Freedom and Anonymous Data

It’s not that I have something to hide.
I have nothing I want you to see.

The closing lines to 2018’s science fiction film Anon truly resonate with me, as do the major underlying themes of the movie. Does a world with total surveillance, with total information transparency, make people safer? Who controls that data, and what does society do about those who don’t want to participate?

While Anon presents itself as a technological murder mystery, I think it has a greater message for anyone who may not realize just how much of their information is out there today, and what the privacy implications of that openness could be.

Games like Watch_Dogs 2 detail and demonstrate the value of user information to large corporations, and how the era of “Big Data” has functionally eroded individual privacy, whether end users opted in to being tracked or not.

I find myself at an interesting crossroads when it comes to the availability and ubiquity of information. On one hand I fully believe in an individual’s right to privacy, that everyone should be safe and secure in their ability to live without being watched and scrutinized. On the other hand I fully believe that information should be free and everyone should have access to accurate, available data that could help to improve their lives.

The rise of autonomous cars will do wonders for traffic flow and transportation efficiency, but only once cars are able to keep track of each other and wirelessly signal speed changes, intended lane merges, and the like. I think the idea that my car some day could “speak” to the other cars around it to improve everyone’s experience is a great thing. What I absolutely abhor is the idea that a company will take that information and build a profile of individual drivers, such as a log of their habits, their destinations, and their locations. I hope this example shows the two sides of the equation with which I struggle.

People playing the alternative-reality games of Pokemon Go and Harry Potter: Wizards Unite understand that the games use their real-time location information as a key component of the game. What I believe is far more sinister is that Niantic (the company behind both programs) has the game report up to thirteen times a minute with personally-identifying information, location being only the tip of the iceberg. What is Niantic doing with that data on hundreds of millions of users, and what is their obligation to keep it private? They have no such obligation, and that scares me.

Recently the news world has been rocked with tales of wireless carriers selling private data to less-than-scrupulous characters, including exact location data, all without any notification to the end-user. Is it possible to meaningfully participate in today’s society without a cellular phone? The only way to be “free” of direct surveillance is to attempt just that.

Companies like Facebook and Google don’t only compile information on their individual users, but also their larger sphere of influence and friends as well. I haven’t had a Facebook account in years and years, but I guarantee that posts from my friends and other seemingly innocuous information could be combined to paint a fairly accurate picture of my life.

I fully acknowledge the benefits that Britain’s CCTV system has brought when it comes to apprehending criminals, and to some extent reducing crime as well. I also hate the idea on principle. With no anonymization, whoever has access to that database can map out almost anyone’s movements and behaviors from the start of the Big Data era, and make fairly accurate predictive estimates about the future.

The line that invasive security and surveillance is acceptable if “you have nothing to hide” absolutely rankles me. Whenever someone trots out that old saw, I ask for their email password and full access to their browsing history. Nobody yet has taken me up on the offer.

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

While often attributed to Cardinal Richelieu—no evidence has surfaced to prove he ever did say the famous line—the phrase has always given me chills. Not because it speaks to the fiendishness of the Cardinal, but more that we live in a society where there are enough laws, rules, and regulations that the vast majority of individuals are continually guilty of something, making our detention or incarceration a matter of preference for those who enforce the laws. Minorities and other oppressed groups know this to a degree I will likely never realize.

The California Penal Code, which does not cover vehicular rules, is comprised of 34,370 sections of laws. With small print and no legal analysis—which is often required to understand judicial rulings on individual statutes—this represents more than 3,300 pages. Can you honestly and truthfully state that you did not break any laws today, even ignoring the nearly 600 pages of statutes covering the use of motor vehicles? There’s almost no way to be sure.

Because most people read technical material at a rate of 60 words per minute, it would take more than 71 eight-hour days (that’s roughly three and a half work months) for someone to read the two Codes listed above. This ignores any analysis, understanding of judicial review, or identification of conflicts within the law. It also ignores local, county, and federal laws, as well as treaties, executive orders, and other standards of behavior which have been codified (such as the US-centric Uniform Code of Military Justice).

This isn’t meant to be a post advocating the creation or abolishment of any individual or set of laws, but I want to really drive home how arbitrary our continued freedom really is. With the signing of a pen or the change of an attitude, behaviors that were once perfectly normal, reasonable even, can become suspicious or criminal.

I love data and the truly amazing metrics that can be pulled out of a large enough data set. I also loathe the idea that individuals can be tracked and examined without oversight.

In the late 2010s there has been a push to encourage police officers to wear body cameras, to record their interactions with the public and provide a credible record of what did (and did not) transpire during such an interaction. I believe this level of accountability is good, and that a lot can be said about those who think otherwise. However, there have been examples of some police officers using their body cameras to specifically film individuals at protests, marches, or rallies, compiling a database of people who may be “problematic.” I am categorically against this (and most any other) “predictive policing” methodology, which seeks to use metrics and data to single out or target a particular individual or group of individuals.

How do I reconcile these two disparate thoughts, that on the one hand having massive amounts of data is an advantage and can be a net positive on the world, and on the other that each individual has a right to privacy and confidentiality?

For me it’s about the scale of data, the relevancy for its collection, and how it is used. A frozen yogurt shop may have a rewards program where visitors can earn free desserts after repetitive visits. I do not think it is in any way wrong for the shop to use this system to track and learn about the frequency of repeat business, as a way to improve their business. I would however wholly take umbrage if that data were singled out to say a particular customer regularly visits at X, Y, and Z times, to build a profile of that individual, rather than just as specific data points in an aggregate study.

When the Ed Snowden leaks were first published, some explanations or excuses going around were that the NSA didn’t collect the contents of phone calls, just the metadata. In reality, metadata can be far more damning or identifying than the actual contents of an individual phone call or action.

By looking only at the following metadata, can you piece together what happened?

• A woman makes a small purchase at a local pharmacy
• The woman makes a larger purchase at the same pharmacy some hours later
• The woman calls someone she called late at night three days prior
• The woman calls Planned Parenthood

Four data points and we have a very clear idea of a potentially momentous event in this person’s life. Expand that out to a system which collects thousands, millions, of data points every day, and the advanced algorithms which can search for almost any sort of connection, spurious or not. This isn’t fiction, it’s the world we live in today.

A not insignificant part of my job is compiling stats and running metrics—our key indicators help management see what current trends are and if adjustments need to be made. I’ve made it very clear from the beginning that I don’t want to use statistics or metrics to punish people; if someone is not performing to expectations the data may tell us where corrections may make the most impact, but I never want to be in a position to punish someone for being in the bottom X% or anything of the sort.

The reason Google and Apple can make very accurate predictions of how long a given drive will take isn’t only the information they are receiving from drivers on the road at that moment—they also comb through and compile vast datasets about all of the drivers who have ever used their services to route through that road, making very educated guesses and applying weighted averages to arrive at a very reasonable estimation, unexpected emergencies notwithstanding. This kind of data—the aggregate of everyone who has traveled—that kind of data is, to me, ethical to collect and use for everyone’s benefit. Keeping a permanent facial recognition profile for everyone who passes by a security camera? Not so much.

It’s been in the news lately that our government is stepping up efforts to force those seeking to enter this country to submit their DNA as part of the process. To me this is egregiously invasive and unnecessary. I’m not even happy that, if someone gets arrested for a crime, their fingerprints and mugshot stay active in the system forever, even if they are never brought to trial or are found not guilty.

Data, once collected in one of these monolithic, institutional databases, is extremely difficult to eradicate. Not only is there the unanswerable question of who controls that information, but also the often intentionally-obfuscated record of who exactly has access to that information.

While there may be a skeleton or two in my own closet, I’m a fairly open book if someone wants to find out more; I don’t believe I have much that is worth hiding, aside that which concerns other people. There is however a large difference between having nothing to hide and having your entire life on display.

I firmly believe that the current trend of Big Data will continue, if for no other reason than it is exceptionally profitable for business to gather, compile, sell access to, utilize, and target all of the many factors that go into these unbelievably large data sets. Governments find it invaluable to keep tabs on their citizens. It’s very existence drives innovation and creates programming jobs the likes of which were unthinkable a decade ago.

I believe no industry giant is going to effectively self-regulate, because their competition that doesn’t will soon become overtake them. To this end I feel the only way forward into the all-connected future that seems inevitable—the only way to keep a heavy emphasis on personal freedom and privacy, that is—is for technocratic forces to make a solid regulatory push, a compelling congressional and public case, for strong, consumer-focused legislation.

Don’t you get it? The more you try to hide, the more attention you attract.

These penultimate lines of Anon delivered by Clive Owen echo a lot of sentiment when it comes to information privacy and information security in today’s age. For some, the effort to reduce their digital footprint is just too high; it’s a constant vigil that could be seen as betraying the values of modern America (meaning ease above all things).

While the fight both for public transparency and private anonymity wages on, and will likely be reinvigorated every few years as technology advances, there are some great organizations who are currently shouldering much of the burden. Here are just a small few I support, and I highly encourage you to find similar groups that you can support, that suit your own thoughts on the importance of privacy and access to data.

• The Electronic Frontier Foundation – a group on the forefront of digital liberties, it would be impossible for me to easily summarize the sheer breadth of their activities and initiatives, or the depth of their impact for privacy rights. https://eff.org
• Electronic Privacy Information Center – a public research center committed to promoting the cause of individual privacy in an increasingly online world, this body was formed in the 1990s to combat budding online censorship. https://epic.org
• Open Privacy Research Society – a relatively recently-founded nonprofit, they promote the creation, development, distribution, and adoption of privacy tools, particularly for and within marginalized communities. Sarah Jamie Lewis, their Executive Director, is responsible for collecting the stories which became the seminal work Queer Privacy. https://openprivacy.ca