Private Lives in a Database World

[I was kindly invited to respond to a speech delivered by former Information Commissioner Richard Thomas CBE at a dinner at the ICAEW. The following is the text of that response]

In 1890, Samuel Warren and Louis Brandeis famously described privacy as “the right to be let alone.” For over a century since then, society has developed legal, technical and social frameworks that protected a concept of alone-ness, of isolation, of keeping others away from the individual and information about that individual. Our concept of privacy has become one of ‘urban anonymity:’ we believe we have some degree of anonymity when we are in public, since if nobody knows who we are, then our actions cannot have consequences since we can’t be identified.

But Richard has described how the emergence of the Internet has stood that idea on its head in the past ten years. The explosion of data, of access to that data, of tools to search, filter, analyse, interrogate, present and disseminate that data, placed in the hands of government, companies and individuals, has stripped away that veneer of anonymity and created a dystopia in which our privacy is fading, not because of our failure to control privacy, but because privacy itself has changed, and the old controls are no longer able to contain or to manage the ways in which we share information with others. Nor has this erosion been gradual: great swathes of our privacy have been cut away by tragic catalyst events such as the killings of Jamie Bulger, Holly Wells and Jessica Chapman, Baby P; the attacks on the World Trade Centre and London’s transport system.

Privacy is no longer about keeping our personal information secret, but is instead about controlling how it is used. And unless we can enforce that control, the only possible outcome for our society is total transparency: a world in which nobody has any secrets at all, and individuals have no meaningful control over how those secrets are used. Nothing is ignored, nothing is forgotten, nothing is forgiven. That is the surveillance society which four years ago Richard warned the government we will sleepwalk into if we continue down this path.

There is still hope: during his tenure as Information Commissioner, Richard recognised the critical need not to prevent access to information – something which is now impossible, as Wikileaks have shown the world’s governments – but to render individuals, organisations and governments accountable for how that information is used. This evening he has described how the legal approach to accountability can work. But I would argue that if we continue to rely solely upon regulation to enforce that accountability, then we will never win, since there will always be those corporations – and in particular global ones – who choose to operate above the law, and Richard’s successor has discovered just how difficult it can be to fight the corporate spin machine.

True accountability must depend upon mathematics, not who has the best lawyers. As consumers, we must demand that privacy controls are coded into every aspect of our online world, so that we regain control of our information. It is consumers, not corporates and governments, who should dictate what is collected, processed, stored, disseminated, derived and deleted. And this can only happen when we have delivered the technical, as well as the regulatory, demands of Privacy by Design.

And that accountability will, ironically, depend upon us delivering a truly effective population-scale identification and authentication system – not the control-freakery daydream that is thankfully now being struck from the statute books, but a proportionate, federated, privacy-enabling infrastructure that will provide the cryptographic roots of true information accountability. Individuals will be able to control how their information is used and by whom, and to easily identify and prove when misuse has occurred. In fact, in a utopia where the cryptographers rule, I’m sorry to say for Richard that there might even be no further need for lawyers, or even an information commissioner.

But for now we have to live in reality, and that reality needs the rules and regulators that Richard has described. What I hope we can discuss now are the implications of his ideas for us as individuals, organisations and professionals, and how we can move forward from our imperfect present to a pretty good – if not actually perfect – future for privacy.


"True accountability must depend upon mathematics, not who has the best lawyers" I couldn't agree with you more. If privacy continues to be seen as a legal problem, requiring legal solutions, defined by and for lawyers, I can't see us making any progress at all.
As a data security practitioner, I am finding data privacy discussions, such as Toby's blog, increasingly interesting and a challenging area to deal with. Although many of the technology mechanisms for protecting data privacy are the same as those for protecting confidentiality in the data security world, the gap between what data privacy needs and what data security provides is becoming more apparent. Data security has traditionally focussed on controlling the data content (from inappropriate access, storage and transmission). The "use of the data" is left to the discretion of the users to decide and enforce. We need to find new ways to address data privacy beyond that of traditional data security and related regulations.
In many ways, the problems of privacy are similar to the problems of technology. In a world increasingly being dominated by technology, there are key problem areas that technology seems unable to provide an effective answer, such as in world poverty, peace, climate change, etc. Why is that? I think it is because technology and science, in general, are not designed to take into account human complexities, and in particular the emotional aspects of the human - aspects that are part of the human intelligence make-up. Understanding privacy requires understanding human emotions that drive their logic for privacy. Technology, including data security technology, is not holistic enough to deal with these issues as of yet.