Tuesday, May 6, 2008

Back to Basics: Privacy Ethics (part 2)

So, let's continue the journey through the 'what and why' of privacy. The second argument that Jeroen van den Hoven makes in his contribution Information Technology, Privacy and the Protection of Personal Data is that 'identity-relevant information' should be protected, not just any data about people (see: Van den Hoven/Weckert (eds.): Information Technology and Moral Philosophy, Cambridge University Press 2008).

Argument number 2: The scope of data protection should cover 'identity relevant information'.

Van den Hoven argues that the European definition of personal data is referential. In order to be 'personal data', the data need to be about a specific person, not just any person. This means that personal data need an identity-relevant context, regardless of whether that context is right or wrong. Without such a context, data have no meaning and are merely attributive: they describe a situation or fact without reference to any specific individual. One could also argue that attributive data are conditional; they only become personal data if another identity-relevant condition occurs, for instance because the raw data are placed in an identity-relevant context or are combined with another piece of identity-relevant information.

Because of the narrow definition of personal data in the European Data Protection Directive 95/46/EC, Van den Hoven concludes that attributive data go unprotected, but may very well be used to harm people with the assistance of new technologies such as data mining, profiling, etc. The Article 29 Working Party has recently tried to protect attributive data by dramatically extending the definition of personal data to data that are only conditionally identifiable. The most striking example of this extension to attributive data is example 16, about a collection of graffiti paintings, in its Opinion on the Concept of Personal Data (Opinion 4/2007, WP136).

However, this opinion of the Article 29 Working Party has serious consequences. Data protection law does not only tell us what should be protected and why, but also how. The problem lies in the 'how', especially in the case of attributive data. By bringing attributive data under the protection of the Data Protection Directive, all the formalities that come with this protection regime, like notifications, privacy notices, data export restrictions, prior checking, etc., are also triggered.

The argument for bringing attributive data under the protection of the Data Protection Directive is that the Working Party "assumes that the data controller or any other person has the means likely reasonably to be used to identify the data subject". In other words, there is probably always somebody somewhere who can re-attach an identity-relevant context to what -for most of us- is only meaningless information. For this very reason, some Data Protection Authorities in Europe do not consider key-coded data to be anonymous: if somebody has the key, he or she can always apply an identity-relevant context to the coded data, and therefore such coded data should be considered 'personal data' and treated in full compliance with the Directive.

The same argument is used to bring dynamic IP addresses under the full protection of the Directive: the Internet Service Provider can always find out who was using a particular IP address at a particular time. The fact that the government has given itself broad powers to collect information from private databases and to combine this information with other information is the main argument for the position that electronic footprints, such as the IP address left behind when visiting a website, are never completely anonymous and should thus be protected by the data protection laws.
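To make the key-coded data and IP address points concrete, here is an added illustration (my own example code, not from Van den Hoven's article or the Working Party opinion). The records, names and IP addresses in it are constructed and hypothetical. It splits raw web-server style records into an attributive part, where each person is only "somebody" with a random code, and a key table that maps codes back to identities. A party without the key table can still link footprints of the same "somebody"; only the party holding the key table can re-attach the identity-relevant context, which is exactly the step that turns the coded data back into personal data.

```python
import secrets

# Constructed sample data: raw records about hypothetical people (not real data).
RAW_RECORDS = [
    {"name": "Alice Example", "ip": "192.0.2.10", "path": "/pricing"},
    {"name": "Bob Example", "ip": "192.0.2.11", "path": "/careers"},
    {"name": "Alice Example", "ip": "192.0.2.10", "path": "/contact"},
]


def key_code(records):
    """Split records into attributive (coded) data and the key table.

    The coded records carry only a random code per identity. The key table
    (code -> identity) is what turns the coded data back into personal data,
    so whoever holds it holds the 'key' the text talks about.
    """
    key_table = {}          # code -> identity, kept by the key-keeper
    identity_to_code = {}   # identity -> code, needed only while coding
    coded = []
    for r in records:
        identity = (r["name"], r["ip"])
        if identity not in identity_to_code:
            code = secrets.token_hex(8)  # random, so the code itself reveals nothing
            identity_to_code[identity] = code
            key_table[code] = {"name": r["name"], "ip": r["ip"]}
        coded.append({"subject": identity_to_code[identity], "path": r["path"]})
    return coded, key_table


def footprints_by_subject(coded):
    """What a party WITHOUT the key can do: group the footprints of 'somebody'.

    Linkage is possible (two visits by the same code), identification is not.
    """
    by_subject = {}
    for rec in coded:
        by_subject.setdefault(rec["subject"], []).append(rec["path"])
    return by_subject


def reidentify(coded, key_table):
    """What a party WITH the key can do: re-attach identity-relevant context.

    This is the crossing into another 'sphere of access': the same records,
    now with name and IP address restored from the key table.
    """
    return [{**key_table[rec["subject"]], "path": rec["path"]} for rec in coded]


def main():
    coded, key_table = key_code(RAW_RECORDS)
    print("attributive view (no key):", footprints_by_subject(coded))
    print("re-identified view (with key):", reidentify(coded, key_table))


if __name__ == "__main__":
    main()
```

The design point is that the coded records on their own carry no name or address at all; the only thing standing between "a footprint made by somebody" and "a footprint made by Alice" is possession of the key table. That is why the argument in the text turns on who can be forced to hand over the key, not on what the coded records look like.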

This argument directly impacts businesses that collect attributive information to improve their products and services. They don't care who made the "electronic footprints" that their customers leave behind. As long as they have no intention of sharing this information with other parties or of using the data to harm their customers, there is little privacy risk in such data.

And here we uncover the key issue in the underlying ethical and legal debate that is currently going on. As soon as a piece of information about a person is disclosed, the privacy of that piece of information is -in principle- lost forever (see also Van den Hoven). If the party that holds that piece of information does not know to whom it belongs and has no intention of ever finding out, the likely impact on the privacy of that person -now and in the future- is close to zero. It is a 'footprint' made by 'somebody'.

However, the very fact that another party, most notably the government, can force the keeper of attributive data to release the data triggers the slumbering privacy risk. This third party may be able to attach identity-relevant information to the otherwise anonymous data. This could be done by various means, such as forcing the disclosure of the key that unlocks the data, pattern recognition and data mining, or combining various pieces of data with identity-relevant information that is already in the database. According to Van den Hoven, such information is then used in another "sphere of access". It is the crossing into that other sphere where the slumbering privacy issue comes to the surface.

So, the moral problem that is presented here is: should people's "footprints" that are only attributive be protected?

My answer to that question is an affirmative "Yes", for the simple reason that the slumbering privacy risk may reveal itself at any time, in any place, sometimes intentionally, but very often by accident. Therefore, people who have access to the "footprints" of other people should be careful about what part of this information they reveal to the outside world, because they have no way of knowing whether the data may have identity-relevant meaning to others. Speaking "hypothetically" about a real case with strangers at a party, or putting your holiday pictures of strangers on the Internet, could be a risk to privacy and should therefore be avoided.

BUT, unlike the Article 29 Working Party, I don't think that it is necessary to bring such data under the scope of the Data Protection Directive by default. They could very well be protected by criminal law or civil/tort law, so as to address any harm that is inflicted on the individual by the misuse of these data. Where somebody has intentionally or accidentally revealed such "footprints" to other people, and by doing so has brought such data outside the original "sphere of access", the victim may very well have a valid claim against that person for violation of privacy if this piece of information is later used to harm the victim. But bringing ALL attributive footprints within the scope of data protection legislation is one big step too far.

Monday, May 5, 2008

Back to Basics: Privacy Ethics (part 1)

As I am writing this, it is May 5th, Liberation Day in Holland. On this day Holland reflects on its freedom by organizing "freedom festivals" with music, dance, and theatre performances. Each festival has a Freedom Fire, which is lit in Wageningen, the place where the Nazi occupation of Holland was officially ended. So-called "Ambassadors of Freedom" tour the festivals to talk about freedom, human rights, and the effects of war and violence. So, this looks like a perfect day to reflect on the ethics of privacy and the moral foundations of our privacy laws and freedoms in Europe. Back to Basics - part 1.

Yesterday, May 4th, Remembrance Day, Peter Hustinx -the European Data Protection Supervisor- was interviewed in the Dutch political talk show Buitenhof about privacy and the foundations of freedom in Europe. He did a good job. He talked about the "haystacks" that Europe is building and the little chance that somebody may ever find a needle in them. And he warned against the speed with which those haystacks were established and the lack of adequate protections for the rights of European citizens. Moreover, he warned against a dangerously blind trust in information technology: the belief that it will always pick out the bad guys and that nothing will ever go wrong with the data and the profiles stored in those databases. When asked who is making sure that the proper protections are put in place, Hustinx referred to the European Parliament, which will get co-legislative powers on crime-fighting issues on January 1, 2009, when the new European Treaty comes into effect.

However, a word of caution is justified here. The "problem" with the belief that everything will be better once the European Parliament has something to say about privacy rights in crime-fighting is that the Parliament is driven by politics. This means that privacy protection will be a mix of short-term political opportunities and the political and moral views of the MEPs on how society should be shaped.

On that note, I would like to draw your attention to the excellent work of Jeroen van den Hoven, professor of ICT ethics at Delft University. He has written extensively about the moral reasons for privacy and data protection. I warmly recommend reading his contribution Information Technology, Privacy and the Protection of Personal Data in Jeroen van den Hoven/John Weckert (eds.): Information Technology and Moral Philosophy (Cambridge University Press 2008). In this mini-series on Privacy Ethics I will summarize and comment on his work:

  • Thesis #1: In modern society, there are basically two main views on privacy and data protection: Liberalism and Communitarianism.

At one end of the spectrum, there is the Liberal view of individual rights and freedoms. In this view, the exercise of people's freedoms is limited only by the freedoms of others (see also John Stuart Mill's "Harm Principle"). The sphere of privacy and personal freedom is thus very large, and state interference with personal life is limited.

At the other end of the spectrum, there is the Communitarian view, in which the community's norms and values can be imposed on the group members, and in which society needs to deal with 'free riders'. In this view, information about people should be made available to the state in order to identify the 'free riders': people who enjoy the benefits of society without participating in the activities that produce those benefits, such as criminals, tax evaders, etc.

The problem for privacy protection is evident. The two views are hardly reconcilable with each other, although Van den Hoven makes a decent effort in his article. Furthermore, in this day and age, Liberal views on personal freedoms are not very popular among officials in government circles. Many take the view that modern society has become too complex to allow Liberal freedoms to prosper unconditionally. Especially where the boundaries between the public and the private sphere vanish, it becomes more difficult to justify the unconditional exercise of personal freedoms. Also, the increased focus on combating crime and terrorism puts pressure on the Liberal view of privacy and personal freedoms. Nevertheless, Liberals such as MEP Sophie In 't Veld continue to question government policies, powers, programs and systems that impact people's privacy, and keep asking for protections to be put in place to prevent misuse of data and the infliction of information-based harm on individuals.

On the other hand, the Communitarian views on privacy and freedom are not always acceptable either, especially not when people are confronted with norms and values of society (or of the group that they belong to) that they don't share personally. The contemporary communitarian thinker Amitai Etzioni has even defended the burqa for Muslim women by suggesting that privacy could be seen as an obligation to the group or society to keep certain parts of personal life private if society or the group believes it should be kept private. Personal beliefs, norms and values are thus overridden by the norms, values, and needs of society or the group, the 'common good' (Etzioni, 2004).

Communitarian proposals, ideas and actions are relatively easy to spot. They are typically justified by pointing to the obvious benefits for society. Most of the 'haystacks' that Hustinx referred to in the interview have communitarian characteristics. The fact that these proposals do not from the start take into consideration the protections for the privacy and fundamental rights of citizens ("privacy by design") is an even stronger indication of their communitarian origin. Examples of such proposals include: the pan-European fingerprint database proposed by Euro-Commissioner Frattini; the pan-European system of DNA databases proposed by the German Minister of the Interior Wolfgang Schäuble; the Electronic Child File with data about the development of all Dutch children and their families, in order to screen for child abuse and provide government-funded assistance to parents in bringing up their children, proposed by André Rouvoet, the Dutch Minister for Youth and Family Affairs; or the affair in Italy just last week, when the Italian Deputy Minister of Finance Vincenzo Visco ordered the tax data of all Italians to be published on the Internet in a bid to improve tax transparency and combat tax evasion.

Which opinion, the Liberal or the Communitarian one, is dominant in the European Parliament at the moment the voting takes place significantly defines the nature of the protections that Hustinx and others are hoping for. For now, things seem to look fine for the privacy camp, as the Parliament is very critical of the proposals that are put forward by the Council. The question is, however: is the Parliament critical out of real concern for the privacy of European citizens? Or is the Parliament critical only because it does not like the fact that new proposals are being speedily adopted by the Council before the deadline of January 1, 2009? We will see after January 1st!