". My GP may say "your patient record", but many GP think nonetheless that they own that information.
We can't talk about property rights in personal data without acknowledging the reality that often multiple parties have a reasonable claim to ownership but we have no reasonable way of allocating shares. Do we try to calculate a numeric value and allocate percentages? Or distribute rights based on who suffers the most if the data is disclosed? In a well-researched piece this week on medical privacy, Pro Publica's Charles Ornstein argues that the worst medical breaches are the small-scale ones that expose just a few people's intimate information. It is very hard for victims to get redress: the information can't be unleaked, and there's no good way to assign a monetary value on the resulting ditress.
The spread of the Internet of Things will complicate things further: every service will rely on multiple providers who collect and aggregate multiple data streams. A municipal system that that provides an app to let car drivers find open spaces might use sensors implanted in the street that detect the presence of a car along with GPS data locating everyone looking for spots to blank the meter when a car pulls away. This would be truly multi-party: probably the municipality maintains an open database of all legal parking spots, one company provides and interprets the output of pavement sensors, another makes the app, a third provides wireless infrastructure, a fourth makes and manages the parking meters, and each user has their own choice of mobile device and network operator. Who owns "my parking spot" in such a scenario?
I don't have a specific set of proposals for solving this. But first, as they say, we need to acknowledge there's a problem.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.
.We apologize that comments have been turned off on this blog due to overactive spambots.