Global Security, Privacy, & Risk Management

(Guest Post) “Is Privacy Possible?” December 26, 2011

There is a lot of discussion lately about the right to privacy online.  Specifically, discussion has centered around two concepts of late – 1) the “do not track” concept and 2) the right to be forgotten. While there is significant debate about what these concepts mean, I think it’s interesting to take a look at the notion of privacy in today’s world.  What does it really mean to have privacy?  Is it possible to have privacy or are these policies and plans simply the act of closing the barn door after the horse has gotten out?

The fact of the matter is that privacy, at best, is a nebulous concept.  The amount of data that is available on any given individual, irrespective of social media, is plentiful to say the least.  Even before the advent of Facebook, MySpace, LinkedIn and other sharing sites, the information available on individuals was mind-boggling.  Over the last decade or more, a number of laws have been established to prevent the sharing and selling of information about individuals.  The Federal Trade Commission has been actively involved in pursuing violators and enforcing these privacy protection standards.  The “enforcement actions” in which the FTC has been involved range from companies selling customer  lists to those whose networks have been breached resulting in the loss of customer data. For a list of enforcement actions, visit the FTC website.

It may be helpful at this point to try to define exactly what privacy is, particularly in this day of social media and (over) sharing.  One of the primary challenges with privacy, especially in such a connected age, is the complexity of defining it.  How can one protect or preserve something, when one can’t fully define what that something is.  Robert Post once wrote “Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”

The concept of privacy to which I subscribe is that “privacy as control over information,” as described by Charles Fried. Fried refines the notion of privacy as the absence of information by saying, “Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves.”  I like this definition for a few reasons.  First, it provides some personal accountability for the individual.  Many modern definitions of privacy place the onus of protecting that information entirely on the enterprise or company in question, as if the very act of holding consumer data is a breach of privacy.  While this definition would certainly call for some action on the part of those organizations, it also calls on the individual to be selective about the information that is made available.  The phenomenon of “facebook firings” brings this issue into stark relief.  Individuals can control the quality of information that is shared by using care with respect to what information they post on their own sites.

The other component of this definition that resonates is that of cooperation and transparency on the part of the organization toward the individual. This is an element of privacy that is present in most, if not all, of the current information privacy models.  (For reference, see OECD Guidelines on the Protection of Privacy, FTC Fair Information Practice Principles and Privacy by Design).  According to this element of privacy, the individual should have access to any of his or her personal information held by the company.  Further, the individual should have the right to correct any inaccuracies and to determine how or if that information can be shared with third parties.

This takes us back to the question posed in the title; “is privacy possible?”  The answer is still rather nebulous, but what we do know is that it relies on both the individual and the organization. This is not to say that concepts like “do not track” and “the right to be forgotten” are useless, but that we as a society have to refine our definition of what privacy is – the concept is far more complex than legislators and the media would have one believe.  Individuals must be cognizant of the information that they are sharing on public forums and how that data might be used.   Similarly, companies must be aware of the sensitivities around sharing consumer information and take appropriate steps to ensure an appropriate level of protection – in terms of policy, process, and technology.

Heather Mark